Even the U.S. government is telling Americans to use encrypted apps.
  • someguy
    2267 months ago

    @return2ozma @technology
    10 years ago, the Feds wanted backdoors to all of phones so they could read all of our text messages. Now, the Feds want everyone not to use software that has backdoors so the Chinese cannot read our phones. The Feds don’t want competition.

    • @Routhinator@startrek.websiteEnglish
      697 months ago

      The problem for me is that most Canadian Banks give you the choice of SMS or their shitty adware filled bank app that relies on Google Play Services and wont implement TOTP so I can use a true MFA app. And Im done with being forced to accept user policies I don’t agree with to do shit, and most of all done with Google Play Services on my device 😑

      • HellsBelleEnglish
        217 months ago

        Adding to this that my Canadian bank just updated their app and it doesn’t work with my older phone. So my only option is to use online services with SMS/call verification.

        It’s such a joy to know that my bank, who made $40.670 billion last year, takes care of every customer equally.

      • @sugar_in_your_tea@sh.itjust.worksEnglish
        137 months ago

        This is the main reason I switched to Fidelity here in the US. It’s a brokerage, but it does basic bank things, like checks, debit card, etc, and they support SymantecVIP, which works w/o Google Play Services. TOTP support really isn’t that hard, I don’t understand why banks are so slow in adopting it…

        • @ipkpjersi@lemmy.mlEnglish
          107 months ago

          The issue is, banks are only going to do what they’re required to do by law. The government is run by dinosaurs who don’t know what computers are, let alone what TOTP is.

          • @sugar_in_your_tea@sh.itjust.worksEnglish
            127 months ago

            No, they’re only going to do what they’re required to do by their insurance. The law is an option, but if insurance costs go way up if they don’t have proper MFA, they’ll get MFA.

          • @sugar_in_your_tea@sh.itjust.worksEnglish
            47 months ago

            They’re fantastic. :)

            The only negative stories I’ve heard are from people who really push the boundaries, like people day trading and whatnot. If you’re a regular user looking for a bank alternative, you should be good.

            Just know their branches don’t really have any banking services, so you can’t go there to withdraw or deposit cash, get a cashier’s check, etc. I keep an account w/ a local institution and transfer money as needed for banking services.

            • @dan@upvote.auEnglish
              27 months ago

              I had a negative experience when initially setting up my account, because of TikTok. This group of kids who called themselves “Fidelity Boyz” discovered that you could deposit a fake check and immediately withdraw the money.

              So many people did this that they had to severely lock things down. For most customers, money transferred in either via check or via ACH pull (telling Fidelity to take the money from an account at another bank), was subject to a 16 business day (three weeks and one day) hold. Direct deposits (e.g. paychecks) were not affected, and ACH pushes (when you tell another bank to send the money to Fidelity) were eventually fine too.

              It was a big pain. The money I transferred was in limbo for a long time, after I had already switched all my auto-pays over to Fidelity, so I had to switch them all back until the money cleared.

              Now that that’s over, it’s great. I love that they reimburse ATM fees worldwide, and I’m a big fan of their basket portfolios product since it makes it so easy to rebalance a portfolio. Saves me from having to manually do a bunch of calculations, and I love that it has a fixed monthly price instead of being percentage based like roboadvisors.

          • @dan@upvote.auEnglish
            17 months ago

            I’ve got one. It’s nice. The cash is automatically invested in a money market account, which is a bit like a high yield savings account.

        • @dan@upvote.auEnglish
          27 months ago

          In case you weren’t aware, Symantec VIP is just TOTP-OATH in a fancy coat. You can extract the secret and use it with any TOTP app. I use Authenticator Pro (now called Stratum) because it’s open-source and has a watch app.

        • @Routhinator@startrek.websiteEnglish
          17 months ago

          Now you’ve got me wondering about this for Canada. Would be a pita to move mortgage and investments, but there must be a better way than the big banks.

      • @oldfart@lemm.eeEnglish
        107 months ago

        My bank prides itself being the first in the country to support yubikeys for 2fa. I was so happy until i learned it’s just for logging in, transactions are still confirmed by SMS or their app. And security experts all say it’s better this way, using a regular 2fa solution would be insecure because you wouldn’t know what you’re confirming.

        There really is no hope.

          • @oldfart@lemm.eeEnglish
            37 months ago

            I’m not defending that madness, but that device doesn’t show who is the recipient. The argument was that this is protection against phishing sites pretending to be a bank, proxying your connection but sending it to a different recipient.

            Makes one wonder how much the user has to fuck up to end in such a scenario, and of it’s really worth transmitting everyone’s financial data in almost plain text over the air for this

      • @john89@lemmy.caEnglish
        87 months ago

        Should be illegal to put ads in something as crucial to day-to-day life as a banking app.

        If it’s not illegal, then everyone is going to do it and we won’t have the “choice” that crapitalists love to tout so much.

        • @Routhinator@startrek.websiteEnglish
          27 months ago

          Its supposed to be illegal for banks to be in “sales” but my wife was working for BMO and they were forcing her to prioritize outbound cold calls ans upselling products the customer didnt need and would clearly be bad for their financials as a Personal Banking Assistant. The conflict of interest was so great it stressed her right the fuck out and she had to take leave and start therapy. Her MS also spiked likely due to the stress levels. She was there to help people, and she made the bank earn loyal customers and they willing got more products from the bank because she helped them. She was the top performer at the bank if she just let her do the job she was there to do, but instead her boss started ragging on her daily about her cold calling numbers and forcing her to cancel necessary appointments and focus time to deal with customer requests and instead prioritize sales.

          In the end her numbers dropped, her customer satisfaction dropped, and her MS got worse from the stress and she’s now on long term leave, uncertain if she’ll recover her focus and able to go back to work. Her neurologist has said she cannot go back for now.

          Not sure how that bullshit helped the bank, but I can sure see how I didn’t, and I may be wrong but I think there are laws against it.

          Also worth noting that this change in tactics happened right at the same time BMO took all their “we’re here to help” signage down. Brings so many memories of Google dropping the “don’t be evil”. Everything that came after in both cases was shit.

          EDIT: Oh looks like CBC did an article on this now because it is so prolific. https://www.cbc.ca/news/business/banks-upselling-go-public-1.4023575

        • @carpelbridgesyndrome@sh.itjust.worksEnglish
          47 months ago

          They support USB hardware tokens… but only for the website. Everything else is SMS which kinda defeats the point.

          Annoyingly, other than Vanguard, they are the only financial institution to support USB FIDO tokens

          • DankOfAmericaEnglish
            17 months ago

            in my experience, FIDO tokens suck. I have to around 10 times every time I use one to log in.

  • @rarbg@lemmy.zipEnglish
    657 months ago

    Oh man it sure would be nice if the feds had the power to regulate something like this /s

    • @da_peda@lemmings.worldEnglish
      587 months ago

      They did. That’s the reason for this hack, they wanted Lawful Interception, they got their backdoor. It’s what professionals and privacy advocates said all along, if it exists it will be abused.

      • Encrypt-KeeperEnglish
        97 months ago

        This isn’t a hack in the way you’re thinking of, nor is it a product of government mandated interception, or a back door. The salt typhoon event you’re referring to is nothing more than the tip of the iceberg of a much bigger problem, which is abuse of the dated SS7 system we’ve known about for decades.

  • Uriel238 [all pronouns]English
    567 months ago

    Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.

    Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)

    We could have had twenty-four years of robust communications security developments if NSA didnt sell the public out like Judas.

      • Uriel238 [all pronouns]English
        57 months ago

        Extraordinary Rendition is the euphemism from the aughts from which the movie Rendition was titled. It means taking your detainee somewhere else, often across national borders, to a black site, usually to do things there for plausible deniability (e.g. we don’t torture in the United States )

        • @sugar_in_your_tea@sh.itjust.worksEnglish
          47 months ago

          Looks like I missed that movie, I’ll have to check it out.

          And I don’t think I’ve ever heard the term “rendering” used in that context, I guess we just used other terminology. Thanks!

  • @archchan@lemmy.mlEnglish
    447 months ago

    I hate forced 2FA that you can’t disable anyway. I don’t want to waste time waiting for an insecure text, I don’t want to input an unencrypted code you sent to my email, I don’t want to click your damn notification that runs through Play Services, and no I’m not enrolling in passwordless auth. I don’t need to be babied into securing my accounts. Any account I do actively and willingly secure is already using TOTP. Let me put in my username and password, then kindly fuck off.

    • @Charlatan@lemm.eeEnglish
      227 months ago

      Yeah. So you, myself, and some others are the exception to the rule. But, you can’t look at it that way because its a ‘lowest common denominator’ problem. The least secure of us means we are all only as secure. Others need to be hand held.

      It’s definitely time to raise all boats and drop SMS 2fa like a hot rock.

      • KairosEnglish
        37 months ago

        You can apply this logic to nearly anything with very bad consequences.

    • @dan@upvote.auEnglish
      37 months ago

      is already using TOTP.

      A lot of things are moving to phishing-resistant technologies like FIDO2/WebAuthn or passkeys. All my important accounts, like my password manager, are secured using Yubikeys (one that I keep with me and one as a backup in a secure place).

  • @randon31415@lemmy.worldEnglish
    337 months ago

    Authentication for my work email: Enter 28 character password, receive sms, enter message, log in

    Authentication for my Battle.net account:

    -Enter email made before 2000 because they don’t let you change email

    -Enter password

    -Get rejected

    -Solve CAPTCHA

    -Try backup passwords, get rejected

    -Request new password

    -Send request to 24 year old email

    -Try to log on to 24 year old email, email is suspicious and sends Authentication request to my newer email

    -Open newer email, Authenticate older email

    -open old email, Put in code to battle.net

    -Battle.net requests Authenticator code from Battle.net app

    -Open battle.net app (no requests)

    -Try manual code, doesn’t work

    • Realize Battle.net app Authenticator not connected

    -Try to connect Battle.net app Authenticator to account

    -Realize you cannot connect Authenticator without signing in AND signing in requires Authenticator

    -Close Battle.net app

    -Open Blizzard Authenticator

    -Close warning that this app got depreciated in January

    -Enter manual code

    -it works

    -Attempt to change password to password I first attempted

    -Won’t let me use same password

    -Try logging in using that password

    -Still doesn’t work - Solve one more CAPTCHA

    -Change password to backup password and back to original password - have to solve 2 more Captchas

    -Finally works

    -Log in

    • λλλEnglish
      17 months ago

      That just kept going. I feel you, but maybe try a password manager? You open it up, type blizzard and it tells you exactly what password you used. Even better, it can generate really good passwords for you.

      I use bitwarden.

  • @finitebanjo@lemmy.worldEnglish
    277 months ago

    The end of an era.

    Or actually, probably not until we redo whole cellular phone technology works and kick out all the bad actors using SS7 vulnerabilities for stuff like spoofing numbers and stealing messages. We really shouldn’t be using a 45 year old system for almost all communications.

    • @Agent641@lemmy.worldEnglish
      77 months ago

      Use Telegram.

      Not the app, the 200 year old wire radio messaging system based on Morse code, E2EE (Elderly man to Elderly man Enciphered)

      • @finitebanjo@lemmy.worldEnglish
        17 months ago

        I guarantee you that is the opposite of a solution, old man encryption is very easily hacked by other old men for spoofing, redirecting, or listening.

    • 𝕸𝖔𝖘𝖘English
      37 months ago

      In their defense, they JUST applied an update in March 1993, so they’re knocking on the doors of cutting edge technology updates -_-

      Edit: added link

    • @sugar_in_your_tea@sh.itjust.worksEnglish
      87 months ago

      Even stupider is supporting hardware keys for MFA, but having SMS fallback which can’t be disabled (looking at you, Vanguard). I’d much rather have email as my second factor than SMS, and I literally abandoned a bank (Ally) for removing email as an alternative to SMS.

  • @communism@lemmy.mlEnglish
    237 months ago

    I wish Signal stopped using it. I know you can set a Signal PIN but a lot of the non-techy friends I speak to on Signal probably wouldn’t think to, or look through the settings (not that you need to be “techy” to set it, but you know the kind of learned helplessness most people have about tech). At least a prompt for all users to set an account PIN so their account can’t just be stolen by anyone with their SIM card.

      • @ChillPill@lemmy.worldEnglish
        217 months ago

        They abandoned letting you use the Signal app to send and recieve SMS. You still need to get a code via SMS to activate your Signal account. I believe this is what they are referring to.

        • @communism@lemmy.mlEnglish
          77 months ago

          Yep, I was referring to that. You can stick someone else’s SIM in your phone and log into their signal account if they’ve not set a Signal PIN. You don’t see message history but new messages to that person will go to you.

  • @Cocodapuf@lemmy.worldEnglish
    207 months ago

    Since when was sms ever secure? My understanding is that messages are sent in the clear, meaning your carrier and the recipient’s carrier both have the opportunity to intercept messages.

    I mean that’s the message content, not the authentication, but still, sms is the opposite of secure, always has been.

    • @brie@programming.devEnglish
      87 months ago

      Not true. SMS is encrypted in 3G, LTE, 5G. Block cyphers like Kasumi and A/9 are used. SMS is reasonably secure, because it’s hard to infiltrate telecom systems like S7

        • @brie@programming.devEnglish
          27 months ago

          Watch the video again to see how hard it was for Derrick to get access. He got it via his telecom/academia researcher contact.

      • @Abnorc@lemm.eeEnglish
        57 months ago

        It’s hard, but not hard enough from what I’ve been able to gather. We should want something better IMO. I’m surprised that TOTP isn’t more common.

        • @brie@programming.devEnglish
          47 months ago

          S7 will be retired or extended with access control. TOTP apps don’t work for edge cases like broken phone. Dedicated token devices get lost. SMS will continue being the main solution for 2FA.

          • @JasonDJ@lemmy.zipEnglish
            37 months ago

            Nah what we need is good privacy-focussed companies getting into the public IAM space.

            You know how you can sign into stuff with your Google or Facebook account? And get a 2FA push to your phone?

            Like that. Except by a company with a shred of ethics and morality. Like Proton.

            I do also think that we all should have a cryptographically secure federally issued identity for official uses such as signing documents or signing into financial accounts and other things that must use your official identity, and not an online pseudonym. Like SSN but on a smartcard. Basically CAC or ECA but for general civilian use.

            • @brie@programming.devEnglish
              17 months ago

              Proton is already used for identity management: OTP via email. They’ll implement OAuth if there’s enough demand for it. A company’s purpose is to be profitable, ethics side is largely irrelevant.

              Many countries already have digital government ID: Australia, Estonia, Russia.

              • @JasonDJ@lemmy.zipEnglish
                27 months ago

                A company’s purpose is to be profitable, ethics side is largely irrelevant.

                Maybe so, but companies such as Proton’s biggest asset is their reputation…a reputation of being privacy-focussed. Without that they are nothing, and they know that. As a result, they try to live up to that reputation as well as possible.

                Being as it was started by Sir Tim Berners-Lee (among some of CERN’s other founding fathers of the web) is just icing on the cake.

          • @HotChickenFeet@sopuli.xyzEnglish
            17 months ago

            You can use TOTP with multiple devices. For example with an app on your phone and something like KeePass on your laptop/desktop.

            Still not convenient since you don’t walk around with this in your pocket - but it doesn’t have to be just one point of failure.

              • @HotChickenFeet@sopuli.xyzEnglish
                27 months ago

                I agree, it’s not a perfect system. Even if you do have multiple devices - you may be locked out if you lose your phone while traveling, can have multiple failures.

                Although I don’t know what is remotely secure and is elderly friendly. Email or SMS 2FA would have been the closest in mind, but it’s not secure, and plenty of elderly struggle with both.

                • @brie@programming.devEnglish
                  27 months ago

                  Pedantic types always mention that secure is only relevant in the context of a particular threat model. The elderly can use hardware authentication like those RSA devices or ubikey. Unfortunately, this is expensive, and banks don’t believe there’s demand for that. Would you switch banks for this feature?

      • @john89@lemmy.caEnglish
        57 months ago

        because it’s hard to infiltrate telecom systems like S7

        cough You can pay a few grand and get access to SS7 networks.

        Might be out of reach for most of us, but we can rest assured that any and all security firms and goverrnment agencies have access to this information at a moment’s notice.

        • @brie@programming.devEnglish
          37 months ago

          Simply paying is not sufficient. You need to be a telecom company, or a researcher afaik.

          In what world would the US gov care to get into your bank account? Or your Facebook account when it’s already tightly controlled?