Bitcoin Forum
Author Topic: For All Of You That Still Think SMS For 2FA For Wallets Is Or Was Safe.  (Read 365 times)
DaveF (OP)
Legendary

Activity: 3458
Merit: 6235


October 04, 2021, 07:34:58 PM
Merited by Welsh (12), o_e_l_e_o (4), RickDeckard (2), Pmalek (1), BlackHatCoiner (1), 20kevin20 (1), n0nce (1)
 #1

It never was. And no matter how much you want to think otherwise YOU were probably part of this breach.
That's correct, billions of messages over 5 years.

https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked

Quote
The company wrote that it discovered the breach in May 2021, but that the hack began in May of 2016.

Go ahead, send nudes to your partner. I'll just download them and look at them later. I am busy taking some money out of your accounts at the moment.

-Dave


BrianH
Sr. Member

Activity: 280
Merit: 252


October 04, 2021, 07:55:45 PM
 #2

Signal for messages. Doesn't protect your wallet, though. This is proof that 2FA is just annoying.

shield132
Hero Member

Activity: 2198
Merit: 848



October 04, 2021, 11:31:48 PM
 #3

It's not 100% safe and that has been proven, but that doesn't mean that it's not better than nothing. I have also read back in 2018 that there was something wrong with PGP and it was crackable. Can't claim the actual title to be fair, but I remember that the article was stating that PGP isn't a safe option.
We live in the era of IT and we are still new in it; it's full of surprises and will be even more so!

That's not the end! Can you remember how secure houses were decades ago? And can you recall how secure they are right now? There is a huge difference, right? In the past you could burn any house; right now elite houses have superior protections. Again, it's not the end! Very sad, but what's done is done. 2FA is better than nothing; if someone hacks our account, I hugely, hugely doubt that it will be a person who had access to that company's database.

20kevin20
Legendary

Activity: 1134
Merit: 1597


October 05, 2021, 12:05:04 AM
 #4

Let's not even mention those "hacks" done with the actual help of carriers by replacing the real owner's SIM card with a perpetrator's new one as well. SIMs are never safe. I think that anything going through a centralized method is going to have a flaw found sooner or later. Just the fact that those carriers know your 2FA before actually sending it to you is scary enough. Use offline as much as possible for security, and by offline I mean anything that sits only in your local storage and never communicates with external servers/satellites/whatever.
HCP
Legendary

Activity: 2086
Merit: 4316



October 05, 2021, 01:24:19 AM
 #5

Sim swapping has been an issue forever.

It still bothers me that there are services that insist on using either email or SMS as part of a 2FA system, as they're so easily exploitable. I really wish more services would use TOTP as standard. While not perfect, it is much better than email or SMS.

pooya87
Legendary

Activity: 3430
Merit: 10504



October 05, 2021, 03:52:40 AM
 #6

Can't claim the actual title to be fair but remember that the article was stating that PGP isn't safe option.
Interesting, but in my experience these insecurities are almost always related to the implementation of the algorithm, not the algorithm itself. Otherwise the underlying cryptography is secure: it uses RSA and ECC, and the latter is basically what we are using in Bitcoin too and is secure when used correctly (choose a secure EC curve, a strong hash algorithm, etc.).

o_e_l_e_o
In memoriam
Legendary

Activity: 2268
Merit: 18507


October 05, 2021, 09:33:34 AM
Merited by Welsh (10), BlackHatCoiner (2)
 #7

It's not 100% safe and that has been proven but that doesn't mean that it's not better than nothing.
It actually might mean it's not better than nothing. In the case of the recent Coinbase hack, due to a vulnerability in their SMS system, attackers who could intercept users' SMS messages (which we know is very easy to do) were able to gain access to their Coinbase accounts and steal all their coins.

2FA is better than nothing, if someone hacks our account
2FA should be mandatory on all your online accounts which hold anything sensitive or valuable, especially any accounts holding bitcoin. But that 2FA should never be either SMS or email based. As we've seen, SMS messages are sent unencrypted through an unknown number of intermediaries before they reach you, can be intercepted at any point along the way, and your phone number can easily be transferred to an attacker with a SIM swap attack. Email also isn't secure, as if someone compromises your email account then they can both reset your exchange account password and receive any 2FA email, meaning both your factors have the same single point of failure. 2FA should be at a minimum a 2FA app, preferably on a phone you never use to access the accounts in question (since again, if an attacker unlocks your phone, they can log in to your account through the saved credentials and access the relevant 2FA code, meaning both your factors have the same single point of failure). The best option is to use a hardware key such as a yubikey. Some hardware wallets also offer this function.
n0nce
Hero Member

Activity: 882
Merit: 5814




October 05, 2021, 03:15:37 PM
 #8

Oh, well, SMS based 2FA should not be used anyway. I was under the assumption that it's insecure and not to be used for years.
If you use something like FIDO U2F your chances are better.
However, no system is 100% secure, and almost everything will probably be hacked sooner or later. Even with a perfectly secure cryptosystem, you'll have flaws in the implementation for example.
I don't see how 2FA is used in a wallet though. Would this be for online wallets? Because those shouldn't be used in the first place either.

Pmalek
Legendary

Activity: 2744
Merit: 7105



October 05, 2021, 03:41:59 PM
Merited by pooya87 (2), DireWolfM14 (1)
 #9

I have also read back in 2018 that there was something wrong with PGP and it was crackable. Can't claim the actual title to be fair but remember that the article was stating that PGP isn't safe option.
I guess you read something about the EFAIL vulnerability like it's explained in this article.

According to the article, it is possible to decrypt a PGP encrypted email if it gets intercepted or stolen from a computer or a server. But to do that, a custom HTML modification would need to be inserted in the encrypted email before it gets sent back to the attacker. If performed successfully, this tricks the email software into sending an unencrypted version of the encrypted email back to the attackers. The problem lies in the email clients, and not directly in PGP. The article mentions Outlook and Thunderbird as two email clients vulnerable to this type of attack. At least they were back in 2018.

The article suggests a mitigation technique. Disable HTML rendering in your email software.

DaveF (OP)
Legendary

Activity: 3458
Merit: 6235


October 05, 2021, 03:43:30 PM
 #10

Oh, well, SMS based 2FA should not be used anyway. I was under the assumption that it's insecure and not to be used for years.
If you use something like FIDO U2F your chances are better.
However, no system is 100% secure, and almost everything will probably be hacked sooner or later. Even with a perfectly secure cryptosystem, you'll have flaws in the implementation for example.
I don't see how 2FA is used in a wallet though. Would this be for online wallets? Because those shouldn't be used in the first place either Grin

Exchanges use 2FA all the time. Some use Google or similar, many use SMS.
And even if you live by the "don't leave your coins on an exchange" idea, if you do want to move fiat in and out or do trading, you are going to use one sooner or later.

On top of that, no matter how you look at it, it's really surprising that a hack of this magnitude went on for so long and nobody is really talking about it.

-Dave

n0nce
Hero Member

Activity: 882
Merit: 5814




October 05, 2021, 05:20:10 PM
 #11

Oh, well, SMS based 2FA should not be used anyway. I was under the assumption that it's insecure and not to be used for years.
If you use something like FIDO U2F your chances are better.
However, no system is 100% secure, and almost everything will probably be hacked sooner or later. Even with a perfectly secure cryptosystem, you'll have flaws in the implementation for example.
I don't see how 2FA is used in a wallet though. Would this be for online wallets? Because those shouldn't be used in the first place either Grin

Exchanges use 2FA all the time. Some use Google or similar, many use SMS.
And even if you live by the "don't leave your coins on an exchange" idea, if you do want to move fiat in and out or do trading, you are going to use one sooner or later.
Ahh right, so with 2FA for wallets you mean 2FA for exchanges. I didn't know they still allow using SMS for 2FA; that's really bad, and it shouldn't be changed today, it should actually have been changed years ago!

On top of that, no matter how you look at it, it's really surprising that a hack of this magnitude went on for so long and nobody is really talking about it.
I agree, most people are more worried about Facebook being down for a few hours than about their 2FA setups.

stompix
Legendary

Activity: 2870
Merit: 6270




October 05, 2021, 05:42:51 PM
Merited by PrimeNumber7 (1)
 #12

2FA should be mandatory on all your online accounts which hold anything sensitive or valuable, especially any accounts holding bitcoin. But that 2FA should never be either SMS or email based. As we've seen, SMS messages are sent unencrypted through an unknown number of intermediaries before they reach you, can be intercepted at any point along the way, and your phone number can easily be transferred to an attacker with a SIM swap attack.

Intercepting is one thing; matching it with the account in question is a different thing altogether for a service that receives hundreds of logins per minute and routes them through different providers, like the large exchanges or banks. You are simply looking at lists and lists of codes; you also need to know the phone number of the victim, the password, the login. Of course, SMS 2FA is not really the best choice, but it's way better than nothing, and let's be clear, at this point there is only speculation that hackers had access to the content of the messages: one random source said the hackers could have gained access, not that they did.

Others have taken this to another level: my bank asks for a security PIN every time I change the IP from which I log in, even for the app. That one can't be changed and the option can't be removed unless you go to a physical bank and submit a request, unlike the 6-digit 2FA that is used only to validate transactions.

suzanne5223
Hero Member

Activity: 2604
Merit: 650




October 05, 2021, 07:53:07 PM
 #13

This sheds more light on how the SIM splitting scammer was able to scam their victim, because I once thought it was an error by a crypto holder who set 2FA that led to their wallet/account being hacked.

[snip]
 I really wish more services would use TOTP as standard. While not perfect, they are much better than email or SMS.
In my view, TOTP is also not better since most TOTPs are sent as SMS.

o_e_l_e_o
In memoriam
Legendary

Activity: 2268
Merit: 18507


October 05, 2021, 07:59:13 PM
 #14

Intercepting is one thing, matching it with the account in question is a different thing altogether for a service that receives hundreds of logins per minute
Easily done if the user's details have been part of a database leak from the exchange or from any other site where they have signed up using their email address and phone number in the same account. And then you can potentially exploit an SMS account recovery process as was done in the Coinbase hack.

In my view, TOTP is also not better since most TOTP are send as SMS.
Most TOTP are generated using an authenticator app such as Aegis, andOTP, or (shudder!) Google Authenticator. And regardless, TOTP refers only to the process of generating the code, which is completely secure provided you don't leak the shared secret. It is the mode of delivery - SMS instead of on an app - which is insecure.
DireWolfM14
Copper Member
Legendary

Activity: 2170
Merit: 4237




October 06, 2021, 03:16:46 PM
 #15

Once upon a time there was a bitcoin mixer that used PGP to generate a one-time password. I can't remember their name (Bitcoin Blender?), but they shut down a couple of years ago when there was a law enforcement crackdown on mixers. I thought that was probably the most secure 2FA process I had ever used.

PGP may not be ready for main-stream adoption, or maybe it's more accurate to say that the "Main-Stream" aren't ready for PGP adoption, but this is crypto! You would think that more businesses involved in crypto would at least provide PGP as one of the 2FA options. I can't wait for the day when MainStreet Bank implements PGP security options for those of us who use it.

DaveF (OP)
Legendary

Activity: 3458
Merit: 6235


October 06, 2021, 03:31:13 PM
Merited by o_e_l_e_o (4), vv181 (1)
 #16

Once upon a time there was a bitcoin mixer that used PGP to generate a one-time password. I can't remember their name (Bitcoin Blender?), but they shut down a couple of years ago when there was a law enforcement crackdown on mixers. I thought that was probably the most secure 2FA process I had ever used.

PGP may not be ready for main-stream adoption, or maybe it's more accurate to say that the "Main-Stream" aren't ready for PGP adoption, but this is crypto! You would think that more businesses involved in crypto would at least provide PGP as one of the 2FA options. I can't wait for the day when MainStreet Bank implements PGP security options for those of us who use it.

For a while my bank REQUIRED their phone app to be able to log into their web portal.
Don't know if it really was secure or how the phone app worked, but it seemed like a good idea.

Phone apps are really the downfall of a lot of security, Google auth, Authy, Email, SMS whatever since for too many people your phone does have it all.

Going back to the Coinbase hack.
Let's assume that to change your CB password or do certain transactions you need ALL of the following

1) Email access
2) Google / Authy access
3) SMS access

Raise your hands if all of those are on one device.

PGP works to a point, but too many people use it and assume they are safe, when if the PC that you have it on is compromised it's just as bad as any other authentication. Could be worse, if you are doing everything on that 1 PC.

For your own wallet, a HW wallet is the only way to go. For 2FA stuff, there are only going to be 'less bad' answers. I can't really think of a good one.

-Dave

DireWolfM14
Copper Member
Legendary

Activity: 2170
Merit: 4237




October 06, 2021, 05:08:50 PM
Merited by o_e_l_e_o (4), DaveF (3)
 #17

Once upon a time there was a bitcoin mixer that used PGP to generate a one-time password. I can't remember their name (Bitcoin Blender?), but they shut down a couple of years ago when there was a law enforcement crackdown on mixers. I thought that was probably the most secure 2FA process I had ever used.

PGP may not be ready for main-stream adoption, or maybe it's more accurate to say that the "Main-Stream" aren't ready for PGP adoption, but this is crypto! You would think that more businesses involved in crypto would at least provide PGP as one of the 2FA options. I can't wait for the day when MainStreet Bank implements PGP security options for those of us who use it.

For a while my bank REQUIRED their phone app to be able to log into their web portal.
Don't know if it really was secure or how the phone app worked, but it seemed like a good idea.

Phone apps are really the downfall of a lot of security, Google auth, Authy, Email, SMS whatever since for too many people your phone does have it all.

A centralized phone app controlled by the organization, sending encrypted data could be a good solution.  If you're already doing business with the organization your trust is implied.  It's certainly more secure than using SMS or email 2FA.  The only trouble is if you lose your phone, you're screwed.

Going back to the Coinbase hack.
Let's assume that to change your CB password or do certain transactions you need ALL of the following

1) Email access
2) Google / Authy access
3) SMS access

Raise your hands if all of those are on one device.

PGP works to a point, but too many people use it and assume they are safe, when if the PC that you have it on is compromised it's just as bad as any other authentication. Could be worse, if you are doing everything on that 1 PC.

For your own wallet, a HW wallet is the only way to go. For 2FA stuff, there are only going to be 'less bad' answers. I can't really think of a good one.

-Dave

*Hand Raised.  As o_e_l_e_o is apt to do, he gave some really good advice about using multiple devices.  Most of us here are aware of many security pitfalls that we face every day, yet we continue to take shortcuts for the sake of convenience.  It's a choice we all need to make for ourselves.

o_e_l_e_o
In memoriam
Legendary

Activity: 2268
Merit: 18507


October 06, 2021, 07:14:26 PM
Last edit: October 06, 2021, 07:37:41 PM by o_e_l_e_o
Merited by DireWolfM14 (1), vv181 (1)
 #18

Raise your hands if all of those are on one device.
*Hand Raised.
Heh. At least you're honest.

This is a key thing that a lot of people, maybe even most people, don't appreciate with 2FA. It must require the compromise of two different factors to actually be 2FA. If you think of the second factor as just an additional password or something like that, then why not just set two passwords and store them both in the same password manager? If both your password and your 2FA can be compromised by the compromise of a single physical device or a single email account, then it isn't 2FA at all.

Do you log in to your exchange account from your phone, and have the login details saved in your phone's browser or password manager? If so, then anything involving that phone is not a second factor, be that SMS, receiving emails to that phone, or a 2FA app on that phone.* If you log in from your computer, then receiving emails to an account you also log in from the same computer is not secure. This is part of the reason that a hardware key is such a good 2FA method, because it is by design a second factor, and cannot possibly be part of a single point of failure (unless you do something stupid like leave it permanently plugged in to your laptop).

*This is all obviously separate from the fact that SMS is never secure as a 2FA method.
Welsh
Staff
Legendary

Activity: 3248
Merit: 4110


October 06, 2021, 08:02:04 PM
Merited by o_e_l_e_o (4), DaveF (3), pooya87 (2), Pmalek (2), Thomas29 (1)
 #19

To this day, banks are using two factor authentication (2FA) as a way of securing your bank account, i.e. authorising who can log in, send payments, and whatever else you can do with a bank account these days. The fact that they even offer this should have you questioning the true security of banks; it's often said that security specialists have a stronger and more secure network at home than many of the workplaces they work in, even government based ones.

Plus, the fact is that you can take control of your money completely, without actually making it any less insecure, in fact you can make your money more secure with Bitcoin. This is something that I've tried explaining over the years to anyone who said that I wouldn't be as qualified as a multi billion pound bank securing my money, but despite trying to explain, they never really grasp the idea of storing your money inside an address that was generated offline, the fact that you can get air gap computers, use non digital ways of key generation, and there's a whole lot of headaches when you try, and explain it this way. However, bringing up the issue with 2FA with SMS, and the fact that banks are still using this today, could be a way of explaining the security flaws in traditional banks, and how they could actually make it more secure by securing the money themselves inside Bitcoin, whether or not they intend on using it as a currency or a reserve doesn't matter for this point (ignoring volatility).  

This is part of the reason that a hardware key is such a good 2FA method, because it is by design a second factor, and cannot possibly be part of a single point of failure (unless you do something stupid like leave it permanently plugged in to your laptop).
This is something I'm actually incredibly passionate about: compartmentalization either via physical breaks, i.e. completely different computers, or virtualisation via Qubes OS. You could potentially come up with a decent 2FA method via Qubes OS, and depending on your threat model that could suffice. However, I would always recommend physical isolation whenever possible. You could go as far as to say that a device on the same network could become a problem if you're trying to use two factor authentication, though I think I'll leave that for another day.

*Hand Raised.
It almost always comes down to convenience. I'll use the cliché saying: the human is the point of failure. That's true for almost everything I can imagine; there are ways to secure your Bitcoin, accounts or whatever you want, however the vast majority, even those that are security conscious, ignore it, simply due to it being not convenient.

It all comes down to the risk associated, and your personal threat model as I mentioned above. If you are a pretty low target, aren't someone famous, then you're unlikely to be targeted, and that might be a reason to lower your threat model. That's just one of the examples I could think of off the top of my head, but I'm sure there's plenty more.

I think each and every one of us at some point has ignored some sort of security concern; this might be due to laziness, not fully understanding the issue at hand or simply because you didn't deem the risk high enough to take action.

I absolutely second the idea of a hardware key though. It's specifically designed for it, and it somewhat removes the inconvenience that you might run into with other methods.
DaveF (OP)
Legendary

Activity: 3458
Merit: 6235


October 06, 2021, 09:06:29 PM
 #20

...It almost always comes down to convenience. I'll use the cliche saying of; the human is the point of failure. That's true for almost every thing I can imagine, there are ways to secure your Bitcoin, accounts or whatever you want, however the vast majority, even those that are security conscious ignore it, simply due to it being not convenient....

Or we are humans and do stupid things now and then. What I did at the beginning of the year:

So...I screwed up a bit...
Yesterday I had to PM Hhampuz to change the payout address for me in the campaign I am in that he is managing.


Hey Dave!

Updated the addy, what did you do?

Best,
Hhampuz

I have to leave my phone with security when I go into certain areas for one of our clients. Nothing exciting just legal records but, they don't want you to be able to take pictures.

Was moving BTC when the guard came to escort me in and I left my phone at the guard station.....unlocked and with the wallet authenticated. Just dropped it in the tray and walked away. Total idiot move. Anybody at the guard station could have gotten to the private keys in about 10 seconds.

That's why I am always saying don't leave more funds in a mobile wallet than you are ready to lose. Because sooner or later you are going to screw up.

I'm 99.999% sure it's safe. To be sure I am going to move everything out later hopefully when fees drop a little overnight.

-Dave

I guess that brings up the next point; we have to make sure it's drilled into new users' heads: you are usually your own worst enemy.
No harm done, except I lost a bit in TX fees since I had to move BTC for no reason when fees were higher, but still. I have my phone protected with PIN & fingerprint. I have the app protected with a different PIN and I still could have lost money.

And if I didn't realize that *I* left everything unlocked when I handed the phone over, and I did lose money, I would have been wiping the phone and going insane trying to figure out how the hell it happened.

-Dave

Was actually thinking while driving home, how difficult would it be for an exchange (or bank) to have a 2FA app that is tied to a phone or device by IMEI or serial number.
I don't actually know what privileges apps have on which mobile OS, but I think that could help a lot of security issues. You would need a semi secure way of installing it. But beyond that it should work. Even if someone clones your device they would still need to get by the initial secure installation issue, which should be obvious. Say an automated phone call, followed by a 48 hour timeout before anything could be switched.

-Dave
