Bitcoin Forum
May 06, 2024, 02:09:17 PM
Pages: « 1 [2]  All
Topic: For All Of You That Still Think SMS For 2FA For Wallets Is Or Was Safe.
Welsh
Staff, Legendary
October 06, 2021, 09:22:38 PM
#21

Was actually thinking while driving home, how difficult would it be for an exchange (or bank) to have a 2FA app that is tied to a phone or device by IMEI or serial number.
I don't actually know what privileges apps have on which mobile OS, but I think that could help a lot of security issues.
If you're using a recent version of Android then it needs to specifically request, and be granted, the privileges. I can't actually verify that, though, since I use custom operating systems on my phone, which have this ability; I'm pretty sure that since Android 10 you have to give permissions for most things.

Although, I'm pretty sure it's relatively easy to spoof an IMEI number, and you shouldn't really be giving it out if you don't want to open yourself up to attacks via that method, or be identified through the IMEI. Most apps, if not all non-system applications, shouldn't have access to it.

I can't speak for Apple or any other variation of operating systems for mobiles. However, for anything involving Bitcoin, especially when you're acting as your own bank, you should probably be looking for the most secure way possible, so physical isolation and using a hardware key would be the best approach. I personally wouldn't recommend using something like your phone that you use for other things, and could potentially be compromised through negligence. For example, I've seen Android users be very negligent in the permissions they give to applications, even with the improved permissions system that custom operating systems have, and I believe the latest Android versions.
n0nce
Hero Member
October 06, 2021, 09:34:16 PM
#22

I can't speak for Apple or any other variation of operating systems for mobiles.
Let's be honest, anything outside of Android and iOS is dead in terms of mobile OS.

From my knowledge of iOS programming, it's not trivial. An app can identify a device, but that identifier is bound to the application, so different applications see different identifiers, which is good for privacy. There is no way to extract the IMEI via an app.
Given the above, there's no single value that uniquely identifies an iOS device, now and forever, across unrelated apps.
However, it might be enough to have this application- and device-bound ID for this use case. I'm not 100% sure about what the attacker model is, though.

o_e_l_e_o
In memoriam, Legendary
October 07, 2021, 09:05:52 AM
#23

This is something I'm actually incredibly passionate about; compartmentalization either via physical breaks
Speaking of banks, I know there are some which offer using your debit card as a 2FA method. You either connect up a card reader via USB to your computer to prove possession of the debit card, or your card reader uses your debit card as the shared secret to produce a 2FA code, before you are allowed to log in to your online bank account. It's a nice solution since it is effectively a hardware key but using something that everyone has in their possession already.

I personally wouldn't recommend using something like your phone that you use for other things, and could potentially be compromised through negligence. For example, I've seen Android users be very negligent in the permissions they give to applications, even with the improved permissions system that custom operating systems have, and I believe the latest Android versions.
Another bugbear of mine. Everyone should go into the app permissions settings on their phone and just look at what apps are accessing what. Tell me why Facebook needs access to your microphone? Or why WhatsApp needs access to your location? Or why some random wallet app needs access to all your files? It's a huge privacy and security risk. The same applies to browser extensions. The fewer apps and extensions you install, the better.

If you are going to use an authenticator app as your 2FA method, then ideally it should be on an old phone after you reset it to factory settings, remove all the bloatware, and turn off all connectivity.
DaveF (OP)
Legendary
October 07, 2021, 11:50:31 AM
#24

This is something I'm actually incredibly passionate about; compartmentalization either via physical breaks
Speaking of banks, I know there are some which offer using your debit card as a 2FA method. You either connect up a card reader via USB to your computer to prove possession of the debit card, or your card reader uses your debit card as the shared secret to produce a 2FA code, before you are allowed to log in to your online bank account. It's a nice solution since it is effectively a hardware key but using something that everyone has in their possession already.

American Express had something like that over 20 years ago:
https://bits.blogs.nytimes.com/2008/12/05/a-credit-card-loses-its-high-tech-cred/
Almost nobody used it at the time.

I would not mind if the NFC/RFID in my phone needed a card to activate some things.
Would kind of be nice, you get a phone it comes with "X" number of cards. On top of PIN / fingerprint / faceID / whatever you can have some security things tagged to the card.

As for why some things need access to parts of your phone data, there are a few reasons.
The biggest one I see is crappy coders re-using parts of code or just using pre-packaged things.

My door access app does not need access to the speaker & microphone, but it does need the camera & NFC. The people who wrote it bought a package called media access that wants access to all 4, just so they did not have to write something that can get camera & NFC access.

-Dave

Welsh
Staff, Legendary
October 07, 2021, 08:37:00 PM
Merited by Pmalek (1)
#25

Let's be honest, anything outside of Android and iOS is dead in terms of mobile OS.
Pretty much. I wouldn't recommend any other operating system to anyone, and the beauty of it is that there are various open source ROMs out there for all your customization needs, without needing to root your phone, whether you want a custom ROM for the customization it offers aesthetically or for the added functionality. As far as I know, Apple doesn't allow you to do this without rooting the phone, which is a security risk in itself, at least if it isn't used correctly and carefully managed.

Speaking of banks, I know there are some which offer using your debit card as a 2FA method. You either connect up a card reader via USB to your computer to prove possession of the debit card, or your card reader uses your debit card as the shared secret to produce a 2FA code, before you are allowed to log in to your online bank account. It's a nice solution since it is effectively a hardware key but using something that everyone has in their possession already.
Yeah, my old bank used to have this facility. It kind of looked like a hardware wallet, except it had numbers directly on it, rather than using an interface like Trezor does. I do prefer Trezor's approach, though banks might have significantly improved these days.
ABCbits
Legendary
October 08, 2021, 11:26:39 AM
Merited by DaveF (2)
#26

Let's be honest, anything outside of Android and iOS is dead in terms of mobile OS.
Pretty much. I wouldn't recommend any other operating system to anyone, and the beauty of it is that there are various open source ROMs out there for all your customization needs, without needing to root your phone, whether you want a custom ROM for the customization it offers aesthetically or for the added functionality. As far as I know, Apple doesn't allow you to do this without rooting the phone, which is a security risk in itself, at least if it isn't used correctly and carefully managed.

Since you mentioned open source, there are a few Linux-based OSes (not Android) for mobile devices, such as PureOS (https://pureos.net/). AFAIK the security is comparable with Android, but it's not an option for most people due to the lack of applications.

Thomas29
Member
December 12, 2021, 02:45:32 AM
#27

As Welsh said:

"You could go as far to say that a device on the same network could become a problem if you're trying to use two factor authentication, though I think I'll leave that for another day."

What is one to do regarding this?
Pmalek
Legendary
December 12, 2021, 07:36:43 AM
#28

What is one to do regarding this is?
About a possible threat because one uses the same network? I assume we are talking about internet networks. Instead of one, use two different internet networks. Don't connect your phone to the same network that your computer is connected to. You could use your mobile data, for example, when you want to access your 2FA codes instead of Wi-Fi.

o_e_l_e_o
In memoriam, Legendary
December 12, 2021, 10:26:42 AM
#29

You could use your mobile data, for example, when you want to access your 2FA codes instead of Wi-Fi.
Better still: your phone does not need an internet connection for a good 2FA app to generate the correct codes. All it needs to do is have the shared secret (which can be entered either by scanning the QR code or by entering the 16-character backup code), and the correct time (which you can adjust manually if your phone is out of sync). If you want to be extra secure with a phone, then use one on permanent flight mode to store your 2FA app. If you want to be more secure than that, then do away with the phone altogether and use a hardware key.
DaveF (OP)
Legendary
December 28, 2021, 03:59:46 PM
#30

Just a bit of a bump and a note for all those people who use RFID for security things like doors, elevators and such:
https://twitter.com/jjx/status/1475493289021292551

Nope, that is not secure either. If you thought you could control access to your stuff, through access control devices, make sure they are up to the task.
Just one more thing to think about as you try to make your life more secure.

-Dave

Kakmakr
Legendary
January 12, 2022, 11:53:07 AM
#31

I think the biggest threat to SMS verification linked to 2FA has always been a SIM swap, and this is something that is happening a lot in my country. The banks and other financial institutions are struggling with the exact same problem. There are syndicates working inside mobile phone operators that will assist these criminals to do SIM swaps, and that is difficult to stop.

In most cases, these syndicates cannot swap the SIM card whilst your phone is operational, so they find ingenious ways to get you to reboot or to switch off your phone, so that your cloned SIM card can be linked to another phone. (Tip: do not switch off your phone if you are being harassed to do it.)

PrimeNumber7
Copper Member, Legendary
January 16, 2022, 10:03:55 AM
#32

2FA should be mandatory on all your online accounts which hold anything sensitive or valuable, especially any accounts holding bitcoin. But that 2FA should never be either SMS or email based.
Some services will email you a PGP-encrypted 2FA code. So an adversary would need to access both your email and have access to your (unencrypted) PGP key. Generally speaking, this will be just as good as using Google Authenticator, if you keep both keys similarly safe.

Just a bit of a bump and a note for all those people who use RFID for security things like doors, elevators and such:
https://twitter.com/jjx/status/1475493289021292551
They can probably also make a copy of your private keys if you give them physical access to them.

Keep in mind that something like an RFID badge can be trivially deactivated. If an RFID badge gives a person access to an especially sensitive location, you can track access times to try to detect if it appears that a badge was duplicated, or is being used by more than one person. Also, some RFID badges will only let you "out" of a door if you have "entered" a set of doors last, and will only let you "in" a door if you have last "entered" a door without exiting the door.
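The two detections the post above suggests, as an added example that is not part of the thread and not taken from any access-control product: replaying a badge reader log per badge to flag anti-passback violations (an entry while already inside, or an exit with no recorded entry) and to flag a badge that appears at two different doors faster than a person could walk between them, which is what a duplicated badge looks like in the log. The log format, door names, badge ids and the 120-second travel threshold are all constructed assumptions for this example.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample access-control log; the format, badge ids and door names are
# assumptions for this example (real controllers export their own formats).
SAMPLE_LOG = """\
2022-01-16T08:00:00 badge=B-1001 door=lobby-A dir=IN
2022-01-16T08:00:45 badge=B-1001 door=dock-B dir=IN
2022-01-16T08:05:00 badge=B-2002 door=lobby-A dir=IN
2022-01-16T08:05:30 badge=B-2002 door=lobby-A dir=OUT
2022-01-16T08:06:00 badge=B-2002 door=lobby-A dir=IN
2022-01-16T12:30:00 badge=B-1001 door=lobby-A dir=OUT
2022-01-16T12:31:00 badge=B-3003 door=lobby-A dir=OUT
"""

LINE_RE = re.compile(r"^(\S+) badge=(\S+) door=(\S+) dir=(IN|OUT)$")

# Assumed minimum plausible time for one person to reach a different door (seconds).
MIN_TRAVEL_SECONDS = 120


def parse_log(text: str) -> List[dict]:
    """Parse reader events and order them by time; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, badge, door, direction = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "dir": direction})
    events.sort(key=lambda e: e["time"])
    return events


def audit(events: List[dict]) -> List[dict]:
    """Replay events per badge. Every badge is assumed to start outside the perimeter."""
    state: Dict[str, str] = {}   # badge -> "inside" | "outside"
    last: Dict[str, dict] = {}   # badge -> previous event for that badge
    findings = []
    for ev in events:
        badge = ev["badge"]
        cur = state.get(badge, "outside")
        # Hard anti-passback: IN is only valid from outside, OUT only from inside.
        if ev["dir"] == "IN" and cur == "inside":
            findings.append({**ev, "rule": "anti-passback", "detail": "IN while already inside"})
        elif ev["dir"] == "OUT" and cur == "outside":
            findings.append({**ev, "rule": "anti-passback", "detail": "OUT without recorded entry"})
        # Duplicate-badge heuristic: same badge at two different doors implausibly quickly.
        prev = last.get(badge)
        if prev and prev["door"] != ev["door"]:
            gap = (ev["time"] - prev["time"]).total_seconds()
            if gap < MIN_TRAVEL_SECONDS:
                findings.append({**ev, "rule": "possible-duplicate",
                                 "detail": f"{ev['door']} {gap:.0f}s after {prev['door']}"})
        # Record what the reader saw, whether or not the door should have opened.
        state[badge] = "inside" if ev["dir"] == "IN" else "outside"
        last[badge] = ev
    return findings


def audit_text(text: str) -> List[dict]:
    return audit(parse_log(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_LOG):
        print(f"{f['time'].isoformat()} {f['badge']} {f['rule']}: {f['detail']}")
```

On the sample log this reports B-1001 twice at 08:00:45 (inside twice, and at a second door 45 seconds later) and B-3003 leaving through a door it never entered; B-2002, which alternates cleanly at one door, produces nothing. In a real deployment the travel threshold would be per door pair and the baseline state would come from the previous day's close, but the two rules are the same.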