Shortened version of the ensuing attempt at phishing:
The SMS message with a password reset code (which actually comes from the bank), while claiming “we’ve sent you a code to verify you’re you”, is the slickest part here, I think.
My personal rule of thumb is that if I get an unsolicited call from a company that then asks me questions to “confirm who they are speaking to”, I ask them if I can call them back at one of the available contact numbers for the company. Doubly so for government agencies.
Honestly I would not have fallen for that just because I’m too lazy. That’s my safeguard - I’m lazy as shit. It’s probably not the best safety, but eh.
Somewhat related…
Most widely used other factor: SMS text
Not great, but better than no MFA.
How screwed you are if someone ports your number and takes all of your MFAs with them:
Really, really bad day ahead.
If you take a moment and stop and really think about it, it wouldn’t make sense for them to verify your identity this way (you answered your phone at the same number they’re texting; of course you can receive a text message at that number), but if everything else sounds on the up-and-up, that might only be obvious in hindsight.
For me, it’s that I’ve stopped answering the phone altogether for numbers that aren’t in my contacts. And lately I’ve been deleting messages without even listening to them. I’m sure I’ve missed legitimate calls, but I don’t care. The spammers/scammers have poisoned that well.
It seems like something should be better than nothing, but I’m increasingly less convinced of that with respect to SMS for two-factor authentication. It makes some of your accounts more secure, but it also makes your phone number that much more of a rich target, and puts you in the position of relying on your wireless carrier not to give the game away. Or maybe I’ve just read one too many SIM-swapping horror stories?
That being said, I’m definitely not a security expert. I do have to think about such things at work, however, and I find that the hardest part is trying to evaluate the relative risks when you have more than one option for mitigation, and those options have wildly different costs. It’s one thing to understand how an attack might work, but trying to figure out how likely you are to get burnt is a whole other realm of uncertainty.
To quote the great Lesley Carhart
“My threat model is not your threat model.”
Everyone needs to balance convenience and security.
Where offered, I’ve gone to using an authentication app. Still on my phone, but if someone ports my SIM, it isn’t the FIRST option for authentication.
Granted, the fallback is always, “Send SMS” so I’m probably just as screwed.
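What the authenticator app in the comment above actually does, as an added example (not code from anyone in this thread): a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation plus the server-side check. The code is derived only from a secret shared at enrolment and the current 30-second time step, so porting the phone number moves nothing; the catch the comment points at is that an SMS fallback puts the number back in as a way in. The secret below is the RFC 6238 test-vector key, not a real credential, and the account name and issuer are made up.

```python
"""
RFC 4226 HOTP and RFC 6238 TOTP, as used by authenticator apps.
Secret and names below are constructed for illustration (the secret is the
RFC 6238 test-vector key "12345678901234567890", not a real credential).
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits (RFC 4226, section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """TOTP = HOTP(K, floor(T / step)) (RFC 6238, section 4). No phone number involved."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_used: Optional[int] = None) -> Optional[int]:
    """
    Server-side check. Accepts the current step and `window` steps either side
    to tolerate clock skew, compares in constant time, and refuses to accept a
    step at or before `last_used` so a code that was phished out of the user
    cannot be replayed inside the skew window. Returns the matched step
    counter (to be stored as the new `last_used`) or None on failure.
    """
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if last_used is not None and c <= last_used:
            continue                                         # replay guard
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI an authenticator app scans (as a QR code) at enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    key = b"12345678901234567890"                            # RFC 6238 test key
    print(provisioning_uri(key, "alice@example.com", "ExampleBank"))
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "-> step", verify_totp(key, code, now))
```

The `last_used` counter is the piece most home-grown TOTP checks leave out: without it, a code obtained by the kind of "read me the code we just sent you" call described earlier stays valid for the whole skew window even after the legitimate user has used it.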
I tried to get work to bite off on YubiKeys as an option, but the people who would need to configure it are too overbooked to make it happen.
Yeah, I have two different authentication apps on my phone for various work systems, but they’ve never failed so I’m genuinely not sure if we allow SMS as a fallback method.
My personal stuff is a lot less sophisticated, and sometimes the convenience/security balance tilts decidedly analog. YubiKeys look cool, but I haven’t gotten around to trying one out, yet. My main security concern would be losing it, I think.