Re: [GTALUG] 2FA (Two Factor Authentication) -> TOTP (Time-limited One-Time Password)

On Mon, Oct 28, 2024 at 11:12:25AM +0200, ac via talk wrote:
> for the short term, personally, I rely on platforms and sites still supporting text messages; these are becoming fewer though and are being phased out.

I really hope they stop supporting text messages. It is the one method that is extremely insecure. SIM swapping is a huge problem making text messages something you really shouldn't be relying on for security at all.

-- Len Sorensen

On Mon, 28 Oct 2024 11:47:44 -0400 Lennart Sorensen <lsorense@csclub.uwaterloo.ca> wrote:
> On Mon, Oct 28, 2024 at 11:12:25AM +0200, ac via talk wrote:
> > for the short term, personally, I rely on platforms and sites still supporting text messages; these are becoming fewer though and are being phased out.
> I really hope they stop supporting text messages. It is the one method that is extremely insecure. SIM swapping is a huge problem making text messages something you really shouldn't be relying on for security at all.
Hmm, yes, I guess for .ca and for .us and many Five Eyes geos, SIM swaps are still a little problematic, but it is not 'extremely' insecure as you claim, just somewhat 'insecure' in terms of criminal activity. In .ca, SIM swap fraud is a tiny and very small fraction of total Internet fraud. In the entire USA it totals less than 100m and, except for a huge spike between '22 and '23, is on the DECLINE (as in getting less year to year in $ value).

In some other geos, criminals operating in this space are actually caught, and it is quite a challenging fraud, as you have to steal the entire identity and jump through a lot of hoops before you can succeed in performing a SIM swap. Even then you stand a good chance of being caught, as many geos have no way of doing SIM swaps except in person. In my current geo some providers use combinations of biometrics, including face recognition, fingerprints and other security measures (SIM swaps can only be done in person and could take many hours, as there are multiple levels of approvals in the provider itself).

But I do agree that text messages are not secure; they are transmitted in plain text by many operators and, depending on the device, are not secure at all.

The elephant in the room is that OTP and 2F provide no extra security on ONE device (where the password and the OTP/2F are on one device, one laptop or one PC). So this is MUCH less than having a dumb phone with OTP/2F, or a smart phone with Google Auth, or an external dongle or YubiKey or some such, and you are USING a different device on whatever platform, which has the password on that other device.

In my case, all different passwords for all different things, storing passwords using strong encryption on secondary storage, generating and changing to new passwords regularly and, only because the platform requires 2F or OTP, using a dumb phone with text messages for that, provides a lot more real security than anything else. Either way, all user security is only as secure as the platform itself...

For my own stuff I use my own stuff, as in I use a bag of onions and then some. I rely on myself, so my security is as secure as the platform provides.
participants (2)
- ac
- Lennart Sorensen