undefined | Better HN

0 pointsomginternets9y ago0 comments

I can make the same argument for 2FA: social engineering can defeat it, or I can turn to some other attack vector.

This isn't to say that 2FA doesn't add security. The point is rather twofold:

1. with a little extra attention, I can secure my system without 2FA and achieve comparable security

2. it's absolutely scandalous that the proverbial well has been poisoned and we are, by virtue of the fact that extra attention is required and that most people won't put in the work, in a less secure state. Again, this is due to the irresponsible data-policy of the overwhelming majority of service providers.

So again: 2FA is a valid security layer, but I'll pass. :/

0 comments

6 comments · 1 top-level

snowwolf9y ago· 5 in thread

> with a little extra attention, I can secure my system without 2FA and achieve comparable security

How? Lets play devils advocate here and pretend your email is compromised (account takeover or redirect). What have you done on any of the services you use that has given you comparable security to enabling 2FA on them that now prevents the attacker from resetting your password?

omginternetsOP9y ago

>How?

By hardening your email server. Yes, assuming the email server is compromised implies a compromised system in this scenario, but that is tautological and therefore uninteresting.

The extra attention should go towards hardening the weak link, in this case the email server that, de facto, provides authentication services.

Server hardening is a vast topic, so I leave it as an exercise for the reader to research what can be done. Surely you don't deny that "a little extra attention" to server configuration can provide additional security without necessarily resorting to 2FA?

But again, 2FA is valid security, so why not host it yourself? I have nothing against 2FA in principle, but I don't trust Google, Github, Facebook et al with my phone number.

While we're on the subject, the inherent insecurity of the SMS protocol should also be weighed in any serious endorsement of phone-based 2FA: http://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-...

snowwolf9y ago

So you're running your own DNS server then too right? A hardened email server doesn't prevent a targeted attacker from just redirecting your mx records (as happened to OP).

> but I don't trust Google, Github, Facebook et al with my phone number

Github doesn't require a phone number to use 2FA. And if you don't trust Google or Facebook with your phone number then that means you don't use either of them at all? Because otherwise holding back your phone number from them is a rather pointless exercise as they already know everything about you [1]

[1] https://en.wikipedia.org/wiki/AOL_search_data_leak

omginternetsOP9y ago

I'm assuming a setup similar to that of the OP's.

>And if you don't trust Google or Facebook with your phone number then that means you don't use either of them at all?

More or less. Email I can handle, and there's stuff I stupidly gave up in the past, but I see no reason to provide them with additional info.

>Github doesn't require a phone number to use 2FA

Are you referring to the application? That might be a fair compromise depending on what kinds of permissions the application requires.

>A hardened email server doesn't prevent a targeted attacker from just redirecting your mx records (as happened to OP).

What on earth are you on about? Of course it does. The OP had a crappy password, which is about as fundamental as it gets with regards to server hardening...

2 more replies

redbeard0x0a9y ago

Having a hardened email server and good passwords does nothing for your security if the attacker targets and takes over either:

* Your DNS Records - MX records point to your email server, the attacker just changes the record to point to their email server, taking your hardened email server out of the loop.

* Your Domain Registrar - the attacker can just change your DNS records to point to their own DNS servers (with their own MX records pointing to their own email server).

Do you trust your DNS provider is completely secure from hacking and social engineering?

Do you trust your Domain registrar to adequately secure their systems from hacking and social engineering? Remember, you only pay them ~$10/year for your domain.

catwell9y ago

In theory, if the receiving end enforces TLS and if the sending end checks that the certificate is valid for the domain, you don't need to trust the DNS or the registrar. But nobody does that, and you still have to trust the sender.

j / k navigate · click thread line to collapse

0 comments

6 comments · 1 top-level

snowwolf9y ago· 5 in thread

> with a little extra attention, I can secure my system without 2FA and achieve comparable security

omginternetsOP9y ago

>How?

By hardening your email server. Yes, assuming the email server is compromised implies a compromised system in this scenario, but that is tautological and therefore uninteresting.

The extra attention should go towards hardening the weak link, in this case the email server that, de facto, provides authentication services.

But again, 2FA is valid security, so why not host it yourself? I have nothing against 2FA in principle, but I don't trust Google, Github, Facebook et al with my phone number.

snowwolf9y ago

So you're running your own DNS server then too right? A hardened email server doesn't prevent a targeted attacker from just redirecting your mx records (as happened to OP).

> but I don't trust Google, Github, Facebook et al with my phone number

[1] https://en.wikipedia.org/wiki/AOL_search_data_leak

omginternetsOP9y ago

I'm assuming a setup similar to that of the OP's.

>And if you don't trust Google or Facebook with your phone number then that means you don't use either of them at all?

More or less. Email I can handle, and there's stuff I stupidly gave up in the past, but I see no reason to provide them with additional info.

>Github doesn't require a phone number to use 2FA

Are you referring to the application? That might be a fair compromise depending on what kinds of permissions the application requires.

>A hardened email server doesn't prevent a targeted attacker from just redirecting your mx records (as happened to OP).

What on earth are you on about? Of course it does. The OP had a crappy password, which is about as fundamental as it gets with regards to server hardening...

2 more replies

redbeard0x0a9y ago

Having a hardened email server and good passwords does nothing for your security if the attacker targets and takes over either:

* Your DNS Records - MX records point to your email server, the attacker just changes the record to point to their email server, taking your hardened email server out of the loop.

* Your Domain Registrar - the attacker can just change your DNS records to point to their own DNS servers (with their own MX records pointing to their own email server).

Do you trust your DNS provider is completely secure from hacking and social engineering?

Do you trust your Domain registrar to adequately secure their systems from hacking and social engineering? Remember, you only pay them ~$10/year for your domain.

catwell9y ago

j / k navigate · click thread line to collapse