2FA in Self-Serve Account

Oblivious
Good Citizen / Bon Citoyen

Hi,

 

Just wondering if anyone knows if Public Mobile has plans to implement two-factor authentication (2FA) for the Self-Serve My Account login anytime soon?

Like either a code sent to text message, code sent to email, or an authenticator app?

 

It seems like a basic security measure these days. 


Oblivious
Good Citizen / Bon Citoyen

@korb 

 

I understand what you mean that if they have access to your account then 2FA has no point. But are you not just dismissing that 2FA has no point in existing because of this single scenario?

 

What if a data breach credential leak happened at PM and passwords and emails were exposed? Or a data breach happened elsewhere and passwords were leaked? Not everyone uses different passwords for every website, even though they should.

 

In those cases 2FA would help, as a hacker would not be able to access the Self-Serve accounts, and 2FA would notify users that someone else is entering their credentials without them knowing.

 

There are flaws in a lot of technologies, especially when physical access can trump all of it. But just because there are flaws, it doesn't mean that they should not be used at all or have zero use.

kb_mv
Mayor / Maire

@Korth wrote:

@kb_mv wrote:
How can someone steal my phone number if they can't get in to see my account number and name on the account?

If someone already has access to your Self-Serve then they've already "authenticated" their identity (your identity) to Public Mobile. They're already able to provide whatever password, PIN, registered email, and "private" personal info PM requires. And they're able to change this information to lock you out, they're able to request a new SIM and/or new phone number if they like. They're even able to report the old phone (your phone) as stolen so it gets blacklisted and deactivated on the network.


@Korth I'm confused. This whole discussion is about a way to secure my account. If my account supported 2FA via authenticator app, then no, they could not get in again once I turned on 2FA. Even with the username and password. A specific 6-digit code is required every time I/you/anyone tries to sign into my account. That's why Google and Amazon and PayPal and hundreds of other sites support it.

 

Now granted, if they are already inside my account and have all the info they need to steal my number, then yes, there is nothing I can do about it. But this isn't about someone already in my account. This is about the thousands (or tens of thousands?) of PM customers that have accounts that have not been compromised and may wish to keep it that way.

Korth
Mayor / Maire

@kb_mv wrote:
How can someone steal my phone number if they can't get in to see my account number and name on the account?

If someone already has access to your Self-Serve then they've already "authenticated" their identity (your identity) to Public Mobile. They're already able to provide whatever password, PIN, registered email, and "private" personal info PM requires. And they're able to change this information to lock you out, they're able to request a new SIM and/or new phone number if they like. They're even able to report the old phone (your phone) as stolen so it gets blacklisted and deactivated on the network.

kb_mv
Mayor / Maire

@Korth wrote:

@kb_mv wrote:

If someone finds your phone then of course no 2FA method will help.


That was the whole point I was trying to make.

 

If someone wants to steal your social media account then 2FA will obstruct them. Unless they already stole your phone along with all the passwords stored on it.

 

If someone wants to steal your phone number then 2FA won't help. They've already stolen the phone itself, and/or they can already log in to (and steal) your Self-Serve, email, etc - so 2FA wouldn't do anything useful, it wouldn't stop them, it wouldn't alert you.


@Korth I think we are on the same page. Barring someone getting a hold of your phone or your home computer, 2FA via authenticator app most certainly stops bad guys from accessing your accounts. There would be no way for them to get into my self serve account without it. Even if they have the username and password. Unless I am misunderstanding your point? How can someone steal my phone number if they can't get in to see my account number and name on the account?

Korth
Mayor / Maire

@kb_mv wrote:

If someone finds your phone then of course no 2FA method will help.


That was the whole point I was trying to make.

 

If someone wants to steal your social media account then 2FA will obstruct them. Unless they already stole your phone along with all the passwords stored on it.

 

If someone wants to steal your phone number then 2FA won't help. They've already stolen the phone itself, and/or they can already log in to (and steal) your Self-Serve, email, etc - so 2FA wouldn't do anything useful, it wouldn't stop them, it wouldn't alert you.

kb_mv
Mayor / Maire

@Korth wrote:

The reason it wouldn't work here is that the 2FA confirmation channel (the phone number) is itself the thing at risk of being targeted or changed or stolen.

 

If you already have access to Self-Serve - or can gain access through "backdoor" methods like "I forgot my password", etc - or if you can gain access to the SIM card (the old one or a new one), the phone number, or even the (stolen) phone/device itself - then 2FA won't accomplish anything helpful. In practice it will actually help the thief while hindering the victim.

While if you already don't have access to any of these things then you can't steal anything, while again 2FA doesn't accomplish anything.


@Korth In order for someone to get into my account to change a SIM or a number, they have to actually get into the account. Front door or back door, an authenticator app would prevent this. If the site senses you are trying to access an account from a new IP address or app or browser, it triggers the 2FA request. You can click the lost password link all you want on my Facebook, PayPal, Amazon, Google etc etc etc. You might even have my user name and password. Unless you have the 6-digit code from my authenticator app that is used for that 30-second block, you still can't get in. I am not a fan of using SMS / phone call for these.

 

If someone finds your phone then of course no 2FA method will help.
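To make the "6-digit code for a 30-second block" mechanism concrete, here is an added example (not code from this thread or from Public Mobile) implementing HOTP (RFC 4226) and TOTP (RFC 6238) in Python, plus a constructed login check that requires both the password and a current code. The secret is the ASCII seed from the RFC test vectors so the outputs can be checked against published values; the account record, salt and password are constructed for the demo. The login model also shows two defender-side details the post implies but does not spell out: a small clock-skew window, and rejecting a code that has already been used so it cannot be replayed within its window.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the ASCII secret used by the RFC 4226 / RFC 6238 test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second block number."""
    return hotp(secret, at_time // step, digits)


def match_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1):
    """Return the block counter the code matches (current block +/- window), or None."""
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return counter + delta
    return None


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    return match_totp(secret, code, at_time, step, window) is not None


# Constructed account record: a salted password hash plus the enrolled TOTP seed.
DEMO_SALT = b"constructed-demo-salt"
DEMO_PASSWORD = "correct horse battery staple"


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow password hash a real site would use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def demo_account() -> dict:
    return {
        "salt": DEMO_SALT,
        "pw_hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
        "totp_secret": DEMO_SECRET,
        "last_counter": -1,  # highest block counter already accepted; blocks code replay
    }


def login(account: dict, password: str, code: str, at_time: int) -> bool:
    """Password AND a fresh, unused TOTP code are both required."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    matched = match_totp(account["totp_secret"], code, at_time)
    if not pw_ok or matched is None:
        return False
    if matched <= account["last_counter"]:
        return False  # this code (or an older one) was already consumed
    account["last_counter"] = matched
    return True


if __name__ == "__main__":
    acct = demo_account()
    code = totp(DEMO_SECRET, 59)  # block 1 -> "287082" per RFC 4226 test vectors
    print("code at t=59:", code)
    print("password only, wrong code:", login(acct, DEMO_PASSWORD, "000000", 59))
    print("password + code:", login(acct, DEMO_PASSWORD, code, 59))
    print("same code replayed at t=70:", login(acct, DEMO_PASSWORD, code, 70))
```

Knowing the username and password lets an attacker pass the first check only; without the seed (which never leaves the authenticator app) they cannot compute the code for the current block, and a code that leaks is useless once its block, and the one-step skew window, have passed or once it has been consumed.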

BeachNBeer
Deputy Mayor / Adjoint au Maire

@Korth  Thank you for explaining!


@BeachNBeer wrote:

Sorry I'm lost.  Is 2FA not the same as what Facebook uses? If I log into my account from another IP/device, a text is sent to my phone with a code that I enter before I can access Facebook. Would this not stop attacks for simjacks? How would they get into my Public Mobile account to change the SIM number if they don't have the text code?


It is basically the same thing.

 

The reason it wouldn't work here is that the 2FA confirmation channel (the phone number) is itself the thing at risk of being targeted or changed or stolen.

 

If you already have access to Self-Serve - or can gain access through "backdoor" methods like "I forgot my password", etc - or if you can gain access to the SIM card (the old one or a new one), the phone number, or even the (stolen) phone/device itself - then 2FA won't accomplish anything helpful. In practice it will actually help the thief while hindering the victim.

While if you already don't have access to any of these things then you can't steal anything, while again 2FA doesn't accomplish anything.

BeachNBeer
Deputy Mayor / Adjoint au Maire

@Korth  Sorry I'm lost.  Is 2FA not the same as what Facebook uses? If I log into my account from another IP/device, a text is sent to my phone with a code that I enter before I can access Facebook. Would this not stop attacks for simjacks? How would they get into my Public Mobile account to change the SIM number if they don't have the text code?

Oblivious
Good Citizen / Bon Citoyen

@Korth wrote:

If you couldn't log in to your account - forgot your password or whatever - then how would you prove your identity to PM? What information would you need to provide, and how could others obtain that information?


For Public Mobile, isn't email access pretty much the proof of identity?

If you use "forgot your password", it requires you to have access to the email to get it.

If email was used for 2FA, the process would require you to have access to your email to log in to your PM account. So if the hacker only had login info for the PM account and not the email, the hacker wouldn't be able to get in without email access?

 

Would this not secure the account a bit more, unless the hacker has the login for both the PM account and the email?


@BeachNBeer wrote:

Wouldn't the attacker need to log into the account first to change the sim #? If PM had 2fa would that not mean the original owner would get the text? 


Think about it from the thief's perspective. The mental exercise of what you would do to "steal" your own account and phone number.

 

If you couldn't log in to your account - forgot your password or whatever - then how would you prove your identity to PM? What information would you need to provide, and how could others obtain that information?

 

And without some sort of physical identity confirmation - face-to-face and photo ID check, etc - how can PM truly know that a person on the internet is actually who they claim to be?

 

(I'm ignoring technical "envelope metadata" like IP addresses, etc. We are not obligated to log in from our own devices or home networks, we don't need to use uniquely-fingerprinted hardware or software, we can even use technical things like IP masking and Tor clients and VPNs to retain legal anonymity. And if we have those abilities then so do tech-savvy hackers and thieves.)

mh1983
Deputy Mayor / Adjoint au Maire

Would be nice to have extra layers of security, for sure.

 

Meanwhile, I'd strongly suggest using a secure password generator for all your accounts. I use LastPass so it works across platforms, but if you have Chrome or Firefox, those can now auto-generate secure passwords too.

Oblivious
Good Citizen / Bon Citoyen

@Korth wrote:

Unless the 2FA uses some other resource (another email, another phone number) which PM keeps on record for recovery purposes but does not reveal or display anywhere on the Self-Serve account.


For mobile services, not just Public Mobile, 2FA probably has to use email, a third-party authenticator app or a hardware key. Email would probably be cheapest.

BeachNBeer
Deputy Mayor / Adjoint au Maire

@Korth  Wouldn't the attacker need to log into the account first to change the SIM #? If PM had 2FA, would that not mean the original owner would get the text?


@BeachNBeer wrote:

Would help avoid all the sim jacks.


Not really. If the attacker already knows the SIM ID, the phone number, the email or password or PIN for the account, and/or "three pieces of private information to confirm identity" then theft of the SIM, the phone number, and the account can proceed anyways.

 

The only thing 2FA (through the customer phone number) would accomplish is make it easier for the thief to "prove" identity while making it harder for the victim to prove identity - because the victim isn't even aware of the theft until working phone service has been fully transferred to the thief's phone. Unless the 2FA uses some other resource (another email, another phone number) which PM keeps on record for recovery purposes but does not reveal or display anywhere on the Self-Serve account.

 

Putting an extra deadbolt on the front door doesn't add any real security if the backdoor is always left unlocked.

Staliger
Mayor / Maire

@Oblivious For now, it is unknown. Only PM knows that. Maybe at some point in the future this feature will be added.

benfatto
Deputy Mayor / Adjoint au Maire

Nothing even hinted. So, the best you can do is use a fake name on your account and a password used nowhere else.
Then secure all your bank/PayPal etc. accounts with any 2FA other than SMS where possible. PayPal, for example, accepts Authy.

BeachNBeer
Deputy Mayor / Adjoint au Maire

Would help avoid all the SIM jacks.

Quigley
Mayor / Maire

No plans for that. Sorry
