Oblivious
Good Citizen / Bon Citoyen

Re: 2FA in Self-Serve Account


@Korth wrote:

If you couldn't log in to your account - forgot your password or whatever - then how would you prove your identity to PM? What information would you need to provide, and how could others obtain that information?


For Public Mobile, isn't Email access pretty much the proof of identity?

If you use the "forgot your password" option, it requires you to have access to the email to get it.

If email was used for 2FA, the process would require you to have access to your email to log in to your PM account. So if the hacker only had the login info for the PM account and not the email, the hacker wouldn't be able to get in without email access?

 

Would this not secure the account a bit more, unless the hacker has the login for both the PM account and the email?

BeachNBeer
Town Hero / Héro de la Ville

Re: 2FA in Self-Serve Account

@Korth Sorry I'm lost. Is 2FA not the same as what Facebook uses? If I log into my account from another IP/device, a text is sent to my phone with a code that I enter before I can access Facebook. Would this not stop attacks for simjacks? How would they get into my Public Mobile account to change the sim number if they don't have the text code?

Korth
Mayor / Maire

Re: 2FA in Self-Serve Account


@BeachNBeer wrote:

Sorry I'm lost. Is 2FA not the same as what Facebook uses? If I log into my account from another IP/device, a text is sent to my phone with a code that I enter before I can access Facebook. Would this not stop attacks for simjacks? How would they get into my Public Mobile account to change the sim number if they don't have the text code?


It is basically the same thing.

 

The reason it wouldn't work here is that the 2FA confirmation channel (the phone number) is itself the thing at risk of being targeted or changed or stolen.

 

If you already have access to Self-Serve - or can gain access through "backdoor" methods like "I forgot my password", etc - or if you can gain access to the SIM card (the old one or a new one), the phone number, or even the (stolen) phone/device itself - then 2FA won't accomplish anything helpful. In practice it will actually help the thief while hindering the victim.

Whereas, if you don't already have access to any of these things, then you can't steal anything, and again 2FA doesn't accomplish anything.

BeachNBeer
Town Hero / Héro de la Ville

Re: 2FA in Self-Serve Account

@Korth  Thank you for explaining!

kb_mv
Mayor / Maire

Re: 2FA in Self-Serve Account


@Korth wrote:

The reason it wouldn't work here is that the 2FA confirmation channel (the phone number) is itself the thing at risk of being targeted or changed or stolen.

 

If you already have access to Self-Serve - or can gain access through "backdoor" methods like "I forgot my password", etc - or if you can gain access to the SIM card (the old one or a new one), the phone number, or even the (stolen) phone/device itself - then 2FA won't accomplish anything helpful. In practice it will actually help the thief while hindering the victim.

Whereas, if you don't already have access to any of these things, then you can't steal anything, and again 2FA doesn't accomplish anything.


@Korth In order for someone to get into my account to change a sim or a number, they have to actually get into the account. Front door or back door, an authenticator app would prevent this. If the site senses you are trying to access an account from a new IP address or app or browser, it triggers the 2FA request. You can click the lost password link all you want on my Facebook, PayPal, Amazon, Google etc etc etc. You might even have my user name and password. Unless you have the 6-digit code from my authenticator app that is used for that 30-second block, you still can't get in. I am not a fan of using SMS / phone call for these.

 

If someone finds your phone then of course no 2FA method will help.

Korth
Mayor / Maire

Re: 2FA in Self-Serve Account


@kb_mv wrote:

If someone finds your phone then of course no 2FA method will help.


That was the whole point I was trying to make.

 

If someone wants to steal your social media account then 2FA will obstruct them. Unless they already stole your phone along with all the passwords stored on it.

 

If someone wants to steal your phone number then 2FA won't help. They've already stolen the phone itself, and/or they can already log in to (and steal) your Self-Serve, email, etc - so 2FA wouldn't do anything useful, it wouldn't stop them, it wouldn't alert you.

kb_mv
Mayor / Maire

Re: 2FA in Self-Serve Account


@Korth wrote:

@kb_mv wrote:

If someone finds your phone then of course no 2FA method will help.


That was the whole point I was trying to make.

 

If someone wants to steal your social media account then 2FA will obstruct them. Unless they already stole your phone along with all the passwords stored on it.

 

If someone wants to steal your phone number then 2FA won't help. They've already stolen the phone itself, and/or they can already log in to (and steal) your Self-Serve, email, etc - so 2FA wouldn't do anything useful, it wouldn't stop them, it wouldn't alert you.


@Korth I think we are on the same page. Barring someone getting hold of your phone or your home computer, 2FA via authenticator app most certainly stops bad guys from accessing your accounts. There would be no way for them to get into my self serve account without it, even if they have the username and password. Unless I am misunderstanding your point? How can someone steal my phone number if they can't get in to see my account number and name on the account?

Korth
Mayor / Maire

Re: 2FA in Self-Serve Account


@kb_mv wrote:
How can someone steal my phone number if they can't get in to see my account number and name on the account?

If someone already has access to your Self-Serve then they've already "authenticated" their identity (your identity) to Public Mobile. They're already able to provide whatever password, PIN, registered email, and "private" personal info PM requires. And they're able to change this information to lock you out, they're able to request a new SIM and/or new phone number if they like. They're even able to report the old phone (your phone) as stolen so it gets blacklisted and deactivated on the network.

kb_mv
Mayor / Maire

Re: 2FA in Self-Serve Account


@Korth wrote:

@kb_mv wrote:
How can someone steal my phone number if they can't get in to see my account number and name on the account?

If someone already has access to your Self-Serve then they've already "authenticated" their identity (your identity) to Public Mobile. They're already able to provide whatever password, PIN, registered email, and "private" personal info PM requires. And they're able to change this information to lock you out, they're able to request a new SIM and/or new phone number if they like. They're even able to report the old phone (your phone) as stolen so it gets blacklisted and deactivated on the network.


@Korth I'm confused. This whole discussion is about a way to secure my account. If my account supported 2FA via authenticator app, then no, they could not get in again once I turned on 2FA, even with the username and password. A specific 6-digit code is required every time I/you/anyone tries to sign into my account. That's why Google and Amazon and PayPal and hundreds of other sites support it.

 

Now granted, if they are already inside my account and have all the info they need to steal my number then yes, there is nothing I can do about it. But this isn't about someone already in my account. This is about the thousands (or tens of thousands?) of PM customers that have accounts that have not been compromised and may wish to keep them that way.

Oblivious
Good Citizen / Bon Citoyen

Re: 2FA in Self-Serve Account

@Korth

 

I understand what you mean that if they have access to your account then 2FA has no point. But are you not just dismissing 2FA as having no point in existing because of this single scenario?

 

What if a data breach or credential leak happened at PM and passwords and emails were exposed? Or a data breach happened elsewhere and passwords were leaked? Not everyone uses different passwords for every website, even though they should.

 

In those cases 2FA would help, as a hacker would not be able to access the Self-Serve accounts, and 2FA would notify users that someone else is entering their credentials without their knowledge.

 

There are flaws in a lot of technologies, especially when physical access can trump all of it. But just because there are flaws, it doesn't mean that they should not be used at all or have zero use.
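As an added illustration of two points raised in this thread (kb_mv's description of an authenticator app producing a 6-digit code for each 30-second block, and Oblivious's scenario of a password leaked in a breach elsewhere), here is a small Python model of a login check that requires a time-based one-time password after the password. It is example code written for this page, not Public Mobile's Self-Serve code. The account store, the user "alice", her password and salt are constructed values; the shared secret is the RFC 6238 test key, so the codes can be checked against the RFC's published vectors; and the server clock is passed in explicitly so the check is reproducible.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed shared secret, base32-encoded. This is the RFC 6238 test key
# ("12345678901234567890"), chosen so the codes below match the RFC's vectors.
# A real enrolment generates a random secret per user and shows it once (QR code);
# it is never sent over SMS, so the phone number plays no part in the check.
ALICE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30  # seconds per code, as in common authenticator apps
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    msg = struct.pack(">Q", counter)  # counter as an 8-byte big-endian integer
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second block."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // TIME_STEP)


def verify_totp(secret_b32: str, code: str, at_time: Optional[float] = None,
                window: int = 1) -> bool:
    """Accept the code for the current block or one block either side (clock drift)."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // TIME_STEP
    for delta in range(-window, window + 1):
        if counter + delta < 0:  # no block before the epoch
            continue
        expected = hotp(secret_b32, counter + delta)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched password hash; a breach of this store does not yield the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account record for a single user, "alice" (hypothetical values).
ALICE_SALT = b"constructed-salt-not-random"
ACCOUNTS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple", ALICE_SALT),
        "salt": ALICE_SALT,
        "totp_secret": ALICE_SECRET_B32,
    }
}


def login(username: str, password: str, code: str,
          at_time: Optional[float] = None) -> str:
    """Two-step check: password first, then the one-time code. Returns a reason string."""
    account = ACCOUNTS.get(username)
    if account is None:
        return "no such user"
    candidate = hash_password(password, account["salt"])
    if not hmac.compare_digest(candidate, account["password_hash"]):
        return "password rejected"
    # A leaked or reused password gets an attacker exactly this far and no further:
    # the code derives from a secret held only by the server and the user's app.
    if not verify_totp(account["totp_secret"], code, at_time):
        return "second factor rejected"
    return "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 vector time; the matching 6-digit code is 287082
    good_code = totp(ALICE_SECRET_B32, now)
    print(login("alice", "correct horse battery staple", good_code, now))  # ok
    print(login("alice", "correct horse battery staple", "000000", now))   # second factor rejected
    print(login("alice", "leaked-password-guess", good_code, now))        # password rejected
```

The model makes the two positions in the thread concrete. With the right password but no current code, `login` stops at "second factor rejected", which is the breach scenario Oblivious describes: a password leaked elsewhere is not enough on its own, and a server can log or alert on that failed second step. The check also shows why the channel matters: the code is computed from a secret shared at enrolment, so nothing is delivered over the phone number, whereas an SMS code travels over exactly the asset Korth points out can be targeted. Someone holding the unlocked phone with the app on it has the secret, and the model does nothing for that case, which is the limit both posters agree on.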
