|
| ▲ | jasode 5 days ago | parent | next [-] |
| >I’ve personally never had that happen. It should go on a name and shame list The key situation for giving out an SMS code that the gp is pointing out is the customer initiates the call to the support center. For example, suppose somebody wants to add a credit-card to their smartphone digital wallet. They have to call the bank issuing their credit-card to do that. Once the customer support person answers the call, a common security verification (e.g. Chase Bank does this) is for them to send you a 6 digit code to your phone. You then repeat this code back to the support person on the call. They want proof of your identity and also proof that you physically have the smartphone with you. Repeating the SMS code to the customer support person is safe because the customer called the official 1-800 number on the back of their card. That's a totally different sequence of steps from receiving a random call from somebody claiming they are from Chase Bank. Yes, in those cases, you never give out SMS codes to that untrusted person on the phone. |
| |
| ▲ | NikolaNovak 5 days ago | parent | next [-] | | I agree with everything you said. Note, however, that those are two "totally different sequences of steps" to you and I, and "completely analogous / equivalent sequences of steps" to my father in law :-/ | |
| ▲ | vehementi 4 days ago | parent | prev | next [-] | | Justifiable in a vacuum, but the end result is grandma knows "sometimes it's OK to give the code to the person on the phone" | | |
| ▲ | cced 4 days ago | parent | next [-] | | They should have users receive the code and then submit said code into the application for verification, with clear instructions that this code is produced as a result of a support call, and to confirm you are on an existing call when submitting the code. Doing so would not force users to divulge codes over the phone, and enable support staff to verify identity all without training users that reading codes over the phone is acceptable. Thoughts on that? | | |
| ▲ | 4 days ago | parent | next [-] | | [deleted] | |
| ▲ | Ajedi32 4 days ago | parent | prev [-] | | Still not foolproof. Attacker can MITM the connection by initiating their own call to the real support line and relaying instructions between the user and support. |
| |
| ▲ | Ajedi32 4 days ago | parent | prev [-] | | How else are you supposed to do identify verification over the phone? I think if the war against phishing online has taught us anything, it's that humans can't be trusted to not reveal secrets to scammers. Only machine-to-machine public key authentication (like TLS or WebAuthn or U2F) is truly phish-proof. |
| |
| ▲ | dpifke 4 days ago | parent | prev [-] | | The signin 2SV SMS verbiage used by Chase is: "Chase: DON'T share. Use code 12345678 to confirm you're signing in. We'll NEVER call to ask for this code. Call us if you didn't request it." I assume in the case where the customer initiates the call and support is verifying their identity via SMS, they use different text (i.e. not "to confirm you're signing in"). Otherwise, that'd be pretty ridiculous. | | |
| ▲ | eep_social 4 days ago | parent [-] | | found today’s optimist, congrats you win one warm fuzzy feeling. the verbiage is the same. | | |
| ▲ | ameliaquining 4 days ago | parent [-] | | I think I at one point ran into this with Chase and the verbiage was not the same. Are you speaking from experience? | | |
| ▲ | eep_social 15 hours ago | parent [-] | | I am; I seem to recall it was Chase (and I do have a Chase account) but it could have been another bank or financial institution. |
|
|
|
|
|
| ▲ | UncleMeat 5 days ago | parent | prev | next [-] |
| Chase did this to me. A million alarm bells but even after hanging up and restarting the conversation from a phone number publicly listed on their website as a support contact they still did it. Wild. |
|
| ▲ | scrollaway 5 days ago | parent | prev | next [-] |
| Stripe Support does it for certain specific cases (email & phone). However, whenever they do it, it's a bilateral code generation: The support agent also gets a code they have to read out to the end user, which is featured prominently to them, saying the agent will have to read it out to get authentified. |
|
| ▲ | rscrawfo 5 days ago | parent | prev | next [-] |
| Fidelity does as well, although the message switches to state only read the code if you've called them directly. |
|
| ▲ | delfinom 4 days ago | parent | prev | next [-] |
| A lot of credit unions using a certain call center / credit card provider use this exact authentication mechanism over the phone. |
|
| ▲ | adrr 5 days ago | parent | prev | next [-] |
| My bank does it. Chase will send OTP via the bank app to verify you're identity for phone support. |
|
| ▲ | clysm 5 days ago | parent | prev | next [-] |
| Chase bank… |
|
| ▲ | troc 5 days ago | parent | prev [-] |
| - godaddy
|
| |
| ▲ | octo888 5 days ago | parent [-] | | Who still uses GoDaddy LOL | | |
| ▲ | koakuma-chan 4 days ago | parent [-] | | Small business owners | | |
| ▲ | jay_kyburz 4 days ago | parent [-] | | Also me. Every 10 years my domains expire, and I can just pay a few hundred bucks again and forget about it, or I can do a bunch of work to move them somewhere and adjust A records and fuck around with stuff I don't remember and potentially have downtime. | | |
| ▲ | UltraSane 4 days ago | parent [-] | | Use AWS Route53 it is so much better. | | |
| ▲ | koakuma-chan 4 days ago | parent [-] | | Better than CF? | | |
| ▲ | UltraSane 4 days ago | parent [-] | | If you mean cloudflare I have never used it. | | |
| ▲ | koakuma-chan 4 days ago | parent [-] | | Check it out, it's much easier to use and they don't charge any markup. | | |
| ▲ | UltraSane 4 days ago | parent [-] | | One thing I like about Route53 is how granular the permission can be. This lets you automate things more easily and securely. | | |
| ▲ | koakuma-chan 4 days ago | parent [-] | | Yeah AFAIK people use Route53 when, e.g., there is a need to automate making subdomains for customers and stuff like that. | | |
| ▲ | UltraSane 4 days ago | parent [-] | | IAM permissions are almost always a pain to get right but they can be so useful when you can create an API key with permissions to do only exactly what it needs to do. |
|
|
|
|
|
|
|
|
|
|
