Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
jasode 5 days ago

>I’ve personally never had that happen. It should go on a name and shame list

The key situation for giving out an SMS code that the gp is pointing out is the customer initiates the call to the support center.

For example, suppose somebody wants to add a credit-card to their smartphone digital wallet. They have to call the bank issuing their credit-card to do that. Once the customer support person answers the call, a common security verification (e.g. Chase Bank does this) is for them to send you a 6 digit code to your phone. You then repeat this code back to the support person on the call. They want proof of your identity and also proof that you physically have the smartphone with you. Repeating the SMS code to the customer support person is safe because the customer called the official 1-800 number on the back of their card.

That's a totally different sequence of steps from receiving a random call from somebody claiming they are from Chase Bank. Yes, in those cases, you never give out SMS codes to that untrusted person on the phone.

NikolaNovak 5 days ago | parent | next [-]

I agree with everything you said.

Note, however, that those are two "totally different sequences of steps" to you and I, and "completely analogous / equivalent sequences of steps" to my father in law :-/

vehementi 4 days ago | parent | prev | next [-]

Justifiable in a vacuum, but the end result is grandma knows "sometimes it's OK to give the code to the person on the phone"

cced 4 days ago | parent | next [-]

They should have users receive the code and then submit said code into the application for verification, with clear instructions that this code is produced as a result of a support call, and to confirm you are on an existing call when submitting the code.

Doing so would not force users to divulge codes over the phone, and enable support staff to verify identity all without training users that reading codes over the phone is acceptable.

Thoughts on that?

4 days ago | parent | next [-]
[deleted]
Ajedi32 4 days ago | parent | prev [-]

Still not foolproof. Attacker can MITM the connection by initiating their own call to the real support line and relaying instructions between the user and support.

Ajedi32 4 days ago | parent | prev [-]

How else are you supposed to do identify verification over the phone?

I think if the war against phishing online has taught us anything, it's that humans can't be trusted to not reveal secrets to scammers. Only machine-to-machine public key authentication (like TLS or WebAuthn or U2F) is truly phish-proof.

dpifke 4 days ago | parent | prev [-]

The signin 2SV SMS verbiage used by Chase is: "Chase: DON'T share. Use code 12345678 to confirm you're signing in. We'll NEVER call to ask for this code. Call us if you didn't request it."

I assume in the case where the customer initiates the call and support is verifying their identity via SMS, they use different text (i.e. not "to confirm you're signing in"). Otherwise, that'd be pretty ridiculous.

eep_social 4 days ago | parent [-]

found today’s optimist, congrats you win one warm fuzzy feeling.

the verbiage is the same.

ameliaquining 4 days ago | parent [-]

I think I at one point ran into this with Chase and the verbiage was not the same. Are you speaking from experience?

eep_social 15 hours ago | parent [-]

I am; I seem to recall it was Chase (and I do have a Chase account) but it could have been another bank or financial institution.