
There are valid use cases to ignore the text message security advice. When I set up an account with my bank, I got an SMS security code that I had to read out to my banker to proceed with the account. The SMS did say not to share the code with anyone, I knew he was signing into the bank's system, and I deduced that the system bankers use must be the same system normal users use, so this made sense to me. But an unsophisticated user would not know this, and would become too trusting of the helpful stranger asking for the SMS code despite the message text.

There are institutions out there that are training your users to ignore your security advice.



This sort of thing is so frustrating to me.

They phish users with horribly made emails with no formatting, then they send the same sort of emails for legitimate things. They give security advice and then break their own security advice.

Unless you're a government (or contractor) your threat model isn't some side channel timing attack on your CPU, it's users complacent with security created by you. Legitimate emails should look legitimate the first time, security advice applies always and everywhere. It's not that hard.


I did exactly this with Fidelity's customer service, and I was impressed to see that the text message I received did NOT say "don't share this with anyone", like their normal login messages do. Instead, it said "give this code to the customer service representative". I was so pleasantly surprised I actually had to commend them on it.


Even better would be: ask your rep what his or her favorite animal is. If he or she answers giraffe, then share this code. Otherwise hang up and dial the number on the back of your card.


If the warning not to share is not worded carefully enough then a second message could be sent by an attacker before or after instructing the user to disregard the warning.


Hello, this is Fidelity customer service, and to confirm this, we will send a text message with a code to the phone number you registered with us. For security, please confirm you are our customer by responding with the code.

Narrator: No, it was not Fidelity, but a scammer who needed the code to drain the customer's Fidelity account.


The attacker doesn't control that message. If they did, they would already know the code and wouldn't need you to give it to them.


How will the scammer initiate the SMS? Considering online and customer care messages are different enough.


The same happened to me. Every time it happens, I end up hanging up and calling again to ensure I have the right number.

It's a horrible system. They're shooting themselves in the foot on security.

In my experience, it was also a bank that used this practice.

Thank goodness it’s not a big deal to gain access to someone’s bank account. /s


We are training a large group of users to automatically click "agree" on a random box that appears on the bottom of the page (GDPR). Absurd.


> We are training a large group of users to automatically click "agree" on a random box that appears on the bottom of the page (sites violating GDPR). Absurd.

FTFY.

