The RISKS Digest
Volume 30 Issue 65

Saturday, 14th April 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Half of European flights delayed due to system failure
Atlanta Airport Shuts Down Wi-Fi Following Cyber Attack on City
Bridges and privacy
Chinese man caught by facial recognition at pop concert
Is Science Hitting a Wall? (Scientific American)
Prescribing error in EHR results in death of man (Healthcare IT)
Elon Musk: Do you trust this computer? (Ed DeWath, Grady Booch)
"Flaw exposes cities' emergency alert sirens to hackers"
"How safe is your air-gapped PC? Attackers can now suck data out via power lines" (Liam Tung)
DHS finds suspected phone spying in Washington (ABC News)
"Windows security: Microsoft patch for Outlook password leak bug 'not a full fix'" (Liam Tung)
The biggest Black Lives Matter page on Facebook is fake
Fox News accidentally puts up a poll graphic that shows how they are the least trusted network
"On Facebook, Zuckerberg gets privacy and you get nothing" (Zack Whittaker)
Facebook exec: If you want privacy, expect to pay for it
Facebook Suspends Another Data Analytics Firm As Scandal Widens
Cambridge Analytica Could Also Access Private Facebook Messages
Protecting Democracy Using Firewalls (Mark Rockman)
A New AI "Journalist" Is Rewriting the News to Remove Bias (Kristin Houser)
People must retain control of autonomous vehicles
Waze's crazy routing over a 32% grade road (Gabe Goldberg)
Relevant Comic?
"LG's 'Software Upgrade Center' feels slightly too familiar" (J.R. Raphael)
Richest 1% on target to own two-thirds of all wealth by 2030 (Michael Savage)
The dots do matter: how to scam a Gmail user (James H Fisher)
"A bad day with mobile 2FA" (Evan Schuman)
Info on RISKS (comp.risks)

Half of European flights delayed due to system failure (BBC)

Jose Maria Mateos <>
Tue, 03 Apr 2018 20:27:26 -0400
The unspecified problem was with the Enhanced Tactical Flow Management
System, which helps to manage air traffic by comparing demand and capacity
of different air traffic control sectors.

It manages up to 36,000 flights a day. Some 29,500 were scheduled on Tuesday
when the fault occurred.

When the system failed, Eurocontrol's contingency plan for a failure in the
system deliberately reduced the capacity of the entire European network by
10%. It also added what it calls "predetermined departure intervals" at
major airports.

Atlanta Airport Shuts Down Wi-Fi Following Cyber Attack on City (Conde-Nast Traveler)

"Dave Farber" <>
Thu, 5 Apr 2018 08:07:49 -0400

Bridges and privacy (Gizmodo)

"Arthur T." <>
Tue, 03 Apr 2018 00:40:20 -0400
Here's an article about a city about to install a pedestrian bridge built
with a new technique. The article doesn't mention the collapse of a
pedestrian bridge with a new design which collapsed in Florida just a few
weeks ago.

But of more interest to this RISKS group is the fact that they'll be
installing a "series of smart sensors [...] so the bridge will actually know
how many people are walking on it and how quickly they're moving." I wonder
if this could be a privacy concern, especially since it's being built in
"the largest and best-known red-light district in Amsterdam."

Chinese man caught by facial recognition at pop concert (BBC)

Richard M Stein <>
Sat, 14 Apr 2018 18:08:37 +0800

  "Chinese police have used facial recognition technology to locate and
  arrest a man who was among a crowd of 60,000 concert goers."  "China has a
  huge surveillance network of over 170 million CCTV cameras."

1 - (1/60000) ~= 0.999983; an impressive match rate given historically
published facial recognition achievement. CIA's World Fact Book states, as
of 2017, PRC population @ ~1.38B folks. 1.38 Bpeople/170 Mcameras ~= 8.1
people/camera surveillance density!

Is Science Hitting a Wall? (Scientific American)

John Horgan <>
April 7, 2018 at 5:20:24 PM EDT
Economists show that increased research efforts are yielding decreasing

Once again, I'm brooding over science's limits. I recently posted Q&As with
three physicists with strong opinions on the topic—David Deutsch, Marcelo
Gleiser and Martin Rees—as well as this column: Is Science Infinite?
Then, in March I attended a two-day brainstorming session—which I'll call
The Session—with 20 or so science-y folks over whether science is slowing
down and what we can do about it.

The Session was inspired in part by research suggesting that scientific
progress is stagnating. In Are Ideas Getting Harder to Find?, four
economists claim that “a wide range of evidence from various industries,
products, and firms show[s] that research effort is rising substantially
while research productivity is declining sharply.”  The economists are
Nicholas Bloom, Charles Jones and Michael Webb, all from Stanford, and John
Van Reenen of MIT.

As a counter-intuitive example, they cite Moore's Law, noting that
the “number of researchers required today to achieve the famous
doubling every two years of the density of computer chips is more than 18
times larger than the number required in the early 1970s.”  The
researchers found similar trends in research related to agriculture and
medicine. More and more research on cancer and other illnesses has produced
fewer and fewer lives saved....

Prescribing error in EHR results in death of man (Healthcare IT)

Stephen McCallister <>
Thu, 5 Apr 2018 22:36:41 -0700

Elon Musk: Do you trust this computer?

Dewayne Hendricks <>
April 7, 2018 at 1:19:27 PM EDT
  [via Dave Farber]

[Note: This item comes from friend Ed DeWath.  Again, the window to view this
video on YouTube is just this weekend.  Have at it!  DLH]

Elon Musk, YouTube, 6 Apr 2018
Do you trust this computer?

Elon Musk—who believes artificial intelligence could help trigger the
next world war—has issued another severe warning about how
super-intelligent machines could come to dominate the world. Those super
computers could become "an immortal dictator from which we would never
escape," Musk passionately warns in the new documentary "Do You Trust This

In the documentary, directed by Chris Paine (the man behind 2006's "Who
Killed The Electric Car?"), Musk joins a growing chorus of experts warning
that intelligent machines are already fundamentally changing our society by
amassing personal data, advancing science and medicine and beginning to
create new forms of super intelligence.

Musk paid for "Do You Trust This Computer" to be streamed free on YouTube over the weekend.

Elon Musk—Do you trust this computer?

Grady Booch <>
April 7, 2018 at 2:34:31 PM EDT
  [Follow-up in Dave Farber's IP list]

I followed Elon's thread in Twitter, and had an extended dialog with some
thereafter.

Here is partly what I had to say:

While well-produced, it is indeed rather alarmist (and offers little balance
as to the good therein); it also muddles the role of AI (many of the moments
in the documentary could be said of non-AI software-intensive systems).
Furthermore it radically ignores history (one gets the impression that AI
began in Silicon Valley with Google/Facebook/etc.) and finally, while it
hammers the emotional elements, it offers nothing actionable for the viewer.

"Flaw exposes cities' emergency alert sirens to hackers" (ZDNet)

Gene Wirchenko <>
Tue, 10 Apr 2018 10:17:07 -0700

Zack Whittaker for Zero Day, Apr 10, 2018
San Francisco—and other cities and campuses—had hackable
radio-controlled sirens.

"How safe is your air-gapped PC? Attackers can now suck data out via power lines" (Liam Tung)

Gene Wirchenko <>
Thu, 12 Apr 2018 09:50:48 -0700
Liam Tung, ZDNet, 12 Apr 2018
You'll now need to monitor the power cables connecting to isolated
computers holding sensitive information.

selected text:

Researchers from Israel's Ben Gurion University of the Negev have shown once
again that air-gapped PCs are not safe from a determined and patient

Techniques they've proven work include a drone-assisted attack on a
computer's flashing LEDs, using a CPU's low-frequency magnetic radiation to
leak data through a Faraday cage, and attacking the very CCTV cameras used
to monitor air-gapped computers.

  [Another bonus risk in a risk with the CCTV cameras being subverted.]

DHS finds suspected phone spying in Washington (ABC News)

Lauren Weinstein <>
Tue, 3 Apr 2018 11:10:45 -0700
[DUH!] via NNSquad

  For the first time, the U.S. government has publicly acknowledged the
  existence in Washington of what appear to be rogue devices that foreign
  spies and criminals could be using to track individual cellphones and
  intercept calls and messages.  The use of such cellphone-site simulators
  by foreign powers has long been a concern, but American intelligence and
  law enforcement agencies—which use such eavesdropping equipment
  themselves—have been silent on the issue until now.

"Windows security: Microsoft patch for Outlook password leak bug 'not a full fix'" (Liam Tung)

Gene Wirchenko <>
Wed, 11 Apr 2018 09:40:28 -0700
Liam Tung, ZDNet, 11 Apr 2018
Attackers can make Outlook leak password hashes just by previewing an
RTF-formatted email.

selected text:

Microsoft has fixed an important Outlook bug it's known about for over a
year, capable of leaking password hashes when users preview a Rich Text
Format (RTF) email with remotely hosted OLE objects.

However, Dormann notes that Microsoft's fix for the vulnerability
CVE-2018-0950 doesn't prevent all remote SMB attacks.

Microsoft is of the view that this bug is "more likely" to be exploited now
that it's known.

  [Really?  (Did the Microsoft spokesperson think about the matter before
  stating this last bit?)]
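The usual mitigation for this class of leak is to keep SMB from leaving the network at the perimeter, since a hash is only exposed if Outlook's fetch of the remote OLE object can reach an outside SMB server. As an added example (not from the ZDNet article or from Dormann's advisory), detection logic run over constructed firewall log lines that flags TCP 139/445 flows from internal hosts to addresses outside the organisation; the log format and the internal address ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed firewall log lines for this example (not from any real device).
# Format assumed: "<timestamp> <ACTION> proto=<p> src=<ip>:<port> dst=<ip>:<port>"
SAMPLE_LOG = """\
2018-04-11T09:02:11Z ALLOW proto=tcp src=10.20.3.17:50412 dst=10.20.3.5:445
2018-04-11T09:02:14Z ALLOW proto=tcp src=10.20.3.17:50413 dst=203.0.113.9:445
2018-04-11T09:02:20Z ALLOW proto=tcp src=10.20.3.42:50990 dst=198.51.100.77:443
2018-04-11T09:02:31Z DENY  proto=tcp src=10.20.3.17:50420 dst=203.0.113.9:139
2018-04-11T09:02:40Z ALLOW proto=tcp src=10.20.3.9:51001 dst=192.0.2.10:445
"""

# SMB/NetBIOS session ports that a UNC fetch of a remote object would use.
SMB_PORTS = {139, 445}

# Assumed internal address space (RFC 1918 plus loopback); replace with the
# organisation's real ranges before use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Event:
    ts: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Event:
    """Split one log line of the assumed format into an Event."""
    fields = line.split()
    ts, action = fields[0], fields[1]
    kv = dict(f.split("=", 1) for f in fields[2:])
    src_ip, _ = kv["src"].rsplit(":", 1)
    dst_ip, dport = kv["dst"].rsplit(":", 1)
    return Event(ts, action, kv["proto"], src_ip, dst_ip, int(dport))


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str, allowed_only: bool = True) -> List[Event]:
    """Return SMB connections from internal hosts to addresses outside
    INTERNAL_NETS. With allowed_only=True only ALLOW entries are reported,
    i.e. flows where a hash could actually have left the network; pass
    False to also see DENY entries, which show the perimeter rule working."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.proto != "tcp" or ev.dport not in SMB_PORTS:
            continue
        if not is_internal(ev.src) or is_internal(ev.dst):
            continue
        if allowed_only and ev.action != "ALLOW":
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_outbound_smb(SAMPLE_LOG):
        print(f"{ev.ts} {ev.src} -> {ev.dst}:{ev.dport} ({ev.action}) outbound SMB")
```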

The biggest Black Lives Matter page on Facebook is fake (CNN) NNSquad

Lauren Weinstein <>
Mon, 9 Apr 2018 15:28:51 -0700
  The page, titled simply "Black Lives Matter," had almost 700,000 followers
  on Facebook, more than twice as many as the official Black Lives Matter
  page. It was tied to online fundraisers that brought in at least $100,000
  that supposedly went to Black Lives Matter causes in the U.S. At least
  some of the money, however, was transferred to Australian bank accounts,
  CNN has learned. Fundraising campaigns associated with the Facebook page
  were suspended by PayPal and Patreon after CNN contacted each of the
  companies for comment.  Donorbox and Classy had already removed the
  campaigns. The discovery raises new questions about the integrity of
  Facebook's platform and the content hosted there.

Fox News accidentally puts up a poll graphic that shows how they are the least trusted network

Lauren Weinstein <>
Mon, 9 Apr 2018 15:52:04 -0700
[Oops!] via NNSquad

  When host Howard Kurtz asked for a poll to be put up on the screen that
  asks if the media reports fake news, viewers got a look at the wrong poll
  - one put out by Monmouth University that asks people which network they
  trust more, CNN, MSNBC, or Fox News. Not surprising but a knee-slapper
  nonetheless, the graphic for the poll showed that people trusted CNN most,
  at 48%, followed by MSNBC at 45%. Fox came in last place with a mere 30%
  of those polled thinking that the network was trustworthy. Kurtz quickly
  said, "This is not the graphic we're looking for - hold off. Take that
  down please!"

"On Facebook, Zuckerberg gets privacy and you get nothing" (Zack Whittaker)

Gene Wirchenko <>
Wed, 11 Apr 2018 10:08:06 -0700
   [Not that this is a surprise, but.]

Zack Whittaker for Zero Day, 10 Apr 2018
Opinion: Facebook's way of showing how little it cares about its users'
privacy is by doing something only when it gets caught.

Facebook just can't catch a break—not that many think it should.

BuzzFeed described it best: Facebook has a "two-tier privacy system" that
favors its leaders and executives.

The rest of us can, in other words, go to hell.

What's clear is that there's a trend of Facebook and its executives
distancing themselves from facing up to their users and taking
responsibility for their mistakes. Facebook isn't even trying to get ahead
of the story—or stories, as the scandal keeps getting bigger—and only
acts when it's caught with its hand in the cookie jar.  And, even then, the
company is only slapping a Band-Aid on to save face amid pressure from
governments and shareholders—the only two things that Facebook is
vulnerable to.

What better way to show how little the company cares about its users'
privacy than by acting only when it gets caught.

Facebook exec: If you want privacy, expect to pay for it (NYPost)

Lauren Weinstein <>
Sat, 7 Apr 2018 00:01:08 -0700

  Want privacy on Facebook? Cough up some cash. The social-media site plans
  to extort users who want to keep their personal data away from advertisers
  —by demanding they pay for the privilege, the company's second in
  command, Sheryl Sandberg, revealed on Friday.

I've got a better idea. Get the hell off of Facebook!
"Seriously, It's Time to Ditch Facebook and Give Google+ a Try"

Facebook Suspends Another Data Analytics Firm As Scandal Widens (NPR)

Lauren Weinstein <>
Mon, 9 Apr 2018 11:40:21 -0700
via NNSquad

  As the Facebook scandal over Cambridge Analytica's misuse of the personal
  data of millions of users continues to unfold, Facebook is suspending
  another data analytics firm over similar allegations.  According to
  reporting by CNBC, Cubeyou collected data from Facebook users through
  personality quizzes "for non-profit academic research" developed with
  Cambridge University—then sold the data to advertisers.

Cambridge Analytica Could Also Access Private Facebook Messages (WiReD)

Lauren Weinstein <>
Tue, 10 Apr 2018 09:55:22 -0700
[Worse and worse] via NNSquad

  The data consulting firm Cambridge Analytica, which harvested as many as
  87 million Facebook users' personal data, also could have accessed the
  private inbox messages of some of those affected. Facebook slipped this
  previously undisclosed detail into the notifications that began appearing
  at the top of News Feeds on Monday. These alerts let users know whether
  they or their friends had downloaded a personality quiz app called This Is
  Your Digital Life, which would have caused their data to be collected and
  passed on to Cambridge Analytica.  Facebook buried the disclosure in the
  details about what information was compromised: "A small number of people
  who logged into 'This Is Your Digital Life' also shared their own News
  Feed, timeline, posts and messages which may have included posts and
  messages from you."

Protecting Democracy Using Firewalls

Mark Rockman <>
Sun, 8 Apr 2018 20:37:02 -0400
In the United States, federal elections are managed separately by the 50
states.  Protections from hacking into voter registration rolls are left in
the hands of state legislatures and understaffed IT departments.  The state
legislatures provide just enough money to get the elections done. They don't
provide for upgrading equipment and software to keep hackers out.  They
don't provide guidelines on configuration.  They don't advise people to
change their passwords frequently nor enforce such policy nor advise
rightful end users not to reply to an e-mail or phone call with a password.
And how about rules against running operating systems that don't get regular
patches to plug holes called "vulnerabilities."  There are appliances that
can be stationed between a LAN and the Internet that are very effective, if
properly configured, in keeping the Russians out.  SSLs and VPNs are very
handy.  News reports make hacking sound as if it is the inevitable result of
using high technology when the problem is really with ignorance and
technophobia on the part of election managers and penny-wise, pound-foolish
state legislatures.

A New AI "Journalist" Is Rewriting the News to Remove Bias (Kristin Houser)

Dewayne Hendricks <>
April 8, 2018 at 8:15:36 AM EDT
  [Note:  This item comes from friend Robert Berger.  DLH]

Kristin Houser, Futurism, 6 Apr 2018

Want your news delivered with the icy indifference of a literal robot? You
might want to bookmark the newly launched site Knowhere News. Knowhere is a
startup that combines machine learning technologies and human journalists to
deliver the facts on popular news stories.

Here's how it works. First, the site's artificial intelligence (AI) chooses
a story based on what's popular on the Internet right now. Once it picks a
topic, it looks at more than a thousand news sources to gather
details. Left-leaning sites, right-leaning sites—the AI looks at them

Then, the AI writes its own *impartial* version of the story based on what
it finds (sometimes in as little as 60 seconds). This take on the news
contains the most basic facts, with the AI striving to remove any potential
bias. The AI also takes into account the trustworthiness of each source,
something Knowhere's co-founders preemptively determined. This ensures a
site with a stellar reputation for accuracy isn't overshadowed by one that
plays a little fast and loose with the facts.

For some of the more political stories, the AI produces two additional
versions labeled Left and Right.  Those skew pretty much exactly how you'd
expect from their headlines:

 * Impartial: U.S. to add citizenship question to 2020 census
 * Left: California sues Trump administration over census citizenship
 * Right: Liberals object to inclusion of citizenship question on 2020

Some controversial but not necessarily political stories receive
Positive and Negative spins:

 * Impartial: Facebook scans things you send on messenger, Mark Zuckerberg
 * Positive: Facebook reveals that it scans Messenger for inappropriate content
 * Negative: Facebook admits to spying on Messenger, scanning private
   images and links

Even the images used with the stories occasionally reflect the content's
bias. The Positive Facebook story features CEO Mark Zuckerberg grinning,
while the Negative one has him looking like his dog just died.

Knowhere's AI isn't putting journalists out of work, either.

Editor-in-chief and co-founder Nathaniel Barling told Motherboard that a
pair of human editors review every story. This ensures you feel like you're
reading something written by an actual journalist, and not a Twitter
chatbot. Those edits are then fed back into the AI, helping it improve over
time. Barling himself then approves each story before it goes live. “The
buck stops with me,” he told Motherboard.

This human element could be the tech's major flaw. As we've seen with other
AIs, they tend to take on the biases of their creators, so Barling and his
editors will need to be as impartial as humanly possible—literally—to
ensure the AI retains its impartiality.

People must retain control of autonomous vehicles (Nature)

Lauren Weinstein <>
Fri, 6 Apr 2018 08:35:39 -0700

  Policymakers need to work more closely with academics and manufacturers to
  design appropriate regulations. This is extremely challenging because the
  research cuts across many disciplines.  Here, we highlight two areas—
  liability and safety—that require urgent attention.

Waze's crazy routing over a 32% grade road

Gabe Goldberg <>
Sat, 7 Apr 2018 11:47:13 -0400
It's a common story: small towns and residents living on once-quiet
streets are sometimes annoyed by the influx of traffic that Waze, traffic
way-finding apps, and ride-hailing services have wrought.

But residents along Baxter Street in Los Angeles' Echo Park neighborhood—
reportedly one of the steepest streets in America (comprising two
major hills)—are now banding together to try to change local traffic
patterns. Neighbors have contacted city officials and Waze's parent company,
Google, to try to mitigate the problem. ...

According to a Wednesday report in the *Los Angeles Times*, locals say that
they've noticed an uptick in serious accidents.

“The car came through our garden, went through two fences, and ended up
backwards hanging over our driveway,” resident Jason Luther told the paper.
“Rain is a huge problem,” another resident, Robbie Adams, said.  “People
start skidding and spinning. We had our garden wall knocked down twice, and
my wife's car got hit in our own driveway. I've seen five or six cars smash
into other cars, and it's getting worse.”

The street, which dates back to 1872, has a 32-percent grade—more than
double what current city law allows for today.

Relevant Comic? (Freefall)

Gene Wirchenko <>
Tue, 03 Apr 2018 14:12:54 -0700
Scotty and La Forge never had this problem:
What a tangled Web we weave.

"LG's 'Software Upgrade Center' feels slightly too familiar" (J.R. Raphael)

Gene Wirchenko <>
Fri, 13 Apr 2018 10:09:10 -0700
JR Raphael, Computerworld, 12 Apr 2018
How many times can a company cry wolf before we all stop listening?

selected text:

By my calculations, seeing this morning's news that LG is opening up a
"Software Upgrade Center"—the industry's "first such facility aimed at
providing customers worldwide with faster, timelier smartphone operating
system and software updates" (!)—could result in three distinct

First is the woefully uninformed, overly positive reception—the one LG
clearly hopes to elicit with its over-the-top press release: "Whoa! Look at
LG! It's breaking new ground and showing just how committed to customers it
really is."

Second is the guardedly optimistic view: "Look, I know LG has never been the
best with Android upgrades, but it always tries. Maybe this will be a new
beginning. Maybe things are about to get great!"

And third is the seriously skeptical view: "Riiiiight. LG always talks a
good game with Android upgrades, but it never actually delivers.  Looks like
more of the same ol' silliness we see every year."

Me? As someone who's tracked and analyzed Android upgrades closely since the
start, I tend to veer more toward that final view of skepticism.

As a certain smart-alecky writer once put it, the company truly does excel
at one thing in this domain: being the first to announce a new OS
rollout. ["announce" was in italics.]

Richest 1% on target to own two-thirds of all wealth by 2030 (Michael Savage)

Dewayne Hendricks <>
Sat, Apr 7, 2018 at 3:42 PM
[Note:  This item comes from friend Robert Berger.  DLH]

Michael Savage, *The Guardian*, 7 Apr 2018
World leaders urged to act as anger over inequality reaches a `tipping

The world's richest 1% are on course to control as much as two-thirds of the
world's wealth by 2030, according to a shocking analysis that has led to a
cross-party call for action.

World leaders are being warned that the continued accumulation of wealth at
the top will fuel growing distrust and anger over the coming decade unless
action is taken to restore the balance.

An alarming projection produced by the House of Commons library suggests
that if trends seen since the 2008 financial crash were to continue, then
the top 1% will hold 64% of the world's wealth by 2030. Even taking the
financial crash into account, and measuring their assets over a longer
period, they would still hold more than half of all wealth.

Since 2008, the wealth of the richest 1% has been growing at an average of
6% a year—much faster than the 3% growth in wealth of the remaining 99%
of the world's population. Should that continue, the top 1% would hold
wealth equating to $305 trillion—up from $140 trillion today.

Analysts suggest wealth has become concentrated at the top because of
recent income inequality, higher rates of saving among the wealthy, and the
accumulation of assets. The wealthy also invested a large amount of equity
in businesses, stocks and other financial assets, which have handed them
disproportionate benefits.

New polling by Opinium suggests that voters perceive a major problem with
the influence exerted by the very wealthy. Asked to select a group that
would have the most power in 2030, most (34%) said the super-rich, while 28%
opted for national governments. In a sign of falling levels of trust, those
surveyed said they feared the consequences of wealth inequality would be
rising levels of corruption (41%) or the “super-rich enjoying unfair
influence on government policy” (43%).

The research was commissioned by Liam Byrne, the former Labour cabinet
minister, as part of a gathering of MPs, academics, business leaders, trade
unions and civil society leaders focused on addressing the problem.

The actor Michael Sheen, who has opted to scale back his Hollywood career
to campaign against high-interest credit providers, was among those
supporting the calls.

The hope is to create pressure for global action when leaders of the G20
group of nations gather for a summit in Buenos Aires in November. Byrne,
who organised the first OECD global parliamentary conference on inclusive
growth, said he believed global inequality was “now at a tipping point”.

“If we don't take steps to rewrite the rules of how our economies work,
then we condemn ourselves to a future that remains unequal for good.  That's
morally bad, and economically disastrous, risking a new explosion in
instability, corruption and poverty.”

In a sign of the concern about the accumulation of wealth in the hands of
so few, the move has gained support from across the political divide.

George Freeman, the Tory MP and former head of the prime minister's policy
board, said: “While mankind has never seen such income inequality, it is
also true that mankind has never experienced such rapid increases in living
standards. Around the world billions of people are being lifted out of
poverty at a pace never seen before. But the extraordinary concentration of
global wealth today—fueled by the pace of technological innovation and
globalisation—poses serious challenges.

“If the system of capitalist liberal democracy which has triumphed in the
west is to pass the big test of globalisation—and the assault from
radical Islam as well as its own internal pressures from post-crash
austerity—we need some new thinking on ways to widen opportunity, share
ownership and philanthropy. Fast.”

Demands for action from the group include improving productivity to ensure
wages rise and reform of capital markets to promote greater equality. [...]

The dots do matter: how to scam a Gmail user

Lauren Weinstein <>
Sat, 7 Apr 2018 18:40:51 -0700

  Where is the security flaw here? Some would say it's Netflix's fault; that
  Netflix should verify the email address on sign up. But using someone
  else's address on signup only cedes control of the account to that
  person. Others would say that Netflix should disallow the registration of, but this would force Netflix and every other
  website to have insider knowledge of Gmail's canonicalization algorithm.
  Actually, the blame lies with Gmail, and specifically Gmail's "dots don't
  matter" feature.  The scam fundamentally relies on the Gmail user
  responding to an email with the assumption that it was sent to their
  canonical address, and not to some other address from their infinite
  address set.

This has been a problem with Gmail for ages. Even if you are not scammed by
crooks exploiting this, it can be a vector for yet more spam, not all of
which Gmail will detect. Gmail users have long needed a way to control this
feature, and to specify precisely which dotted forms should be considered as
their valid Gmail addresses.
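A service that keys accounts on the mailbox an address actually reaches, rather than on the literal string typed at signup, can at least notice when a re-dotted variant of an existing user's address is registered. As an added example (not from Fisher's post or from Gmail), a canonicaliser and a hypothetical SignupRegistry built on it; it assumes Gmail's published rules (dots and case in the local part ignored, a '+tag' suffix dropped, googlemail.com aliasing gmail.com) and treats every other domain literally.

```python
from typing import Dict, Optional, Tuple

# Gmail (and its googlemail.com alias) delivers every dotted, cased or
# '+tag' variant of a local part to one mailbox. Assumption for this example:
# these two domains are the only ones treated that way.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> Optional[str]:
    """Return the mailbox a Gmail address really delivers to, or None.

    'James.H.Fisher+netflix@googlemail.com' -> 'jameshfisher@gmail.com'.
    Non-Gmail addresses return None: their providers may treat dots and
    case as significant, so they have to be compared literally.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain not in GMAIL_DOMAINS:
        return None
    local = local.split("+", 1)[0]          # drop any '+tag' suffix
    local = local.replace(".", "").lower()  # dots and case do not matter
    if not local:
        raise ValueError(f"empty local part after canonicalisation: {address!r}")
    return f"{local}@gmail.com"


def same_mailbox(a: str, b: str) -> bool:
    """True when two addresses land in the same inbox.

    Only Gmail addresses are canonicalised; anything else is compared
    case-insensitively on the whole string, which is a conservative choice
    (it never merges two addresses a provider might keep distinct by dots).
    """
    ca, cb = canonical_gmail(a), canonical_gmail(b)
    if ca is None or cb is None:
        return a.strip().lower() == b.strip().lower()
    return ca == cb


class SignupRegistry:
    """Hypothetical signup store keyed by delivered mailbox, not by the
    literal string the user typed, so a second account registered under a
    re-dotted variant is flagged instead of silently created."""

    def __init__(self) -> None:
        self._owner_by_mailbox: Dict[str, str] = {}

    def register(self, address: str) -> Tuple[bool, str]:
        """Return (created, address_on_file). On a collision the address
        already on file is returned so the service can notify its owner."""
        key = canonical_gmail(address) or address.strip().lower()
        existing = self._owner_by_mailbox.get(key)
        if existing is not None:
            return False, existing
        self._owner_by_mailbox[key] = address.strip()
        return True, address.strip()


if __name__ == "__main__":
    registry = SignupRegistry()
    # Constructed addresses: the legitimate owner, then a re-dotted variant
    # of the same inbox, then an unrelated address at another provider.
    for candidate in ("jameshfisher@gmail.com",
                      "james.h.fisher@gmail.com",
                      "jameshfisher@example.org"):
        created, on_file = registry.register(candidate)
        status = "created" if created else f"collides with {on_file}"
        print(f"{candidate:32} {status}")
```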

"A bad day with mobile 2FA" (Evan Schuman)

Gene Wirchenko <>
Mon, 09 Apr 2018 10:45:47 -0700

Evan Schuman, Computerworld, 9 Apr 2018
Texting confirmation numbers is a very weak link;
texting them to my landline is just dumb.
The Zen of Mobile

selected text:

One of my favorites—a small and little-known site—asked for my login
and password. I complied, and it then escalated to 2FA. It didn't give me
any options about the second factor (which is mobile 2FA problem number one)
and insisted on texting me a confirmation number.

I waited but nothing arrived. So I asked it to do it again and again.
Nothing. That's when I realized that the site was likely trying to text my
landline. And that is mobile 2FA problem number two: If you're asking for my
phone number so that you can text me sometime down the road, tell me that,
and I'll give you my cellphone number. Otherwise, you'll get the number I
most often answer, my landline, and it will do you no good when it's really

And this is where problem number one bumps up against problem number two: If
texting doesn't work, users need another option, at the very least a support
number to call.

But wait, there's more. I next tried to post to Google Plus. Thoughts of my
recent 2FA problem flitted through my head, but I thought to myself, fear
not, Google uses an excellent 2FA that doesn't rely on texting confirmation
numbers. It knows that process is far too susceptible to man-in-the-middle
attacks. No, for Google, I have a trusty USB fob. And when I tried logging
in, it insisted on the fob. But it was just not my 2FA day; when the fob was
inserted, nothing happened.

And that's when I learned that I was giving Google too much credit for being
security-conscious. When Google couldn't see the fob, it just defaulted to a
texted confirmation number. (It turned out that a laptop reboot made the
invisible USB device visible again.)

Companies need to have a human-managed backup to security so that legitimate
users aren't locked out with no way back in. If you can't justify a call
center, then at least have an email address pop up—and make sure that
inbox is watched aggressively.

2FA is a great idea, but companies need to think through these issues
better. For starters, if you want a mobile phone number, just say so.
