The RISKS Digest
Volume 30 Issue 67

Sunday, 29th April 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Lightning Hazards Prompt Boeing to Fix 787 Jets
WSJ
Facebook's dark-ads problem is systemic
Techcrunch
Facebook's Ties With Kogan and Cambridge Were Even Cozier Than We Thought
Slate
How merchants use Facebook to flood Amazon with fake reviews
WashPo
How Looming Privacy Regulations May Strengthen Facebook and Google
NYTimes
How Fake Mark Zuckerbergs Scam Facebook Users Out of Their Cash
NYTimes
Malicious Amazon Alexa Skills Can Record Everything a User Says
EWeek
The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder
NYTimes
TSB fiasco
Charles Mann on Naked Capitalism
TSB week-long disruption
The Guardian
Brain-Computer Interfaces: 'The Last Frontier of Human Privacy'
WSJ
Viewpoint: The pitfalls of India's biometric ID scheme
BBC
Zelle, the Banks' Answer to Venmo, Proves Vulnerable to Fraud
NYTimes
Blockchains for journalism
CJR via Prashanth Mundkur
ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying
The Register
Cyberwarfare may be less dangerous than we think
WashPo
Defending Hospitals against Life-Threatening Cyber-attacks
Scientific American
'Operation GhostSecret': North Korea Is Suspected in Intensifying Global Cyberattack
WSJ
"Mysterious cyber-worm targets medical systems, is found on X-ray machines and MRI scanners"
ZDNet
Comcast partners with Independence Health to create digital health company
Healthcare IT News
Medical transcription service leaves patient records open
Krebs
Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency
Ars Technica
Amazon Launches In-Car Delivery
Business Wire
A One-Minute Attack Let Hackers Spoof Hotel Master Keys
WiReD
Hackers have found a way to jailbreak the Nintendo Switch
WashPo
The state of patch management
HPE
Backlash prompts Eventbrite to drop demand to crash events, record them
Ars Technica
Re: Regulate AI?
Craig Burton
Re: ACM ICPC Programming Contest
Martyn Thomas
Re: Instant Runoff Voting
Wols
Re: American elections are too easy to hack. We must take action now
Mark E. Smith
Re: "A bad day with mobile 2FA"
John Levine
Dimitri Maziuk
Info on RISKS (comp.risks)

Lightning Hazards Prompt Boeing to Fix 787 Jets (WSJ)

Monty Solomon <monty@roscom.com>
Wed, 25 Apr 2018 09:50:46 -0400
Manufacturer aims to eliminate chances of cockpit displays failing due to
lightning events

http://www.wsj.com/articles/lightning-hazards-prompt-boeing-to-fix-787-jets-1524652201


Facebook's dark-ads problem is systemic (Techcrunch)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 28 Apr 2018 16:41:14 PDT
  via Lauren Weinstein's Network Neutrality Squad
  http://techcrunch.com/2018/04/28/facebooks-dark-ads-problem-is-systemic/

  Facebook's admission to the UK parliament this week that it had unearthed
  unquantified thousands of dark fake ads after investigating fakes bearing
  the face and name of well-known consumer advice personality, Martin Lewis,
  underscores the massive challenge for its platform on this front. Lewis is
  suing the company for defamation over its failure to stop bogus ads
  besmirching his reputation with their associated scams.

The Dark-ads might be thought of as similar to the Naryads, the Leeryads,
the Purseyads, and other meatier showers—except that they are largely
invisible to Facebook and ubiquitously visible to everyone else.  Besides,
they are not like (scattered) showers at all—more like uninterrupted
monsoons and biblical deluges.  At least Noah's Ark did not have the World
Wide Web to blare at the hoofers and tweeters on board, or TV speakers
offering fake gnus.  We might want to take a lesson from the Hindu
U-punish-ads.  PGN


Facebook's Ties With Kogan and Cambridge Were Even Cozier Than We Thought (Slate)

Lauren Weinstein <lauren@vortex.com>
Mon, 23 Apr 2018 09:57:15 -0700
via NNSquad

http://slate.com/technology/2018/04/60-minutes-interview-facebooks-ties-with-aleksandr-kogan-and-cambridge-were-cozier-than-we-thought.html

  What Zuckerberg didn't mention was that Facebook itself had worked
  directly with Kogan and his Cambridge colleagues for years--and that it
  continues to this day to employ two of Kogan's close research
  associates. In an interview with CBS' 60 Minutes on Sunday, Kogan said one
  of them, his former co-worker Joseph Chancellor, was fully involved in
  harvesting the user data that they then sold to Cambridge Analytica. On
  Monday, Facebook spokesman Andy Stone confirmed to Slate that, with
  respect to Chancellor, "a review of the situation is ongoing."


How merchants use Facebook to flood Amazon with fake reviews (WashPo)

Lauren Weinstein <lauren@vortex.com>
Mon, 23 Apr 2018 10:53:03 -0700
via NNSquad

http://www.washingtonpost.com/business/economy/how-merchants-secretly-use-facebook-to-flood-amazon-with-fake-reviews/2018/04/23/5dad1e30-4392-11e8-8569-26fda6b404c7_story.html

  But a Washington Post examination found that for some popular product
  categories, such as bluetooth headphones and speakers, the vast majority
  of reviews appear to violate Amazon's prohibition on paid reviews. They
  have certain characteristics, such as repetitive wording that people
  likely cut and paste in.  Many of these fraudulent reviews originate on
  Facebook, where sellers seek shoppers on dozens of networks, including
  Amazon Review Club and Amazon Reviewers Group, to give glowing feedback in
  exchange for money or other compensation. The practice artificially
  inflates the ranking of thousands of products, experts say, misleading
  consumers.


How Looming Privacy Regulations May Strengthen Facebook and Google (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 24 Apr 2018 06:06:05 -0400
http://www.nytimes.com/2018/04/23/technology/privacy-regulation-facebook-google.html

Facebook and Google are dealing with a privacy backlash and new European
rules on data collection. The rules, though, may not be as damaging to the
companies as they appear.


How Fake Mark Zuckerbergs Scam Facebook Users Out of Their Cash

Monty Solomon <monty@roscom.com>
Thu, 26 Apr 2018 09:30:33 -0400
http://www.nytimes.com/2018/04/25/technology/fake-mark-zuckerberg-facebook.html

The Facebook chief executive has vowed to clean up the social network, but his company has failed to stop even those impersonating him from swindling people.


Malicious Amazon Alexa Skills Can Record Everything a User Says (EWeek)

Gabe Goldberg <gabe@gabegold.com>
Sun, 29 Apr 2018 13:23:15 -0400
Security firm Checkmarx reports that malicious Amazon Alexa skills could
have enabled an attacker to record everything a user says. Amazon has taken
steps to mitigate the issue.

http://www.eweek.com/security/researchers-find-amazon-alexa-can-be-hacked-to-record-users

Of course, how secure are other listening devices?


The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder (NYTimes)

Lauren Weinstein <lauren@vortex.com>
Sat, 28 Apr 2018 08:06:42 -0700
via NNSquad

http://www.nytimes.com/2018/04/27/health/dna-privacy-golden-state-killer-genealogy.html

  Even as scientific experts applauded this week's arrest of the Golden
  State Killer suspect, Joseph James DeAngelo, 72, some expressed unease on
  Friday at reports that detectives in California had used a public
  genealogy database to identify him. Privacy and ethical issues glossed
  over in the public's rush to embrace DNA databases are now glaringly
  apparent, they said.

Apparently they also got a false genetic hit on this case last year
and harassed a sick and elderly innocent man as a result. I've been
saying for years that anyone voluntarily submitting genetic data to
publicly accessible databases is worse than an idiot. DNA-based
genealogy as a hobby is for suckers. You're selling the current and
future generations of your relatives down the goddamned river, you
morons!

  [Also noted by Mark Thorson.  PGN]


TSB fiasco (Charles Mann on Naked Capitalism)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 24 Apr 2018 8:42:56 PDT
http://www.nakedcapitalism.com/2018/04/tsb-train-wreck-massive-bank-it-failure-going-into-fifth-day-customers-locked-out-of-accounts-getting-into-other-peoples-accounts-getting-bogus-data.html

Snippet:

The very short version is that a UK bank, TSB, which had been merged into
and then many years later was spun out of Lloyds Bank, was bought by the
Spanish bank Banco Sabadell in 2015. Lloyds had continued to run the TSB
systems and was to transfer them over to Sabadell over the weekend. It's
turned out to be an epic failure, and it's not clear if and when this can be
straightened out.

It is bad enough that a bank IT problem had been so severe and protracted
that a major newspaper, The Guardian, created a live blog for it that has
now been running for two days.

The more serious issue is the fact that customers still can't access online
accounts and, even more disconcerting, are sometimes being allowed into other
people's accounts, which says there are massive problems with data
integrity. That's a nightmare to sort out.

Even worse, the fact that this situation has persisted strongly suggests
that Lloyds went ahead with the migration without allowing for a
rollback. If true, this is a colossal failure...


TSB week-long disruption (The Guardian)

"Wendy M. Grossman" <wendyg@pelicancrossing.net>
Sat, 28 Apr 2018 12:12:17 +0100
People outside the UK may not be aware that customers of one of the largest
banks, TSB, has had a week-long IT disaster that has locked people out of
accounts, cash, mortgages, staff payments...you name it.  The Guardian says
an inside source claims that the warning signs were there a year ago when
TSB was forced to divest itself of Lloyds Banking Group (in the financial
crisis taxpayer bailout) because after many mergers the IT system was a
"bodge of many old systems" (banks here went on a consolidation spree in the
1990s and early 2000s). The risk that *The Guardian* highlights is
interesting: IT systems that are forced into working together by business
decisions, then forced apart by regulatory ones...compounded by IT mistakes
and internal divisions.

http://www.theguardian.com/business/2018/apr/28/warning-signs-for-tsbs-it-meltdown-were-clear-a-year-ago-insider

  [Richard Stein also notes
    TSB chaos: 'We are on our knees,' says boss (BBC)
    http://www.bbc.com/news/business-43904267
  PGN]


Brain-Computer Interfaces: 'The Last Frontier of Human Privacy' (WSJ)

Monty Solomon <monty@roscom.com>
Wed, 25 Apr 2018 10:45:49 -0400
Bryan Johnson, the founder and CEO of neurotech company Kernel, on the
issues surrounding direct access to our most valuable data

http://www.wsj.com/articles/brain-computer-interfaces-the-last-frontier-of-human-privacy-1524580522


Viewpoint: The pitfalls of India's biometric ID scheme (BBC)

Gabe Goldberg <gabe@gabegold.com>
Tue, 24 Apr 2018 12:17:38 -0400
http://www.bbc.com/news/world-asia-india-43619944


Zelle, the Banks' Answer to Venmo, Proves Vulnerable to Fraud (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Tue, 24 Apr 2018 17:11:27 -0400
Bob Sullivan, an author who specializes in cybercrime and consumer
protection, said he was stunned by how poorly the banks had communicated
Zelle's risks -- and by their failure to learn from the painful lessons of
the past.

http://www.nytimes.com/2018/04/22/business/zelle-banks-fraud.html

  [Monty Solomon added this from that:
  The personal payment platform Zelle is flourishing. But so are fraudsters,
  who are exploiting weaknesses in the banks' security.  PGN]


Blockchains for journalism (CJR)

Prashanth Mundkur <prashanth.mundkur@gmail.com>
Mon, 23 Apr 2018 09:03:29 -0700
  [Apparently, it's a thing!]

Civil says the future of media is blockchains and cryptocurrencies
Mathew Ingram, December 4, 2017, CJR

http://www.cjr.org/business_of_news/civil-says-the-future-of-media-is-blockchains-and-cryptocurrencies.php

Mathew Ingram, March 2, 2018, CJR
Jarrod Dicker on what the blockchain can do for news

http://www.cjr.org/innovations/blockchain-poet.php


ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying (The Register)

Gabe Goldberg <gabe@gabegold.com>
Fri, 27 Apr 2018 15:24:17 -0400
Experts complain of shoddy tech specs and personal attacks.

http://www.theregister.co.uk/2018/04/25/nsa_iot_encryption

Those experts with their high standards...


Cyberwarfare may be less dangerous than we think (WashPo)

Richard M Stein <rmstein@ieee.org>
Thu, 26 Apr 2018 19:41:41 +0800
https://www.washingtonpost.com/news/monkey-cage/wp/2018/04/26/what-can-cybergames-teach-us-about-cyberattacks-quite-a-lot-in-fact/

  "Frankly, the United States is under attack.

  "This February 2018 warning to the Senate from Director of National
  Intelligence Dan Coats included a message that "there should be no doubt"
  that Russia, emboldened by its 2016 cyberattacks and informational warfare
  campaign, will target the U.S. midterm elections this year.

  "We agree. However, our research suggests that, although states like
  Russia will continue to engage in cyberattacks against the foundations of
  democracy (a serious threat indeed), states are less likely to engage in
  destructive "doomsday" attacks against each other in cyberspace. Using a
  series of war games and survey experiments, we found that cyber operations
  may in fact produce a moderating influence on international crises.

  "Here's why: Cyberspace offers states a way to manage escalation in the
  shadows. Thus, cyber operations are more akin to the Cold War- era
  political warfare than a military revolution."

Daniel Ellsberg's latest, "The Doomsday Machine: Confessions of a Nuclear
War Planner," supplies sober discourse about his persistent and successful
effort, during the first Cold War, to implement permissive action links
(PALs) as part of US strategic nuclear war planning. Are similar protocols
and devices applied to constrain cyber weaponry?

The article does not discuss how delegation of authority may initiate an
offensive cyber attack, or escalate into a limited or general war, if  or
when established command and control channels are disabled or compromised.


Defending Hospitals against Life-Threatening Cyber-attacks (Scientific American)

Richard M Stein <rmstein@ieee.org>
Thu, 26 Apr 2018 11:21:13 +0800
http://www.scientificamerican.com/article/defending-hospitals-against-life-threatening-cyber-attacks/

"We found that despite widespread concern about lack of funding for
cybersecurity, two surprising factors more directly determine whether a
hospital is well protected against a cyberattack: the number and varied
range of electronic devices in use and how employees' roles line up with
cybersecurity efforts."

Heterogeneous infrastructure broadens the ransomware attack surface and the
scope of malicious service-denial takedowns. Role privilege
allocation/restriction gaps elevate computerized medical device
configuration and usage error risks.

"Getting hospital administrators to understand the importance of
cybersecurity is fairly straightforward: They told us they're worried
about costs, institutional reputation and regulatory penalties. Getting
medical staff on board can be much more difficult: They said they're
focused on patient care and don't have time to worry about
cybersecurity."

Professionals shirk their oaths and obligations to protect patients,
compromising ethical practice with impunity; an alarming standard operating
procedure that begs for enforcement and strictly monitored, corrective
measures. Business operations that neglect risk mitigations in the name of
profit and expenditure reduction, and a criminal exploiting these
vulnerabilities, are linked by more than metaphor.  Hospital administrators
fear brand outrage, yet demur at proactively suppressing this
potential.  Dysfunctional organizational behavior is inimical to patient
health and resilient operations.

Digital medical records are integral components of the surveillance
economy, and apparently easy to monetize. The notorious bank robber
Willie Sutton said, "I rob banks because that's where the money is."
Electronic medical record banks are sweeter targets, and
software is the criminal's weapon of choice. 


'Operation GhostSecret': North Korea Is Suspected in Intensifying Global Cyberattack (WSJ)

Monty Solomon <monty@roscom.com>
Wed, 25 Apr 2018 10:04:46 -0400
Pyongyang-linked data-theft campaign has hit 17 countries, including the
U.S., report says

http://www.wsj.com/articles/operation-ghostsecret-north-korea-is-suspected-in-intensifying-global-cyberattack-1524629807


"Mysterious cyber-worm targets medical systems, is found on X-ray machines and MRI scanners" (ZDNet)

Gene Wirchenko <genew@telus.net>
Tue, 24 Apr 2018 09:37:46 -0700
http://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/

Danny Palmer, ZDNet, 23 Apr 2018
Orangeworm hacking group carefully selects victims in highly targeted attacks.

selected text:

A newly-discovered cybercriminal group is installing custom malware onto the
systems of organisations in healthcare and related sectors in order to
conduct corporate espionage.

"The targeting of large multinational corporations that work directly in or
related to the healthcare space has been a consistent theme with Orangeworm
since their discovery," Alan Neville, threat researcher at Symantec told
ZDNet.

Within the healthcare sector, Kwampirs malware was found installed on a wide
variety of systems, including X-Ray and MRI machines, as well as machines
used to assist patients in completing consent forms.  However, rather than
stealing information stored upon these systems, it is suggested that
attackers are mostly interested in learning about the devices themselves.


Comcast partners with Independence Health to create digital health company (Healthcare IT News)

Gabe Goldberg <gabe@gabegold.com>
Tue, 24 Apr 2018 12:36:33 -0400
http://www.healthcareitnews.com/news/comcast-partners-independence-health-create-digital-health-company

Use terrible/hated consumer brand for healthcare. What could go wrong?


Medical transcription service leaves patient records open (Krebs)

danny burstein <dannyb@panix.com>
Wed, 25 Apr 2018 11:37:11 -0400
Courtesy of Krebsonline, 18 Apr 2018
 (URL at end),

Transcription Service Leaked Medical Records
https://krebsonsecurity.com/2018/04/transcription-service-leaked-medical-records/

MEDantex, a Kansas-based company that provides medical transcription
services for hospitals, clinics and private physicians, took down its
customer Web portal last week after being notified by KrebsOnSecurity that
it was leaking sensitive patient medical records - apparently for thousands
of physicians.

On Friday, KrebsOnSecurity learned that the portion of MEDantex's site which
was supposed to be a password-protected portal physicians could use to
upload audio-recorded notes about their patients was instead completely open
to the Internet.

What's more, numerous online tools intended for use by MEDantex employees
were exposed to anyone with a Web browser, including pages that allowed
visitors to add or delete users, and to search for patient records by
physician or patient name. No authentication was required to access any of
these pages.


Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 24 Apr 2018 15:49:00 -0400
Almost 1,300 addresses for Amazon Route 53 rerouted for two hours.

http://arstechnica.com/information-technology/2018/04/suspicious-event-hijacks-amazon-traffic-for-2-hours-steals-cryptocurrency/


Amazon Launches In-Car Delivery (Business Wire)

Monty Solomon <monty@roscom.com>
Tue, 24 Apr 2018 08:50:02 -0400
http://www.businesswire.com/news/home/20180424005509/en/Buckle-Prime-Members-Amazon-Launches-In-Car-Delivery


A One-Minute Attack Let Hackers Spoof Hotel Master Keys (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 28 Apr 2018 14:32:45 -0400
Master Key

At the Infiltrate conference in Miami later this week, Tuominen and Hirvonen
plan to present a technique they've found to not simply clone the keycard
RFID codes used by Vingcard's Vision locks, but to create a master key that
can open any room in a hotel.

With a $300 Proxmark RFID card reading and writing tool, any expired keycard
pulled from the trash of a target hotel, and a set of cryptographic tricks
developed over close to 15 years of on-and-off analysis of the codes
Vingcard electronically writes to its keycards, they found a method to
vastly narrow down a hotel's possible master key code. They can use that
handheld Proxmark device to cycle through all the remaining possible codes
on any lock at the hotel, identify the correct one in about 20 tries, and
then write that master code to a card that gives the hacker free rein to
roam any room in the building. The whole process takes about a minute.

http://www.wired.com/story/one-minute-attack-let-hackers-spoof-hotel-master-keys


Hackers have found a way to jailbreak the Nintendo Switch (WashPo)

Monty Solomon <monty@roscom.com>
Wed, 25 Apr 2018 00:00:25 -0400
The hack can turn the Switch into a tablet that can run pirated programs and
grant hackers far greater control over the system than Nintendo intended.

http://www.washingtonpost.com/news/the-switch/wp/2018/04/24/hackers-have-found-a-way-to-jailbreak-the-nintendo-switch/


The state of patch management (HPE)

Gabe Goldberg <gabe@gabegold.com>
Thu, 26 Apr 2018 19:44:11 -0400
http://www.hpe.com/us/en/insights/articles/the-state-of-patch-management-1804.html

It's automated so it's wonderful. That takes more faith than I have.


Backlash prompts Eventbrite to drop demand to crash events, record them (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 24 Apr 2018 22:56:05 -0400
http://arstechnica.com/information-technology/2018/04/eventbrite-rolls-back-policy-that-would-have-given-it-right-to-record-events/


Re: Regulate AI? (Thomas, R 30.66)

Craig Burton <craig.alexander.burton@gmail.com>
Mon, 23 Apr 2018 11:04:42 +1000
Regulate AI: laudable and important goal, but the Three Steps in the
Nature article sound the same as proposals for nuclear non-proliferation.
Nukes are hard to make and hard to hide.  AI code can be emailed to North
Korea.

Is any kind of prohibition going to work for AI?  What about the opposite:
Open and promote AI development so that a pretty good system is freely
available.  People worried about secret AI systems can turn their efforts
to improving the open system.  This may put pressure on dark AI systems.
Or is the risk really in applications - that 20 year old AI in textbooks is
being keyed into missile guidance software?  Then the prohibition needs to
be on guided missiles?


Re: ACM ICPC Programming Contest (RISKS-30.66)

Martyn Thomas <martyn@thomas-associates.co.uk>
Mon, 23 Apr 2018 09:47:27 +0100
The Risk? That someone will confuse this achievement with professional
software development.


Re: Instant Runoff Voting (Unger, R 30.66)

Wols Lists <antlists@youngman.org.uk>
Mon, 23 Apr 2018 16:33:53 +0100
What about Condorcet, as used by Debian? Basically, for any pair of
candidates, you say which one you prefer. This will give you a candidate who
is preferred above everyone else, or alternatively an "anyone but" candidate
to be eliminated.

The trouble with Condorcet is you really need a computer to count the votes.

Personally, my favourite where there are multiple positions available (such
as our parliamentary elections) would be "top up" places. Keep the current
"first past the post" voting for constituencies, then based on the national
vote share out the top-up seats to candidates who came second in the
constituencies. That's not perfectly fair, it is intended to ensure that two
or three parties get most of the seats, but it makes it much easier to
unseat an unpopular party.

It also prevents the instability that Italy experienced a decade or two ago when
a system, intended to be as fair as possible, resulted in even the largest
party not having many seats, and thus the country lurched from one
short-lived coalition to another.
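The pairwise count Wols describes, as an added example that is not part of the post and not Debian's own tallying code (Debian's method, Schulze's Schwartz sequential dropping, additionally resolves cycles; this example only reports the pairwise winner, the "anyone but" loser, and the first-past-the-post winner for contrast). The ballots are constructed for the illustration.

```python
from collections import Counter
from itertools import permutations

# Constructed sample ballots, most-preferred candidate first.
# Three voters rank A>B>C, two rank B>C>A, two rank C>B>A.
SAMPLE_BALLOTS = [["A", "B", "C"]] * 3 + [["B", "C", "A"]] * 2 + [["C", "B", "A"]] * 2

# Constructed cyclic ballots: A beats B, B beats C, C beats A (no Condorcet winner).
CYCLE_BALLOTS = [["A", "B", "C"], ["B", "C", "A"], ["C", "A", "B"]]


def candidates_of(ballots):
    """Every candidate named on any ballot, in a stable order."""
    return sorted({c for ballot in ballots for c in ballot})


def pairwise_preferences(ballots, candidates=None):
    """prefs[(x, y)] = number of ballots ranking x above y.
    A candidate left off a ballot is treated as ranked below everyone on it."""
    candidates = candidates or candidates_of(ballots)
    prefs = Counter()
    for ballot in ballots:
        rank = {c: i for i, c in enumerate(ballot)}
        unranked = len(ballot)  # worse than any listed candidate
        for x, y in permutations(candidates, 2):
            if rank.get(x, unranked) < rank.get(y, unranked):
                prefs[(x, y)] += 1
    return prefs


def condorcet_winner(ballots, candidates=None):
    """The candidate preferred over every other candidate head-to-head,
    or None when the pairwise results form a cycle."""
    candidates = candidates or candidates_of(ballots)
    prefs = pairwise_preferences(ballots, candidates)
    for x in candidates:
        if all(prefs[(x, y)] > prefs[(y, x)] for y in candidates if y != x):
            return x
    return None


def condorcet_loser(ballots, candidates=None):
    """The 'anyone but' candidate: loses every head-to-head contest."""
    candidates = candidates or candidates_of(ballots)
    prefs = pairwise_preferences(ballots, candidates)
    for x in candidates:
        if all(prefs[(y, x)] > prefs[(x, y)] for y in candidates if y != x):
            return x
    return None


def plurality_winner(ballots):
    """First-past-the-post on the same ballots: most first preferences wins."""
    firsts = Counter(ballot[0] for ballot in ballots if ballot)
    return firsts.most_common(1)[0][0]


if __name__ == "__main__":
    print("FPTP:", plurality_winner(SAMPLE_BALLOTS))          # A
    print("Condorcet winner:", condorcet_winner(SAMPLE_BALLOTS))  # B
    print("Condorcet loser:", condorcet_loser(SAMPLE_BALLOTS))    # A
    print("Cycle winner:", condorcet_winner(CYCLE_BALLOTS))       # None
```

On the sample ballots A has the most first preferences and so wins under first past the post, yet A loses both of its head-to-head contests and is the Condorcet loser; B, which nobody ranks last, is the Condorcet winner. The cyclic ballots show the case where pairwise counting alone produces no winner and a tie-breaking rule (as in Debian's method) is needed.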


Re: American elections are too easy to hack. We must take action now (Schneier, R 30.66)

"Mark E. Smith" <mymark@gmail.com>
Mon, 23 Apr 2018 08:44:53 -0700
> "The politicians running in the election shouldn't have to argue their
> challenges in court."

If they are Congressional candidates, they cannot argue their challenges in
court.  Article I, Section 5 of the U.S. Constitution says, "Each House
shall be the Judge of the Elections, Returns, and Qualifications of its own
Members..."

Candidates who lose Congressional elections due to fraud can appeal only to
Congress.  Not even the Supreme Court can intervene, as the power to judge
Congressional elections rests solely with Congress.  Does anyone know if a
candidate has ever won one of those appeals?


Re: "A bad day with mobile 2FA" (Maziuk, R 30.66)

"John Levine" <johnl@iecc.com>
22 Apr 2018 22:10:01 -0400
If this is an actual problem you must have a remarkably bad local clock.
Google uses the standard TOTP algorithm that generates a new key every 30
seconds, and I am reasonably sure they will accept either the current or the
previous code to give you time to switch apps and type the code in.  So as
long as your phone's clock is within a minute of the correct time, the code
should work.

One time I lost my phone in an airport parking garage shortly before getting
on a plane.  It was easy enough to buy another phone and port my number to
it, thereby recovering any 2FA keyed to my phone number, but I'd lost all
the Authenticator codes.  So I made sure that wouldn't happen again.  When
Google or anyone else shows you a QR code to set up in Authenticator, it
contains a base32 seed string along with a comment.  If you save or write
down that seed string, you can later enter it into Authenticator or any
other TOTP application.  I have all my seeds both in the phone app and in a
python script on my laptop.

Adding to the confusion, I have SIM cards for countries I visit so my
phone has a Canadian phone number when I'm in Canada, and a UK phone
number when I'm in Europe.  This means when I'm traveling, the TOTP
2FA works fine, but anyone who sends a SMS to my US phone number will
have to wait until I get home.  So overall I like TOTP a lot better,
clock issues and all.
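The TOTP behaviour described above (30-second steps, a base32 seed from the QR code, and a verifier that accepts the previous code as well as the current one), as an added example that is not from John Levine's post and not Google's code. It implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and 6 digits; the demo seed is the base32 encoding of the RFC 6238 test secret and is constructed for the illustration, a real seed comes from the site's QR code. The one-step-back window is an assumption chosen to match the post, not Google's documented policy.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo seed: base32 of the RFC 6238 test secret "12345678901234567890".
DEMO_SEED = base64.b32encode(b"12345678901234567890").decode()


def decode_seed(seed: str) -> bytes:
    """Authenticator seeds are base32, often shown in groups with spaces and
    without '=' padding; normalise before decoding."""
    s = seed.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: str, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals
    since the Unix epoch, so a new code appears every 30 seconds."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(decode_seed(seed), at_time // step, digits)


def verify(seed: str, code: str, at_time: Optional[int] = None,
           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and the `window` preceding steps.
    With window=1 a code stays valid for up to 60 seconds after it first
    appears, which is the tolerance the post describes; a clock more than
    about a minute slow or fast still fails."""
    if at_time is None:
        at_time = int(time.time())
    secret = decode_seed(seed)
    submitted = code.strip().replace(" ", "").encode()
    current = at_time // step
    for counter in range(current - window, current + 1):
        # constant-time compare so a verifier does not leak matching prefixes
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), submitted):
            return True
    return False


if __name__ == "__main__":
    print("seed:", DEMO_SEED)
    print("code now:", totp(DEMO_SEED))
    print("code at t=59:", totp(DEMO_SEED, 59))       # 287082 (RFC 6238 vector)
    print("still valid at t=89:", verify(DEMO_SEED, "287082", 89))    # True
    print("expired at t=119:", verify(DEMO_SEED, "287082", 119))      # False
```

Running it against the RFC test vectors shows why keeping the seed string matters: any RFC 6238 implementation, on a phone or in a script on a laptop, derives identical codes from the same seed and the same clock, so a saved seed is a full backup of the authenticator entry and must be protected like a password.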


Re: "A bad day with mobile 2FA" (Levine)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Tue, 24 Apr 2018 14:33:30 -0500
My bank has an even better option, actually: they'll print you a card with 2
rows of symbols for a challenge-response authentication. It's not quite
one-time: it's good for a couple of months or until you call them and ask
for a new one, whichever comes first. :)
