[HN Gopher] Twilio confirms data breach after hackers leak 33M A...
___________________________________________________________________
Twilio confirms data breach after hackers leak 33M Authy user phone
numbers
Author : mindracer
Score : 622 points
Date : 2024-07-04 12:26 UTC (1 day ago)
(HTM) web link (www.securityweek.com)
(TXT) w3m dump (www.securityweek.com)
| infecto wrote:
| Good motivation to stop using Authy.
| fauigerzigerk wrote:
| What is a good alternative?
| infecto wrote:
| Most likely whatever password app you use supports these now.
| I know for myself, I started using Authy long long ago when
| there were not really many options.
|
| In my case, 1 Password can do this now. I believe the same is
| true for Bitwarden and Apple passwords.
| fauigerzigerk wrote:
| I hesitate to use the same app for both authentication
| factors.
|
| The reason why I started using Authy a long time ago is
| that it supports multiple devices and isn't linked to any
| other account (such as Google or Microsoft).
| lozf wrote:
| Also KeePassXC -- if you don't like the idea of 2FA codes
| being in the same db as passwords, it's straightforward to
| use a separate db for 2FA only.
|
| Manage your own sync between devices with syncthing,
| dropbox or whatever you prefer.
| sofixa wrote:
| Personally I dislike the idea of putting the other
| factor (TOTP) alongside the main two ones (email/password).
| Kind of ruins most of the purpose of TOTP and MFA in
| general.
| imrehg wrote:
| Besides all the other advice of using the password manager as
| a 2FA store as well, on the stand-alone side there is Aegis.
| I have good experience with it, and it allows better
| interoperability than Authy as well.
| haswell wrote:
| On iOS, I've been using "OTP Auth".
|
| While it's nice that password managers can handle this as
| others have mentioned, the whole point of a 2nd factor is to
| ensure an attacker can't get in if they somehow get your
| password. Storing the second factor along with the 1st factor
| doesn't make much sense to me.
| attendant3446 wrote:
| Aegis (Android), supports automatic backups. There is also
| Ente Auth (it's been mentioned on this site), but I haven't
| used it much.
| cess11 wrote:
| I'll join the choir and recommend Aegis. It's slick, got
| features, code on Github.
| rvz wrote:
| My goodness, for the 100,000th time, just stop using phone
| numbers for 2FA. (I know you won't anyway)
|
| There are no more excuses other than asking for your phone to be
| sim-swapped and your bank accounts or your wallets to be drained
| by call centers.
|
| If this breach doesn't scare you from using phone number for 2FA,
| then maybe nothing ever will and AI and deep fakes will make this
| even worse.
| AceyMan wrote:
| Authy doesn't implement SMS 2FA (how could it). A phone number
| is part of your user profile for registered mobile devices
| hosting the app.
| Justin_K wrote:
| Even worse... Sounds like phone number is irrelevant, yet
| they collect it.
| oldmariner wrote:
| How else are they going to track people with a hard-to-
| change identifier?
| Terretta wrote:
| > _How else are they going to track people with a hard-
| to-change identifier?_
|
| Using the device advertising ID that the user is entitled
| to change.
|
| // Sorry, for a moment I thought you were serious.
| prng2021 wrote:
| I just did some quick research on these IDs. Correct me
| if I'm wrong, but it seems like each user account would
| be tied to one device. It also seems like the user, at
| least on Apple devices, has to opt into advertising
| tracking in order for your app to even get access to
| this.
|
| Ignoring the security pitfalls of phone numbers, it
| really doesn't seem like these advertising IDs are a drop
| in replacement for using phone numbers.
| jokethrowaway wrote:
| It's used to store and retrieve your 2fa secrets in case
| you lose your device
| Terretta wrote:
| > > _Even worse... Sounds like phone number is
| irrelevant, yet they collect it._
|
| > _It's used to store and retrieve your 2fa secrets in
| case you lose your device_
|
| The _phone number_ doesn't store anything?
|
| But if somehow knowing that phone number is a key to
| getting your 2FA secrets, you'd have a bigger problem.
|
| Except it often is, and that's the problem.
| ezekg wrote:
| Do what I do and turn off "allow multi-device." Problem
| solved -- even if your phone number is stolen, they can't
| recover your 2FA because it's locked to the device too.
| FabHK wrote:
| You can enable multi device, and have it on multiple
| devices, then disable it.
|
| https://authy.com/blog/understanding-authys-multi-device-
| fea...
| ezekg wrote:
| Yep. I've done this. Lots of people I know use "burner"
| phones without cellular for 2FA.
| rvz wrote:
| That is brilliant news for SIM swappers and criminals now
| that they can gain access to your codes directly with your
| phone number!
|
| A terrific reason to avoid anything Twilio / Authy
| Ayesh wrote:
| In fairness, you cannot. It requires a backup password.
| ceejayoz wrote:
| > Authy doesn't implement SMS 2FA (how could it).
|
| https://www.authy.com/integrations/ssh/
|
| "Someone in your organization doesn't have a smartphone? We
| got you covered. Authy SSH can send them the token via SMS or
| a phone call."
| ezekg wrote:
| If you use Authy, turn off "allow multi-device" and SIM-
| swapping isn't an issue. This should be on regardless of the
| leak.
| SketchySeaBeast wrote:
| But one of the selling points for me was to allow multiple
| devices so that if one broke I'd still have access.
| greenchair wrote:
| people with this use case would need to be comfortable
| taking on the extra risk.
| FabHK wrote:
| You can enable multi device, and have it on multiple
| devices, then disable it (and keep it on multiple devices -
| it's just that then adding yet another device needs
| toggling multi-device on from an existing device, a
| confirmation SMS is not enough).
| SketchySeaBeast wrote:
| Perfect. I can just toggle it on when I add another
| device. Thank you, great solution.
| tamimio wrote:
| > for the 100,000th time, just stop using phone numbers for
| 2FA.
|
| I agree, and I say this to whoever asks me too, and I avoid any
| services that still use phone numbers as a way to associate it
| to you (Signal, I'm looking at ya!)
|
| However, easier said than done, some services still require you
| to use a phone number, like banks, some government agencies,
| insurance companies, etc., the services that actually matter if
| your data get leaked. I believe there should be a regulation to
| prevent using the phone in any way to confirm your ID, and
| never force you to provide one to access such services.
| k8sToGo wrote:
| It doesn't scare me because in Authy you also set a password
| which without you cannot access the codes.
|
| The phone number here just acts as a username.
| simcollect wrote:
| How come companies don't care about encrypting their users' data
| in their databases?
|
| It's been possible for a very long time now.
|
| Yet, companies keep leaking. And people keep sleeping.
| sethammons wrote:
| Why would that have helped? The endpoint was exposing the data,
| not the database. The endpoint would have simply decrypted.
|
| Encryption of data at rest is for hard drives that walk off,
| not for access.
| Dma54rhs wrote:
| How to confirm if my number was one of the leaked ones?
| sofixa wrote:
| I suppose https://haveibeenpwned.com/ will add the information
| when it can be verified.
| blackeyeblitzar wrote:
| Authy makes it hard to migrate away. Anyone know how to get the
| seed of the 2FA codes? Is there really no export option?
| conception wrote:
| Maybe?
| https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
| hypeatei wrote:
| Authy desktop is no longer available and you need a specific
| version.
| tamimio wrote:
| I had that exact needed version when I migrated, if you
| need it, I can look it up, but there's a slim chance that I
| deleted it.
| zenbane wrote:
| https://community.chocolatey.org/packages/authy-
| desktop/2.2....
| deegles wrote:
| You'll have to reset them one by one.
| drooopy wrote:
| I finished that process recently for 50+ accounts. It's
| something that I would definitely wish on my worst enemy.
| tamimio wrote:
| Ha! When I finished mine, I actually bought myself some
| treats and snacks for celebration.
| hipadev23 wrote:
| I slowly migrated away from Authy when they decided to shut
| down their desktop authenticator. You can painfully export
| codes, though I generated new 2FA codes at every vendor.
| slightwinder wrote:
| Some months ago, I used https://github.com/alexzorin/authy to
| export them. It basically creates a dummy-device to access the
| tokens, and then exports them to some format. But I have not
| figured out how to import them now into another app.
| hypeatei wrote:
| Use the plaintext export option on that project. Most TOTP
| apps should accept the URIs that are exported. Maybe not en
| masse but individually for sure.
| slightwinder wrote:
| Ah, thank you, that worked in Aegis. I just missed the
| option for plaintext because of the long list of supported
| apps. So all it needs is a textfile with one
| otpauth://-entry per line and it imports them all at once.
| prevent6672 wrote:
| I thought I had a lot of totp codes to migrate but then it
| turned out I didn't use many of them. After deducting them,
| there remained 10 apps that I needed to migrate. It took me an
| hour to port them to bitwarden manually.
| EVa5I7bHFq9mnYK wrote:
| Just write down any key before you store it in Authy.
| snowwrestler wrote:
| I use Authy's iOS app to generate 2FA tokens for a few accounts.
| I cannot remember ever entering my phone number into it, or
| establishing an Authy account of any kind. Is there some other
| way they would have acquired my phone number?
|
| I'm trying to see if the issue is some unanticipated issue with the
| iOS client app itself, or if it is only affecting people who
| created online accounts with Authy to sync their 2FA credentials
| across devices.
| inhumantsar wrote:
| Authy is both a SaaS and a consumer-facing authenticator app.
|
| When companies integrate Authy into their system, they can use
| it for SMS OTP (also deliverable by phone call + TTS iirc) as
| well as regular TOTP, Authy's proprietary TOTP, and others.
|
| Your phone number would only be at risk if you used a service
| which used Authy for SMS 2FA
| ffsm8 wrote:
| The consumer app also wants your phone number... It prompts
| you to "backup" your codes, so that they're not gone if you
| reinstall the app or switch devices
|
| you probably gave them your phone number at some point if
| you've got authy on multiple devices.
|
| /Edit: just checked on a clean install. It prompts for a
| phone number instantly and won't let you scan codes without
| creating an account. Not sure when that happened, as I
| haven't really used it in years.
| inhumantsar wrote:
| Figures. I stand corrected then.
|
| We used Authy for 2FA at my last company and migrated off
| it to use a complete auth platform. The amount of user
| (consumer and business) hostile shit we found in the
| process was astounding.
|
| Twilio was nice to work with way back when it was the only
| decent API-driven POTS connection service out there.
| They've steadily gotten worse over the years and
| acquisitions though. Wouldn't recommend them to my worst
| enemy these days.
| razakel wrote:
| You know, one thing I learned from my patients... they
| all hate the phone company. It's interesting; even the
| stock holders of the phone company hate the phone
| company!
| inhumantsar wrote:
| As a former telco employee and current telco shareholder,
| can confirm.
| stogot wrote:
| What do you recommend now
| inhumantsar wrote:
| For authentication services to integrate into
| apps/services, Zitadel.
|
| For consumer password/2FA management, Bitwarden and
| Yubikey.
| jordigh wrote:
| What's Authy's proprietary TOTP protocol? Is it just in fact
| HOTP, like Duo?
|
| https://news.ycombinator.com/item?id=20936222
| slightwinder wrote:
| Have you looked into the settings? On android you can see a
| cellphone-number and e-mail there. If they are missing, I guess
| it's not known to them.
| snowwrestler wrote:
| Nothing in the iOS Settings app for Authy, but tapping the
| little gear icon in the app UI shows my phone number and
| email! I guess I did enter them at some point and forgot.
| Thanks.
| k8sToGo wrote:
| If you use cloud sync I think it requires your phone number
| toomuchtodo wrote:
| Cloudflare should probably deprecate their Authy provider,
| considering they support other more secure MFA options
| (hardware and virtual WebAuthN). I believe Wise (ex
| TransferWise) and Plastiq also use Authy natively for SMS OTP
| server side, but provide no mechanism to disable SMS 2FA (boo).
|
| https://authy.com/guides/cloudflare/
| jgrahamc wrote:
| There's no "Use Authy" option any more in Cloudflare. It just
| says: Mobile App Authentication
| Secure your account with TOTP two-factor authentication.
|
| And clicking the button gives you a generic QR code to use
| with app of your choice.
| toomuchtodo wrote:
| Thank you for correcting me, Cloudflare was presented as an
| Authy token that would be destroyed when I deleted my Authy
| account and some of the docs I found led me to believe this
| was still actively in use. I retract the Cloudflare part of
| my above comment.
| jgrahamc wrote:
| No need to apologize. We did use Authy for a long time
| but allowed more general TOTP solutions from 2017 and
| have really pushed hard for people to use hardware keys.
| ayewo wrote:
| > I cannot remember ever entering my phone number into it, or
| establishing an Authy account of any kind. Is there some other
| way they would have acquired my phone number?
|
| Entering your phone number was mandatory. This was what turned
| me away [1] from Authy to Duo Mobile on my Apple devices.
|
| https://news.ycombinator.com/item?id=33244324
| MenhirMike wrote:
| Does anyone have a recommendation for an Open Source 2FA OTP app?
| That's the only thing I use Authy for, to scan the QR Codes into
| the App and generate the 2FA tokens, but in a way that allows me
| to migrate to another phone without having to re-set all the 2FA
| tokens on the vendor side.
| WanderPanda wrote:
| I'm using Raivo. It hasn't let me down, yet
| pxeger1 wrote:
| Raivo was bought by a shady developer last year and is no
| longer open source. If that wasn't enough, a few weeks ago
| they released an update which deleted all your codes -
| failing at literally the one job a 2FA app has!
| mm263 wrote:
| The same Raivo that was sold to some shady dev who proceeded
| to delete all of the OTPs that I had in the app?
|
| https://www.reddit.com/r/privacy/comments/1d3zqvv/raivo_auth.
| ..
| TheBozzCL wrote:
| I use a YubiKey with their Authenticator app.
| notatworkbro wrote:
| I've implanted my 2FA token in my arm and just hope it never
| breaks :D
| fragmede wrote:
| Which one did you get? Did you get the Apex Flex from
| Dangerous Things? How do you like it/how was the process?
|
| https://dangerousthings.com/product/apex-flex/
| MaxMatti wrote:
| I used Aegis for a while and really liked it, switched to
| Bitwarden now but the UX was better
| hypeatei wrote:
| I use both and make offline backups regularly.
| bobbylarrybobby wrote:
| I'm of the opinion that it's basically fine to store them in
| your password manager. Yes if your password manager is broken
| into you lose everything (same as having no 2fa in that case),
| but you still prevent people from guessing your password and
| often avoid having to deal with email- or text-based 2fa. And
| if your password manager is broken into, there's a good chance
| your device has been broken into, in which case it doesn't
| matter where you store your 2fa.
| brightball wrote:
| I mix it up and store some 2FA on different apps.
|
| When it's not a system I'm deeply concerned about I will just
| use the 2FA on the password manager.
| nwhale wrote:
| If you do not need QR codes, _oathtool_ is great. You can
| protect your tokens, recovery codes etc. with _gpg -c_ or
| similar, so the encryption is entirely separate from the
| authentication mechanism.
|
| And you actually know what is going on. Works for GitHub.
|
| https://www.nongnu.org/oath-toolkit/
| SushiHippie wrote:
| For Android I'd recommend Aegis
|
| https://f-droid.org/packages/com.beemdevelopment.aegis/
|
| Or if you have a YubiKey you could also use it for TOTPs
|
| Windows, Linux, Android: https://github.com/Yubico/yubioath-flutter
|
| iOS: https://github.com/Yubico/yubioath-ios
|
| I personally use Bitwarden for TOTPs (with a self hosted
| vaultwarden instance), it's by far not the most secure way to
| store your passwords and TOTPs next to each other, but it saves
| so much time.
| alias_neo wrote:
| This.
|
| I migrated to Aegis a while back because I wasn't happy with
| how hard it is to get secrets out of Authy, or that someone
| else is managing them, and that they need my phone number
| (guess I was right, again).
|
| I use Folder Sync on my Android to sync the Aegis auto-
| backups to a MinIO bucket I host at home.
| mrb wrote:
| I use andOTP https://github.com/andOTP/andOTP and my favorite
| feature is the database of 2FA can be backed up PGP-encrypted
| and reimported on another device. But sadly it is no longer
| maintained. The latest version on Google Play Store is from
| 2021 and can still be installed and works fine on Android 14.
| tamimio wrote:
| Ente Auth, or the built-in one in Bitwarden or KeePassXC.
|
| Migrating from Authy is a headache, though you don't have to
| reset the tokens. I found a way to do it (1), but I had to do
| it manually because Authy only exported the email/user and the
| token. Now, if you are like how I used to be, having the same
| email for different accounts, the exported JSON will be
| confusing and there's no way to tell which account is for which
| service. Only in the Authy UI can you tell. I had to follow the
| order of the JSON and the app, one by one, for my 700+
| accounts, and verify that it works by going to the service site
| and testing the generated code from the new app, and also
| changing the email to a unique one. It took a whole week!
|
| Edit: to add, I wouldn't recommend using Yubico or hardware-
| based ones unless you will have two or more replicas, losing
| them is easy compared to having your tokens backed up in an
| encrypted KeepassXC db for example.
|
| (1)
| https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
| prophesi wrote:
| For Android, if you happen to use Keepass as your password
| manager, I really like KeePassDX[0]. If the camera app you use
| doesn't support QR scanning, though, you'd need an app for that
| (and I don't think any FOSS camera apps implement this, as far
| as I can tell).
|
| This one[1] seems the most up-to-date, by a German research
| group. You'd share the link as text to the KeePassDX app,
| search for the entry it's for, and it populates it with the
| HOTP/TOTP secret.
|
| There are iOS Keepass clients that support this as well, though
| from what I can tell there's some drama with source code[2][3]
| in the landscape.
|
| [0]
| https://f-droid.org/en/packages/com.kunzisoft.keepass.libre/
|
| [1]
| https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...
|
| [2] https://github.com/MiniKeePass/MiniKeePass/issues/606
|
| [3] https://keepassium.com/articles/keepass-apps-for-
| ios/welcome...
|
| And other allegations under the ethics & transparency sections
| of KeePassium's list of iOS alternatives
| https://keepassium.com/articles/keepass-apps-for-ios/
| etoulas wrote:
| https://2fas.com/
| izacus wrote:
| As mentioned elsewhere, Aegis and Authenticator Pro are both
| good on Android. Both are available on Play Store and on
| F-Droid.
| localfirst wrote:
| There really has to be steep repercussions for companies that
| fail to protect user data like this. At this point I can't help
| but feel that there is wilful neglect with the aim of
| exfiltrating data with unknowable aim.
|
| Our digital data must be recognized as human rights but lately
| the world has been vocal about it but silent when it comes to
| action and enforcement.
|
| More and more reason why people no longer trust cloud hosted
| solutions. Offline-first, local-first with optional data sync is
| the _only_ path forward to combat violation of our rights to our
| own digital data.
|
| Case in point, feeding haveibeenpwned with a bunch of HN user
| handles reveals a good chunk of you aren't even aware your data
| has been leaked, especially ironic since I see comments from
| those handles are very anti-regulation when it comes to user data
| ownership.
| cj wrote:
| I agree the US in particular should have better data protection
| laws and consequences.
|
| But phone numbers aren't something I'd consider confidential in
| most cases. Hell, we used to publish our phone numbers in
| physical books and give them to the whole town for free
| (literally).
|
| The data was even monetized with ads plastering every page. I
| guess the digital age isn't all that different from the analog
| age (in certain ways!)
| localfirst wrote:
| That was before the internet. Now phone number leaks can be way
| more troublesome due to the way all of our data is connected
| to it via 2FA.
| olyjohn wrote:
| We didn't use phone numbers to prove our identity back then.
| It was only used to call you. You often wanted it to be
| public so you could be reached. Now it's a critical piece of
| information required to access services online and prove who
| you say you are.
| duckmysick wrote:
| > Twilio has detected that threat actors were able to identify
| data associated with Authy accounts, including phone numbers, due
| to an unauthenticated endpoint. We have taken action to secure
| this endpoint and no longer allow unauthenticated requests
|
| How do I avoid such problems in my own app? Force authentication
| for all requests with row-level security? Rate limiting?
|
| Any testing frameworks that would catch this? Something like
| "given endpoint /user/phone-number-validate make sure only <user>
| can access it".
| jmvoodoo wrote:
| One step we have taken is to build an auth system that requires
| you as the developer to explicitly specify the security of an
| endpoint using a decorator. If no decorator is provided, then
| the endpoint is completely locked down even to admins
| (effectively disabled).
|
| If an endpoint is decorated with something that is considered
| dangerous (i.e. public access), that triggers additional review
| steps. In addition, the authentication forbids certain
| combinations of decorators and access patterns.
|
| It's not perfect, but it has saved us a few times from securing
| endpoints incorrectly in code.
| hypeatei wrote:
| .NET web apps / APIs have an option where you can require
| authorization on all controllers (and their actions) by
| default. If you need an anonymous controller/action, you can
| use the `[AllowAnonymous]` attribute on it.
| api_or_ipa wrote:
| You can easily do the same with most (all?) routers using
| middleware. Whether you get it slotted in your roadmap is a
| different story.
| duckmysick wrote:
| That's pretty cool.
|
| > that triggers additional review steps
|
| Is this done by some sort of a linter running in CI?
| brunoarueira wrote:
| It's a common problem. On a previous job, I found one
| unauthenticated endpoint just because I wanted to add some
| integration tests on it and my tests failed! After that, I
| created a script which lists all endpoints and curls each one
| with invalid credentials, expecting them to return 401.
| kardianos wrote:
| This is really, really simple.
|
| 1. Build a single endpoint handler that handles auth, then
| looks up the endpoint on the path.
|
| 2. Never create direct endpoints, just register endpoints in
| the system that the auth endpoint works under.
|
| You know table driven tests?
|
| Use table driven endpoints. It works and makes things so much
| simpler and secure.
| znpy wrote:
| > 1. build a single endpoint handler that handles auth, then
| looks up the endpoint on the path. 2. Never create direct
| endpoints, just register endpoints in the system that the
| auth endpoint works under.
|
| So like, an authn/authz middleware ?
| cmgbhm wrote:
| This is actually a use-case I use for interviews.
|
| 1. Everyone tests authenticated user can do the right thing.
|
| 2. Can <wrong|expired> authenticated user access the data?
|
| 3. Can an unauthenticated user access data?
|
| If there's a testing framework that does this scaffolding
| automatically, I'd love to hear it.
| tmpz22 wrote:
| Holy shit why is this even a question?? You. Write. Tests.
|
| You build into your testing framework/library a mechanism that
| will craft sessions across your range of authentication-levels
| - unauthenticated (no-session), authenticated but unauthorized,
| etc. You mandate new endpoints must have permissions test in
| code review.
|
| Simple, straight forward, and absolutely the bare minimum of
| competency for any endpoint returning personal data.
| arp242 wrote:
| And then someone forgets to test that one thing for that one
| endpoint and no one notices ("mandate in code review" is not
| going to be fool-proof), or lines get crossed and they test
| the wrong thing.
|
| This kind of arrogance is exactly how these mistakes get
| made.
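The default-deny registry jmvoodoo describes, the single auth-first dispatcher kardianos sketches, and cmgbhm's three-case test (right user, wrong user, no session) run over every registered route, as one added example. This is editor-written illustration code, not code from any commenter, from Twilio or from any framework; the routes, the Access levels, the Request shape and the one 555 phone number are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data for the example; the number is a reserved 555 one.
PHONES = {"alice": "+15555550100"}


class Access(Enum):
    PUBLIC = "public"   # no session needed; the "dangerous" label that needs review
    OWNER = "owner"     # only the user the requested record belongs to
    ADMIN = "admin"     # users with the admin flag


@dataclass
class Request:
    path: str
    user: Optional[str] = None            # None means no session at all
    is_admin: bool = False
    resource_owner: Optional[str] = None  # who the requested record belongs to


# path -> (policy, handler). A policy of None means "registered but never
# annotated", and the dispatcher treats that as locked, so forgetting the
# annotation fails closed instead of open.
ROUTES: Dict[str, Tuple[Optional[Access], Callable[[Request], object]]] = {}


def endpoint(path: str, access: Optional[Access] = None):
    def register(fn):
        ROUTES[path] = (access, fn)
        return fn
    return register


def dispatch(req: Request) -> Tuple[int, object]:
    """Single entry point: the access decision is made here, from the
    registered policy, before any handler code runs."""
    entry = ROUTES.get(req.path)
    if entry is None:
        return 404, "no such route"
    policy, handler = entry
    if policy is None:
        return 403, "endpoint has no access policy"   # locked, even for admins
    if policy is Access.PUBLIC:
        return 200, handler(req)
    if req.user is None:
        return 401, "authentication required"
    if policy is Access.ADMIN and not req.is_admin:
        return 403, "admin only"
    if policy is Access.OWNER and req.user != req.resource_owner:
        return 403, "not the owner of this record"
    return 200, handler(req)


@endpoint("/health", access=Access.PUBLIC)
def health(req: Request):
    return "ok"


@endpoint("/me/phone", access=Access.OWNER)
def my_phone(req: Request):
    return {"user": req.user, "phone": PHONES[req.user]}


@endpoint("/admin/accounts", access=Access.ADMIN)
def all_accounts(req: Request):
    return sorted(PHONES)


@endpoint("/user/phone-number-validate")   # annotation forgotten: locked by default
def validate(req: Request):
    return {"registered": req.resource_owner in PHONES}


def audit(owner: str = "alice", attacker: str = "mallory") -> list:
    """Walk the whole route table, not just the endpoints someone remembered
    to test: probe each one with no session and with a valid session for the
    wrong user, and list every PUBLIC route so it gets the extra review step."""
    findings = []
    for path, (policy, _) in sorted(ROUTES.items()):
        if policy is Access.PUBLIC:
            findings.append((path, "PUBLIC: needs explicit review"))
            continue
        status, _ = dispatch(Request(path, resource_owner=owner))
        if status == 200:
            findings.append((path, "reachable with no session"))
        status, _ = dispatch(Request(path, user=attacker, resource_owner=owner))
        if status == 200:
            findings.append((path, "reachable by a non-owner"))
    return findings


if __name__ == "__main__":
    print(dispatch(Request("/me/phone", user="alice", resource_owner="alice")))
    print(dispatch(Request("/user/phone-number-validate", user="root", is_admin=True)))
    for finding in audit():
        print(finding)
```

Because every request passes through dispatch, a new handler cannot be reached until someone writes down its policy, and audit() runs the negative cases against whatever is in the table, which is the gap arp242 points at when a reviewer forgets to ask for the test.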
| tetha wrote:
| Mh, I'm probably comparing apples to oranges and such.
|
| But the last 2-3 times I set up config management, I made sure
| to configure the local firewalls as deny-all by default, except
| for some necessities, like SSH access. And then you provide
| some convenient way to poke the necessary holes into the
| firewall to make stuff work. Then you add reviews and/or
| linting to make sure no one just goes "everything is public to
| everyone".
|
| This way things are secure by default. No access - no security
| issues. And you have to make a decision to allow access to
| something. Given decent developers, this results in a pretty
| good minimum-privilege setup. And if you fuck up... in this day
| and age, it's better to hotfix too little access over losing
| all of your data imo.
| mdaniel wrote:
| > necessities, like SSH access.
|
| SSM for life. Fun fact, one can also register non-AWS assets
| as SSM targets, so I could imagine a world in which it makes
| sense to create an AWS account, wire up federated auth,
| _just_ to dispense with the hoopjumpery of SSH attack surface
| and Internet exposure
|
| The break-glass is always a consideration, so it's no panacea
| but I still hope one day the other clouds adopt the SSM
| protocol same as they did with S3Api
|
| I believe a lot of folks have had good experiences with
| Wireguard and similar, but thus far I haven't had hand-to-
| hand combat with it to comment. We use Teleport for its more
| fine-grained access and auditing, but I've had enough onoz
| with it to not _recommend_ it in the same way as SSM
| otachack wrote:
| As alternatives: I use Authenticator Pro on my phone and keep
| encrypted backups whenever I modify it. I know others have
| pointed out Aegis.
|
| The issue is starting the migration out of Authy. Assuming Authy
| has no easy export, I suggest you migrate over a few entries at a
| time (maybe from top down) while keeping account of transfers
| somehow. You can have authenticators live side by side in the
| meantime!
| cmgbhm wrote:
| You can rename them as they are migrated
| jmbwell wrote:
| iOS/iCloud has a built-in TOTP function also. Maybe better for
| friends and family than some people here.
|
| https://support.apple.com/guide/iphone/automatically-fill-in...
| delduca wrote:
| I have been using Apple's Passwords, it is great.
| blueelephanttea wrote:
| It's good. And the introduction of the Passwords app this fall
| will make it better.
|
| But it seems to me that Apple only supports adding TOTP codes
| if you have a password for the account. Which is annoying if
| you want to split your passwords and second factor into two
| different places. (For example if you wanted Bitwarden for
| passwords and TOTP/Passkeys in Apple.)
|
| You can of course put a dummy password in Apple. But that is
| kind of annoying.
| hypeatei wrote:
| I just migrated off of Authy last week but I was probably caught
| in this breach, ugh. Never liked it but they make it extremely
| difficult to export your data.
|
| I used this project for exporting:
| https://github.com/alexzorin/authy
|
| EDIT: it appears this project was actually using the
| unauthenticated endpoint (used in breach, too) to facilitate
| exporting, lol. Good luck to anyone trying to get off of Authy,
| Twilio really doesn't want you to export your data for "security"
| reasons.
| Zetaphor wrote:
| I also just recently left for Aegis and have been very happy. I
| feel much better knowing that my 2FA is completely offline
| teamspirit wrote:
| Right, I did the same a while back. Aegis for Android and
| 2FAS for iOS. Never looked back.
|
| Also, if anyone is going either direction, Android <-> iOS,
| both of these open source options allow easy export.
| lifeinthevoid wrote:
| 2FAS also exists for Android, is Aegis superior or you
| don't use 2FAS on Android for another reason?
| teamspirit wrote:
| Didn't realize it exists for Android. I use ios now but
| Aegis was great on Android.
| eviks wrote:
| Do they offer a device-to-device sync with the desktop? Or is
| it all gone if you lose your phone?
| NelsonMinar wrote:
| The lack of export in Authy is a really ugly choice they made.
| When I migrated to Aegis I used some hack that involved a
| desktop Electron app's javascript console. I wonder if that
| still works?
| hypeatei wrote:
| They don't offer Authy Desktop anymore officially and you
| need a specific version. Not sure if the hack still works if
| you have it installed.
| Yhippa wrote:
| What did you end up moving to?
| hypeatei wrote:
| Storing 2FA in Bitwarden (my password manager) and Aegis as a
| fallback. Also making offline backups of each periodically.
| mort96 wrote:
| Doesn't Bitwarden require you to be on the paid
| subscription plan to use 2FA? That's what I concluded
| anyway from trying to research this garbage when Microsoft
| was threatening to lock me out of my Github account. It's
| why I ended up on Authy.
| hypeatei wrote:
| > Doesn't Bitwarden require you to be on the paid
| subscription plan to use 2FA?
|
| I believe they do, yes. Been on the $10/year plan and
| have forgotten the details on their tiers, though.
|
| > It's why I ended up on Authy.
|
| All 2FA really boils down to is an "otpauth://totp" URL
| that clients use to generate time based tokens. Once you
| have those exported somewhere, you can move to any TOTP
| app you want (desktop or mobile)
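What an otpauth:// line actually contains, and how a client turns it into the six digits, as an added example covering both the one-URI-per-line import slightwinder describes earlier in the thread and the "otpauth://totp URL" point just above. This is editor-written code, not from the exporter project, from Aegis or from any commenter; it parses the URI fields (RFC 6238 and the de-facto otpauth parameters) and computes the code from scratch. The three-line sample export is constructed, and its secret is the RFC 6238 test key, not anyone's credential.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample export, one entry per line. The secret is the RFC 6238
# test key ("12345678901234567890" in base32); the hotp line shows how an
# entry this code does not handle is reported rather than silently skipped.
SAMPLE_EXPORT = """\
otpauth://totp/GitHub:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub
otpauth://totp/Example%20Bank:alice%40example.org?secret=gezdgnbvgy3tqojqgezdgnbvgy3tqojq&digits=8&period=60
otpauth://hotp/Legacy:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0
"""


def decode_base32_secret(secret: str) -> bytes:
    """Exports disagree about case, spaces and '=' padding; normalise all
    three so a valid secret is never rejected on import."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth(uri: str) -> dict:
    """Parse one otpauth://totp/... URI. Anything not understood raises
    ValueError instead of quietly producing a wrong code later."""
    u = urlparse(uri.strip())
    if u.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    if u.netloc != "totp":
        raise ValueError(f"unsupported type {u.netloc!r}; only totp is handled here")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("missing secret parameter")
    # The label is "Issuer:account", URL-encoded; an issuer= parameter wins.
    label_issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    params = {
        "issuer": q.get("issuer", [label_issuer])[0],
        "account": account.strip(),
        "secret": decode_base32_secret(q["secret"][0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }
    if params["algorithm"] not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm {params['algorithm']}")
    if params["digits"] not in (6, 7, 8) or params["period"] <= 0:
        raise ValueError("digits must be 6-8 and period positive")
    return params


def totp(secret: bytes, at: Optional[float] = None, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HMAC over the big-endian time-step counter, dynamic
    truncation from RFC 4226 section 5.3, then the low `digits` decimal digits."""
    counter = int((time.time() if at is None else at) // period)
    digest = hmac.new(secret, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def codes_from_export(text: str, at: Optional[float] = None) -> list:
    """Walk an export line by line. Entries that fail to parse come back with
    an 'error' key, so a migration can be reconciled entry by entry against
    the old app rather than losing tokens silently."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            p = parse_otpauth(line)
            out.append({"issuer": p["issuer"], "account": p["account"],
                        "code": totp(p["secret"], at, p["algorithm"],
                                     p["digits"], p["period"])})
        except ValueError as e:
            out.append({"line": line, "error": str(e)})
    return out


if __name__ == "__main__":
    for entry in codes_from_export(SAMPLE_EXPORT):
        print(entry)
```

The useful check when moving between apps is the one tamimio describes: generate a code from the new store and confirm it against the service, or, offline, against the RFC 6238 vectors (the test key at T=59 gives 94287082 with eight digits), before deleting the old copy.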
| pnw wrote:
| Has anyone found a single open-source app that supports both
| mobile and desktop though? That was the attraction of Authy
| before they killed their desktop apps.
| hypeatei wrote:
| Most password managers support it and offer mobile + desktop
| clients.
| EVa5I7bHFq9mnYK wrote:
| The desktop version somewhat contradicts the purpose of 2FA.
| hypeatei wrote:
| Not really, 2FA is literally just that: a second factor.
|
| It makes it unlikely someone has access to both your
| password and the TOTP URI. So, if you leak your password on
| a public forum (for example), the person who gets that is
| not likely to also have your TOTP info.
| mort96 wrote:
| Good thing that 2fa is entirely unnecessary.
| mewpmewp2 wrote:
| In this case what if you use 2FA while browsing with your
| phone. Wouldn't that also contradict the purpose?
|
| The main purpose is that people won't get phished as easily
| or if they reuse passwords it can't be abused. Or if
| password was to leak for any reason.
| aPoCoMiLogin wrote:
| I've switched to KeePass right after the first breach. It's not
| convenient to store the db on e.g. gdrive and sometimes it
| doesn't work, but that is way better than another SaaS app
| that will eventually leak my passwords/2fa codes.
| nsajko wrote:
| Why do you need it to be a _single_ app?
| smaddox wrote:
| No wonder I've seen such a major spike in spam calls / texts.
| 29athrowaway wrote:
| > due to an unauthenticated endpoint.
|
| This is truly unacceptable for an authentication product.
|
| An authentication product that doesn't implement authentication
| correctly in their own APIs?
| flutas wrote:
| IMO: I'm pretty sure this is less of an auth issue than it is
| a rate limiting issue.
|
| I haven't been able to find anything about the endpoint, but
| based on the data exposed[0] I think the endpoint they are
| talking about is the register one which requires a phone
| number.
|
| I'd bet they didn't rate limit it, and someone just blasted
| through all phone numbers with it and stored the data for ones
| that didn't error out.
|
| [0]
|
| The CSV data columns:
|
| account_id
|
| phone_number
|
| device_lock
|
| account_status
|
| device_count
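flutas's hypothesis above (an endpoint walked across the phone-number space) is what a defender would look for in gateway logs. The following is an added example, not Twilio's code or anything from the thread: it runs a sliding-window distinct-target check over constructed log lines for a hypothetical /api/register endpoint and flags the client that queried far more numbers than any real user would. The log format and the endpoint path are assumptions; adapt the regex to your gateway.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format for this example; real gateways differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"phone=(?P<phone>\S+) status=(?P<status>\d{3})$"
)
WATCHED_PATH = "/api/register"  # hypothetical phone-number lookup endpoint


def parse_line(line):
    """Turn one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["status"] = int(ev["status"])
    return ev


class EnumerationDetector:
    """Flag clients that query many *distinct* phone numbers in a short window.

    A legitimate user registers one or two numbers and may retry the same
    one; a scraper walking the number space touches hundreds. Distinct-target
    cardinality per client is the signal, regardless of the status codes.
    """

    def __init__(self, window=timedelta(minutes=5), max_distinct=20):
        self.window = window
        self.max_distinct = max_distinct
        self.recent = defaultdict(deque)  # ip -> deque of (ts, phone)
        self.alerted = set()

    def observe(self, ev):
        if ev is None or ev["path"] != WATCHED_PATH:
            return None
        ip = ev["ip"]
        dq = self.recent[ip]
        dq.append((ev["ts"], ev["phone"]))
        while dq and ev["ts"] - dq[0][0] > self.window:
            dq.popleft()  # drop events that fell out of the sliding window
        distinct = {phone for _, phone in dq}
        if len(distinct) > self.max_distinct and ip not in self.alerted:
            self.alerted.add(ip)
            return {"ip": ip, "distinct_numbers": len(distinct), "since": dq[0][0]}
        return None


def scan(lines, **kwargs):
    """Feed log lines through a detector and collect the alerts it raises."""
    det = EnumerationDetector(**kwargs)
    alerts = []
    for line in lines:
        alert = det.observe(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


def fmt(ts, ip, phone, status):
    return (f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {ip} POST {WATCHED_PATH} "
            f"phone={phone} status={status}")


def constructed_log():
    """Constructed sample: one scraper plus two ordinary clients."""
    base = datetime(2024, 6, 30, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Ordinary client: registers one number, retries once after a 5xx.
    lines.append(fmt(base, "198.51.100.7", "+15550100777", 503))
    lines.append(fmt(base + timedelta(seconds=4), "198.51.100.7", "+15550100777", 200))
    # Scraper: walks sequential numbers, one request per second; the mix of
    # 200 and 404 responses is the oracle that tells it which numbers exist.
    for i in range(40):
        status = 200 if i % 3 == 0 else 404
        lines.append(fmt(base + timedelta(seconds=i), "203.0.113.5",
                         f"+1555010{i:04d}", status))
    lines.append(fmt(base + timedelta(seconds=50), "192.0.2.9", "+15550100999", 200))
    return lines


if __name__ == "__main__":
    for a in scan(constructed_log()):
        print(f"{a['ip']}: {a['distinct_numbers']} distinct numbers since {a['since']}")
```

The check complements per-client rate limiting rather than replacing it: a slow scraper stays under any per-second limit but still accumulates distinct targets, and a uniform response for known and unknown numbers removes the oracle entirely.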
| 29athrowaway wrote:
| So it's wardialing via the API then.
| ilrwbwrkhv wrote:
| Jesus fucking Christ. Can these companies learn how to write
| software? Quality is dropping like dogs. Twilio used to be a good
| company and now they are utter shite. Such a shame. Leetcode and
| bad hiring practices have done this to our industry.
| sethammons wrote:
| Neither bad hiring nor leet code is a problem with Twilio
| properties in my experience. Quality however, that gets
| railroaded by "deliverables" -- the problem is craftsmanship is
| hard to maintain and manage as companies scale while priority
| shifts to product announcements.
| ilrwbwrkhv wrote:
| There needs to be penalties. Massive penalties for breaches
| like this. That is the real problem. Nothing will happen to
| Twilio even though they caused such loss. They need to suffer
| economically for this, then quality will improve.
| Zambyte wrote:
| It seems much easier to pin the ever-decreasing quality of
| software on the practice of trying to keep everything secret
| (proprietary). Like, obviously it's not secure if they don't let
| people audit it...
| cageface wrote:
| Agile practices and the elimination of proper QA are also part
| of the problem.
| okokwhatever wrote:
| I still remember how hard the process to be hired in this
| company was. Maybe just a mask to hide the sad truth.
| delduca wrote:
| I never trusted them, I hated the fact of having to use SMS.
| ndneighbor wrote:
| I guess this explains the recent uptick in spam...
| pembrook wrote:
| While this sucks, my phone is in so many data breaches at this
| point it doesn't matter.
|
| The spam-to-ham ratio on my phone number is now far worse than
| any other channel for me. The traditional phone network is at
| risk of going the way of the fax machine if we don't do something
| about the spam problem like we did with email.
|
| If I'm on a call, even with family, it's now almost exclusively
| on FaceTime/zoom/meet/etc. I can't remember the last time I
| talked on the traditional phone network or received a legitimate
| call. Which isn't great because those aforementioned platforms
| are all proprietary walled gardens with terrible incentives --
| once they capture the market fully they will eventually dump ads
| all over your calls. Don't believe me? Just look at what Gmail
| did to monetize the lock-in on your inbox.
| cjbgkagh wrote:
| I think that is intentional, AFAIK phone communication is more
| protected than other types so allowing spam to continue
| unabated is in the government's interest. Outsourcing the
| harassment to 3rd parties, similar to how prison torture is
| outsourced to the inmates. The government could fix these
| things but would rather not.
| darby_nine wrote:
| I think we just don't have very much competition in
| telecommunications so things never get fixed. Why bother?
| It's easier to extract rent off largely the same offerings as
| the rest of your market (difficult to understand pricing
| tiers that function as a congestion tax more than a
| transaction, often region-specific monopolies or duopolies,
| indistinguishable quality of service) and bring home large
| profits, market efficiency damned.
|
| Yes, I'm exaggerating. No, it's not by much.
| cjbgkagh wrote:
| Almost no-one is pro-spam, it's pretty much universally
| hated, and in many cases it's already illegal so it's more
| of a matter of enforcement. It is also trivial to detect.
|
| Sure there probably is some regulatory capture but if
| anything at all can be regulated it's spam calls /
| messages. If the government can't regulate spam then what
| could it be expected to regulate?
|
| The general population is increasingly worried about scam
| calls for their elderly relatives, it's already a big deal.
| ToucanLoucan wrote:
| > Almost no-one is pro-spam
|
| In fact there are really only two groups that are pro-
| spam: spammers, obviously, and the entities that provide
| them services from which they may spam.
|
| Oh sure basically any provider of any service be it
| phone, web hosting, email, etc. will _say_ they don't
| want spammers, and the email providers _may actually mean
| it_ what with them not wanting their server's scores
| trashed and be unable to get email to anyone (though
| plenty others don't give a shit), but website hosts,
| telephone companies, and SMS providers? They utterly do
| not care and in fact go out of their way to not know when
| spammers are (mis)using their services.
|
| Meanwhile like that other commenter said, everyone is
| incentivized to enter walled garden services that
| actually do the barest minimum of enforcement for spam
| activity. I doubt they're conspiring in a dark room
| somewhere, but neither side is going to get upset at the
| other in that situation.
| cjbgkagh wrote:
| Hence my other example of the inability to police prisons
| enough to prevent abuse, I didn't allege an explicit
| scheming but a happy little accident. Allowing a problem
| to fester when it benefits you is totally normal and
| expected behavior. But if there is a role for government
| at all it would be to regulate such dysfunctions.
| iudqnolq wrote:
| Not quite. For example politicians benefit from being
| able to solicit donations over mass text.
| shiroiushi wrote:
| >If the government can't regulate spam then what could it
| be expected to regulate.
|
| The (US) government does an excellent job of regulating
| many things, such as commercial airplane design and
| construction. Oh wait...
| treflop wrote:
| Email is easier to mitigate spam with. The whole body of
| the message is given upfront.
| varjag wrote:
| It's easy now. It was an unsolved problem two decades
| ago.
|
| And it's not like there's no technical means for the
| phones either. Just enforcing caller ID would go a long
| way to curtail spam. Like in our great Red Tape Europe,
| even with uptick in recent years we have a tiny fraction
| of spam calls compared to the United States.
| SoftTalker wrote:
| I make and receive regular phone calls all the time. However I
| only answer those that are from numbers I have in my address
| book. I do the same with text messages, I have my default view
| set to "Known Senders" so I'm not even really aware of others.
| If I'm expecting an unknown sender message, such as a TFA code,
| it's easy enough to just look in "Unknown Senders" for it.
| Ghexor wrote:
| How convenient for the data collecting companies that so
| generously sponsor the new & free services, that our
| democratically controlled communication infrastructure loses
| in value.
| TeMPOraL wrote:
| Advertising is a cancer on modern society. It will
| metastasize to any new communications medium, public or
| private, and destroy it from within. People will switch to a
| new medium that offers less spam, but advertisers quickly
| follow to strip-mine the new channel. A cycle of life, so to
| speak.
| lovethevoid wrote:
| It's also so annoyingly circular. We spend money to get more
| clients but this stops being effective at a certain point
| so now you're just spending money to advertise for the sake
| of it or the status, and could even be losing money by
| doing so.
| _heimdall wrote:
| In my experience, the fear of missing out is a big driver
| for companies to continue to throw good money after bad
| in marketing. Maybe Facebook ads aren't driving as much
| traffic to your company as it used to, _but_ if you give
| it up and all your competitors still use it it's pretty
| understandable to worry about falling behind the market.
| pembrook wrote:
| I don't have a problem with advertising generally, as long
| as I know upfront that's what funds a tool I'm using, and
| isn't disguised like a non-ad (eg. Unlike what Google does,
| which is outright deception). Advertising and spam are two
| separate things in my book.
|
| However, my real problem is with what I call "The Google
| Strategy." Basically, they take publicly funded
| infrastructure like HTTP and SMTP, capture the network by
| dumping "free" products on the market (with basically no
| advertising), kill off competitors, then monetize their
| market capture by removing the "free" part, packing these
| products with ads, making them worse and worse over time in
| the process. And everyone is trapped, since they captured
| the network of this public infrastructure. This is the
| story of Google Search, Gmail, YouTube, etc.
|
| It's anti-competitive, anti-markets, and quite frankly
| should have been regulated away as a strategy a long time
| ago.
|
| Google basically ran Microsoft's classic anti-competitive
| B2B strategy to capture the consumer internet, and got away
| with it!
| mort96 wrote:
| > I don't have a problem with advertising generally
|
| You should, honestly.
| jhonkola wrote:
| This process has a descriptive name, enshittification
| (https://en.wikipedia.org/wiki/Enshittification), and it
| seems to apply to most internet services.
| pembrook wrote:
| That might be the trendy term for it now, but the
| strategy is as old as time.
|
| In old school economic terms it's called "dumping." When
| international trade started becoming a major thing,
| aspiring monopolists would flood foreign markets with
| goods sold below-cost to push out local competitors, then
| ratchet up prices and reduce quality once they'd captured
| the market (basically the Google strategy).
|
| Just like crypto people had to learn that financial
| regulation was in place for a reason, internet people
| have had to learn that industrial age anti-trust rules
| were also put in place for a reason. Now we just need to
| enforce them.
| kelnos wrote:
| Agreed. Advertising is psychological manipulation. I would
| be happy if all forms of it were just outlawed.
| AnthonyMouse wrote:
| "Our democratically controlled communication infrastructure"
| honestly deserves to be deprecated and replaced with some
| kind of federated voice system that comes out of the IETF
| instead of the telcos. What kind of antediluvian nonsense
| doesn't use end-to-end encryption in 2024?
| _heimdall wrote:
| AT&T has a long history with three letter agencies. If they
| ever did implement e2e encryption it would certainly come
| with backdoors that make it e2e only by name.
| AnthonyMouse wrote:
| All the more reason to have the IETF do it and leave AT&T
| out of it.
|
| Any modern system is going to use IP as a transport. Even
| the traditional phone network is VoIP under the hood in
| modern networks. The replacement system should be kept as
| far from the influence of the last mile providers as
| possible.
|
| The thing that _definitely_ shouldn't happen is that you
| get your phone number from them. Let it be "user@host"
| like email or otherwise assigned via DNS.
| _heimdall wrote:
| Is our communication infrastructure democratically
| controlled? At least in the US, we may have federal
| regulators but isn't the infrastructure still owned by a few
| massive telecoms corporations?
| bonestamp2 wrote:
| > I can't remember the last time I talked on the traditional
| phone network or received a legitimate call
|
| Doctors and dentists.
|
| Most of the calls I get are spam, but then the MOST important
| calls I get are from doctors, labs, and dentists. I do as much
| as possible online of course, but not all of these
| professionals have good online systems and phone calls are
| often required.
|
| Sometimes you know what number they're going to be calling from
| ahead of time, but often you don't... especially if you're in a
| large medical network that has different offices for different
| specialists, etc. It's a really sad situation if you get sick
| and you're trying not to miss these important calls, especially
| when it's a long wait for a specialist and then you miss their
| call when they get to your name on the waiting list.
|
| This will literally cost some people their lives and
| legislators need to act on making spoof calls impossible --
| there's no reason why anyone should be allowed to spoof a
| number that they can't receive calls at.
| tmpz22 wrote:
| > I can't remember the last time I talked on the traditional
| phone network or received a legitimate call
|
| Social services are another example. Many services are
| county-administered and thus don't have a centralized online
| platform. As always our most vulnerable populations suffer
| the most from techno-greed. Not the families of software
| engineers who built the system.
| thephyber wrote:
| I recently had to help my father organize his medical visits.
|
| Dealing with his healthcare providers was a bit of a pain,
| but it was _way_ worse because he has stopped answering
| calls, primarily because of the call spam rate. I think
| because he owns his own business, he never fails to hand out
| his contact info when he is shopping, and he owns his own
| business (so his contact info is published by the city).
|
| His phone provider has a feature to opt into spam filtering,
| his phone has another, and I downloaded a spam list filtering
| app for him. I disabled the ringer for numbers not in his
| contact list. I did similar actions to reduce spam in his
| text messages.
|
| This was a good triage, but the damage is already done to his
| psyche. He doesn't answer the phone anymore.
| codersfocus wrote:
| Why not get a second sim? Most phones can have 2 sims
| active, and a phone / text only plan is dirt cheap
| (3-6$/m).
|
| Offer the second number with much greater discretion.
| qingcharles wrote:
| From experience it seems to be semi-random.
|
| I've never had a single spam call on my main phone
| number, but friends who have got a new number get maybe
| 20 spam calls per day, with only having given their
| number to their closest friends and family.
|
| I think one factor that weighs in heavily is if your
| contacts download thousands of spam apps onto their
| phones and click YES to every permission. Then your phone
| number is harvested from your contact's phone and sold.
| TikTok, for instance, will beg me multiple times on a
| frequent basis to see my contacts. I don't think you can
| even install WhatsApp without giving it your entire phone
| book, can you?
| toast0 wrote:
| I don't know about most phones supporting that, probably
| depends on the market.
|
| But best I can tell, 80% of my spam calls are just war
| dialing; a new number would get war dialed just as much.
| Probably wouldn't get collections calls for my deadbeat
| cousin though.
| paranoidrobot wrote:
| Physical dual-SIM support is very market based (Popular
| in Asia).
|
| I believe most reasonably modern phones should support at
| least one active eSIM in addition to the physical SIM
| now.
| doubled112 wrote:
| That's the worst! I had a collection agency keep calling
| consistently for a particular family member.
|
| I got fed up, told the caller that I hadn't seen her in
| years and she could be dead in a ditch for all I knew,
| then asked if he could call me if he got a hold of her.
|
| They never called again.
| WarOnPrivacy wrote:
| > a new number would get war dialed just as much.
|
| I switched to low population area codes and that helped a
| lot. Currently getting 0-3/mo.
|
| 308 is low pop.
| https://en.wikipedia.org/wiki/Area_code_308
| _heimdall wrote:
| I do basically this with a subscription to MySudo. I
| always get funny looks when giving out a number, living
| in a small town people are surprised when it isn't one of
| the two or three area codes around here.
|
| It works like a charm though. I have three tiers of
| numbers - one that I'll keep and goes to only friends and
| family, one that I will likely keep for a couple years
| until it starts getting too much spam, and a third tier
| that I cycle regularly and use for one off things like
| online orders.
| chx wrote:
| Distant area code SIMs do wonders.
|
| I was still living in Vancouver, Canada when I learned
| maybe six or so years ago AT&T has removed all roaming
| restrictions in North America. So a few of us banded
| together, one of us crossed over to New York picked up a
| group subscription of sorts and we had very cheap
| subscriptions. Only in the last 1-2 years did Canadian
| providers catch up, somewhat.
|
| But the real advantage was if anyone called from a
| "local" number, local to my SIM at least, I immediately
| knew it was spam. I do not know anyone in Buffalo, I do
| not do business in Buffalo, there's no authority which
| has anything to do with me there, nothing. It's spam.
| bonestamp2 wrote:
| Reminds me of my parents... they live close enough to the
| US border that they just have a US cell phone plan. The
| plan is $50/mo/line USD and includes unlimited
| data/calling/text in Canada/US/Mexico. But because they
| live so close they're not actually roaming most of the
| time, and they're snow birds so they're in the US half
| the year anyway. They found the same thing as you... any
| calls from the same area code as their phone numbers were
| definitely not for them since it was somewhere very far
| away and they don't have any business there.
| kelnos wrote:
| That doesn't always work. A lot of phone numbers out
| there are "dirty": they are on various marketing lists
| and will get spam calls and texts.
|
| Some carriers do try to keep excessively dirty numbers
| inactive for a while after a customer cancels a plan and
| returns the number, in the hopes that the spam will fall
| off after too many "this number is disconnected"
| responses.
|
| But sometimes they don't bother, and sometimes it just
| doesn't help all that much, because spammers are just
| running through the phone number space.
|
| This is a long way of saying that even getting a new
| number doesn't always work. The number you end up with
| might already be inundated with spam.
| OkGoDoIt wrote:
| Because the new Sim card is going to be assigned a phone
| number that's been used by someone else in the past and
| will get even more spam. That's been my experience on
| several new phone numbers I've gotten over the last few
| years.
| AdamJacobMuller wrote:
| I haven't answered my phone for anyone not in my VIP list
| in a year or two.
|
| I can see when someone is calling and in realtime see them
| leaving a voicemail via speech-to-text and pick up the call
| if I want but 99.999% of the time it's spam.
| orev wrote:
| The topic of this subthread is exactly that one cannot
| rely on the contact list method because doctors may call
| from any unknown number. Maybe you haven't had to deal
| with that (yet), but once you do you'll realize that your
| method doesn't work for that.
| brewdad wrote:
| Same with home repair contractors. The person coming over
| to do the work is unlikely to call from the same number
| the business hands out that rings an office manager or
| the owner. Same goes for the person calling me back with
| an estimate I requested.
| tracker1 wrote:
| For contractors, this is where SMS tends to come in a lot
| as they'll usually text if they cannot get a voice call
| through, which helps.
|
| For doctors offices, it's a whole different bag and a
| true pain... you'll get voicemails with half a message
| that has none of the important details.
| A4ET8a8uTh0 wrote:
| Which app did you use (I seem to have a similar issue with
| my other parent)?
| AuryGlenz wrote:
| I have a business with a published phone number and I
| probably get 20 spam calls a day, at least half of which
| leave "voicemails," some of which are just really loud high
| pitched noises for whatever reason.
|
| It's absolutely ridiculous. I wish I would have used a
| different number than my personal one back when I had
| started.
| webninja wrote:
| If our government can't protect us from spam calls, how
| can they protect us from anything else?
| shiroiushi wrote:
| >I probably get 20 spam calls a day, at least half of
| which leave "voicemails," some of which are just really
| loud high pitched noises for whatever reason.
|
| That sounds like fax spam.
| TheNewsIsHere wrote:
| Depending on his age the business may be a red herring.
|
| Shady outbound call based operations purchase, trade, and
| mine data all day long. You can have Equifax directly sell
| you reams of demographic specific contact information. God
| help anyone who ordered from a catalog.
|
| My grandparents received easily 30 scam/spam calls a day.
| Mostly from Medicare scammers and sketchy organizations
| that operate right at the edge of illegality. Not even
| counting the outright fraudulent "Microsoft Support" scams.
| unshavedyak wrote:
| Getting a new, out of state number can sometimes help.
|
| My phone is out of state due to my previous address, and 95%
| of spam i get is spoofed to that old town or the surrounding
| area.
|
| No doctor's office/etc calls me from that area. It works
| pretty nicely.
| alister wrote:
| > _Getting a new, out of state number_
|
| The problem with that idea is that when you make _local_
| calls, people think that _you_ are the spammer.
|
| I too have an out-of-state number after having moved, and I
| can definitely confirm that when I make a local call, some
| people will not pick up after seeing the unusual area code
| on their caller ID. They told me so.
|
| There's another problem too: Even when I leave voicemail
| for a local business (plumber, dentist, replying to a "for
| sale" ad), some people will be thinking, Why does this guy
| need a plumber or want to buy my kayak if they live 1500
| miles away?
|
| I've resorted to leaving an explanation saying "Even though
| my area code is XYZ, I'm in the same city as you".
| basil-rash wrote:
| > Even though my area code is XYZ, I'm in the same city
| as you
|
| The area code wouldn't be a red flag for me, but this
| absolutely would.
| Sanzig wrote:
| I moved from British Columbia (250 area code) to the
| Montreal suburbs (450 area code). The one digit
| difference was a huge issue: the number of times
| businesses and government agencies would helpfully
| "correct" my phone number when I gave it to them or when
| they tried to call it meant I missed a substantial number
| of important phone calls. I get it, my French isn't the
| greatest and I have a thick Anglo accent, but "deux cinq
| zero" sounds very different from "quatre cinq zero."
| Eventually I just gave up and got a local number (I
| ported my old one to VOIP.ms and forwarded it so I
| wouldn't miss calls).
| chefandy wrote:
| Wow that seems crazy to me. I grew up in the northeastern
| US where even 3 decades ago, before a large expansion, we
| had 7 area codes within an hour drive. It would be
| bizarre to make such an assumption about someone, even
| then. When I lived in Boston, there were tons. Eastern
| Massachusetts alone has 339, 351, 508, 617, 774, 781,
| 857, and 978 as local area codes.
| MathMonkeyMan wrote:
| Almost all of the spam calls I receive have the same area
| code as my phone, which is in a different state from
| where I currently live.
|
| These people who don't pick up for an unusual area code:
| don't they know that spammers are more likely to call
| from a "usual" area code? Am I mistaken?
| bonestamp2 wrote:
| Exactly, and not just the same area code, the spammers
| often have the same prefix as my phone number too... so
| it looks like someone "just around the corner".
| ranger_danger wrote:
| > I can't remember the last time I talked on the traditional
| phone network or received a legitimate call
|
| I think a whole lot more people still make regular phone
| calls than the ones who don't. Anyone who runs a business for
| example is usually on the phone ALL the time.
| deepGem wrote:
| It's high time someone disrupted the damn desk phone network
| of these hospitals. It's definitely not a technical hurdle in
| 2024. All calls go on the data network. You route your calls
| out of the main router and any call that gets routed in such
| a manner will have the ID of the router. Tag the router id to
| the hospital or hotel and be done with it.
|
| Is it not this simple? With dual SIMs any phone can serve 2
| lines so employees officially switch to the hospital e-sim
| within the hospital premises.
| bonestamp2 wrote:
| Or maybe telecommunications in general need disruption.
| Instead of having a number that anyone in the world can
| call, I should provide an abstract identity to a contact.
| When I approve that entity to contact me, and they get a
| unique identifier that only their identity can use to
| contact me, I decide how important their calls are to me:
|
| 1. Phone rings no matter what (doctors and other high
| profile contacts that I do not want to miss a call from)
|
| 2. Phone rings unless sleep mode active (family/friends). A
| second call within 3 minutes rings through in case of
| emergency.
|
| 3. Call goes straight to pre-recorded message (generic or
| unique to that identity) that tells them to text me their
| message/request (or when AI gets good enough, and it
| doesn't seem like it's there yet for all accents, it
| transcribes their voicemail message).
|
| 4. Caller can leave a message but it is completely ignored
| by me and I don't know they left a message unless I go and
| check my spam folder.
|
| I can change the call handling of any identity at any time,
| and there should also be an email and text message layer on
| top of this system so the same rules apply and I choose who
| can contact me with those methods as well.
| Tepix wrote:
| It's an american problem. Spam calls aren't a big issue in
| Germany.
|
| Complain to your government.
| deepGem wrote:
| It's a huge problem in India. 10 times worse than US.
| gryn wrote:
| Not sure, I get them in France at the very least twice a
| week. Other people I know complain about the same thing.
|
| I settled on never answering my phone if not in my
| contact list, if the caller is not a spammer they leave a
| voicemail.
| Tainnor wrote:
| I never get spam calls, but I do get a lot of spam SMS
| messages - also in Germany. (They're almost always fake
| 2FA activation messages from some bank I'm not a customer
| of)
| sneak wrote:
| I have a dedicated phone I use solely for healthcare.
|
| The number in my main phone changes every 90 days.
| WarOnPrivacy wrote:
| > The number in my main phone changes every 90 days.
|
| I get a new starter SIM every month.
| paradite wrote:
| Where I live, they moved to Whatsapp (dentist) and dedicated
| app (public hospitals) for messaging and notification.
| maxwell wrote:
| Doctors and dentists are shifting to apps with integrated
| VoIP calls and dropping PSTN.
| deepsun wrote:
| And I really like that. Instead of having to use some
| social network product just to receive my lab results.
|
| Or we may end up in a world when doctors send us important
| Tiktoks.
| SAI_Peregrinus wrote:
| My dentist texts me. My doctor uses MyChart, so I get
| notifications. Neither one calls me on the phone.
|
| Even if they do want to call, they all have to support deaf
| people using TTYs, and phones all support RTT (TTY to cell).
| There's no need to take voice calls from legitimate
| businesses in the US.
| DougN7 wrote:
| I've been impressed with my iPhone and/or carrier (AT&T in the
| US) for tagging incoming calls as spam or telemarketing. The
| phone does still ring but I know not to answer it.
| joe_the_user wrote:
| My phone number is from a different area code than I currently
| live in and I know no one from that area anymore. I can filter
| out 80% of spam just by ignoring calls from that area.
|
| I wind up using the phone because so many organizations
| malevolently misfeature their websites - doing what you want to
| (pay basic bill or whatever) is hard but upselling and new
| features, those you can do instantly.
| yread wrote:
| Is this like an American thing? I'm in the Netherlands and I
| get like 1 spam call per two months (business
| internet/electricity salesperson usually)
| xyst wrote:
| America doesn't have privacy laws that prevent robot spam.
| Repercussions for violating the SPAM Act are not prosecuted
| very often.
|
| Personally, the only "spam" I get is flagged by the cellular
| provider and 99% of the time the calls are silenced. Not
| really an issue for me. The only people that "call" me are in
| my contacts list anyways. Everyone else can leave a VM or
| text message.
| kalleboo wrote:
| It's also far, far cheaper to make calls to US mobiles than
| mobiles in any other developed country. Like call
| termination to an EU mobile is 10x+ than a US mobile.
| grardb wrote:
| Definitely. I'm American and I've lived in the Netherlands
| for the past three years. The difference is night and day.
|
| Whenever I visit, I switch to my US SIM card and am
| immediately bombarded with spam texts (mostly from political
| parties) and scam calls. In my experience, Android is pretty
| good at marking calls and texts as "potential scams," but
| they're still there. In the Netherlands, I've gotten a few
| scam attempts via WhatsApp. Other than that, I think I've
| received one phone call soliciting donations to the Red
| Cross, and nothing else.
| cordenr wrote:
| In Spain I get at least 4 or 5 calls a week from different
| providers.
|
| Luckily at the moment, there's still a delay after you answer
| the call as (I assume) you're being connected to a human. How
| long will this last....?
|
| Currently, when I don't hear a voice within 1s or so, I hang
| up. A legitimate caller will (hopefully) call back pretty
| quick.
| bozey07 wrote:
| The experience is pretty poor in Australia too. Texts are
| more common than calls, but the rate is roughly 1/day.
| xyst wrote:
| > Gmail did to monetize the lock-in on your inbox
|
| This is why I have my own mail server and domain. Full control
| over mail, and access to features that you pay for (ie,
| unlimited e-mail aliases, control over mailbox size). No more
| worrying about "google decided to shut your free account down
| for whatever reason." Bye bye decades of emails and loss to
| services that use email based OTP or magic link login.
| TacticalCoder wrote:
| > If I'm on a call, even with family, it's now almost
| exclusively on FaceTime/zoom/meet/etc.
|
| I really don't get that. I don't get these on either of my
| phones (I've got two numbers). When it rings, it's virtually
| always friends or family. Sometimes the bank/insurance/doctor.
| Very exceptionally do I get a commercial or scam call.
|
| I think it's not an argument good enough to excuse Authy
| here: _"my phone already leaked, so what's one more
| leak!?"_.
|
| > Which isn't great because those aforementioned platforms are
| all proprietary walled gardens with terrible incentives
|
| Oh I fully agree. I'm using Telegram for chat but zero
| FaceTime/meet/WhatsApp here. People want to call me, they
| usually phone me. Once in a rare while Telegram.
| iamtheworstdev wrote:
| i'm jealous of you. I recently had a day where I got 25 phone
| calls. 23 were spam. Turning on iOS "ignore unrecognized phone
| numbers" has been amazing (i assume android has the same
| feature)
| graemep wrote:
| Wow. I was wondering why people were fussing about the odd
| spam call! The most I have had is 2 in a day and my number
| is in websites, social media, whatever.
|
| Almost all spam is instantly recognisable. Mostly visa and
| parcel delivery scams.
|
| I do not block unknown numbers because lots of
| organisations use them here (UK). This includes people I
| really do want to be able to contact me if they want to,
| such as the police.
| kalleboo wrote:
| > _here (UK)_
|
| I think it's mostly just an issue in the US/North America
| katbyte wrote:
| I'm in Canada and get maybe a couple scam calls a month
| commodoreboxer wrote:
| Occasionally I'll get spam from numbers in my contacts. I
| got a virtual kidnapping call from my wife's number the
| other day, which would have been terrifying if she wasn't
| sitting right next to me.
| snailmailman wrote:
| I have 5+ spam calls every day. Looking at my call history
| it's been that way as far back as it lets me scroll. Blocking
| doesn't make a ton of difference, as it's almost always a
| different number.
|
| I don't understand what they are calling for either. I've
| answered a few and most of the time it's a dead line when I
| answer. Just silence.
| brewdad wrote:
| Those are usually robo dialers looking for active numbers
| to resell to spammers/scammers. You answering puts you on
| their good list. These are also the calls that never leave
| any type of voicemail. I'm not sure what list VM gets you
| on.
| RulerOf wrote:
| This sounds intuitive, but isn't true in my experience.
| It's a natural consequence of aggressive dialing with a
| limited pool of agents. See my sibling comment:
| https://news.ycombinator.com/item?id=40882163
| RulerOf wrote:
| > I don't understand what they are calling for either. I've
| answered a few and most of the time it's a dead line when I
| answer. Just silence.
|
| The primary operating goal of a predictive dialing system
| is minimizing agent downtime. Ideally, when an agent
| transitions into being ready to talk, they want as little
| time as possible before they're connected to a live lead.
|
| In above-board telemarketing, where there's a finite list
| of leads instead of 000-000-0000 through 999-999-9999, the
| administrator will adjust dialing aggressiveness to
| minimize the chance that a lead picks up the phone but no
| agent is available to take the call. Because when that
| happens, the answering party experiences nothing but dead
| air, followed by a timeout, and a hangup.
|
| The one nice consequence from this, though, is that if you
| _do_ answer a spam call and get connected to a live person,
| chances are very high that several other potential marks
| got dead air instead. Maybe you saved grandma for another
| day.
| Angostura wrote:
| Interesting. Here in the UK I get about 1 spam phone call a
| year.
| kccqzy wrote:
| > I can't remember the last time I talked on the traditional
| phone network or received a legitimate call
|
| Doctors, dentists, moving companies, home improvement
| contractors, recruiters, etc. These are some of the most
| important phone calls I've received in recent memory.
|
| I don't know what world you live in, but I religiously block
| phone numbers after just one spam call. And I usually don't
| give out my phone number. (I'm much happier giving out email
| addresses since I have an infinite supply of addresses.) I
| never get enough spam calls that I feel like the phone system
| is going the way of the fax machine.
| averageRoyalty wrote:
| Agreed. Phone calls are quite common in my circle. Spam calls
| have definitely risen in the last 10 years, but the ratio is
| nothing like the GP.
| 9cb14c1ec0 wrote:
| The solution to phone spam is voicemail transcription. Every
| call goes to voicemail, I get the transcription in a minute or
| two, and can call back if I want to.
| sebastiennight wrote:
| With the caveat that this now adds a third-party transcriber
| that logs the content of every single voicemail you get.
|
| Which will definitely end up in some data breach at some
| point.
| K0HAX wrote:
| The telephone companies make money based on minutes of usage.
| There is a very large financial incentive for the really big
| telcos to allow spam calls.
|
| Spam callers are likely the most lucrative customer of the
| telephone network for the telephone companies.
| ternaryoperator wrote:
| > The telephone companies make money based on minutes of
| usage.
|
| I don't see how that could be correct. Once you pay your
| monthly fee, the fewer minutes you tie up the company's
| resources the better for them. That's true too for pay-ahead
| plans.
| wasmitnetzen wrote:
| Your provider get paid by the caller's provider for taking
| the call, and the marginal costs of a phone call are close
| to zero.
| ranger_danger wrote:
| IMO The problem with data breaches is not the phone number
| being exposed, it's the other data around it that one can
| combine with other breaches to make full profiles of a person's
| comings and goings, their location/purchase history, their
| associations and preferences, etc.
|
| This is very valuable data to have, not only for advertisers,
| but also criminals and other bad actors.
|
| Also, the fact that nobody ever questions the authenticity of
| leaked data should be VERY alarming. Imagine what power someone
| can hold over someone with _manipulated_ leak data.
| brewdad wrote:
| Doesn't even have to be manipulated just incorrect. I share a
| rather uncommon name with at least two others within five
| years of my age. I get emails intended for either of them
| almost daily. One holds political views completely opposite
| my own. The other is rebuilding his life after a couple years
| in prison.
|
| I would rather not have my own life intertwined with either
| of them but undoubtedly it already is to some degree.
| bottled_poe wrote:
| Yet another reason the digital world is marching towards a
| closed-by-default model.
| paul7986 wrote:
| The phone network we once knew is useless in terms of answering
| or bothering with any calls or text from those not in your
| contacts. If you do .. you do so at your own risk!
| bad_user wrote:
| I'm a European and I get zero spam calls.
|
| I used to get a couple of cold calls per year for surveys, but
| I got unlisted via GDPR requests and now it's down to zero.
|
| Companies do try collecting your phone number, but then I
| answer NO to the obligatory "do you want the latest offers"
| question (in the EU, this is opt-in not opt-out). And it
| doesn't matter if my phone number leaks.
|
| This is similar to my email address use. I used to get emails
| from recruiters, but after a couple of replies informing them
| that whatever profile they have is illegal, with my email
| address not being public, asking them to delete it, the emails
| stopped. I still get spam, but it's mostly fraud and US
| companies. Fastmail's spam filters are good enough, BTW.
|
| My phone number works just fine, and the phone network is
| valuable given the better signal 2G can have, or the fact that
| not everyone is on the app du jour. And I find it odd when
| people call me on WhatsApp.
|
| I frequently see US folks criticising GDPR, so I'm guessing
| this is one of those "the US mind can't comprehend" moments.
| shiroiushi wrote:
| >And I find it odd when people call me on WhatsApp.
|
| Given that you're European, do you not have any
| friends/family outside your country, in neighboring EU
| countries? Wouldn't they have to pay high per-minute rates to
| call you?
| arkh wrote:
| https://mobile.free.fr/fiche-forfait-free
|
| Example from one provider: nope with 100 countries.
| Including the US, Canada, China etc.
| shiroiushi wrote:
| Looks expensive. What about the regular phone plans? For
| instance, the plan I use currently in Japan has high per-
| minute or per-SMS charges for international numbers. The
| trade-off, of course, is that it's dirt cheap as long as
| you don't call international numbers, and basically just
| use it for mobile data. In a place where everyone uses
| LINE for communication, this works well.
| usr1106 wrote:
| In Finland I see the opposite problem. Traditional
| calling is dead, so there is absolutely no competition on
| international calls.
|
| National calls and calls to nordic and Baltic countries
| are typically included in the subscription. But once you
| have to call to let's say central Europe per minute rates
| are exorbitant compared to today's data volume pricing.
| bad_user wrote:
| Inside the EU / EES we usually have minutes included.
|
| Right now my plan, with Orange, costs 7.5 EUR / month with
| unlimited 5G (for real), 16 GB of data when roaming,
| unlimited minutes when roaming in EU/EES, and 600
| international minutes in EU/EES. We do have great deals
| here, BTW, I'm sure it's more expensive in other EU
| countries.
|
| I'd have to upgrade for another 100 minutes with US /
| Canada, however, I have another plan from Digi that charges
| per minute but that's dirt cheap.
|
| I do have acquaintances from US with which I communicate
| primarily via WhatsApp, but I don't need it for my family
| within EU.
| sebastiennight wrote:
| Everything you mentioned is the beauty of the EU privacy laws
| (so far), however there is another negative externality you
| haven't planned for maybe.
|
| Giving your phone number out to all these services also means
| that it can be used as a single identifier to track you and
| your behavior across all those services.
|
| I'm not sure that GDPR is helping us a lot there.
| squigz wrote:
| > While this sucks, my phone is in so many data breaches at
| this point it doesn't matter.
|
| Yes, and this is the slope that we keep sliding down with these
| data breaches not being taken seriously. First it was your name
| and email. Now phone numbers. What's the next bit of our
| private info that we'll normalize leaking?
| hansvm wrote:
| Currently, any password from more than 6 months ago, names of
| all my acquaintances, photos of all my paystubs over the last
| 6yrs (thank you Equifax and dishonest HR platforms), ....
| Astounding amounts of misconduct are normalized. They're just
| not widely known yet.
| dapago wrote:
| I've found some success in curbing spam calls with the "Silence
| Unknown Callers" feature in iPhone. However this presents a few
| challenges. Mainly missing calls from delivery agents, whose
| number is obviously not in my iPhone contacts
| raxxorraxor wrote:
| I have never shared my phone number with any online service
| aside from my bank and I don't get any spam on my phone.
|
| I still don't recommend to do that and just toss those that
| demand your phone number away. Get a business phone if your
| work demands it.
| p51-remorse wrote:
| Easy trick: Every time you get a spam call, answer it. Talk to
| them until _they_ hang up. String them along. Put them on
| speakerphone and keep working. Feed them fake credit card
| numbers (there are generators out there that create numbers
| that checksum correctly, so they type them into whatever
| they're using to bill numbers. Hopefully this helps flag them
| as a bad actor to the processors, idk).
|
| It sounds like a lot of work, but when I started doing this
| about two years ago it took about two weeks for the calls to
| just... stop. Now I get a spam call maybe once a month. It's
| glorious.
|
| My theory is this is the only route to get put on the _real_
| do-not-call lists - the ones that spam companies in India have
| labelled "unprofitable numbers.txt". Seems like once you're on
| those, you're good.
|
| Every minute they're listening to you use them for rubber-duck
| debugging is a minute they're not scamming Granny out of her
| 401k. Be prepared to get called bad names in foreign languages.
| Bonus points if you learn some phrases in their language to
| really get under their skin.
| jollofricepeas wrote:
| This works.
|
| I started doing this as well.
|
| I mimic the Jolly Roger call service and they usually hang up
| in less than a minute.
|
| Ex...
|
| - Act like you can't hear them
|
| - Ask them to restart what they were saying
|
| - Start a conversation with a fictional person in the
| background
|
| It's fun and makes getting spam calls enjoyable.
|
| https://jollyrogertelephone.com/
| tracker1 wrote:
| Very similar here... same for my primary gmail address... the
| most annoying thing is the "credit monitoring" that comes with
| a few of my credit cards is all but worthless... I get constant
| notices that my "email is compromised" but absolutely no detail
| on how/where/what exactly is compromised, which is like saying,
| your email is public.
|
| While I do get a few regular phone calls a week, they're all in
| my contacts and I don't answer if the number isn't... at least
| 2/3 the time if I decide to answer as I'm expecting an out of
| band call, it's spam. On the flip side, I am wanting to setup
| for "your code is XXXXXX" as a verification on a personal
| website I'm working on to allow for public users. I know it
| doesn't add too much, but it's enough to reduce the noise. I'm
| not even sure what more hoops I need to jump through with
| Twilio to get to send said messages. I'm not a company, and not
| sending any kind of marketing campaign.
| knodi wrote:
| Really? I get nearly zero spam text maybe 1-2 per year, even
| voice calls now. I get maybe 1 per month now. I'm with US
| carrier TMobile and on iOS.
| gregcohn wrote:
| Anyone who has kids has to answer the phone from strangers
| routinely. School staff and camp counselors are routinely using
| their own cell phones these days to communicate with parents.
|
| Doing it the opposite way - tying all outbound school/camp
| calls to a single callerID - risks blending the important with
| the automated reminders. LAUSD abuses their automated calling
| system to the extent that my wife and I have both screened
| calls from the front office involving an injured child, more
| than once.
|
| The real issue here is getting to the root cause, which is
| carriers and their intermediary aggregators having incentives
| to carry large volumes of spam.
|
| In a number of markets, operators have increased the cost of
| SMS messages to deter spam, only to find a massive increase in
| traffic pumping fraud that mysteriously appears in the system
| of trusted intermediaries. Everyone's making a goddamn fortune
| off it, and no one actually cares to fix it.
| EasyMark wrote:
| I feel the same way. I get far too many "hey!" Or "Hello?"
| "What's up?" messages on my phone that never say another thing.
| Any family/friend of mine knows me well enough to try more than
| once to get my attention via messages, and 99% of them should
| probably be in my contact list already and I'll hear the beep.
| jonathanlydall wrote:
| When I tried SendGrid it was super annoying that I had to install
| yet another Authenticator app on my phone. Now it's become a
| point of data loss.
|
| It's bizarre to me that Twilio decided to get into the
| Authenticator business at all, especially while SendGrid had
| plenty enough problems to keep them busy.
| sethammons wrote:
| What are some of the SendGrid problems you're thinking about?
| deegles wrote:
| I have removed all SMS based 2FA from every account that allows
| it and you should too.
| yieldcrv wrote:
| and we should do product liability lawsuits on every service
| that only allows SMS based one time passwords, if they don't
| allow a client side only option
| mort96 wrote:
| Why? 2fa doesn't meaningfully add security if you're using
| decent passwords, and SMS-based 2fa is no less secure than no
| 2fa
| yieldcrv wrote:
| just because SMS is vulnerable to SS7 attacks
| selbyk wrote:
| I'm a bit confused how this is relevant. Authy is a OTP app,
| nothing to do with SMS.
| yieldcrv wrote:
| Authy uses SMS based recovery of your entire account, a
| weaker link than a single service using SMS based OTP
| ingatorp wrote:
| You can always disable multi-device, so it can act like a
| regular OTP auth app.
| yakito wrote:
| We should have something similar to Apple's hide my email for
| phone numbers
| al_borland wrote:
| We'd probably need dedicated country codes to handle the
| volume.
| moffkalast wrote:
| "Company who thought they'd lost all public trust loses last
| additional bit of trust they didn't even know they still had,
| more at 11."
| darkr wrote:
| This doesn't surprise me. I found an information exposure vuln on
| the user registration endpoint a while ago (given a phone number
| of an authy user who had previously registered via another
| customer, retrieve all other numbers/devices/timestamps, email
| addresses and other info for that user).
|
| It took them two years to fix it.
| rvnx wrote:
| > Twilio has detected that threat actors were able to identify
| data associated with Authy accounts, including phone numbers,
| due to an unauthenticated endpoint
|
| Isn't it what you are describing?
| darkr wrote:
| Based on the reports that I've read so far, this vuln was
| different to the one I found, which was on an authenticated
| endpoint.
|
| Definitely some similarities though, I'd love to see some
| concrete technical information on it.
| exabrial wrote:
| That app is so dumb. Completely negated the usefulness of TOTP.
| Needs just to die already. Some executive over at Twilio signed
| the check for Authy acquisition and is still trying to justify
| the expense.
| awahab92 wrote:
| what do people use instead of twilio today? they make 2dcp
| verifications take too long
| blackeyeblitzar wrote:
| What's a better 2FA product that is E2E encrypted and lets me
| export the seeds?
| godzillabrennus wrote:
| Authy is basically unsupported. Not surprised. I switched my
| accounts to 1Password when they announced the end of life of the
| macOS app.
| bonestamp2 wrote:
| That makes sense. In case it helps others... when they
| announced end of life of the mac app, that was because Apple
| Silicon macs can run the iOS version of Authy. So, if you have
| an M series mac then you can still use and get updates to
| authy.
| encom wrote:
| Authy is terrible. I recently tried to delete my account,
| because I've (finally) moved everything to Keepass, and they
| make it as difficult as possible. Then they make you wait 30
| days before they actually delete it, making sure to email you
| constantly in the mean time, to ask you to please reconsider.
| My 30 days expired a few days ago, so if they had actually
| deleted my account when I told them to, my info maybe wouldn't
| have been leaked.
|
| Dog shit company. Avoid.
| mort96 wrote:
| I chose Authy back in the day because that's what everyone was
| suggesting. I hate it. I hate the whole cyber"security"
| community.
| peblos wrote:
| > I hate the whole cyber"security" community.
|
| Why do you hate the whole community?
| mort96 wrote:
| Because it's them who have pushed so hard for this 2fa
| mess.
| bonestamp2 wrote:
| I recently set up a focus profile on my iPhone that only lets
| calls ring through from known contacts. There is going to be an
| adjustment period as I discover people and companies (such as
| doctors/hospitals) that I want to allow calls from and add them
| to the whitelist. But otherwise, it has been really nice to cut
| down on all of the interruptions.
| al_borland wrote:
| You can flip on the option in the settings to silence unknown
| callers. It does a decent job, and prevents a lot of the manual
| micro-managing. I will sometimes toggle it off if I'm expecting
| a call from an unknown number, but it will also pull numbers it
| sees in texts and email and known.
|
| I manually set this up several years ago, to only ring for
| contacts in my address book. It was annoying, but worked. At
| the same time, I submitted the feature request to Apple and it
| came to iOS about a year later.
|
| I found my calls have gone down dramatically since using it. I
| used to get 3-4 calls per day. Now, even if I have the feature
| toggled off, I might get a couple calls in a month. Once the
| number appears inactive, I think it drops off a lot of lists.
| gz5 wrote:
| consider* putting endpoints on a private overlay network in which
| network access is cryptography-gated (e.g. x.509 cert based).
|
| then, a misconfigured endpoint (or a zero day etc.) can't be
| exploited by any_actor_on_the_internet - actors need to first
| complete the provisioning process you choose to enforce to be
| authorized to use the private overlay.
|
| *not one size fits all, e.g. bad option if endpoints need to
| accept requests from unknowns.
|
| however, many endpoints only need to accept requests from known
| (identified, authenticated, authorized) endpoints, and the added
| friction to id/authN/authZ get use the private overlay is not a
| business impediment.
|
| there is a stigma here due to the horrors of NAC on private
| enterprise WANs. but NAC goals can be accomplished without that
| baggage via internet overlays and modern cryptography.
|
| to be clear, i am by no means advocating to abandon traditional
| methods of endpoint auth - this it is just another layer which
| recognizes that single layers are rarely airtight (e.g. what just
| happened to Authy and Twilio).
| hypeatei wrote:
| > many endpoints only need to accept requests from known
| (identified, authenticated, authorized) endpoints
|
| Do you mean clients for the last part? I'm not a networking
| expert but I don't see how layering on certs here is going to
| help?
| mihaaly wrote:
| And they wonder in random organizations and businesses that I am
| not willing to give all my personal details right away on first
| contact despite their 'utmost importance' of handling my data
| very securely, all this just to be informed about their product.
| And they seem to be offended with a "but we did it so for many
| years now" on my refusal and saying goodbye if they try to insist
| this "company policy".
|
| Unluckily sooo many give zero or negative fack among their
| potential and existing customers. This includes businesses
| providing medical services sending all the client's data and
| medical results in clear text email and even declaring for their
| own convenience that "The property and copyright or other
| intellectual property rights in the contents of any document or
| images provided to you shall remain our property", for your
| ultrasound results. Your medical results are their property for
| those who use their services. So they do as they please with
| their data, not your data, not your concern if it is protected or
| not.
| And people go there and rate this service 4.8 on google, insane.
| Of course no-one really reads TOC, not even for sensitive medical
| services. People do not learn.
| surfingdino wrote:
| British Gas has taken to removing their bank account details
| from their invoices so that you have to set up an online
| account with them and then set up a Direct Debit (permission to
| take arbitrary amounts of money from your UK bank account).
| ehPReth wrote:
| is this just like
|
| anotherservicetwilioruined.example.com/api/doesthispersonhaveanaccount?phone=+12012000000
|
| and then the service says 'yeah that number has an account' (and
| nothing else?)? then whomever repeats that for every possible
| phone number?
|
| or... more than that?
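The endpoint shape ehPReth sketches above, and the information-exposure bug darkr describes further up the thread, are both account-enumeration problems: an unauthenticated lookup whose answer depends on whether a number is registered. The block below is an added example for this thread, not Twilio's or Authy's code; the registered numbers, the `/api/lookup` path, the log format and the IP addresses are all constructed. It puts the enumerable response next to a hardened one (uniform reply plus per-caller budget) and adds a detection rule that flags one source probing many distinct numbers in constructed access-log lines.

```python
"""Account-lookup endpoint: the enumerable shape next to a hardened one,
plus a detector for enumeration attempts in access logs.

Added example for this thread; not Twilio/Authy code. The registered
numbers, the /api/lookup path, the log format and the addresses are
all constructed.
"""
import re
from collections import defaultdict

# Constructed set of "registered" E.164 numbers; not real accounts.
REGISTERED = {"+12015550100", "+12015550101", "+442079460999"}


def leaky_lookup(phone: str) -> dict:
    """The shape the thread speculates about: the response differs by
    whether the number has an account, so anyone can walk the number
    space and build a list of users."""
    if phone in REGISTERED:
        return {"status": 200, "body": {"exists": True}}
    return {"status": 404, "body": {"exists": False}}


class HardenedLookup:
    """Same endpoint with two mitigations: a response that is identical
    whether or not the number is registered, and a per-caller budget.
    Side effects (here: queuing a verification message) only happen for
    registered numbers, but nothing in the reply reveals that."""

    UNIFORM = {"status": 202,
               "body": {"detail": "If this number is registered, a message is on its way."}}

    def __init__(self, budget_per_caller: int = 5):
        self.budget = budget_per_caller
        self.requests = defaultdict(int)  # caller key -> request count
        self.outbox = []                   # numbers a message was queued for

    def lookup(self, caller: str, phone: str) -> dict:
        self.requests[caller] += 1
        if self.requests[caller] > self.budget:
            # 429 depends only on the caller's own volume, never on the number.
            return {"status": 429, "body": {"detail": "Too many requests."}}
        if phone in REGISTERED:
            self.outbox.append(phone)
        return dict(self.UNIFORM)


# Combined-log-style access line; format constructed for this example.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /api/lookup\?phone=(?P<phone>%2B\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)

# Constructed log lines: one source walks four numbers, another checks
# its own number twice.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jul/2024:12:00:01 +0000] "GET /api/lookup?phone=%2B12015550100 HTTP/1.1" 200 17
203.0.113.7 - - [04/Jul/2024:12:00:01 +0000] "GET /api/lookup?phone=%2B12015550101 HTTP/1.1" 200 17
203.0.113.7 - - [04/Jul/2024:12:00:02 +0000] "GET /api/lookup?phone=%2B12015550102 HTTP/1.1" 404 18
203.0.113.7 - - [04/Jul/2024:12:00:02 +0000] "GET /api/lookup?phone=%2B12015550103 HTTP/1.1" 404 18
198.51.100.9 - - [04/Jul/2024:12:00:05 +0000] "GET /api/lookup?phone=%2B442079460999 HTTP/1.1" 200 17
198.51.100.9 - - [04/Jul/2024:12:00:40 +0000] "GET /api/lookup?phone=%2B442079460999 HTTP/1.1" 200 17
"""


def enumeration_sources(log_lines, threshold: int = 3) -> list:
    """Sources that queried at least `threshold` distinct phone numbers.
    A legitimate client checks its own number; a scraper checks many."""
    distinct = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            distinct[m["src"]].add(m["phone"])
    return sorted(src for src, phones in distinct.items()
                  if len(phones) >= threshold)


if __name__ == "__main__":
    print("leaky:", leaky_lookup("+12015550100"), leaky_lookup("+12015550199"))
    h = HardenedLookup()
    print("hardened:", h.lookup("c1", "+12015550100"), h.lookup("c1", "+12015550199"))
    print("suspicious sources:", enumeration_sources(SAMPLE_LOG.splitlines()))
```

The uniform reply is the part that matters for the breach described here: once the response no longer encodes existence, walking the number space yields nothing, and the budget plus the log rule catch whoever tries anyway. The budget keyed by caller is deliberately simple; a real deployment would key it on something harder to rotate than a source IP.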
| vishnumohandas wrote:
| We built ente.io/auth
|
| If you need a cross platform authenticator, do check it out.
|
| FOSS, optional e2ee backups.
| memset wrote:
| I switched to this from authy months ago and never looked back.
| Thank you!
|
| I followed this guide - basically, run an older version of
| authy with devtools enabled and use the js console to export
| your items.
|
| https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
| vishnumohandas wrote:
| Glad to hear Auth is being useful!
|
| If anyone else is considering a switch, our community has
| documented a migration guide here:
| https://help.ente.io/auth/migration-guides/authy
| kylehotchkiss wrote:
| Twilio requires Authy for 2fa for sendgrid and maybe even twilio
| itself instead of supporting more standardized 2fa that'd allow
| 1pass to be used. This is all the more frustrating because I was
| forced to use Authy to protect an account instead of my regular
| tooling and they still managed to screw it up. Twilio, take a
| hint and stop forcing people to use your custom thing
| https://www.twilio.com/docs/sendgrid/ui/account-and-settings/two-factor-authentication
| qingcharles wrote:
| Ugh. I hate that some apps require use of specific auth apps.
| This should not be a thing, we have great generic systems for
| this already.
| mort96 wrote:
| I just hate that some apps/services require 2FA. My 32 random
| characters which are unique to each service are secure
| enough. Adding another service on top just increases risk (as
| shown here; Authy was never going to do anything to protect
| me, but it has now leaked info about me.)
| cqqxo4zV46cp wrote:
| No. TOTP MFA's mechanics make it a significant security
| improvement regardless of how impressively large (???) your
| password is. It doesn't inherently implicate "another
| service". That's the beauty of it. This issue is
| SPECIFICALLY due to forced use of Authy. Forced MFA for
| high-value accounts is a good thing. "A long password will
| protect me" is 2006 thinking.
| raincole wrote:
| What happens when you lose your phone then?
|
| Do you have recovery code printed out? Do you carry them
| with you? If you do then what's the difference between
| this and a password?
| tssge wrote:
| Not the parent, but I write recovery codes down and store
| in a safe at my home.
|
| The difference compared to a password is that these
| recovery codes are single use, used only in exceptional
| cases and physically airgapped. On the other hand my
| password is multi use, is used daily by me and in the
| event of a breach will be exposed to the attacker.
|
| I will know if someone steals my recovery codes. I'll
| have no idea if someone gains knowledge of my password
| though.
| qingcharles wrote:
| I keep a second outdated Android phone secure with all my
| TOTP on it for now, plus I have another person I trust
| who I share my codes with.
| udev4096 wrote:
| Well, phishing attacks are still prevalent and it's still
| at the top for compromising credentials. And phishing
| attacks have evolved. Most of them will hijack your
| session, which will make TOTP useless (FIDO will protect
| you tho)
| jeromegv wrote:
| I just don't buy the argument that because most
| sophisticated attacks exist, then 2FA isn't useful.
|
| 2FA protects you from someone getting access to a leaked
| password. They still can't connect even with user and
| password, without doing a very elaborate hack. That's a
| huge benefit.
| Dudhbbh3343 wrote:
| > Forced MFA for high-value accounts is a good thing.
|
| No. I agree the MFA is big improvement and I use it for
| many of my accounts, but I still don't want you forcing
| me to do something "for my own good".
|
| Make it the default or show me scary warnings, but still
| give me the option to make my own decision in the end.
| Sometimes, it's okay for convenience to take precedence
| over security, and the user is the only one who should
| make that determination.
| pndy wrote:
| Long story time:
|
| There's this small web portal in Poland that for years
| provides a simple free email service (and an instant
| messenger with same login) with occasional "messages from our
| sponsors" in your inbox - you had to tick your "interests"
| during registration. In time banners started to appear and
| that was still fine because the Web was still a pretty
| innocent place and tracking was years ahead of us. At some
| point inbox was getting flooded with spam; either one you had
| to have or outside the service because the domain was popular
| and probably addresses were scraped from the associated
| instant messenger. Then, banners started to be aware of inbox
| content and sponsored messages included tracking - milking
| your habits and activity became a thing.
|
| Fast forward to some 10 years ago the service offers a
| premium plan where you can turn off banners around inbox, the
| permanent banners that pretend to be emails at the top of the
| list. Of course paying turns off only these banners and
| sponsored messages and every other spam will pile up. There's
| a built-in filtering option but since people started using
| it to get rid of these mandatory messages - it stopped
| working at all. And any filter entry is a dummy one. At this
| point it's more an ads and spam gallery with an optional
| email service. Instant messenger was killed off in 2016 as
| people preferred global networks, and so were small but
| popular discussions forums turned off.
|
| Around the same time the portal was bought by what for years was a
| bigger competition to them (not the only one ofc). The idea
| that both portals should use a single login appears. So
| people saw messages at login saying that you should transfer
| your account to this unified platform because it's more
| secure and there are some "benefits". Later, a darkpattern
| message was displayed saying that the unified login service
| will be the only way to use all services including email. And
| this unified login comes with company's own 2FA mobile app
| which you can't replace with a generic generator of any kind.
| Aaand in the end, nothing really happens. The darkpattern
| messages disappear and you can still log into the email with
| same plain password you used for years. The 2FA becomes
| suddenly optional but "recommended". People complaining in
| Appstore reviews about login issues and fact that no generic
| generator works are suggested to talk with support where
| apparently something can be arranged.
|
| What my hot guesses are is that the company believed that
| domestic service popularity combined with mandatory 2FA app
| that does collect a lot of additional unnecessary information
| will provide a steady source of money for this service.
| People accustomed for years to an attractive short local
| domain won't force themselves to move elsewhere. But that
| didn't work as planned and honestly, I don't know how they
| managed to survive till today.
|
| I did create a few addresses there but over the years I
| managed to move elsewhere; what was once cool and fast and
| plausible became obnoxious to use.
|
| If you remember poczta o2 you surely remember tlen emoticon:
| [10ton] - that's the best way to sum up what happened to this
| portal and service.
| Kwpolska wrote:
| All the big email services in Poland (WP, Onet, Interia,
| O2, ...) were always crap riddled with ads. I don't know
| why people still stick with it instead of migrating to
| something like Gmail.
| mdaniel wrote:
| Yeah, _Steam_ get with the program
|
| My recollection is that someone reversed their algorithm and
| they used _almost_ TOTP which hurts me even more because that
| implies that they knew about the standard and still chose
| violence
| calderwoodra wrote:
| Even worse.. 2FA is mandatory on Twilio products, so either
| install authy or don't use Twilio - no exceptions.
| noman-land wrote:
| I use a normal authenticator app which is not Authy.
| original_idea wrote:
| Yeah, no. You don't need to use Authy.
| slhck wrote:
| Last time I checked, they did. In fact their 2FA system is
| so messed up that it thinks my mobile number is an
| authenticator app, and so I can't even request a code to
| delete the 2FA method, let alone add a new one:
|
| https://i.imgur.com/PoZ2ssc.png
| https://i.imgur.com/heiJer6.png
| original_idea wrote:
| Authy uses a standardized QR code to seed your TOTP. This isn't
| true.
| nloomans wrote:
| Have you tried it? They use a proprietary integration with
| Authy that prevents you from using anything else. No QR code
| is ever provided.
| edmn wrote:
| It's either Authy or 2FA through SMS, no other option.
| boesboes wrote:
| Not true. Look at the documentation, authy or sms.
| giancarlostoro wrote:
| They should be held fully liable for damages for this kind of
| nonsense when indeed it goes wrong.
| Featherknight wrote:
| Sucks that Twitch.tv still relies on it. My only service that
| uses it still, I've since migrated to other managers
| xyst wrote:
| Terrible. Glad I moved away from Authy a long time ago. Small
| reminder that I need to delete the account though.
| jordigh wrote:
| Took a while, but this commenter is finally correct:
|
| > Why does Authy require I provide my cell phone number and email
| address? Why do I have to have a user account? This is completely
| ridiculous. I do not need nor want cloud syncing or backup. You
| are making Authy a potential target for attacks by associating a
| user to cloud stored 2FA information.
|
| > This is not in the spirit of 2FA.
|
| https://news.ycombinator.com/item?id=9100560
| 8474_s wrote:
| You can't pick and choose "Not a real scotsman" since 99% of
| users will be on bigcorp 2FA that does it in most ass-backwards
| way possible. 2FA as mobile apps locked to hardware is not
| going to go away without 2FA being replaced by something else.
| brewdad wrote:
| The entire use case for Authy is the cloud backup and syncing
| across devices. If you don't want that, use any of the other
| free and more open 2FA apps.
| akamaka wrote:
| Twilio was forcing users to install Authy. See this thread:
|
| https://1password.community/discussion/116314/sendgrid-
| requi...
| j1elo wrote:
| Then make it an independent email+password thing, so in case
| of a leak, something as critical and personal as a phone
| number doesn't get involved in the stolen data.
|
| (I know the irony of this in particular being Authy, but
| nevertheless phone numbers should NOT be risked to be exposed
| anyhow)
| LtdJorge wrote:
| I use Authy _because_ it provides cloud sync. At the time,
| Google Authenticator didn't have it, and when I had to change
| phones it was a real hassle. Imagine if the phone had been
| stolen, no way to access the account normally to get a new QR,
| you'd have to "recover" every account.
| huggingmouth wrote:
| Good for you. Still doesn't answer gp's question. Why do we
| have to create a central account?
| ngetchell wrote:
| Yes it did. Authy provided cloud sync via phone number
| authentication. If you didn't want that, you stuck with
| Google Authenticator.
| giancarlostoro wrote:
| I have been transferring Google Authenticator from phone to
| phone for years though? Going back to at least 2016, and that
| was 8 years ago. In 2020 I copied it from Android to iOS even
| by doing an export I had no idea was there.
| edward28 wrote:
| It was a manual process requiring the phone to be working,
| which doesn't help when you have an accident that damages
| the phone.
| giancarlostoro wrote:
| Not to go too off-topic, but that post from 2015 has a response
| from 2019, how is that even possible? I thought HN auto locked
| posts after x number of days / years.
| mdaniel wrote:
| I don't want to go through the trouble of creating a
| throwaway to test it, but having worked in webdev long enough
| makes me believe it's possible that restriction is only on
| the frontend and some well placed curl may sidestep it
| PascLeRasc wrote:
| Twilio has an incentive to make "the spirit of 2FA" worse,
| because SMS-only is how they make money. Either OTP 2FA will be
| more complicated and adopted less, or they'll own the entire
| space, like in Sendgrid's case.
| instagib wrote:
| For iPhone, put the phone in do not disturb. It will send all
| calls to voicemail. If someone is on your emergency contacts,
| favorites, or 1by1 focus then a repeated call will actually ring
| your phone. Otherwise no notification. Not even a text counter
| increase unless the person taps (notify anyway).
|
| Tried to do the same on an android phone and it didn't work.
|
| You can also port your phone to google voice or Fi and give away
| all your call information to them. Very few spam calls get
| through their filter.
|
| I like the change phone area code to out of area and block all
| phone calls from that area that some call services provide.
| rcostin2k2 wrote:
| Actually, I have a Samsung S20+ and "Do not disturb" works
| pretty well, even scheduled
| denkmoon wrote:
| If you've got anything in Authy that isn't using the authy custom
| authentication scheme (ie. just regular TOTP) now is the time to
| get it out.
|
| Exporting the raw totp tokens can only be done from the desktop
| version that is currently deprecated and scheduled to be nuked
| from existence later this year. It requires getting the tokens
| loaded into the desktop app, then downgrading to an older version
| so you can use the chrome remote debugger to run a javascript
| function against the desktop app (embedded chromium) which pulls
| out the raw tokens and gives them to you.
| mort96 wrote:
| > Exporting the raw totp tokens can only be done from the
| desktop version that is currently deprecated and scheduled to
| be nuked from existence later this year
|
| Oh. Fucking great. So I'm locked in to using Authy forever now
| I guess.
|
| I hate 2FA. It literally does exactly nothing for security,
| it's just another tool for these big companies like Google and
| Twilio to put themselves between me and the services I need
| access to, all while locking me in to their services and
| siphoning out information they can sell to advertisers. I hate
| it. I hate the "security" people who are pushing this garbage.
| I hate everyone involved in this space. I hate that I now can't
| log in to anything without going to fetch my phone. I hate
| these people.
| denkmoon wrote:
| Haha, I see you manically rage posting in this topic. I
| empathise, it's fucking shit when "smart" people foist
| something unwanted on you because they think it's better for
| you. FWIW, I'm feeling pretty liberated to have moved my OTP
| codes out of authy and into multiple locations - my data, as
| much as I'd prefer not to use it, is now under my control.
|
| You can get the old desktop version from chocolatey/choco -
| https://community.chocolatey.org/packages/authy-desktop/
|
| If anyone wants to try this themselves, this is the recipe
| that worked for me;
|
| - Enable multi device for authy on my phone
|
| - Install the 3.0 desktop authy client from chocolatey
|
| - Get logged in and set up on the desktop client so that you
| can see the current OTP codes (not the lock symbol)
|
| - Uninstall the 3.0.0 desktop authy client
|
| - Install the 2.2.3 desktop authy client from chocolatey
| (https://community.chocolatey.org/packages/authy-
| desktop/2.2.... or choco install authy-desktop
| --version=2.2.3)
|
| - DISCONNECT FROM THE INTERNET AFTER OPENING 2.2.3 AND BEFORE
| IT POPS THE UPDATE DIALOG
|
| - The update dialog will block the program and you can't use
| the chrome remote debugger in the later steps
|
| - Start from step 2 of https://gist.github.com/gboudreau/94bb
| 0c11a6209c82418d01a59d...
| slivanes wrote:
| Great comment. Authy seems to be taking a user hostile
| stance by taking people's OTPs hostage this way.
| mort96 wrote:
| Thank you for the time you took to write this out. I'm sure
| it'll help people. It would probably work if I used
| Windows, but I don't.
| izacus wrote:
| Well, then now might be a good wakeup call to move those
| tokens to one of the many opensource apps that allow exports?
| Like Aegis, Authenticator Pro, etc.?
| xolox wrote:
| I'm really sorry for the situation you find yourself in and
| agree that it sucks. I'm replying because I want to mention
| that it is possible to use 2FA without any form of vendor
| lock-in (although I realize this doesn't help you
| retrospectively fix your existing issue). I'm not trying to
| be a wise ass, I just want to share some pointers for folks
| who are interested in avoiding or remedying this problem
| (which is a bit of a tricky problem).
|
| I've been using pass (https://www.passwordstore.org/) for
| quite a few years now and it allows using multiple GPG keys
| to encrypt secrets in different subfolders. So I have a
| default GPG key that encrypts all my regular passwords,
| protected by a master password that is easy enough that I can
| regularly type it in on my smartphone.
|
| Then I have a second GPG key with a much more complicated
| password that I use to encrypt my 2FA secrets (strings like
| "FX5D MJE8 F9F9 XFE0" that can be used to "seed" apps like
| Google Authenticator). These 2FA secrets I never access on my
| smartphone, I only access them on my laptop where I have a
| proper keyboard to type in the absurdly long password
| required to unlock these.
|
| I wrote a small Python script that takes a 2FA secret and
| uses it to generate a TOTP URL that is then fed to "qrencode"
| (a command line program available on Linux and MacOS) which
| renders a QR code that I can scan into a TOTP app like Google
| Authenticator (like if I was first signing up for 2FA via the
| original website or service, the only thing that changes is
| who generates the QR code and when).
|
| Because I saved the original 2FA "seeds" (my term, not sure
| what the proper term is here, but it's akin to the seed you
| feed into a random number generator) I can regenerate the QR
| code whenever I wish, which means that if my smartphone dies
| and I lose the 2FA secrets loaded into Google Authenticator,
| I can take an empty new smartphone, install Google
| Authenticator, and rescan all of the QR codes that bootstrap
| my 2FA sequences via my laptop. The other side (the website
| or service where I enabled 2FA) never needs to know I went
| through this procedure, in fact fundamentally it cannot know.
|
| I've been using this same scheme to share 2FA codes with a
| team of system administrators so that we can properly protect
| e.g. AWS root accounts while still providing multiple
| individuals access without being tied to a single smartphone
| or 2FA app.
|
| So long story short, it is possible, although admittedly (my
| way) it does require some cobbling together of different
| tools in order to get a workflow that handles this smoothly.
| But I sleep better at night knowing that all of my important
| accounts are protected by 2FA yet I can never be locked out
| of them, even if I lose my smartphone or laptop (the actual
| password store git repository lives on my server where it is
| backed up to several disks every couple of hours).
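The workflow described in the post above (keep the base32 seed, regenerate the otpauth URL, hand it to qrencode) can be shown end to end in a few dozen lines. The block below is an added example, not the poster's script and not part of the pass or qrencode projects. It assumes the seed is in the base32 form that otpauth URLs carry, and uses the RFC 6238 test secret (base32 of the ASCII string "12345678901234567890") as constructed sample input; the TOTP and HOTP code are straight RFC 4226 / RFC 6238 so the result can be checked against the published test vectors. It also goes one step past the post by including the verification routine a service runs on the other side, which is what makes the "the website cannot know you re-enrolled" observation concrete: the site only ever sees codes derived from the same seed.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote, urlencode


def decode_base32_secret(secret: str) -> bytes:
    """Turn a human-formatted base32 seed ("gezd gnbv ...") into raw key bytes.

    Spaces, dashes and lowercase are tolerated and missing '=' padding is
    restored, since sites usually show the seed in groups of four unpadded.
    """
    cleaned = secret.replace(" ", "").replace("-", "").upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(decode_base32_secret(secret), at // period, digits, algorithm)


def verify_totp(secret: str, candidate: str, at: Optional[int] = None,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """What the service side does: accept the current step and +/- `window`
    steps to absorb clock skew, comparing in constant time. The service never
    learns which app produced the code, only that it came from the same seed."""
    if at is None:
        at = int(time.time())
    key = decode_base32_secret(secret)
    step = at // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits), candidate):
            return True
    return False


def otpauth_url(secret: str, issuer: str, account: str, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1") -> str:
    """Build the otpauth://totp/... URL that authenticator apps read from a QR code.

    These are the same fields a site embeds in its enrolment QR code, so an
    app that scans this URL ends up holding exactly the seed the site holds.
    """
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    params = urlencode({
        "secret": secret.replace(" ", "").replace("-", "").upper().rstrip("="),
        "issuer": issuer,
        "algorithm": algorithm,
        "digits": digits,
        "period": period,
    })
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, not a real account seed.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    # Assumed issuer/account names for illustration only.
    url = otpauth_url(seed, "ExampleCorp", "alice@example.com")
    print(url)
    print("current code:", totp(seed))
```

To render the QR code in a terminal the way the post describes, pass the printed URL to qrencode, e.g. `qrencode -t ANSIUTF8 "$(python3 totp_tool.py | head -1)"`, then scan it with any TOTP app. Because the seed alone determines every future code, the same URL can be rescanned on a replacement phone at any time, and the "current code" line lets you confirm the freshly enrolled app agrees with your stored seed before you rely on it.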
| nsajko wrote:
| TLDR: use a password manager to store your secrets. An OTP
| secret key is just a secret.
| 486sx33 wrote:
| Damn 2FA with telephone numbers, I hate it!
| Fire-Dragon-DoL wrote:
| I had to use authy for damn twitch which couldn't go for normal
| authenticator. Thank you -.-
| andrewstuart wrote:
| Can you imagine being the one to tell the CEO.
| ZunarJ5 wrote:
| I have to thank this hacker for motivating me to move fully off
| this app again. Stopped being useful without the desktop app.
| xarope wrote:
| I have resisted moving off Authy as I liked the idea of cross-
| platform cloud sync. That'll teach me. Any other suitable
| alternatives? Aegis is android only. I do run vaultwarden, but it
| means I need another 2FA to login to it, before I can use it as a
| 2FA for other sites.
| Inocez wrote:
| Bitwarden released a standalone authenticator app recently. You
| can give it a try.
|
| https://bitwarden.com/blog/bitwarden-just-launched-a-new-aut...
| eviks wrote:
| This doesn't sync across devices/os, does it?
| jszymborski wrote:
| KeePassXC (and the associated apps) can store TOTP, and you can
| sync it with SyncThing on any device. Add an always-on NAS with
| SyncThing and you'll always have an up-to-date vault, even when
| your other devices are offline.
| pndy wrote:
| 2FAS - https://github.com/twofas and I did replace Authy with
| it some year ago; I'm using it mainly on iPhone while having a
| backup file on desktop and second app installed on Samsung
| phone
| eviks wrote:
| Could try that FOSS ente app
|
| And there is a FOSS app I forgot the name of to allow exporting
| Authy tokens from cli
| zenkan wrote:
| One major problem I see with this hack is that the phone numbers
| exposed in the leak are the single factor of authentication needed
| to get access to an Authy account, including all the MFA tokens
| that the account has saved.
|
| If there are any high-profile victims in this list SIM Swapping
| those phone numbers should be a very attractive approach.
|
| I think security cautious companies should consider turning off
| multi-device support and start planning for a migration. This
| leak feels way riskier to me than what media reports it to be.
| eviks wrote:
| But it's not the single factor?
|
| > There are account recovery options outside of multi-device,
| but those require the attacker to compromise your primary
| email. These also take a minimum of 24 hours, during which you
| would receive email notifications, and could request a
| cancellation
|
| https://help.twilio.com/articles/19753631468059
|
| And for multi device you can require current device to approve
| new ones
| zenkan wrote:
| I just had to try it out now to make sure I'm correct on this
| and I believe I am. Here's what I found:
|
| Multi-entity is enabled by default when creating an account.
| Enrolling a second device is possible via an OTP code
| received via a text message. This makes the phone number (in
| my mind at least) the default single-factor needed to access
| an Authy account.
|
| As far as I can tell, the user has to either enroll a
| second device, or manually disable multi-device support to
| make Authy SIM swapping resistant. I have not been an active
| Authy user for many years now so I might be mistaken here,
| but I strongly suspect a majority of Authy's non-technical
| users have not done either. Meaning they would be susceptible
| to SIM Swapping attacks.
|
| My old Authy account definitely was, at least.
| m00x wrote:
| It's sad how awful Twilio's engineering has become. I used it
| super early on and it was amazing, and while they had hiccups,
| they were never major and they were growing pains.
|
| Today they have incidents almost every week, and now data
| breaches.
| original_idea wrote:
| Yeah, its not surprising what a bunch of layoffs will do. The
| Authy people have been gone for a while.
| MaxHoppersGhost wrote:
| The company has had terrible profitability metrics and needed
| to cut a ton of fat. Maybe they laid off the wrong people
| though.
| maerF0x0 wrote:
| Not financial advice:
|
| Also having an investor base that demands removing as much
| equity compensation as possible. (Whilst, IMO, not being
| aggressive enough to cut executive compensation)
|
| But it's no surprise that when you ask management/executives
| "who needs to be laid off", the answer is not that many
| managers/executives...
|
| I do think Kho is the right person for the job though, and
| Aidan was surprisingly smart too, so my[1] bet is that
| they'll get there.
|
| [1]: I'm long twilio btw.
| hi-v-rocknroll wrote:
| Auth0, Authy, Okta, and the like were and are the fail of
| delegating critical functions to third-parties.
|
| For authentication, authorization, and 2FA, run it yourself on-
| prem or go home.
| m4tthumphrey wrote:
| I only answer the phone now if I know the caller or if I'm
| expecting a call, and even then I would usually let it go to
| voicemail and call them back.
| tristor wrote:
| So fun story, I recently switched away from Authy for various
| reasons, but the key one was that I had to restore from a backup
| on a device and when I did so I realized that Authy had never
| actually deleted any of the 2FA/TOTP accounts I'd configured over
| the years, things that had been deleted on device literally 5+
| years ago were still stored and available on request via their
| API.
|
| In general, after that I started poking, and discovered a lot of
| things I hadn't bothered looking into before that make me
| extremely suspect of Authy's general security.
|
| For those looking for an alternative, I use 2FAS and Yubico
| Authenticator with a Yubikey now. Yubikey only allows you to
| store up to 32 TOTP slots, which is very limiting (I have more
| than 60 TOTP accounts for 2FA), so I use two apps and "tier" my
| 2FA.
| maerF0x0 wrote:
| It feels funny to say "Hacker" when it was just someone using
| something on the open internet the way it was (de facto) designed
| for, and just used it a lot.
|
| Like if I crawl hackernews and download all the somethings am I a
| "hacker"?
|
| To me a hack is some kind of escalation of privilege beyond what
| I'm truly entitled to (such as stuffing passwords, tricking
| software to run a payload, crafting a payload for service A so
| that it tricks Service B) ...
|
| Not using curl on a loop.
| otterpro wrote:
| The main reason I didn't use Authy was that it requested phone
| number when signing up, and it didn't make any sense to me why
| they'd need it. Since then, I've been using 2FAS, since there's
| no personal data that can be leaked.
___________________________________________________________________
(page generated 2024-07-05 23:02 UTC)