Two Factor Security shouldn’t involve a mobile phone

If I were God for a day the piece of technology I’d uninvent in a heartbeat is the mobile phone, with a special mention for its bastard spawn the smartphone. It’s made rude shits of us all, because the phone trumps the person you’re talking to in meatspace right here right now. It enables zero hours contracts, things like Uber and pretty much anything that allows us to treat human beings more like pieces of machinery. It allows Facebook to track the proles all over the place and sell them shit they don’t need to impress people they don’t like…you  know the pack drill. Pretty much anything that’s good for Facebook¹ is bad for the common weal.

I give a few people I want to talk to my phone number, and even fewer a mobile number, along with the exhortation do not make the assumption that you can get me on this. One colleague summed it up perfectly when I was at work – he only uses a mobile when he is mobile. Well, yeah. Duh.  Unlike the rest of the human race it seems, I go about my business without carrying a mobile phone with me. I don’t want to be disturbed at anybody’s whim if I am doing something else. I think the AI guys can beat humans by just taking a break for a few years, then the gormless numpties that are us will lose the fight, like Idiocracy on speed.

Asimov missed the target in The Feeling of Power.

The congressman took out his pocket computer, nudged the milled edges twice, looked at its face as it lay there in the palm of his hand, and put it back.

It’s not just maths, it’s orientating ourselves spatially using a map, knowing shit that you ought to know without the Big G, all sorts. But this fight has been lost, the bad guys won. In the fight between Them and Us, Them routed Us comprehensively.

Increasingly seems that banks want, nay demand to have a mobile number, and they just can’t believe I don’t have one. So the blighters continually demand one, and say I can’t use t’internet to buy shit without. Sure I possess one, but since it spends most of its time in one place it’s not the vade mecum that it is for everyone else. I gotta switch the damn thing on, because I’m sick of the FAANGs “following me around with Rays²” otherwise.

2FA – what you have and what you know

I understand the point of 2FA³. Way back in the mists of time, you could present your credit card, and the spotty yoof would take a print from the embossed card and get you to sign it, and then inspect the signature with the one on the back to see if it matched. That was the something you have – the card – and the something you know, which is how to scrawl your moniker in such a way as to match the one on the back. The obvious problem was presumably visual artists could match anyone’s signature, so we went away and invented Chip and PIN, and all was well with the world.

Then some more spotty youths invented t’internet. Bless their idealistic souls, they built it along the models of some prelapsarian Eden where Bad Guys didn’t exist. It’s one of the reasons why email is so broken and you get all those letters from people you know, even those that are dead, saying they’re stuck in some God-forsaken place without money could you just Western Union⁴ over some cash.

So we all got on our computers to buy our consumer shit that we see people with on Instagram, and they had to invent some other sort of out of band authorisation, involving injecting spurious data from third party sites⁵ and calling it 3d secure, ‘cos obviously knowing the number on the front and the one on the back is trivially easy for some punk that’s just nicked your card, as long as it’s not something he wants delivered.

That’s not up to snuff for actually using your bank online. Obviously they could ask you to put your PIN in the computer the way you do at an ATM, but all sorts of Bad Guys are in your computer along with the NSA, GCHQ and some random assortment of Russian whatevers. You’re probably OK form the latter sort of Bad Guys but it’s the ones who don’t have enough money that you have to worry about. Sometimes it’s a wonder you can get the lid back on your computer, there are so many bad guys in there. So the banks give you a gizmo you stick your card in that has no ports for a keylogger etc. Yet, anyway. The whole point is you don’t plug it into your computer where all the Bad Guys are hanging out.

I was pretty much OK with that as an option, and I would have been OK to use that on the Web instead of 3D (in)secure. But the banks now want to send out text messages to a mobile phone.

A mobile is highly thievable, insecure and spoofable

Hoodied n’er-do-well on a bike about to half-inch a phone in London, as shown by the Metropolitan Police

Now I don’t spend time thinking about mobile security but it’s pretty obvious that mobes are highly liftable. Plus, it turns out, they are highly spoofable by design, which is a big Security Fail for the banks, because Mr Big Bank sends you a SMS text message to a phone number.

In an epic fail, Mr Big Bank failed to realise that the phone number is not an inalienable parameter of the mobile phone, it is a function of the SIM card. The clue’s in the name – Subscriber Identification Module⁶.

So there’s no security to be had by texting your mobile number, because Bad Guys can get your number reallocated to them. As happened to gobshite Jack Monroe. While she may sometimes talk rot in along with a fair amount of sense presented in an edgy manner, she doesn’t deserve to have Bad Guys run off with some of her hard-earned. There’s also an object lesson here, which is if you must put your birth date on Facebook then for God’s skae make it a day, month and year which are not the same as the ones you give to your bank, huh? HM the Queen can have a real birthday and an official birthday. If it’s good enough for Her Majesty, it’s good enough for her subjects. OK so she has managed a fail by blathering her real birthday on the website, but she has the advantage over you and I that she has staff to sort out her money, so it’s not like she has to ring up the Bank of England and some droid in another continent asks her for her birthday to let her know how many billions she has in the Bank light now. Don’t plaster your birthday over social media, peeps, and if you must, make sure it’s wrong. Sure, it’s an example of security by obscurity but don’t make it unnecessarily  easy for the bad guys, eh? At least make your Social Media Self a couple of years older or younger if you’ve already let the cat out of the bag.

Mr Big Bank., let’s have less of this garbage about enhancing security and making life twice as hard as it needs to be. You had a perfectly serviceable method with the card reader gizmo to get an out of band validation of the customer’s pin, which you spurned in favour of the mobile phone. There is absolutely nothing secure about a mobile phone, and the smartphone is known only for being a totally uncontrolled piece of computing hardware which has a totally uncontrolled set of software applications and an equally uncontrolled software patch status.

The one thing we know about the smartphone is that is does pretty much anything it does incompetently, it’s nickable as hell and there’s no process of nailing the phone number to the phone, even if that were desirable. So, banksters, quit the fetishisation of the smartphone as a way to add security. Use either the card readers you have already, or suck it up. As for the rubes that grizzled on the radio about not being able to use their bank details stored on their mobile phones due to yesterday’s Three outage, well, whaddya expect? A bank card just is. If you want to save yourself the burden of carry less than 1g of plastic by sticking it on your phone where you need a working network connection as well as the damn phone, well, you’ve just discovered that the extra requirement inherently reduces reliability. Live and learn, eh?

---

1. OK, let’s not pick on the Zuck. Anything that’s good for the FAANGs isn’t good for the common weal. ↩
2. Terry Pratchett, Soul Music, Foul Ole Ron ↩
3. Two Factor Authentication. ↩
4. The rule is simple. If it involves Western Union it’s a scam at best and criminal at worst. Presumably there is a correct use for Western Union but I’ve never run across it. Why the heck they don’t re-christen it Bank of Con-Artists and Thieving Scumbags is a mystery to me. ↩
5. how injecting cross-site scripting Javascript into a web page makes the system more secure beats the hell out of me because in pretty much every other application on the Web that’s a big No No. ↩
6. Else it would be called the PIM, huh? There is a phone identifier snazzily called the IMEI that is meant to identify the phone. No idea how spoofable that is. There’s still the problem that phones are small and valuable, thus attractive to thieving barstewards. ↩