Two Factor Security shouldn’t involve a mobile phone

If I were God for a day the piece of technology I’d uninvent in a heartbeat is the mobile phone, with a special mention for its bastard spawn the smartphone. It’s made rude shits of us all, because the phone trumps the person you’re talking to in meatspace right here right now. It enables zero hours contracts, things like Uber and pretty much anything that allows us to treat human beings more like pieces of machinery. It allows Facebook to track the proles all over the place and sell them shit they don’t need to impress people they don’t like…you know the pack drill. Pretty much anything that’s good for Facebook1 is bad for the common weal.

I give a few people I want to talk to my phone number, and even fewer a mobile number, along with the exhortation do not make the assumption that you can get me on this. One colleague summed it up perfectly when I was at work – he only uses a mobile when he is mobile. Well, yeah. Duh. Unlike the rest of the human race it seems, I go about my business without carrying a mobile phone with me. I don’t want to be disturbed at anybody’s whim if I am doing something else. I think the AI guys can beat humans by just taking a break for a few years, then the gormless numpties that are us will lose the fight, like Idiocracy on speed.

Asimov missed the target in The Feeling of Power.

The congressman took out his pocket computer, nudged the milled edges twice, looked at its face as it lay there in the palm of his hand, and put it back.

It’s not just maths, it’s orientating ourselves spatially using a map, knowing shit that you ought to know without the Big G, all sorts. But this fight has been lost, the bad guys won. In the fight between Them and Us, Them routed Us comprehensively.

Increasingly seems that banks want, nay demand to have a mobile number, and they just can’t believe I don’t have one. So the blighters continually demand one, and say I can’t use t’internet to buy shit without. Sure I possess one, but since it spends most of its time in one place it’s not the vade mecum that it is for everyone else. I gotta switch the damn thing on, because I’m sick of the FAANGs “following me around with Rays2” otherwise.

2FA – what you have and what you know

I understand the point of 2FA3. Way back in the mists of time, you could present your credit card, and the spotty yoof would take a print from the embossed card and get you to sign it, and then inspect the signature against the one on the back to see if it matched. That was the something you have – the card – and, near enough, the something you know, which is how to scrawl your moniker in such a way as to match the one on the back (strictly a signature is a something-you-are factor, but the principle is the same). The obvious problem was presumably that visual artists could match anyone’s signature, so we went away and invented Chip and PIN – the card plus a PIN that really is something you know – and all was well with the world.

Then some more spotty youths invented t’internet. Bless their idealistic souls, they built it along the models of some prelapsarian Eden where Bad Guys didn’t exist. It’s one of the reasons why email is so broken and you get all those letters from people you know, even those that are dead, saying they’re stuck in some God-forsaken place without money could you just Western Union4 over some cash.

So we all got on our computers to buy our consumer shit that we see people with on Instagram, and they had to invent some other sort of out of band authorisation, involving injecting spurious data from third party sites5 and calling it 3-D Secure, ‘cos obviously knowing the number on the front and the one on the back is trivially easy for some punk that’s just nicked your card, as long as it’s not something he wants delivered.

That’s not up to snuff for actually using your bank online. Obviously they could ask you to put your PIN in the computer the way you do at an ATM, but all sorts of Bad Guys are in your computer along with the NSA, GCHQ and some random assortment of Russian whatevers. You’re probably OK from the latter sort of Bad Guys but it’s the ones who don’t have enough money that you have to worry about. Sometimes it’s a wonder you can get the lid back on your computer, there are so many bad guys in there. So the banks give you a gizmo you stick your card in, which has no ports for a keylogger etc. Yet, anyway. You put the PIN into the gizmo, not the computer, and it spits out a one-time code that is no use once it has been used, so a keylogger that catches it has caught nothing worth having. The whole point is you don’t plug it into your computer where all the Bad Guys are hanging out.
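The card-reader gizmo described above is an offline one-time-code generator: the secret stays in the device, and the only thing that ever crosses to the (possibly compromised) PC is a code that is good once. As an added example that is not from the original post, and is not the proprietary EMV CAP scheme UK bank readers actually implement, here is the open-standard equivalent, HOTP from RFC 4226, with a toy reader and a toy verifier that refuses replays. The secret is the RFC’s published test-vector key (public test data, not a real key); the CardReader and BankServer classes and the look-ahead window are hypothetical illustrations.

```python
import hashlib
import hmac
import struct

# Public test-vector secret from RFC 4226 Appendix D (constructed test data,
# not a real key). A real reader keeps a per-card secret in the chip and
# never reveals it to the PC.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class CardReader:
    """Hypothetical stand-in for the disconnected token: holds the secret,
    bumps a counter, emits a code. Nothing on the PC ever sees the secret."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def generate(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class BankServer:
    """Hypothetical verifier: remembers the next expected counter so a code a
    keylogger captured cannot be replayed, and tolerates a small look-ahead
    window for codes the user generated but never typed in."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret = secret
        self._next_counter = 0
        self._window = window

    def verify(self, submitted: str) -> bool:
        for c in range(self._next_counter, self._next_counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), submitted):
                # Accept, then burn this counter and everything before it.
                self._next_counter = c + 1
                return True
        return False


def demo() -> dict:
    """Run the reader/verifier exchange and report what happened."""
    reader = CardReader(RFC4226_SECRET)
    bank = BankServer(RFC4226_SECRET)
    first = reader.generate()        # user types this in; keylogger sees it too
    accepted = bank.verify(first)    # genuine login: accepted
    replayed = bank.verify(first)    # keylogger's copy: rejected
    reader.generate()                # a code generated but never entered
    third = reader.generate()
    resynced = bank.verify(third)    # still inside the look-ahead window
    return {
        "first": first,
        "accepted": accepted,
        "replayed": replayed,
        "third": third,
        "resynced": resynced,
    }


if __name__ == "__main__":
    print(demo())
```

The counter, not the clock, is what makes the code single-use: once the verifier has accepted counter 0 it never looks at it again, so the captured code is dead even though the keylogger saw it in the clear. A key on the PC, by contrast, would be copied once and good forever.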

I was pretty much OK with that as an option, and I would have been OK to use that on the Web instead of 3D (in)secure. But the banks now want to send out text messages to a mobile phone.

A mobile is highly thievable, insecure and spoofable

Hoodied ne’er-do-well on a bike about to half-inch a phone in London, as shown by the Metropolitan Police

Now I don’t spend time thinking about mobile security but it’s pretty obvious that mobes are highly liftable. Plus, it turns out, they are highly spoofable by design, which is a big Security Fail for the banks, because Mr Big Bank sends you an SMS text message to a phone number.

In an epic fail, Mr Big Bank failed to realise that the phone number is not an inalienable parameter of the mobile phone, it is a function of the SIM card, or more precisely of which SIM the network currently has recorded against your number. The clue’s in the name – Subscriber Identity Module6.

So there’s no security to be had by texting your mobile number, because Bad Guys can talk your network into moving your number onto a SIM they hold (a SIM swap), and from then on Mr Big Bank’s text goes to them. As happened to gobshite Jack Monroe. While she may sometimes talk rot along with a fair amount of sense presented in an edgy manner, she doesn’t deserve to have Bad Guys run off with some of her hard-earned.

There’s also an object lesson here, which is if you must put your birth date on Facebook then for God’s sake make it a day, month and year which are not the same as the ones you give to your bank, huh? HM the Queen can have a real birthday and an official birthday. If it’s good enough for Her Majesty, it’s good enough for her subjects. OK so she has managed a fail by blathering her real birthday on the website, but she has the advantage over you and me that she has staff to sort out her money, so it’s not like she has to ring up the Bank of England and some droid in another continent asks her for her birthday to let her know how many billions she has in the Bank right now. Don’t plaster your birthday over social media, peeps, and if you must, make sure it’s wrong. Sure, it’s security by obscurity, and a date of birth is a shared secret that isn’t remotely secret, but don’t make it unnecessarily easy for the bad guys, eh? At least make your Social Media Self a couple of years older or younger if you’ve already let the cat out of the bag.

Mr Big Bank, let’s have less of this garbage about enhancing security and making life twice as hard as it needs to be. You had a perfectly serviceable method with the card reader gizmo to get an out of band validation of the customer’s PIN, which you spurned in favour of the mobile phone. There is absolutely nothing secure about a mobile phone, and the smartphone is known only for being a totally uncontrolled piece of computing hardware which has a totally uncontrolled set of software applications and an equally uncontrolled software patch status.

The one thing we know about the smartphone is that it does pretty much anything it does incompetently, it’s nickable as hell and there’s no process for nailing the phone number to the phone, even if that were desirable. So, banksters, quit the fetishisation of the smartphone as a way to add security. Use either the card readers you have already, or suck it up. As for the rubes that grizzled on the radio about not being able to use their bank details stored on their mobile phones due to yesterday’s Three outage, well, whaddya expect? A bank card just is. If you want to save yourself the burden of carrying less than 1g of plastic by sticking it on your phone, where you need a working network connection as well as the damn phone, well, you’ve just discovered that every extra requirement inherently reduces reliability. Live and learn, eh?


  1. OK, let’s not pick on the Zuck. Anything that’s good for the FAANGs isn’t good for the common weal. 
  2. Terry Pratchett, Soul Music, Foul Ole Ron 
  3. Two Factor Authentication
  4. The rule is simple. If it involves Western Union it’s a scam at best and criminal at worst. Presumably there is a correct use for Western Union but I’ve never run across it. Why the heck they don’t re-christen it Bank of Con-Artists and Thieving Scumbags is a mystery to me. 
  5. Strictly it isn’t script injection: 3-D Secure bounces you to (or pops up an iframe from) your card issuer’s authentication server in the middle of the merchant’s checkout. How training shoppers to type secrets into a page that appears from a third-party domain makes the system more secure beats the hell out of me, because in pretty much every other application on the Web that’s the textbook look of a phishing page and a big No No. 
  6. Else it would be called the PIM, huh? There is a phone identifier snazzily called the IMEI that is meant to identify the phone. No idea how spoofable that is. There’s still the problem that phones are small and valuable, thus attractive to thieving barstewards. 

25 thoughts on “Two Factor Security shouldn’t involve a mobile phone”

  1. Spot on just had a somewhat heated discussion with Nationwide about not carrying a mobile, and locally no reception even if I did!
    I thought I was just a grumpy old *art

  2. I agree. I travel all the time and the 2 factor security thing can be a real pain. I had to buy a new phone with two sim slots so I could keep my home country sim active when I am abroad so I could receive the OTP codes without which I couldn’t use my credit cards online or log on to many accounts. In some places however there is no local mobile network partnered with my home country network and I am stuffed. I have increasingly reverted back to carrying large quantities of USD or other useful currencies depending on where I am in the world and using bureau de change like back in the dark ages. I reckon this is safe enough for now as most people no longer carry much cash because they use the internet and cards.

    What makes it all so much more frustrating is that my credit cards have repeatedly suffered from fraud of one sort or another and it seems to me that this is all because of bank incompetence. For example paywave. Anyone who steals your card can now use it easily as long as they stay under the limit for needing a PIN. Cloning. The fact that credit cards only seem to have 8 unique digits, as the first 8 simply ID the bank. Fraudsters simply keep typing in plausible combinations for tiny purchases (eg iTunes) until they succeed and then make a big purchase. It seems to be out of control and getting worse all the time. God knows how many billions the banks have to write off every year.

    In reply to your post about Nationwide though Andrew I would say they are way better than most banks. Their reliance on card readers is clever. I hated it when they introduced it but it actually works very well and avoids the need for the OTP.

    1. I’ll give you my super secret tip on the Nationwide card reader. If you carry a Nationwide card then don’t carry a Nationwide card reader. Instead carry one from the Co-op Bank, or RBS, or whomever. It works just as well but might perhaps confuse a crook in a distant land.

      Or does everyone know that already?

      1. Maybe I am being dense here but doesn’t the card have Nationwide on it already? However the card readers are interchangeable – I’ve had mine so long I had to change the batteries on it, though I don’t use the supplying bank any more

  3. Totally agree with what you say. I also wish PS4 and YouTube hadn’t been invented, so I might get more than a disinterested grunt from my 16 year old when I try to involve him in my scintillating conversation.
    This generation are such technology addicts involving long hours on devices, I literally have to force my son off them. I really do fear for their mental and physical health. And he doesn’t even go on instagram and Facebook etc.

    1. Youtube is wonderful. I can listen to hours and hours of yer Jelly Roll Morton, yer Bix Beiderbecke, yer Satchmo, and dozens of others. Bliss. We civilised coves don’t want just your easily available Mozart and Beethoven, you know, we also want the much harder to find classical jazz. Play that thing! Yeah, man!

      1. Ha, never heard of any of them but seeing as I don’t particularly like jazz probably why. Though will look them up on YouTube to see if they change my mind.

  4. > banks want, nay demand to have a mobile number

    This is largely due to EU regulations. https://www.fintechfutures.com/2019/05/psd2-how-new-eu-regulations-will-change-the-e-commerce-game-from-september-2019/

    I’ve worked for banks and know they don’t really do security – they do compliance which means provided they keep some rules they plan to blame you for any losses.

    There are problems with mobiles as 2FA; and if you have your mobile signal boosted by your broadband your 2nd factor is coupled to the 1st and perhaps doesn’t gain any security anyway. Video from 10 years ago: https://fahrplan.events.ccc.de/congress/2009/Fahrplan/events/3555.en.html

    1. Blimey, it’s worse than I thought. Pretty much with any sort of phone if SS7 can’t be trusted 😦 Still, maybe offing this PITA may mean there’s one advantage to be had from Brexit, then!

  5. “Unlike the rest of the human race it seems, I go about my business without carrying a mobile phone with me.”

    I carry mine. But not switched on, normally. It’s for outgoing calls mainly, not incoming. Every now and again my provider texts me to say I’ve not made a call for 3 months and that if I don’t make one pronto I’ll lose my number. So I make one. This extortion costs me, oh, ten pounds every couple of years.

    1. I might add that lately my wife has acquired a hand-me-up smartphone. So now she often borrows my antediluvian phone when she goes out because smartphones, it seems, always have flat batteries.

      Maybe I should buy a new sim card for the spare clamshell phone we have lying around. It’s elegant: not quite as beautiful a piece of design as the original coke bottle or the English dimpled pint glass, but getting towards that standard.

      1. That clamshell is probably a better phone from a coverage POV – for hillwalking I have a dual-sim plastic phone, which is far better in marginal coverage than a smartphone. Fortunately I’ve never had to use it with that other than to confirm coverage.

  6. Agreed. Also, the need for a mobile disproportionately impacts more vulnerable people who have more to gain from internet banking and shopping. Bad eyesight, poor dexterity, people in controlling relationships…

    It’s all an annoying feedback loop where the assumption that everyone has a phone on them all the time increases the need to have a phone. Orwell thought that compulsory surveillance devices would be installed by force, instead we pay £100s for the privilege of carrying around our trackers and bugs.

  7. I like your point about date of birth. I actually go one further, with place of birth being Katmandu or Xanadu or something similar, make of 1st car being model T, or mother’s maiden name being Windsor. Trouble is, I often forget all the lies I’ve told, and so revert to writing them down, which kind of defeats the object!

    1. > I often forget all the lies I’ve told

      A password manager is your friend here… they even generate the random string of characters to make a decent pw, different for each website etc.

  8. After years of neo-Luddism, I recently got a smartphone. My wife has one and we can keep track of each other in our dotage via text messaging.
    So far in Canada the only 2-FA I have run into is with online banking if I happen to log in from a different device the bank doesn’t recognize. There does not appear to be anything beyond that – such as using credit cards for online purchases. Canada is primarily a chip and PIN country for bricks and mortar credit card use although we do also have those dam’ tap devices. The bank’s 2-FA can call me on a landline to give me the access code so a mobile phone isn’t essential.
    Recently my daughter and SIL were driving back from Quebec City to Ottawa and I was able to help them bypass Montreal by texting them directions on the go. That was pretty cool.

    1. Seems a more civilised way of doing things. The tax people use the landline call sort of thing here but not the banks. And it looks like that banks want to do this each and every time – I could live with it if it were on using a new device

  9. I have gone back to carrying cash too because the worst thing that can happen is that you lose it, and that’s probably less inconvenient than losing your bank card or phone. And it works while out of signal range.

    I travel a lot in far-off places and have bank accounts in 2 countries so I need 2 SIM cards, and I did manage to source a dual-SIM old Nokia dumb-phone which also has the advantage of going 2 weeks between charges. I might dig it out again.

    As for not being contacted on it, my voicemail message simply says that I rarely answer calls and never check voicemail, please send an SMS or email me.

    I had to laugh at a journalist who recently wrote up her tribulations: she said that she never even carries a wallet or cards or money, just pays for everything with her phone. Alas recently the battery ran out with her local bus ticket on it. So she got done for travelling without a ticket, followed by ignoring the penalty and then the summons. The resulting court judgement gave her a criminal record which invalidated her no-visa entry to the US and caused her to lose the cost of her non-refundable flights to New York….

    For want of a nail, the shoe was lost.

    1. Yikes. Bet that hurts! There is a secondary point about large sums of money in house purchases, when we bought this house for cash we did it in two halves, stated up front to the solicitors that if any account changes had to be made then they would be made in person at their office. I went to my bank to initiate the CHAPS transfer to the solicitor in the same town rather than use a cheque with their printed details so I couldn’t screw it up. And even then was paranoid about the deal.

      The more I read about mobiles as 2FA I come to regard them as an attack vector, not security improvement. Hopefully sense will prevail soon and banks will come to regard mobiles with the contempt and disgust they deserve. Great for Facetweeting but insecure as hell – should be kept as far away from your money as the guy with the blue and white striped sack.
