UKC

Cyber security

This topic has been archived, and won't accept reply postings.
Ridge 14 Oct 2020

Just pondering, after the latest scam call to the landline. A lot of banks are now using 2 factor SMS authentication, but most people, myself included, use their mobile number to get updates on deliveries so it's not particularly secure in terms of the number being skimmed and added to profiling information which I'm assuming is being compiled on the dark web somewhere.

Is there any benefit in having a second number for 2FA, as I've been considering getting an additional SIM for a dumb phone when out running/walking for making emergency calls? I.e. a number that is only shared with the banks and not used normally (other to ring my normal number to keep it active).

Thoughts or any other tips on keeping accounts secure.

Alyson30 14 Oct 2020
In reply to Ridge:

I don't see much benefit in it, the security of this type of 2FA system does not rely on the phone number being kept secret, it relies on the difficulty for someone else to gain control over the phone number.

mondite 14 Oct 2020
In reply to Alyson30:

That's the point they are making, I think.

There have been several cases of people taking over the number. Personally I would rate the risk as fairly low although that would depend on how successful his coke and assault rifle emporium ends up being.

It isn't something which has been automated as far as I am aware, so you would need to be interesting enough to be personally targeted. At which point I suspect you would be knackered anyway.

OP Ridge 14 Oct 2020
In reply to Alyson30:

Thanks. The weak point is probably the phone company, with someone obtaining a duplicate SIM.

OP Ridge 14 Oct 2020
In reply to mondite:

> It isn't something which has been automated as far as I am aware, so you would need to be interesting enough to be personally targeted. At which point I suspect you would be knackered anyway.

That's my thinking. I did once have a scam email that had my old LinkedIn password (there was a data breach some years ago), which wasn't an issue as I don't use common passwords, so I figure it's only a matter of time before my mobile number is hacked from Screwfix or some other supplier, and used in an attempt to port the number.

Mind you I'll probably be in jail for the online emporium by then, given the amount of advertising.

Post edited at 14:39
Alyson30 14 Oct 2020
In reply to Ridge:

> Thanks. The weak point is probably the phone company, with someone obtaining a duplicate SIM.

Yes, usually what happens is that the attacker would call the mobile network company, impersonating you using information found about you online, in order to transfer the number to a new SIM.

The thing is, the procedures for this have been reinforced in all the main mobile phone companies. They will not issue a transfer unless you confirm a code they send to the number itself, or by going in person to a branch to show a photo ID.
But there have been reports of employees ignoring procedure when the attacker was insistent enough.

One good thing though is that now mobile phone carriers share with banks mobile phone numbers that have been recently ported to a new SIM. Using this information your bank can flag any transaction as potentially fraudulent and is likely to put a stop on it or conduct extra checks.

Sam W 14 Oct 2020
In reply to Alyson30:

I don't trust anything claiming to be from the bank; assume it's a scam and re-contact them using the number on the back of your credit card, or by logging directly in to their website by typing in the URL yourself (not clicking on a link). If these things can be done from a different phone/computer from the one they initially contacted you on, even better.

Running a second SIM sounds like a faff, complexity makes it easier to make a mistake.

Post edited at 14:52
mondite 14 Oct 2020
In reply to Ridge:

> and used in an attempt to port the number.

It's not that easy, so unless you have a ton of cash (especially if it's cryptocurrency and others know about it) or you have a short Twitter name, I wouldn't be concerned currently. I guess if you are going to have the phone in use anyway it could be additional security, but not sure it would outweigh the hassle of getting it out each time.

StefanB 14 Oct 2020
In reply to Ridge:

SMS is not recommended for 2FA anymore for the reasons discussed here.

It obviously depends on what banks support, but if possible use an OTP system like Google Authenticator, or even better a hardware security key (like a YubiKey).

Unfortunately, in most real-world cases, things like "being offered an affordable mortgage" take precedence over such things and we end up being stuck with banks that do not support the best security practices.

However, you can usually SMS on most other services.

OP Ridge 14 Oct 2020
In reply to StefanB:

I'm trying to avoid third party authentication software purely because many banks don't support it and I don't have the knowledge to assess how secure it is.

dread-i 14 Oct 2020
In reply to Ridge:

Generally speaking, people are more at risk from reused passwords than SMS hijacking. So turn on two factor auth everywhere you can, regardless of whether it uses SMS or not.

You can only remember so many passwords, and if you can remember them, they are probably not that random. Use a password manager and make all of your passwords at least 16 characters and random. Use something like the Google Authenticator app on anything that will accept it. For example: PayPal, Gmail, Amazon and your password manager.

Your email account is a high priority target, as many sites will send a password reset link to your email account.

Not that it would apply to anyone here, but don't use your machine to visit dubious sites. If you feel the need to visit 'one handed' web sites, then you can run a 'dirty' (no pun) machine as a virtual machine. What that means is that you can run Windows within Windows. Check out VirtualBox or VMware. That way, your VM can get infected, and it won't compromise your main machine.

And take backups. Frequently. In multiple ways. Have a physical disk you plug in, back up to, then remove. Having it not connected all the time is important. Also some places will give you free cloud disk space. For example you can store photos on Amazon for free, if you have Prime.

You're running an antivirus, right?

Post edited at 17:35
OP Ridge 14 Oct 2020
In reply to dread-i:

I'm pretty much there on most things: banking apps running on a dedicated iPad, email address used for important stuff is a random load of characters rather than a variant of my name. No spam as yet, but will probably change it if any arrives.

I do have a distrust of password managers though. Probably unfounded, but you're putting everything in one basket. Happy to be convinced otherwise by more tech savvy people.

Post edited at 17:43
dread-i 14 Oct 2020
In reply to Ridge:

> I do have a distrust of password managers though. Probably unfounded, but you're putting everything in one basket. Happy to be convinced otherwise by more tech savvy people.

The easy way to check is to search for: <password manager name> and hack.

Where <password manager name> is the brand of the manager you're considering. Look for recent results. When one gets compromised, it's a big thing, so there will be lots of publicity.

Some of them store everything on your local machine. Which solves one problem, but creates another. If your machine dies, you lose access to everything, unless you have backups. With some password managers, you can allow a trusted party to access your passwords. So if you get hit by a bus, your next of kin can access your accounts.

You can always use password managers for less sensitive sites, if you don't trust them. That way, you'll only have a few passwords to remember for bank accounts and the like.

Climbing Pieman
In reply to dread-i:

> .... make all of your passwords at least 16 characters and random.

I'm a bit surprised that there are still companies that don't allow that length of password and/or have restrictions on the random part, both of which can stop use of a password manager's randomly generated password.

Just last week I was forced to reset my password by a company due to their system upgrade, and the new one had to be only 6-10 characters and couldn't have capitals, and some symbols, for example.

mondite 14 Oct 2020
In reply to Climbing Pieman:

> Just last week I was forced to reset my password by a company due to their system upgrade, and the new one had to be only 6-10 characters and couldn't have capitals, and some symbols, for example.

Problem is, once the length is baked into the system it can be an arse to update.

Some companies are still running 60s-70s era software at the heart of their system, with various band-aided systems on top making it even more tricky.

OP Ridge 14 Oct 2020
In reply to dread-i:

> You can always use password managers for less sensitive sites, if you don't trust them. That way, you'll only have a few passwords to remember for bank accounts and the like.

That is a really good idea.
