Google To Replace SMS Codes With Mobile Prompts in 2-Step-Verification Procedure (bleepingcomputer.com) 181

Starting next week, Google will overhaul its two-step verification (2SV) procedure and replace the one-time codes it sends via SMS with prompts shown on the user's smartphone. From a report: This change to Google's 2SV scheme follows an increase in attacks on the SS7 telephony signalling protocol, which have let attackers intercept SMS messages sent to a victim's phone number, capture the one-time codes, and break into accounts. The rollout is scheduled to start next week, when Google will invite users to try mobile prompts instead of receiving a one-time code via SMS. Users need an Internet-connected smartphone to use this feature. Every time a user tries to log in, Google will show a prompt on their phone asking the account owner to approve the login request. There is no one-time code to type in; the user authorizes the login request with the tap of a button.

  • Terrible editors (Score:2, Insightful)

    by Anonymous Coward

    I know stories are posted farther apart at night, but it's embarrassing to have stories three hours apart on a weekday afternoon. These editors suck. There used to be a lot of pornographic fiction involving Slashdot editors. I'd like to see what you guys can come up with to explain why the editors weren't posting stories.

    • by creimer ( 824291 )
      Some of my coworkers go out for a three-martini lunch on Fridays. A few might even return to work after lunch is over.
    • I know stories are posted farther apart at night, but it's embarrassing to have stories three hours apart on a weekday afternoon. These editors suck.

      Did you check the Firehose?

      Maybe there wasn't anything else WORTHY of being posted.

      When that happens I'd rather they DON'T post crummy junk articles just to make a quota.

      And I bet, if they DID post such junk, we'd hear even more complaining about the quality of the editorial staff.

      Once upon I time I was one of the sysops on an early conferencing system. You wo

      • by Anonymous Coward

        Normally they do post to try to hit a quota. As I just posted elsewhere in this thread, posts on weekdays are almost always 40 minutes apart and it's very periodic and regular. Often times, the stories show up at the same time each day. And when they deviate, the posts still show up at times that are divisible by five, such as 1:45 or 3:10. The weekends are a little more irregular, but it's probably because EditorDavid is posting instead of BeauHD and msmash. Even on weekends, they're usually spaced just ab

        • Maybe he's sick.

          My wife's sick. I'm sick. Our pets are sick. (Different things for the pets, but still...)

          One reason gantt charts don't work as well as people think they should is that they never allocate time for plague.

    • by ls671 ( 1122017 )

      hehe it's now been 5 hours since this FA was posted and still no new FA posted. What did you do to miss Mash A.C.?

      This looks like a frame-up. Nice try.

  • I usually don't have my iPhone with me when I'm working in my home office. Whenever I log into a website that requires me to look at my iPhone, I have to stop everything while I go fetch my iPhone from the kitchen table. A security token would be more convenient.
    • by xxxJonBoyxxx ( 565205 ) on Friday July 14, 2017 @05:23PM (#54811367)
      >> I have to stop everything while I got fetch my iPhone from the kitchen table

      That will teach you to put your personal tracking device down, citizen.
    • by Calydor ( 739835 )

      I have my cellphone literally only in case of emergency - car breaks down or something like that. As a result it's often left to drain the battery even in standby, and I won't notice for days. So not only do I need to remember where I put it, I also need to charge it enough to turn it on and GET that login message!

      • Re: (Score:3, Insightful)

        Then you aren't the target user. I doubt you even use 2FA, if you don't keep track of your phone. So this won't affect you.
      • by Misagon ( 1135 ) on Friday July 14, 2017 @05:45PM (#54811455)

        That exact use case - as an emergency phone in the car or summer cottage etc. - is why people still have "dumbphones" that can't run apps.
        Batteries in those can last for six months or more, whereas a "modern" smartphone won't even last for a couple of days when turned "off".

        • A modern smartphone has no problem lasting up to 2 weeks while ON and on low power mode. As for being off, my old S6 which has been lying in my drawer unused for a year still has 70% charge.

          Please don't spread ignorance. This site is news for nerds.

        • by jez9999 ( 618189 )

          Batteries in those can last for six months or more

          6 months?? Don't US phone lines have power running down them? In the UK I have landline phones that take no batteries, and just operate once plugged into the phone line.

      • by grimr ( 88927 )

        "I have my cellphone literally only in case of emergency" "So not only do I need to remember where I put it, I also need to charge it enough to turn it on"

        Not sure but I think there may be a couple of flaws in your emergency plan.

        • by Calydor ( 739835 )

          I never claimed to be well prepared!

          Thing is it can often be a full week between getting in the car, so if the phone was only at half charge last time it's DEFINITELY dead now.

    • I can just imagine how upset you'd be if you got a phone call.

      • by creimer ( 824291 )

        I can just imagine how upset you'd be if you got a phone call.

        I get 20+ phone calls and emails per day from recruiters, so I keep my ringer turned off all the time. The fastest way to get a hold of me is email or IM.

    • Get an Apple Watch...

      • by creimer ( 824291 )

        Get an Apple Watch...

        I haven't worn a watch in 30 years. I'm not going to shatter an Apple Watch at $300 a pop.

        • Then keep the phone close; it isn't rocket science! While it might not work especially well, put the watch on the inside of your wrist if you are that abusive. Or, go for the ceramic one that is pretty frigging robust.

  • by J. T. MacLeod ( 111094 ) on Friday July 14, 2017 @05:25PM (#54811379)

    Google has been doing phone app prompts for 2FA for a while.

    Is anything actually different with this system? Or is this just a campaign to encourage SMS code users to switch?

    • by mhkohne ( 3854 )

      Yeah, this is 'we need to stop doing the SMS thing, you need to switch over' as opposed to 'hey would you like to try a different thing'.

    • by AHuxley ( 892839 )
      Advertising. The accounts and usage patterns are worth more if they are really 100% human.
      • Except 2FA is optional. This is just saying when enabled it won't work on SMS anymore. So much for your rant on everything being the result of capitalism.

        • Except 2FA is optional. This is just saying when enabled it won't work on SMS anymore. So much for your rant on everything being the result of capitalism.

          It is *for now*, sure. Who's to say that at some point it won't be required and the only platform that is supported is Android.

          • Antitrust regulators and basically anyone with a functioning brain who requires that Google isn't about to cut off 1/3rd of mobile users from its services.

    • by PCM2 ( 4486 ) on Friday July 14, 2017 @07:46PM (#54811897) Homepage

      Google has been doing phone app prompts for 2FA for a while.

      If you're talking about the Google Authenticator app, then yes, this is different. I started using it on my Galaxy S7 this week.

      The way it works is, you hit your username and login, and instead of a screen that asks you to type in the code you received, it basically just says "Wake up your phone." When you do, you immediately see a screen saying, "Is this you trying to login? Yes/No." You hit the Yes button and the site instantly logs you in. It's pretty slick, actually.

      • To clarify, I wasn't referring to the Google Authenticator app, but to an experience as you describe.

      • by Anonymous Coward

        It's pretty slick, actually.

        And completely useless.

        The original "one time code" implementation was broken to begin with.* This just replaces the code with a button.

        Worse, due to the button being on the phone now there is the possibility for Google to know the phone's location that wasn't there before.** That's a new information leak that wasn't there before. One that I'm sure Google (and their advertisers) will love to have. (Hey! He shops online while at work / school!)

        *Originally one time codes were gene

        • by chihowa ( 366380 )

          Worse, due to the button being on the phone now there is the possibility for Google to know the phone's location that wasn't there before.** That's a new information leak that wasn't there before.

          You don't use Google services without fully buying into the idea that privacy is a quaint anachronism or that Google is a benevolent big brother. Nobody who is already living happily in Google-land will care at all about just another information leak.

      • Your second scenario is how it's been for me for quite some time now... I'm also not sure what the purpose of this "news" is
  • So what am I? Chopped liver?

    • As the article mentions, you can decline the invitation to switch to mobile prompts and continue to use SMS codes.
      • by Misagon ( 1135 )

        But what will you do when you are doing tech support for your mom who had managed to tap "accept" by mistake?

        I have been in exactly that situation when helping my mom when she unintentionally got 2FA on Microsoft's Outlook.com.

        • There will certainly be fallback methods-- authenticator apps (which your mom won't understand either), a backup email address to send codes to or fall back to SMS codes as a last resort.
          • by Misagon ( 1135 )

            You could hope that the fallback mechanism would be designed by competent engineers and easy to understand.
            My mom was certainly very confused about the whole thing. She did not even understand why she could not log in, so she relied on me completely.
            Even following the instructions, it took around a month before it was restored. My mom could live a month without access to her primary email account, but could you?

        • You will do your best to help her, you might do a couple google searches before you come to a solution. Nothing new here.
    • So what am I? Chopped liver?

      I don't own a cell phone at all. Apparently I am chopped liver, as apparently it is impossible for (nearly) anyone to come up with a 2FA mechanism that doesn't involve a cell phone!

      Yaz

  • ...if I don't have Gapps installed?
  • If one uses Thunderbird and POP/IMAP will they get prompted every time the client downloads mail or just when done from a "new" system?

    • I truly love it when Google sends me an email to my gmail account telling me that it didn't allow my device to log in to get my gmail because it was coming in from an unknown IP address. This truly is Dilbert levels of customer support.
      • by swillden ( 191260 ) <shawn-ds@willden.org> on Saturday July 15, 2017 @01:06AM (#54812743) Homepage Journal

        I truly love it when Google sends me an email to my gmail account telling me that it didn't allow my device to log in to get my gmail because it was coming in from an unknown IP address. This truly is Dilbert levels of customer support.

        Nonsense.

        Those emails are important. Not when it actually was your device that was prevented from logging in, but when it wasn't. In that case, the email informs you that someone is trying to get into your account, and that they have your password. Which means you should change your password, right the hell now. Unless of course, you recognize the login attempt because you were the one that made it.

        If you want to stop getting those emails, turn on 2FA.

        • Nonsense. Those emails are important.

          Given that the only person who is hindered from reading it is me, I don't think so. The chances of me seeing it depend on me accessing my gmail in the very short bit of time between the one failed login attempt and the second successful one when the hacker deletes it.

          He's actively accessing my account. I'm not. Who is going to get to that email first, do you think?

          Now, you might think that gmail will continue to block logins from that location, but they don't. I routinely see the "we blocked a login" em

    • If one uses Thunderbird and POP/IMAP will they get prompted every time the client downloads mail or just when done from a "new" system?

      If you're using 2FA and want to use POP/IMAP or other protocols that don't know how to deal with 2FA, you have to set up an application-specific password. This is a high-entropy password that Google generates for you, and which should only be used on one machine and one application. You have it generated, copy/paste it into Thunderbird, tell Thunderbird to save the password, then you never see it again. The Google POP/IMAP servers do some additional checking to try to verify that the password only comes fro

  • ..and that the phone I do have (cheap-ass $50 plastic LG dumbphone, LOL) is turned off most of the time. Turn it on a couple times a day just to see if there are any messages for me. Physically shorted the GPS antenna on the main board to ground, so no GPS tracking when it's on anyway, just what tower it's connected to.

    I'd never bothered to learn how worldwide PSTN actually worked until I read this article and looked up SS7. Scary, that all that has been done for decades in the clear.
    • by ledow ( 319597 )

      Cell-tower triangulation. Who pays the bill for the phone. "They" probably aren't at all hindered by your smart-arsery.

      But, to be honest, it's nice that you think you're that important that literally anybody would bother to track you.

      • I'd rather be me and take what steps I can take to preserve and protect what I can of my personal privacy and security, than be someone like you, who I'm assuming from the piss-and-vinegar butthurt tone of your comment has completely given up, given in, and gone the way of the yellow-bellied, lilly-livered coward, and just goes along with all the monitoring, tracking, surveilling, and rampant, unabated data collection on you, and likely your family, too. Sad, because you're probably a decent person otherwis
  • And routing for sms to the handset is hijacked, how is routing for the voice path not also hijacked?

    Something isn't kosher here.

    • I doubt they're using routing for voice or SMS. I suspect they're having the device "phone home" where it is, so that it can ask it the question. No idea how you'd secure that connection tho.
      • In order to locate the handset via ss7 some form of routing is used to a.) send the "message" to the cell site currently connecting the handset.

        "special app" or no, ss7 IS used to locate the handset, allow it to connect to a cell site and determine if traffic is allowed to flow to and from it. Again, if SS7 is hijacked, how are those processes NOT compromised?

        This is not unlike saying the plane has been hijacked to cuba, but the crew is still enroute to new york.

      • The article says SS7 is being used to intercept sms messages sent to the handset i.e. redirecting them to an alternate endpoint. If that can happen, how can the voice call not also be redirected to an alternate endpoint via ss7. That IS what SS7 was made for... To direct (route) traffic (voice calls, sms message and even connect tcp/ip channels between internet gateways and handsets) to and from specific points in the network.

        To state it bluntly, I call bullshit to the stated premise. If sms is being inte

        • by Lancer ( 32120 )
          You're ignoring the fact that the app on your phone is (presumably, since it would be nuts to do it any other way) responding to Google's servers with a cryptographically signed response; even if somebody were to route the authentication request to a different end point, they would not be able to answer with an appropriately signed response. And then Google would know that it wasn't you. The benefit of this sort of system is that it could be implemented over completely insecure networks (which is good, bec
          • I agree, an app with a crypto handshake defeats this. Rereading the article, while not explicitly stated it does look like they're using integrated 2FA or a 2FA app. Those don't even have to communicate except at initial setup time.

            I read it to mean voice prompts, which just plain struck me as dumb.
            I'll go sit in the corner now.
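The point Lancer makes above (an intercepted prompt is useless without the device's key, so the exchange can ride over an untrusted network) is easy to see in code. The following is an added example written for this page, not Google's implementation. It assumes that at enrollment the server and the phone share a random per-device secret, and uses an HMAC over that secret as a stand-in for the signature a real deployment would make with an asymmetric device key; the device name, login context and IP addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not Google's code): a minimal push-prompt approval exchange
# showing why a prompt captured on a hijacked transport cannot be approved.
# Assumption: at enrollment the server and the phone share a random per-device
# secret; it stands in for the asymmetric device key a real deployment would use.


def approval_tag(secret: bytes, nonce: str, context: str) -> str:
    """Authenticate an approval over the server's nonce and the login context."""
    msg = b"\x00".join([nonce.encode(), context.encode(), b"approve"])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self) -> None:
        self.devices = {}   # device_id -> per-device secret
        self.pending = {}   # nonce -> (device_id, context, expiry)

    def enroll(self, device_id: str, secret: bytes) -> None:
        self.devices[device_id] = secret

    def start_login(self, device_id: str, context: str, ttl: float = 60.0) -> dict:
        """Create a single-use challenge; this is what gets pushed to the phone."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, context, time.time() + ttl)
        return {"nonce": nonce, "context": context}

    def finish_login(self, device_id: str, nonce: str, tag: str) -> bool:
        entry = self.pending.pop(nonce, None)  # consumed on first use: no replay
        if entry is None:
            return False
        enrolled_device, context, expiry = entry
        if enrolled_device != device_id or time.time() > expiry:
            return False
        expected = approval_tag(self.devices[device_id], nonce, context)
        return hmac.compare_digest(expected, tag)


class Phone:
    def __init__(self, device_id: str, secret: bytes) -> None:
        self.device_id = device_id
        self.secret = secret

    def approve(self, prompt: dict) -> str:
        """The user tapped 'Yes': answer for exactly the nonce and context shown."""
        return approval_tag(self.secret, prompt["nonce"], prompt["context"])


def run_demo() -> dict:
    server = AuthServer()
    device_secret = secrets.token_bytes(32)
    phone = Phone("pixel-1", device_secret)
    server.enroll("pixel-1", device_secret)
    # Constructed login context; 203.0.113.0/24 is a documentation range.
    context = "Chrome on Linux from 203.0.113.5"
    results = {}

    # 1. Legitimate approval: the prompt reaches the phone and it answers.
    prompt = server.start_login("pixel-1", context)
    tag = phone.approve(prompt)
    results["legit"] = server.finish_login("pixel-1", prompt["nonce"], tag)

    # 2. Replay: a captured tag is useless once its nonce has been consumed.
    results["replay"] = server.finish_login("pixel-1", prompt["nonce"], tag)

    # 3. Hijacked transport: the attacker sees the prompt but has no device key.
    prompt = server.start_login("pixel-1", context)
    forged = approval_tag(secrets.token_bytes(32), prompt["nonce"], prompt["context"])
    results["forged"] = server.finish_login("pixel-1", prompt["nonce"], forged)

    # 4. Tampered prompt: the phone approves what it was shown, which does not
    #    match the login attempt the server actually has pending.
    prompt = server.start_login("pixel-1", context)
    tampered = dict(prompt, context="Chrome on Linux from 198.51.100.7")
    results["tampered"] = server.finish_login("pixel-1", prompt["nonce"], phone.approve(tampered))

    # 5. Stale prompt: challenges expire even if the phone answers correctly.
    prompt = server.start_login("pixel-1", context, ttl=-1)
    results["expired"] = server.finish_login("pixel-1", prompt["nonce"], phone.approve(prompt))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Only the first case succeeds. Redirecting the prompt, replaying a captured answer, altering the login context in transit or answering late all fail, and none of that depends on the network between server and phone being trustworthy; what the scheme does not do is stop a user from tapping "Yes" on a prompt an attacker who already has the password triggered, which is why the prompt shows the login context at all.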
