TPG Community


Multi-Factor Authentication when no mobile connection

Joe2
Level 2

I thought the exact same thing when I got my email verification over SMS to register here.
In addition, TPG still sends regular emails to me with my private information in them (name, account number). If emails are so high risk, why are they sending my info there?

Ahra_G
Moderator

Hi @Joe2


Our customers' security and privacy is something that is very important to us.


The use of MFA aims to securely process high-risk transactions such as updating of account details (changing of mobile number, email address) as well as updating card information.


At this point, MFA via SMS is the only option available. Your account details are safe so long as we send them to the account holder's email address and no other action is required (and of course, your email should be well protected by your own password, too).


Please be assured that we are continuously working on our security processes to protect our customers.


Thanks! 

Ahra_G

Joe2
Level 2

Hi Ahra_G,
I do not see the logic that my password-protected email is good enough to send my personal information to (it must be considered VERY secure by your team if you are willing to expose my details there) but for some reason is so inferior and high risk compared to SMS for tasks you deem more important than my personal info.


Either allow emails to verify accounts, or stop sending personal info to emails. There is no logic to do both. 


Pij
Level 3

I see your problem, now. Actually, I see your multiple problems.


1) You type with almost perfect English.

2) You raise reasonable points, and expect reasonable responses.

3) You use impeccable logic to formulate your positions and enquiries.


You really don't fit in here at TPG. Have you considered alternatives?

rygle
Level 3

SMS is highly insecure. I posted links to articles about this but TPG took my posts down, possibly because they had links to dangerous sites like Wikipedia.

If you want some facts on this, Google "SMS insecure" and read some of the articles you find. Also, Google "ss7 insecure". SMS is built on the SS7 protocol and Wikipedia among many others have a whole section on security issues with SS7 - Google "SS7 Wikipedia" and scroll down the page.

You could also Google "IMSI catcher" to see how secure mobile call protocols in general are, and it's not happy news.

Now, 2FA/MFA via SMS is more secure than no MFA. I think I read that Google initially had a drop in hacks by 30% by requiring SMS MFA. The thing is, the fact that you secure something now with something that is inherently insecure means that you are only giving yourself a false sense of security, which in my opinion is far worse than no MFA. That's why Google (and Amazon, and many others like BitWarden, PayPal, Steam) now send messages to your emails and phones (through the Google app) to ask if it was really you who did that new login *even after* you used MFA. So that is actually at least 3 Factor Authentication in that case.

Apps like Authy, which uses the same algorithm as Google Authenticator and Microsoft Authenticator but is more flexible in my opinion, are much more secure than SMS. One of the main reasons Authy is better than the Google and Microsoft authenticator is that it can be logged into from your phone or desktop or tablet, so in the event you lose your phone you won't be locked out because you will still have access to your MFA codes.

In my opinion, everyone should be using one of these authenticator apps for every service you use that poses even the slightest risk of giving away personal information, let alone being logged into by a hacker. I use Authy for PayPal, Microsoft, and about 20 other services.

You should also use a secure password manager like the free and excellent BitWarden, which has apps and plugins for numerous operating systems and browsers. Don't use your Browser's built in password storage for anything that is remotely important as they are not as secure. Also, *never* store your bank password in *any* password manager.

rygle
Level 3

Just read an article on The Register about MFA vulnerabilities that linked to cisa.gov (the US government's cyber security agency). Two of the four MFA vulnerabilities listed relate to the use of SMS as the MFA.

The article on the CISA site states:
"CYBER THREATS TO MFA
Cyber threat actors have used multiple methods to gain access to MFA credentials:
• Phishing. Phishing is a form of social engineering in which cyber threat actors use email or malicious
websites to solicit information. For example, in a widely used phishing technique, a threat actor sends
an email to a target that convinces the user to visit a threat actor-controlled website that mimics a
company’s legitimate login portal. The user submits their username, password, as well as the 6-digit
code from their mobile phone’s authenticator app.
• Push bombing (also known as push fatigue). Cyber threat actors bombard a user with push
notifications until they press the “Accept” button, thereby granting threat actor access to the network.
• Exploitation of SS7 protocol vulnerabilities. Cyber threat actors exploit SS7 protocol vulnerabilities in
communications infrastructure to obtain MFA codes sent via text message (SMS) or voice to a phone.
• SIM Swap. SIM Swap is a form of social engineering in which cyber threat actors convince cellular
carriers to transfer control of the user’s phone number to a threat actor-controlled SIM card, which
allows the threat actor to gain control over the user’s phone"