Surprisingly many reasons, have a big one:
Firefox has a whole lot more than chrome too.
But yeah, chrome has a ton more than safari.
Still ok to send verification codes tho I reckon, if anyone gets one out of the blue the alarm bells would almost certainly start ringing and if there was a systems hack to send them when someone actually requested it via an official app or website, well then they probably have bigger things to worry about
Except a big BIG issue with SMS is how incredibly easy it is to social-engineer phone providers to swap SMS to a new, scammer-controlled phone, so you would never see your SMS message, they would.
I wouldn't trust anything that comes over the phone network these days. I have seen scam calls originate from my own number, it is as bad as email.
Yep, you can put anything you want into the "sender" field of things like SMS, it's horrifying, that should never have been allowed, or at least let it be an "addon" to the main number. ^.^;
True, I have even done it when setting things up for alerts etc for customers. To compare it to email is probably unfair given today's very aggressive main mail servers that effectively raise the standards for everyone (a sword with more than one side), it is probably fairer to say it is like email in the mid-90s.
Well the SMS replacement, RCS, fixes this I hear, now if only Apple was capable of updating to modern standards as they are the only holdout left, lol, then kill SMS!
It isn't like it is a problem free solution, or like Google has ever succeeded in a messaging solution ever. I'm not sure why Apple would adopt another solution that is worse than their own and less universal than their fallback while being worse for their ecosystem and better for their competitors. I mean you can blame them if you want, but it isn't in their interest at all and the free market doesn't seem to be changing that.
RCS may have been pushed by google but that's only because the industry was being lazy (it was a standard for over 8 years before google decided to shim it on android phones because cell providers were lazy, and by doing so they pushed the providers to actually do their job and implement it). The industry supports it pretty well at this point without any google infrastructure at all, it is a standard and has been a standard for a long time now.
It's not a competitor, it's literally the SMS replacement, it's standard spec, it is THE message standard on cell networks along with SMS (different usages). It's not tied to any competitor or anything, it's the standard SMS replacement.
And yes, just checked, RCS v11 (2019) added the verified sender spec that does fix that SMS spoofing issue.
But yeah, iMessages is not comparable. First of all the apple stuff requires a data connection, RCS does not, it only needs the base voice connection like SMS. Second of all the apple stuff doesn't work elsewhere as it's not an open network. Third, the apple stuff was built for E2E, which RCS is not (the voice data space isn't that large, BUT you can split an encrypted message among multiple messages so individual clients can add E2E easily enough, like they could on SMS, though on SMS it ate messages like crazy due to SMS's tiny size so not often done there).
Still, RCS doesn't fix the issue of SMS Swapping, that's not something easily fixable until the phone carriers themselves stop being stupid. ^.^;
And until that point, nothing on a phone connection should be required for 2fa, EVER.
It was pushed by Google because it is in their interests, not because it is a standard, or because it is good for anyone other than them. The fact that carriers are on board makes it easier. It is reasonable to say that RCS is better than SMS but that isn't relevant, all the players are choosing a business strategy not a social good and it doesn't take much to speculate why a solution without a half decent end to end encryption solution is in favour with this group of supporters.
So what? It's their competitors who adopt it, it is their competitors who may have an advantage or disadvantage depending on its support. It may or may not be better for everyone, in an ideal world that would matter but the market systems don't work like that, if it isn't better for them to adopt it… why would they?
It was indeed in their interest to make a better SMS as it makes for a better phone messaging system for users, but they did not make the spec, GSMA did, way back in 2008 (my phone provider was the only one in the USA that supported RCS for many many years back in the day, some others outside of the USA did too though).
Them being on board has nothing to do with it, it's part of the GSMA spec, they are supposed to implement it.
You can still easily build E2E on top of it, it's not an encryption spec, it's a wireline cell tower communication spec, in the same class as SMS (no data connection needed as it works over the voice control space). Things can be built on top of it, like E2E. E2E was specifically NOT built in to it because encryption standards change over time so that should be up to and controlled by the clients being used (was their reasoning).
What it does mean is that apple users can't get verified messages, so they are still extremely susceptible to spoofed SMS (in addition to its other limitations), since no one can send 2fa message over iMessage anyway (nor would that be reliable as not everyone has a reliable data line, like in my area, SMS/RCS works fine even with the data connection down). It is user hostile of them because they are making it easier for malicious parties to spoof things on apple devices that can't be done elsewhere as such.
They tried and failed many other approaches that were much closer to Apple's prior to embracing the spec as a way forward. The point is more that if they could succeed in the way Apple did with iMessage, they wouldn't have backed RCS at all. It isn't about making a better solution for users, it is about making sure the prevalent solution is one that they are at least an equal contributor in when they fail to control it. It doesn't matter who made the spec really because no one cared until Google got behind it.
I mean I'm not arguing that it isn't an improvement I'm only arguing that
Again they push alternative approaches. It is unfortunate that they always have a bespoke solution to these things (iMessage included) and I would like to see them open up and participate in making these things globally better for the benefit of those both inside and outside their ecosystem. They get some parts of it in my opinion wrong, but they generally get right a fairly seamless and deeply integrated experience. It would be good to see them bring solutions for making the experience seamless and deeply integrated in open standards so that everything can move forward on both sides… Still that isn't the game that is being played. On this particular point using OTP apps (including the ones built in to macos) is generally the only decent solution at the moment for 2fa codes. The confirm login app with biometrics that PayPal (and some others do) is probably reasonable as well. Sending them via message on any form isn't really acceptable.
As the old saying goes, "Perfect is the enemy of good", use stuff if it's better, even if it's not perfect. At least RCS is designed to be versioned and advance over time (it's up to version 11 now after all, it's not new, it's been a standard since 2008 and talked about before that as well). Just doing nothing is hostile and dangerous.
This is why the FIDO spec is important, it's an actually secure, easy to implement 2fa. No weird insecure SMS messaging, no proprietary systems, it's a Standard now and even getting enforced at various government levels, it is Good, it is dang near Perfect. Yes apple supports FIDO, android supports FIDO, hell this pinephone supports FIDO, my hardware authenticator supports FIDO, it is a very well set spec, there is NO reason for any place to be using anything related to something phone number specific for 2fa.
Screw texting for 2fa! Screw ANY connection to a phone number for 2fa at all!!! ^.^
I have mixed feelings on this. The argument at hand aside even as a concept in general. It is often the case that making things slightly better seems to be a good idea but it leads to a consequence where people think it is good or trustworthy at least enough as to not worry about it when it really is not the case. I'd much rather have a bad solution that people know is a bad solution than a quite bad solution that everyone trusts and thinks is great, because that is a much more dangerous situation. It is unfortunate that more people trust SMS than they should, I'd hate to think how much they would trust RCS when they (in general) absolutely should not trust it as much as they already trust SMS now. As a technical argument better solutions make sense, as a social one I'm not so sure, even as a technical one often worse is better at least according to a ton of things that almost everyone appears to have jumped on (not that I agree with them in principle but it seems that is how you get things to become standards or de facto standards).
This, 100%!
How can they do that?
But even if they did, they would still need to know your username, password and memorable word:
I'm not sure what else they could do that is accessible to most people… other than also send a code via email, but that has its own potential problems
Ooooo you should youtube it, and lookup articles, lol.
In short, scammers look up some info about you, then call your cell provider, pretend to be you and your phone had an accident or whatever and you need to switch SIM cards right now, supplying enough information to trick the person on the other side that it is you, sooooo, they do, and they now have your number on their own SIM card. No, a "password" or "memorable word" doesn't help, that's the point of social engineering, they just need to pretend that they are freaking out enough to make the other person upset enough to not go through their entire secure procedures. And if they fail with one tech then they will just call back and keep calling back until they get a person that will.
Modern E-Mail is far FAR more secure than SMS, to a HUGE degree, lol.
Wonder if that's what happened to you @mindriot?
Generally here if you have lost your phone/sim, they will send you out a replacement in the post.
I'm not sure what their procedures are for porting a number to a new provider tho… I vaguely remember there was a loophole where "new" companies were stealing numbers but they quickly came up with a system to prevent that… so maybe it's more of a US issue right now?
Not really, that comment was somewhat adjacent to this particular issue and more speaking to the overall state of security on the phone network. That specific example was because a lot of scam callers use numbers similar to the target so that they look local or partly familiar, though occasionally they mess that up and use the actual target's number though that is more about spoofing rather than taking over the SIM. The point was just that you can't trust anything.