Two-Factor Signin

Old Dec 31, 2019, 8:01 am
  #16  
 
Join Date: Apr 2019
Location: DEN
Programs: DL DM
Posts: 583
Originally Posted by gooselee
I agree that SMS sucks as a 2nd factor (along with the voice call + press # that one of my clients requires). But wouldn't it be better than nothing?

Without SMS: Someone figures out username/password, they're in.
With SMS 2FA: Someone figures out username/password; they still need access to SMS device to finish logging in.
Pretty much this. Especially considering so many people re-use credentials. Yes, it's possible to spoof cell phone numbers, but it takes a lot more time than just plugging in stolen credentials. IMO, most "hackers" won't spend the time necessary to hack into a skymiles account.
eneq is offline  
Old Dec 31, 2019, 8:16 am
  #17  
 
Join Date: Sep 2019
Location: NYC, SEA
Programs: Hyatt Glob, Marriott Titanium, AA EXP, DL PM, AS 100k (fake), B6 M3 (fake), BA Gold (fake), UA FO.
Posts: 740
re: that tweet -- Not sure this gets you a whole lot unless you're salting your hashes
LowValueCustomer is offline  
Old Dec 31, 2019, 8:22 am
  #18  
FlyerTalk Evangelist
 
Join Date: Oct 2011
Location: ATL
Programs: DL Scattered Smothered Covered Medallion, Some hotel & car stuff, Kroger Plus Card
Posts: 10,745
Originally Posted by LowValueCustomer
re: that tweet -- Not sure this gets you a whole lot unless you're salting your hashes
I find them salty enough on their own. Melted cheese and onions, plus a bit of black pepper....now you're talkin'.
gooselee is offline  
Old Dec 31, 2019, 8:36 am
  #19  
 
Join Date: Apr 2019
Location: DEN
Programs: DL DM
Posts: 583
Originally Posted by LowValueCustomer
re: that tweet -- Not sure this gets you a whole lot unless you're salting your hashes
It protects you from others guessing your security questions. Since most answers are fairly easy to acquire with the power of social media, using hashes like the example will greatly reduce the ability for someone to guess the answers.
eneq is offline  
Old Dec 31, 2019, 9:16 am
  #20  
 
Join Date: Feb 2019
Posts: 3,097
Originally Posted by gooselee

Without SMS: Someone figures out username/password, they're in.
With SMS 2FA: Someone figures out username/password; they still need access to SMS device to finish logging in.
it seems that way, but SMS can be spoofed
WillBarrett_68 is offline  
Old Dec 31, 2019, 9:17 am
  #21  
 
Join Date: Feb 2019
Posts: 3,097
Originally Posted by eneq
most "hackers" won't spend the time necessary to hack into a skymiles account.
right, which is why 2FA is probably not necessary here in the first place. using strong unique passwords is way more than enough, especially considering the potential loss for customers (near zero).
WillBarrett_68 is offline  
Old Dec 31, 2019, 9:18 am
  #22  
 
Join Date: Feb 2019
Posts: 3,097
Originally Posted by rubesl
I know SMS has problems, but it's better than nothing. I love Google authenticator and use it for my email and Award Wallet accounts and it works flawlessly.
authenticator and SMS aren't even in the same universe. it's like comparing an 18-wheeler to a radio flyer
WillBarrett_68 is offline  
Old Dec 31, 2019, 9:18 am
  #23  
FlyerTalk Evangelist
 
Join Date: Oct 2011
Location: ATL
Programs: DL Scattered Smothered Covered Medallion, Some hotel & car stuff, Kroger Plus Card
Posts: 10,745
Originally Posted by WillBarrett_68
it seems that way, but SMS can be spoofed
Sure, but at the end of the day, it's still an extra step a malicious user would need to clear.
gooselee is offline  
Old Dec 31, 2019, 9:19 am
  #24  
 
Join Date: Feb 2019
Posts: 3,097
Originally Posted by gooselee
Sure, but at the end of the day, it's still an extra step a malicious user would need to clear.
an extra step that adds basically zero security and that can potentially prevent you from accessing your account (as the other poster above noted)
WillBarrett_68 is offline  
Old Dec 31, 2019, 9:20 am
  #25  
 
Join Date: Feb 2019
Posts: 3,097
SMS is essentially like the TSA. It looks like it's helping but it's just security theatre
WillBarrett_68 is offline  
Old Dec 31, 2019, 9:33 am
  #26  
FlyerTalk Evangelist
 
Join Date: Oct 2011
Location: ATL
Programs: DL Scattered Smothered Covered Medallion, Some hotel & car stuff, Kroger Plus Card
Posts: 10,745
Fair points. My counter would be that even TSA (and I am certainly not a fan) finds someone with a gun every now and then.

But, what you say does make sense.
gooselee is offline  
Old Dec 31, 2019, 10:04 am
  #27  
 
Join Date: Feb 2017
Programs: DL DM, UA Gold, Alaska MVP, Bonvoy (lol) Ambassador
Posts: 2,994
Originally Posted by WillBarrett_68
an extra step that adds basically zero security and that can potentially prevent you from accessing your account (as the other poster above noted)
Apologies but this (and the mindset from others) is just garbage regarding SMS 2FA. Security is all about defense in depth, and SMS 2FA is pretty good depth.

SMS 2FA is a HUGE step up from username+password security.

Is SMS perfectly secure? No. BUT 99% of SMS hijacks today require breaking another attack surface (the carrier) to do a SIM-swap or port-out. Pretty much the only other alternative is to either hack the user's physical phone device (not easy for a typical phone user without physical access given that they are walled gardens - although phishing can work here at times) or have already pwned an app server for one of those garbage apps that asks for permissions to read SMS messages.

There are other more esoteric solutions (think Stingray) but those are even more out of reach for a typical hacker.

The point is that SMS 2FA is 100x better than passwords alone. It is another significant step for a hacker to do - the typical SkyMiles account hacker is likely just buying credentials. If they don't work, they move on to the next one. It's the right level of security with a high degree of user convenience for a relatively low security need - while there is a risk to travel disruption and/or loss of SkyMiles, this is nothing like losing access to a bank account where $500K can be wired out into a black hole.

That said, I hate SMS 2FA if there is no alternative given the amount of time I spend in the air. I do think this is why Delta has not implemented it themselves - given that they are in the travel business, a disproportionate number of their users will be in the air or overseas where text messages may not work.
ethernal is offline  
Old Dec 31, 2019, 10:56 am
  #28  
 
Join Date: Aug 2007
Programs: DL DM
Posts: 1,079
Originally Posted by gooselee
Fair points. My counter would be that even TSA (and I am certainly not a fan) finds someone with a gun every now and then.

But, what you say does make sense.
I don't know about that. I think it would be interesting to get a poll going at this site as how often you've seen a gun found at the TSA during your travels. I know we go through security faster than your typical person but given the frequency of travel, I would think I should have seen an alarm going off at least one time. From my end, I have not seen a single event ever. The only time I was in an alarm setting where they asked everybody to stop where they were ... I figured that would be my event to notice ... but, it was only a drill.
cre95 is offline  
Old Dec 31, 2019, 11:23 am
  #29  
FlyerTalk Evangelist
 
Join Date: Nov 2014
Location: MSP
Programs: DL PM, UA Gold, WN, Global Entry; +others wherever miles/points are found
Posts: 14,419
Originally Posted by ethernal
That said, I hate SMS 2FA if there is no alternative given the amount of time I spend in the air. I do think this is why Delta has not implemented it themselves - given that they are in the travel business, a disproportionate number of their users will be in the air or overseas where text messages may not work.
This is my biggest issue with SMS-only TFA. Sometimes I can't receive a text.
gooselee likes this.
findark is offline  
Old Dec 31, 2019, 11:42 am
  #30  
FlyerTalk Evangelist
 
Join Date: Oct 2011
Location: ATL
Programs: DL Scattered Smothered Covered Medallion, Some hotel & car stuff, Kroger Plus Card
Posts: 10,745
Originally Posted by cre95
I don't know about that. I think it would be interesting to get a poll going at this site as how often you've seen a gun found at the TSA during your travels. I know we go through security faster than your typical person but given the frequency of travel, I would think I should have seen an alarm going off at least one time. From my end, I have not seen a single event ever. The only time I was in an alarm setting where they asked everybody to stop where they were ... I figured that would be my event to notice ... but, it was only a drill.
We're getting off-thread, but just because you haven't personally observed something doesn't mean it hasn't happened. First google result I came across: https://www.usatoday.com/story/travel/flights/todayinthesky/2019/02/07/guns-airports-tsa-record-2018/2799757002

My point is not that TSA is good or consistent at finding guns or anything else, just that they do find them from time to time.

For the sake of argument, say that the ~4,000 guns found by TSA in 2018 only represents 1% of the total guns people attempted to bring through security. That would unquestionably be an overwhelming failure by TSA, and would mean that 396k other guns did make it past the checkpoint. But the fact remains that 4k guns were still blocked.

Remove TSA entirely and replace it with nothing else (which would be the corollary of not using SMS 2FA and also not using anything else), and you now have 400k guns inside airport terminals. By any measure I can think of, 400k > 396k.

In this example, the username/password combination could be compared to physical keys to the curbside door of the airport, and the malicious actor has already purchased/stolen a copy of these keys from somewhere.

(This is meant to be a ridiculously oversimplified comparison. We're all aware that there are multitudes of other issues with TSA and that some of their practices may hurt rather than help. But at an exceptionally basic level, I'd still contend that having a poorly-run security checkpoint provides more of a barrier than no checkpoint at all.)
gooselee is offline  

