Is 2FA via mobile phone still a good idea when phones are the most exposed device?

Everyone knows that two factors are better than one. My problem is that often the only second factor allowed is text messages to your mobile phone. This creates two concerns:

1) I travel frequently overseas and lose access to 2FA accounts any time the associated SIM card can’t touch a network.

2) Your phone is inherently your least secured device. I install way more software and download way more files on my phone than anywhere else with much less ability to verify sources or control access. For example, nearly every app requests sweeping permissions to function correctly. Even apps that aren’t granted explicit permissions have been found to backdoor those permissions through google services.

I feel like linking my phone to sensitive accounts (such as banking) would actually make them more exposed to attack and more difficult to maintain legitimate access.

Can a stolen Android phone with USB debugging enabled have its screen lock bypassed?

My Android (8.0) phone was pickpocketed from me yesterday; it was immediately turned off by the thief, and when I tried to locate it using Find My Device it showed as offline.

As a programmer and a security enthusiast, I started to worry about what data can be vulnerable on the phone. I had a screen lock on but it didn’t have full-disk encryption enabled (my bad, I know).

I saw on the internet that people can bypass the screen lock using fastboot and deleting some files. Is this only for rooted phones? Or am I vulnerable too?

I probably had USB Debugging enabled as I developed an Android app in the past and tested it on my device (although I remember that you must trust the computer before using it; does that make the phone vulnerable?).

My phone wasn’t rooted though, so I believe that for the thief to bypass the screen lock they would need to unlock my bootloader which would definitely wipe my data.

I’m only worried about the data; if the only way to bypass the screen lock would be to wipe the data, then I’m OK.

What are your thoughts on this?

How to get videos off Android phone with USB cable?

I’m on the newest KDE Ubuntu and just trying to move some large videos from the phone to my computer. KDE Connect works great but is too slow for videos.

When I connect to the phone with USB, the “Storage” folder is locked and I get this error message when I try to open the folder: Could not enter folder /media/l/disk/storage. I also can’t open Dolphin with sudo.

Thanks.

Why on all real estate websites you need to click to show the phone number?

I’ve noticed that on all real estate websites, in any country, in the details page of a property, there’s always a button/field that says “show phone number”… and all it takes to see the phone number is just a click! I haven’t seen any website where it takes more than a click to show the phone number… no login/signup required, no restrictions such as “first match” (a bit like on Airbnb)…

Seems kind of pointless to hide the phone number in the first place. Is it just an easy gimmick to track interest? Is it a “manufactured” CTA?

Unable to open Office files from SharePoint 2013 using a mobile phone

We are seeing a weird issue where users are not able to open any Office file from their mobile. They are trying to access them through a SharePoint 2013 intranet site which can be accessed through VPN.

Users are able to browse sites, but cannot open the Office files. And this is for the entire farm.

When we open a document, the browser screen shows blank and sits there and does nothing.

Not sure what changes caused this issue; it used to work fine.

I verified the OWA server and it seems to be working fine, and I even changed the library settings to “open document using client apps”.

Step-by-step guide for doing WireGuard VPN security and setup properly, for Android phone to LAN

Truism: Doing security right is subtle and full of snags for the clueless.

Concern: I haven’t ever set up a connection between two computers using RSA/SSH keys or certificates in my life. Realistically, I’m very aware of the theory, and I’ve read most of the steps piecemeal in security writeups, but for practical purposes I’m still one of the clueless (for now).

Conclusion: Step-by-step help appreciated, so I do my WireGuard setup right, and also begin to learn “properly” and gain confidence for future connections (whether they are certificate or key based – SSH, 802.1X, web HTTPS certs, etc.).

My setup

I’ve tried to follow the principle that what I can’t/don’t know enough to do reasonably safely, I at least try to avoid and not do insecurely.

LAN gateway – runs the OPNsense FreeBSD soft router (a fork of pfSense running on HardenedBSD, a hardened derivative of FreeBSD, so I can use pfSense analogies and find the same functionality on mine if needed). There are separate NICs for wired and wireless LAN. Almost all wireless traffic is blocked from the LAN, so I’d open a port for “trusted device” traffic and then limit its access according to minimum needs (no help sought on that).

Wifi AP – The router’s wifi NIC is connected by Ethernet to an OpenWRT wifi router. Because it’s got virtually zero access to the LAN (ping the router NIC and reach one dumb isolated print server IP/port) and can only reach the WAN, there’s actually no security on this at all at the moment (I don’t have a problem running an open wifi network where I am; I’m also running a public Tor exit node on one IP on the LAN).

Network services – DHCPv4 and Unbound (resolver) on the router. No AD/directory services. No certificates/CA/RSA in use currently except automatically created ones for the router/file server WebUI etc. Password-based logins (ugh! Hope to learn + fix that someday!).

Mobile phone – Runs LineageOS 16 (Android Pie) with microG (FOSS Google services package replacement). Would like to move to 802.1X but again, I lack the know-how of the certificate or key setup process done right.

VPN software – WireGuard seems quite well suited to my situation – I use public transport a lot, and there’s a lot of intermittent disconnection and short-lived reconnects, so a FOSS VPN that needs less config, automatically uses a decent tunneling setup, seems well reputed, and is designed for quick reconnects seems better for me than, say, OpenVPN, although I’m sure both would work.

VPN endpoint/IPs – The VPN terminates on the OPNsense router, so the open wifi device isn’t an issue. The LAN uses 192.168.0.0/16, with 192.168.0.1/20 allocated for the router, static, DHCP, and all non-VPN devices. So I can use 192.168.32.0/24 for any VPN-connected devices.

Broadcast domain – I’d like to have OSI layer 2 broadcast, not just switching. I * think * this is typical with VPN but I’m not sure? I don’t expect broadcasts to flood the network 🙂

Likely usage/purposes

  1. SSH/FTP/SMB/RDP/ADB-over-TCP/IP and perhaps media streaming between phone and LAN devices. Moving 20–40 GB directories between phone and file server will become much quicker if I can use wifi (when available) instead of waiting till I’m home and using USB/SD card.
  2. VPN tunnel to route all phone network traffic via the LAN when away from home and using unknown wifi networks.
  3. Moving some functionality from phone to LAN (example: calendar/notes/feeds via a LAN-based web server rather than locally as phone apps).
  4. Once more confident, doing similar for the laptop, to allow remote working from the laptop via VPN to the LAN via RDP.

VPN security choices

A large part of any key/cert setup is about “how secure/hardened do you want to make it?” To make this simple, assume “hard enough that I probably don’t have to worry for 15 years”, other than dealing with any publicly identified vuls (which I’ll leave to the software writers to fix). Assume plenty of CPU power for more rigorous options at both phone and LAN ends, and, roughly, enterprise-level rather than home-LAN-style security for the VPN aspect. Meaning, I’d like to begin learning to do it right, even if patchwork/piecemeal at first (I’d like to avoid “no point in doing much, as more serious vuls exist”).

So I’m happy to use RSA 4096 rather than 2048, or more processor-intensive but secure algorithms; if a cert is needed, I’d rather have steps that create an intermediate CA so I can keep my top-level CA totally offline. If there are additional hardening options that a conscientious security pro would choose for, say, the CEO/CFO of an SME-size business, that’d be about my kind of level.

Threat model

Mobile phone – overall I’d treat it as trustworthy. AFAIK I haven’t ever had a security issue with it, or an unsafe app, and in a way it’s unavoidable that I need to trust it somewhat. I can also set rules to block all but limited usage, either in the router or in my main servers, so that it’s got limited capacity for usage/harm and no root access to any device even if exploited. But that’s separate.

Connectivity/tunnels – I don’t feel comfortable just with WPA2/PSK. I’d like to ensure it’s the actual expected device, via some form of mutual authentication, if there’s a way to do it. Hence even where I can trust the network, at home, I’d like not to just connect via WPA2, but only via VPN, even if I’m going to access the LAN from my phone while at home, using my home router.

Own ignorance of correct setup + security processes/good practices for this – See below. I think this, and the threats arising from it, are the main risk. I’m especially thinking that if I open the LAN to one device, I’ve potentially opened it to all, so I need to make sure I only open it to that one device, as best I can, and not to others. I think that’s the biggest risk, and the motive for the question.

SUMMARY WHAT I AM HOPING FOR

I’m worried about my “Unknown unknowns”.

I don’t know what keys/certs I might need, nor how to correctly generate them. There are writeups but not a good start-to-end walkthrough I feel comfortable with. Basically, what recommended software + commands should I use? What is good practice for the settings/CLI options/config used to generate them? What .conf settings should I also consider setting in WireGuard’s server/client?

I also don’t know which keys/files, if any, to generate on a “known safe” machine, and which of the generated files, if any, should be stored air-gapped/offline. I think it’s pretty much that simple.

So what I’m hoping for is a step-by-step recipe for my first time. A bit like this –

“Use package X or Y on BSD. These are the important switches/config choices. Use (or don’t use) a password. These are the commands to run on package X, or these commands on package Y. Three files/keys will be generated. Put this one here and that one there. Hide this one on an air-gapped system or USB stick. Configure the WireGuard server/client .conf with these extra options. Done.”

I’d like to use CLI packages such as OpenSSL (already installed) rather than the router’s built-in GUI functionality, to generate any keys/certs, as this will help me be more competent in future.

Hopefully if I get this right, I’ll also learn a lot of what I need to do other (certificate|priv+public key) based connections like 802.1X and SSH properly, both between the mobile devices and the OpenWRT bridge, and between LAN devices, and also be well on my way to getting RADIUS or other AAA running at some point to harden the LAN a bit more internally.

How secure is the phone dial?

A renowned online bank uses a phone dial login system (input your login and password via the phone dial pad). How secure is this communication against MitM and similar attacks?

Considering I recently read how many major telecommunication networks had backdoors in them, I consider this to be bad news.