Greg Chick

Well-Known Member
First Name
Greg
Joined
Jan 27, 2023
Threads
12
Messages
914
Reaction score
652
Location
Tehachapi Ca. 93561
Website
diyplumbingadvice.com
Vehicles
R1T Quad, large battery, 21" Adventure
Occupation
Retired Plumbing Contractor
Clubs
 
I think we have a vocational social problem: people are becoming cyber criminals, causing others to become cyber security experts. I think desperate people do desperate things. Billionaires have too much, others have too little. OK, censor my opinion, I apologise.
electruck

> My 2 cents on why saying SMS/2FA is less secure than no 2FA is simply false…
>
> Steps for no 2FA
>
> Get my account ID
> Get my password
> You have access to my account
>
> Steps for SMS/2FA
>
> Get my account ID
> Get my password
> Figure out if my 2FA is email or SMS
> Get access to my email or phone to access the code
> Now you have access to the account
>
> Second benefit: if someone tries to log into my account I get the 2FA prompt, so I know someone is trying to access my account.
>
> Is it super secure? No, but is it less secure? Certainly not.
Spot on. No single defense is ever likely to be foolproof, that's why the cybersecurity industry advocates for what we refer to as defense in depth security. The more layers of security, the more likely you are to successfully protect a resource. The fact that so many people tend to re-use the same username/password across sites has made credential stuffing attacks immensely effective but even email/sms based MFA can go a long way towards mitigating that. But yes, we can absolutely do better.
 

godfodder0901

> Technically the SMS capability *does* make it worse since it's apparently not difficult to play man-in-the-middle games, get a duplicate/replacement SIM, or spoof a phone number to the effect that someone else could receive the SMS without you even knowing it was requested in the first place. SMS is a terrible way to do 2FA and has been for a long time.
>
> Just one example of what's possible.
>> But is it somehow less secure than not having it? Absolutely not
>
> But it really is. Email and SMS 2FA are easily hackable, which means that you can lose control of your account without ever even knowing about it. This is why you see so many accounts on social media platforms that get hacked. I have close friends in the security industry who have themselves had their SIMs stolen and then personal accounts (bank accounts, etc.) stolen entirely while they were unaware of it.
>
> An extremely strong randomly generated password that is unique for every website is the fundamental best practice... Email and SMS 2FA is just a backdoor to that secure practice that lets someone get past it without you ever even knowing.
I think you are both missing the point: the 2 in 2FA means a second, or supplementary, authentication method; it doesn't replace the original authentication method. In order to compromise the account, an attacker would need to compromise both the standard credentialed authentication method and the secondary method. This makes even a less-secure 2FA method more secure than no 2FA. And let's not forget, it's not exactly trivial to breach major tech and telecom providers in order to execute this attack.
 

diranged

> I think you are both missing the point: the 2 in 2FA means a second, or supplementary, authentication method; it doesn't replace the original authentication method. In order to compromise the account, an attacker would need to compromise both the standard credentialed authentication method and the secondary method. This makes even a less-secure 2FA method more secure than no 2FA. And let's not forget, it's not exactly trivial to breach major tech and telecom providers in order to execute this attack.
> In order to compromise the account, an attacker would need to compromise both the standard credentialed authentication method and the secondary method.
The "Forgot Password" button is extremely powerful ... just saying. That combined with a weak second factor auth format makes the entire system pretty much useless. Especially Rivian's plan to automatically opt people in to email-based 2fa .. which means that if your email is compromised, someone can reset your password and log in all without ever knowing your Rivian password.

[Image: Rivian Two-Factor Authentication (2FA) Beginning Dec 13, 2024]


> And let's not forget, it's not exactly trivial to breach major tech and telecom providers in order to execute this attack.
I know multiple who have had this happen to them. It's not "breaching" a major tech company to do SIM stealing.. it can be done through social engineering, as well as a number of other methods (see https://www.astound.com/learn/mobile/hacking-sim-cards for a good runthrough). Hell, I accidentally ported my wife (then-girlfriend)'s phone number to my new phone and provider a while back all because of a paperwork mistake where I wrote her number down... the phone company tech just moved the number, without even double checking the information on the target account.
 

Donald Stanfield

> I think we have a vocational social problem: people are becoming cyber criminals, causing others to become cyber security experts. I think desperate people do desperate things. Billionaires have too much, others have too little. OK, censor my opinion, I apologise.
There is no justification for stealing people's identities. These people do this as a career because it's easier than doing something else.
 

godfodder0901

> The "Forgot Password" button is extremely powerful ... just saying. That combined with a weak second factor auth format makes the entire system pretty much useless. Especially Rivian's plan to automatically opt people in to email-based 2FA .. which means that if your email is compromised, someone can reset your password and log in all without ever knowing your Rivian password.


> I know multiple who have had this happen to them. It's not "breaching" a major tech company to do SIM stealing.. it can be done through social engineering, as well as a number of other methods (see https://www.astound.com/learn/mobile/hacking-sim-cards for a good runthrough). Hell, I accidentally ported my wife (then-girlfriend)'s phone number to my new phone and provider a while back all because of a paperwork mistake where I wrote her number down... the phone company tech just moved the number, without even double checking the information on the target account.
The "forgot password" issue you speak of also applies to a single factor authentication protocol. Again, adding a 2nd factor makes it more secure.

Just because it has happened doesn't mean it's easy. Or common.

It sounds like you accidentally ported a number that you were authorized to port. Not really a breach of security IMHO.
 

diranged

> The "forgot password" issue you speak of also applies to a single factor authentication protocol. Again, adding a 2nd factor makes it more secure.
I'm not sure I understand your point ... Rivian is planning on automatically opting everyone in to an email-based "second factor" authentication method... sure, some people will set up the SMS method (which might be mildly better?), but fundamentally they're automatically opting us into a system where now my email account can be used to breach access to my Rivian account.

Ultimately if I haven't convinced you ... no problem, that's fine.. but I hope that this conversation has educated some people who may not have previously been aware of the risks and choices here.

> It sounds like you accidentally ported a number that you were authorized to port. Not really a breach of security IMHO.
I certainly did not have "authorization" to port a number that had nothing to do with me... we were not married, it was not on my account.

Was it a mistake? Sure
Does it mean it can't be abused? Absolutely not... I am pointing out that humans are fallible and that's how most hacking is done to begin with.
 

Greg Chick

> There is no justification for stealing people's identities. These people do this as a career because it's easier than doing something else.
"Hang 'em high" in public is OK with me, but part of the cause of the problem is my only point. Your point is correct, theft is easier than something else. If it was easier to get a living wage, there might be more people doing such. As they say, "It's a living", if it was.
 

Donald Stanfield

> "Hang 'em high" in public is OK with me, but part of the cause of the problem is my only point. Your point is correct, theft is easier than something else. If it was easier to get a living wage, there might be more people doing such. As they say, "It's a living", if it was.
I don't buy that man, and I can't believe you do either. I too spent 17 years as a plumbing contractor before transitioning to white collar. The things I've had to do for a living, I didn't steal. If I was willing to do some of the things I did to make sure my money was honest they have no excuse.
 

HaveBlue

2FA isn't for us who hide our written passwords on a piece of paper under our keyboards. Credential breaches of staggeringly large proportions happen on the server end more often. Millions of credentials stolen at once. Matters not how complex your password is. If Yahoo is breached, everyone is screwed. (No I don't use Yahoo and they aren't under my keyboard haha.)

2FA has its drawbacks in a practical sense. I was on a 10 day trip from LA through most of UT parks and Death Valley. I got as far as Zion and my phone crapped out. Had to wipe it to get it functional. It wasn't SIM 2FA. All my reservations and info were on my phone. No way to get into Gmail. Used my wife's phone to log into my Exchange work calendar and was able to retrieve enough info, as I didn't even remember the names of hotels/campgrounds I'd reserved.

I don't leave home without a keycard for the Rivian. This update makes that scenario worse if your phone is lost or damaged.
 

godfodder0901

> I'm not sure I understand your point ... Rivian is planning on automatically opting everyone in to an email-based "second factor" authentication method...
Yes, they are automatically opting you in.. to a more secure authentication method.

> sure, some people will set up the SMS method (which might be mildly better?), but fundamentally they're automatically opting us into a system where now my email account can be used to breach access to my Rivian account.
Please tell me how that's different than them breaching your email account right now and resetting your password without 2FA?

> Ultimately if I haven't convinced you ... no problem, that's fine.. but I hope that this conversation has educated some people who may not have previously been aware of the risks and choices here.
Misinformation is not education. Please leave the cybersecurity education to us cybersecurity professionals.
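As an added illustration of the disagreement in the posts above (not code from any poster in this thread), the small Python attack-path model below enumerates which assets an attacker must control to take over an account under each configuration; the asset labels and the assumption that a password reset still has to pass the second factor at login are constructed for the example.

```python
# Attack-path model of the 2FA argument in this thread (added illustration,
# not any poster's code). "password", "email" and "sms" are constructed labels
# for the assets an attacker would have to control.

def attack_paths(second_factor=None, email_reset=True):
    """Return the set of attack paths for one account configuration.

    A path is a frozenset of assets; controlling every asset on any one path
    takes over the account. second_factor is None, "email" or "sms";
    email_reset says whether "Forgot password" mails a reset link.
    """
    paths = set()
    login = {"password"}
    if second_factor:
        login.add(second_factor)        # the code is also required at login
    paths.add(frozenset(login))
    if email_reset:
        reset = {"email"}               # reset replaces the password...
        if second_factor:
            reset.add(second_factor)    # ...but the second factor still applies (assumed)
        paths.add(frozenset(reset))
    return paths


def is_compromised(controlled, paths):
    """True if the attacker's assets cover at least one full path."""
    return any(path <= controlled for path in paths)


def single_points_of_failure(paths):
    """Assets that, on their own, are enough to take over the account."""
    return {asset for path in paths if len(path) == 1 for asset in path}


def at_least_as_strong(baseline, candidate):
    """True if every attack that succeeds against candidate also succeeds
    against baseline, i.e. switching to candidate opens no new path."""
    return all(any(path >= base for base in baseline) for path in candidate)


CONFIGS = {
    "no 2FA": attack_paths(None),
    "email 2FA": attack_paths("email"),
    "sms 2FA": attack_paths("sms"),
}

if __name__ == "__main__":
    for name, paths in CONFIGS.items():
        print(f"{name:9}: single points of failure {sorted(single_points_of_failure(paths))}")
    print("email 2FA never weaker than no 2FA:",
          at_least_as_strong(CONFIGS["no 2FA"], CONFIGS["email 2FA"]))
```

With email-based reset enabled, control of the mailbox alone suffices both before and after email 2FA is switched on, while email 2FA removes the password as a single point of failure and opens no new path; only the SMS configuration leaves no single asset sufficient, at the cost of depending on the phone number discussed earlier in the thread.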
 

godfodder0901

> 2FA isn't for us who hide our written passwords on a piece of paper under our keyboards. Credential breaches of staggeringly large proportions happen on the server end more often. Millions of credentials stolen at once. Matters not how complex your password is. If Yahoo is breached, everyone is screwed. (No I don't use Yahoo and they aren't under my keyboard haha.)
This isn't entirely factual. Your personal data stored on servers is generally encrypted using, in part, your supplied credentials. This means that even if the server is breached, your data is more secure if you use a stronger password.
 

Greg Chick

> I don't buy that man, and I can't believe you do either. I too spent 17 years as a plumbing contractor before transitioning to white collar. The things I've had to do for a living, I didn't steal. If I was willing to do some of the things I did to make sure my money was honest they have no excuse.
Same here, but 50 years as a licensed contractor, 3rd-generation plumber. I do not support theft of any kind whatsoever. I just say some people do not use the right judgment and have an easier time being a crook than getting a real job.
I never took the easy road, never filed bankruptcy, never sued, always took the high & hard road. Some people are not that strong. But again, I hate rip-offs of all kinds.
 

HaveBlue

> This isn't entirely factual. Your personal data stored on servers is generally encrypted using, in part, your supplied credentials. This means that even if the server is breached, your data is more secure if you use a stronger password.
You might want to browse the dark web as password hashes are compromised by the millions due to poor server configurations and security. Don't assume that there aren't Rivian owners here with degrees in computer science. There are plenty of examples of companies losing plain text passwords and hacking stores that bypass hashes. We have no way of knowing as users on our end how business is conducted.

Coincidentally came across this morning and it is pertinent to this thread since 2fa is often sim based.
https://www.zdnet.com/article/fbi-c...essaging-apps-in-wake-of-massive-cyberattack/
 

SwampNut

> 2FA isn't for us who hide our written passwords on a piece of paper under our keyboards.
Yup, that's who it's for. That level of idiocy is what has caused this problem.