PILOT SPIN

Topic started by: Rush on June 14, 2022, 09:14:20 AM

Title: Technology, SMH
Post by: Rush on June 14, 2022, 09:14:20 AM
So because I'm traveling and haven't used Uber in a while, I opened it on my desktop and changed the password, checked to see if my credit card is current, and closed that out.

Next I go to my phone and try to open the Uber App.  On my PHONE, got that?   The Uber app says it wants the secret code, and it texted the secret code TO MY PHONE.  The same phone I'm trying to open the app on.  There it is, right above the box I'm supposed to type it into.  Put the code in, it opens.  Never even asks for the new password.

Somebody 'splain to me the security of texting the code to the same device I'm opening the app on.
Title: Re: Technology, SMH
Post by: jb1842 on June 14, 2022, 10:00:38 AM
So because I'm traveling and haven't used Uber in a while, I opened it on my desktop and changed the password, checked to see if my credit card is current, and closed that out.

Next I go to my phone and try to open the Uber App.  On my PHONE, got that?   The Uber app says it wants the secret code, and it texted the secret code TO MY PHONE.  The same phone I'm trying to open the app on.  There it is, right above the box I'm supposed to type it into.  Put the code in, it opens.  Never even asks for the new password.

Somebody 'splain to me the security of texting the code to the same device I'm opening the app on.

It was probably developed by what I like to call stupid smart people. They may be intellectually smart, but are completely stupid when it comes to common sense and the real world.
Title: Re: Technology, SMH
Post by: Rush on June 14, 2022, 10:27:59 AM
It was probably developed by what I like to call stupid smart people. They may be intellectually smart, but are completely stupid when it comes to common sense and the real world.

Probably the same people that developed my washing machine.  It has two water levels, low and high.  The delicate cycle is limited to the high water level.  Anyone who has ever actually done laundry in real life knows that your “delicates” are often a very small load.  So I end up with a couple of skimpy lingerie floating around in 25 gallons of water.
Title: Re: Technology, SMH
Post by: Bob Noel on June 14, 2022, 10:29:45 AM
interesting imagery

 ;D
Title: Re: Technology, SMH
Post by: Jim Logajan on June 14, 2022, 10:52:09 AM
So because I'm traveling and haven't used Uber in a while, I opened it on my desktop and changed the password, checked to see if my credit card is current, and closed that out.

Next I go to my phone and try to open the Uber App.  On my PHONE, got that?   The Uber app says it wants the secret code, and it texted the secret code TO MY PHONE.  The same phone I'm trying to open the app on.  There it is, right above the box I'm supposed to type it into.  Put the code in, it opens.  Never even asks for the new password.

Somebody 'splain to me the security of texting the code to the same device I'm opening the app on.

If I understand the situation, it looks to me that you had once confirmed to their servers that your phone number is on a phone in your possession. But there is no secure way for their servers to know that a communication they get from a mobile phone came from your phone unless you send a known login/password credential or a secret code sent to a device you claimed was in your possession.
Title: Re: Technology, SMH
Post by: Rush on June 14, 2022, 11:05:28 AM
If I understand the situation, it looks to me that you had once confirmed to their servers that your phone number is on a phone in your possession. But there is no secure way for their servers to know that a communication they get from a mobile phone came from your phone unless you send a known login/password credential or a secret code sent to a device you claimed was in your possession.

You mean that the app I just opened with my account info in it contacted their server and they don’t know it’s coming from my phone?  They don’t have caller ID?  They think my number was spoofed?
Title: Re: Technology, SMH
Post by: Jim Logajan on June 14, 2022, 11:41:42 AM
You mean that the app I just opened with my account info in it contacted their server and they don’t know it’s coming from my phone?  They don’t have caller ID?  They think my number was spoofed?

When all the third party apps on your phone need to talk to the rest of the world they communicate using the Internet Protocol (IP). The IP rides on top of a cell phone protocol, likely GSM. When the GSM packet gets to either the cell tower or more likely the first telephone switching station the IP packet is extracted and sent on its merry way over another physical network layer. In the process the GSM packet header containing the originating phone info is lost. That's reasonable since IP should be able to ride on top of any link or physical layer as it hops across the internet (other physical layers include ethernet, wifi, microwave, satellite, etc.)

Lastly, as a general security rule all the apps on your phone are "walled off" from each other - that is, not allowed to share info. So if the phone gets SMS text messages via the cell phone GSM protocol it will display in the Apple app for that (the app is not third-party - it is special and allowed to access SMS over GSM while most other apps are only allowed access to IP over GSM). Human intervention, such as copy and paste, is deliberately required to move such security related info from one app to the other.

P.S. I'm a little loose on what protocol layers travel over which other layers, but trying to communicate the essence of the ideas.
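
Added example, not part of the thread and not Uber's code: the server side of the SMS code check that Jim Logajan's two posts above describe, written in Python. The login request arrives with only a session and a source IP, so the server proves possession by sending a one-time code to the number on file. OtpServer, send_sms, the phone number, the IP address and the two limits are assumptions made for illustration.

```python
import hmac, secrets, time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # guesses allowed per challenge (assumed policy)

class OtpServer:
    """Hypothetical login server that proves phone possession with an SMS code."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms    # hypothetical SMS gateway: send_sms(number, text)
        self.clock = clock
        self.registered = {}        # account -> phone number confirmed earlier
        self.pending = {}           # session id -> outstanding challenge

    def start_login(self, account, session_id, source_ip):
        # source_ip is all the IP layer reveals about the sender. It is not
        # used: it does not tell the server which phone number sent the request.
        number = self.registered[account]
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = {
            "account": account,
            "code": code.encode(),
            "expires": self.clock() + CODE_TTL,
            "attempts": 0,
        }
        # Out-of-band step: the code goes to the number on file, not to source_ip.
        self.send_sms(number, code)

    def verify(self, session_id, submitted):
        ch = self.pending.get(session_id)
        if ch is None:
            return None
        ch["attempts"] += 1
        if self.clock() > ch["expires"] or ch["attempts"] > MAX_ATTEMPTS:
            del self.pending[session_id]    # expired or too many guesses
            return None
        if hmac.compare_digest(submitted.encode(), ch["code"]):
            del self.pending[session_id]    # a code works only once
            return ch["account"]
        return None

def demo():
    inbox = {}                                  # stands in for the phone's SMS app
    srv = OtpServer(lambda number, text: inbox.update({number: text}))
    srv.registered["rush"] = "+15555550100"     # constructed number
    srv.start_login("rush", "sess-1", "203.0.113.7")
    code = inbox["+15555550100"]                # the human reads it and types it in
    return srv.verify("sess-1", code), srv.verify("sess-1", code)
```

The server accepts the code from whichever session asked for it, whether or not that session runs on the phone that received the text; what it learns is that the person logging in can read messages sent to the registered number.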
Title: Re: Technology, SMH
Post by: Anthony on June 14, 2022, 12:02:22 PM
Anyone who has ever actually done laundry in real life knows that your “delicates” are often a very small load.  So I end up with a couple of skimpy lingerie floating around in 25 gallons of water.

That's happened to me before.
Title: Re: Technology, SMH
Post by: Rush on June 14, 2022, 12:10:42 PM
That's happened to me before.

There ya go, I knew I wasn’t alone.  :D
Title: Re: Technology, SMH
Post by: Rush on June 14, 2022, 12:28:09 PM
When all the third party apps on your phone need to talk to the rest of the world they communicate using the Internet Protocol (IP). The IP rides on top of a cell phone protocol, likely GSM. When the GSM packet gets to either the cell tower or more likely the first telephone switching station the IP packet is extracted and sent on its merry way over another physical network layer. In the process the GSM packet header containing the originating phone info is lost. That's reasonable since IP should be able to ride on top of any link or physical layer as it hops across the internet (other physical layers include ethernet, wifi, microwave, satellite, etc.)

Lastly, as a general security rule all the apps on your phone are "walled off" from each other - that is, not allowed to share info. So if the phone gets SMS text messages via the cell phone GSM protocol it will display in the Apple app for that (the app is not third-party - it is special and allowed to access SMS over GSM while most other apps are only allowed access to IP over GSM). Human intervention, such as copy and paste, is deliberately required to move such security related info from one app to the other.

P.S. I'm a little loose on what protocol layers travel over which other layers, but trying to communicate the essence of the ideas.

Wow, thanks, I didn’t know that’s how it works.  Makes sense then if an app is using an IP packet that gets stripped of originating information.   And then the text I get has “no idea” it’s actually on the same phone the request is coming from.  Maybe the tech people aren’t as stupid as I thought.  The washing machine people still are though.

So why doesn’t the Uber server just ask the NSA where the app they got the request from is residing?  Surely the NSA is tracking all this stuff around and knows what all my apps are doing even if the apps can’t share info with each other.
Title: Re: Technology, SMH
Post by: Jim Logajan on June 14, 2022, 02:42:07 PM
Wow, thanks, I didn’t know that’s how it works.  Makes sense then if an app is using an IP packet that gets stripped of originating information.   And then the text I get has “no idea” it’s actually on the same phone the request is coming from.  Maybe the tech people aren’t as stupid as I thought.  The washing machine people still are though.

So why doesn’t the Uber server just ask the NSA where the app they got the request from is residing?  Surely the NSA is tracking all this stuff around and knows what all my apps are doing even if the apps can’t share info with each other.

Actually the phone company has routing tables with phone number/IP address pairs so they can route packets both ways. But they don't allow access to that table to any machine outside their network (excepting law enforcement and NSA.)

That said, when you use email or a web browser on your cell phone and the IP packets have to go over the cell phone network rather than wifi (which is assigned its own unique IP address,) the cell phone's carrier-assigned IP address is exposed. Notice there can be at least two unique IP addresses assigned your phone, one for each physical layer (one for wifi and one for cell phone data network - using two different incompatible radio transceivers.) In the case of email the source IP address (the wifi one or the cellular one) actually appears in the email headers. But the associated phone number is not exposed. So if you sent me email from your phone I still wouldn't know your phone number.

By the way - if you don't even want the cell carrier's IP address of your phone exposed, you can normally limit its exposure. On an iPhone go to Settings, then Cellular, then Cellular Data Options. Make sure the "Limit IP Address Tracking" setting is ON. I'm not sure what technique they use but suspect it is probably similar or the same as NAT (Network Address Translation) which is common in wifi router firewalls.
Title: Re: Technology, SMH
Post by: Rush on June 14, 2022, 02:58:58 PM
Actually the phone company has routing tables with phone number/IP address pairs so they can route packets both ways. But they don't allow access to that table to any machine outside their network (excepting law enforcement and NSA.)

Ah ha!  So I was right!

Quote

That said, when you use email or a web browser on your cell phone and the IP packets have to go over the cell phone network rather than wifi (which is assigned its own unique IP address,) the cell phone's carrier-assigned IP address is exposed. Notice there can be at least two unique IP addresses assigned your phone, one for each physical layer (one for wifi and one for cell phone data network - using two different incompatible radio transceivers.) In the case of email the source IP address (the wifi one or the cellular one) actually appears in the email headers. But the associated phone number is not exposed. So if you sent me email from your phone I still wouldn't know your phone number.

By the way - if you don't even want the cell carrier's IP address of your phone exposed, you can normally limit its exposure. On an iPhone go to Settings, then Cellular, then Cellular Data Options. Make sure the "Limit IP Address Tracking" setting is ON. I'm not sure what technique they use but suspect it is probably similar or the same as NAT (Network Address Translation) which is common in wifi router firewalls.

What happens if I use a VPN?
Title: Re: Technology, SMH
Post by: Anthony on June 14, 2022, 03:13:36 PM
There ya go, I knew I wasn’t alone.  :D

Oh wait.  That was in a swimming pool.  Never mind.
Title: Re: Technology, SMH
Post by: Jim Logajan on June 14, 2022, 03:28:41 PM
What happens if I use a VPN?

That would hide your originating IP address - at least from the VPN's server to the rest of the world. But for routing purposes your phone's IP address has to appear in all the packets between your phone and the VPN server. But you are guaranteed encryption of the packet payload from at least your phone to the VPN server. Personally I don't see VPN encryption as terribly sales-worthy these days since email and web  connections now provide both encryption and authentication (e.g. ensuring you really connected to your bank rather than being tricked into connecting to a hacker's machine acting as your bank.)
Title: Re: Technology, SMH
Post by: Rush on June 14, 2022, 04:37:30 PM
That would hide your originating IP address - at least from the VPN's server to the rest of the world. But for routing purposes your phone's IP address has to appear in all the packets between your phone and the VPN server. But you are guaranteed encryption of the packet payload from at least your phone to the VPN server. Personally I don't see VPN encryption as terribly sales-worthy these days since email and web  connections now provide both encryption and authentication (e.g. ensuring you really connected to your bank rather than being tricked into connecting to a hacker's machine acting as your bank.)

I never thought of VPN as being useful for banking.
Title: Re: Technology, SMH
Post by: nddons on June 15, 2022, 07:42:05 AM
Probably the same people that developed my washing machine.  It has two water levels, low and high.  The delicate cycle is limited to the high water level.  Anyone who has ever actually done laundry in real life knows that your “delicates” are often a very small load.  So I end up with a couple of skimpy lingerie floating around in 25 gallons of water.

Picture or it didn’t happen.
Title: Re: Technology, SMH
Post by: Rush on June 15, 2022, 01:03:21 PM
Picture or it didn’t happen.

You’ll have to wait til I get back home.
Title: Re: Technology, SMH
Post by: nddons on June 15, 2022, 10:10:31 PM
You’ll have to wait til I get back home.

(https://media2.giphy.com/media/QBd2kLB5qDmysEXre9/giphy.gif)