Hashtag threat model

My dentist just did in-person 2FA! "I just texted you a code, can you read that back to me?"

It was for security, the receptionist assured me.

I guess I might be trying to smuggle someone else's teeth in for a cleaning?

Fortunately my dentist does not have extremely detailed records of any of my biometrics that might be useful for identifying me.


16 Responses:

  1. squabbled says:

    They want to make sure a phony horse isn't getting dental cleaning. Infamous phony horses.

  2. CSL3 says:

    "Before we proceed with your bi-annual cleaning, please fill out this CAPTCHA".

  3. jal says:

    You reused your password on the dentist portal, and that 2FA code was from your bank.

  4. Zygo says:

    That's an unusually rigorous way to validate the correctness of your phone number!

  5. cmt says:

    You do know that people can be identified by their dental patterns? Forensic Odontology is a thing, especially when there's not much else left to work with (Disaster Victim Identification, for example).

  6. Nick Lamb says:

    In a world where people get confused and write somebody else's email address, but then are astonished that doesn't work, it seems like verifying that you gave them your actual phone number, rather than "Ooops, I keep saying it wrong, sorry" is worth their time.

    Not to mention it shortcuts the step where Karen is angry because the surgery's receptionist didn't give her a courtesy reminder (because Karen intentionally provided a bogus number since she doesn't want those stupid reminders) and now Karen missing her appointment is the receptionist's fault.

    • jwz says:

      Plausible apologia, except for the fact that I have been confirming my appointments with them by replying to their text messages for over three years including 48 hours ago. They fucking well know that they have my phone number, ok?

      Also "it's for security" was the explanation. Not "we want to make sure you don't miss your appointment." If that's what they meant, that's what they would have said.

      But keep trying, corporations still need your help justifying all the stupid security theatre shit that they do!

      • Eric TF Bat says:

        It's just the next step in the sequence that began with paper forms, to be filled out with a pen, that include an "I Am Not A Robot" checkbox (which you MUST fill in or else the receptionist will go "tch" and tick it for you, but with poorly-concealed ill grace).

  7. Carlos says:

    My bank (small) is launching a new online banking system in a week.

    They gave a heads-up about this a few months ago. It included the worrying instruction to "ensure your cell phone number and email address in the system are correct and up to date".

    I wrote to them, asking:

    (a) is a cell phone number required? (I don't have one)
    (b) you're not actually dumb enough to be using SMS or unencrypted email for not-really-2fa bullshit-security theatre on something as critically important and personal as a person's assets and financial security, are you? (slightly more polite than this)
    (c) if the answer to either of A or B is "yes", could they have whoever's in charge of security for the new site contact me?

    Mostly crickets in response, just the standard "We're taking all these things into consideration" type boilerplate from a flunky with no insight into the design and operation of the system, much less ability to influence it.

    And today? "Here's a preview of the changes, with handy click-through animated tutorials for things like 'how to log into your account'".

    Step 1? 2fa via SMS or unencrypted email. FFS.

    Oh, and the "account view" is now an acre of whitespace with a literally-meaningless pie chart in the middle of it, and a small "current balance" text off to one side, pointing meaninglessly to an arbitrary pie chunk. Thanks, that's great, much better than the list of recent transaction values and balances that has been the standard way to look at a bank account since the bloody steam traction engine was invented.

    Goddamn web designers still think "pretty" matters, and "functional" doesn't.
    • ATXWino says:

      Makes me wonder about the viability of starting a bank with truly good security...

      • Dave says:

        Speaking as someone whose job it is to get people to do the bare fucking minimum security for their own good, you'd get terrible compliance and complaints about how difficult it is to use. Unless you're a swiss bank and can tell them "we don't need your custom, go pound sand".

  8. sobuy says:

    Fortunately my dentist does not have extremely detailed records of any of my biometrics that might be useful for identifying me.

    Also known as "tooth-factor authentication".

    • 205guy says:

      Bravo, the real joke is always in the comments these days.

    • prefetch says:

      So close - 13 minutes later and you would have had a twofer...

      Maybe they/the building got a new IMEI tracker and they need to prime the pump? Remember, kids: rich data = rich seller!