Vip token
1/16/2024

Wrote two brief articles on the USAA Community Website hoping they'd get some traction, but considering I didn't even know USAA had member-only forums until I looked for them, I figured they wouldn't get many views.
Dropping them here in hopes they can help some additional members out.

The first article is intended to be for anyone who really doesn't understand the security landscape, specifically around two-factor authentication, and why USAA's (and many, many other companies') use of 2FA codes sent via text message or to an email address is just inherently insecure.

The second article is a detailed how-to on how I managed to secure my family's USAA account to my own personal security standards: requiring a user name and a 2FA token generator to log onto our accounts, with no other means of logging in (including USAA's required 2FA "cyber code text" garbage sent to either your email or via SMS text).

If you didn't know, USAA effectively REQUIRES these "cyber code texts" as a means to verify the identity of a caller or person logging into an account.

Additionally, you can override any form of logon security, INCLUDING 2FA code generation, by requesting one of these codes be sent out to the email or phone on file, which absolutely baffles me.

The crux of why I'm posting to the subreddit is that I also discovered in my security pilgrimage that in the Python community, someone has reverse engineered the protocol that Symantec VIP utilizes (which is the 2FA token generation that USAA implements).

TLDR, Symantec uses an open source token generation standard which the Python community repackaged into a Python module.
Additionally, the Symantec VIP app only allows for installation on one device to generate tokens, which is great for security but a pain for backing up your code generation protocols to another device in case you lose or break your token generator, or if you'd like to grant access and install your token generator on another device (your home PC, another mobile device, family member device, etc).
And yes, I get it that sharing your token generator with someone is introducing insecurity.

It's a risk that we choose to take that is mitigated by the fact that the token generator app we choose to use (Authy) allows for some pretty specific means to disable remote tokens at any time; in addition, these generators are on devices with strong logon credentials themselves (iOS devices with FaceID and unique, long PIN codes as backups, for example).
All this is to say that I have successfully implemented the python-vipaccess Python module to create a Symantec VIP token for use with our USAA account, and have imported that token into our third-party token generator of choice - Authy, which allows the token generation to be synced to any authorized device logged into our Authy account.

Let me know if you have any questions - otherwise have a happy and secure weekend.

The executive escalation team called me back about 15 minutes after posting.

The rep told me everyone is moving to their "2FA" and that if you have ever been hacked (account-wise) you cannot remove it.

Also, because of the previous hack, email 2FA was not an option according to USAA policy.

I patiently explained to him that it wasn't me that was the hacker when someone logged in as my account and had a debit card sent to themselves so they could withdraw $7K, that it was in fact them.