Nothing new there! When we set up a new in-house account, we either telephone the user or go to see them with their password. If it's a senior Manager with a corporate phone they get their password texted to them - Ok, not ultimately as secure as possible but a darn sight more secure than a plaintext email.
In my previous job I was asked to FTP our full client list (with financial information) to a third party acting on behalf of the company that had just acquired us. The IT Director of our new owners kicked up a hell of a stink and accused me of being 'unhelpful' because I insisted on the third party signing an NDA and installing AxCrypt so that I could encrypt the data for transmission. In the end I just said that if they insisted I send everything without encryption, I wanted it in writing with a disclaimer that I was acting on their instructions and they would assume responsibility for any possible liabilities arising with respect to UK Data Protection Laws.
By the time the IT Director had deliberated the point, the third party (who fully appreciated my position) had sent me a stock NDA, installed AXCrypt and we'd completed the transfer.
Worse, GSM encryption is pretty broken, people could be listening in, etc. Phoning people is still sensible in that attackers have to be close to the target, though (or get a wiretap).
Surprisingly not, mostly due to some very strange bits of the GSM protocol.
Basically, as long as you have enough signal such that the victim's handset can hear your commands, you can tell it that you are stronger than any other signal, and the handset will instantly switch to your cell.
What's worse is that there exist secure GSM encryption/etc. standards, however as the cell tower chooses what encryption to use, it is mostly pointless. (I remember watching a video about this. Apparently your phone is meant to show a massive warning if they are using unencrypted GSM. None do).
There is a lot wrong with GSM, and I didn't even know about this particular attack (thanks!), but you still have to be reasonably close to the victim - it's harder than "attack from anywhere on the internet".
Most certainly agree. Unfortunately, dropping the range limit from "Anywhere on earth" to "From a nearby mountain" doesn't fill me with all that much confidence.
That pretty much covers it. We telephone them in house on their extension number and there's only 60-ish employees so we know their voices. Externally they have to call back.
In enabling my Gmail account to use 2 factor authentication, Google required me to hand over my text-enabled cell phone number, and they texted me a code which I was required to input in a form. Similar to having the client call you back, but this can be automated.