[kictanet] Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration data

Mark Kipyegon mkipyegon at outlook.com
Fri Jun 30 20:33:26 EAT 2017


SMSes and calls over cell phone networks are known to be vulnerable to spoofing and interception, making them unsuitable for 2FA. As a matter of fact, there have been high-profile media reports of attacks against social media accounts and online banking that took advantage of said flaws.

On 30 Jun 2017, at 19:14, "Ngigi Waithaka" <ngigi at at.co.ke> wrote:

Mark,

On a security vs affordability basis, how exactly would SMS 2FA not be an effective solution?

Unless you are going to hack the Telco SMS Gateway where the SMS is in clear text, in which case I would think even our M-Pesa PINs would be vulnerable, where else do you have a credible attack surface?

Rgds

On Fri, Jun 30, 2017 at 3:25 PM, Mark Kipyegon via kictanet <kictanet at lists.kictanet.or.ke> wrote:
SMS as a form of 2FA is unsuitable considering the sensitivity of such information. On the other hand, a government-backed smart card would offer the appropriate level of authentication without locking out access to a section of users.

On 30 Jun 2017, at 12:30, "Denis G. Wahome" <dwahome at gmail.com> wrote:

Mark,

While I do concur completely with your observation, I was considering the user group for the service. Other more advanced mechanisms would reduce the usability/accessibility by a large portion of the country.

A better way would be a registration process to access your records where one can select a channel for 2FA.

Denis

On Fri, Jun 30, 2017 at 10:54 AM, Mark Kipyegon via kictanet <kictanet at lists.kictanet.or.ke> wrote:
SMS is not a secure implementation of two-factor authentication.

On 30 Jun 2017, at 10:40, "kictanet-request at lists.kictanet.or.ke" <kictanet-request at lists.kictanet.or.ke> wrote:


>
> A simple 2 Factor Authentication mechanism via SMS would suffice to start
> with.
