site banner

Culture War Roundup for the week of November 28, 2022

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.

16
Jump in the discussion.

No email address required.

Does Chipotle have real, legitimate reason to enforce 2FA on its customers? And is it at all possible there is non-security motivation behind its phone requirement?

No and no. Or rather, there is a vanishingly small chance they have a good reason for any of this.

Given the fact that the majority of purchases will be through the mobile app (i.e. most likely the same device receiving the 2FA code as the one signing in and ordering), it's quite useless, actually. This is on top of the fact that SIM-based 2FA is horrendous for being extremely susceptible to social engineering, i.e., a random person calling up your phone company pretending to be you and have "lost" your SIM card, then obtaining access to it. (In contrast, TOTP 2FA does not have this vulnerability, but there's still not much to gain from using it here unless you have two phones).

Googling Chipotle and 2FA, there are a couple of Reddit threads that claim their accounts were hacked, and somehow a hacker ordered $60 or $120 worth of food through their app. I have no idea if these examples of being "hacked" is truly a matter of Chipotle's back end being compromised, or just someone whose credentials were phished, a reused password sold on the dark web, or a lost or stolen phone being used. My prior is it's overwhelmingly the latter and not the former.

If the backend is compromised, everyone's credentials are compromised, 2FA or not. Without knowing more details I can't say for sure, but it is likely their phones were simply stolen and the 2FA was useless because it went to the same device as the one signing in. Or it could be that people were phished to hand over not only their password but also the 2FA code for authentication (social engineering is surprisingly powerful and 99% of the time humans are the weak link in the system).

Your threat model is wrong. Here's the threat model:

https://www.themotte.org/post/205/culture-war-roundup-for-the-week/38246?context=8#context

Given the fact that the majority of purchases will be through the mobile app (i.e. most likely the same device receiving the 2FA code as the one signing in and ordering), it's quite useless, actually. This is on top of the fact that SIM-based 2FA is horrendous for being extremely susceptible to social engineering,

...Or it could be that people were phished to hand over not only their password but also the 2FA code for authentication...

Current attack: an attacker with 10k stolen CCs, 50%+ of which are already reported as stolen, and he's buying burritos to determine which ones are still live. This attacker is running a python script on his laptop and placing orders either with selenium in the browser or an android VM.

Effort: python test_on_chipotle.py todays_batch.csv

Reward: 5k valid CCs.

Your proposed new attack: make 10,000 phone calls to either T-Mobile/actual Chipotle customers, perhaps half of which will be successful in convincing the customer to hand over the OTP.

Effort: 10k cold calls

Reward: 2.5k valid CCs.

Even assuming the 10k cold calls are still worth the effort to the scammer (they probably aren't), chipotle has just cut phony orders in half.

This is on top of the fact that SIM-based 2FA is horrendous for being extremely susceptible to social engineering, i.e., a random person calling up your phone company pretending to be you and have "lost" your SIM card, then obtaining access to it.

In this specific instance I don't think this vulnerability is a problem. No one is going through all that effort to hack a chipotle account and get a few free burritos