
Ask HN: Why is Stripe's 'Remember Me' considered secure? Or Lyft's sign up flow? - msencenb
Traditionally an account is secure when the user gives something publicly available (email) coupled with something only they know (password).

With Stripe's Remember Me feature (https://stripe.com/checkout/info) an invisible 'account' is created for you by the unique between the email and phone number. Then when you type in your email the next time, you get texted a code that you can use to auto fill in your payment methods. Why is this considered a secure experience? Can the code be thought of as a one time password? It seems a little crazy that two publicly available pieces of information can be used to authenticate (although admittedly you would have to intercept the text message code).

Even worse is Lyft. When you install the app you enter a phone number, verify with a code, and then enter your credit card info -- no password anywhere. What happens if you change phone numbers and it gets recycled? Now a new user installs Lyft and my credit card is already on file! How can this possibly be justified?
======
prostoalex
> although admittedly you would have to intercept the text message code

This is the key. Unless you are the mobile operator or a government entity,
your only other options are fake cell phone towers, i.e. stingrays, which are
monopolized by government, or incredible circumstantial luck (the user happens
to use a virtual phone number for texting, so SMS is going over WiFi, and you
have man-in-the-middled the router). I guess you could also root the user's phone
or gain access to Stripe's/Lyft's infrastructure, but then the question of
intercepting a confirmation SMS wouldn't pop up.

The next level for either of those services is to support message-less second-
factor auth (Authy, Google Authenticator, Microsoft Authenticator).

------
ikonst
re Lyft: We detect recycled phone numbers, and we'll challenge you (or "not
you") for further identification.

Phone recycling has been a much bigger problem for non-fraudulent cases, e.g.
you pop-in a new SIM card and naively sign up for Lyft, getting the account of
someone else (e.g. a tourist's). Fraudulent takeover of passengers' Lyft
accounts hasn't been happening that much — fraudsters have a much easier time
stealing credit card numbers than Lyft accounts.

------
kradem
> What happens if you change phone numbers and it gets recycled? Now a new
user installs Lyft and my credit card is already on file! How can this
possibly be justified?

There's an account you may access if you know the username and respective
password or if you may access the account's primary email.

So, just think of the account as your locker in Lyft's building. When someone
with your telephone number enters that number and enters back the received code,
that implies he's the owner of the number.

The credit card is still under your account and there could be no relation to
the other user's telephone number. The triggered routine would confirm the
connection of the user and their telephone and nothing else.

