site banner
naraburns  nihil supernum  1yr ago (text post)   34986 thread views

Culture War Roundup for the week of November 28, 2022

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.

16
Top Bottom Old Controversial Comments
Jump in the discussion.

No email address required.

Not sure what happened to this week's Friday Fun thread? Are these manually posted instead of automated? Anyway, was going to throw this on the fun thread--

Does Chipotle have real, legitimate reason to enforce 2FA on its customers? And is it at all possible there is non-security motivation behind its phone requirement?

I don't recall exactly when the change was implemented, but think it was sometime earlier this year, when, as an existing customer, I was forced to add a phone number to my account. I forgot about it until now, when I was logging into the website, and it texted me a code that I needed to enter. This was the same device I've previously logged on, with the same IP etc. Nothing suspicious that would warrant more stringent security.

Worst of all, it's not an option to disable it. The accounts/profiles section, under 2FA, just shows a sentence that says they use it to enhance security. So no way to opt out. And of course, a phone number is required on the account, so you can't remove it and somehow force 2FA to go through email. Granted, those using mobile apps are presumed to have a phone number, but for those ordering on the website, couldn't it be argued that the company "discriminates" against, uh, vulnerable, low-income populations who don't own phones? Cue Diablo Immortal no-phones meme.

Googling Chipotle and 2FA, there are a couple of Reddit threads that claim their accounts were hacked, and somehow a hacker ordered $60 or $120 worth of food through their app. I have no idea if these examples of being "hacked" is truly a matter of Chipotle's back end being compromised, or just someone whose credentials were phished, a reused password sold on the dark web, or a lost or stolen phone being used. My prior is it's overwhelmingly the latter and not the former.

My suspicion, therefore, is Chipotle wants to collect customer phone numbers for marketing or business intelligence purposes, and to ensure universal compliance, tacks on a security label. That, or their CISO is an idiot who thinks heavy-handed policies (reminiscent of password policies that require special characters and thus go against the probably-more-secure use of passphrases) are the only path to security. I would have no problem with a bank or work email enforcing 2FA, but I do have a problem for being required to do the same for a burrito joint. Unfortunately for me, there is no real recourse--I like their food still, and boycotting will realistically hurt me more than them, not to mention will unlikely signal to the higher ups that their so-called security policy is losing customer goodwill.

And it's death by a thousand cuts. With all the data breaches, protecting your SSN and birth dates seem increasingly futile. At some point random mobile games will require you to authenticate with phone numbers and maybe mailing addresses "for security purposes", and we'll all be too numb to notice anything unusual.

It's probably a mix of two things. First marketing, like you said.

But also I'd bet 2FA allows them to negotiate lower fees with the payment processor. Lower risk of fraud and chargebacks.

I have no idea if these examples of being "hacked" is truly a matter of Chipotle's back end being compromised, or just someone whose credentials were phished, a reused password sold on the dark web, or a lost or stolen phone being used. My prior is it's overwhelmingly the latter and not the former.

It's almost definitely the latter, or a relative used their phone or something like that. And 2fa is totally unnecessary, I agree. But in Chipotle's defence, if a customer claims they were hacked, you have to look like you are doing everything you can to fix the problem, and 2fa is cheaper than giving money to everyone who claims they were hacked, or the bad press that would follow if you told a customer to deal with it.

I'm not sure how it's a marketing ploy though - you already gave them your details to use the app, that's the marketing ploy.

Also for a forehead slap in the other direction on the topic of 2fa, the phone company my boss is with recently put it on their app, and she utterly lost her shit. She demanded I get it off, which I thought would be impossible. I was wrong however - you can not only disable 2fa, you can disable passwords altogether. I guess you just have to hope no one hacks or steals your phone.

Does Chipotle have real, legitimate reason to enforce 2FA on its customers? And is it at all possible there is non-security motivation behind its phone requirement?

No and no. Or rather, there is a vanishingly small chance they have a good reason for any of this.

Given the fact that the majority of purchases will be through the mobile app (i.e. most likely the same device receiving the 2FA code as the one signing in and ordering), it's quite useless, actually. This is on top of the fact that SIM-based 2FA is horrendous for being extremely susceptible to social engineering, i.e., a random person calling up your phone company pretending to be you and have "lost" your SIM card, then obtaining access to it. (In contrast, TOTP 2FA does not have this vulnerability, but there's still not much to gain from using it here unless you have two phones).

Googling Chipotle and 2FA, there are a couple of Reddit threads that claim their accounts were hacked, and somehow a hacker ordered $60 or $120 worth of food through their app. I have no idea if these examples of being "hacked" is truly a matter of Chipotle's back end being compromised, or just someone whose credentials were phished, a reused password sold on the dark web, or a lost or stolen phone being used. My prior is it's overwhelmingly the latter and not the former.

If the backend is compromised, everyone's credentials are compromised, 2FA or not. Without knowing more details I can't say for sure, but it is likely their phones were simply stolen and the 2FA was useless because it went to the same device as the one signing in. Or it could be that people were phished to hand over not only their password but also the 2FA code for authentication (social engineering is surprisingly powerful and 99% of the time humans are the weak link in the system).

Your threat model is wrong. Here's the threat model:

https://www.themotte.org/post/205/culture-war-roundup-for-the-week/38246?context=8#context

Given the fact that the majority of purchases will be through the mobile app (i.e. most likely the same device receiving the 2FA code as the one signing in and ordering), it's quite useless, actually. This is on top of the fact that SIM-based 2FA is horrendous for being extremely susceptible to social engineering,

...Or it could be that people were phished to hand over not only their password but also the 2FA code for authentication...

Current attack: an attacker with 10k stolen CCs, 50%+ of which are already reported as stolen, and he's buying burritos to determine which ones are still live. This attacker is running a python script on his laptop and placing orders either with selenium in the browser or an android VM.

Effort: python test_on_chipotle.py todays_batch.csv

Reward: 5k valid CCs.

Your proposed new attack: make 10,000 phone calls to either T-Mobile/actual Chipotle customers, perhaps half of which will be successful in convincing the customer to hand over the OTP.

Effort: 10k cold calls

Reward: 2.5k valid CCs.

Even assuming the 10k cold calls are still worth the effort to the scammer (they probably aren't), chipotle has just cut phony orders in half.

This is on top of the fact that SIM-based 2FA is horrendous for being extremely susceptible to social engineering, i.e., a random person calling up your phone company pretending to be you and have "lost" your SIM card, then obtaining access to it.

In this specific instance I don't think this vulnerability is a problem. No one is going through all that effort to hack a chipotle account and get a few free burritos

I would kill to have all these sites and apps just support OIDC. Even better if BYOID was actually a thing. Combine that with passwordless auth and a SK, and the vast majority of security issues would be fixed and everything would be be more convenient for the end user.

for a second I thought this had to do with guns..

The two-factor amendment, where security depends on something you know + something you have.

Ditto

You can walk in the store and order, you usually get more food this way too.

Not sure what happened to this week's Friday Fun thread?

Sorry. They're not automated yet, and at least one member of the mod team thought it was still Thursday...

In my defense I am recovering from a concussion ;)

There's a very legit purpose here. No one is stealing burritos, but quite possibly Chipotle is seeing lots of CC fraud.

Suppose you have a bunch of stolen CCs, about 75% of which have already been reported stolen, and you plan to buy a bunch of x-boxes from Walmart with them. If you pickup an order placed online with card reported as stolen, you face the risk of Walmart calling the cops who walk out to the online order pickup parking and arrest you.

So what you do is before buying the x-box you want to test the credit card by making a low value/low suspicion purchase that you don't face the risk of arrest for. A burrito from a national chain (which you never pick up) works nicely.

This is a huge pain for chipotle. They pay penalties on the shady purchases and have the fraudulent transactions eventually clawed back (messing with cashflow). Also uneaten burritos aren't free to produce.

By requiring 2FA you make it costlier for scammers to play this game. (And "costlier" != "impossible". I know you can get a SIM card for $20 at the tmobile store, but now you've just made using a stolen card $20 more expensive and required the scammer to make an extra trip.)

We don't really have a way to "set it to be posted". I've actually wanted one, and there's been some discussion on how to build it. We just haven't done so yet; we've got other things on our plate.

(for example, I'm actually reading this as a break while putting together a new meta post)

Right now it's just the mods, and I think practically Naraburns has been the one doing it for a while.

The worst part is that this doesn't even need to be nefarious - We've all seen so many scams ourselves that I can only imagine what these bigger companies are dealing with. Phone numbers are really the only other way to reliably check someone's ID or real existence without resorting to other measures (and even then phone numbers are getting worse and worse when it comes to security).

It really is a slow fade. It's too late to boycott and we've become so reliant on these stupid technologies that boycotts just hurt us in the end. Ggs, hopefully the metaverse will be better.

What is this place?

This website is a place for people who want to move past shady thinking and test their ideas in a court of people who don't all share the same biases. Our goal is to optimize for light, not heat; this is a group effort, and all commentators are asked to do their part.

The weekly Culture War threads host the most controversial topics and are the most visible aspect of The Motte. However, many other topics are appropriate here. We encourage people to post anything related to science, politics, or philosophy; if in doubt, post!

Check out The Vault for an archive of old quality posts. You are encouraged to crosspost these elsewhere.


Why are you called The Motte?

A motte is a stone keep on a raised earthwork common in early medieval fortifications. More pertinently, it's an element in a rhetorical move called a "Motte-and-Bailey", originally identified by philosopher Nicholas Shackel. It describes the tendency in discourse for people to move from a controversial but high value claim to a defensible but less exciting one upon any resistance to the former. He likens this to the medieval fortification, where a desirable land (the bailey) is abandoned when in danger for the more easily defended motte. In Shackel's words, "The Motte represents the defensible but undesired propositions to which one retreats when hard pressed."

On The Motte, always attempt to remain inside your defensible territory, even if you are not being pressed.


New post guidelines

If you're posting something that isn't related to the culture war, we encourage you to post a thread for it. A submission statement is highly appreciated, but isn't necessary for text posts or links to largely-text posts such as blogs or news articles; if we're unsure of the value of your post, we might remove it until you add a submission statement. A submission statement is required for non-text sources (videos, podcasts, images).

Culture war posts go in the culture war thread; all links must either include a submission statement or significant commentary. Bare links without those will be removed.

If in doubt, please post it!


Rules


Recommended Posts And Communities

Recommended Realtime Chats