[HN Gopher] How to bypass Sprint/T-Mobile 2FA in under 5 minutes
___________________________________________________________________
How to bypass Sprint/T-Mobile 2FA in under 5 minutes
Author : OJFord
Score : 168 points
Date : 2021-08-23 17:38 UTC (5 hours ago)
(HTM) web link (www.reddit.com)
(TXT) w3m dump (www.reddit.com)
| mikece wrote:
| While I never want to see companies suffer data breaches and
| breakdowns in security, it's possible that the merging of Sprint
| and T-Mobile's subscriber base and systems might be the kind of
| cautionary tale told to management in the future to justify more
| spending on security budgets, especially around the merging of
| systems.
| robohoe wrote:
| Problem with security spending is that a lot of it comes down
| to useless audits which really don't find any holes - they just
| "enforce" compliance. Yes, PCI compliance is important but how
| many PCI compliant companies have been breached in the past
| decade?
| toomuchtodo wrote:
| Nah. As long as costs are negligible and there's no corporate
| death sentence for repeat offenders (T-Mobile has had 5
| breaches in roughly the same number of years), nothing changes.
| Equifax is still around, right [1]?
|
| [1] https://en.wikipedia.org/wiki/2017_Equifax_data_breach
| knodi wrote:
| Fucking idiots!! This is negligence.
| frankosaurus wrote:
| I recently set up yubikey 2FA for several of my important
| accounts. I was dismayed to find that several of them (Vanguard,
| BofA, etc.) require SMS security codes as a backup.
| Someone1234 wrote:
| I'd like to use a Yubikey, but too few of the accounts I'd want
| it on allow multiple concurrent 2FA sources, and since I won't
| have my Yubikey on all devices/with me 24/7 it gets cut for
| HOTP/TOTP which I can have in multiple places.
|
| I feel like failure by services to allow multiple 2FA providers
| concurrently is a common weakness that is rarely criticized.
| staticassertion wrote:
| Vanguard also has traditional security questions too. So shit
| like "where were you born?".
| bcraven wrote:
| Remember that your answer to that need not necessarily be
| accurate. You can invent a 'security city' perhaps and always
| give that... or just give a randomly generated password that
| you store alongside in your password locker.
| OJFord wrote:
| And if you use a long pseudo-randomly generated string,
| you will amuse support (and annoy yourself) when you have
| to read it all out...
|
| (Switched to correct-horse-battery-staple style for those
| after that.)
| InitialLastName wrote:
| Support Operator: We need to answer some security
| questions. To start with, what was your mother's maiden
| name?
|
| Scammer: "Oh, I just entered a long stream of random
| digits, but I can't find where I wrote it down"
|
| Operator: "Good enough. How large a credit line did you
| say you wanted?"
| OJFord wrote:
| What happened in my case (password reset for the online
| account for a credit card) was rather:
|
| Operator: ...
|
| (Real) me: Err.. _all_ of it? [hoping p,q,r-th characters
| will be enough]
|
| Operator: Yes please.
| staticassertion wrote:
| I use a random string and store it in a password manager
| per-site.
| magicalhippo wrote:
| I use KeePass, so I make it generate a long random string and
| just put that as the answer. It has encrypted storage of
| additional name value pairs, so I can label each string with
| the appropriate question.
| r1ch wrote:
| I suggest using diceware or similar random words, not
| random strings. Humans are typically processing these, not
| machines. "What's your mother's maiden name" can be
| answered by "Oh, I just put a bunch of random letters" if
| someone knows your stance on security questions.
| sk5t wrote:
| Yes! It should be much harder to convince a CSR who can
| see your plaintext answers that you're legit and don't
| know you were born in "Peoria" vs "eH2ochomheeVe6ti".
| magicalhippo wrote:
| I admit I've only had to fall back to the "security
| questions" a few times, but I haven't had any issues with
| the random strings.
| SAI_Peregrinus wrote:
| KeepassXC at least includes passphrase generation using
| the EFF diceware list. I use that for "security"
| questions.
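The sub-thread above (random strings vs. diceware-style words, stored as labelled name/value pairs in a password manager) can be made concrete. This is an added example, not code from the thread, KeePass or KeePassXC: it generates word-based answers with `secrets`, computes the entropy from the list size so the word count can be chosen for a target strength, and packages the answer with its question label. The word list here is a constructed 32-word stand-in; a real deployment would load the full EFF long list (7776 words), and the entropy functions take the list size as a parameter for that reason.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware list; NOT the EFF list. Entropy below is
# computed from whatever list size is passed in, not from this sample.
SAMPLE_WORDLIST = [
    "acorn", "basket", "cactus", "dragon", "ember", "falcon", "garlic", "harbor",
    "igloo", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
    "quartz", "ripple", "saddle", "tulip", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "anchor", "bubble", "canyon", "dolphin", "echo", "forest",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5: five dice rolls select one word


def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Entropy of n independent uniform picks from an alphabet (words or characters)."""
    return n_symbols * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count that reaches target_bits with the given list."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    # secrets.choice draws from the OS CSPRNG; random.choice is not suitable here
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_random_string(length: int,
                           alphabet: str = string.ascii_letters + string.digits) -> str:
    """The 'random string' alternative discussed above, for comparison."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def security_answer_record(question: str, n_words: int, wordlist=SAMPLE_WORDLIST) -> dict:
    """Name/value pair in the shape a password manager's extra fields hold, so the
    question label travels with the generated answer and can be read out by phone."""
    return {
        "question": question,
        "answer": generate_passphrase(n_words, wordlist),
        "entropy_bits": round(entropy_bits(n_words, len(wordlist)), 1),
    }


if __name__ == "__main__":
    print(words_needed(80, EFF_LONG_LIST_SIZE), "EFF words reach 80 bits")
    print(security_answer_record("Mother's maiden name?", 6))
```

Six words from the 7776-word list give about 77.5 bits; a 16-character alphanumeric string gives about 95 bits but is the thing r1ch warns is painful to read to a human. The record form is what lets the answer be treated like any other credential rather than a fact about you.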
| ravenstine wrote:
| It's interesting to hear they even support that form of 2FA.
| Few services outside of Silicon Valley in my experience don't
| support Yubikey or TOTP besides for enterprise, probably
| because they either don't understand it themselves or think it
| will confuse and scare off their customers.
| BarryMilo wrote:
| I think your sentence contradicts itself? Do you mean Yubikey
| is _not_ supported outside of SV?
| jandrese wrote:
| The most infuriating thing is when you go to the trouble of
| setting up 2FA and a strong password only to discover that the
| helpdesk will happily turn off 2FA, change your email, and
| reset your password if you call them on the phone with a sob
| story. They won't even send a notification to the old email
| address telling you that it was changed.
| city41 wrote:
| I once had a representative from Vanguard call me, and the
| first thing he asks me for is my security questions. I
| responded with "I can't be certain you're actually from
| Vanguard" and he got really annoyed. He was legit, I called
| them and got him on the line and we went from there, but it
| was obvious from the exchange most people just happily oblige
| their info.
| scottmcdot wrote:
| What use is a PUK for sim swapping? Sorry, am I missing something
| here? What would be the next step after knowing the PUK of a
| mobile phone number?
| walrus01 wrote:
| If you know the PUK you can easily port out the number or
| obtain a new SIM card with the number and put it in your own
| burner phone.
| crottypeter wrote:
| That's the PAC (Porting Authorisation Code). Not the PUK
| (Personal Unblocking Key).
| scottmcdot wrote:
| Thanks. But to "easily port out the new number", how is that
| done using the PUK?
| OJFord wrote:
| It's exactly (afaik?) what it's for - you want to transfer
| your number to a different network, you have to request the
| PUK from the old one and give it to the new one.
|
| So if I know yours (and your number) I can transfer it to a
| different network, registered to an account in my control.
| dataflow wrote:
| I thought PUK was for (un)locking the SIM to manage its
| usability, not for porting a number out of a carrier?
| Never heard of them being related before... I thought
| they're different things entirely?
| scottmcdot wrote:
| I see. I've changed carriers before but this is something
| they've managed. Maybe it's different in Australia.
| snuxoll wrote:
| PUK is PIN Unlocking Key - it's a burned-in passcode on
| your SIM card that can be used to unlock it should you
| enter your PIN incorrectly too many times.
| naturalauction wrote:
| A few years ago many of the captchas on t-mobile's site had a
| massive security flaw (no idea if this is still the case). You
| could request the captcha image multiple times (using the image
| url) and each time the captcha would be differently generated on
| demand while still having the same letters/numbers. This meant
| you could just request the captcha a few times, put each image
| through an ocr reader, and see what the captcha was most commonly
| read as (the correct answer almost every time).
|
| I was astonished to find that a multi-billion dollar company had
| such a massive flaw in their captcha system. That being said
| these kind of errors are really far too common.
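The flaw naturalauction describes comes down to one design decision: the answer was fixed when the challenge was created, and the image URL would re-render that same answer with new distortion on every fetch. The following is an added example (not T-Mobile's code or anything from the thread) that models both designs server-side; image rendering is replaced by a dict carrying the text and a random distortion seed, which is an assumption made to keep the example self-contained. The hardened version renders each challenge exactly once, burns it on any re-fetch, expires it after a short TTL, and accepts exactly one verification attempt.

```python
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits


def _new_answer(length: int = 6) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _distort(answer: str) -> dict:
    """Stand-in for image rendering: the text plus a fresh random distortion seed."""
    return {"text": answer, "distortion_seed": secrets.randbits(32)}


class WeakCaptcha:
    """Model of the flaw described above: the answer is fixed at creation and
    every fetch of the image URL re-renders the same answer with new noise."""

    def __init__(self):
        self._answers = {}

    def new_challenge(self) -> str:
        cid = secrets.token_urlsafe(16)
        self._answers[cid] = _new_answer()
        return cid

    def render(self, cid: str) -> dict:
        return _distort(self._answers[cid])  # same text on every call

    def check(self, cid: str, guess: str) -> bool:
        answer = self._answers.pop(cid, None)
        return answer is not None and hmac.compare_digest(answer, guess.upper())


class HardenedCaptcha:
    """One render per challenge, a short lifetime, single-use verification.
    A second fetch of the image discards the challenge instead of handing out
    another rendering of the same answer, so nothing can be averaged."""

    def __init__(self, ttl_seconds: int = 120, clock=time.monotonic):
        self._store = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def new_challenge(self) -> str:
        cid = secrets.token_urlsafe(16)
        self._store[cid] = {"answer": _new_answer(), "rendered": False,
                            "expires": self._clock() + self._ttl}
        return cid

    def render(self, cid: str) -> dict:
        entry = self._store.get(cid)
        if entry is None or self._clock() > entry["expires"]:
            self._store.pop(cid, None)
            raise KeyError("unknown or expired challenge")
        if entry["rendered"]:
            del self._store[cid]  # re-fetch: burn it, the client must start over
            raise PermissionError("challenge already rendered; request a new one")
        entry["rendered"] = True
        return _distort(entry["answer"])

    def check(self, cid: str, guess: str) -> bool:
        entry = self._store.pop(cid, None)  # single use whatever the outcome
        if entry is None or not entry["rendered"] or self._clock() > entry["expires"]:
            return False
        return hmac.compare_digest(entry["answer"], guess.upper())
```

A real service would also tie the challenge id to the client session and rate-limit `new_challenge`, but the one-render rule is the part that removes the specific weakness in the comment.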
| post_break wrote:
| We should have the option to require sim swaps only be done at a
| physical store with state issued ID. But that will never happen.
| raldi wrote:
| Why does the customer-service system even reveal the sensitive
| info before the agent inputs the code? It could be sent out-of-
| loop so it wouldn't even be possible for them to bypass.
|
| Related question: What should happen to a customer who
| legitimately encounters this problem?
| exabrial wrote:
| SMS as a second factor needs to be illegal. Apple, Twilio, and a
| myriad of other companies cling to it like it's safe when it's
| not.
| toomuchtodo wrote:
| Digital identity, digital identity, digital identity. Until
| digital identity is a first class citizen in the United States
| (with support through the various layers of gov from local to
| federal), private enterprise will continue to lean on
| suboptimal identity systems (SMS, pictures of government photo
| ID for proofing a la ID.me and Stripe Identity).
|
| https://news.ycombinator.com/item?id=28203374
|
| https://news.ycombinator.com/item?id=28194815
|
| https://www.gsa.gov/blog/2021/02/18/logingov-to-provide-auth...
|
| https://www.congress.gov/bill/116th-congress/house-bill/8215...
|
| https://billhunt.dev/blog/2020/12/18/federal-policy-recs/#4-...
| kube-system wrote:
| I'd be surprised if it happened any time in the next quarter-
| century. RealID was passed in 2005 and it's not even fully
| implemented yet, and only about 1/3 of Americans have one.
| Even if the Feds launched a digital ID, consumer services
| aren't going to hop on the bandwagon immediately; most people
| in the US don't have a need for a federal ID, and millions of
| them don't have any ID at all. Private enterprise is leaning
| on weak identity because they want more customers with little
| friction. There's nothing stopping private industry from
| issuing cryptographic tokens or similar, and many already do.
| The problem with selling anything to the general public is
| that you will have a very high number of customers who will lose
| every token you give them, forget every password, and won't
| be able to produce good proof of ID.
| dntrkv wrote:
| I think a digital ID will be impossible to implement for
| the sole reason of evangelicals and the conspiratorial
| atmosphere in the country. There are already a ton of
| conspiracies floating around regarding ID2020. Get the
| government involved, and this shit is dead in the water.
| toomuchtodo wrote:
| Progress occurs one funeral at a time.
|
| https://www.pewforum.org/2019/10/17/in-u-s-decline-of-christ...
|
| https://news.gallup.com/poll/341963/church-membership-falls-...
| toomuchtodo wrote:
| > The problem with selling anything to the general public
| is that you will have a very high number of customers who
| will lose every token you give them, forget every password,
| and won't be able to produce good proof of ID.
|
| The US Postal Service (USPS) has successfully piloted a
| service to check people's identity in-person at both USPS
| locations and at people's homes using their existing
| portable tablets used for mail delivery [1]. I'd agree that
| it's uphill, but it (competent digital identity
| implementation) is necessary for the reliable functioning
| of government and commerce in the twenty first century.
| Otherwise, SIM swaps, identity fraud, and similar will
| continue to be a (costly) thing.
|
| iOS 15 is rolling out digital IDs in Wallet. I'm excited to
| see if this enables a faster deployment with solid
| primitives.
|
| [1] https://gcn.com/articles/2013/01/28/usps-pilot-cloud-federal...
| kube-system wrote:
| The descendant of that 2013 pilot is today's login.gov,
| which is not really the kind of 'digital identity' that
| solves the problems at hand here. It's basically just SSO
| for government systems and has many of the same security
| concerns as other SSO systems. Login.gov passwords can be
| reset by email.
| rexf wrote:
| It does not need to be illegal. It's not ideal 2FA, but it does
| not _need_ to be legislated away.
|
| Apple has a second factor system where you can authorize a new
| device using another Apple device. While this is convenient,
| not everybody has 2 Apple devices (for each Apple login).
| Worse, they use a dark pattern to make enabling this (other
| device auth) the default choice, so it's really easy to setup
| when you update your iPhone.
| dheera wrote:
| I firmly want it to be legislated away, but for a slightly
| different reason. Specifically, you should never be
| _required_ to disclose a phone number to a business that
| doesn't absolutely need your phone number to directly render
| services.
|
| I was eating at a restaurant once -- IN PERSON -- and the
| fucking web interface they force everyone to use to order
| food wanted a SMS 2FA. WTF? No. I don't require your waitress
| to disclose her phone number to order food. And in return,
| you don't ask for mine. Just take my food order, swipe my
| credit card, and bring the food to the table, there is no
| need to disclose a phone number.
|
| I think the ideal law should be: Any business that wants 2FA
| MUST support at least U2F hardware keys. It's okay to also
| offer SMS but not okay to offer only SMS.
| flatiron wrote:
| At least at the AppleCare call center it's called "itsme" and
| it's a push message. Sadly only works on iOS or macOS
| jandrese wrote:
| SMS isn't about security. It's about making it harder for bots
| to set up accounts. The first thing you should do after SMS
| verifying an account is delete the phone number so it doesn't
| leave a back door open.
| sentrysapper wrote:
| So while Sprint and T-Mo are culpable in this poor training, I
| feel bad for the tech support agent. She clearly just wanted to
| help this person out.
| kube-system wrote:
| That's precisely the human flaw that most social engineering
| relies on.
| parhamn wrote:
| Am I the only one that'd rather we fix the vulnerabilities with
| SMS verification instead of killing it? The cross platform
| password manager + OTP (and sidecaring OTP with your passwords is
| sketchy to begin with) UX is just terrible. Adoption is very
| important for this stuff and SMS does that best.
| seniorivn wrote:
| Fido2 hardware 2fa keys are the right solution
|
| as to solving sms 2fa security, it's flawed by design, even if
| it was e2ee
| walrus01 wrote:
| This is why SMS-based "2FA" is not real 2FA. Anything vulnerable
| to social engineering customer service reps at some giant
| telecom, or faking documents to port out a number (SS7/PSTN are
| woefully insecure and should not be trusted by anyone), is a huge
| gaping hole.
| neither_color wrote:
| This is the text I got from T-Mobile:
|
| _T-Mobile has determined that unauthorized access to some of
| your information, or others on your account, has occurred, like
| name, address, phone number and DOB. Importantly, we have NO
| information that indicates your SSN, personal financial or
| payment information, credit /debit card information, account
| numbers, or account passwords were accessed. We take the
| protection of our customers seriously. Learn more about practices
| that keep your account secure and general recommendations for
| protecting yourself: t-mo.co/Protect_
|
| It's such a shit feeling knowing my name and info are out there
| and that it's only a matter of time before they make attempts on
| my accounts or identity, I'm one of tens of millions and can only
| hope that I'm far down the list. I'm usually pretty good with
| online security, I don't even reuse usernames or emails to sign
| up for different services, use 2fa for anything important, use
| containerized tabs for social websites, use VPNs on non-familiar
| site so some random guy's blog doesn't have my IP, etc... and
| there goes my cell phone provider fucking things up for me
| anyways. I don't even know if this is actionable info, should I
| even bother? Should I get a new number and replace my number at
| all services that use this number?
| MeinBlutIstBlau wrote:
| The only time it's actionable is if you inquire damages
| honestly. And even then it's an uphill battle cause you'll have
| to prove it was because of the leak and not something else.
| brightball wrote:
| Name, address and phone number has been available for a long
| time in the phone book. People throw parties and post birthday
| information all over social media constantly.
|
| That information shouldn't be a risk. It's too easy to get for
| everybody.
| dylan604 wrote:
| I never posted my real birthday on social media, but then one
| day it magically showed up on IMDB. That one still pisses me
| off.
|
| Information posted in the phone books during the time of
| phone books couldn't really be weaponized against you like it
| can be now. So yes, times have changed. Just because
| something used to be done doesn't mean it should still be
| done that way.
| kevin_thibedeau wrote:
| You can edit IMDB data about yourself.
| dylan604 wrote:
| please, show me how. i have tried long in the past and
| was not able.
| taeric wrote:
| I think the aim of who you responded to was that we should
| find ways to blunt the weaponization of this information.
|
| For my part, I think both can be pursued. Let's do what we
| can to help keep things private. Let's also do what we can
| to keep things irrelevant.
| dylan604 wrote:
| The fact that previous address is relevant is such a
| strange thing to me. I can't think of anything this
| actually solves by using, yet it is everywhere with
| "confirming" you are you. I know I am me, and here's all
| of these other government issued IDs that say I am me.
| Prior address does not.
| acomjean wrote:
| Lamentably, we're at the point where your information is likely
| out there. It is a shitty feeling, being the victim.
|
| I got the email from my employer this year that my application
| for unemployment was rejected because I'm still working (I didn't
| apply). I had a tax check stolen and attempted to cash.. (the
| bank stopped that one.. Dominican Republic bank cashed that
| one..), IBM backup tapes with maybe my personal information
| went missing..
|
| A friend who is super vigilant had someone apply for a credit
| card with his credentials.. The card company sent him a letter
| asking if he had moved.. The card was approved and ready to go.
|
| It's sad, but you have to stay vigilant. I don't know if it's
| worth getting a new cell number. It is kinda your identity now.
| chris37879 wrote:
| Are you an adult over the age of 21? Cause if so all your info
| was likely dumped in the Equifax breach a couple years ago if
| you had interacted with credit in any way. It's one of those
| things that you just have to accept it's out there and secure
| yourself the best you can, 2fa everywhere, password manager,
| don't re-use passwords, etc. Most of that info is most
| dangerous when it can be used to break into a weaker account
| that may be used as auth for a stronger account, like T-Mo
| redirecting your 2fa texts to an attacker that paid off a
| customer support agent to sim swap your number. Your phone line
| is a huge security liability because of 2fa texts and the lax
| policies around line transfers. And this basically extends to
| any server, if they can get into your email, they can get into
| any account that uses your email as auth.
| nonfamous wrote:
| I got the same text, and I've never had a prepaid phone. The
| exposure clearly goes beyond the credit applications T-mobile
| claims.
| zz865 wrote:
| I got a message that they changed my pin and put the new pin in
| the sms message. Kinda shocked.
| tmaly wrote:
| I got the same text. I think if people get access to your
| number, and your number is used as part of a 2fa for another
| service like your bank, then it is only a matter of time before
| you get hacked.
| slg wrote:
| Security and convenience are usually in direct competition with
| each other. Customer service people have to listen to people yell
| at them when convenience is sacrificed and aren't held
| accountable for security problems. They therefore optimize for
| customer convenience. I don't completely fault them for it. If
| anyone has had the frustration of sitting on the phone with a
| customer service rep trying to remember a PIN code that was set up
| 5 years ago when signing up with an ISP and was never thought
| about since, you can probably understand it.
|
| It is easy to blame a single person or a single company for poor
| practices, but I have yet to encounter any real solution to this
| problem that allows someone to prove they are who they say they
| are which is able to hit the sweet spot between too many false
| positives (hijacked accounts) and too many false negatives (valid
| customers locked out).
|
| If I was a security-minded person looking for startup ideas, this
| is the problem I would be looking to solve.
| lrvick wrote:
| We already have a solution: WebAuthn.
|
| Almost every phone and laptop today supports it, and you can
| optionally have a backup in the form of a $10 keychain device
| or 24 words written on paper.
|
| This does mean people will be best off to keep at least one
| backup safe with other things they can't afford to lose like
| their SSN card and drivers license.
|
| Once WebAuthn is set up then day to day as long as a person has
| not lost -all- their devices, then remote identity verification
| can be fast tracked.
|
| If they have lost all their devices it would be like if they
| lost all citizenship paperwork and will be a longer, generally
| in person, process involving reference verification and a
| waiting period.
| bbarnett wrote:
| People can't recall their 4 pin password, but you think they
| will store docs in a safe?
|
| The problem is, no matter what you tell the average person,
| they are not capable of such diligence.
| slg wrote:
| The ideal solution should hopefully handle a "mugged in a
| foreign country" hypothetical. If a normal person traveling
| abroad loses both their wallet and phone, would they be able
| to regain access to their digital life before they got home?
| With Sprint/T-Mobile's current approach, the answer would be
| yes. With WebAuthn, it is a big maybe and is probably a no
| for most people. We are back at the security versus
| convenience choice.
| jdavis703 wrote:
| I think most people carry their security keys on their
| keyring. And since most muggers don't demand keys I think
| people should generally be safe.
| eikenberry wrote:
| Except many people keep their keyring in their bag and
| muggers often just grab the bag.
| pishpash wrote:
| Then keep another key somewhere else, like with a fellow
| traveler or at the hotel. This is why people make copies
| of physical keys.
|
| All security is physical security. We need to end the
| delusion that it is not or can somehow be bypassed, and
| embrace it instead.
| haukem wrote:
| Why are only very few services supporting WebAuthn?
|
| Google and github support WebAuthn, but most services only
| support OATH-TOTP, OATH-HOTP or even worse only their own
| app.
| dheera wrote:
| If something doesn't support Web'n'Auth you can use TOTP
| with a Yubikey, the TOTP moves with the key, much better
| than those dumb authenticator possibly-spyware apps.
| chris37879 wrote:
| Since moving my totp keys onto a yubikey, I device hop
| with wild abandon since I know I can't accidentally bork
| my 2fa, it's great.
| vanburen wrote:
| "24 words written on paper."
|
| That's cool, I didn't realise it was possible to backup the
| webauthn secret this way.
|
| I googled but couldn't find any documentation on how to set
| this up, could you let me know how you set this up?
|
| Not being able to make backup of the Webauthn secret is why I
| have stuck with TOTP so far.
| chris37879 wrote:
| It's not exactly part of the webauthn standard. Or at least
| not a described part, it falls under the 'roaming
| authenticator' and 'backup credentials' mentioned in the
| spec, effectively it's a function that generates a crypto
| key where the key matter is the 24 randomly chosen words.
| It's basically just _another_ key that a service can setup
| and store for you, but encrypted with the secret they
| share with you up front in the form of those words.
| kube-system wrote:
| > If they have lost all their devices it would be like if
| they lost all citizenship paperwork
|
| If you're running something like a phone company in the US,
| millions of the people you service probably aren't citizens.
| If your process is "longer, generally in person, process
| involving reference verification and a waiting period", then
| your competitor will get those customers instead. Prepaid
| plans first became very popular in the US in part because
| they do not require bank accounts or SSNs.
| ummonk wrote:
| The ideal would be DNA-based authentication. You go to their
| store, they prick you and use rapid sequencing to verify that
| you are who you say you are.
| Jolter wrote:
| If you have to go to a store, wouldn't a government issued ID
| be sufficient and less invasive?
| ummonk wrote:
| What if you lose your government ID? What if someone fakes
| your ID?
| Jolter wrote:
| What if someone bribes the person taking the dna sample?
| Corrupt telecom employees have already been complicit in
| ID fraud by redirecting SMS traffic to attackers.
|
| How does the business know the DNA used to set up an
| account for Bob comes from him and not from attacker
| Bill? They would have to take his ID at his first visit
| so you're still vulnerable to ID fraud.
|
| We can argue back and forth but IMO the DNA idea has two
| problems: 1 It is too invasive as it requires customers
| to reveal their DNA to the business. 2 It is impractical.
| Firstly, the technology doesn't exist. Secondly, it
| requires a physical visit to authenticate.
| ipaddr wrote:
| Why not take cheek samples?
|
| Wouldn't a finger print be easier?
|
| Why would you need to go to the store? Plenty of DNA
| sequencing happens over the mail for ancestry and the like.
| Partner with them and offer discounted DNA results.
|
| Ideally you do this once and keep a card and use it
| everywhere.
| ummonk wrote:
| Yeah thinking about it more it's probably a cheek swab and
| not a blood prick. And yeah the card would be the more
| regularly used 2FA. The DNA test is just for when you lose
| your card.
|
| As to doing it by mail, that may be potentially doable, but
| one would need to think through how to prevent e.g. stolen
| saliva, MITM mail sample interceptions, etc.
| crazygringo wrote:
| I'm pretty sure I've seen sci-fi movies where they get around
| this with a fake layer of skin applied and engineered/stolen
| blood with the desired DNA.
|
| Biometrics are never perfect. Sometimes they can be forged
| (even something as simple as a _printout_ of a human face
| looking in a camera), other times you take advantage of a
| tech vulnerability to feed the desired biometric data in
| directly without needing to produce anything physical at all.
| FabHK wrote:
| Apart from SMS as a second factor, what's this with "What number
| would you like me to send this [code] to?", where clearly an
| attacker could give an arbitrary burner number under their
| control. They should only use numbers already associated with the
| account, and adding/changing one should by itself require
| authentication. Oh well.
| chrischen wrote:
| They send it to a number on the account.
| FabHK wrote:
| So the question is in case there are multiple numbers
| associated with the account?
| lotsofpulp wrote:
| It is common to be part of a family plan in the US. The
| person in the example must have been in one to have been
| offered that option. Family plans are much cheaper per
| phone number than individual plans.
| dylan604 wrote:
| Depends on the account type. I have had Microsoft and other
| systems ask me to send a code to a phone number. It wasn't
| specific, so I asked my co-worker if, for science, I could send
| the code to their phone. It worked.
| dathinab wrote:
| What I don't understand is why the service person can _see_ the
| PUK (1).
|
| There are just way too many ways this can go wrong.
|
| (1): Rhetorically, most likely because when their service system
| was developed this wasn't a concern and since then they never re-
| evaluated this part for security (or did and didn't care to
| change it).
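Three comments above converge on the same design points: raldi asks why the sensitive data is shown before the code is confirmed and suggests sending it out of the agent's loop, FabHK says codes should go only to numbers already on the account and that adding a number should itself require authentication, and dathinab asks why the agent can see the PUK at all. The following is an added model of an agent-facing account service that enforces those rules; it is not Sprint/T-Mobile code or anything from the thread. The SMS gateway is a callable passed in (assumed interface), the account data is constructed sample data, and the PUK value is an obvious placeholder.

```python
import hashlib
import hmac
import secrets
import time


class VerificationError(Exception):
    pass


class AccountService:
    """Agent console model: the one-time code is delivered out of the agent's
    loop, it may only go to a number already on file, and sensitive fields
    (and changes to the numbers on file) are refused until the holder has
    proven control of that number within this session."""

    def __init__(self, accounts: dict, send_sms, clock=time.monotonic,
                 ttl_seconds: int = 300):
        self._accounts = accounts  # id -> {"numbers_on_file": [...], "sensitive": {...}}
        self._send_sms = send_sms  # gateway callable(number, message); console never sees the code
        self._clock = clock
        self._ttl = ttl_seconds
        self._pending = {}         # id -> (sha256(code), expires, number)
        self._verified = {}        # id -> expires
        self.audit = []            # (event, id, detail) tuples for later review

    def request_code(self, account_id: str, requested_number: str) -> None:
        acct = self._accounts[account_id]
        if requested_number not in acct["numbers_on_file"]:
            self.audit.append(("code_refused", account_id, requested_number))
            raise VerificationError("codes go only to numbers already on the account")
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[account_id] = (hashlib.sha256(code.encode()).hexdigest(),
                                     self._clock() + self._ttl, requested_number)
        self._send_sms(requested_number, f"Your verification code is {code}")
        self.audit.append(("code_sent", account_id, requested_number))

    def submit_code(self, account_id: str, code: str) -> bool:
        pending = self._pending.pop(account_id, None)  # one attempt per code
        if pending is None:
            return False
        code_hash, expires, number = pending
        if self._clock() > expires:
            self.audit.append(("code_expired", account_id, number))
            return False
        ok = hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).hexdigest())
        self.audit.append(("code_ok" if ok else "code_bad", account_id, number))
        if ok:
            self._verified[account_id] = self._clock() + self._ttl
        return ok

    def _require_verified(self, account_id: str) -> None:
        expires = self._verified.get(account_id)
        if expires is None or self._clock() > expires:
            raise VerificationError("account holder has not verified in this session")

    def reveal_sensitive(self, account_id: str, field: str) -> str:
        self._require_verified(account_id)  # nothing sensitive before the code is confirmed
        self.audit.append(("sensitive_revealed", account_id, field))
        return self._accounts[account_id]["sensitive"][field]

    def add_number(self, account_id: str, new_number: str) -> None:
        self._require_verified(account_id)  # changing where codes go is itself sensitive
        self._accounts[account_id]["numbers_on_file"].append(new_number)
        self.audit.append(("number_added", account_id, new_number))


# Constructed sample data; the PUK value is a placeholder, not a real key.
SAMPLE_ACCOUNTS = {
    "acct-1": {"numbers_on_file": ["+15555550100", "+15555550101"],
               "sensitive": {"puk": "PUK-PLACEHOLDER-00000000"}},
}
```

The audit list is the detection hook: refused code requests to off-account numbers and repeated `code_bad` events per agent are the signals a fraud team would alert on. Whether the agent should ever see the PUK even after verification is a separate policy choice; a stricter variant would send it to the verified number instead of returning it to the console.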
| paulpauper wrote:
| tmobile + gmail + crypto accounts = someone about to lose crypto
___________________________________________________________________
(page generated 2021-08-23 23:00 UTC)