[HN Gopher] NY Man Pleads Guilty in $20M SIM Swap Theft
___________________________________________________________________
NY Man Pleads Guilty in $20M SIM Swap Theft
Author : picture
Score : 98 points
Date : 2021-12-16 18:06 UTC (4 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| toomuchtodo wrote:
| Tangentially, the FCC is forcing the hand of mobile carriers on
| this. T-Mobile _just the other day_ has updated their policy so
| that two employees must be present and part of the process to
| swap a customer's SIM. The perils of your phone number being your
| identity.
|
| Refreshing to see these active theft and wire fraud prosecutions.
| thathndude wrote:
| Lawyers have been making bank filing claims against the
| Telecoms for sim swap losses.
|
| Never did any myself, but have friends who have done well with
| these cases. They essentially allow the lawyers to share in the
| appreciation of crypto.
| krebsonsecurity wrote:
| That's nice to hear. So the SIM swappers have to double their
| bribes.
|
| I think the best solution is to cut the mobile providers out of
| the equation altogether. I've long advised removing your phone
| number from anything you can, or at least substituting a voip
| service that can't be social engineered over the phone. Some
| services don't let you use voip services for multi-factor or
| signup, so your mileage may vary.
|
| Also, it's important where possible to use types of multi-
| factor that don't rely on your phone number. The tricky part
| is, so many sites will let you reset your password if you can
| receive a link via SMS at the phone number on file for the
| account. Which means anyone who SIM-swaps you then can reset
| the passwords on those accounts that allow SMS resets (which is
| a lot, still).
| ndesaulniers wrote:
| One thing I don't understand about the suggestion to remove
| my phone number from 2FA is that 1FA seems worse. I'd prefer
| something like Google authenticator, but none of my banks
| offer that. Did I misunderstand the suggestion? Is there
| something else I should do?
| chinathrow wrote:
| > but none of my banks offer that. Did I misunderstand the
| suggestion? Is there something else I should do?
|
| Yes there is: change your bank. If your bank is still using
| SMS based 2FA, get the hell out of there. If you really
| need to keep that account for reason X, move out all your
| assets to another bank and keep enough funds to fund X
| there.
| [deleted]
| kube-system wrote:
| > Yes there is: change your bank. If your bank is still
| using SMS based 2FA, get the hell out of there.
|
| Have any suggestions for a bank that supports TOTP? I
| have yet to find a decent bank in the US that supports
| this.
| chinathrow wrote:
| I am not in the US but I'm sure fellow HNers can help you
| out.
| vdqtp3 wrote:
| First Tech Federal Credit Union and Fidelity both support
| time/token based auth although it's Entrust or Symantec
| VIP, not open TOTP
| kube-system wrote:
| I really wish there was some bank that would support plain
| TOTP. I don't want 5 different solutions to managing my
| TOTP tokens. I already have one.
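| The sub-thread above contrasts SMS codes with "plain TOTP". As an
| added example (not from the thread, and not any bank's code), here
| is an RFC 6238 TOTP generator and verifier in Python: the seed and
| timestamps are the RFC's published test values, and the replay guard
| and the one-step clock-skew window are the verifier-side details a
| service offering open TOTP needs that the comments do not spell out.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, generator and verifier (added example, not the thread's code)."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890"); a real
# deployment generates a random per-user seed at enrolment.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                     # low nibble of last byte selects 4 bytes
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP = HOTP with counter = floor(unix_time / step). No phone number involved."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Verifier side: accept a code from the current step or +/- `window` steps
    (clock skew), but never a step at or before `last_counter` (replay guard).
    Returns the accepted counter so the caller can persist it, or None."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue  # that time step's code has already been spent
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return candidate
    return None


def secret_from_base32(b32: str) -> bytes:
    """Enrolment QR codes (otpauth:// URIs) carry the seed as unpadded base32."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore padding for b32decode
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Same seed as the RFC, as an authenticator app would hold it after scanning a QR code.
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(seed, now)
    print("current code:", code)
    accepted = verify_totp(seed, code, now)
    print("first use accepted at counter:", accepted)
    print("replay of same code:", verify_totp(seed, code, now, last_counter=accepted))
```

| The verifier stores the returned counter per user; a second submission
| of the same code in the same step is then rejected, which SMS-based
| resets cannot do because the carrier, not the service, holds the secret.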
| DarylZero wrote:
| You must have to pay more than double to bribe two people
| simultaneously -- since each one then has to rely on an extra
| person to cover up the corruption.
| dbancajas wrote:
| > one number on file for the account. Which means anyone who
| SIM-swaps you then can reset the passwords on those accounts
| that allow SMS resets (which is a lot, still).
|
| Why not use a special phone number for 2FA? How do hackers
| know your phone number?
| rp1 wrote:
| Hackers can easily get anyone's phone number. Just Google
| <name> phone number. There are so many data brokers out
| there happy to sell this information.
| [deleted]
| ghaff wrote:
| One of the few things I miss about giving up my landline a
| couple years ago is that I pretty much have to give out my
| cell phone number for anything that needs a valid phone
| number. (yes, I could use Google Voice or some sort of VOIP
| number but that starts making things complicated.) I used to
| be very selective at giving out my cell number.
| mhb wrote:
| What about a second cell phone? Depending on whether
| ~20/month is worth it.
| Maursault wrote:
| > yes, I could use Google Voice or some sort of VOIP number
| but that starts making things complicated.
|
| You should soldier through it. Google Voice is a decent
| free service domestically, unless paranoid. I use it in the
| reverse manner as I expect you would intend (if you'd
| intend to generate many virtual throw away numbers to
| forward back to your phone until the forwarding is manually
| severed). My actual phone number has changed many times
| over the years, but my GV number stays the same.
| Eventually, I got rid of my phone altogether. That was
| January 2014. But jobs will often require I carry the on-
| call cell (which I almost never need to use and just for
| work). Boy I sure miss those cell phone bills every month,
| not. I just realized GV has saved me at least $10K since I
| cancelled my cell contract.
| walrus01 wrote:
| > or at least substituting a voip service that can't be
| social engineered over the phone
|
| Unfortunately it's also very easy for somebody to submit
| falsified port documentation to port away your voip number to
| their own carrier.
|
| In many cases even easier than doing a SIM swap, since the
| old-school way to do a port is to literally print out one page
| of a bill with your name on it (anybody could edit this by
| inspect element on a legit bill of their own and swap your
| name), print it, sign it in ink, scan it, and send it to the
| carrier requesting the port-in.
| menage wrote:
| One of the advantages of using Google Fi as your phone
| provider on a Google phone: there's no SIM, and you have to
| log in to the phone on your Google account in order to
| transfer phone/SMS service there. So an attacker can't use a
| SMS hijack to steal 2FA codes unless they've already
| compromised your Google account (which is hopefully a higher
| bar than convincing some random phone shop employee).
| e40 wrote:
| I have an iPhone with Google Fi and I have a SIM. The
| entire family does and they also have them.
|
| However, the point of needing to login to your Google
| account is well taken. And I have 2FA on that.
| Jerrrry wrote:
| >That's nice to hear. So the SIM swappers have to double
| their bribes.
|
| Most SIM-swappers are retiring with their ill-gotten crypto,
| but the ones remaining are at the "bribing prosecutors" level
| now.
|
| With crypto skyrocketing and the pitfalls of SMS becoming
| more apparent, I fully expect the jump to amateurs purchasing
| and leveraging state-level 0days against unwitting wallet
| holders.
|
| The gap between profit and cost is getting larger, and more
| crypto-millionaires are going to get their Teamviewer 0dayed.
| reactspa wrote:
| > Following the theft, Terpin filed a civil lawsuit against
| Truglia with the Los Angeles Superior court
|
| Request: can anyone help clarify why this needed to be civil and
| didn't qualify for criminal?
| paxys wrote:
| It may have qualified as a criminal case, but you as a citizen
| can't really do much to get the police, AG or a federal agency
| to devote their resources to it. Suing someone in a civil court
| is a pretty straightforward thing to do.
| [deleted]
| kingcharles wrote:
| I just posted this in another thread...
|
| Also, don't let your mobile phone number expire and someone else
| get it.
|
| I can log in to the previous owner's TikTok account with just his
| number.
|
| I signed up for a food delivery service two days ago and it
| autofilled all the details with his full name and address for me.
|
| How many other sites let you log in with just a phone number?
| Asking for a friend...
| tentacleuno wrote:
| > Also, don't let your mobile phone number expire and someone
| else get it.
|
| How would you do this, then? I believe old numbers are kept for
| a certain time (6 months?) and then put back into the public
| pool. If we had a more technical solution (think IPv6
| addresses, but for phone numbers) this shouldn't be an issue in
| theory. Of course, having to remember something resembling an
| IPv6 address to contact somebody would be a pain. I would say
| we could use a username system, but I believe we've seen the
| downsides of that way too many times already.
| jktogjfnn wrote:
| > _How would you do this_
|
| You port your number to a super-cheap carrier and keep paying
| for their lowest subscription, even if you don't need it
| anymore.
|
| I paid $5 per month for 5 years to keep a number alive, even
| though I wasn't living in the country that issued it anymore.
| wly_cdgr wrote:
| Such small potatoes. Enterprise software companies steal that
| much probably every day
| paulpauper wrote:
| I don't think people appreciate just how big the crypto fraud
| problem is, and how much bigger it will get.
|
| Crypto is so big, to put it in perspective, the gambling sector
| worldwide was estimated to be worth roughly $265 billion U.S.
| dollars in 2019. That is just 2/3 the market cap of Ethereum
| alone.
|
| Crypto is bigger than pretty much anything right now. Bigger than
| pro sports, bigger than the entertainment industry. Only the tech,
| real estate, retail, and finance industries are bigger. But those
| are composed of thousands of companies.
| hoofedear wrote:
| It's almost some sort of very large, round thing that is just
| growing and growing
|
| I'm sure there's a better term for it
| dvt wrote:
| SIM swapping has really nothing to do with crypto per se,
| people use it to steal identities/fiat all the time.
|
| Crypto _is_ big, but to be fair "just" Apple is bigger than
| crypto. Compared to the NYSE or Nasdaq, it's small, and when
| compared to forex (maybe a more apt comparison), it barely
| registers. Incidentally, I think this is why crypto's here to
| stay (probably forever): it's huge and growing, very popular,
| and the masses seem to like it. It's like the McDonalds of
| financial instruments. I don't think governments care to (or
| can) regulate it, so as long as we're paying taxes on gains,
| they will let it slide.
| paulpauper wrote:
| Crypto is money. So you got $2.2 trillion of money lying
| around. So of course criminals are going to go through any
| means to get some, including SIM swaps, but so much more.
| You cannot steal stock or real estate in the same way you can
| steal crypto. Crypto by definition is irreversible and
| unbreakable. So even way more attractive to criminals just
| for that property.
| yborg wrote:
| >I don't think governments care to (or can) regulate it
|
| China has literally banned Bitcoin. Their approach is to roll
| out their own digicoin.
|
| Governments have been very slow to figure out how to approach
| crypto, but the current Wild West of tax evasion, money
| laundering and virtual bank robberies won't go on forever.
| Just like counterfeiting and money laundering exists today,
| there will continue to be exploitation of the financial
| system, but it will be explicitly criminalized.
| dvt wrote:
| > China has literally banned Bitcoin. Their approach is to
| roll out their own digicoin.
|
| China "banning" cryptocurrency is a meme at this point (I
| think they've banned it 4 times now).
|
| > Wild West of tax evasion
|
| You literally cannot evade taxes, so I'm not even sure what
| this means. All US exchanges report everything to the
| IRS/SEC. And if the exchanges don't, your bank certainly
| will. Moving money in your bank account and not reporting
| it as income is a big no-no so good luck to anyone that
| tries to do this.
|
| > Just like counterfeiting and money laundering exists
| today
|
| This is kind of a faulty analogy, it's not like cash is
| banned, and most of those things are done with cash. People
| seem to like crypto markets as a speculative instrument. Is
| that good/bad? I don't know, but it's probably here to
| stay.
| supernova87a wrote:
| I wonder if the following idea has occurred to anyone else?
|
| We have more and more kinds of accounts, financial products,
| online services, etc. that would benefit from some kind of real
| in-person verification at points in the process (initial
| application, maintenance, changes to account) that are
| imperfectly done with credit checks, questions/answers, logins,
| etc.
|
| We have Post Offices in nearly every corner of this country. How
| about turning them into a kind of value-added identity
| verification service where any company wanting/needing an
| identity verification could rely on the Post Office to accept
| someone in person to prove who they are (through fingerprint,
| document, etc) and be the 3rd party to make this proof easy?
|
| Sure you would need to have normal fraud protections, etc. but I
| bet the act of having to come to a post office would make things
| very secure / reliable. And it would give the post office a new
| function. I heard of this being done in some other countries.
|
| It seems like a way to avoid us all having to pay for fraud so
| frequently.
| pjc50 wrote:
| _cough_ national id scheme, anyone? Thinking of E-Estonia here.
| jjcm wrote:
| It's long, long overdue. That said, a national ID scheme has
| long been opposed by a vocal part of the Christian population
| in the states. Its association with the New Testament's
| prophecy of the mark of the beast prevents many lawmakers
| from pushing forward a proposal, especially since 65% of
| Americans in 2019 identified as having a belief in some
| variety of Christianity[0].
|
| The obvious reality here is that in the wake of no proper
| national identification system, social security numbers have
| been used instead. It's not a question of whether or not we
| have a national ID, it's really just a question of whether we
| have a functional one or an inadequate one. Nonetheless
| politicians would likely be committing suicide with their
| constituents in some districts if they were to support a push
| towards a better system.
|
| [0] https://en.wikipedia.org/wiki/Religion_in_the_United_States#....
| ghaff wrote:
| >social security numbers have been used instead
|
| Historically that was sort of the case. I'd argue today
| that we mostly rely on state-issued IDs (especially but not
| necessarily driver's licenses) which are now overlaid with
| RealID requirements.
|
| As a practical matter it's probably indistinguishable from
| what a federally-issued ID would be and I'm mostly content
| with not adding any more layers of identity verification
| than are really necessary. I'd probably oppose a push for a
| broadly required federal ID--although I have a passport
| (and a global entry card).
| kevin_thibedeau wrote:
| Some states allow use of SSNs for drivers license
| numbers.
| dzhiurgis wrote:
| My National ID is valid for 10 years, but certificates expire
| 3 years after issue. Can only renew face to face, but I'm
| approx 30 hours of flight time away from home, lol.
|
| But I agree - NFC passports are already kinda doing that, but
| there isn't enough services that support it.
| chrisin2d wrote:
| I lived in the Netherlands and admired how they offer a SSO
| service called DigiD for most--if not all--national and
| municipal services: personal tax, business tax, healthcare,
| pension, water, garbage, police and many other service
| portals. Yes, there is a nice online police portal where you
| can digitally file a police report, get a declaration for
| insurance, and ask questions.
|
| You also get a digital inbox--Berichtenbox--to organize and
| centralize all communications from those agencies.
|
| It is difficult to overstate how much life is made better
| when the government is well-organized and that organization
| is exposed to you through good UX. I'm now back in the US,
| it's been 2+ weeks since my renewed passport was supposed to
| have been mailed to me, and no one at the State Department
| knows anything.
| dzhiurgis wrote:
| Not having to depend on phone numbers would be so good,
| especially for citizen mobility.
| MichaelBurge wrote:
| The term you're looking for is "Notary". There are plenty of
| them around, and they're required to execute high-dollar
| contracts like buying a house or signing certain contracts.
|
| Every state has its own requirements to become a notary (with
| one requirement being posting a $10k bond or purchasing
| insurance, so you have something to lose if you make an
| egregious mistake).
|
| You can require counterparties notarize any documents you'd
| like, and reject anyone who declines. And you can do this
| without needing to change the law to increase the scope of
| responsibility of the USPS.
| ghaff wrote:
| I'd just observe that we saw the opposite happening with COVID.
| Based on a couple experiences of my own I was chatting with a
| friend who runs gift-giving strategy for a major university. I
| made the comment that a lot of things that just _had_ to be
| done in person with notaries etc. suddenly apparently didn't
| have to be any longer and she agreed.
|
| While it's doubtless sometimes necessary, I'm generally a fan
| of not having to go into an office for money transfers and so
| forth. It's also worth remembering that this sort of thing may
| (normally) be pretty low overhead for a lot of us but isn't for
| e.g. people who aren't very mobile.
| fnord77 wrote:
| The USPS could be doing this and so much more for citizens.
|
| But lawmakers in this country are allergic to having the
| government manage anything
| MisterTea wrote:
| > But lawmakers in this country are allergic to having the
| government manage anything
|
| Congress has slowly been fucking the USPS to death at the
| behest of FedEx, UPS, et al lobbyists.
| tantalor wrote:
| Here's my Senator on the subject of postal banking:
|
| > "You would have to work very hard to come up with a worse
| idea than having the government become a national bank
| executed through the post office," [Sen. Pat Toomey, a
| Pennsylvania Republican] said. "Even if the U.S. Postal
| Service was the most competent, professional and best-run
| organization on the planet, they should not be in the
| business of banking.
|
| > "We have banks," Toomey continued. "The idea that the
| government is going to do a better job is just laughable."
|
| What a moron.
|
| https://www.oleantimesherald.com/news/gop-senators-oppose-id...
| throwaway946513 wrote:
| What's even funnier is that we actually used to have Postal
| Banking back in the 20th century.
|
| But like other things during the 'Reaganomics era', it was
| cut, along with forcing the USPS to pay pensions 10 years
| in advance. The context does help to explain the reason why
| our USPS Grumman vans are well over their service life, and
| nowhere near retirement yet.
| nerdponx wrote:
| Meanwhile the USPS instead funds itself by being an open
| channel for wasteful junk mail.
|
| Making money while doing something actually useful? Not _my_
| government, not when there's a tiny sliver of profit to be
| funneled to wealthy special interests!
| magmastonealex wrote:
| Canada Post, the equivalent of the USPS in Canada, offers
| exactly this service [1]
|
| I've used it for Know-Your-Client type stuff with banks, but it
| is theoretically open to most if not all businesses. Every time
| I've needed to interact with it, it's been a straightforward
| process as a consumer.
|
| [1]: https://www.canadapost-postescanada.ca/cpc/en/business/posta...
| m4rtink wrote:
| Here in the Czech Republic the CzechPoint system kinda does that:
|
| https://www.ceskaposta.cz/en/sluzby/egovernment/czechpoint
|
| It's usually situated in post offices or local government
| offices and makes it possible to get a verified electronic
| signature that you can then use to prove your identity
| electronically. It can also access various government
| registries, etc.
| jptech wrote:
| Sagawa (a private courier in Japan) provides a similar
| service but at your doorstep. Basically the sender registers
| your info with them (mainly DoB) and upon delivery you have
| to provide an ID, which the driver checks that it matches
| with what's written on the envelope, then enters your DoB and
| other info and your ID number into a portable wireless POS
| device. Only if they match, you receive the package, and then
| I believe the info entered into the device gets relayed to
| the sender.
|
| (Use your translation service of choice if desired.)
| https://www.sagawa-exp.co.jp/service/kakunin/
| donmcronald wrote:
| It would be amazing to see the current trust / code-signing
| industry fail and for something that integrates services like
| the one you linked to replace them.
|
| I've always thought that a code-signing certificate tied to a
| natural person should be more valuable than one tied to a
| faceless corporation, but the industry is (poorly) built
| around selling high priced certificates to anyone with enough
| money to start a business.
|
| Imagine being able to get a code signing certificate in a
| single afternoon by signing up, taking your ID to Canada
| Post, and downloading your certificate after the identity
| verification is submitted. That would be quite the difference
| from the current awful experience where someone in a foreign
| country guesses and makes judgement calls based on the
| documentation you snail mail to them.
| jrockway wrote:
| Wouldn't people just get socially engineered into giving up
| their code signing certificate? Some ads along the lines of
| "give us your code signing certificate and be entered into
| a raffle for an iPhone" would probably work. Stand in line
| to get some document you'll never use, maybe win a gadget,
| and a few days later your name is being used to spread
| malware.
|
| Basically, I don't think a natural person is enough
| protection against malice. Something like "stick 1 million
| dollars into escrow, and if someone uses your cert to
| spread malware, we keep it" is a much stronger incentive.
| (Not what's done, of course.)
| celticninja wrote:
| You need to cater for those people, they will be the bulk
| of your clients and also need the most support. So make
| resetting it possible but not easy.
| scrollaway wrote:
| Here in europe we have several countries with digital ID
| cards. You put your ID in a smartcard reader, you put in
| your pin, and you can get your identity verified in a web
| browser.
|
| Belgium has an identity service based on this. Governmental
| OAuth. https://www.csam.be/en/about-csam.html |
| https://iamapps.belgium.be/sma/generalinfo
|
| They publish their own eID reader (middleware) and browser
| extensions. https://eid.belgium.be/en
|
| Even with an official Linux version. :)
| https://eid.belgium.be/en/linux-eid-software-installation
| xxpor wrote:
| Or we could just have a modern ID card that already has a
| cert embedded in it, and skip the whole go to the post
| office step. Most big companies and the US Federal
| government have already figured this out for their own
| employees.
|
| Keep the post office option for the folks that don't have
| an ID, but for most people, this would be the most
| straightforward option.
| lordnacho wrote:
| There's a number of KYC services where you're basically asked
| to be filmed and a person in a call centre looks at it and
| decides whether it's really you.
|
| When I went looking at them they were boasting with using AI,
| and then in the meeting it turned out it was mostly farmed out
| to someone in India.
| ribosometronome wrote:
| You misread. They're using Al, he's in Chennai and on call
| 24/7.
| Tenoke wrote:
| >We have Post Offices in nearly every corner of this country.
| How about turning them into a kind of value-added identity
| verification
|
| When I opened a bank account (n26) in Germany this is how they
| verified my identity (along with a brief video call) as a
| foreigner so the idea has merit.
| ews wrote:
| I thought about this too. My iteration of the idea is to have
| the USPS office install a cert on a citizen's phone (upon
| verification in person) and make sure a cert is associated with
| one person only. This will allow easy and reliable online
| voting.
| paxys wrote:
| What you describe does exist, but not via the post office. For
| example when I started a new job I had to go to a tiny store
| that does fax, copy, postal, notary and similar services and
| have them physically verify my employment eligibility
| documents. Several similar providers exist all over the city
| (including FedEx, UPS, banks and more).
|
| This is such a high barrier to entry, however, that people will
| simply not do it for something that isn't absolutely critical.
| Online services compete with each other to be as frictionless
| as possible, whereas this is the exact opposite of that.
| dudus wrote:
| Going through some processes with the DMV and USCIS recently, I
| noticed both of them were using Id.me.
|
| Seems like a private company providing services to these gov
| agencies on authentication. Seems like a better solution than
| showing up at the post office.
| noahtallen wrote:
| That's actually fascinating, because this official login
| solution exists, and it seems very nice: login.gov. It's from
| the GSA which seems to be doing some good work.
|
| I wonder how id.me differs, and how we haven't centralized on
| one solution yet
| toomuchtodo wrote:
| Over 200 federal agency web properties have adopted
| login.gov. Social Security Administration recently adopted
| them as their primary identity provider (and _appears_ to
| be phasing out id.me but I'm waiting on some ground truth
| to confirm that). Something is up with IRS as to why they
| went with id.me, and someone has submitted FOIA
| requests to get more context.
| paxys wrote:
| login.gov is simply a user login mechanism. id.me does
| identity verification in many different ways.
| bckygldstn wrote:
| New Zealand Post does this: https://www.realme.govt.nz/
| schappim wrote:
| It is a good idea; that is why Australia Post has done just
| this: https://auspost.com.au/business/identity/voi-solutions-for-c...
| xur17 wrote:
| Taking this a step further, I'd love for them to be able to
| issue some sort of smart card that I could then utilize when
| signing up for other accounts that still wanted verification,
| but were okay with a slightly lower assurance.
| ErikVandeWater wrote:
| I'm all for it if they execute it well enough to make a profit.
| stopglobalism wrote:
| Sounds like a Notary service.
|
| "What is the meaning of notary service?
|
| A notary is a publicly commissioned official who serves as an
| impartial witness to the signing of a legal document. Document
| signings where the services of a notary are likely include real
| estate deeds, affidavits, wills, trusts, and powers of
| attorney. The main reason a notary is used is to deter fraud."
| mindslight wrote:
| There are already standard ways of doing brick and mortar
| identity verification, and in somewhat surveillance-resisting
| ways even! The most common is "notarization" - a state-
| deputized "notary" verifies that you are who you say you are,
| and then endorses your signed document with a special stamp and
| a signature. Another common one used for financial transactions
| is a "medallion stamp", wherein not only do they verify your
| identity, but the institution doing the medallion stamp also
| takes on the risk for a fraudulent transaction.
|
| Both are generally available for free by being a customer of
| your local small bank or credit union. These could be easily
| adopted by web companies for password resets, account
| withdrawals above self-set limits, etc.
| supernova87a wrote:
| Yes, but notarization feels like a much more cumbersome
| process, designed for more like "once in a lifetime"
| transactions (house purchase, will, etc). It also feels more
| like a proof, only needed if a transaction is disputed in
| court etc, it can be investigated back to the source.
|
| I mean the every day kind of verification that fuels our
| daily transactions and benefits from instantaneous info being
| transmitted back and forth, to easily get a credit card
| approved for example.
| mindslight wrote:
| The cumbersome part of notarization is having to physically
| go to the bank, which would be the same for the post
| office. The performance of showing up in person, and
| showing a physical hard-to-forge ID, is exactly what
| drastically raises the bar for an attacker.
|
| Doing this instantaneously implies skipping the heavyweight
| process. Which I assume means doing something like a one
| time (or periodic) cumbersome in-person process, and then
| repeating a quicker online process. Any private company
| could create such a system right now, bootstrapping off the
| notarization framework to do the heavy lifting.
|
| But credit cards and other traditional financial
| institutions don't actually care about identity in such a
| strong sense. The standard process for setting up online
| access for a new account at a brick and mortar bank
| involves leaving the bank, going to their website from
| home, and entering your not-particularly-private
| information to sign up. That could be easily modified to
| setting up initial access credentials right in the bank if
| they wanted to, but the traditional financial system is
| pretty forgiving for the most part.
|
| So we're really talking about custodians of new bearer
| instruments (e.g. cryptocurrency), which are more like cash.
| Hence my reference to these new holding companies being the
| ones that should be integrating notarization into their
| exceptional account access methods. Of course they could
| also just insist on the use of real security tokens,
| require a second one for backup purposes, and simply not
| use SMS at all.
|
| FWIW another more convenient way of doing brick and mortar
| verification is to snail mail out a letter with a code on
| it to the address of record. It obviously doesn't have
| super security properties (anyone can steal mail), but it's
| much better than electronic-only non-verification and much
| nicer than surveillance database verification.
| Jerrrry wrote:
| >Truglia is still being criminally prosecuted in Santa Clara,
| Calif., the home of the REACT task force, which pursues SIM-
| swapping cases nationwide. In November 2018, REACT investigators
| and New York authorities arrested Truglia on suspicion of using
| SIM swaps to steal approximately $1 million worth of
| cryptocurrencies from Robert Ross, a San Francisco father of two
| who later went on to found the victim advocacy website
| stopsimcrime.org.
|
| holy shit, no wonder people are going dark. yall better hide.
| syspec wrote:
| Silicon Valley REACT task force?
|
| In the end Truglia's bragging to gain /props/ for a /component/
| of this crime is what led to the REACT task force getting
| their /hooks/ into his /lifecycle/.
| vmception wrote:
| He only got caught because he bragged about it?
|
| Horrible deterrent, because it isn't a deterrent.
| paulpauper wrote:
| He would have been caught eventually when cashing out. He does
| not seem careful enough.
| kumarski wrote:
| This is exactly why I gambled on Efani.
| cobrabyte wrote:
| > efani enforces 11-layer propriety military-grade client layer
| authentication
|
| I'm sure they're an upstanding company, but using the word
| 'propriety' instead of 'proprietary' is an instant turnoff for
| me. Security is a details-oriented endeavor, and everything
| from marketing to implementation needs to be squeaky clean.
| But, maybe that's just me!
| mikestew wrote:
| The phrase "military-grade" is used, and a _typo_ is what
| sets you off? :-)
| kevin_thibedeau wrote:
| The grammar checker is layer 12. The first 11 are nested
| ROT13. Ultra secure.
| shiado wrote:
| SMS-based 2FA needs to be eliminated completely. Authenticator
| apps need to come preinstalled as an essential utility on every
| OS. There doesn't seem to be a whole lot of pressure to improve
| 2FA security.
| kevin_thibedeau wrote:
| Apps just embolden employers to shirk on providing secure TOTPs
| or work phones. You should not be forced to use your personal
| property to conduct job duties.
| mikestew wrote:
| _There doesn't seem to be a whole lot of pressure to improve
| 2FA security._
|
| I gave up on that ten years ago when I worked at a biometric
| authentication company. Banks were soon to be regulated to use
| 2FA, and our system was easy to use, we're all gonna be rich!
|
| Then the banks were allowed to use security questions as 2FA.
| Not only were the employees _not_ "all gonna be rich", everyone
| else was going to get fucked when they accidentally post
| something on Facebook about how their mother (nee Mary
| $MAIDEN_NAME) used to do $SOMETHING on $STREET_I_GREW_UP_ON. So
| the continued use of SMS-based 2FA, despite its frequently-
| published flaws, isn't going anywhere until a new way to fuck
| up 2FA is found.
|
| If I had a viable solution to it all, well, I'd be rich.
| nipponese wrote:
| I don't think it's too heavy handed to make the practice of
| implementing SMS 2FA straight-up illegal. If credit card
| processing requires PCI compliance why wouldn't we apply
| similar thought to 2FA?
| m4rtink wrote:
| Doesn't that force people to not only use smartphones, but
| "approved" smartphones (read Android/iOS) with locked
| bootloaders and no root access (or the bank authenticator app
| will refuse to run)?
| walrus01 wrote:
| 1) The ability to reset account credentials or get into a service
| just by using a phone number is not real 2FA and is a huge
| security risk generally. SMS based 2FA is not real 2FA.
|
| 2) Social engineering mobile phone first-tier customer service
| reps into doing a SIM swap is not hard at all.
| admn2 wrote:
| So is it recommended to remove your phone number from your Google
| account to ensure it's not used to ever reset the password?
| paulpauper wrote:
| Never keep a lot of crypto on anything that is connected to a
| phone and/or email.
___________________________________________________________________
(page generated 2021-12-16 23:00 UTC)