[HN Gopher] Vitalik Buterin reveals X account hack was caused by...
___________________________________________________________________
Vitalik Buterin reveals X account hack was caused by SIM-swap
attack
Author : RadixDLT
Score : 185 points
Date : 2023-09-12 12:03 UTC (10 hours ago)
(HTM) web link (cointelegraph.com)
(TXT) w3m dump (cointelegraph.com)
| macNchz wrote:
| When I read that once they got into the account all the attacker
| did was post a link to a crypto giveaway scam, I briefly wondered
| why someone who managed to get into an account like this wouldn't
| try to pivot it into something more sophisticated. Then in the
| next sentence we learn they made $700k off of the scam!
|
| I've seen these giveaway scams on hacked popular Twitter accounts
| for years, I'm surprised they're still so effective. No need for
| an attacker to risk making $0 on a more involved attack when they
| can get easy cash like that, I guess.
| cdchn wrote:
| If there is a sophisticated attack pivot that is as profitable,
| quick, proven and safe, I don't think anybody knows what it is.
| netsharc wrote:
| $700k? I see that human idiocy is a large untapped source of
| wealth...
| eli wrote:
| And all those people had crypto wallets ready to go. Go
| figure.
| cdchn wrote:
| The crypto "degens" are pretty much the perfect cohort for
| pulling these kind of scams on. They're driven by fast money,
| unearned profit, and the premise of investment despite all
| rational signals pointing to it being a bad idea. It's a
| Condensation of Rubes.
| smeej wrote:
| Back in 2020, some teenage kid got access to "God mode" on
| Twitter and burned it on a crypto scam too.
|
| Easy money seems to be a pretty common goal.
|
| https://fortune.com/2020/07/16/hackers-blew-twitter-god-mode...
| [deleted]
| gmerc wrote:
| Crypto bros are self selecting for scams. If your world view
| has been degraded to see zero trust as a solution rather than a
| dystopian end state, meaning you've lost all trust in society,
| you're highly vulnerable to be conned by the authority figures
| you secretly crave to trust.
|
| It's much of what Elon, Trump and other populists actively
| foster and exploit in their fan base through relentless
| conspiracy theories and undermining of trust into anyone who
| isn't them.
|
| There's a paradox here - the more people have their trust
| violated, the more distrustful they get, and the easier they
| get scammed, as the overhead of approaching every transaction /
| interaction in life with an adversarial mindset exhausts
| critical capacity and drives people into desperate savior
| fantasies - technological miracles, charlatans, snake oil, the
| twentieth coin or pump and dump.
|
| Zero trust (the non-security version - the inability to extend
| trust) is a miserable, desperate state to be in as a human being
| and makes people highly vulnerable to getting taken advantage
| of, and crypto signaling on social media identifies you either
| as a scammer or as a mark. If you still believe technology can
| solve society's trust dilemma, you are asking for it at this
| point.
|
| And the longer the scamming goes on, the stronger the signal of
| this self-identifying audience becomes. It's like responding to
| Nigerian prince emails at this point.
|
| Go to reddit, look at the safemoon subreddit. It's ... wild how
| many times you can rip off some people and have them get more
| militant in their belief that they are smart.
|
| As a footnote, more and more tech companies explore this to
| prop up shrinking profit margins. By selling previously
| valuable trust marks such as the top result on google (there
| was a time you could trust this) or flat out verification marks
| that previously were meant to foster Trust and Safety for
| money, erosion of trust becomes a profitable feature. It's good
| for platforms when users cannot tell placed / bought placement
| and fake news from actual valuable content.
|
| It's just terminal for society - each time someone is scammed,
| has their trust betrayed, they slide a little bit closer into
| that state that is so exploitable by populists.
| yokem55 wrote:
| The healthier attitude to trust issues in crypto (and society
| at large too), is to find mechanisms (cryptographic, game
| theory, economic, legal) to manage and constrain the trust
| assumptions that are made. You can't eliminate trust, and you
| probably shouldn't try. But you should figure out ways to put
| good seatbelts and airbags on that trust so that when you do
| use trust as a social lubricant (it is very good at that),
| the damage from when it goes wrong is constrained.
| ajonit wrote:
| Quote of the day - _If your world view has been degraded to
| see zero trust as a solution rather than a dystopian end
| state, meaning you've lost all trust in society, you're
| highly vulnerable to be conned by the authority figures you
| secretly crave to trust._
|
| Very well said.
| bannedbybros wrote:
| [dead]
| oefrha wrote:
| Pretty sure 95%+ of crypto "investors" are in it for
| get-rich-quick, rather than some sort of "zero trust" ideology.
| mzsmartpants wrote:
| > in their believe they are smart
|
| Nice. A happy user of Reddit, the platform, whose CEO edits
| messages of his opponents to win an argument, that shadow
| bans users for mentioning specific words ("Soros" is one,
| BTW), that automatically sends wrong-think posts to spam...
| would tell us about the dystopian future Musk is leading us
| into. What kind of trust do you have in mind, like the one
| built in soviet times Pravda and Moskovskiy Komsomolets?
| gmerc wrote:
| If you believe there is signal value in having consumed
| reddit content - or see a Soros conspiracy behind every
| criticism of certain idols, I have some crypto coins to
| sell you too.
|
| Speaking of Soviet Russia - the FSB has fascinating manuals
| on exactly this topic, how to break down people's ability
| to trust systematically to make them vulnerable to
| ideological hijacking via authority figures and contrarian
| messages. Highly recommended reading.
|
| As we say in German, "getroffene Hunde bellen".
| lcnPylGDnU4H9OF wrote:
| > Highly recommended reading.
|
| If one were interested in finding these to read where or
| how might they be found?
| mzsmartpants wrote:
| > or see a Soros conspiracy behind every criticism of
| certain idols
|
| Idols, Soros conspiracy... And you accuse others of being
| stupid. A simple idea, shady practices on the part of a
| platform are not OK if what you want, as you say, is
| trust.
|
| > I have some crypto coins to sell you too.
|
| I'm sure you have. You were left holding the bag in the
| subreddit you've mentioned.
|
| > the FSB has fascinating manuals on exactly this topic.
| Highly recommended reading.
|
| Right, they've sent you a copy. You and your government,
| the idiots who can be seen laughing [1][2] when told they
| should not depend on Russian energy. "I don't really
| understand what he means by that ha-ha-ha", tells your
| genius defense minister.
|
| [1]: https://www.youtube.com/watch?v=FfJv9QYrlwg
|
| [2]: https://www.youtube.com/watch?v=0CvQmWoog18
| dang wrote:
| Please don't take HN threads on generic flamewar tangents. It
| makes discussion more predictable and eventually more nasty.
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
|
| https://news.ycombinator.com/newsguidelines.html
| buildbuildbuild wrote:
| You'd be surprised at the typical profile of a crypto scam
| victim. I trace cryptocurrency professionally and try to help
| as many victims as possible. Most that I meet are far from
| the "crypto bro" archetype. Often they are people who trust
| others easily, are not very tech-savvy, and believe what a
| website tells them without second guessing.
| xwolfi wrote:
| Yup I think your definition of crypto bro is wrong: that's
| exactly who they are in their vast majority, people who
| read once the opinion that the "federal reserve is never
| federal nor a reserve" and believe it and start clicking on
| bullshit links. It's in the very name of it and they can
| still believe the first guy telling them, with no proof nor
| demonstration, that it's not.
|
| Trusting the first website they read is exactly the
| defining trait of crypto bros. Normal people just use
| experience to guide their decision, like say, do like their
| parents and stick to a bank account.
| yyyk wrote:
| $700k in NFTs I recall. Isn't that more like $70?
| quickthrower2 wrote:
| They were probably time limited. No long games. Smash and grab.
| frantathefranta wrote:
| Using the account of probably one of the few trustworthy people
| in crypto probably helps.
| baybal2 wrote:
| Ironically, every SIM card is a cryptographic secure element,
| and it would've been ideal to do public key login.
|
| If you plug a SIM card into a desktop, you can actually do
| signing with it, and TLS authentication.
|
| I recall only the Nokia S60 series and A200 had a SIM card API
| exposed to apps. iOS does not give you access to the SIM; Android
| does only for system apps.
| londons_explore wrote:
| Giving apps access to the sim is a privacy leak. Every app
| would use it to get a unique user identifier and track you
| between apps.
| skdk wrote:
| The API could return different identifiers per app.
| eli wrote:
| While it's also signing things for you? That seems rather
| hard to implement.
| wiml wrote:
| It's what FIDO/U2F does, right?
| slashdev wrote:
| That's meaningless if you can also use it to compute a
| signature. Just use the signature of a constant string as
| the id.
| londons_explore wrote:
| Android could append the unique app identifier (ie.
| "com.myapp") to the end of any data to be signed. Then
| the user can't be tracked between apps. But it also
| prevents you using 'sim sign in' to sign in to the same
| service from a web browser and app for example.
| aleph_minus_one wrote:
| > Android could append the unique app identifier (ie.
| "com.myapp") to the end of any data to be signed. Then
| the user can't be tracked between apps. But it also
| prevents you using 'sim sign in' to sign in to the same
| service from a web browser and app for example.
|
| I doubt that: simply add two "SIM identities" (which on
| the mobile phone map to the same SIM card) to the account
| of the respective service.
| lawlessone wrote:
| My Redmi has a SIM card toolkit app, I've never used it.
| Reading this I am now more suspicious of it.
|
| Before you all warn me, I know it is the worst possible
| brand to own. I am getting spied on by all the regulars
| that come with Android - Google / US agencies - but I also
| get the added bonus of China spying on the device. But I
| was broke.
| itiro wrote:
| [flagged]
| aleph_minus_one wrote:
| > Using the account of probably one of the few trustworthy
| people in crypto probably helps.
|
| The fact that some person is trustworthy by his personality
| traits does not imply that he does have the (also
| technological) skills not to become scammed or impersonated.
| callalex wrote:
| We're talking about people who still willingly use Twitter and
| pay for blue check marks here...
| londons_explore wrote:
| I could easily imagine the scam had 30 victims, with 29 of them
| losing $10 and the remaining one losing $700k.
| woadwarrior01 wrote:
| Twitter has had support for proper TOTP based 2FA ever since Jack
| Dorsey got SIM Swapped in 2019[1]. This was also the time when
| they added support for hardware tokens like Yubikeys. Of course,
| one needs to enable it.
|
| [1]: https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-...
| wslh wrote:
| It is good to know that hardware wallets such as Trezor and
| Ledger support 2FA protocols, so if you have one there is no
| need to use another device.
| smeej wrote:
| If you're actually using them for their intended use (storing
| your crypto), the less you connect them to your computer, the
| better. Check them 2-4x a year to make sure they're updated,
| but I wouldn't want to carry my cold storage device on my
| keychain like I do my YubiKey.
| lhl wrote:
| The big problem is that apparently if you have a phone number
| linked to your account, it can be used to reset your password
| _even with TOTP 2FA enabled_ which to me, is bonkers:
| https://twitter.com/TimBeiko/status/1700659107764785336
|
| Twitter was requiring phone numbers for a while for account
| verification and I had mine attached from pre-history, but have
| obviously removed it after people have been pointing this out
| as an attack vector.
| hospitalJail wrote:
| I'm a bit paranoid about 2FA ever since my charging port got
| damaged and I literally couldn't charge my phone to get to
| authentication.
|
| Scary stuff, had to give sooo much personal information over
| the course of months to recover a single account.
|
| Not sure of a solution, maybe have a wifi-only phone that I only
| turn on for auth?
| pimlottc wrote:
| You can enroll multiple devices using the same TOTP QR code,
| just scan it more than once. They will generate the same code
| sequence and the site won't know the difference.
|
| You can even save the QR code and enroll a new device later
| if you want.
| ticoombs wrote:
| > You can enroll multiple devices using the same
|
| You could even save it in an application like KeepassXC.
| Then you turn on the TOTP mode and presto, you have another
| TOTP device
| doogieboo wrote:
| Bitwarden has TOTP built in as well. Apple has it built
| into their platform, but it's tougher to use and only
| works with Chrome if you use Windows too...
| kej wrote:
| Authy solves this by putting all the TOTP keys behind a
| master password and then backing it up online, so you can get
| up and running on a different device quickly. It's the same
| trade-off as a password manager, where your eggs are all in
| one basket but hopefully it's a secure basket.
| jwells89 wrote:
| This is why it's good to also enroll a hardware key or two if
| the site/service offers the option. One could for example
| have a "rescue" YubiKey stuck away in their closet that could
| be added. MacBooks with Touch ID can also work if you have
| one of those handy -- some sites allow enrolling it via
| Safari and IIRC Chrome and its myriad clones present Touch ID
| as a generic key that can be enrolled anywhere WebAuthN is
| supported.
|
| For extra assurance get a hardware key that supports NFC so
| it can be used with your phone (and some laptops) even if it
| can't be plugged in for some reason.
|
| Multi-pronged 2FA also enables things like being able to
| remove a key from your account without issue if for example
| one turns up missing while traveling.
| theblazehen wrote:
| Have a paper backup of the codes?
| simiones wrote:
| And carry it with you at all times, of course.
| justsomehnguy wrote:
| All those proponents of 'proper security with strict
| 2FA' have never been out of the country, mugged, in an accident
| or in any combination of these.
|
| Hell, if I just lose my wallet and would be forced to
| reissue the IDs and SIM (retaining the number!) it would
| take _weeks_ to be back 'online'.
| TheDong wrote:
| Every competent TOTP implementation has backup codes. Use one
| of your backup codes when your phone breaks.
|
| You did write them down like the site told you to, right?
|
| Even if a site doesn't offer backup codes, you can extract
| the TOTP secret from the QR code, or most authenticator apps,
| quite easily, and then write it down.
|
| It's more secure to only save the backup codes though since
| they have a limited number of uses, while the TOTP secret has
| unlimited uses.
| twothamendment wrote:
| I know you said competent, so this doesn't apply to the
| service I used yesterday, but it blew my mind. I lost
| access to TOTP for a service, but no big deal, I'm a good
| person who kept the backup codes. The codes are all 4
| digits and the service wants a 6 digit code!
|
| Luckily it is some lame work account that someone else can
| unlock to get me back in. I couldn't believe that the
| backup codes provided are now obsolete!
| londons_explore wrote:
| Except Google. Google backup codes are near useless because
| a Google backup code will let you log in, but won't allow
| you to disable 2 factor or add a new 2 factor device -
| meaning if you ever lose a 2 factor device and have to use
| a backup code, there is no way to recover your account.
| lxgr wrote:
| Really? I'd imagine you'd need two codes (one for the
| login, one for access to your 2FA settings), but not
| being able to recover at all using them seems horrible!
| londons_explore wrote:
| It just gives some error like "this login method is not
| allowed for this action" or similar.
| jasonjayr wrote:
| QR code TOTP, and print the QR code out and store it in a
| safe/offline.
|
| That way you can easily re-add the 2FA token to a replacement
| device.
| rgrmrts wrote:
| Just having a phone number added to Twitter means your account
| is at risk of being taken over with a sim-swap. This was not
| 2FA related AFAICT. Twitter also requires you to add a phone
| number, even on old accounts you can get locked out unless you
| add one.
| sschueller wrote:
| Doesn't Twitter force you to add a phone number now?
| lxgr wrote:
| As far as I remember they only use it for spam protection
| (i.e. the phone number serves as a moderate-level "proof of
| humanity"), but not for 2FA purposes (unless you pay for
| their premium service).
| throwaway290 wrote:
| Yes and they plan to require ID verification next, losing
| privacy-conscious users is clearly not a big issue for
| Musk.
| yomlica8 wrote:
| [dead]
| ssl232 wrote:
| I've got an account from 2009 and have never had to enter my
| phone number (if I ever get asked, that'll be the time when I
| stop using it).
| eddtests wrote:
| Nowadays if you create a new account it'll get briefly
| banned while they do additional checks to ensure you're
| human, which is fixed by giving a phone number. I'd almost
| appreciate just asking for one on signup rather than the charade.
| callalex wrote:
| The various Meta properties do this too, except instead
| of phone numbers they require government ID and
| headshots. It's all a scummy dark pattern relying on the
| sunk cost fallacy.
| fossislife wrote:
| That's not always the case. Sometimes it asked me for a
| phone number, but most of the time not when not using a
| VPN or something similar. But last year I managed to
| create two Twitter accounts with the Tor browser and some
| sketchy email address and never got asked for a number,
| just had to do some captcha after a few minutes.
| eddtests wrote:
| I created a few twitter accounts this year for various
| reasons and _all_ of them had the same number requirement
| after around 24 hours!
| littlestymaar wrote:
| I used Twitter from 2013 to 2021, and was eventually
| locked out by Twitter requesting a phone number with
| no way to work around it.
| ssl232 wrote:
| It'll be a shame if that happens to my account, as I lurk
| on Twitter every day (but never tweet or like), but I
| value privacy of my phone number more than I value the
| enjoyment I get from it.
| dorfsmay wrote:
| This makes me feel really good that the Canada Revenue Agency and
| most banks in Canada use SMS for second factor auth!
| lxgr wrote:
| The EBA (the European banking regulator in charge of specifying
| the technical details of the PSD2 regulation, which covers
| secure cardholder authentication, among other things) also
| stated a while ago that only SMS-OTP is a "true" factor;
| Email-OTP isn't.
|
| Ironically, my email account is so much better protected than
| my mobile phone number.
|
| I'm trying very hard to believe that the SMS lobby (i.e. mobile
| phone operators, which earn multiple cents per inbound SMS in
| Europe, as well as our friendly SMS verification providers
| adding their markup on that) didn't exert some pressure on the
| regulators here...
| FabHK wrote:
| Insofar as one of the factors should be something the user
| _knows_, and one factor something the user _has_, that
| makes perfect sense. You know your password (or the master
| password to your password manager), and you have your phone
| with the SIM card. With email (or Authy), the second factor
| is also something you _know_, thus it's not 2F anymore.
|
| Note that NIST also recommends against email as a factor in
| 2FA (A-B11 here: https://pages.nist.gov/800-63-FAQ/ ), and
| says that SMS OTP must be directed to a phone, not an IP
| address (such as with VoIP, see A-B01 in the same document).
|
| "Methods that do not prove possession of a specific device,
| such as voice-over-IP (VOIP) or email, SHALL NOT be used for
| out-of-band authentication." (5.1.3.1 of NIST SP 800-63B)
| aftbit wrote:
| What do you mean? I "have" access to my SMSes via my phone,
| and I "have" access to my email or my Authy also via my
| phone. If you get my phone, you can:
|
| 1. start password reset via email
|
| 2. confirm via SMS 2FA
|
| So that makes this into 1FA not 2FA.
|
| At least for TOTP secrets, I can store them securely, and
| attackers cannot convince a human support agent somewhere
| to hand them over.
|
| If you want true 2FA, you need something like WebAuthn with
| hardware tokens where the private key is on the token, but
| then you need a recovery process, and that takes you right
| back to the lowest common denominator of SMS verification.
| lxgr wrote:
| > you have your phone with the SIM card.
|
| Yeah, or a fraudster that talked my provider into
| SIM-swapping it or porting out my number (quite possible, since
| many phone providers don't have 2FA themselves!), or
| malware on my Android phone with access to incoming SMS, or
| (although much less likely) an SS7 attacker...
|
| A SIM is indeed a smart card theoretically capable of
| acting as a true "possession" factor (e.g. using
| EAP-AKA/EAP-SIM, although almost nobody uses that) - but
| calling it a possession factor for SMS-OTP is at least as
| much of a stretch as calling an email inbox a knowledge-only
| factor: Accessing _my_ inbox requires a FIDO
| authenticator and password.
|
| > Note that NIST also recommends against email as a factor
| in 2FA
|
| I guess bad decisions and/or lobbying aren't limited to
| European regulators/legislators then.
| [deleted]
| kotaKat wrote:
| I thought T-Mobile significantly cracked down on SIM-swapping
| internally so this couldn't happen again?
|
| I know there's still no patch for human stupidity, but I really
| am concerned that T-Mobile still apparently seems to be the
| carrier of choice for easy SIM-swap attacks.
| cl3misch wrote:
| SIM swapping is one thing, but the actual service (X in this
| case) allowing access to the account via access to the phone
| number, even without SMS 2FA enabled, is the real problem.
| AbrahamParangi wrote:
| Idk I mean there's a real trade off to making the app more
| secure. The causes of insecurity are largely user behavior,
| and the insecure things are things users want to do for
| practical reasons.
|
| For example, I have a foolproof way of preventing SIM swap
| attacks: require 256 bits of entropy and never allow a
| password reset, like in crypto. Lose your password? Account
| is gone forever.
|
| This is more secure but less user friendly. Except for large
| accounts, I don't know that anyone even particularly cares if
| their Twitter gets hacked. You could pretty easily make the
| argument that preventing sim swap attacks is an optimization
| for high profile users at the expense of everyone else.
| tyrfing wrote:
| A few years ago, my phone completely died. I walked into a
| store with it and my new phone, and got them to port the number
| to a new SIM without providing any information like the account
| PIN which I had set but didn't remember. It's good customer
| service, and even if they're supposed to check a bunch of info,
| that's still just a bit of social engineering to get around.
| The only solution is to not allow those lower level employees
| to do anything, which _will_ cause complaints.
| delfinom wrote:
| _Many_ complaints. People have to realize that people working
| in tech that can tolerate 2FA jumps are a small minority of
| people in the general population. Not to mention, the
| scenario of "person losing their 2fa device" will happen
| thousands of times more frequently across 300+ million people
| than the one person a month in a corporate environment.
| jmuguy wrote:
| Tinfoil hat in me says that T-Mobile has a real bad problem
| with their internal tooling allowing low level employees access
| that facilitates these sort of attacks. They claim social
| engineering because that allows them to blame a specific
| employee being "tricked" rather than a more widespread issue.
|
| This type of stuff is why I canceled my account with them. It
| just keeps happening.
| kotaKat wrote:
| > T-Mobile has a real bad problem with their internal tooling
|
| Oh, yes. 100%. I remember about 10 or so years ago
| people selling guides on how to get access to WATSON (one of
| the dealer systems that let you provision accounts etc.) by
| basically abusing a common username/password convention and
| making guesses based on the Store Lookup tool. IIRC it only
| let you set up _new_ accounts (e.g., take a stack of blank SIMs
| and just make infinite lines) but was still just an absolute
| WTF that it was... somehow a thing.
| techsupporter wrote:
| > I thought T-Mobile significantly cracked down on SIM-swapping
| internally
|
| They've cracked down so hard that the only way to do SIM swaps
| is to talk to a human who can be (and still routinely is)
| socially engineered. Self-service changes have been blocked for
| over a year "to enhance security".
| tamimio wrote:
| I've probably said it 100 times: anything that relies on the GSM
| protocol for authentication is not secure. The protocol is
| fundamentally broken from a security perspective, but it's still
| there because someone wants to keep these phone numbers as the
| weakest possible way to link your real identity with the digital
| ones.
| 2devnull wrote:
| I guess reputation can be valuable but I'd rather have my Twitter
| account compromised than my email or banking.
| b0sk wrote:
| Trust us with all your money!!!
| mihaic wrote:
| How exactly does a scam like this work? Access to someone's
| Twitter account only means that you can just post a link. People
| seem to have connected their wallet, but they still would need to
| sign a transaction after that. Did the users just auto-pilot
| click yes?
|
| Tangential, but I can't believe the name X is actually being used
| by journalists; it's even worse than I expected from a sentence
| readability standpoint.
| joncrocks wrote:
| You have to sign a transaction, but I _think_ the details of
| transactions can be obscure enough to not be clear what you're
| authorizing. Accidentally authorizing the transfer of
| tokens/NFTs, which are then drained.
| jeroenhd wrote:
| X is just a front for a phishing scam in these cases. No money
| or cryptocurrency is transferred directly. Scammers get access
| to a popular account with many followers, and tweet something
| like this:
| https://static.news.bitcoin.com/wp-content/uploads/2023/09/v...
|
| You don't need to get everyone in the cryptocurrency space to
| believe you, just a few people transferring funds from their
| wallet will make you rich.
| mihaic wrote:
| And the "this is free for 24h" is just a red herring, to make
| it legitimate for people to speculate?
|
| Still crazy that such a semi-anonymous scam got 700k, sounds
| like there's still a lot of money in crypto ready to gamble.
| jeroenhd wrote:
| There have been free or very cheap NFTs in the past, and
| handing out free coins is the easiest way to get your
| cryptocurrency flowing.
|
| I'm no criminal, but if I were, I would definitely target
| cryptocurrency enthusiasts. Many of them are the perfect
| target, having access to large sums of money, having the
| ability and willingness to transfer funds in a near
| untraceable way, and often looking for a get-rich-quick
| scheme like those cryptomultimillionaires.
|
| Things like an NFT smart contract that would transfer all of
| your NFTs when trying to get rid of them, coupled with
| unpleasant pictures, coupled with cryptoclout, publicly
| accessible profiles, and no method to refuse a transaction,
| have produced some ingenious thefts that nobody would even
| have thought possible ten years ago. Millions of real world
| dollars have been spent on pictures of monkeys, and
| millions have been lost after someone stole those pictures.
| umeshunni wrote:
| Looking at that tweet, I can't tell if it's a scam or just
| your regular cryptard NFT pump post.
| jeroenhd wrote:
| I think that's why it's such an effective scam, these types
| of posts are everywhere around cryptocurrency fanbases, but
| this time it came from a reputable person within the
| community.
| michael_j_x wrote:
| I don't understand this SIM-swapping concept. Where I am from (an
| EU country), if you need to get a new SIM for your number, you
| have to physically go to your service provider's store with an
| official proof of identity (passport or identity card) and do the
| change. Upon changing, your previous SIM immediately loses
| service.
| callalex wrote:
| United States services are fundamentally broken in this way
| because there is literally no unified identification system for
| the United States. There are identity systems for most US
| states, but there are 50 of those and the requirements and
| features vary widely which makes it a nightmare to build on top
| of them.
| theragra wrote:
| In some more corrupt countries in the EU, clerks can be bribed,
| unfortunately.
| cypherpunks01 wrote:
| Does anyone here use Efani? They are a security-focused provider,
| and the only one that claims to have had zero SIM-swap attacks
| successfully executed against them. They are an MVNO.
| ahaseeb wrote:
| Efani CEO here. There are 100s of reviews online. Yes, we've
| been able to defend against 100% of the SIM swap attacks so far.
| quickthrower2 wrote:
| Phone numbers. 99% Almost like ID.
| kalleboo wrote:
| Doesn't Xitter require you to have a paid account to use SMS
| authentication?
|
| So one way to secure your account is to refuse to pay for Blue.
| notyourwork wrote:
| > Xitter
|
| This is now what they call themselves?
| flotzam wrote:
| "A phone number is sufficient to password reset a Twitter
| account _even if not used as 2FA_ "
|
| This sucks because Twitter will sometimes force you to link a
| phone number to the account if it doesn't like your VPN or
| whatever
| thaumasiotes wrote:
| > "A phone number is sufficient to password reset a Twitter
| account _even if not used as 2FA_ "
|
| In other words, they don't have a 2FA system. They have a 1FA
| system, and the only factor is your phone number.
|
| This is a weird choice, since people are much more likely to
| know your phone number than they are to know your password.
| simiones wrote:
| If you have 2FA enabled, they can deny you access to your
| account, but they can't actually access it either (unless
| they also compromise your 2FA of course). That is, they can
| reset and change your password with only a phone number,
| but will still require a 2FA token to actually access the
| account.
| ttyyzz wrote:
| Cool, a wild vector appeared.
| woadwarrior01 wrote:
| I just tried it on my own account. It asks for the account's
| username, phone number, email and then sends an email to the
| email address. Perhaps he didn't add an email address to his
| Twitter account?
| simiones wrote:
| I also experimented a bit. I was able to reset my own
| password only with phone access when 2FA was not enabled:
| in the reset password flow, I started with my phone number,
| was then asked for my username and email, and then I was
| presented with an option to send the reset code either to
| my email or to my phone number.
|
| But, I then enabled 2FA (with an authentication app), and
| now when I try the flow again, I get to the screen for
| sending the reset code and I only have the email option
| left (but the screen still shows up as an extra step).
|
| So, it's possible that when you have 2FA enabled you can no
| longer do it. Or, it's possible I've triggered some
| internal rules by resetting my password twice in a short
| span of time (and enabling 2FA as well) and they've bumped
| me to some kind of "extra verification" flow that disabled
| phone-based password reset.
| [deleted]
| lxgr wrote:
| Every time I hear about yet another SIM swapping attack, I feel
| confirmed in my decision to use Google Voice for SMS-2FA as much
| as possible (only for services that don't support an actually
| secure method, of course).
|
| Except for one certain bank that won't even accept my "real
| [cell] phone number" for identity verification purposes, because
| "it's not verifiable" (probably because it's not with the big
| three cell providers).
|
| The state of "two-factor authentication" (a.k.a. something you're
| phished for and something you're social-engineered out of) and
| "identity verification" (a.k.a. "have a $80/month phone plan with
| these three companies or get lost") in this country makes me
| really sad.
| bdcravens wrote:
| > probably because it's not with the big three cell providers
|
| More likely because it's a VOIP number, which is easy to verify
| (Twilio's Lookup API will expose this info, and I'm sure
| there's other lower-level techniques)
| hammock wrote:
| Which bank?
| dylan604 wrote:
| Wells Fargo is one. You cannot unlock a card suspended for
| suspicious activity with the app. You must call the automated
| line and listen to the 5 most recent transactions. You can
| confirm you made them or deny you made them. If you deny, the
| card is immediately revoked, and a new card is issued. If you
| confirm, the suspension on your card is immediately removed.
|
| Maybe they don't let you unlock on the app in case someone is
| in possession of your device? Via the automated line, you
| have to provide ID'ing information that someone with the
| device might not know still. Just trying to find some logic
| lxgr wrote:
| > Just trying to find some logic
|
| My suggestion as somebody working in an adjacent industry,
| to protect your own sanity, is to not attempt that.
| wakeywakeywakey wrote:
| On their tech support page [1], Google Fi is said to be
| resistant/immune to SIM swap attacks because the attacker needs
| physical access to your device and Google account. Yet earlier
| this year [2], the Google Fi hack said to have exposed Fi users
| to SIM swapping. Can anyone shed light on how this can happen
| without someone having your phone?
|
| [1]: https://support.google.com/fi/answer/9834243?hl=en
| [2]: https://www.reddit.com/r/cybersecurity/comments/10rqtt2/goog...
| lxgr wrote:
| Implementation flaws like that are always possible, but my
| concern is that in so many cases, SIM swaps are ridiculously
| easy _by design_ (or more accurately, by absence) of the
| phone provider's security procedures.
| lr1970 wrote:
| > Can anyone shed light on how this can happen without
| someone having your phone?
|
| I do not know specific details of this particular incident
| but I would like to emphasize the fact that Google Fi, at
| least in the US, is a virtual network on top of the
| T-mobile's physical one. There is some extra level of
| security via obscurity that makes simple social engineering
| attacks harder but fundamentally it is still T-mobile
| underneath.
| slashdev wrote:
| I try to avoid giving my cell number, precisely because it's
| not secure, but also because it changes or I travel, and then
| I'm locked out of my own account.
| lxgr wrote:
| It's not a real vacation if you don't get locked out of at
| least one bank account or credit card for the crime of
| accessing your balance from a foreign IP, with no way to
| recover :)
| Scoundreller wrote:
| Works great for my buy-and-hold portfolio.
| lxgr wrote:
| Same, but it works decidedly less than great for buying
| train or flight tickets while already abroad and on a
| travel SIM.
| mmmmmbop wrote:
| As someone who has been moving countries and subsequently
| changing phone numbers, every couple of years, SMS 2FA is
| such a pain.
|
| It's hard to recall all services that have your phone number
| for migrating them, and even if you do, many won't accept a
| foreign number.
|
| I've resorted to holding on to my old phone numbers by
| transferring them to prepaid SIMs.
| rhaps0dy wrote:
| Be careful with this, if you don't use the prepaid sim for
| too long, it'll get cancelled and you will lose access to
| all these accounts.
| f0e4c2f7 wrote:
| It's pretty wild how baked into modern life insecure 2fa is.
| Especially with the prevalence of sim swapping. I more or less
| model most auth as trivially insecure at this point.
|
| You think about someone like Vitalik of all people, if he can't
| keep his account secure...average person has their work cut out
| for them.
|
| Private key auth systems have security challenges of their own
| (losing access forever when you lose your key) but I wish they
| were an option in place of the current regime.
|
| In the 90s you could bypass security locally on a machine by
| clicking cancel and it would just log you in. Feels like today
| it's only slightly more complicated and costs a bit of money to
| access twitter, email, bank accounts etc.
|
| Seemingly little to no interest in resolving this state of
| affairs beyond obscure and increasingly less legal crypto based
| systems.
| lxgr wrote:
| That's what happens when we designate phone providers as the
| single point of identity verification without creating any
| incentives for them to actually fulfill that role.
|
| One of my banks basically only accepts what they call "phone
| number verification" to clear a false fraud alert on my cards
| (or generally talk to them about anything regarding my
| account).
|
| What that means is (at least I'm fairly sure) that the agent
| on the phone will ask me for _any_ phone number, they ask the
| carrier for the name on that line and compare it with mine,
| and if it's a match, they send an OTP to that number.
|
| This is even worse than SMS-OTP, since a fraudster doesn't
| even need to change my number on file with my bank - opening
| a phone line in my name with any of the big three carriers is
| enough!
| lr1970 wrote:
| > It's pretty wild how baked into modern life insecure 2fa
| is.
|
| And a solution to this is very simple. Make telcos legally
| liable for losses due to SIM-swap attacks and before the ink
| is dry on such a law, Telcos will ban using phone numbers for
| authentication in their TOS. The banks and alike will be
| forced to come up with another, hopefully, better auth
| system.
| buildbuildbuild wrote:
| Be careful, I trace cryptocurrency for scam and hack victims
| and have personally seen GV transfers used in attacks.
|
| The lack of a physical SIM does not give more safety. "SIM
| Swap" means "convincing a system or human to transfer a phone
| number." A GV number is just as easy to transfer as any other
| phone number.
| joecool1029 wrote:
| > A GV number is just as easy to transfer as any other phone
| number.
|
| There is nobody to social engineer (it's Google, they hate
| customer service) and the system rejects all port-out
| requests until you unlock the number by paying a few dollars
| which requires breaking into the Google Account to begin
| with. It is absolutely not the same as compromising an
| employee of a carrier.
|
| To be clear I'm describing Google Voice which is purely a
| VOIP service, not Google Fi which is a MVNO.
| theolivenbaum wrote:
| The only time where Google's absolute lack of customer
| service for end users might pay off
| lxgr wrote:
| True - can't social-engineer a person if there's no person!
| lxgr wrote:
| I'd call that a number porting attack. A SIM swap to me is
| convincing the current provider to provision a new SIM for an
| existing line, which the attacker can then use to receive
| texts addressed to the victim.
|
| Porting attacks are definitely possible against Google Voice,
| but these require confirming the port in the target account
| first, no?
|
| And the Google Voice equivalent to a SIM swap would just be a
| compromise of the Google account itself. Definitely not
| impossible, and I know I'm tying my availability to a company
| not exactly known for being the best custodian for that - but
| I'll take my chances with them over any phone provider.
| buildbuildbuild wrote:
| Google will not share how threat actors are pulling it off
| but it definitely is happening. (see the Terpin v. AT&T
| lawsuit for why they might not be disclosing the vector)
|
| There are "fingerprint" cookie marketplaces that sell
| tokens from malware-compromised computers and allow you to
| make HTTP requests from a victim's connection, this could
| be one approach. There are also scammer call centers that
| will call unsuspecting people pretending to be Google,
| Coinbase, AT&T, or whomever, and have them click buttons in
| user interfaces.
|
| I've seen entire Google accounts deleted with no recourse
| due to this "suspicious activity" that victims had no
| control over. Computer says no, and it's near-impossible to
| get in touch with a human at Google.
|
| (I agree with you on terminology but media reports tend to
| group number porting attacks in with "SIM swaps")
| Obscurity4340 wrote:
| Is there a reason that would-be hackers are not preempted
| by requiring a specific device, pins, etc with no kill-
| switch or social engineering available (like, you lose
| your credentials, there's nothing we can do, its gone)?
| It sometimes feels like the system is deliberately
| designed so certain "legitimate" actors have a backdoor
| into any given system...
| dvngnt_ wrote:
| My bank disallowed me from using my Google Voice. They said to
| reduce impersonation. But I said this now makes me vulnerable
| to SIM swapping attacks and they had no response.
| FabHK wrote:
| NIST recommends against email or VoIP "phones" for the second
| factor, because then it's not what you _know_ and what you
| _have_, but just two things you _know_, so no 2FA. As far as
| I understand, it does not recommend against SIM-based 2FA
| anymore, though considers it RESTRICTED.
|
| "Methods that do not prove possession of a specific device,
| such as voice-over-IP (VOIP) or email, SHALL NOT be used for
| out-of-band authentication."
|
| (5.1.3.1 of SP 800-63B
| https://pages.nist.gov/800-63-3/sp800-63b.html)
|
| "Currently, authenticators leveraging the public switched
| telephone network, including phone- and Short Message Service
| (SMS)-based one-time passwords (OTPs) are restricted. Other
| authenticator types may be added as additional threats emerge.
| Note that, among other requirements, even when using phone- and
| SMS-based OTPs, the agency also has to verify that the OTP is
| being directed to a phone and not an IP address, such as with
| VoIP, as these accounts are not typically protected with multi-
| factor authentication."
|
| "NIST SP 800-63B does not allow the use of email as a channel
| for single or multi-factor authentication processes."
|
| (A-B01 and A-B11 in the FAQ https://pages.nist.gov/800-63-FAQ/)
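The SP 800-63B rules quoted above (no email or VoIP for out-of-band authentication; PSTN-based OTPs restricted; the sender must establish that the OTP is going to a phone rather than an IP endpoint) can be turned into a delivery-time check. The following is an added example and not code from NIST, from X/Twitter or from anyone in the thread. The lookup records it consumes are constructed sample data; their field names (`line_type`, `last_sim_change`) are this example's own, loosely modelled on carrier line-type / SIM-change lookup products such as the Twilio Lookup API mentioned upthread, without copying any vendor's schema. The seven-day "recent SIM change" window is an assumed mitigation, not a NIST requirement.

```python
"""Out-of-band (OOB) OTP delivery gate modelled on SP 800-63B section 5.1.3.1.

Added example, not code from NIST or from anyone in the thread. Before an OTP
is sent it classifies the destination and returns a decision:
  - email and VoIP numbers: refused (they do not prove possession of a
    specific device; 5.1.3.1 and FAQ A-B01 / A-B11);
  - PSTN numbers: "restricted" in NIST terms, so sent only if the relying
    party accepts restricted authenticators, and refused when the carrier
    reports a SIM change inside a recent window (the window is this
    example's choice, not a NIST requirement);
  - unknown line type: refused, because "not VoIP" cannot be established.

Lookup records are constructed sample data; field names are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    SEND = "send OTP"
    REFUSE_NOT_DEVICE_BOUND = "refuse: channel does not prove device possession"
    REFUSE_RESTRICTED = "refuse: PSTN authenticators not accepted by policy"
    REFUSE_RECENT_SIM_CHANGE = "refuse: SIM changed recently, require a stronger factor"
    REFUSE_UNKNOWN_LINE = "refuse: line type could not be established"


@dataclass(frozen=True)
class Destination:
    kind: str                                   # "email" or "phone"
    address: str
    line_type: Optional[str] = None             # "mobile", "landline", "voip", ...
    last_sim_change: Optional[datetime] = None  # UTC, as reported by the carrier


VOIP_TYPES = {"voip", "fixedVoip", "nonFixedVoip"}
PSTN_TYPES = {"mobile", "landline"}

# Constructed sample lookup results keyed by E.164 number (not real numbers).
SAMPLE_LOOKUPS = {
    "+15550000001": {"line_type": "mobile", "last_sim_change": "2023-09-10T08:00:00Z"},
    "+15550000002": {"line_type": "mobile", "last_sim_change": "2023-01-15T08:00:00Z"},
    "+15550000003": {"line_type": "voip", "last_sim_change": None},
    "+15550000004": {"line_type": None, "last_sim_change": None},
}


def destination_from_lookup(number: str, lookup: dict) -> Destination:
    """Build a Destination from one (constructed) carrier lookup record."""
    rec = lookup.get(number, {})
    ts = rec.get("last_sim_change")
    when = datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None
    return Destination("phone", number, rec.get("line_type"), when)


def gate_oob(dest: Destination, now: datetime,
             sim_change_window: timedelta = timedelta(days=7),
             accept_restricted: bool = True) -> Decision:
    """Decide whether an OTP may be sent to this destination right now."""
    if dest.kind == "email":
        return Decision.REFUSE_NOT_DEVICE_BOUND          # 5.1.3.1: email SHALL NOT be used
    if dest.line_type is None:
        return Decision.REFUSE_UNKNOWN_LINE              # cannot show it is not an IP endpoint
    if dest.line_type in VOIP_TYPES:
        return Decision.REFUSE_NOT_DEVICE_BOUND          # 5.1.3.1: VoIP SHALL NOT be used
    if dest.line_type not in PSTN_TYPES:
        return Decision.REFUSE_UNKNOWN_LINE
    if not accept_restricted:
        return Decision.REFUSE_RESTRICTED                # PSTN OTP is a restricted authenticator
    if dest.last_sim_change is not None and now - dest.last_sim_change < sim_change_window:
        return Decision.REFUSE_RECENT_SIM_CHANGE         # assumed anti-SIM-swap mitigation
    return Decision.SEND


def decide_for_number(number: str, now: datetime, lookup: dict = SAMPLE_LOOKUPS,
                      **policy) -> Decision:
    return gate_oob(destination_from_lookup(number, lookup), now, **policy)


def example_now() -> datetime:
    """Fixed clock so the sample run is reproducible."""
    return datetime(2023, 9, 12, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    for n in SAMPLE_LOOKUPS:
        print(n, decide_for_number(n, example_now()).value)
    print("email", gate_oob(Destination("email", "user@example.org"), example_now()).value)
```

The gate encodes the NIST stance literally; the thread's objection that a VoIP number behind a Google account with a security key may in practice be better protected than a carrier line is a policy question this check does not resolve, which is why `accept_restricted` and the window are parameters rather than constants.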
| lxgr wrote:
| > Note that, among other requirements, even when using phone-
| and SMS-based OTPs, the agency also has to verify that the
| OTP is being directed to a phone and not an IP address, such
| as with VoIP, as these accounts are not typically protected
| with multi-factor authentication."
|
| Unbelievable. My email address is protected with multi-factor
| authentication (and given the popularity of Gmail, I'd wager
| that this isn't all that uncommon!); my main phone line
| isn't.
| lostmsu wrote:
| NIST has been wrong previously.
| digging wrote:
| Interesting... I primarily use a virtual phone number because
| I don't want to give out my real phone number though; it's
| easier to cancel and replace a virtual one. (Although maybe
| not - at this point it's tied to so many services I would
| probably lose access to something permanently if I canceled
| it...)
| JimDabell wrote:
| > Except for one certain bank that won't even accept my "real
| [cell] phone number" for identity verification purposes,
| because "it's not verifiable" (probably because it's not with
| the big three cell providers).
|
| It's common for organisations to blacklist VOIP-based numbers
| for 2FA. There's more discussion about this, including some
| solutions, here:
|
| https://news.ycombinator.com/item?id=36909505
| lxgr wrote:
| Yes, a horrible antipattern that's spreading rapidly.
|
| I really hope that security researchers will demonstrate that
| trusting phone providers as the gatekeepers of modern digital
| identity is a bad idea - otherwise, fraudsters (and consumer
| frustration, in case of getting locked out arbitrarily) will.
|
| My phone provider recently switched to SMS-OTP as a mandatory
| (and so far their only) 2FA method, _including for SIM
| replacements_. I guess I'm just supposed to start my life
| over on a new number if I ever lose my SIM card...?
| DerekBickerton wrote:
| > Tim Beiko strongly recommended removing phone numbers from X
|
| I haven't checked, but is it possible to unlink a phone number
| from X? I always thought it was some anti-spam measure to have a
| number tied to an account.
| otterpro wrote:
| I've been using Google Voice free phone number if I need to give
| out phone number for verification, and I hope it mitigates the
| possibility of SIM-swapping. Also I have another burner phone
| number using Hushed on my phone. Does anyone know if there's
| vulnerability using these burner numbers?
| lxgr wrote:
| I'd say that depends entirely on the security of whatever
| "burner phone" (these are just a different marketing term for
| texting-capable VoIP lines, right?) service you use.
|
| Depending on how careful they are about account login and
| recovery as well as port-out procedures, it can be much more or
| less secure than a "real" mobile line.
| ajonit wrote:
| Telcos are still careless in spite of the widespread nature of
| this attack.
|
| What can be the solution for a SIM swap? Fingerprint (or iris
| scan) plus email OTP mandatory to get a SIM replaced?
| xyst wrote:
| I'm curious about the conversation that happened between the
| attackers/scammers and T-Mobile.
|
| Was it just a single call to social engineer support? Or did they
| call multiple times until they found an agent susceptible to
| their deception?
|
| Personally, I have gotten rid of using SMS as a 2FA method for most
| services. However my most critical services (banking) still use
| SMS as the only option.
| sammy2255 wrote:
| Ironically SMS 2fa is less safe than just using a password
| achandlerwhite wrote:
| I think the real issue is phone based account recovery rather
| than 2FA. It effectively turns 2FA into 1FA.
| MichaelZuo wrote:
| That's what really bothers me, especially when very complex
| passwords are already enforced, it's like cargo cult security.
| hospitalJail wrote:
| I'm ready for this future.
|
| Heck, I don't even like that email can be used to recover
| basically every account.
|
| Someone gets your computer unlocked? They have access to email
| and everything.
| mr_mitm wrote:
| That's not true. SMS 2FA may be the weakest form of 2FA, but it
| cannot be weaker than just using a password, because you always
| also need the password.
|
| As someone else pointed out, SMS based account recovery is the
| culprit.
| trompetenaccoun wrote:
| He did not use phone/SMS as his 2FA it seems, because he knew
| it's insecure, per his tweet. But nevertheless Twitter
| requires a phone number for verified accounts and that phone
| number can be used to reset the Twitter account password.
| There is nothing the user can do. Since these incompetent
| telecom employees get social engineered again and again, it's
| simply bad practice to have anything phone number related for
| security. Twitter and other companies need to change this,
| it's not safe.
| mr_mitm wrote:
| > But nevertheless Twitter requires a phone number for
| verified accounts and that phone number can be used to
| reset the Twitter account password.
|
| Sure, but that is not 2FA. It's 1FA. They could have used
| e-mail as the recovery mechanism to send a password reset
| link, then it still would have been SMS 2FA if they then
| required the SMS factor upon authentication and it would
| have been secure. This wasn't a problem of SMS 2FA, it was
| a problem of SMS based account recovery.
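Simiones's reset experiment earlier in the thread and the point in the comment above (the weakness is SMS-based account recovery, which turns "2FA" into 1FA) can be made concrete with a small model. The following is an added example and not X/Twitter's reset logic or code from anyone in the thread. The two policy names, the account fields, the TOTP secret and the passwords are this example's own constructions; a SIM swap is simulated simply by letting the attacker read the account's SMS inbox.

```python
"""Account-recovery model: why an SMS-only password reset turns "2FA" into 1FA.

Added example, not code from X/Twitter or from anyone in the thread. It models
an account with a password, phone, email and an optional TOTP authenticator,
plus two recovery policies (names are this example's own):

  PHONE_RESET_WEAK  an OTP delivered to the phone alone can set a new
                    password; login then needs whatever factors are enrolled.
  RESET_KEEPS_2FA   a reset also needs the enrolled second factor, so a
                    phone-only attacker cannot even change the password.

A SIM swap is simulated by letting the attacker read the account's SMS inbox.
"""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

PHONE_RESET_WEAK = "PHONE_RESET_WEAK"
RESET_KEEPS_2FA = "RESET_KEEPS_2FA"


def totp_code(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps); enough for the simulation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def _pw_hash(password: str) -> bytes:
    # Demo hash only; a real service would use a slow, salted KDF.
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Account:
    password_hash: bytes
    phone: str
    email: str
    totp_secret: Optional[bytes] = None
    reset_policy: str = PHONE_RESET_WEAK
    sms_inbox: list = field(default_factory=list)
    email_inbox: list = field(default_factory=list)
    pending_reset: Optional[str] = None   # outstanding reset code, if any


def make_account(policy: str, totp_enrolled: bool) -> Account:
    secret = b"victim-totp-secret" if totp_enrolled else None   # constructed
    return Account(_pw_hash("correct horse battery staple"), "+15550001111",
                   "victim@example.org", secret, policy)


def request_reset(acct: Account, via: str) -> None:
    """Start password recovery; the code goes to the chosen channel."""
    code = secrets.token_hex(3)
    acct.pending_reset = code
    (acct.sms_inbox if via == "sms" else acct.email_inbox).append(code)


def _totp_ok(acct: Account, code: Optional[str], now: int) -> bool:
    return (acct.totp_secret is not None and code is not None
            and hmac.compare_digest(totp_code(acct.totp_secret, now), code))


def complete_reset(acct: Account, code: str, new_password: str,
                   totp: Optional[str] = None, now: Optional[int] = None) -> bool:
    """Finish recovery. Returns True if the password was changed."""
    now = int(time.time()) if now is None else now
    if acct.pending_reset is None or not hmac.compare_digest(acct.pending_reset, code):
        return False
    # Hardened policy: the recovery channel alone never bypasses an enrolled factor.
    if acct.reset_policy == RESET_KEEPS_2FA and acct.totp_secret is not None:
        if not _totp_ok(acct, totp, now):
            return False
    acct.password_hash = _pw_hash(new_password)
    acct.pending_reset = None
    return True


def login(acct: Account, password: str, totp: Optional[str] = None,
          now: Optional[int] = None) -> bool:
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(acct.password_hash, _pw_hash(password)):
        return False
    return acct.totp_secret is None or _totp_ok(acct, totp, now)


def sim_swap_outcome(policy: str, totp_enrolled: bool, now: int = 1_700_000_000):
    """(reset succeeded, attacker logged in) for an attacker who only receives
    the victim's SMS, i.e. after a SIM swap or number port-out."""
    acct = make_account(policy, totp_enrolled)
    request_reset(acct, "sms")
    stolen_code = acct.sms_inbox[-1]            # delivered to the swapped SIM
    reset_ok = complete_reset(acct, stolen_code, "attacker-pw", now=now)
    return reset_ok, login(acct, "attacker-pw", now=now)


if __name__ == "__main__":
    for policy in (PHONE_RESET_WEAK, RESET_KEEPS_2FA):
        for enrolled in (False, True):
            print(policy, "TOTP enrolled" if enrolled else "no 2FA",
                  sim_swap_outcome(policy, enrolled))
```

Running it reproduces the thread's observations: with no second factor enrolled, either policy lets the SMS holder take the account (the phone is the only factor); with TOTP enrolled under the weak policy the attacker can reset the password and lock the owner out but cannot log in; under the hardened policy the phone-only attacker cannot even change the password, while the real owner, holding the TOTP secret, still can.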
| mindslight wrote:
| "SMS 2FA" makes bank account balances strictly less secure.
| The main thing you need to do to keep your bank balance
| secure is verify your transactions every statement period.
| Increasing login friction discourages the checking of
| transactions.
| mr_mitm wrote:
| How does SMS 2FA make bank account balances (what do you
| even mean by that?) strictly less secure than having
| password 1FA? In both cases the attacker needs the password
| (or the client cert, whatever the other factor is), but
| only in the SMS 2FA case the attacker has to perform SIM
| swapping.
| mindslight wrote:
| After the first sentence, there were two more sentences
| explaining that. "Bank balance" meaning the money in your
| bank account, as opposed to information about your
| transactions. I did forget to include that my comment was
| US-centric.
| mr_mitm wrote:
| Sorry, I still don't follow. With SMS 2FA the attacker
| needs strictly more information as compared to just a
| password. It doesn't matter if you log into your bank
| account or twitter.
|
| Did you mean a TAN for protecting individual
| transactions? I file this under authorization instead of
| authentication. But even then a SMS TAN is better than no
| TAN. I cannot see a scenario where adding SMS
| authentication makes things less secure.
| mindslight wrote:
| You're focusing on an imagined attacker performing a
| single type of attack, and losing sight of more
| significant avenues for damage. When talking about the
| possibility of losing money, the main thing you need to
| do is check your account transactions within 30 days of
| being issued a statement. This is required so that you
| can report unauthorized transactions in a timely manner,
| so that they can be reversed. Transaction authentication
| essentially doesn't matter, especially in the consumer
| market - remember banks are still happily chugging along
| printing a withdrawal key on the front of every check.
| Any impediment to verifying your transactions in a timely
| manner, including for example discontinuing OFX Direct
| Connect access in the name of "2FA", increases the chance
| that you might miss the dispute period and actually lose
| money.
| mr_mitm wrote:
| Ah, now I get it, thanks for clarifying.
|
| Well, this could be solved by sending a notification on
| all transactions. I already get these for my credit card
| account (I wish they did this on my checking account,
| too). When paying with Google Pay, I even get three
| notifications. This was very useful once, when I woke up
| to a $50 transaction to the Xbox store that I supposedly
| did while sleeping without even owning an Xbox.
| mindslight wrote:
| Pragmatically you might be able to find a setting for
| your bank that lets you notify you of transactions over
| $X, and then set X to $0.01 or $1.00.
|
| Abstractly my larger point is that security isn't a
| monolithic scalar but rather depends on the threat model
| and what is being secured. Far too often large entities
| push out features in the name of "security", but what
| they really mean is _their own security_ at the expense
| of yours (eg the TSA). A lot of these pushes (eg SMS 2FA)
| are like that, especially when made mandatory rather than
| consensual.
| lxgr wrote:
| Going strictly by the definition that's correct, but if you
| take a look at the number of services that allow you to reset
| your password using _only_ an SMS-OTP you'll quickly realize
| that reality doesn't live up to that ideal.
|
| I mean, at least SMS-OTPs are one-time use, i.e. they don't
| facilitate a compromise _if done correctly_, but the "done
| correctly" part here is once again very load-bearing.
| delfinom wrote:
| Not to worry, great companies like Google harass you to set a
| recovery phone number /s
|
| No seriously, it is aggravating how much SMS account recovery
| is a thing. Google even displays banners of "You are missing
| recovery information" because you set a recovery email but
| not a recovery phone.
| yomlica8 wrote:
| Recovery phone numbers are much more useful for user
| tracking than emails though.
___________________________________________________________________
(page generated 2023-09-12 23:02 UTC)