[HN Gopher] Android now lets you transfer eSIMs between your phones
___________________________________________________________________
Android now lets you transfer eSIMs between your phones
Author : thunderbong
Score : 108 points
Date : 2024-01-27 07:03 UTC (15 hours ago)
(HTM) web link (www.androidpolice.com)
(TXT) w3m dump (www.androidpolice.com)
| mschuster91 wrote:
| Now that's interesting.
|
| Normally, the entire point of having a SIM in the first place is
| to have a secure storage element for the crypto keys
| authenticating the subscriber to the network... so similar to a
| TPM, it doesn't make sense for anyone to be able to extract the
| private key material, while it does make sense to be able to
| import _new_ key material while at the same time only allowing
| authorized parties to do so - hence the entire dance with eSIM
| provisioning and multiple layers of cryptography involved.
|
| But what's described in the article, at least to me, is that the
| source eSIM only creates some sort of token that a backend in the
| carrier then uses to provision a new set of keys for the
| destination device - so there will at least be some sort of
| record of such a change, and hopefully a way to prevent eSIM
| transfers... because otherwise this will be a pretty nasty attack
| vector, all you'd need to take over someone's phone number is to
| get their phone unlocked in your hands.
| jksflkjl3jk3 wrote:
| If it's just transferring the provisioning token over to the
| other phone (which is what it sounds like it does), I wonder why
| the tool is needed and one couldn't just reuse the QR code used
| to install the eSIM initially.
| asdaq1312512 wrote:
| Depends on the carrier if the QR code can be re-used.
| izacus wrote:
| I've never seen a reusable QR code. Even worse, if there's a
| hiccup during provisioning it's usually immediately
| invalidated and you need to spend time with customer support
| to get issued a new one.
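Added illustration by the editor, not text from the article or from any commenter: a Python model of the points made in the sub-thread above. The QR code an eSIM is installed from is a GSMA SGP.22 activation code that carries only the SM-DP+ address and a matching ID, so it holds no key material; whether a matching ID can be used twice is a server-side decision, which is why a second scan fails at most carriers; and a device-to-device transfer amounts to provisioning a fresh profile with fresh keys on the destination while retiring the old one, with a record left at the carrier. The ToyEuicc and ToySmdp classes, the smdp.example.com address, the ICCIDs and the HMAC challenge response are constructed stand-ins; a real SM-DP+ also authenticates the eUICC's GSMA certificate before releasing a profile, and real profiles answer network challenges with Milenage or TUAK inside the eUICC.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ActivationCode:
    smdp_address: str                 # SM-DP+ FQDN the phone's LPA will contact
    matching_id: Optional[str]        # carrier-issued download token; may be empty
    smdp_oid: Optional[str]           # optional SM-DP+ OID
    confirmation_code_required: bool  # last field is "1"

def parse_activation_code(payload: str) -> ActivationCode:
    """Parse 'LPA:1$<SM-DP+ address>$<matching ID>[$<OID>[$<CC flag>]]' (SGP.22 section 4.1)."""
    if len(payload) > 255 or not payload.startswith("LPA:"):
        raise ValueError("not an LPA activation code")
    fields = payload[len("LPA:"):].split("$")
    if fields[0] != "1":
        raise ValueError("unsupported activation code format version")
    if not 3 <= len(fields) <= 5:
        raise ValueError("wrong number of '$'-separated fields")
    address = fields[1]
    if not address or any(ch.isspace() for ch in address):
        raise ValueError("missing or malformed SM-DP+ address")
    cc_flag = fields[4] if len(fields) == 5 else ""
    if cc_flag not in ("", "1"):
        raise ValueError("confirmation code flag must be '1' or absent")
    return ActivationCode(
        smdp_address=address.lower(),
        matching_id=fields[2] or None,
        smdp_oid=(fields[3] or None) if len(fields) >= 4 else None,
        confirmation_code_required=(cc_flag == "1"),
    )

def is_valid_activation_code(payload: str) -> bool:
    try:
        parse_activation_code(payload)
        return True
    except ValueError:
        return False

class ToyEuicc:
    """Constructed model of the secure element: profile keys go in and never come out."""
    def __init__(self):
        self._keys = {}  # ICCID -> subscriber key, usable only through authenticate()
    def install(self, iccid, key):
        self._keys[iccid] = key
    def delete(self, iccid):
        self._keys.pop(iccid, None)
    def installed(self):
        return sorted(self._keys)
    def authenticate(self, iccid, challenge):
        # HMAC stands in for the AKA response a real profile computes with Milenage/TUAK.
        return hmac.new(self._keys[iccid], challenge, hashlib.sha256).digest()

class ToySmdp:
    """Constructed stand-in for a carrier SM-DP+: matching IDs are single-use download tokens."""
    def __init__(self):
        self._pending = {}    # matching ID -> (ICCID, key) of a prepared profile
        self._consumed = set()
        self.audit = []       # the record a carrier keeps of every download and retirement
    def prepare_profile(self, matching_id, iccid):
        self._pending[matching_id] = (iccid, secrets.token_bytes(16))
    def download(self, ac, euicc):
        """Return 'ok', 'already-used' or 'unknown'; real servers also verify the eUICC certificate."""
        if ac.matching_id in self._consumed:
            return "already-used"
        entry = self._pending.pop(ac.matching_id, None)
        if entry is None:
            return "unknown"
        iccid, key = entry
        euicc.install(iccid, key)
        self._consumed.add(ac.matching_id)
        self.audit.append(f"{iccid} downloaded with matching ID {ac.matching_id}")
        return "ok"

def transfer(smdp, src, dst, old_iccid, new_iccid):
    """Device-to-device transfer as a fresh provisioning: the carrier prepares a new profile
    with new keys for the destination and retires the old one; nothing leaves the source eUICC."""
    matching_id = secrets.token_hex(8)  # constructed; real matching IDs are carrier-issued
    smdp.prepare_profile(matching_id, new_iccid)
    ac = ActivationCode("smdp.example.com", matching_id, None, False)  # constructed address
    if smdp.download(ac, dst) != "ok":
        raise RuntimeError("destination download failed")
    src.delete(old_iccid)
    smdp.audit.append(f"{old_iccid} retired in favour of {new_iccid}")
    return ac
```

The parser rejects anything that is not version 1, has the wrong field count or a bad confirmation-code flag, so a scanner can tell an eSIM QR code from an arbitrary URL before handing it to the LPA; the toy server shows that reuse fails because the server has marked the token consumed, not because the code itself changed.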
| KennyBlanken wrote:
| eSIMs are superficially about "making phones smaller" and
| waterproofing.
|
| What eSIMs really are about: the industry fighting back against
| regulations restricting their anti-competitive SIM and carrier
| locking.
|
| eSIMs are about stripping owners of the control they have via
| pulling the physical SIM and putting it in another phone.
| rollcat wrote:
| Nothing a quick regulation can't solve. If the EU could make
| Apple use USB-C and enable non-WebKit browsers, I'm sure the
| same could be done to fix eSIM.
| lakpan wrote:
| See you in 2035
|
| Unfortunately we have to suffer for a long time before
| regulation follows, if ever.
|
| Then regulation follows and we get cookie banners sometimes.
| rusk wrote:
| Sometimes you get free roaming and flat rate data tariffs
| ...
| tjoff wrote:
| It is just adapting existing laws to esims. Won't be nearly
| that long.
|
| In the meantime, don't buy esims. Nothing but drawbacks.
| lucasban wrote:
| I find buying local eSIMs when traveling internationally
| to be much more convenient than physical SIMs
| tjoff wrote:
| Maybe, never had a need. But even more reason to have a
| physical sim for your primary service.
| rollcat wrote:
| Sometimes we get cookie banners, sometimes we get EC 261,
| Schengen, or USB-C.
|
| The root cause of the cookie banner problem was
| implementing third-party cookies in the first place.
| Regulation is like violence; in both that if it doesn't
| work you just need more, and that if you needed to resort
| to it you've already fucked up.
|
| We can't wind the clock back and give Netscape a slap, or
| stop the operators from introducing SIM-lock on handsets.
| The next best thing is to fix it now, and yeah, sometimes
| the wheels have to turn slowly.
|
| What else do you propose we do? Refuse to use mobile data?
| (Actually, doesn't seem like the worst idea.)
| juggertao wrote:
| If it was about control the carriers would block the SIM when
| it was moved to a different phone.
| tjoff wrote:
| They used to do that, but it was outlawed.
| danieldk wrote:
| Not everywhere. The typical practice was to offer steep
| discounts on phones (or even 'free' phones), where the phone
| was paid through a high subscription price. However, the high
| subscription price was maintained after the phone was long paid
| off. This was ruled illegal in The Netherlands (and many other
| EU countries I believe), first because it was a loan in
| disguise (so the providers were bound to do credit checks),
| secondly because they are not allowed to continue charging the
| high subscription prices when the phone is already paid off.
|
| As a result, SIM locking does not have any benefit to the
| providers anymore and they stopped doing that.
|
| That said, I have used eSIMs for years now and there is not
| much of a real benefit outside dual SIM in phones that only
| have one physical SIM slot (like iPhone). When first starting a
| subscription it's faster, because you don't have to wait until
| the SIM card comes through snail mail. But after that there is
| always the anxiety after switching to a new phone whether the
| eSIM transition goes well. With most providers you have to
| request the eSIM through their app on your new phone, you get a
| second factor code on your old phone (where the SIM is still
| active), then an eSIM is installed on the new phone, but only
| activated after you remove the eSIM from the old phone.
| Sometimes you get an error in the middle of the process and
| it's not clear whether the migration is complete or not.
|
| Another issue is that if somehow the screen of your phone is
| destroyed, it's hard to move the eSIM to a replacement. While
| with a physical card you just pop it out and put it in your new
| phone.
| bitwize wrote:
| Many of the practices that were ruled illegal in your
| crystal-spires-and-togas utopia are alive and quite well in
| the stone-knives-and-bearskins hellscape across the pond. In
| particular, our carriers (excepting, as of yet, the German
| one) still whitelist handsets.
| denkmoon wrote:
| Can anyone actually cite a case of anti-lockin regulations
| being subverted because someone was using an esim instead of a
| physical sim? Not saying it doesn't happen but I'd be pretty
| surprised if a court suddenly said lockin is ok because they
| added an "e" to the SIM.
| rtpg wrote:
| yeah I don't get this. Isn't the practical thing that esim
| transfers end up just being "go to your carrier's website and
| do a thing again"?
|
| I feel like people with these comments don't realise that in
| many mobile markets carriers that do lockin don't do it via
| SIM cards, they do it via IMEI number locks on the phone. So
| even if you have a physical SIM card, you put it in another
| phone and it just doesn't work.
| masklinn wrote:
| > Isn't the practical thing that esim transfers end up just
| being "go to your carrier's website and do a thing again"?
|
| My carrier straight up doesn't support esim transfer as in
| moving the esim from one phone to an other, you have to
| renew / order a new one (as if you'd lost a physical sim
| basically).
|
| It does not take too long once you find out you have to do
| that, and hunt down how to do it, but it's stressful,
| annoying, and dumb.
| joshstrange wrote:
| I can.
|
| I bought a bunch of cellular iPads off Amazon ("renewed", aka
| refurbished) for my business. I tried out a few IoT cellular
| providers and the first one used regular SIM cards and they
| worked just fine. The second carrier (that I ultimately went
| with) used eSIM and while most of my iPads joined up without
| issue I had 7 of them refuse to add the eSIM. While carriers
| aren't allowed to SIM-lock iPads, they _are_ allowed to lock
| them to only work with their eSIM.
|
| AT&T was the culprit here and you can find multiple mentions
| of this practice on their forums which appeared to be the
| only way to get help on this issue. Post a new topic, wait
| for customer support to come along and PM you, then ask for
| your iPads to be unlocked (EUICC).
|
| AT&T Forum support ultimately told me "those iPads aren't in
| our system, there is no lock on them". I tried calling in
| (BTW, they won't even talk to you unless you are a customer
| of theirs which, thankfully?, I was for my personal line) and
| spent hours on the phone with them only to be told the same
| thing. I want to be clear, I spent over 4 hours across
| multiple calls where I was told different things but
| ultimately told "there is nothing we can do".
|
| At this point I called Apple (Apple Business Manager) where I
| was able to talk to a real person within <1 min of dialing
| (normally I spent 10min in AT&T phone tree hell) and they
| confirmed "this is an EUICC/eSIM lock on the device by AT&T.
| ONLY AT&T can remove the lock". I cannot rave enough about
| how easy it was to talk to ABM and how knowledgeable the
| person was, not to mention how they were easy to understand
| and immediately understood what I was asking. It was a stark
| difference from AT&T.
|
| I called back into AT&T and just kept pushing until someone
| said they would do it and it'd be fixed in 24 hours. It was
| not. I had a couple more rounds with AT&T, each with 24-72
| hours promises that it would be fixed. This dragged on for
| _weeks_.
|
| Finally, as a hail mary before I attempted to return the
| troublesome iPads to Amazon (which was what AT&T support kept
| suggesting I do), I filed an FCC complaint and in less than 3
| days AT&T reached out to me (no more automated systems) and
| released the lock on all my iPads. The same lock they swore
| didn't exist, for iPads they swore were not "in their
| system".
|
| So yeah, there's a case of anti-lock-in being subverted with
| eSIM and the hell I had to go through to get it fixed.
| CrendKing wrote:
| Are you saying if you use physical SIM from AT&T on those
| iPads, the problem would suddenly go away? I thought
| regardless which kind of SIM you use, when a device joins
| the carrier's network, they have to identify itself with
| EID (or something equivalent). If AT&T has a block on that
| ID, why would the kind of SIM matter?
|
| If there is a specific law forbidding carriers to put any
| kind of block on a device using only physical SIM, but not
| if eSIM, I'll be interested to know that law. And if that's
| the case, wouldn't it be obvious that because eSIM is a
| relatively new thing, the law is just lagging behind, not
| that eSIM inherently a bad thing?
| joshstrange wrote:
| I was able to use non-AT&T physical SIM cards without
| issue, I was blocked from using non-AT&T eSIMs. That's
| all I know and I'm not sure on the laws around it.
| turquoisevar wrote:
| Ah good old AT&T with the sleazy shit
|
| Technically it's not a SIM lock (also called carrier lock)
| in the traditional sense, AT&T calls it the carrier
| visibility or carrier reveal program.
|
| It's a BS name because it doesn't just hide other carriers
| from the carrier select screen, it also actively prevents
| eSIM activation via QR code etc. And if you need help from
| AT&T CS 9/10 have never heard of this term.
|
| For all intents and purposes it's basically just an eSIM
| specific SIM lock.
|
| But you (and anyone reading this that runs into the same
| issue) can use the "carrier visibility/reveal" terminology
| to get the issue resolved faster in the future.
| joshstrange wrote:
| > Technically it's not a SIM lock (also called carrier
| lock) in the traditional sense, AT&T calls it the carrier
| visibility or carrier reveal program.
|
| Yes, I forgot to mention that but I did know it at the
| time (I still have a doc with all those terms in it that
| I used when talking to the reps) and yes, almost no one
| knows what you are talking about. Even when I got someone
| to "put in a request" (which didn't work) they sounded
| skeptical about what they were putting in a request for.
| It didn't feel like they knew what I was talking about.
|
| The only people that did use that term or understand it
| (other than the rep that contacted me after the FCC
| complaint) were the forum support but they told me the
| iPads weren't in their system.
| andruby wrote:
| Do you have any more info how esims benefit the carrier?
|
| I'm not in the US and superficially, it seems like esim and
| physical sim don't differ that much.
| redrove wrote:
| I got bit by this when I bought a new iPhone recently, apparently
| the carrier "didn't allow" eSIM transfer so I had to go get
| another eSIM on my carrier's website.
|
| How does Android protect against this? The carrier somehow
| disallowing it?
| lakpan wrote:
| From the article:
|
| > Although carrier support is still limited,
|
| Nope. eSIM is crap on android too.
| ThePowerOfFuet wrote:
| Works great for me. Sounds like your carrier is what's crap.
| izacus wrote:
| It does not. eSIM isn't made to help you, it's made to give
| control back to carrier and them money.
| hef19898 wrote:
| How is an eSIM any different from a normal one? I can get up
| to three eSIMs (if memory serves well, did not check) from my
| carrier for free, plus up to two normal SIMs for free. And
| the carrier controls all of those anyway.
|
| And additional SIMs are below 10 bucks.
|
| A more general remark though, I get it that sometimes companies
| monetize a tad too much. But then nobody is working for free,
| no service comes without cost for the provider and we all
| have to make money to pay our bills. Hence I do not get the
| "they are doing it only for money" attitude, especially on a
| site like HN with a considerable number of people making
| literal FAANG money, money that comes exactly from these
| practices.
| mitthrowaway2 wrote:
| > considerable number of people making literal FAANG money
|
| As always, be careful not to confuse the sample with the
| distribution. The commenter you are replying to is not
| necessarily one of those people. Also, their statement
| might be matter-of-fact, not a condemnation.
| pi-e-sigma wrote:
| Transferring eSIMs between the carriers requires their
| cooperation. They have to 'approve' the transfer and can
| drag their feet, create artificial obstacles along the way
| or simply refuse the transfer. Meanwhile moving traditional
| SIMs between phones just works
| eertami wrote:
| Don't many phone providers sell locked/branded phones
| that can only be used with their physical sims? This
| locking down has always existed, long before smartphones,
| and it's the reason I only buy phones direct from
| manufacturers.
| TeMPOraL wrote:
| > _Hence I do not get the "they are doing it only for
| money" attitude, especially on a site like HN_
|
| I didn't read it as "they're doing it only for money". That
| indeed is perfectly understandable. I read GP as saying,
| _they're being customer-abusive asshats_.
|
| We all need to make money to pay our bills and such,
| however there's a subtle but important difference between
| selling some good/service/labor in exchange for money, and
| _abusing the customer to extract money from them_. eSIM,
| per GP, is designed very much for the latter case.
| izacus wrote:
| > Hence I do not get the "they are doing it only for money"
| attitude, especially on a site like HN with a considerable
| number of people making literal FAANG money, money that
| comes exactly from these practices.
|
| As someone who designed quite a few public systems like
| this, I can recognize one that's built with users in mind
| and one that's built with profiteering in mind.
|
| There's no reason for eSIM to not be easily transferable
| between devices like pSIMs are. There's no reason that the
| QR codes with provisioning tokens can't be reusable and
| revocable like pSIM ones. There's no reason that eSIM
| provisioning servers work on whitelist principle where they
| deny all phones the carrier doesn't profit from.
|
| And yet now we have all that. And before (at least here in
| Europe, I'm aware that US citizens are very used and
| defensive about abusive business practices by their
| telecoms) we didn't.
| judge2020 wrote:
| > There's no reason that eSIM provisioning servers work
| on whitelist principle where they deny all phones the
| carrier doesn't profit from.
|
| AT&T already has a whitelist based on IMEI that works for
| pSIM too. https://redd.it/trfw5r
| izacus wrote:
| What did you try to say with that statement?
| lloeki wrote:
| > There's no reason for eSIM to not be easily
| transferable between devices like pSIMs are.
|
| Indeed there is none:
|
| https://support.apple.com/en-us/HT212780
|
| > Use eSIM Quick Transfer on iPhone
|
| > Some carriers support SIM transfers from your previous
| iPhone to your new iPhone without needing to contact
| them. You can also convert your current physical SIM card
| to an eSIM.
|
| The whole page is full of what eSIM can do, but it seems
| carriers are not too happy about that as many block
| things that should be outright possible.
|
| There are tons of weird things that are impossible just
| because carriers, e.g I have a phone that can do eSIM or
| pSIM, I have a tablet that can do mobile, eSIM or pSIM. I
| have a nice data plan for the phone, and it is eligible
| to share it with a watch and/or a tablet. Such a
| hypothetical watch that I don't own would be eSIM, and be
| able to share the data plan but somehow the exact same
| case for the tablet can only be done via pSIM, neither
| can I convert its pSIM to an eSIM, which is allowed for
| the phone. It makes no sense.
| yokoprime wrote:
| I've never had any additional costs incurred due to eSIM.
| It's always been free and instant, whereas physical SIM
| cards I at times have had to pay a fee to swap out and it's
| always been a multi-day process.
| izacus wrote:
| Well, I did. Among others, one of my carriers demanded
| (still does!) physical presence in their store to transfer
| eSIM which is a significant cost to anyone when their phone
| breaks. This was not the case with a small plastic card.
|
| I've also had actual costs being charged when eSIM
| provisioning failed with "error -2" or whatever during
| travel and then carrier support refused to do anything
| about it (after taking my money for the card of course).
| vel0city wrote:
| One carrier of mine demanded I appear in a physical store
| to issue a new physical SIM so it's not like eSIMs
| created or enabled that policy.
| izacus wrote:
| In my experience eSIM absolutely created that policy.
| The same carrier's pSIMs still don't require that, so I'm
| not sure what exactly you are arguing here? The fact that
| your carrier has a shitty policy means it's now ok to spread
| it?
| vel0city wrote:
| I'm arguing shitty carriers can make shitty policies
| regardless of the underlying technology. It's not like
| eSIMs forced them to do that policy, the carrier just
| decided to be shitty all on their own. eSIMs can be
| delivered entirely digitally, so in reality they _should_
| be even easier and have even fewer needs to ever be in
| person.
|
| eSIM didn't make that policy, your carrier did.
| alwa wrote:
| To add insult to injury, one carrier demanded this of me,
| then its retail store franchisees refused to issue me a
| SIM unless I purchased a new device or a new line so
| they'd make commission!
| yaantc wrote:
| The opposite: eSIM allows IoT devices to be moved from one
| operator to another remotely, with no physical SIM swap. With
| devices using physical SIMs this wouldn't be economical, with
| eSIM remote change it can be. This allows long term users
| (meters, industrial connectivity, ...) not to be tied to a
| single MNO. They can regularly renegotiate their contract,
| and use competition. And the telcos really hate this, and
| tried to delay this happening as much as they could. Still in
| the end users and device makers managed to push this down
| the telcos' throats.
| Kwpolska wrote:
| The eSIM standard for embedded/internet-of-shit use is
| vastly different to the eSIM standard for phones and
| consumers. The devices could have their own standard, but
| as a consumer, I prefer my small metal and plastic square,
| thankyouverymuch.
| 999900000999 wrote:
| I've had carriers block physical sim swaps. Some even charge
| for it.
| ratg13 wrote:
| esim allows me to provision my phone with a new phone number
| wherever I am.
|
| I don't even need to go to any location, I just need someone
| to send me a QR code.
|
| It is extremely helpful and a huge time saver.
| harha wrote:
| Incredibly annoying - advertised "better than SIM", but really
| just a massive inconvenience.
|
| The only good use-case (for the user) is buying travel eSIMs.
| pzmarzly wrote:
| Another good use-case for eSIMs, at least in the EU where
| carriers have to transfer your number within 24 hours, is
| moving a number between carriers. Before, this involved waiting
| for the new SIM to arrive by snail mail, or having to drive to
| the carrier's shop to pick it up, sometimes while your number
| was already deactivated at the old carrier. With eSIM it
| recently took me less than 1 hour from requesting a number
| transfer to using it with the new carrier, all without leaving
| the house.
|
| But it all depends on the carrier now - I heard stories of
| carriers who won't send you the QR code, instead requiring
| you to drive to their store so they can show it to you in
| person "for security", defeating the whole purpose.
| usr1106 wrote:
| I don't think such EU regulation exists. I transferred my
| number from one operator to a competitor recently. There
| was a one week (I believe) warning period that the transfer
| was announced, but could still have been cancelled.
|
| The old operator used the week to make me 3 increasing
| discount offers. Had I switched just for economic reasons I
| could have cancelled the operation on Saturday just before
| the scheduled transfer at Monday noon and saved a bit of
| money.
| OJFord wrote:
| It exists for sure in the UK (you should complain to
| Ofcom as regulator in your case) - I would assume it's
| the same in the EU because it's not new, and the kind of
| thing we shared.
| Kwpolska wrote:
| https://en.wikipedia.org/wiki/Mobile_number_portability#Euro...
| suggests it's not necessarily 24 hours.
| OJFord wrote:
| Ok I was wrong, from the overview there:
|
| > From 1 July 2019 as a result of new rules from Ofcom,
| In the UK a customer can request a PAC without having to
| speak to their provider by texting PAC to 65075.
|
| So it's more recent than I thought (the requirement; the
| 'donor-led' nature it mentions and the ability to do it by
| text have definitely existed longer at least with willing
| networks) and a UK thing postdating leaving the EU.
| pzmarzly wrote:
| I was referring to Directive 2009/136/EC Article 30
| "Facilitating change of provider".
| https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
|
| > Porting of numbers and their subsequent activation
| shall be carried out within the shortest possible time.
| In any case, subscribers who have concluded an agreement
| to port a number to a new undertaking shall have that
| number activated within one working day.
|
| > In any event, loss of service during the process of
| porting shall not exceed one working day.
| nemetroid wrote:
| The relevant EU regulation on the matter is this[1]:
|
| > The porting of numbers and their subsequent activation
| shall be carried out within the shortest possible time on
| the date explicitly agreed with the end-user. In any
| case, end-users who have concluded an agreement to port a
| number to a new provider shall have that number activated
| within one working day from the date agreed with the end-
| user.
|
| My legalese is not good enough to understand what this
| means. The original text from the 2009 Telecoms
| Package[2] is worded slightly differently. Maybe member
| states failed to achieve the original intent and it was
| weakened to the current wording (as indeed, it takes
| longer than a day in many EU countries).
|
| 1: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...
| article 106, paragraph 5
|
| 2: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...
| article 30, paragraph 4
| Kwpolska wrote:
| I went through porting my number in Poland 3 times, and the
| time between my request and the porting was about a month,
| so plenty of time to receive the SIM card via snail mail.
| In one of the cases, I walked out of the new carrier's
| store with an inactive SIM card in hand.
| graemep wrote:
| In the UK you can get a new SIM and then transfer the
| number, so waiting for the new SIM to arrive by post means
| there is no risk of having your number deactivated before
| you have your new SIM, and no need to leave the house.
|
| Once you have the new SIM the transfer is pretty quick.
|
| The problem you are describing is therefore a regulatory
| one, not a technical one.
| grishka wrote:
| Yep, I always buy an eSIM whenever I travel because that's the
| only way my phone can do dual-SIM, and it's also convenient
| in case I come to that country again. I'd never use eSIM for
| my real phone number though. I don't trust software nearly as
| much.
| plantain wrote:
| What's baffling is the eSIM market seems to be substantially
| less competitive - you can almost always buy a local physical
| SIM with far more data for the same price. You'd think the
| cost for providing an eSIM would be less and MVNOs would be
| competing to drive it down.
| harha wrote:
| Agree - especially annoying that there's no reasonable and
| cheap plan across countries, checkout and search isn't much
| easier than getting a SIM card at the airport
| londons_explore wrote:
| Esims-via-app usually seem to be permanently roaming.
|
| That means I assume they are paying roaming rates to the
| local providers.
| crotchfire wrote:
| Except in Germany, where you just can't buy a local SIM at
| all.
|
| Actually I take that back, shady shops will sell you a SIM
| that can't be activated.
| SapporoChris wrote:
| I'm unsure what you are talking about. I was in Germany
| recently and got an O2 Deutschland sim card without
| issue. I had to show my passport, but it was an easy
| process.
|
| Things do change, so I did a quick internet search. Found
| plenty of websites with information on how to purchase
| and activate sim cards.
|
| https://www.phonetravelwiz.com/buying-a-sim-card-in-germany-...
| https://abrokenbackpack.com/germany-sim-cards/
|
| many others.
| gruez wrote:
| >What's baffling is the eSIM market seems to be
| substantially less competitive - you can almost always buy
| a local physical SIM with far more data for the same price
|
| Which countries? Of the few countries I traveled to, the
| cheapest esim (by using a esim comparison site) is cheaper
| than local sims for any reasonable amount of data (eg. 3 GB
| for a 2 week trip). The local sims sold at the airport
| might be "cheaper" on a per-GB basis, but they come with
| absurd amounts of data that you couldn't possibly use (eg.
| 30GB) so they are more expensive in actuality.
| nunez wrote:
| That's a huge use case though. Travel eSIMs are much more
| convenient than landing at an airport, finding a store that
| has SIMs, hoping they are open, etc.
| raverbashing wrote:
| I think you can still keep the original QR code and use that,
| no?
| redrove wrote:
| They expire, at least mine did.
| asdaq1312512 wrote:
| Only a few carriers use non-expiring QR codes.
| zaptheimpaler wrote:
| Can you clarify, was it free and relatively easy to get a new
| eSIM on the website?
| masklinn wrote:
| I also hit the issue, it was trivial to get a new eSIM from
| the provider but not being able to transfer was unexpected
| and annoying (as I had to emergency go and hunt for a way to
| renew). It added frustration to the phone change, especially
| as eSIM transfer is straight up part of Apple's migration
| assistant so I can only assume when it works it's seamless.
| redrove wrote:
| Basically the same experience for me as well.
| bgro wrote:
| Someone start a timer for the first 0-day exploit involving this
| codetrotter wrote:
| Time for Android users to abandon SMS as their 2FA.
|
| (Everyone should stop using SMS for that anyway, btw.)
|
| The best 2FA is a hardware device like a YubiKey. I have a
| handful of YubiKeys that I use in important places. Tying
| multiple YubiKeys to an account rather than just one is
| preferable IMO, because it lessens the risk of being locked out
| of your account when you lose a YubiKey or it breaks.
| Aerbil313 wrote:
| No. There is no future where everyone uses YubiKeys, too
| cumbersome for the average person. Passkeys it will be.
| xescure wrote:
| Yubikeys only allow for 25 resident keys. Clearly not ready
| for passkeys, but they can work as a second factor.
|
| My setup for the next few years will be: Bitwarden to store
| passkeys, passwords and sensitive data and a Yubikey that I
| login to Bitwarden with.
| nunez wrote:
| If only any of my banks supported TOTP or Yubikey...
| nsonha wrote:
| Why is this a big deal? Is it just the equivalent of copying
| an eSIM via QR code or can it actually convert a physical SIM to
| an eSIM in another phone?
| zx8080 wrote:
| Many services, including banks, have their users' second-factor
| auth tied to a phone.
|
| Hopefully the whole esim and namely esim transfer initiative
| would end phone as second factor.
|
| And yes, I know that options for 2FA are limited in general. But
| phone is not the best one.
| Tijdreiziger wrote:
| But usually the second factor is tied to a _bank app_ that you
| have to register in some way, not to your SIM.
| Aerbil313 wrote:
| Phones are a very good solution for 2FA, considering the
| requirements to obtain a phone number. The only disadvantage
| afaict is that SMS communication is easily intercepted and not
| encrypted.
| lotsofpulp wrote:
| I thought the requirements were being a near minimum wage
| employee at mobile network store (in the US) or a call center
| employee.
|
| Which is usually how SMS 2FA are stolen, and no one is liable
| for the consequences.
|
| Which means SMS 2FA is pretty low security. Convenient for
| most, but secure? Hardly.
| Dalewyn wrote:
| >But phone is not the best one.
|
| Phones are the best one.
|
| Why?
|
| Because (almost) everyone has one within reach.
|
| Security enthusiasts and believers constantly fail to
| understand why straight passwords and to a lesser extent phone
| 2FA never go away: All their proposed alternatives and
| solutions are inconvenient.
|
| Most people couldn't give a rotten rat's undead arse about
| security, but they will kill for convenience. Passwords and
| phone 2FA win and keep winning because they are convenient with
| good enough security.
| vigilans wrote:
| The most uninformed takes always come with a healthy dose of
| arrogance and vulgarity.
|
| Every part of the industry that matters has been bitten by
| using phone numbers as a 2FA mechanism. It's why they're
| actually disappearing and are being phased out in favor of
| apps, OTP tokens, and email codes, depending on the amount of
| influence technical people wield at a given org.
| Dalewyn wrote:
| >in favor of apps, OTP tokens, and email codes
|
| And _all_ of them are some form of jank or inconvenience.
|
| Look, most people (myself included) _don't give a fucking
| fuck_ about security. Our time lost to the kabuki theater
| of security is worth more than the so-called "security" we
| gain, and that's assuming whatever is being secured is even
| worth securing.
|
| A determined attacker will ignore all that and just
| undermine everything with social engineering against a
| useful customer support tech anyway.
|
| Unless your solution is as simple as entering a password
| and hitting a button, which is the digital equivalent to
| taking out a key and unlocking your front door, it is not
| going to see widespread acceptance. Make your fucking
| security solutions convenient, not secure. kthxbai.
|
| Even cars did away with keys because turning the ignition
| is an inconvenience compared to just pushing a button.
| tialaramex wrote:
| > Unless your solution is as simple as entering a
| password and hitting a button
|
| What password?
|
| I mentioned the NHS app I use in a different sub-thread,
| so let's try my (not very good, would not recommend but
| they offered decent credit balance interest) current
| account. I tap the app on my phone, I get a whirl of
| nonsense, and then:
|
| "Verify that it's you" and I touch the fingerprint sensor
| on my Pixel 6.
|
| And that's it. No passwords, no PINs, no SMS messages, no
| separate authenticator device
|
| This is much more secure than real human passwords (it'll
| be an elliptic curve signed message, so similar to HTTPS)
| and much more convenient, and short of convincing me to
| literally send you my phone _and_ my finger you can't
| trick me into giving you access.
| TeMPOraL wrote:
| What you say, plus the newer security schemes all have
| convenient side effects that end up fucking consumers
| over.
|
| Consider, for example, banking apps: because 2FA via app
| being near-universal these days, even the web page
| doesn't let you use your bank account without installing
| the bank's app. And banks are, after MAFIAA, the biggest
| proponents of remote hardware attestation schemes. Thanks
| to that, we're reaching the point that phones that aren't
| locked down by Apple or Google are going to become
| useless. Mod/rooting scene already all but evaporated
| because of it - rooting your phone means fighting half
| the apps, including your bank, making the whole exercise
| not worth it.
| apienx wrote:
| By "phone", I think OP meant SMS.
|
| Google and Apple could turn modern phones into convenient-to-
| use security keys/FIDO passkeys.
| tialaramex wrote:
| But they do? Works fine for me on GitHub, which is the
| place I most often use it, but also other places if I
| needed them on my phone.
|
| Not only that, they also both provide the same underlying
| technology to 3rd party apps, because the core trick in
| WebAuthn uses a cryptographic hash of a DNS name, so if we
| put say a UUID minted by your app store in where the DNS
| name goes we get the same functionality, (logically
| collisions can happen, but they're astronomically unlikely)
| but customised for each phone vendor & each app.
|
| So e.g. I tap the icon for the NHS app on my Pixel 6, it
| starts up to where it would want me to do nonsense with
| passwords and so on but nope, hold my thumb against the
| screen, biometric match inside the phone, therefore this is
| my phone, it has a FIDO-style proof that this phone, which
| enrolled via the laborious process with passwords and SMS
| and whatever, is mine and it says this is me. Now I can
| order routine prescription re-fills, they go in a queue, my
| doctor says yeah, tialaramex doesn't need to re-check those
| blood levels until summer, prescription approved, done.
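The two mechanisms described in this sub-thread, the elliptic-curve signed message behind the fingerprint prompt and WebAuthn's binding of each credential to a hash of the RP ID (a DNS name, or for a native app any identifier the platform mints), as an added example in Go. It is not code from the thread or from any app or platform named in it: the RP ID `nhs.example`, the origin, the challenge and the UUID-style app identifier are constructed placeholders, and the authenticator data is the minimal 37-byte form rather than a full parser.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits of the WebAuthn authenticator-data "flags" byte.
const (
	flagUserPresent  = 0x01 // UP: someone touched the authenticator
	flagUserVerified = 0x04 // UV: on-device biometric or PIN check passed
)

// newKey generates the ES256 (P-256) credential key that lives on the phone.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// buildAuthenticatorData assembles the 37 bytes every assertion starts with:
// SHA-256(rpId) || flags || signCount (big endian). rpId is normally a DNS
// name; an app can use any string it controls (e.g. a store-minted UUID).
func buildAuthenticatorData(rpID string, flags byte, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := make([]byte, 37)
	copy(out[:32], h[:])
	out[32] = flags
	binary.BigEndian.PutUint32(out[33:], signCount)
	return out
}

// signedMessage is what the private key actually signs:
// SHA-256(authData || SHA-256(clientDataJSON)); ES256 hashes before signing.
func signedMessage(authData, clientDataJSON []byte) []byte {
	ch := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), ch[:]...))
	return m[:]
}

// signAssertion is the authenticator side (the phone, after the biometric match).
func signAssertion(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientDataJSON))
}

// verifyAssertion is the relying-party side. It returns the new signature
// counter to store, or an error explaining why the assertion is rejected.
func verifyAssertion(pub *ecdsa.PublicKey, expectedRPID string, lastCount uint32,
	authData, clientDataJSON, sig []byte) (uint32, error) {
	if len(authData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(expectedRPID))
	if !bytes.Equal(authData[:32], want[:]) {
		// The phishing defence: a credential minted for another RP ID hashes differently.
		return 0, errors.New("rpIdHash mismatch: assertion is for a different relying party")
	}
	flags := authData[32]
	if flags&flagUserPresent == 0 || flags&flagUserVerified == 0 {
		return 0, errors.New("user presence and user verification are both required")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count != 0 && count <= lastCount {
		// A counter that fails to advance suggests a cloned credential.
		return 0, errors.New("signature counter did not increase")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig) {
		return 0, errors.New("signature does not verify")
	}
	return count, nil
}

func main() {
	priv := newKey()
	// Constructed sample values; nothing here comes from a real service.
	clientData := []byte(`{"type":"webauthn.get","challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://nhs.example"}`)
	for _, rpID := range []string{"nhs.example", "app:7c9e6679-7425-40de-944b-e07fc1f90ae7"} {
		ad := buildAuthenticatorData(rpID, flagUserPresent|flagUserVerified, 42)
		sig, _ := signAssertion(priv, ad, clientData)
		_, okErr := verifyAssertion(&priv.PublicKey, rpID, 41, ad, clientData, sig)
		_, phishErr := verifyAssertion(&priv.PublicKey, "phish.example", 41, ad, clientData, sig)
		fmt.Printf("rpId=%q  genuine RP: %v  wrong RP: %v\n", rpID, okErr, phishErr)
	}
}
```

The same verifier accepts the DNS-name RP ID and the app-style identifier without any special casing, which is the point of the earlier comment: the relying party only ever compares a hash. The counter check is the defence against a copied credential rather than against phishing; a counter of zero is allowed because some authenticators do not implement one.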
| dannyw wrote:
| They do, iOS Passkeys are pretty neat.
| eertami wrote:
| WebAuthn is an open standard and is available on all
| platforms and devices. There's not much reason to mention
| iOS, Apple's implementation of the standard is nothing
| unique.
| sofixa wrote:
| > Hopefully the whole esim and namely esim transfer initiative
| would end phone as second factor.
|
| > And yes, I know that options for 2FA are limited in general.
| But phone is not the best one.
|
| Phone doesn't just mean SMS. E.g. bank apps in the EU use MFA
| with the bank's app directly which you have to unlock with
| biometrics or PIN, after unlocking your phone.
| crotchfire wrote:
| A PIN is just a short numeric password. It's not a second
| factor.
| sofixa wrote:
| Anything is a second factor if it's the second way you're
| identifying yourself.
| crotchfire wrote:
| So I can use a password as my first factor and another
| password as my second factor?
| nottorp wrote:
| And that is why I'm against eSIMs.
|
| I shouldn't need the carrier's, google's or apple's permission to
| use different phones.
| IshKebab wrote:
| I would maybe say the same except there's one use case where
| esims are undeniably awesome: travelling. There are tons of
| apps that let you get very cheap esims in any country, so you
| basically never have to pay roaming charges ever again.
|
| Before esims you would have to go and get a physical SIM from
| somewhere. I've done it before. It's possible, but it was
| _much_ more of a pain than esims.
|
| The only issue with them I've found is that they're delivered
| by QR code via email, and the only way to install them on
| Android (that works) is scanning a QR code _with your camera_.
| I had to ask someone to take a photo of my phone so I could
| scan that photo. _facepalm_
| nottorp wrote:
| > There are tons of apps that let you get very cheap esims in
| any country, so you basically never have to pay roaming
| charges ever again.
|
| ... you mean, with Google/Apple's permission :)
| addandsubtract wrote:
| Can you link some of those apps? I'd love to have a travel
| eSIM just for data.
| Brajeshwar wrote:
| https://www.airalo.com
| addandsubtract wrote:
| Hmm... that's 5x as expensive as getting a regular SIM,
| though :/
| mFixman wrote:
| I use https://esimdb.com/uk instead of a single app.
|
| It lists the cheapest e-SIMs for travelling to each
| country.
| IshKebab wrote:
| Yeah this is the best option by far.
| dylmye wrote:
| I've used Nomad (https://www.getnomad.app/), they usually
| have a 10-25% code somewhere. I've had no issues and used
| them 10s of times.
| bmicraft wrote:
| If this can be done through Google lens, then it would be
| possible on device. If you share an image with the Google app
| it opens in lens and can scan codes.
| IshKebab wrote:
| It can't unfortunately. It's special QR scanner activity
| deep in Android's settings somewhere.
| SoapSeller wrote:
| That depends on the device and app; I've used Airalo on a
| couple of Android devices and it was always one click inside
| the app to install the eSIM.
| m-p-3 wrote:
| They're also great for corporate devices deployments. If the
| carrier is compatible, you can have the MDM/UEM auto-
| provision an eSIM during the account registration.
|
| This also has the benefit that the user cannot take it out or
| lose the SIM while traveling, or do SIM-swap with another
| device because their manager doesn't follow procedure of
| contacting IT when reusing spare phones between employees,
| creating all sorts of mismatches in the inventory between S/N
| and phone number, etc.
| TeMPOraL wrote:
| > _There are tons of apps that let you get very cheap esims_
|
| Wait. Why would you need, or want, an _app_ for that? I'd
| automatically assume that any such app is a scam. These kinds
| of things are not what apps do, it's out of scope on
| restricted mobile OS.
| nottorp wrote:
| He means that instead of buying the service on a web site
| he buys it in the web site packed inside an Electron "app".
|
| He does say they're delivered via QR in the email, so the
| "application" is just a store frontend, it doesn't change
| his esim itself.
| dannyw wrote:
| Both iOS and Android provide eSIM APIs. How else do you
| think carrier apps work?
|
| Apps like Airalo, etc, are legit.
| TeMPOraL wrote:
| > _How else do you think carrier apps work?_
|
| IDK, I've always considered carrier apps to be the
| prototype example of garbage / scams, next to "value-add"
| software shipped by printer vendors. None of the services
| I pay my carriers for are, or were, ever enabled or
| improved by an app.
| IshKebab wrote:
| They are apps because they're almost universally used on
| phones and apps can provide a much better UX than web sites
| (fight me PWA delusionists). I think you can probably do it
| on the web if you want too though.
| TeMPOraL wrote:
| I agree that apps can and do provide better UX (or at
| least used to, now they're just mostly wrapping webviews,
| which sucks) - but this class of activity is something
| I'd never consider using an app for in the first place.
| An app for a big e-commerce platform makes sense. An app
| for a one-off, transactional buying relationship? That's a
| red flag to me.
| drdaeman wrote:
| There are always caveats and eSIMs are a double-edged sword.
|
| I'm locked down to my current phone because of eSIM. I have
| two eSIMs from different countries, both necessary for long-
| term use (e.g. I have bank accounts in both countries, and
| banks want local numbers). Replacing or upgrading phone would
| be a tricky endeavor, with temporary outage on one of my
| lines, as I will be able to move only one eSIM, but not the
| other until I physically travel to a different country.
|
| Sure, it's a rare edge case, but still - super inconvenient.
| judge2020 wrote:
| AT&T et al have been blocking transfers or requiring physical
| verification for transfers for a decade now, not exclusive to
| eSIM.
| nottorp wrote:
| Hmm I can take my physical sim out and plug it into any other
| phone over here.
|
| The only exception is when the destination phone is carrier
| locked by a contract, but they have to unlock it for a
| nominal fee at the end (I think it was a few eur, or maybe
| last time they didn't charge me anything.).
|
| Are you referring to the fact that no one buys contract free
| phones in the US?
| ratg13 wrote:
| They are referring to SIM locks. ATT locks the sim to the
| phone so it can't be transferred if you got a subsidised
| phone from them.
|
| All depends on if someone set this flag when creating your
| SIM and if you took their discount when buying their
| service.
| egberts1 wrote:
| Still a major mistake to deploy eSIM; physical SIM is an
| excellent security feature.
|
| Caution: never use eSIM with your real phone number; always get a
| new phone number just for use with eSIM.
|
| OTP does a way better job giving consumer absolutely control than
| the eSIM does for mobile providers. (Yeah, re-read that last
| sentence carefully).
|
| Disclaimer: I do eUICC vulnerability analysis with eIM.
|
| https://www.ericsson.com/en/blog/2023/12/simplifying-iot-inn...
| TMWNN wrote:
| >Caution: never use eSIM with your real phone number; always
| get a new phone number just for use with eSIM.
|
| Yet again, having ported my phone number to Google Voice
| (GrandCentral back then), and never giving out whatever my
| current SIM's phone number is, pays off
| TeMPOraL wrote:
| How does this work? I thought GV and other VOIP numbers are
| becoming universally blacklisted by everyone because
| "sekhurity".
| oefrha wrote:
| It's funny, I ported my number to Google Voice, two years
| later I got kicked off Zelle because VOIP numbers are
| banned. So how do I send and receive money? Sign up Zelle
| with email instead. Yes, a VOIP number is a security threat
| (never mind Wells Fargo has known everything about me
| financially since forever), but a random email address is
| A-OK.
| checkyoursudo wrote:
| I can get SMS "security" codes from most services to my
| google voice number, but one of my banks just flat out
| refuses, and let me tell you it can be a huge pain in the
| ass if a few circumstances line up so that you cannot
| receive a "security" clear-text msg on your approved
| phone.
| NoZebra120vClip wrote:
| Sending SMS costs $$$, and the gateways are closely-
| guarded. There are bad actors hammering on logins to
| elicit SMS codes, and Zelle is charged for the service
| according to that volume.
| guiambros wrote:
| There are a few stupid sites that ban VOIP numbers, but
| thankfully it's still very rare. The vast majority (like
| 90-95%) accepts just fine.
|
| Source: GV user since Grand Central days.
| asimpletune wrote:
| I had a big carrier number that I later transferred to
| google voice and I've never had any issues with it since.
| silisili wrote:
| I have a ton of accounts. The only ones I know of actively
| blocking it are Elan Financial(credit card servicer) and
| maybe Chase. Not sure on Chase, it doesn't block it, just
| doesn't seem to get msgs for 2fa.
|
| Everything else (including paypal, fidelity, schwab, sofi,
| discover, capital one, to name a handful) work fine.
| egberts1 wrote:
| Your act (of going presumably SIM-less) has increased the
| surface area of attack on your own line by at least a
| thousand-fold over traditional mobile phone provider but
| still (probably barely) safer than eSIM.
|
| The Internet is more harsh than telco backend infrastructure.
| guiambros wrote:
| Genuinely curious about why you believe that. Carriers are
| notoriously sloppy with handling SIM swap attacks, while
| Google is notoriously hard to get into an account (even
| your own, if you happen to lose your password or 2FA).
| egberts1 wrote:
| One word: Backend.
| guiambros wrote:
| > _"One word: Backend."_
|
| Sorry, I still don't get it. Telco's backend is a mess.
| It has a profusion of processes and frontend systems for
| customer service teams to interface with user records,
| which creates all sort of loopholes. Any sufficiently
| motivated attacker can pull a SIM swap attack, as it
| happens frequently, and the weak link is always a
| variation of: a clueless agent somewhere trying to help a
| poor "customer" who dropped their phone in the toilet,
| and needs to urgently recover the number.
|
| Or are you suggesting that Google's GV backend is riskier
| than the carriers?
| rsync wrote:
| "Yet again, having ported my phone number to Google Voice
| (GrandCentral back then), and never giving out whatever my
| current SIM's phone number is, pays off ..."
|
| Agreed.
|
| My phone number lives at twilio and I couldn't tell you the
| physical phone number on my SIM card ... I have no idea what
| it is without looking it up.
|
| In addition to the obvious benefits of never caring whether
| you lose your phone or being vulnerable to a SIM swap there
| are other "telco superpowers" that come along with this
| arrangement:
|
| - I can text you, from my number, from the command line (curl
| API)
|
| - I can lose my phone and still send and receive SMS (again,
| curl API)
|
| - I can "sanitize" incoming text messages to ascii-256, block
| attachments, block or alert on silent SMS, etc.
|
| - block lists for incoming voice and SMS
|
| - CC incoming texts to a mailspool which allows me to browse
| my SMS history as if it were email (this one is particularly
| nice).
|
| Finally, I cannot participate in a discussion of hosted/VOIP
| vs. physical SIM numbers without reminding readers that a
| "2FA Mule" solves the problems of providers not supporting
| VOIP numbers for 2A:
|
| https://kozubik.com/items/2famule/
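The message-handling "superpowers" listed above (ASCII sanitization, dropping attachments, block lists, and copying texts to a mailspool) as an added example in Go. It is not rsync's code or Twilio's: it parses the URL-encoded form body that a Twilio inbound-SMS webhook receives, using the real `From`, `Body` and `NumMedia` parameter names, but the phone numbers, the blocklist and the mailbox address are constructed placeholders. It does not attempt the silent-SMS detection mentioned above, which needs information below what such a webhook exposes; the empty-body rule is a stand-in heuristic and labelled as such.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Decision is the filter's verdict for one inbound SMS.
type Decision struct {
	Action  string // "deliver", "alert" or "block"
	Reason  string
	From    string
	Body    string // body reduced to printable ASCII
	Dropped int    // media attachments discarded
}

// Constructed blocklist; the number is a fake example value.
var blocklist = map[string]bool{"+15550000001": true}

// sanitizeASCII keeps printable ASCII plus tab/newline and replaces every
// other rune (including invalid UTF-8 bytes) with '?'.
func sanitizeASCII(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r == '\n' || r == '\t' || (r >= 0x20 && r <= 0x7e) {
			b.WriteRune(r)
		} else {
			b.WriteByte('?')
		}
	}
	return b.String()
}

// filterInbound takes the URL-encoded form body a Twilio inbound-SMS
// webhook receives (fields From, Body, NumMedia) and applies the rules.
func filterInbound(formBody string) (Decision, error) {
	v, err := url.ParseQuery(formBody)
	if err != nil {
		return Decision{}, err
	}
	d := Decision{From: v.Get("From"), Action: "deliver"}
	if blocklist[d.From] {
		d.Action, d.Reason = "block", "sender on blocklist"
		return d, nil
	}
	d.Dropped, _ = strconv.Atoi(v.Get("NumMedia")) // attachments are never forwarded
	d.Body = sanitizeASCII(v.Get("Body"))
	if strings.TrimSpace(d.Body) == "" {
		// Heuristic (an assumption, not a Twilio field): a message with no
		// readable text is unusual enough to flag for review.
		d.Action, d.Reason = "alert", "no readable text in body"
	}
	return d, nil
}

// toMailspool renders a decision as an RFC 5322 message so SMS history can be
// archived and searched like email.
func toMailspool(d Decision, mailbox string, at time.Time) string {
	var b strings.Builder
	fmt.Fprintf(&b, "From: sms-gateway <%s>\r\n", mailbox)
	fmt.Fprintf(&b, "To: %s\r\n", mailbox)
	fmt.Fprintf(&b, "Date: %s\r\n", at.Format(time.RFC1123Z))
	fmt.Fprintf(&b, "Subject: SMS from %s\r\n", d.From)
	fmt.Fprintf(&b, "X-SMS-Action: %s\r\n", d.Action)
	if d.Reason != "" {
		fmt.Fprintf(&b, "X-SMS-Reason: %s\r\n", d.Reason)
	}
	fmt.Fprintf(&b, "X-SMS-Dropped-Media: %d\r\n\r\n%s\r\n", d.Dropped, d.Body)
	return b.String()
}

func main() {
	// Constructed webhook bodies, in the form-encoded shape Twilio POSTs.
	samples := []string{
		"From=%2B15550000002&To=%2B15550000999&Body=Caf%C3%A9+code+123456&NumMedia=0",
		"From=%2B15550000001&To=%2B15550000999&Body=click+here&NumMedia=0",
		"From=%2B15550000003&To=%2B15550000999&Body=&NumMedia=2",
	}
	for _, s := range samples {
		d, err := filterInbound(s)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Print(toMailspool(d, "sms@example.invalid", time.Unix(0, 0).UTC()))
	}
}
```

Blocked messages are still rendered for the archive with `X-SMS-Action: block`, so the mailspool doubles as an audit log of what the filter refused to forward; a one-time code arrives with any non-ASCII decoration reduced to `?` but the digits intact.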
| TMWNN wrote:
| >- I can text you, from my number, from the command line
| (curl API)
|
| For SMS, Google Voice both sends to and receives from
| email. I have a cronjob set up to `mail` a TextNow number
| that needs activity every 28 days to stay alive.
|
| >- CC incoming texts to a mailspool which allows me to
| browse my SMS history as if it were email (this one is
| particularly nice).
|
| Oh, I like this. I tend to delete most of my SMS-via-email,
| and the texts are always searchable in my Google Voice
| account, but can definitely see the appeal of always
| archiving all incoming texts with my mail so that I can use
| `mairix` for search.
|
| >Finally, I cannot participate in a discussion of
| hosted/VOIP vs. physical SIM numbers without reminding
| readers that a "2FA Mule" solves the problems of providers
| not supporting VOIP numbers for 2A:
|
| Nice. I do use my phone's SIM (now eSIM) number when (and
| only when) 2FA won't take Google Voice, but if I decide
| that is a meaningful security flaw, your approach would
| work.
|
| Speaking of telco superpowers, I don't know if Twilio lets
| you do this but Google Voice has always supported voice
| calls by browser. The only time I make or answer a phone
| call on my phone is when I am away from my computer. When
| iOS 8 appeared, I'd enjoyed the equivalent of Continuity
| for years.
| LeafItAlone wrote:
| > Caution: never use eSIM with your real phone number; always
| get a new phone number just for use with eSIM.
|
| This seems to be impractical advice with the way devices are
| going. Look at iPhones.
| javajosh wrote:
| As with so many things, like physical media, the wider world
| will undervalue some devices which is an opportunity for
| those in the know. It's a consolation prize, to be sure, but
| it's not nothing.
| eqvinox wrote:
| > This seems to be impractical advice with the way devices
| are going. Look at iPhones.
|
| Unfortunately, quite a few security practices are sometimes
| "impractical". If you go purely by practicality, all
| computers would always trust you and do as you request --
| what is that if not the most practical way of interacting
| with a computer?
|
| You always need to decide where to place your personal trade-
| off, maximize in that direction, and _be honest about it to
| yourself_. If you don't care about security to this degree,
| buy an iPhone. If you don't care about their known
| shortcomings, use face ID and/or fingerprint sensors. Or buy
| a different phone.
|
| > way devices are going. Look at iPhones.
|
| Also, FTR, almost all US people have a distorted view of
| iPhone market share. It's only the US where they have about
| half the market. It's far less in the rest of the world. That
| said, they still have somewhat of a "technology leader"
| position where everyone else feels like they have to imitate
| it, so... meh.
| kenmacd wrote:
| I'd much prefer companies actually follow NIST and stop using
| SMS for any type of authentication.
|
| eSIM has the advantage of allowing me to switch to cheaper
| services without paying $10 and waiting for a physical card to
| arrive. Is its security crap? Well, so is the security of my
| mobile provider's kiosk minimum-wager workers.
| Sayrus wrote:
| > without paying $10
|
| Reducing delays to near instantaneous is an argument, but
| having to pay $10 for a physical SIM sounds like a scam. Yet
| I've seen providers making people pay for eSIM as well so it
| seems they like to do this.
|
| On my provider, physical SIMs are free and available under
| 24h. eSIMs are free as well and I haven't seen a single SIM on
| any local provider more expensive than 1EUR.
| turquoisevar wrote:
| I'd add a caveat.
|
| Namely that physical SIMs are an excellent security feature,
| provided carriers aren't cavalier about managing them.
|
| Nowadays US carriers put up a few more hurdles here and there
| after some highly publicized issues, but it's still bonkers
| that I can ultimately just read off the ICCID of a card in my
| possession and get a number ported to it.
|
| Most European carriers don't allow you to bring your own SIM
| and will instead only link numbers to SIMs issued to the
| customer by themselves.
|
| That in and of itself would make things safer, but, and this
| practice varies from carrier to carrier and country to country,
| often times they require in-person pickup with ID check or
| courier delivery with ID scan. Although there are also plenty
| that just send it to the address on file.
| Brajeshwar wrote:
| Interestingly, here in India, I have had one of the smoothest
| transfers from physical to eSIM and between eSIMs to new phones
| (so far). They have itemized steps to follow, and unlike in
| 2015-2016, these days, I don't even need to talk to customer
| support. I have done this while I still had access to my old
| phone (simpler), and eSIM-ed to the new phone. I have also
| successfully done it after I had no access to the old phone with
| Apple's buyback-replacement program when the guy who came to my
| home gave me the new phone, taking away the old one.
|
| The one key thing that happened is that they sent me
| confirmations and steps to the email attached to my carrier.
| Besides that, the security features kick in, where I can
| make/receive calls, but data/SMS on that number is blocked for
| the next 24 hours (so, no 2FA and other credentials).
| kkfx wrote:
| I wait for a "NEW revolution", the plain old ability to log-in to
| services via a terminal of some kind with personal credential
| instead of being bound to a specific device... Because that's
| what we talk about.
|
| Big tech does its best to trap users, let's say WA tied to a
| mobile phone number that after some time surrender and allow for
| a web access, still keeping the user trapped, but a bit less.
|
| You can enslave as much as you can, a step at a time the barrier
| will drop. New others will be built and so on, why keeping up the
| fight?
| KomoD wrote:
| eSIMs are great.
|
| I have 4 eSIMs on my Pixel 7, 2 active, it's amazing.
|
| Getting a new eSIM is also so easy, don't have to wait for a
| physical sim card to arrive.
| kotaKat wrote:
| eSIMs are purportedly great until you try to use them in a small
| cell deployment and literally nobody wants to talk to a single-
| cell CBRS operator to deploy eSIMs.
|
| I hate the large-scale corporate gatekeeping combined with how
| insane the GSMA's security requirements and bullshit cert chains
| keep me from provisioning my own eSIMs for my own network
| compared to just buying a bunch of ISIMs from China to program in
| a reader.
| 127361 wrote:
| It would be nice if we had an open-source eSIM software emulator.
| However I think this requires secret crypto keys that are only
| available to chip manufacturers?
| rasz wrote:
| Some preliminary investigations by osmocom team:
|
| OsmoDevCall - Exploring eUICCs and eSIMS using pySim, lpac and
| osmo-smdpp https://www.youtube.com/watch?v=9V1Vx35lZ5c
___________________________________________________________________
(page generated 2024-01-27 23:02 UTC)