[HN Gopher] T-Mobile Employees Across the Country Receive Cash O...
___________________________________________________________________
T-Mobile Employees Across the Country Receive Cash Offers to
Illegally Swap Sims
Author : miles
Score : 270 points
Date : 2024-04-15 20:19 UTC (2 hours ago)
(HTM) web link (tmo.report)
(TXT) w3m dump (tmo.report)
| abeppu wrote:
| > First and foremost, if you use any services online that have
| two-factor authentication, be sure it is not SMS-based. Use an
| app like Google Authenticator or Authy for this purpose instead.
|
| It's really disappointing that in 2024, this is the "right"
| guidance to give, but we still know there's a whole lot of really
| important stuff that still uses SMS for 2-factor authentication.
| filoleg wrote:
| Half the time, even if a service supports authenticator app 2FA
| and not just sms, all it takes is just clicking "use another
| method" on the 2FA page, and it defaults to sms-based 2FA
| anyway. And it would still require a phone number when
| registering, so there is no way to avoid that fallback anyway.
| Borderline useless.
| jandrese wrote:
| The services require a phone number not because it adds
| security, but because it is a monetary challenge for
| scammers. If a service allows for multiple 2FA types it
| usually demands SMS for the initial setup, but once that is
| done you can remove your phone number to force it to switch
| to TOTP or a token. It's generally a good idea to not have
| your phone number stored in a zillion websites anyway, every
| copy is just another vulnerability for hackers to exploit
| when they knock over that service.
| filoleg wrote:
| That's totally fine, I am not against services requiring
| phone numbers during registration. I am just against those
| services allowing sms to be used as an easy 2FA fallback
| when an app-based 2FA is enabled. Because doing so makes
| app-based 2FA kinda useless.
|
| I agree with your points, it just feels insanely rare to
| see a service utilizing phone number requirement for
| registration the proper way (i.e., the way you describe).
| bsder wrote:
| > That's totally fine, i am not against services
| requiring phone numbers during registration.
|
| I am completely opposed to services having any PII
| (Personal Identifiable Information) beyond an email
| address because the dumbass services keep my PII and then
| lose it when they get hacked.
|
| If I can go collect a million dollars from a company that
| loses my PII, I'd let them collect it. Since I can't, my
| best option is to refuse.
|
| If you want to verify, take a credit card number. At
| least I can cancel and change that when some dumbass gets
| hacked and loses it.
| Wowfunhappy wrote:
| > It's generally a good idea to not have your phone number
| stored in a zillion websites anyway, every copy is just
| another vulnerability for hackers to exploit when they
| knock over that service.
|
| Are you relatively confident that these sites actually
| delete removed phone numbers?
| jandrese wrote:
| All I'm confident about is that they certainly won't
| delete them if you leave it as a 2FA option.
| liveoneggs wrote:
| Why should someone outsource one more important identity thing
| to Google?
| solardev wrote:
| It doesn't have to be Google Auth, it can be any 2FA app
| (1password, Bitwarden, Authy, Microsoft Auth), whatever. It's
| just a safer way to do 2FA than SMS.
|
| Google Auth is just one of the earlier popular apps, so it's
| a common example. It kinda sucks though, cuz if you lose your
| phone you have to reset all your 2FAs.
| astrange wrote:
| Google Authenticator is client side.
|
| It's not the best 2FA app though; it makes it unreasonably
| hard to transfer codes.
| lxgr wrote:
| It's the opposite these days - they sync your HMAC secrets
| to your Google account now unless you opt out:
| https://security.googleblog.com/2023/04/google-
| authenticator...
| hot_gril wrote:
| Google Authenticator makes it very unclear to average users how
| you back up or transfer stuff to other devices. Sites that
| support Google Auth are gonna have to deal with lots of locked-
| out users trying to recover access, which can negatively impact
| security.
|
| If anything hopes to replace SMS, it needs to be as user-
| friendly as SMS.
| fishpen0 wrote:
| Google auth is not the only authenticator that supports TOTP.
| Any time a site tells you to use google authenticator you
| should be using a better service like 1password, bitwarden,
| lastpass, etc... to scan the QR code and store the TOTP code.
|
| I'm flabbergasted every time I switch jobs and some jamook in
| IT or Security says we have to use google authenticator and
| that other authenticators aren't allowed. Then there are
| constant lockout events generating tickets for those teams
| when people delete the app or get new phones.
| hot_gril wrote:
| Yeah, it needs to be clear to users that they can use other
| things, especially some built-in option. Currently it's
| not.
| usea wrote:
| Many services will happily remove the authenticator from your
| account if you email them and say you lost it. The whole
| thing is a joke.
| lxgr wrote:
| It syncs everything to the cloud by default these days:
| https://arstechnica.com/security/2023/09/how-google-
| authenti...
| dumbfounder wrote:
| Every freaking time I get a new phone I forget the step of
| porting my authenticator keys. Wow, is it ever a drag trying to
| set them up again. Often, you need to do zoom calls to verify
| your identity. Takes days. This is the type of thing that will
| push almost everyone towards SMS. Also, it's easy for users and
| developers, and no one needs to learn anything. Solves these
| issues and we are good to go.
| ramesh31 wrote:
| There's a very simple solution which is to centralize the
| process. Banks learned this decades ago. It's why your teller
| can't do anything that an ATM machine can't do anymore.
| solardev wrote:
| What do you mean? Sometimes when I forget my ATM card, I go to
| the teller, who can help me after checking my photo ID and
| maybe some security questions.
| ramesh31 wrote:
| Right, but they still can't do anything you wouldn't be able
| to achieve over the phone with the centralized support line.
| Maybe verifying your identity for a cash withdrawal, but that
| still requires knowing the same secrets you'd need to just
| replace the card. The branch employee has no more access to
| your account than you do.
| solardev wrote:
| But isn't that kinda the crux of it? If I can withdraw cash
| by presenting a photo ID instead of using my 2FA online, it
| is both more convenient for me as an end-user and also less
| secure (opens the account up to social engineering, fake
| IDs, etc.).
|
| Similarly, some 2FA implementations allow human support
| agents to manually reset the 2FA, sometimes making that the
| weakest link.
|
| The ruthless alternative is "If you lose your 2FA, you lose
| your entire account and there's nothing we can do about
| it". I've rarely seen that implemented in normal apps.
| hn_throwaway_99 wrote:
| Yeah, I was thinking at the very least changing SIM assignment,
| given the huge target this is for bad guys, should require
| confirmation by at least 2 unrelated employees.
| Animats wrote:
| The article is vague. Is this "sim-swapping" physically replacing
| the SIM card in the customer's phone? Or entering the wrong IMSI
| into some T-Mobile database to change the association between
| IMSI and customer?
| flutas wrote:
| Sim swapping is typically "put their phone number on this sim
| card I control" the point being to bypass any SMS based 2
| factor auth / alerts.
| daveoc64 wrote:
| In a typical SIM swapping attack, the attacker will contact the
| Cellular Carrier (either in-person at a retail store, or by
| phone/online support), impersonating the victim and claim that
| they've lost their phone (including SIM) and that they need a
| new SIM for their account.
|
| Carriers should have procedures in place to ensure that the
| identity of someone who presents themselves with this situation
| is verified, but it can often be bypassed.
|
| In the case of the article, corrupt employees of the carrier
| are being bribed to bypass the ID and security checks that
| should take place in the above situation.
|
| In other attacks, there are social engineering ways of
| bypassing the ID checks - such as claiming to be the victim of
| a robbery where both the phone and wallet were taken - so they
| don't have any ID, credit cards, or phone to prove who they are
| and that getting a new SIM would really help them out.
| hypeatei wrote:
| Yet, most banks in the US force the use of SMS 2FA without
| offering TOTP as an option. Truly incompetent institutions we've
| created.
| dheera wrote:
| Yet other institutions do single TOTP with SMS backup instead
| of TOTP with a 2nd TOTP backup.
|
| The former is as bad as SMS.
| klabb3 wrote:
| I think the popularity of phone numbers is not because it's a
| good auth factor but because it is a little more work to Sybil
| flood with generated identities, compared to say email. So it's
| not for our security exactly, but more for the company's anti-
| abuse systems, and maybe the marketing department that loves
| hoarding phone numbers. That it works as a second factor is
| just a "happy" coincidence.
|
| Which in turn annoys me to no end given that phone numbers are
| _regional_. Having no access to banks when moving, let alone
| traveling, to an area with no cell service or a different
| country, is infuriating. It's like "what's your mother's maiden
| name" all over again.
| fuster wrote:
| My bank took away the ability to do 2FA via email and is phone-
| only now. At least with the typical Gmail/equivalent account
| you have the option of making that less vulnerable to social
| engineering and outright bribes.
| dvzk wrote:
| SMS 2FA is one thing. Bad, but ineffective. SMS-based account
| recovery is far worse. Every time a major website asks me for a
| phone number _"in case you lose access to your email account"_
| I freak out internally before ensuring I never enter it.
| causal wrote:
| Right. The SMS 2FA risk is overstated IMO - at worst it makes
| it as insecure as password-only, and at best it creates a
| roadblock for attackers that can be significant for locked
| SIMs.
|
| But SMS account recovery is definitely opening the door to
| attack.
| hn_throwaway_99 wrote:
| > Where did this private information come from?
|
| > Still, the biggest issue here is how this person (or multiple
| people) obtained the employee phone numbers. We're not sure yet
| which employees are impacted, but based on comments online it
| seems at least a few third-party employees are affected, and
| we've independently confirmed current corporate employees have
| also received the message.
|
| Sadly, the idea that phone numbers of people are private should
| be considered laughable at this point. There is LinkedIn, and
| even if you're not directly connected to someone it would be easy
| to correlate publicly available LinkedIn data to phone number
| data.
|
| Also, note that T-Mobile explicitly provides a "SIM Protection"
| feature, https://www.t-mobile.com/support/plans-features/sim-
| protecti.... Why this isn't enabled for everyone by default I
| don't know.
| 0cf8612b2e1e wrote:
| The website does not make it clear - what does SIM protection
| do? Does it put a waiting period on changes? Requires a website
| login first?
|
| What happens if I legitimately need a new SIM?
| xyst wrote:
| I had to deal with this recently. Basically, they put a hold
| on the account. The request is forwarded to another internal
| department for verification. Once verification is complete
| and the team determines the request is not fraudulent (asking
| for a "verification PIN" or "account password"), the request
| is forwarded to the appropriate tech team for further
| processing.
|
| SMS and calling was blocked during that entire time (~24-36
| hrs) since the backend teams are likely operating in offshore
| timezones.
| livueta wrote:
| I'm curious how that feature works on the backend. If the
| premise is employees abusing internal access to fiddle account
| data, and the feature can be toggled on an account page, can't
| the insider abuse a password reset flow, toggle the setting
| off, then proceed as normal? I'm assuming that there's some
| "customer walks into store and needs to reset their password"
| functionality employees can access. Maybe a mandatory waiting
| period?
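An added example, not from the thread or from T-Mobile, modelling the controls this subthread asks about: an account-level SIM lock, a mandatory waiting period after the customer turns it off (so an insider who toggles it via a password reset still cannot swap immediately), confirmation by two distinct employees as hn_throwaway_99 suggested above, and an audit entry for every step. The workflow, actor names and policy values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Assumed policy values for this illustration (not a real carrier's settings).
COOLING_OFF_SECONDS = 24 * 3600   # wait this long after the SIM lock is turned off
REQUIRED_APPROVERS = 2            # two distinct employees must sign off on a swap


class AuthorizationError(Exception):
    """A SIM change was attempted without the required controls."""


@dataclass
class AuditEvent:
    ts: int        # Unix timestamp
    actor: str     # who did it: "customer:<number>" or "emp:<id>"
    action: str
    account: str
    detail: str = ""


@dataclass
class Account:
    number: str
    active_iccid: str
    sim_locked: bool = True                  # lock is on by default
    lock_disabled_at: Optional[int] = None   # when the customer turned it off
    pending_iccid: Optional[str] = None      # swap waiting for approvals
    approvers: Set[str] = field(default_factory=set)


class SimChangeWorkflow:
    def __init__(self) -> None:
        self.audit: List[AuditEvent] = []   # append-only; every step names its actor

    def _log(self, ts: int, actor: str, action: str, acct: Account, detail: str = "") -> None:
        self.audit.append(AuditEvent(ts, actor, action, acct.number, detail))

    def disable_sim_lock(self, acct: Account, actor: str, customer_pin_ok: bool, ts: int) -> None:
        """Only the customer, after proving the account PIN, starts the clock; staff cannot."""
        if not customer_pin_ok:
            self._log(ts, actor, "lock_disable_denied", acct, "PIN not verified")
            raise AuthorizationError("account PIN not verified")
        acct.sim_locked = False
        acct.lock_disabled_at = ts
        self._log(ts, actor, "lock_disabled", acct)

    def request_swap(self, acct: Account, employee: str, new_iccid: str, ts: int) -> None:
        """First employee files the swap; refused while the lock is on or the
        cooling-off period after disabling it has not elapsed."""
        if acct.sim_locked or acct.lock_disabled_at is None:
            self._log(ts, employee, "swap_denied_locked", acct, new_iccid)
            raise AuthorizationError("SIM lock is enabled")
        if ts - acct.lock_disabled_at < COOLING_OFF_SECONDS:
            self._log(ts, employee, "swap_denied_cooling_off", acct, new_iccid)
            raise AuthorizationError("cooling-off period still running")
        acct.pending_iccid = new_iccid
        acct.approvers = {employee}
        self._log(ts, employee, "swap_requested", acct, new_iccid)

    def approve_swap(self, acct: Account, employee: str, ts: int) -> bool:
        """A second, distinct employee confirms. Returns True once the swap commits."""
        if acct.pending_iccid is None:
            raise AuthorizationError("no pending swap on this account")
        if employee in acct.approvers:
            self._log(ts, employee, "approval_rejected_same_actor", acct)
            raise AuthorizationError("second approver must be a different employee")
        acct.approvers.add(employee)
        self._log(ts, employee, "swap_approved", acct)
        if len(acct.approvers) < REQUIRED_APPROVERS:
            return False
        acct.active_iccid = acct.pending_iccid
        acct.pending_iccid = None
        acct.approvers = set()
        acct.sim_locked = True          # re-arm the lock after a completed change
        acct.lock_disabled_at = None
        self._log(ts, employee, "swap_committed", acct, acct.active_iccid)
        return True


def is_denied(action: Callable, *args) -> bool:
    """True if the workflow refused the action (used by the demo and tests)."""
    try:
        action(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: lock turned off by the customer, swap filed by one
    # employee after the waiting period, confirmed by a second employee.
    wf = SimChangeWorkflow()
    acct = Account("555-0100", "8901000000000000001")   # constructed sample values
    wf.disable_sim_lock(acct, "customer:555-0100", True, 0)
    t = COOLING_OFF_SECONDS + 60
    wf.request_swap(acct, "emp:alice", "8901000000000000002", t)
    wf.approve_swap(acct, "emp:bob", t + 20)
    for e in wf.audit:
        print(e)
```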
| lukeschlather wrote:
| We really need better standards for MFA. Probably we should have
| a legal definition of MFA and SMS should be described as 2SA
| (Two-step authentication) on par with email or whatever. While
| MFA should be restricted to actual Yubikeys and other hardware
| certificate based things.
|
| I'd also say people shouldn't be able to advertise MFA if they
| only support a single token per method.
| toomuchtodo wrote:
| https://www.cisa.gov/sites/default/files/publications/fact-s...
| ("CISA.gov: Implementing Phishing-Resistant MFA")
|
| https://passkeys.dev/
|
| https://passkeys.directory/
| hot_gril wrote:
| It's not reasonable to expect people to have Yubikeys. iPhone
| Keychain is about as good as it'll get realistically, and that
| somewhat relies on hardware security.
| xyst wrote:
| "iPhone Keychain" - no thanks, I'll stick with a non-vendor
| specific provider.
|
| I am trying to escape that awful ecosystem, not dig myself
| further in.
| hot_gril wrote:
| The option of Yubikeys is fine as long as the basic 1P
| thing is painlessly usable too.
| overstay8930 wrote:
| You know it's trivial to export, right? There's nothing more
| secure than Keychain if you're in the Apple ecosystem.
| Nothing gets more scrutiny from the entire industry, at
| least.
| lukeschlather wrote:
| Actually I maybe misspoke and I might go further than that
| and say that services shouldn't be allowed to make any
| requirements about how hardware tokens work. This means if
| someone wants to use a software token that should be
| supported.
|
| And also I think this is why the passkey standard is bad, it
| sets rigid hardware requirements and the manufacturers will
| use this to drive planned obsolescence. If Apple and
| Microsoft have their way we will throw away $1000+ phones and
| laptops because someone found an exploit in the TPM that
| requires physical access.
| hot_gril wrote:
| Yes, that and WEI
| fishpen0 wrote:
| It's funny how you can't work for a secure government agency if
| you can't get clearance, and that a primary litmus test for
| clearance is how much debt you are in. (AKA how easy you are to
| bribe). But then for huge swaths of our infrastructure we have
| privatized it and left it in the hands of minimum wage employees
| who probably have auto and student debt and can be bribed for
| pittances.
| toomuchtodo wrote:
| Login.gov is a thing (and over 300 federal agencies use it as
| their idp as of this comment). USPS provided identity proofing
| in person for it. All federal gov agencies are moving towards
| it. The "right" way would be a national smart card ID system
| like Estonia has (built on cryptographic primitives), but you
| have a cohort of crazies who think it's the "mark of the beast"
| and other wild tales. So, we walk when we could run. This
| problem is at the people/policy OSI layer.
|
| The Defense Dept already does this: CAC/common access cards
| [1]. Create a civilian root and do it already. A PIV/CAC can
| also be used as an auth factor with Login.gov [2].
|
| [1] https://www.cac.mil/common-access-card/
|
| [2] https://www.login.gov/help/get-started/authentication-
| method... (Physical PIV (personal identity verification) cards
| or CACs (common access cards) are secure options for federal
| government employees and military personnel. These cards, with
| encrypted chip technology, are resistant to phishing and
| difficult to hack if stolen.)
| throw7 wrote:
| Papers Please.
| toomuchtodo wrote:
| This is a tired argument. If you want better governance,
| it's a political problem, not a tech problem. "Papers
| Please" exists today due to a lack of law enforcement
| oversight and current statute [1]. A properly functioning
| national ID system and infrastructure doesn't change that.
|
| The databases already exist [2] [3] [4] [5]; because you do
| not have the physical card does not mean you don't live
| this reality today. On the contrary, you already don't have
| the privacy you think you have, without any of the quality
| of life improvements a national ID card would provide.
|
| > CBP has successfully implemented facial biometrics into
| the entry processes at all international airports, known as
| Simplified Arrival, and into the exit processes at 49
| airport locations. CBP also expanded facial biometrics at
| 39 seaports and all pedestrian lanes at both Southwest
| Border and the Northern Border ports of entry.
|
| > To date, CBP has processed more than 490 million
| travelers using biometric facial comparison technology and
| prevented more than 1,900 impostors from entry to the U.S.
|
| [1]
| https://en.wikipedia.org/wiki/Stop_and_identify_statutes
|
| [2] https://www.dhs.gov/biometrics
|
| [3] https://www.tsa.gov/biometrics-technology/evaluating-
| facial-...
|
| [4] https://www.cbp.gov/travel/biometrics/airports
|
| [5] https://www.dhs.gov/real-id/real-id-faqs
| BadHumans wrote:
| This is why the US will never have functioning anything.
| People just immediately leap to why it's going to lead to
| dystopia.
| jfengel wrote:
| Unfortunately that was literally true from the beginning.
| Much of the US Constitution is devoted to separation of
| powers. But the powers are so separated that it's
| practically impossible to do anything. Our checks and
| balances are badly overbalanced.
|
| The government persists because the executive branch
| takes a lot on itself. The Supreme Court is currently
| deciding that this may be too much overreach, and the
| government will grind completely to a halt.
| vundercind wrote:
| We already have that and have for a long time, it's just
| way more time-wasting and far less secure than it could be.
| redserk wrote:
| This is a silly retort. We already have multiple identity
| systems in the US:
|
| - Social Security
|
| - Passports
|
| - NAPHSIS
|
| - Most states' ID systems using Real ID w/ SPEXS
|
| - The DoD's ID card system
| fishpen0 wrote:
| I love me some ID.me and think every bank and financial
| institution should be required to use it. It goes so far
| beyond to do good multi-factor auth and even accounts for the
| un-homed and un-phoned in their multifactor. Thousands of
| people can't bank or use many services because they can't get
| a phone number, but they can use id.me at a library or other
| public computer with few issues just having an old offline
| phone running an authenticator
|
| Edit: TIL login.gov is the new hotness
| SpaceManNabs wrote:
| Is Id.me and login.gov the same thing?
| toomuchtodo wrote:
| ID.me is a for profit private provider of identity
| proofing services. Login.gov is provided by the US
| General Services Administration. All federal agencies are
| moving to Login.gov. IRS is one of the last digital
| services that will move. There were some congressional
| hearings on ID.me, due to distorting the truth.
|
| https://news.ycombinator.com/item?id=30430851 ("HN: IRS
| to adopt Login.gov as user authentication tool (Feb
| 2022)")
|
| https://news.ycombinator.com/item?id=39691325 (a previous
| comment I wrote on the topic)
|
| https://cyberscoop.com/idme-irs-identity-verification-
| congre... ("ID.me misled IRS on processing times for
| identity verification, congressional investigators
| found")
|
| https://cyberscoop.com/id-me-ceo-backtracks-on-claims-
| compan... ("ID.me CEO backtracks on claims company
| doesn't use powerful facial recognition tech")
|
| https://cyberscoop.com/id-me-aclu-oregon-states-
| messaging-fa... ("Documents shed light on ID.me's
| messaging to states about powerful facial recognition
| tech")
|
| https://arstechnica.com/tech-policy/2022/11/id-me-made-
| basel... ("ID.me lied to IRS about unemployment fraud,
| average wait times, House Dems say")
| imzadi wrote:
| I was neutral on id.me until I started getting unsolicited
| marketing emails through them. https://help.id.me/hc/en-
| us/articles/202709194-Why-am-I-rece...
| yieldcrv wrote:
| > mark of the beast
|
| what bothers me the most about unfalsifiable predictions is
| that their predictive quality can only be retroactively
| applied, undermining its ability to be predictive at all
|
| it relies on total ignorance of everything _prior_ that fit,
| and other catastrophes that also looked like the "end times"
|
| how was world war I not? everyone dying of mustard gas
| followed by famine, plague.
|
| world war II?
|
| the year 536?
|
| other maladies in other countries? for many people it was the
| end time because their entire family and culture were killed
| and wiped out
|
| I wonder if America will shake its Evangelical death cult.
| People are becoming unaffiliated with religion here but I
| feel like the mysticism is ingrained into the culture either
| way for another generation or two
| ImAnAmateur wrote:
| Talking about it being the "mark of the beast" is a
| strawman. What you should talk about instead to win support
| among those same groups of people is to explain how it
| isn't/wouldn't be a means of government abuse. They're
| worried about it backdooring personal financial freedom the
| same way you would worry about the government backdooring
| encryption.
| yieldcrv wrote:
| It's not a strawman if that's exactly what the people
| being referred to will say.
|
| But semantics aside, I agree that addressing their actual
| concerns is more productive. And there is no way to
| guarantee that.
| jimbob45 wrote:
| _a primary litmus test for clearance is how much debt you are
| in_
|
| As someone on the outside, I'm curious if that's true. I've
| never applied for clearance but I was always under the
| impression that it was more about how many people could vouch
| for you. Is it true that it actually just comes down to your
| bank account?
| fishpen0 wrote:
| There are a handful of key litmus tests that are part of the
| background check: if you are/were a felon, if you lie at all
| during the check, if you are in extreme debt, if they find
| public record of you being anti-American, if you fail a drug
| test.
|
| These all come up during the screening interviews of your
| peers, family, and coworkers. I have done about a half dozen
| or so of these for former peers, friends, and colleagues who
| have moved on to do public sector or join private military
| companies that needed clearance.
| blackhaj7 wrote:
| I lost my phone a few weeks back and was astonished that I was
| able to go into T-Mobile and get my number switched to my new
| phone without showing any ID
| noxon wrote:
| That's horrifying!
| lrvick wrote:
| I had the ability to swap numbers for 3 carriers as a minimum
| wage paid Radio Shack employee.
|
| It was just a web form with a few boxes to fill out based on
| customer provided info followed by enter.
|
| Even when ID is checked, a decent fake ID is like $50 these
| days, and grants access to wealthy bank accounts.
|
| At the time we were heavily incentivized to speed run
| anything that did not generate a commission so checking ID
| carefully if at all was not high on our list of priorities.
| tempaccount420 wrote:
| Americans like to believe they live in a high trust society.
| That must be why things like this are even possible. It brings
| convenience (and I guess profit, as time is money) but the
| trust required is very high.
| ec109685 wrote:
| Did you have a pin on your account?
|
| One would hope it's not possible to swap unless that is
| entered, no matter how corrupt the employee.
| moose44 wrote:
| Humans remain the biggest vulnerability in cyber security.
| eBombzor wrote:
| It's actually unbelievable how often SMS OTP is used, when it's
| public knowledge that it just replaces one attack vector with a
| worse attack vector... Cracking a password or breaking into an
| encrypted database is 10x harder than getting a sim swap.
| loloquwowndueo wrote:
| Cracking a _good_ password - which a large percentage of people
| don't have or will readily input in any phishing web form
| without a second thought.
|
| Time-constrained 2FA codes can be broken with sim swaps or
| targeted phishing which are less widespread than a wide-net
| spam-based phishing campaign.
|
| Now don't get me wrong I hate SMS 2FA with a passion but still
| :)
| zamalek wrote:
| My bank recently added the feature of removing SMS as a 2FA
| option - requiring TOTP. Now if they'd only add webauthn, but
| TOTP is pretty secure against phishing with a browser-
| integrated password manager (no autofill results in suspicion).
| s1dev wrote:
| What bank is this and are they available nationwide?
| zamalek wrote:
| First Tech CU. Their physical locations are PNW only, but
| that hasn't stopped me from continuing to use them
| electronically on the east coast. They are also part of the
| CU alliance, so access to alliance branches and ATMs is
| possible (I've never had the need to test this).
| Hnrobert42 wrote:
| Yes. Why are banks with TOTP so rare?!
| eco wrote:
| My bank finally added 2FA today actually. It is, of course,
| SMS or Email only because banks have the worst online security
| for reasons I'll never understand.
| avidiax wrote:
| Couldn't T-Mobile send their own SMS's to their employees
| pretending to increase the payout to $600, then fire any employee
| that replies?
|
| Or maybe change the terms of use for the employee line discount
| to allow monitoring SMS content or metadata for security threats
| to the company's users?
| FeistySkink wrote:
| Or pay people enough so they don't get tempted to begin with.
| ApolloFortyNine wrote:
| Billionaires have literally committed financial crimes for
| more money. Pay has very little to do with it.
| Red_Leaves_Flyy wrote:
| Billionairism. Addiction to the accrual of wealth and the
| power wealth affords. They should be in asylums not
| boardrooms.
| ssl-3 wrote:
| There's plenty of room for them in the Fletcher Memorial
| Home.
| renewiltord wrote:
| Lol Martha Stewart has $400m and she got done for $230k worth
| of insider trading.
|
| And Matt Levine every now and then talks about a guy making a
| few million a year insider trading a few thousand and
| settling.
| DaveExeter wrote:
| Wasn't it because she lied about it?
| akerl_ wrote:
| The point is that she was already rich. High pay doesn't
| stop people from doing crimes.
| LASR wrote:
| You could solve this by simply sending out a memo not to
| respond to such offers or risk termination.
| gabeio wrote:
| How is knowingly doing sim swapping not already a dick move?
|
| Honestly what the OP suggested is simply a sting operation.
|
| Your reaction to it is ... more scary.
| tw04 wrote:
| It shouldn't just be termination, it should be jail time.
| It's no better than selling a gun to a person you know
| intends to use it to commit a crime.
| UberFly wrote:
| T-Mobile should make a few loud examples out of those
| proven to be doing this. Deterrent is the best medicine. Of
| course they don't want this kind of attention so they'll do
| as little as possible.
| akerl_ wrote:
| Just so we're clear: getting shot is quite a bit worse than
| having your phone number stolen.
| dexterdog wrote:
| It's actually significantly better.
| jjice wrote:
| Is it? It'd be a good way to catch people doing something
| that's seriously damaging to others for personal gain.
|
| I don't think I have much sympathy if you lose your job for
| doing something this damaging and probably illegal.
| WolfeReader wrote:
| A telling reply.
|
| SIM swapping? No comment. Trying to catch SIM swappers?
| Suddenly you have feelings about it!
| maximinus_thrax wrote:
| Red teams do this sort of thing all the time. How about you
| don't accept bribes? Arguably that's a bigger dick move.
| jxramos wrote:
| audit log tied to the one who authorizes the swap along with
| guaranteed criminal penalties would be a stronger
| disincentive I believe.
| lrvick wrote:
| Or, crazy idea, we do not give minimum wage paid retail sales
| reps the ability to control access to the online accounts of
| hundreds of millions of people.
| ClassyJacket wrote:
| Wow, genius, just tell people not to break laws, why didn't
| they think of that...
| actionfromafar wrote:
| T-mobile could do many things (not sure it's legal to pretend
| you want to pay for simswaps, but that's beside the point), but
| first we need to establish why they would care.
|
| I haven't seen much evidence in the past they would.
| masspro wrote:
| They don't care. Source: got swapped on TMo, front-line CSR
| fixed it but no one else at the business cared; would not
| even refund my final bill. Solution: move to Google Fi. It
| has a word-of-mouth reputation for being resistant to this,
| which I believe if nothing else because Google has almost no
| human support to bribe/phish.
| unstatusthequo wrote:
| Still seen swaps with Google Fi. Efani is a much better
| option if you actually want protection. I am a cyber lawyer
| and that's our recommendation to any clients who care. I
| can't recall if Efani is throttled on AT&T or Verizon as
| MVNO, but one isn't. Easy to ask them.
| narrator wrote:
| Google Voice too. No human tech support. It's kind of weird
| how having no human to talk to can be a good thing in these
| high security matters. No social engineering attack
| surface.
| ssl-3 wrote:
| I've just realized that, even though I've used Google
| Voice as my primary phone number since before it was
| Google Voice -- for about 18 years now -- I have never
| really had a problem with it[0], and I've also never paid
| a dime for it[1].
|
| It seems like a well-oiled machine.
|
| 0: Well, some places don't like using GV for 2FA (and
| demand a "real" cell phone number), and some other places
| don't think it can do short-code messages at all, but
| those aren't issues that anyone at GV could ever solve
| even if those people did exist.
|
| 1: Yeah, sure. I'm the product. Blah blah.
| moneywoes wrote:
| what if you lose access to google voice yourself?
| caymanjim wrote:
| I'm pretty sure T-mobile could legally do that to their own
| employees. Corporate security teams are always sending fake
| phishing email to test their employees' gullibility and send
| them off to Re-education Camp.
| foldr wrote:
| Phishing emails don't usually ask people to do something
| illegal, though.
| noodlesUK wrote:
| What's the solution here? Can we practically expect employees at
| retail stores to not be permitted to change a person's phone
| over? What if the person who needs the swap has said their phone
| is lost/stolen?
|
| I think ideally there would be some kind of verification that the
| customer was indeed present and that their ID had been verified,
| but I don't see how you can do that in the US as there aren't ID
| cards or similar forms of universally available ID. I also think
| you should be able to get a phone number without ID at all, which
| would preclude verification in those cases.
|
| The issue is that people's phones are essentially the roots of
| trust for our digital lives. Passkeys being built into the OS are
| good because they push that problem away from carriers, but the
| fundamental issue still remains. Bootstrapping trust is hard.
| jupp0r wrote:
| > What's the solution here?
|
| webauthn
| jasonjayr wrote:
| ... away from carriers and into the hands of
| Google/Apple/Microsoft, who can kill your account for any and
| no reason at all.
|
| Except for that one giant issue, passkeys _are_ gonna be great.
| patmorgan23 wrote:
| There are several 'boutique' email providers (fast mail,
| proton, etc) that you can use instead of the big 3. You can
| even host your own MX server but use a relay service so you
| don't have to deal with IP reputation issues.
| Avicebron wrote:
| lol relay services have reputation issues, I was talking to
| someone today about trying to whitelist some vendor this
| company uses because they use a relay service and it looks
| sketch as hell when emails show up seeming to pretend to be
| someone else
| nijave wrote:
| Sketchy relay services have issues. Haven't had issues
| with AWS SES or Sendgrid
|
| They should still have proper SPF/DKIM/DMARC so you can
| verify the sender even if it was relayed
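The comment above says relayed mail should still verify if SPF/DKIM/DMARC are set up properly. As an added illustration (not code from the thread, and not any mail provider's implementation), the Python below evaluates DMARC alignment the way a receiver does: SPF will usually fail alignment for a relay (the envelope domain belongs to the relay), so it is a surviving, aligned DKIM signature that lets the message pass. The `AuthResults` records, domains and DMARC TXT record are constructed, and `org_domain` is a deliberate simplification that skips the Public Suffix List.

```python
"""DMARC alignment evaluation for relayed mail.

Added example (not code from the thread): decides whether a message that
went through a third-party relay still passes DMARC, given the SPF and DKIM
results the receiver already computed. Sample results and records below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str    # domain of the RFC5322.From header (what the user sees)
    spf_result: str     # "pass" / "fail" / "none" for the MAIL FROM domain
    spf_domain: str     # envelope (MAIL FROM) domain the relay used
    dkim_result: str    # "pass" / "fail" / "none"
    dkim_domain: str    # d= tag of the validated DKIM signature ("" if none)


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption for the example: production evaluators consult the Public
    Suffix List so that 'example.co.uk' is handled; this shortcut does not.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' = exact match, 'r' = same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(record: str) -> dict:
    """Parse the tag=value pairs of a _dmarc TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_evaluate(results: AuthResults, record: str) -> dict:
    """Return the DMARC verdict plus the policy the From domain publishes."""
    tags = parse_dmarc(record)
    spf_ok = results.spf_result == "pass" and aligned(
        results.from_domain, results.spf_domain, tags.get("aspf", "r"))
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.from_domain, results.dkim_domain, tags.get("adkim", "r"))
    return {
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "policy": tags.get("p", "none"),
    }


# Constructed scenario: vendor.example mails through a relay. The relay's
# own bounce domain passes SPF but is not aligned with the From header, so
# only a surviving DKIM signature with d= under vendor.example can pass.
VENDOR_DMARC = "v=DMARC1; p=reject; adkim=r; aspf=r"

RELAYED_SIGNED = AuthResults(
    from_domain="vendor.example", spf_result="pass",
    spf_domain="bounce.relay-provider.example",
    dkim_result="pass", dkim_domain="mail.vendor.example")

RELAYED_UNSIGNED = AuthResults(
    from_domain="vendor.example", spf_result="pass",
    spf_domain="bounce.relay-provider.example",
    dkim_result="none", dkim_domain="")

if __name__ == "__main__":
    for label, res in (("signed", RELAYED_SIGNED), ("unsigned", RELAYED_UNSIGNED)):
        print(label, dmarc_evaluate(res, VENDOR_DMARC))
```

The unsigned case is the "looks sketch as hell" situation from the thread: SPF passes for the relay, but nothing ties the message to the From domain, so a `p=reject` publisher gets it rejected. Switching the record to `adkim=s` also fails the signed case, because `mail.vendor.example` is not an exact match for `vendor.example`.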
| CharlesW wrote:
| > _Except for that one giant issue, passkeys are gonna be
| great._
|
| Unlike passwords, you can have multiple passkeys associated
| with an account. Accessing from an iPhone? Use your Apple
| passkey. From Android? Use your Google passkey. Want cross-
| platform? Use your 1Password passkey. Etc.
| jasonjayr wrote:
| Right. Relying Parties (RPs) need to have beaten into
| their implementations that multiple keys for each identity
| is normal + correct behavior, and the number of multiple
| keys should not be unreasonably limited.
| ianburrell wrote:
| After the trouble of adding multiple keys, I think there
| needs to be a way to easily add multiple keys. Like an
| uploaded file or service that has a list of public keys.
| Something like cross-sign the keys and then authenticate
| one of them.
|
| I wonder if hassle means there will be more use of OAuth
| but that means trust.
| Suppafly wrote:
| I have google fi and I'm always a little low key worried that
| they'll block my account which will kill my
| phone/docs/drive/email all at once.
|
| It also kinda sucks having google as your email and your
| phone when they want to use email to verify your account
| settings and you can't get into your account. This happened
| to my wife, and they essentially have no support on the fi
| side and the gmail side support isn't super helpful. She was
| eventually able to recover her gmail account and fix her fi
| activation but it was a huge pain and took a couple of days.
| brightball wrote:
| > but I don't see how you can do that in the US as there aren't
| ID cards or similar forms of universally available ID.
|
| How so? Aren't there multiple options available?
| patch_cable wrote:
| There are many available but people are not required to have
| one (unless driving, etc.)
| dragonwriter wrote:
| > I think ideally there would be some kind of verification that
| the customer was indeed present and that their ID had been
| verified, but I don't see how you can do that in the US as
| there aren't ID cards or similar forms of universally available
| ID.
|
| Requiring government issued photo ID for identity verification
| is not at all an uncommon policy for various purposes in the
| US, and AFAIK all states have universally available ID cards
| (they are generally not free of charge, but they are
| universally available.)
| Salgat wrote:
| I use Google Voice for this reason, so that you need to
| authenticate with my google account to modify anything related
| to my phone number. It's not perfect since there is still an
| internal forwarding number they could sim swap on, but it would
| require them associating the two numbers first, and I don't use
| my t-mobile number for anything outside being the forwarding
| number for google voice.
| hx833001 wrote:
| You can switch Voice to use IP only through the app/web
| ec109685 wrote:
| Having a pin on your account before a swap (or any other action
| is allowed) seems like a useful barrier to entry.
|
| Then a corrupt employee needs something they won't have to
| execute the swap.
| _dark_matter_ wrote:
| There is no way that most people would remember the pin, so
| employees would need some way to bypass. And voila, back to
| where we started.
| hiatus wrote:
| > I also think you should be able to get a phone number without
| ID at all, which would preclude verification in those cases.
|
| While I agree with you, this is already not the case in much of
| Europe where an ID is required to obtain a sim card.
| snowwrestler wrote:
| "Inside job" SIM swap attacks are not necessarily new; a close
| friend's T-Mobile phone got hit this way in March 2020.
|
| The news here is the intersection of a data breach with SIM
| swapping: criminals are using the employee phone numbers from a
| recent T-Mobile breach data dump to text tons of employees at
| once, offering $300 per swap.
|
| Previously, criminals would develop the inside agent either
| through personal connections or by applying and getting hired
| themselves. With the breached data, they can automate and scale.
| b8 wrote:
| Yeah this has been a thing since 2012ish and became more popular
| around 2016/17. Brian Krebs has documented this for the past 8
| years. No new news here.
| squokko wrote:
| When you have $15/hr employees who can enable a $100,000 scam
| this is bound to happen.
| patmcc wrote:
| I feel the need to defend the use of SMS for 2FA (in limited
| cases).
|
| SMS is actually a perfectly good channel for 2FA for _most_
| customers in _most_ cases. Because _most_ customers, most of the
| time, are not under a targeted or even semi-targeted attack. SMS
| 2FA protects quite well against large-scale brute force or
| credential stuffing attacks. If someone is checking 10k accounts
| against the 3 top passwords (yes, this is a very common attack
| type), those customers will be very well served by having SMS
| 2FA.
|
| SMS is a _terrible_ channel if anyone is trying to target you
| directly though, that's absolutely true.
|
| edit: also, in case this wasn't clear - I'm not talking about any
| services that allow password reset through SMS alone - that's
| beyond idiotic, obviously.
| pyrophane wrote:
| But isn't it the case that most sites will tell you if you pass
| a password check before hitting you with a SMS verification?
|
| In that case I could see someone attempting a sim swap attack
| for accounts where they pass a password check for higher value
| stuff like primary email or anything that is probably linked to
| a spending account
| patmcc wrote:
| That assumes the attacker even has the phone number - best
| practice is to not display the full number, just the last 4
| (xxx-xxx-1234) - so again, for the typical case, the attacker
| isn't going to know what number to sim swap.
|
| SMS is bad at protecting one account, it's good at protecting
| 10000.
| ImAnAmateur wrote:
| The minnow security model is bad at protecting one fish,
| it's good at protecting 10000.
|
| What would you say is an advantage unique to SMS that would
| be lost if text messages were switched to another model?
| I'm asking sincerely. There aren't many people arguing in
| favor of SMS here, so you seem like the right person to
| ask.
| patmcc wrote:
| It's pretty simple - there are people who don't have
| smart phones, plus people who couldn't manage to
| install/use a TOTP app. Something like ~10% of users
| probably fit in that category. So either you offer them
| no protection (if 2FA is optional), no use of the service
| (if 2FA is mandatory), or ok-but-not-great protection (if
| you allow SMS).
|
| (In reality, some users don't even have SMS (no cell
| phone) - so automated voice calls can be offered too.
| Those without any phone at all...will not be considered
| as valid customers, in most cases.)
| pyrophane wrote:
| Yeah, but say I am an attacker doing some kind of brute
| force password hack, and I have a certain number of
| successes.
|
| Given the funnel there, it might well be worth it for me to
| put some energy into figuring out who the person at the
| other end of that account is. Phone numbers aren't secrets.
| patmcc wrote:
| Yeah, agreed. But again I'm not arguing that SMS is the
| _best_ second factor, I'm arguing that (used correctly)
| it's better than _no_ second factor, which is what it's
| actually competing with in the real world.
|
| Generally, I think services should offer TOTP, email, and
| SMS, and _strongly encourage_ TOTP. But not offering SMS
| just means some segment of customers won 't have a second
| factor at all.
| nashashmi wrote:
| As another user here said it best: it is good enough to keep
| honest people honest. But determined people will find a way.
| patmcc wrote:
| This is actually a pretty good comparison. It's like the $50
| lock on your front door. A determined burglar can pick the
| lock or smash the window, no problem. But it's better than
| leaving the door unlocked.
| snarf21 wrote:
| While you are right, you're missing the real problem. SMS 2FA
| is a systemic threat vector for identity takeover. Buy out one
| employee for $20 and you have access to take over any one of
| millions of users. Additionally, the victim won't figure out
| there was an attack right away. And the attacker can live
| anywhere in the world.
|
| If someone wants to rubber hose me, they have to physically
| come to my area and that doesn't scale except for high value
| targets. Tolerating SMS as 2FA is absurd with built in passkey
| capabilities backed biometrics/code built into a device you can
| buy for $100 and already carry with you 24/7.
| patmcc wrote:
| >>>and that doesn't scale except for high value targets
|
| Real-world activities (kidnapping, rubber hose, fingerprint
| stealing, whatever) aren't worth it for medium-value targets,
| true - but my point is that SIM swaps aren't either - for
| low-value targets.
|
| From the article, they're offering $300 per - so the expected
| value from these specific compromised accounts must be more
| than that (I'd guess $1k min). This makes it pretty clear
| that if you're protecting accounts worth ~$50, SMS is
| probably "good enough". And for some users that's the right
| trade off.
| ImAnAmateur wrote:
| That is a very convincing argument for why SMS should be
| replaced entirely for everyone.
| Terretta wrote:
| > _SMS is actually a perfectly good channel for 2FA_
|
| You might have different definitions of both "perfectly" and
| "good" than the researchers who found in every case with every
| major phone provider, the SIM could be stolen.
|
| See: https://www.issms2fasecure.com/ ...
|
| - _We examined the authentication procedures used by five
| prepaid wireless carriers when a customer attempts to change
| their SIM card, or SIM swap._
|
| - _We found that all five carriers use insecure authentication
| challenges that can easily be subverted by attackers._
|
| - _We reverse-engineered the authentication policies of over
| 140 websites that offer SMS-based authentication, and rated the
| vulnerability level of users of each website to a SIM swap
| attack._
|
| - _We found 17 websites on which user accounts can be
| compromised based on a SIM swap alone. After over 60 days since
| our disclosure, nine of these websites remain vulnerable in
| their default configuration._
| patmcc wrote:
| You might have difficulty reading entire comments.
|
| Yes, SMS 2FA will fail against a sophisticated and targeted
| attack. It is still drastically better than NO second factor,
| which is the actual comparison in the real world. There are
| people without smartphones. There are people without the
| ability to install/use a TOTP app. My aunt can either use SMS
| 2FA or nothing. SMS protects her pretty well against 95% of
| the types of attacks she's likely to face.
| Terretta wrote:
| Which part of your comment do you think I failed to read?
|
| Frankly, a secure password alone, with no second factor, is
| "drastically" better than a secure password with ability to
| change that password by SMS, as is frequently the case (a
| quarter of the time, per that research). So set up LastPass
| or 1Password for your aunt.
|
| As for "protects her from 95% of the attacks she is likely
| to face", that's a number that doesn't jibe with my
| experiences as CTO of the second largest bank in the world.
|
| Your claim is "Because most customers, most of the time,
| are not under a targeted or even semi-targeted attack."
|
| On the contrary, most customers are under automated
| attacks, and SMS plus password leaks lets that takeover be
| fully automated.
| patmcc wrote:
| >>Frankly, a secure password alone, with no second
| factor, is "drastically" better than a secure password
| with ability to change that password by SMS, as is
| frequently the case (a quarter of the time, per that
| research). So set up LastPass or 1Password for your aunt.
|
| Obviously password resets shouldn't be possible by SMS
| alone, I never claimed otherwise. I'm talking about using
| SMS as a _second factor_ - in addition to having the
| valid password.
|
| >>As for "protects her from 95% of the attacks she is
| likely to face", that's a number that doesn't jibe with
| my experiences as CTO of the second largest bank in the
| world.
|
| In my experience, low-net-worth + technically
| unsophisticated users are mostly at risk from brute force
| attacks and/or credential stuffing, and SMS (as an actual
| second factor, not a "reset the password for free"
| button) is very effective at stopping that.
|
| >>On the contrary, most customers are under automated
| attacks, and SMS plus password leaks lets that takeover
| be fully automated.
|
| If your customers have phone number/username/password all
| leaked together...sure, I can believe that. Probably you
| should focus on preventing leaks of that size.
| wepple wrote:
| This isn't just an sim/T-Mobile issue
|
| Most customer service representatives are on very low incomes
| (especially in other countries) and it's not hard to find one who
| will take actions for a (western) small amount of money. CSRs
| often have powerful capabilities and access to sensitive
| information. With poor access controls.
|
| Solve the SMS/MFA issue and they'll attack the next thing in line
| nijave wrote:
| Yeah, but ideally the next thing in line is much more secure
| than a financially vulnerable, low wage worker.
|
| Afaik SMS 2FA is the easiest to compromise of all the methods.
| At least with, say, email, you need a password and potentially
| a different 2FA first.
| jupp0r wrote:
| Who would be stupid enough to commit a federal crime for $300?
| Doing this will leave a clear paper trail to the respective
| employee (I hope, if not that'd be disastrous) and the crime
| itself has a high likelihood of being reported.
|
| Am I missing something?
| insaneirish wrote:
| > Who would be stupid enough to commit a federal crime for
| $300?
|
| Probably hundreds, if not thousands, of low level employees
| that work for carriers in retail positions.
| imzadi wrote:
| I think a lot of people are forgetting that most of this
| customer service is being outsourced to other countries.
| zkms wrote:
| There has got to be some sort of two-man rule
| (https://en.wikipedia.org/wiki/Two-man_rule) integrated into the
| system that can't be bypassed by the people with authority to
| make changes to accounts. Otherwise any insider / careless spear-
| phishing victim will make the changes they want.
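Two comments above describe controls the carrier's own systems could enforce: an account PIN that must be verified before a swap (ec109685) and a two-man rule that the people with account-change authority cannot bypass (zkms). The Python below, an added example that is not T-Mobile's code or anything from the thread, enforces both in one workflow: the PIN is stored salted and stretched, lockout limits guessing by a corrupt employee, and the swap runs only with an approval from a second employee at a different site. The employee registry, account and PINs are constructed, and names such as `SwapRequest` and `approve()` are this example's own.

```python
"""SIM swap authorization with an account PIN and a two-man rule.

Added example, not T-Mobile's code or anything from the thread. The employee
registry, account data and PINs below are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000
MAX_PIN_ATTEMPTS = 3

# Constructed employee registry: id -> site. An approver must work at a
# different site than the requester, so one store cannot self-approve.
EMPLOYEES = {
    "E-1001": "store-phoenix-12",
    "E-1002": "store-phoenix-12",
    "E-2001": "corporate-fraud-desk",
}


class SimSwapDenied(Exception):
    pass


def hash_pin(pin: str, salt: bytes = b"") -> bytes:
    """Store PINs salted and stretched; a leaked table must not reveal them."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_pin_hash(pin: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    number: str
    pin_hash: bytes
    iccid: str
    failed_pin_attempts: int = 0


@dataclass
class SwapRequest:
    account: Account
    new_iccid: str
    requested_by: str                  # employee id at the counter
    pin_verified: bool = False
    approvals: set = field(default_factory=set)
    audit: list = field(default_factory=list)
    executed: bool = False


def verify_customer_pin(req: SwapRequest, pin: str) -> None:
    """Step 1: the customer proves knowledge of the account PIN.

    Lockout after MAX_PIN_ATTEMPTS so an insider cannot simply guess it.
    """
    acct = req.account
    if acct.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
        raise SimSwapDenied("account PIN locked; escalate to fraud desk")
    if not verify_pin_hash(pin, acct.pin_hash):
        acct.failed_pin_attempts += 1
        req.audit.append(("pin_failed", req.requested_by))
        raise SimSwapDenied("wrong account PIN")
    acct.failed_pin_attempts = 0
    req.pin_verified = True
    req.audit.append(("pin_verified", req.requested_by))


def approve(req: SwapRequest, approver: str) -> None:
    """Step 2: an independent second person approves.

    The requester cannot approve their own request and the approver must
    sit at a different site, so the rule is enforced by the system rather
    than by store policy.
    """
    if approver not in EMPLOYEES:
        raise SimSwapDenied(f"unknown employee {approver}")
    if approver == req.requested_by:
        raise SimSwapDenied("requester cannot approve their own swap")
    if EMPLOYEES[approver] == EMPLOYEES[req.requested_by]:
        raise SimSwapDenied("approver must be from a different site")
    req.approvals.add(approver)
    req.audit.append(("approved", approver))


def execute(req: SwapRequest) -> str:
    """Step 3: only a PIN-verified, independently approved request runs."""
    if req.executed:
        raise SimSwapDenied("request already executed")
    if not req.pin_verified:
        raise SimSwapDenied("customer PIN not verified")
    if not req.approvals:
        raise SimSwapDenied("no independent approval on record")
    req.account.iccid = req.new_iccid
    req.executed = True
    req.audit.append(("executed", req.requested_by))
    return req.account.iccid


if __name__ == "__main__":
    acct = Account("+15550100", hash_pin("482913"), "8901-OLD")
    req = SwapRequest(acct, "8901-NEW", requested_by="E-1001")
    verify_customer_pin(req, "482913")
    approve(req, "E-2001")
    print(execute(req), req.audit)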
| causal wrote:
| I was initially pleased when I discovered T-Mobile itself
| supported using TOTP apps like Google Auth and then flabbergasted
| when I found you could not disable SMS 2FA even after enabling
| alternatives.
| xyst wrote:
| SIM swap attacks are the reason I do not use SMS 2FA. Everything
| has been switched to use software or hardware based MFA. Opting
| for "magic link" sign in where necessary. E-mail protected by one
| or more non-SMS MFA.
|
| The only services that I use with SMS 2FA are honeypot accounts.
| dimmke wrote:
| Don't new iPhones not even have physical SIM trays? And T-Mobile
| also lets you lock your number so it can't be ported out.
| pxeboot wrote:
| That doesn't mean an employee can't activate your line on a
| pSIM and hand it over to a threat actor.
| lxgr wrote:
| Oh no! Who could have known that designating utility companies as
| the guardians of authentication and identification/KYC would have
| any downsides?
| cyanydeez wrote:
| While simultaneously degrading the value of employment to any
| of these conglomerates.
|
| This is the same reason you want well paid politicians and FBI
| staff.
| lxgr wrote:
| Sure, but please let the takeaway here not be "the employees
| of Con Edison, PG&E, National Grid etc. need to be paid and
| vetted like bank tellers, then it'll all be good".
|
| The intrinsic overlap of incentives and strengths between
| utility providers and identity verification organizations
| (whether private or public) is minimal, and I suspect
| extrinsically forcing them into that role can't end well
| either.
| hx833001 wrote:
| Good thing there are no corrupt politicians and FBI agents.
| airstrike wrote:
| Well paid politicians do everything to get reelected rather
| than doing everything to increase general welfare.
|
| Also as others have commented, even well paid people do shady
| things. TFA isn't an endorsement of higher wages, it's a
| denouncement of our terrible collective security and
| authentication protocols.
| JumpCrisscross wrote:
| > _Who could have known that designating utility companies as
| the guardians of authentication and identification /KYC would
| have any downsides?_
|
| Not sure what your point is. Identity authentication sounds
| like the sort of thing you _would_ want a utility to do.
| Terretta wrote:
| If you are a SaaS provider or bank, and you let password resets
| happen by SMS, _you_ are a threat to your customers.
|
| Stop doing this.
|
| First, and a no brainer: offer "continue with ____" sign ins
| (OpenID Connect / OIDC) for users of Google, O365, Apple, to get
| out of the account creds business for most users.* (See also:
| passkeys.)
|
| Second, prefer TOTP as the MFA, not SMS.
|
| Third, if you absolutely have to do SMS for some dark pattern
| "harvest my customers' phones" reason, use it exclusively as a
| second step, never as an only factor.
|
| * For most customer firms using M365 or Google accounts, if you
| couple accepting OIDC with a domain validation to the customer's
| email address, you don't have to do SSO/SAML, since OpenID
| connect + domain accomplishes roughly similar goals on both sides
| without the per client company configuration overhead or "SSO
| tax": https://sso.tax/
| dudus wrote:
| Aren't passkeys ready for prime time yet?
| shepherdjerred wrote:
| Yup! There's a directory of sites with support here:
| https://passkeys.directory/
|
| I use it for ~50 sites. It's such a pleasure to use.
| 0cf8612b2e1e wrote:
| Not until I can backup a passkey without Apple or Google
| acting as the steward. I need a system where I know that if
| my phone is lost, I can restart my digital identity without a
| tech giant.
| rootusrootus wrote:
| 1Password does passkeys, and they exist on multiple
| platforms. I assume they are not the only non-Apple/Google
| password app which can do this.
| renewiltord wrote:
| I have mine in Bitwarden but I didn't think carefully
| through this, I just used what I had. It looks like
| Vaultwarden hasn't yet added support so you can't rehost
| without Bitwarden but you don't need Apple or Google.
| miles wrote:
| KeePassXC: Enabling Passkey Support
| https://keepassxc.org/docs/KeePassXC_UserGuide#_passkeys
|
| KeePassXC Passkeys Without Big Tech!
| https://www.youtube.com/watch?v=L7uXFJfxf80
| compootr wrote:
| I believe bitwarden does this too, but I stick to
| yubikeys
| recursive wrote:
| I'm not touching it unless I have a way to export my passkeys
| and migrate them wherever I want.
| exabrial wrote:
| All I can say is: No shit ^
|
| I'm tired of it. SMS as "authentication" needs to be outlawed
| at this point. I'd vote for whatever candidate wants to sponsor
| this bill.
| bigstrat2003 wrote:
| It is absolutely not a no-brainer to use Google/etc accounts
| instead of handling that oneself. The last thing we need is an
| Internet which is unusable to anyone who chooses not to have
| (or gets banned by) big tech companies. I myself refuse to use
| the federated login option because I value the ability to not
| tie my entire life to my Google account.
| robotnikman wrote:
| Also, there is always a risk of your google account getting
| banned for no reason other than their blackbox system
| suspects you did something wrong.
| MaxBarraclough wrote:
| They'll address this kind of issue manually, provided your
| story makes it to the Hacker News front-page.
| Terretta wrote:
| For end users, the sign in page will look like this:
|
| https://id.atlassian.com/login
|
| Or this:
|
| https://www.xsplit.com/user/auth
|
| These both offer a "your own email" sign in path. That's why
| I said "out of the business for most users", I didn't say
| "for all users".
|
| Plus, I'm speaking to SaaS providers here.
|
| Fully 85% of businesses in the USA use M365, meaning for all
| but 15% of your b2b users, you do not have to host company-
| user credentials!
| bigstrat2003 wrote:
| I'm pretty sure you didn't have the "for most users"
| qualification when I first replied. I may be mistaken, but
| I don't remember seeing it at any rate.
| jjeaff wrote:
| there are plenty of options for 2 factor apps that don't
| require login. in fact, even Google's authenticator app does
| not require you to login. you can use it locally and store
| the codes locally.
| bigstrat2003 wrote:
| OP said that companies should let Google (etc) handle
| logins entirely, not just use 2FA apps.
| lrvick wrote:
| Honestly even TOTP is negligent to support at this point.
|
| TOTP is phishable, and the root secrets are stored in most TOTP
| apps (including Google Authenticator) in plain text, usually in
| SQLite, because almost no enclaves support the TOTP algorithm.
|
| The only hardware devices that -do- support TOTP like Yubikeys
| or Nitrokeys also support WebAuthn in which case just use that.
|
| A hard requirement of Virtual Passkeys and hardware WebAuthn
| devices should be a bare minimum for auth security in 2024.
|
| Passwords and one time codes are phishable 90s solutions to the
| problem and it is nuts they still are so dominant.
| samtho wrote:
| TOTP is a compromise, like everything in security, and one
| that's fairly secure. Until we reach a point where hardware
| tokens or virtual passkeys become mainstream (and their
| related usability issues addressed), we will be stuck with
| the "something you have" factor needing to temporarily move
| into the "something you know" factor via the TOTP. The
| fact this expires within 30 seconds makes the attack vector
| more limited, also unlike an SMS code that providers use to
| verify you while on the phone with them, you never give this
| code out (found on a separate app) to a person on the phone,
| which helps separate this particular factor from SMS.
|
| The truth is that, while it offers superior security,
| hardware tokens and virtual passkeys are not accessible to
| the masses one way or other. This is a problem that should
| eventually be solved but nearly all prior attempts cannot
| supplant the ubiquity of passwords.
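The two comments above argue about what a TOTP code actually is: a value derived from a stored seed that "moves" the something-you-have factor into a six-digit something-you-know for one 30-second step. As an added example (not code from the thread or from any authenticator app), the Python below implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library only, and adds the verifier-side rules a phisher runs into: a drift window of one step, and a `last_counter` so the same code is never accepted twice. The published RFC test secret is used so the output can be checked; everything else is this example's own naming.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with replay protection.

Added example (not from the thread or any authenticator app): shows what a
TOTP app computes from its stored secret, why the 30-second step bounds an
attacker's window, and why a verifier must never accept the same code twice.
Test vectors are the published ones from RFC 4226 / RFC 6238 (SHA-1).
"""
import base64
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC-based one-time password: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """Time-based variant: the counter is the number of steps since the epoch."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: float,
                last_counter: int = -1, window: int = 1, step: int = 30,
                digits: int = 6, algo: str = "sha1") -> Optional[int]:
    """Return the matching counter, or None.

    window: steps of clock drift tolerated on each side of 'now'.
    last_counter: highest counter already consumed; anything at or below it
    is rejected so a phished or shoulder-surfed code cannot be replayed.
    """
    counter = int(unix_time) // step
    for off in range(-window, window + 1):
        candidate = counter + off
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits, algo), code):
            return candidate
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the seed as base32 (otpauth:// URIs)."""
    padded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(padded + "=" * (-len(padded) % 8))


# RFC 6238 Appendix B shared secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))   # RFC 6238 lists 94287082 for T=59
    print(totp(secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"), 59, digits=8))
```

Note what the code does not help with: the seed in `RFC_SECRET` is all an attacker needs, which is the "stored in plain text" objection, and a real-time phishing proxy that forwards the code inside the step still succeeds; the replay guard only stops the second use.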
| lrvick wrote:
| Passkeys are easier to use, harder to lose, and more secure
| than TOTP or passwords in every way. If you have a web
| browser from the last couple years you can use a passkey.
|
| You do not often get a win that clear in security. It is a
| no brainer to mandate for users today, and stop wasting
| customer support hours on dealing with accounts compromised
| by phishing.
| spxneo wrote:
| Not sure what the alternative is as most users will walk if
| they aren't allowed to use SMS
| lrvick wrote:
| Would users walk away from a hospital if they are required to
| wash their hands and wear a mask?
|
| Sometimes the customer is not educated on safety and you have
| to hold a line to protect them and yourself.
|
| Invest in good onboarding UX.
| darby_eight wrote:
| _Any choice more secure than SMS_ will only empower the
| consumer. You're pointing out a real problem, but the first
| step is at least _an_ alternative.
| dylan604 wrote:
| The alternative is to educate the users. People use SMS
| because they've been coerced into believing it is secure, and
| had the wool pulled over their eyes for
| $reasonsToGetYourData.
| theamk wrote:
| Educate me please, if I value availability, are there any
| options better than SMS?
|
| OIDC means your digital life is destroyed if Google ever
| decides to ban you. And they are well known to do so, and
| there is normally no recourse once you are banned. You have
| to be either brave or stupid to trust your security to tech
| giants.
|
| Passkeys, TOTP are vulnerable to your device getting lost
| or broken, something that can also happen a lot.
|
| Sadly, if you want things to work no matter what, SMS are
| your best bet.
| r00fus wrote:
| Most users? Seriously doubt it.
| Bjartr wrote:
| Where's that assertion coming from?
| mschuster91 wrote:
| > First, and a no brainer: offer "continue with ____" sign ins
| (OpenID Connect / OIDC) for users of Google, O365, Apple, to
| get out of the account creds business for most users.* (See
| also: passkeys.)
|
| Thanks but no thanks, the last thing I want is for _Google_ to
| be in the chain for something as vital as banking. One false
| signal in Google's AI model and you're permanently fucked. Or
| someone compromising the email account (not just credential
| stuffing but e.g. cookie theft).
|
| > Second, prefer TOTP as the MFA, not SMS.
|
| People _loathe_ app-based (or, even worse, RSA token-style)
| OTP, especially if they lose their phone or it becomes
| permanently damaged you're fucked unless you made a backup.
|
| SMS in contrast? Even your 80 years old grandma can use that,
| and most common failure modes (i.e. stuff requiring support
| from you) are handled by the telco.
| darby_eight wrote:
| Ok, I honestly don't know--is there a way to use this to secure
| access to an account generally, without having access to the
| password? I.e. do authentication providers use phone as a sole
| method of identity verification for any major service?
| wkat4242 wrote:
| Or a government, many do this too
| toast0 wrote:
| If you use SSO for a consumer account, you still need to
| provide a way to reset the account when the identity account is
| no longer available. That reset path is still most likely the
| weakest link. Not to mention that some of the identity
| providers will allow reset with only SMS, and once someone gets
| in there, now they're in everywhere.
|
| I still like it for corp SSO though; you can force corp
| accounts to SSO only with no recovery, and you can force the
| corp account recovery to be difficult.
| omoikane wrote:
| > if you absolutely have to do SMS for some dark pattern
| "harvest my customers' phones"
|
| I had a bank that asked for my phone number when I sign up, and
| I gave them a landline number that is not capable of receiving
| SMS. Some years later, without any input or authorization from
| me, they decided to enable 2-factor using this landline number.
| It was super annoying.
|
| My other bank accepts Yubikey. I wish more banks would do this.
| aidenn0 wrote:
| My bank offers 3 choices for MFA; not sure which of #1 and #2
| is more secure:
|
| 1. Password + SMS one-time-password
|
| 2. 4-digit pin + 6-digit TOTP
|
| 3. No MFA
|
| They do, at least, offer the option of disabling automatic
| password-resets via SMS code, but I know from experience that
| you can authenticate yourself to a CS rep with just name, SSN,
| and a SMS code, and presumably a CS rep can reset your
| password.
| giobox wrote:
| Surely we are close to the point a fully self-service cell
| account is possible via secure portal? Choose to eliminate human
| customer service, expose portal to user with appropriate MFA
| access controls etc.
|
| I guess what I'm asking for is a cellphone plan with no human
| customer service, similar to how there is basically no one I can
| call if I have a problem with a gmail account. Remove the source
| and the temptation of this attack in one go.
|
| I appreciate not every customer would like or want this, but
| could be offered to more security conscious users as an option.
| It's not unheard of to get a discount for pre-paying or enabling
| auto-payments on cell plans around the world, perhaps you could
| even get a few bucks off a month for choosing to not have option
| to call a contact center too.
| getcrunk wrote:
| The easiest solution would be a two employee requirement with a
| 3rd remote in corporate office. In smaller stores at least one
| remote. Using a camera for live video that was installed and
| inspected by corporate.
| cyanydeez wrote:
| ...and uh, make sure they're paid far above minimum wage.
| dpe82 wrote:
| Reasonably well paid people are susceptible to bribes, too.
| mschuster91 wrote:
| Yeah but if you're not resorting to just hiring anyone off
| the street who can talk sales, you get less morons applying
| in the first place. Less morons, less people who might be
| willing to treat that "stand in a mall and upsell people"
| job like they'd do flipping burgers and snotting into the
| mayonaise, or who need some "side hustle" cash just to make
| rent.
|
| Pay peanuts and everyone and their dog will apply, pay
| appropriately and you'll get higher quality applications
| that you can afford to actually vet.
| httpz wrote:
| So looks like FCC is implementing some new rules to protect
| against SIM swapping and that's taking effect on July 8, 2024.
| Though from the press release, I'm not quite sure if that'll
| protect the customer from a carrier employee being the bad actor.
|
| https://www.fcc.gov/consumer-governmental-affairs/fcc-announ...
|
| https://docs.fcc.gov/public/attachments/DOC-398483A1.pdf
| alufers wrote:
| I know everybody says how bad SMS 2FA is, and how we should
| replace it with the next cool thing $BIGCORP invented (thus
| requiring you to have an account with them, which only defers the
| problem).
|
| But couldn't we pressure the telecoms to improve it?
|
| I have an idea that would make SIM swaps way harder to execute.
| Namely a website that wants to authenticate you should be able
| to query the telecom for some kind of SIM card ID. This would
| happen before sending a 2FA code.
|
| With such a feature it would be easy to store the SIM card ID in
| a database when enrolling the phone number. Later when the user
| tries to authenticate and the ID does not match what was saved
| before, the account is locked out. For enterprise accounts you
| would need to explain yourself to IT and for personal accounts a
| fallback 2FA would have to be used. Alternatively the
| authentication would be delayed for a few days to give the
| legitimate owner of the SIM card time to react.
|
| Another thing that could be added on top of this is to send a SMS
| to the old "inactive" SIM, alerting the original owner of the
| attack.
|
| EDIT: To add to this, here are some advantages of SMS 2FA over
| time based OTP or passkeys:
|
| 1. My grandma can use it with her dumb phone and poor digital
| skills.
|
| 2. Your SIM card will most likely survive if your phone is
| destroyed due to water or physical damage. (Sadly not true for
| eSIM)
|
| 3. You can dictate an SMS/OTP code over the phone, or forward it
| to somebody you trust.
|
| 4. Banks can append a short description of what you are currently
| authorizing. It can tip you off in case your computer is infected
| with malware, or you are victim to one of those TeamViewer scams.
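The comment above sketches a SIM-binding scheme: record the SIM id at enrollment, re-query the carrier before every SMS code, and on a mismatch either lock the account (enterprise), fall back to another factor, or hold delivery for a few days while alerting the old SIM. The Python below is an added example implementing that sketch; it is not a real carrier API and not something any carrier offers today. The carrier lookup is a plain dict standing in for the hypothetical "current SIM id for this number" query, the numbers and SIM ids are constructed, and `SimBoundSmsFactor` is this example's own name. The fallback-2FA path is represented by `reenroll()`, assumed to run only after some other factor has verified the user.

```python
"""SIM-binding check before an SMS code is sent.

Added example implementing the scheme sketched in the comment above; it is
not a real carrier API or anything T-Mobile offers. The carrier lookup is a
dict standing in for a hypothetical "current SIM id for this number" query,
and the numbers and SIM ids are constructed.
"""
from datetime import datetime, timedelta, timezone


class SimBoundSmsFactor:
    """Refuse to SMS a code when the SIM behind the number has changed."""

    def __init__(self, carrier_lookup: dict, hold: timedelta = timedelta(days=3)):
        self.carrier = carrier_lookup      # phone -> current SIM id (hypothetical API)
        self.hold = hold                   # grace period before a new SIM is trusted
        self.enrolled = {}                 # phone -> (sim_id, enterprise)
        self.pending = {}                  # phone -> (new_sim_id, accept_after)
        self.locked = set()                # phones whose owner disputed a change
        self.alerts = []                   # (old_sim_id, message) "sent" to the old SIM

    def enroll(self, phone: str, enterprise: bool = False) -> str:
        """Record which SIM the number lives on at enrollment time."""
        sim_id = self.carrier[phone]
        self.enrolled[phone] = (sim_id, enterprise)
        return sim_id

    def request_code(self, phone: str, now: datetime) -> str:
        """Decide whether a code may be sent. Returns one of:
        'sms_sent', 'locked' (enterprise, or disputed: explain yourself to
        IT / use a fallback factor), 'held' (personal: delayed so the real
        owner has time to react to the alert on the old SIM)."""
        if phone in self.locked:
            return "locked"
        sim_enrolled, enterprise = self.enrolled[phone]
        sim_now = self.carrier.get(phone)
        if sim_now == sim_enrolled:
            self.pending.pop(phone, None)
            return "sms_sent"
        if enterprise:
            return "locked"
        pending = self.pending.get(phone)
        if pending is None or pending[0] != sim_now:
            accept_after = now + self.hold
            self.pending[phone] = (sim_now, accept_after)
            self.alerts.append((sim_enrolled,
                f"SIM for {phone} changed; SMS codes held until {accept_after.isoformat()}"))
            return "held"
        if now >= pending[1]:
            # Nobody disputed during the hold: a legitimately replaced phone.
            self.enrolled[phone] = (sim_now, enterprise)
            del self.pending[phone]
            return "sms_sent"
        return "held"

    def dispute(self, phone: str) -> None:
        """The owner answered the alert from the old SIM: cancel the pending
        change and lock SMS delivery until a fallback factor re-enrolls."""
        self.pending.pop(phone, None)
        self.locked.add(phone)

    def reenroll(self, phone: str) -> str:
        """Assumed to run only after a fallback 2FA verified the user."""
        self.locked.discard(phone)
        self.pending.pop(phone, None)
        _, enterprise = self.enrolled[phone]
        return self.enroll(phone, enterprise)


if __name__ == "__main__":
    carrier = {"+15550100": "SIM-A"}                 # constructed carrier state
    factor = SimBoundSmsFactor(carrier)
    t0 = datetime(2024, 4, 15, tzinfo=timezone.utc)
    factor.enroll("+15550100")
    print(factor.request_code("+15550100", t0))      # sms_sent
    carrier["+15550100"] = "SIM-B"                   # the swap happens
    print(factor.request_code("+15550100", t0))      # held
    print(factor.alerts)
```

The hold is what answers the "getting a new phone" objection raised in reply: a real replacement just waits out the grace period (or uses the fallback factor), while an attacker's swap produces an alert the victim can dispute before any code reaches the new SIM.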
| mjmahone17 wrote:
| In your scheme, how do I transfer money from my bank after my
| phone is stolen and I need to get a new phone without access to
| the original sim? Or access my email?
|
| If that's just impossible, how do I fix the issue? A "fallback
| 2FA" what is that exactly?
| alufers wrote:
| Probably one time use recovery codes you are supposed to
| print and keep in a safe place. In case of a bank this could
| also mean a trip to the nearest branch for ID verification.
|
| The same issue you mentioned applies to other 2FA methods.
| Your TOTP codes and passkeys also live on your phone,
| Yubikeys can be stolen too.
| pcai wrote:
| I think this is conceptually wrong from a layering perspective
| because you're punching through the abstraction and making it
| leaky on purpose. This just moves the problem down one layer in
| the stack - there will be legitimate new use cases for "SIM
| card ID spoofing" and then we're back to square one. Also from
| a usability standpoint "getting a new phone" is precisely the
| wrong time to lock users out of their accounts.
|
| A perfect analogy would be trying to implement security with
| MAC addresses but applied to the internet. It just makes a mess
| of an abstraction layer and then you have to rebuild it because
| those abstractions were useful (MAC address spoofing has
| legitimate uses because MAC addresses were used for security
| and then people realized they needed to be able to
| transparently swap things out).
| aryan14 wrote:
| This has been going on for 5+ years, and there is an entire
| community behind this.
|
| Typically, teenagers ranging from 14 - 19 will select targets, or
| "targs" to conduct a "Sim Swap" on.
|
| Desired targets are often individuals with "rare" or "OG" handles
| on social media platforms, as they're worth a lot of money. Or,
| individuals with large crypto wallets (think: Coinbase, Binance,
| etc.).
| xivusr wrote:
| Any reports of Verizon employees getting approached like this?
| kotaKat wrote:
| I've heard of them off and on in the past, typically a Verizon
| employee requires a significantly higher payoff ($2000-3000) to
| get a SIM swap across, so they're generally a lot more
| expensive all around.
|
| https://old.reddit.com/r/verizon/comments/1bnnsbc/kick_out_t...
|
| It's common to see people get approached on communities like
| carrier subreddits if they post that they work at a store, and
| get dangled offers like that.
| SpaceManNabs wrote:
| 2FA is broken.
|
| If I want to get a new cell phone number, I am absolutely fucked
| on everything. This isn't sustainable.
| mlfreeman wrote:
| I'll throw out an idea that _seems_ simple to me...
|
| An *opt-in* option to require that lines on your account can not
| be moved to a new SIM unless the current SIM is offline as far as
| the cell grid is concerned.
|
| This could even be made into something that customer service
| could be blocked from overriding.
|
| If someone steals your phone, they try to get it into airplane
| mode as fast as possible to avoid activation locks. If you drop
| your phone in the ocean or off the side of a cliff, it's probably
| not going to remain working for long. If you're concerned about
| losing it somewhere where it'd remain active but you'd never find
| it, then don't opt in to this.
| imzadi wrote:
| There is an opt-in SIM protection available. You can lock the
| SIM card and can't move the line until it is unlocked.
| mlfreeman wrote:
| Taking the device offline requires you to either have control
| of or destroy the current phone, while that SIM protection
| sounded like something a customer service rep could be
| tricked into working around.
| chgs wrote:
| Send a message to the SIM card saying "do you want to move"
|
| If you don't respond then it takes 48 hours to move.
|
| If you say "yes" then it moves
|
| If you say "no" then whoever asked for the move has some
| questions to answer
| tass wrote:
| Yes, or even require a challenge sent to the current line with
| a grace period, and you get to choose your own grace period up
| front. In this way, someone can't jack your line while they
| know you're on a flight.
|
| So, I lose my phone (maybe it's sitting on the side of the road
| somewhere) and need a new line. Since I can't reply to it my
| line will transfer after 8 (?) hours of no response to the
| challenge.
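The carrier-side flow sketched in the two comments above (challenge the current SIM, "yes" moves it, "no" blocks it for review, silence moves it after a grace period the subscriber picked up front), as an added example rather than anything a carrier or commenter published; the grace periods and phone numbers are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed defaults: carrier-wide grace period, plus per-line overrides the
# subscriber chose up front (the "choose your own grace period" idea).
DEFAULT_GRACE = timedelta(hours=48)
LINE_GRACE: Dict[str, timedelta] = {"+15550100": timedelta(hours=8)}


class SimMoveRequest:
    """One request to move a line onto a new SIM, gated by the current SIM."""

    def __init__(self, line: str, requested_at: datetime) -> None:
        self.line = line
        self.requested_at = requested_at
        self.grace = LINE_GRACE.get(line, DEFAULT_GRACE)
        self.reply: Optional[str] = None

    def challenge_text(self) -> str:
        """SMS sent to the SIM currently on the line."""
        hours = int(self.grace.total_seconds() // 3600)
        return (f"Someone asked to move {self.line} to a new SIM. Reply YES to "
                f"allow or NO to block. With no reply it moves in {hours}h.")

    def record_reply(self, text: str) -> None:
        """Accept only a clear YES/NO; the first answer from the old SIM wins."""
        answer = text.strip().upper()
        if answer in ("YES", "NO") and self.reply is None:
            self.reply = answer

    def status(self, now: datetime) -> str:
        if self.reply == "YES":
            return "approved"
        if self.reply == "NO":
            return "blocked_needs_review"      # requester has questions to answer
        if now >= self.requested_at + self.grace:
            return "approved_after_timeout"    # lost phone: move goes through
        return "pending"
```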
| zb3 wrote:
| To everyone pushing for a different 2FA method - what if I lose
| the 2FA device? Would it mean I won't be able to get into my bank
| account anymore? If not, then the method I could use to get my
| account back in that case could be the method that will be
| attacked..
|
| If employees can be bribed, that's the problem.. there must be a
| human element somewhere, otherwise we'd have to be permanently
| locked out if we lose all 2FA devices
| k8svet wrote:
| I just have a visceral reaction every time I see "SMS" anywhere.
| It's a garbage human verification method (hello boxes of SIM
| cards available in [certain markets] for spare change), it's a
| _garbage_ 2FA mechanism (especially when it's the only one). It's
| a garbage platform through and through. I don't care if I burn
| karma here, it's the worst technology that I'm forced to use on a
| regular basis. And I hate seeing it defended and used in new
| places.
|
| s/garbage/[stronger words]/g
|
| I mean, it's not quite _as_ cheap, but even now I can provision
| fungible, resellable eSIMs, non-wholesale, for less than $5.
| Throw a little HS + acceptxmr, sit in front of Airalo
| /holaSIM/etc, or just figure out who their upstreams are. It's
| all a complete and utter farce.
| paradox242 wrote:
| Even in the black market of SIM swaps, that is a lowball offer.
| devy wrote:
| SMS-based OTP has been known to be an unreliable way to
| authenticate someone because of exactly this type of social
| engineering hack.
|
| All software providers and the industry should ban SMS-based OTPs
| as a standard practice. Either leapfrogging to a passkey
| implementation or just time-based OTPs.
| akerl_ wrote:
| What software provider or industry group is in a position to
| enact a ban on an MFA strategy?
| mathgradthrow wrote:
| the US government.
| bhaney wrote:
| Maybe organizations in charge of cybersecurity compliance
| frameworks? We'd see a lot of companies drop SMS 2FA pretty
| quickly if it became a requirement to maintain their SOC
| compliance.
|
| I don't think we need a complete sweeping ban to get it to
| largely fall out of use, just a critical mass to drop it so
| it's no longer defensible as an industry standard
| hotpotatoe wrote:
| This isn't limited to T-Mobile employees; I work for a T-Mobile
| MVNO and received the offer.
___________________________________________________________________
(page generated 2024-04-15 23:00 UTC)