Hacker News new | past | comments | ask | show | jobs | submit login
SIM swap horror story: I've lost decades of data and Google won't help (zdnet.com)
430 points by kaboro on June 17, 2019 | hide | past | favorite | 290 comments



Google really fails hard in the face of providing support when issues like this occur. The average person has to try various automated account recovery options which, as in the author's case, are readily changeable the moment the account is compromised, rendering them somewhat useless, and then users are out of luck.

It's a situation that is mind-boggling. Users as asked to place a significant chunk of their digital lives in the care of Google, it is unbelievable that they fail this badly. It's useful to note than it's not a situation that business users face. People who pay for G-suite have real support, even ::gasp:: telephone support. Why on earth does google not offer this to consumer users? I would gladly pay for that level of support and security. For that matter if there were some way of converting my personal account over to G-Suite I would do so.

I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this. I just can't fathom the "no support" model at all.


This is why I panicked when they announced they won't sync Google Photos with Google Drive anymore. With the sync, I can setup one of my computers to constantly download the photos and then copy it onto a local backup and an online backup. If my Google Account gets locked - I'll just copy the photos into something else and move on with my life. They removed that saying it's confusing to users - all the while it was an option users had to go explicitly enable.

I switched to iCloud which supports the download feature.


FWIW, I use syncthing for this exact use case.


SyncThing is fantastic, it's really solid and always just works.


Where did they announce that? I still have that setting enabled, and I'm using it for backing up exactly the same way you described, so I really hope this doesn't just get magically turned off someday.


Google Photos will stop syncing to Drive on July 10, 2019 https://gsuiteupdates.googleblog.com/2019/06/google-photos-d...

HN discussion: https://news.ycombinator.com/item?id=20166131


Would you mind elaborating on your iCloud setup to handle this please?


The most common way to do this is to have the Photos app on MacOS set to "download originals," then use whatever backup solution you like best. I highly recommend setting this up. Last month through some sort of iCloud glitch my fiancé lost almost all of her photos from before the beginning of this year. We've escalated it to their highest tiers of support but the photos are gone. Redundancy is important, and even the best providers aren't foolproof. It was devastating to lose all of those memories.


Thanks. Currently I do this:

Phone -> Dropbox + Google Photos (automatically)

Card-based cameras -> Plug in card, Dropbox + Google Photos pick up new photos

Backup 'server': Local synced Dropbox folder -> Local + Cloud backups

I couldn't see how to add iCloud to my existing syncs / backups. When I looked at it, I couldn't be sure it would keep photos on my phone long enough to allow Dropbox and Google Photos to pick them up. It's good that it's possible to get the originals over at a MacOS machine. Might be worth exploring then.


This is how I do it too, then backups are done through Arq and Amazon. I consider Google Photos as a “share / social” area. I would never entrust masters with Google.


I should go and backup my photos asap then...


In case you own an iPhone, it's given to you the option to backup your photos to your iCloud account (Apple service bundled into the phone).


How is your solution different from uploading to Google Drive?


Editing, search, organization, sharing and viewing tools. Google Photos is a fantastic UI for that - provided, the pictures actually live in my Drive.


> I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this.

I can just see the people raging about this on social media now.

“Google charged me $50 to fix an issue with my account!”

“Google won’t give me any help unless I pay them! Extortion artists!”

Etc.


Sure, people would complain. But they complain now when these issues happen. I'd rather a scenario where people complain but the problems are getting fixed. It's not completely unreasonable that Google offers low/no support for free products. It is unreasonable that they don't have any way to pay for help when there are serious problems.


Make it something you can pay in advance, then.

For a fee, you get marked as a high-risk/high-value account, get the recovery service and risky factors of authentication get extra scrutiny, etc.


You can get extra security from Google for free. https://landing.google.com/advancedprotection/


Patio11 just had an automated loss of access on his phone when enrolling. Lack of support hurts there too.

https://mobile.twitter.com/patio11/status/114040469625693798...


This was quite unfun. (Fixed now, after I blackboxed what the actual problem was. Some Googlers are looking into the docs/error messages to fix that half.)


Not exactly free, because you must buy a couple of hardware tokens. Fifty dollars when bought from google. But free besides that.


They'd probably get bad headlines regardless of whether or not they required an in-advance subscription:

- Don't allow upgrading after a problem arises to get premium support: "Google won't let me pay to fix my account"

- Allow upgrading after a problem arises to get premium support: "Google extorting me to regain access to my account"


I believe Google does offer support to consumers via Google One (where available), it’s priced very reasonably too.

One of Google One’s selling points Google advertises is phone based access to Google experts.


There’s also another bad side effect of Google. Google makes and gives away stuff for free and one of the reasons they do it is because they run a lean operation. They don’t provide any kind of support. Let’s say someone want to start a new company that provides all the same features of Google and provide solid support - there’s no way they can do it for free. Or even if it’s a reasonable price, people are going to pick free anyway. Except those of us who care. Just the fact Google and Facebook gives it away from free, in a sense, kills any possible paid service in the domains they operate. IMHO that qualifies as anti-competition and anti-trust. But the laws aren’t designed for this scenario at all.


> kills any possible paid service in the domains they operate.

I can think of paid services that compete in the domains google operates in. Fastmail is an easy one.


It’s $20/year to get 100GB of space for GoogleOne. Worth it so that you have a paid account with support options.


The author mentions that they are a paying customer.


Google One has support, it's pretty much the only button in the UI when you go there.

EDIT: actually it looks like the support might need to be reached from within the account, so that's still a major problem when you can't get in at all.


This kind of stuff is horrifying to me and why I willingly pay the Apple Tax. At the end of the day they have stores full of humans I can walk into and tell my sob story to and excellent telephone support.


I don't believe it works the way you think it does:

https://support.apple.com/en-us/HT204921 "If you need more help, contact Apple Support. While we can answer your questions about the account recovery process, we can't verify your identity or expedite the process in any way."


That is fine but the scam started by reassigning the SIM; something not related to Apple. I am not having enough criminal fantasy but in your Apple World you live in a monoculture...usually this makes it just easier for intruders to make problems.


> I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this. I just can't fathom the "no support" model at all.

Have you considered alternatives that do offer support?


> People who pay for G-suite have real support, even ::gasp:: telephone support. Why on earth does google not offer this to consumer users?

I know people are getting sick of this phrase, but I'm going to repeat it here anyway because it answers your question perfectly: why doesn't Google have customer support? They do, but if the product is free, you're not the customer.

As you note, Google does have real customer support for people who pay. The other people are not customers, they are advertising targets. Why waste money on support for them?


As someone using G Suite for personal purposes I'm glad to pay for support honestly (+ the peace of mind of being mostly in charge of my data, not having it be mined for whatever purposes).


> Why waste money on support for them?

On the other hand, a paid edge case support option for otherwise free services would be a win for both sides. If only the long term projection of the resulting incentives would not be so ugly...


Google One advertises real support for consumer users... but it turns out they can't really so anything but read support docs to you.


I didn't realize, I apparently was automatically made a Google One user when they created the program because I pay for a bit of extra Drive storage. I'd really like to hear stories from people who have had a hacked/stolen account and the support Google One provided.


Is this a reference to something? I haven't heard much about Google One's support good or bad.

The concern I'd have with G-One is that if you lost access to your account, you also aren't a Google One customer, and the support likely won't assist you. Creating a chicken/egg situation.


Not a reference to any story, just a few personal experiences. I had various issues, and they couldn't escalate anything to actually fix them, they just read support docs back to me. It's not like the paid support that gsuite customers get (although I'd be happy to pay more for that if I could).


Yes, there should be some support for non-paying users. Even if it comes at a cost, like a flat rate incident fee.


g suite is awesome for personal accounts. One of the few non abusive services that google offers.


Buy a domain (12+USD year depends on extension) + G-Suite (around 4-5USD/Month) and that's it. As a bonus, you always can swap your email provider without changing your email address.


Why is it that the most dramatic stories of people's digital lives being lost/broken usually seem to revolve around a compromised mobile phone number? Mobile phone numbers are not unique (they are recycled) and are terrible security (mobile phone companies are careless). I change mobile numbers at least once a year and most years I end up receiving calls/messages on behalf of the previous owner. I refuse to connect my mobile phone to these services.

It seems like one of the most important lessons of computer security has already been forgotten: It's only as good as the weakest link. Not only this but decentralization/redundancy is often better than centralization/dependency. For example, I'm not sitting awake at night worrying over some semi-pseudo password I generated for an old unencrypted forum run on some random persons server.


> I change mobile numbers at least once a year and most years I end up receiving calls/messages on behalf of the previous owner.

I had something very similar happen when I got a new number. I kept getting calls for the previous owner from what I assume to have been a bank, a library (for passed-due books no less; left a voice mail), and random people trying to contact this person. Not long thereafter, I started getting text updates from Facebook any time one of their contacts posted something. Facebook fortunately disables this with the text message STOP (IIRC) [1], but it bothered me that a nefarious actor could have passively collected the names of this person's contacts, messages, or more.

Not quite sure what to do, I did end up calling most of them back to inform them they had the wrong number, if they left a voice mail. The calls stopped about a year and a half later, and while I was somewhat annoyed at the time, in retrospect it could have been much worse!

[1] https://www.facebook.com/help/225089214296643


Because every time you login to gmail without a phone number there's a big "add your phone number for super security!!" pop up on the screen. People do what the google tells them to do.


This is a good place to remind everyone of Google Takeout [1]. Back up all of your data. Don't let this horror story happen to you.

[1] https://takeout.google.com/settings/takeout


Thanks for the reminder--I've done it several times in the past, but it wasn't a scheduled thing at all.

There's a new checkbox in takeout that lets you schedule a backup every 2 months (and then presumably you'll get an email when you need to download it).

Does anyone else have issues with takeout failing with "unknown error occurred" if you use the default of selecting all products? I have to manually create multiple takeout archives (one for gmail, one for photos, one for location history...)


Absolutely! Always fails. I didn't know about the alternative you mention...thanks....


Works fine for me with select all. Maybe it was a temporary thing.


I was just about to set this up to automatically put everything in my organization's Box every six months, but:

> With access to your XXX@YYY.ZZZ Box account, Google Download Your Data can:

> Read and write all files and folders stored in Box

Nope. Download link it is.


Yeh that's unfortuante but it is normal for box's API. This isn't Google being overly grabby, its the only scope available to third party read and writing to box.

The API scope doesn't have any knowledge of individual files or applications. https://developer.box.com/docs/scopes

Conversely, Google Drive does have scopes available for Application specific folder read/write https://developers.google.com/drive/api/v3/appdata

So box needs to up its game.


To be clear though, unless Box does actually offer a finer-tuned 'write to specific dir' access control, that's not nosey Google's fault.


Thanks for reminding me... again... about this. Why haven't I backed up my gmail data yet? It has been years since I realized I have to do it. Why haven't I done it?


Because it's not easy to automate.


Gmail alone is easy - use POP in a mail client, set it to mark stuff read, leave it on the server etc https://support.google.com/mail/answer/7104828?hl=en


I'll agree that POP is pretty easy and worthwhile here.

One caveat: I'm not certain that it's identical to what Takeout provides. I downloaded the mbox file via Takeout and the Takeout version was a fair bit larger than my Thunderbird mbox file as I recall. Maybe Thunderbird stores the emails more efficiently than Takeout? I should examine this more closely. As far as I am aware there are no missing emails in Thunderbird, though I could write a script to be certain.

Edit: Seems that I misremembered. The Takeout file seems to be appreciably smaller than what Thunderbird has, but in line with what Gmail reports at the bottom. I guess Thunderbird is actually less efficient than Gmail. Attachments might explain some of this, as I deleted some attachments in Gmail that I kept in Thunderbird.


The takeout file might be compressed too. Most mail clients don't bother to compress anything.


Yes, it was zipped, but I was comparing uncompressed. I've now checked. There's about a 500 MB difference for about 10 GB of emails. So not too bad, but appreciably different.


Attachments?


They now have a feature that lets you schedule it to run every few months. You could probably automate the download from your email client.


`gmvault` in a cron job works pretty well...


Check out Mailstore Home


My previous experience (years ago) was that it actually gave me incomplete backups... which is.. insane and frustrating. Hopefully that’s fixed now.


Anyone who wants to defend themselves, consider using U2F where you can and Google Advanced Protection. I just recently picked up a bluetooth security key because one is needed to log an iPhone into an account using advanced protection; there is no SMS backup loophole. The Titan key bundle comes with a bluetooth and USB key, which is enough to get started, though frankly you probably want a couple additional backup keys too.

https://landing.google.com/advancedprotection/

(The usual disclosure: I work for Google, but not on anything related to this, only speaking as a user.)


U2F keys are great but I look forward to the day when they’re more widely available outside the US. And I’m still waiting for my replacement from Feitian for the recent vulnerability. Not to say you shouldn’t use them, but... they have their limits. Particularly Advanced Protection which forces you to use Google’s browser in many situations and disables API access so I can’t use the API to get my own data, only Google’s official apps and a small exception for Apple’s.


Yeah, Chromium is needed to add keys, which effectively means you can’t enable Advanced Protection without Chromium. I personally ran into this wall. I acknowledge that this sucks, as a person that intentionally only uses Firefox, but to be clear logging in and most other operations work absolutely fine with Advanced Protection.

Does it really disable all API access? I thought it only blocked certain OAuth scopes, but to be honest I haven’t really tried.

I was able to login to a NVIDIA Shield, but only by resetting and bootstrapping off a spare Android device (!!!) because U2F keys are broken on Shield. Interestingly, my Samsung TV remains signed into Youtube, which is kind of odd now that I think about it.


Seems like Firefox U2F is just disabled by default: https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-f... (tl;dr: Open about:config, search for u2f, enable)

With that done, GitHub prompts me for my key. My Linux office workstation is missing the necessary udev rule, so I couldn't test more. (Funnily, pressing Cancel caused them to send me a SMS, so their 2FA is practically worthless).


I've run into strange interactions where adding a key is disabled in Firefox (even with the security.webauth.u2f flag set to true), but once one key is added, you can add subsequent keys no problem.

This is how Github worked for me - I think it's just a mis-match in the code checking for U2F functionality...


I think adding the key use a different mechanism - there are two JS interfaces for U2F, and FF only supports one of them. TBH I've added my key to GitHub with chromium, but have since moved to FF; so that might be what you're seeing with GitHub.


Oh yeah, I’ve set all that stuff up already and I am able to login; NixOS makes it mostly pretty easy.


Youtube/YoutubeTV seem to be walled off on 2nd factor auth. I've been able to log into both on browsers w/o 2nd factor and then get prompted when logging into web gmail.


Or use your Android phone as your second factor.

https://security.googleblog.com/2019/06/use-your-android-pho...


That’s a great idea and would’ve saved me some time. Sadly, I had ordered and received my Titan kit before even realizing I still had an Android device, less that I could use it to bootstrap my iOS device...

I hope Apple some day supports NFC or maybe even USB U2F, both things Android has supported on phones for a bit.


Why doesn't Google get rid of SMS recovery completely? It's a huge security flaw that can be easily exploited.


Probably because the more barriers you put in the way of scams, social engineering, etc. the harder you make it for people to legitimately get back into their accounts and the more likely it is that you'll instead read stories about how someone "forgot their credentials and lost access to everything in their account and Google won't do anything about it."

No opinion on SMS specifically but there are tradeoffs.


It would be more just if people losing access to their accounts were those that lost their credentials rather than anyone that has a SMS number tied to their account. Other approaches to account recovery could be explored but none of them should involve SMS.


Google is a pain as there's no way to talk to a human. I have lost access to an old Gmail account as my phone broke. Without authenticator I can't get in. I can't set up authenticator anew because I don't have the password anymore. I still have same phone and plenty of emails - just no way to get in.


When you set up 2fa with Google they give you a set of backup codes you can use to get back in case you lose access to your phone/authenticator. It's important to store those somewhere safe.


I have no idea what the pros and cons are and certainly can’t speak for why. However, I think the existence of the Advanced Protection Program is definitely acknowledgment that the SMS backup is not secure enough for everyone.

The thing is, not long ago I had no issue recovering my account if it got compromised. I think attackers today have gotten better at finding ways to beat the system. One thing I’ve seen, albeit I don’t know if it works on Google accounts, is enabling high security after stealing an account, effectively making recovery very hard.

Though, I can’t really speculate on if that’s what’s going on here.


Because, depending on your risk profile, it can be very helpful:

> We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.

* https://security.googleblog.com/2019/05/new-research-how-eff...

Not everyone has to worry about being targeted by nation states.


When you first enable 2FA with Google you have to do SMS (at least that was the requirement last time I did it). However, once you've defined an alternative 2FA method (Google auth, u2f key, etc) then you can remove the SMS method completely.

Believe it or not banks are really bad at security. They are so bad at it that they don't even realize how bad at it they are. But the banks all copy from each other so "what the other guy is doing" is more or less their justification for what they do. Most of them have little to no idea why they do what they do for IT security, they just do what the Computer Security for Dummies book says to do (walk through the IT security department at any big bank and I bet you there is a dog eared copy of that tome on every desk)

Synchrony is one of the worst offenders, they won't even let you change your password without doing SMS verification, and their source of phone numbers is a Transunion skip trace database (which you can't change or remove any information from), so getting past Synchrony can be as easy as filling out a contest form at a mall, waiting for the phone number to appear with Transunion, then choosing that phone number to do SMS verification. It might take a couple months but payoff can be huge.

My hero at the moment is Capital One, they allow you to do e-mail authentication instead of SMS, and their iOS app also doubles as an additional factor (one requiring you to enter your password or use touch ID to use).

I was also extremely happy to find that the brokerage Robinhood offers Google Auth as a second factor. E*Trade also offers 2FA but a proprietary token w/ lcd display (which they happily charge you for).

My trick has been to give banks a false phone number that rings busy forever. That does effectively keep me from using banks that require SMS authentication, but there are more then enough that either offer other methods or drop their SMS requirement if you list your mobile number as your home number (indicating that its a wired phone and can't receive SMS). That doesn't keep my Synchrony accounts secure but there are enough protections around credit cards that my liability would be $50 at worst, with Synchrony having to eat the remainder of the loss.


> When you first enable 2FA with Google you have to do SMS (at least that was the requirement last time I did it)

I don't remember that ever being the case, either when Google first launched Google Authenticator and 2FA (when I pretty soon after set it up) or when I later went through the setup process for my work account at my current job (a couple years ago).


That is awesome then! It was a lot of hassle for me to find a phone that accepts incoming calls (and wouldn't come back to me) so I could get past the first step - though to Google's credit the number I used never showed up anywhere so they didn't try to sell me out.


It depends on your threat level. If you're just trying to avoid phishing, it's great, something like 99.9% effective. However, if you're worried you'll be targeted, where someone will go through the effort to do this to you specifically, then it's not a good choice.


2FA does not fully protect you against phishing. The attacker can just passthrough all credentials including your 2FA code. It limits the attack to a time window and any further security sensitive changes that require 2FA may be protected unless the user naively re-enters their code.


U2F/ WebAuthn credentials can't be passed through.

Or in more detail, the credentials aren't human readable and are per-FQDN, so when you visit badguy.example thinking it's goodguy.example, your Security Key will cheerfully hand over valid credentials for badguy.example, but there is no way to give them credentials for goodguy.example because that's not where you are.

Hence that 100% score on Google's page.


Meant to say TOTP or SMS 2FA.


I've just checked and Google now allows the removal of SMS based 2FA if you have an alternative 2FA method configured.


What is your contingency plan for when that physical key is lost, stolen or damaged?


Multiple physical keys in multiple formats stored in multiple places. I've got a few security keys: one on a keyring, one in a locked file cabinet, one locked in a safe. Backup codes are printed on good quality acid-free paper with good toner and then are put in acid-free envelopes or laminated, stored in a safe at home and a trusted family member's house.

I'm far more concerned with an attacker from the internet or destruction from a fire or natural disaster than someone using my computer at my home who happens to have my username/password combination as well.


I have two. One stays with me, the other in a safe.

Which is legitimately a pain in the ass to register, manage, keep in sync, etc but I only use it for a few very important accounts--Google being one of them.


You should have emergency backup keys as well printed on real paper. I have a set stored with our important files, and another in my nightstand. Having my phone stolen would be a damnable inconvenience, since that is my second factor -- although not via SIM, but via Google's in-app authentication. But it wouldn't be fatal.


I use andOTP, which is compatible with Google Authenticator and actually allows backing up the private keys (one of the key missing features of Google Authenticator, though maybe they've fixed that).


A good equivalent to andOTP on iOS is OTP Auth (backups, optional cloud syncs, it just works): https://apps.apple.com/us/app/otp-auth/id659877384


I have about six, one in each computer I regularly use.


Have multiple keys/tokens?


Why not "defend" yourself by not relying on gmail? It's not exactly the first time this has happened.


What’s better? Serious question. Very few companies spend as much on security as Google. You have to do your part and configure something like Advanced Protection, but if someone’s going to go to all the effort listed in the article, which provider would be a better bet?


It's not like email providers get hacked all the time. Individual email accounts do get hacked.

Find an email provider that provides decent support, i.e. you can call and talk to a real person. Make sure they support 2FA (ideally the non SIM variant). Also recovery tokens that you can write down and stuff like that.

Personally I run my own mail server but I understand that's not everybody's cup of tea.


Is there anything specific to Google about this? Could it be the same story about another email provider?

And if not then why not? Is it because Google is a bigger and more obvious target or something specific they are doing badly?

If you think people should switch then these are the kind of questions you should answer.


A smaller, paid provider may make it easier to get someone on the phone to resolve problems when things go wrong. Having better support than Google would not take much.


"Getting someone on the phone" is a big reason these kinds of problems happen in the first place. The reason Google doesn't do that is because they would be too big of a social engineering target, and couldn't possibly be secure in the face of that at a reasonable cost.


Fair enough. Is there any email provider that has similar procedures to NFSN?

https://faq.nearlyfreespeech.net/q/LostEverything


The article doesn't say if the user had two-factor authentication set up. I guess it's implied they used SMS as the second factor.

This would happen with any email provider.

So the fix isn't changing email provider, it's using a more secure second factor, e.g. U2F.


Right, but at least with a different email provider it's infinitely more likely to get actual support if this happens.


"I don't remember my password and I have a new phone, can you help me" is precisely how attackers do sim swaps in the first place.


Absolutely, if you want. I am not advocating to use or not use Gmail or other services. But also be sure to use U2F on whatever you can, be it Fastmail or Proton Mail or what have you. I think Proton Mail is still working on their U2F support today, though.


FastMail has humans respond to all support tickets. Imagine being able to recover your email without spending 5 days talking to a google form?

source: I work at fastmail. It's cool.


At the end of the day, there’s a lot of differences between the many webmail offerings. The apps, the support, the feature-sets, etc. If you have gotten used to things like the nuances of Gmail filters, switching anywhere can be challenging, I think, and the same could be said about the reverse. I’ve been considering using both Gmail and FastMail simultaneously for a while, especially for custom domains. Also, JMAP is cool.

I am mostly just suggesting that folks who read stories like these and fear similar predicaments take the time, effort, expense, etc. to properly secure whatever accounts they have.

Thought experiment: if someone steals an account with no 2FA, enables U2F and other security mechanisms, how will support verify who truly owns the account? Or the reverse: user enables U2F and someone calls in and tries to claim the account was stolen?

Having humans make judgements is important because the real world is complicated and people are imperfect, but using U2F in the first place can save you a huge headache, no matter what services you use. If support can just flip a bit and disable U2F, it isn’t very useful for the same reasons accounts get hijacked to begin with.


I mean, i think you answered the question yourself. History of account security details, things like login logs, IP addresses, when things were changed, payment information, etc can corroborate the story a user is trying to tell (ie, my account got stolen), or refute it.

And those things? It comes down to having strong process rules and having intelligent life forms make the decision.


This is the first thing I thought of when reading that. For sure, Google's lack of real support for fixing things when someone does steal enough 2FA creds, like phone number, is a drag. On the other hand, it appears that setting up Advanced Protection probably gives you a much harder to hack account than any other provider could do.


This unfortunately is useless. Account recovery will still allow the hacker to use the phone number that has just been swaped to logon to the email. The weakest link is what matters and in this case you are just putting a bigger door lock on the front door while leaving your back door open.


Once you've configured a security key on a Google account, it's entirely possible to remove phone-number based account recovery -- and strongly recommended for at-risk users. See step 21 et seq. in the Tech Solidarity security guide for people working on political campaigns:

https://techsolidarity.org/resources/security_key_gmail.htm

For no particular reason, Google does require you to temporarily configure phone-number based recovery while configuring other 2FA options -- but once they're set up, you don't need the phone number anymore.


A few suggestions:

1) Call your cellphone carrier and ask to set up a password/PIN to be used for when you call into the customer service phone number.

2) Consider your phone number and SIM card insecure. The phone carriers are ignoring the SIM swap problem even though they know how much damage it's causing. Give your phone number to as few companies as possible. Phone services such as Google Voice work without a SIM card, so they are less prone to problems. Give out such a phone number if necessary.

3) Don't use text message verification codes as 2FA. Use an authentication app, such as Google Authenticator.

4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.

5) Ask yourself, what will happen if you lose both your laptop and your phone at once? Do you have things set up in a way where you can get back into your digital life? Someone can break into your home while you're away, the government can confiscate them at the airport, etc.

6) Check what email addresses you have configured as backup auth methods for your Gmail. Those accounts can be used as a means of access by a hacker.


> 4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.

That's possible?! I only ever change password if I suspect it might have been compromised. Now if a service allows to use old passwords, that's quite a bummer and makes password change meaningless.


> Call your cellphone carrier and ask to set up a password/PIN

Note that, at least for TMobile, AT&T, and Verizon, the password/PIN is presented to the CSR in plaintext (as they verify the pin over the phone verbally).

I'd assumed they'd transfer to some pin-capture applet to verify, but nope.

> Use an authentication app, such as Google Authenticator

If you decide on Google Authenticator, make sure you scan the barcode with 2 devices (say, your tablet and your phone) to back up that credential. Or just use Authy.


Authy allows you to recover your account using... SMS. So this is also vulnerable to SIM swapping. https://medium.com/mycrypto/what-to-do-when-sim-swapping-hap...


Omg you're kidding me


> scan the barcode with 2 devices

You can print out a copy of the barcode and keep it somewhere safe. It's a little bit scary as that barcode is a super powerful extra key but, you will have a key that will work and not be reliant on any device to store it.


There are plenty of TOTP apps (besides Authy) that support backing up the code generation keys. I use andOTP, for example, which supports backing up locally to the phone's internal storage (and optionally encrypting that backup with either AES + a passphrase or a PGP key if you've setup an OpenPGP provider on your device). 1Password's iOS (and Android?) app also supports TOTP.


> 2) Consider your phone number and SIM card insecure.

Your phone number is an obvious attack vector. I think having a dual sim phone with 2fa dedicated number that is not publicly associated with you, possibly with the carrier that has it's security in order, would decrease the odds of getting hacked.


> Call your cellphone carrier and ask to set up a password/PIN to be used for when you call into the customer service phone number.

What is really infuriating is that it is not required for BestBuy-type authorized resellers that hook directly into the system.


> 4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.

This is what I'm worried about, if I don't have a phone number on a gmail account, won't it make it harder to get access to that gmail account if I am locked out. Even though there's obviously a bad security loophole with just having a phone number on your account as a recovery option, is it not worse to be locked out of your account with no way to get in?


Even if you go through the g.co/advancedprotection onboarding process, they still say account recovery is possible and that it would take 3-5 days extra. Granted, it's not easy, but it's much easier to buy security keys and put one in a safe deposit box than it is to try to get every carrier to be nice to you and not SIM-swap your account.


> 5) Ask yourself, what will happen if you lose both your laptop and your phone at once?

Yes! For example, if you're robbed on your way home from work, and they take your laptop and your mobile.


In the space of the afternoon after reading this article, I removed SMS 2FA from all my accounts, installed Authy, added all my accounts to it, found out Authy is also insecure[0], reconfigured it to be less insecure, and basically despaired.

My solution going forward will be to spend all of my money each month so there's nothing to steal, and have a terrible reputation online that therefore can't be ruined.

[0] https://medium.com/p/1367f296ef4d#681f


A lock on your door is obviously insecure, but can work because it introduces friction for the burglar, while there are other targets around. It's a similar principle at work for online security. Some amount of protection coupled with the statistical likelihood of being targeted already goes a long way.


After reading a similar article on HN a year ago, I too decided to use Authy but the realized that it was vulnerable to the same methods. I eventually decided to use andOTP[1].

While it doesn't automatically sync across devices, it does allow you to create backups[2] which can be encrypted with AES or your PGP key. Just store this in Dropbox/Drive/Box and offline storage and you're good to go.

[1] https://github.com/andOTP/andOTP/blob/master/README.md [2] https://raw.githubusercontent.com/flocke/andOTP/master/asset...


> My solution going forward will be to spend all of my money each month so there's nothing to steal, and have a terrible reputation online that therefore can't be ruined.

Way ahead of you there buddy

(sorry, I know, no jokes..)


I find it strange that there is no procedure for the following situation:

* all emergency/account recovery info changed

* Person contacts shortly thereafter claiming account hack

I lost a legacy skype account recently. It had had no email attached to it, so the hacker was able to add theirs and get notified whenever I got back into the account. There was no way to remove their email or add new security mechanisms without waiting 24 hours, so I had no way to keep them from resetting the password.

The account was shut down for spam not long after. As far as I could tell there was no way to effectively reach microsoft about this, despite being a paying office 365 customer. They had a security chat but it was a deadend, and slow.


Unlike what the OP stated, the key is NOT to list you phone number as an SMS 2FA recovery option. Only use the non-SMS options (e.g. app-based recovery, Google Authenticator, recovery codes). Adding SMS as an option makes your account less secure, not more.

Unfortunately, most sites do not allow you to turn off SMS recovery even if they offer other 2FA options.

Security is only as strong as the weakest link, and SMS is very weak.


The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d. I also doubt many use/print recovery codes, and if they do, good luck finding them 7 years later.

Overall the situation isn’t great.


I just went through this situation with a couple non-Google companies when I upgraded my phone, not realizing that their authentication info wouldn't transfer when Google transferred my data to the new phone. I thought I had double-checked that I had everything, but this got missed.

It was a pain for all of them, but it was worst for the ones that I had no other auth systems set up. (Or the ones that had my old phone number for SMS still, even though I thought I'd changed it everywhere.)

In the end, there's still no good system for real security. You're either stuck with a device you might lose (or someone might steal), or stuck with an account that you might cancel (or someone might steal). Or use biometrics which are just not ready for prime time.


I encountered the similar problem the last time I upgraded. There are alternatives to Google Authenticator that offer backups and cloud syncs while maintaining security. andOTP on Android and OTP Auth on iOS. https://play.google.com/store/apps/details?id=org.shadowice.... https://apps.apple.com/us/app/otp-auth/id659877384


> The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d.

You can save the QR code that was used during setup to repeat the onboarding at any time. You can also use Authy, 1Password, or another service that lets you store the one-time password somewhere else. Or use U2F devices when possible.


I would recommend saving the recovery codes in a password manager app (that is not your browser)


No, Google Authenticator is not tied to a device. It's a standard (TOTP, RFC 6238) and you just need to use an app (perhaps not Google Authenticator, I use a different app myself) that will let you see the numerical code that you need to save somewhere.


It’s tied to the device as in it won’t be part of your backup to a new phone.. you have to manually transfer it yourself which according to you is using another app!

So the likelihood of moving to a new phone without those codes transferred is very high. Not exactly an easy experience.


I still have my Google Account recovery codes in my wallet that I first generated in 2011.


Better not lose your wallet!

When you’re at Google scale, all of these methods have real world flaws.


The industry needs to learn that sms 2fa is not secure because getting a sim for someone else is so easy. And this happening in every country.


SMS 2FA is fine. 2FA adds another layer on top of your password. The second factor doesn’t have to be particularly secure to make you safer.

The problem is SMS account recovery, which is a really bad idea.


> The problem is SMS account recovery, which is a really bad idea.

The problem is that a lot of services tie the two together. Often one implies the other. Even if it doesn't, though, it's also easier to social engineer -- "look! I have access to the 2fa phone number! I just can't access my password manager!"


Companies do that, but they shouldn't call it 2FA at that point as it is no longer a _second_ factor: it has become the primary factor.


I'm not sure I've ever seen SMS account recovery.


Google has sms account recovery.


In times like these, I am glad to live in a stone age country like German, where it is near-impossible to get a new SIM without going to the store in person and presenting a government-issued ID.


Sorry but you are wrong. Today was news on heise that clearing bank accounts by replacements and transfering the money to some popular new banks like fidor and n26 resulted in a temporary ban of a small bank to transfer any money to these banks. It‘s happening here too ;)


Or a country like Sweden where you have to authenticate customer service through 2 FA using an application connected to your bank account, where you input a password or fingerprint.

And then the change only happens after you confirm a text message sent to your phone asking you to approve the request.


Does the 20 year old minimum wage employee working at that store know how to spot a good quality fake ID card?

What about hackers bribing an employee?


I would say that for the average user sms 2FA is secure enough.

P.S. I might have a different perspective as where i am from, there really aren't important services (banks etc.) that are using sms 2FA. Mobile operators doesn't ship SIM cards over mail, you can get a new SIM only in person providing ID (or PIN/PUK in case of prepaid cards). Probably my country is just too small market for these kind of attacks so i feel secure enough when using sms 2FA.


Depends on what it’s protecting, for example banks using it isn’t, as it’s a common enough attack vector it’s appeared on consumer programs on TV fairly often and they had to introduce a law to allow people to be refunded in cases of sim swap.


It wasn't secure enough for the author of this article.


Not really an average person isn't he?


How is he not an average person, as far as security goes?

1) he didn't use a password app

2) he thought google drive was a safe place for his stuff

3) he thought google drive was a secure place for his stuff

All three things, which I would bet are fairly common assumptions (the last 2 are certainly part of Google's marketing!), turned out to bite him.


He is a public personality and in that role has been related to Bitcoin. And he also has his phone number and email publicly visible on the internet.

https://gizmodo.com/a-tv-anchor-tries-to-gift-bitcoin-on-air...

It seems like this only happens to people who have poor opsec about their email addresses, phone numbers, and are publicly related to the cryptocurrency movement. I mean, I'm sure it happens to other people, but that's the only case I've ever heard about.

I would personally be wary about publicly listing the email I use with my bank, or my phone number, and I've done what I can to scrub the internet of these values. If you have to be publicly reachable through a medium other than Facebook or Twitter, have a separate email and phone number through which you conduct your serious personal business. But most people do not need this kind of public reachability, or else have it through work. For those types of people, it would behoove them to keep their profile small.


Before the identity theft occurred, what about the the author made him particularly "not average"? Being an early twitter adopter or something?


I wouldn't call a writer for ZDnet who probably has a very public persona an average JOE.


A writer for ZDnet might be a public figure, but to call him "very public" seems like a stretch. There are probably millions of people as public or more than him.


You're saying that you're safe because you're not an interesting target. People tend to agree that security through obscurity is not a good strategy.

As for how hackers can swap someone's SIM, consider:

- Does the 20 year old minimum wage employee working at that store know how to spot a good quality fake ID card?

- What about hackers bribing an employee?


Bank of America uses SMS.


Silicon Valley has a systemic customer service problem. The price you pay for "Free" services.


His cell provider was the problem, and that is a paid service. They never should have given someone else a SIM, they are absolutely liable.


I think the common wisdom dictates that since we aren't paying, we aren't the actual customers. I'll bet advertisers have great customer service.


That's less common wisdom and more of a catchy but dumb meme. There are all sorts of things you can buy that have crappy-to-nonexistent customer service.


I think there can be several reasons that a company lacks good customer service. One might be lack of competition. Another could be that they don't see their users as customers.


Sure, but even Comcast isn't as bad as Google; not as much depends on Comcast, and Google has mountains of p[eople's key life-altering data, yet it is nearly impossible to speak with a human that has any capability to effect a change.

As with every generalizations, there are exceptions, but they generally only prove the rule.


I was thinking more along the lines of manufacturer's warranties, which are often hard to actually use. Or Teslas being in the shop for weeks due to an unavailable part.

Customer service has more to do with company-specific culture than what you actually paid. There are good and bad examples in every industry (or even with the same company).


> There are all sorts of things you can buy that have crappy-to-nonexistent customer service.

But that doesn't contradict the point of the comment you were replying to, does it?

Edit: You should reply instead of just downvoting.


Article author was paying for some of it.


He was paying for all those services (except Twitter and Facebook [which was ok]).


The hack was the fault of T-Mobile though. He pays for that.


This is why I would like to trust my digital identity to my bank.

They have enough local, physical presence so that I could show up in person and prove who I am. Also the personnel is already familiar with checking the identity and hopefully less suspectiple to social engineering.

2FA tokens and codesheets without SMS backup are secure, but bit tricky to manage. Takes some effort to distribute to different, secure places (think if house burns) and some regular checks to verify backup tokens are alive and codesheets not lost.


My good bank has no physical presence whatsoever. I mean, I presume they operate a call centre somewhere, maybe in Scotland, but I've never seen it.

They can reach out and cause things to happen at a distance, but I don't want that used to authenticate me. They used it when I had lost my cards, to cause me to receive a bundle of cash so I could get on with my day just paying cash everywhere.

I have a specialized OTP device with a chiclet keyboard, and a password used for normal stuff. When I do something serious, like the time I bought somewhere to live, I call them to set up the transaction, then a different random person gets assigned to call me back and verify the details - this way if one employee goes rogue they can't empty my account by claiming I called them. They have a password for me, and the second employee uses that password so that I know it's really the bank calling me.


I would like to know more about this bank!

What bank is it? How did you find it?

I've not heard of features similar to this, especially the last part about buying a house.


It's First Direct https://www1.firstdirect.com/

It's a Telephone Bank in the UK, launched in 1989 and I became a customer a year or three after that. Because it doesn't have any branches its call centre staff have to be trained to handle absolutely anything - if they can't fix it then it won't get fixed.

I found it because my father used it, I have no idea why, he was not ordinarily a man to favour technologically sophisticated solutions, he never owned his own email address for example. Maybe as a working man he found it frustrating that other banks were closed after hours? First Direct is never closed, it operates 24/7. I have used other banks for some things, but I've always kept accounts with First Direct because of their truly extraordinary customer service hence I call it the "good bank". I actually know one of their Founders and apparently that commitment to customer service was key to their original vision for the bank, he led a strategy session for the start-up where I work now and it used that vision to give us a worked example. He was Chairman at another start-up I've worked for too. Small world.

For the buying a home part I do mean that I bought it outright by the way, there wasn't a mortgage or anything like that - so that's a lot of money, let's say six figures. I presume the precaution was triggered by the fact that I wanted to move this large sum (almost all the money I had) to an account I'd never sent any money to before. Sounds almost exactly like a scam.

I would _like_ to believe any other bank would have similar protections - but of course I don't buy a home every day, so I have no other examples to compare, and most of my contemporaries have a mortgage so the very large sums aren't involved.

The password when they call me thing was nice, to be honest they didn't proactively set that up. I suggested it off-handedly one day and they were like "Of course, yes, we can set that up". I presume it's not custom, just they didn't explicitly advertise it to me as an option. That happens a lot, I didn't want contactless on my new card recently, and they were like "Yup, of course, done. Replacements for this card will also not have contactless until you call to change that".


Phone providers, email providers, and banks should provide an option to require in-person verification for account recovery or in the case of phone providers transfer of a number to a different SIM. These events should be infrequent enough that it would be OK if there was a fee for verification.

This might seem impractical for people who live somewhere that the provider doesn't have an office, but it actually isn't. There is a nationwide, readily available mechanism already in place for this. They are called notary publics.

It could work like this:

1. You request account recovery, and pay the fee, and provide your physical contact information.

2. The provider hires a notary public in your area, and sends them a form for you to sign authorizing the account recovery.

3. The notary meets with you, verifies your identity, notarizes your signature on the form, and then lets your provider know that this has successfully completed.

4. Now that the provider knows the request was legitimate, the recovery or transfer can go through.


This is why I don't use Google for anything of importance. No customer support = I am not using it for anything of importance. Consider it a 'burner' service.


Exactly


So the same pattern unfolds:

Someone trusts faceless uncaring tech companies with all of their most crucial data.

Companies get hacked. User's life is crashed. Companies feel nothing and have pathetic "support".

"Thankfully", insider access grants privileges.

> Thankfully, I have a good friend at $COMPANY who was very concerned with my plight and was able to get $PRIVILEGED_SUPPORT

My point is that we have set up these systems that have us all skating on thin ice, and when people inevitable fall through (or are pulled under by thieves) we have almost no recourse, unless we happen to be well-connected to the internal workings of these machines.

We're turning the world into Morlocks and Eloi. We've got to wake up and slow this shit down.


Agree.

These two snippets inspired /facepalm:

> While Twitter is a free service, I would still expect some level of assistance for someone who has had the same account for 13 years and can get thousands of people to verify my identity.

'free service' being the operative words, and they can probably trust the user to do all the hard work of maintaining a new account for another 13 years (with associated pageviews) without lifting a finger.

> I made sure to have two-factor authentication (2FA) enabled with this service. It turns out that the 2FA with text messaging sent to a cell phone may be useless when hackers steal your SIM right out from under you.

O RLY. The point of 2FA is that one of those factors is a physical token which cannot be stolen remotely. Anything involving SMS to a phone number is not 2FA and never will be 2FA and anyone claiming otherwise is either an idiot or assumes you are...


The fact that ACH is slow is a feature not a bug. Remember that when people want to speed up money transfers.

> After a couple of days, our bank reversed the $25,000 charge and told us that the fraud department caught the ACH withdrawal before it was fully processed so that neither my family nor the bank lost this money forever.


Instant transfers work fine in countries where banks do their job properly.

Mobile phone numbers shouldn't be used as a second factor, much less as a way to fully recover online credentials to your bank account.


You're probably right. You definitely shouldn't be able to recover your online credentials then immediately transfer out all the money.


But also, the US regulatory environment is very friendly towards individuals when it comes to fraudulent electronic transfers, regardless of how quickly they execute.


IMHO. "I trusted cloud services to store my data". I never do that. I have multiple offline encrypted backup copies (on-site and off-site). I do not trust anything out of my arm's reach. The cloud is not an option for serious backups (unless you have n copies with different vendors + offline backups). I think the convenience of the cloud (with encryption) is an option when you have offline backups. I hope you will get your data back and that nothing will be compromised.


Don't use 2FA, if the 2nd factor is anything mobile-based. Use strong passphrases, and type them when you need access to the assets they protect.

There is the concept of "security VS convenience", a trade-off you make when using secured assets. 2FA is convenience just as much as it is security. By having SMS as a method to reset a password, you reduce the attackers workload from cracking a difficult password to "compromise your mobile phone physically or electronically". I trust my passphrases much more than my mobile device and/or carrier.


This doesn't make sense. Why not use both 2fa AND a strong passphrase? To get to the second factor the attacker still needs your password. There is nothing that says you should use a simple password if you have 2fa configured.


Because they can do "forgot password" using the 2fa.


Passphrases can be phished.


The author really hasn't learnt anything if he thinks that enabling all Google recovery options is the right thing to do. The only thing you should ever use is "Google Authenticator" and then store a copy of its recovery codes in a safe place (bank vault or zero-knowledge encrypted online storage). But better yet, don't use GMail in the first place.


> I had backed up a ton of personal information on Google Drive. This included tax returns, account passwords for my wife in case I died, personal documents and spreadsheets, and just about everything I had paper copies of at home.

I guess the author learned that lesson, but… please don't. Backups in the cloud are fine, but such sensitive information has to be encrypted. Ideally with a 6 words diceware password or so.

And if it is meant for your close ones to recover if you die, write that password down, and lock it up in a couple homes you trust.


I believe Google has some kind of service you can turn on where you will pair it with a U2F token like a Yubikey or their Titan key. At that point, all other forms of login and password recovery are turned off. In theory, that should stop the SIM-swap attack.

See: https://support.google.com/accounts/answer/7539956?hl=en


I use Authenticator, which should also stop a SIM-swap. However, I've noticed that many services seem to require activating 2FA via text message in order to activate authenticator. Has anyone else noticed that?


Quite a few do require you to have at least two second-factor methods set up, although I think for me only one has ever insisted on setting up phone / text 2FA. If you don't have a spare phone for TOTP or a Yubikey for U2F, phone-based might be all you can use (considering a surprisingly small number of 2FA supporting sites seem to implement recovery codes).


The point is that, while there are dangers, TXT 2FA is leagues better than not having anything at all.


Unfortunately, Yubikey at least basically only works in Google Chrome, so if you actually want to use your account you have to use methods other than the Yubikey.


You can use it in any browser. You have to register it in chrome. Crappy, but not a line in the sand I'm willing to die on.


Conventionally, one metaphorically chooses a _hill_ to die on, and lines in the sand are only crossed or redrawn, not died on.

The insistence on using Chrome is arbitrary and I don't like it. The use of U2F rather than WebAuthn at least has a technical justification (older Android devices can't do WebAuthn, and while it's backward compatible in the sense that you can use a WebAuthn authentication having signed up with U2F, vice versa is not possible, so old Android devices would have a confusing UX behaviour) but the insistence on Chrome is just arbitrary lock-in.

I won't be dying on that hill either, but it does suck.


> The insistence on using Chrome is arbitrary and I don't like it.

Supposedly this limitation is because Firefox doesn't implement the JavaScript calls that permit a U2F-calling site to know the type of U2F key being used and Google wants to enforce, when enrolling for ATP, that at least one of the two keys being enrolled can be used wirelessly (Bluetooth or NFC).

I don't agree with it either but will only truly be mad if/when Mozilla implements the requisite call and Google still blocks enrollment without Chrome.


You'd think Ubuntu chromium-browser might be acceptable for Google U2F setup -- but no, not when I tried a couple of months ago.


Worked for me. :(

What error did you see?


Ha! That was an amusing mix of phrases. You got what I meant though, and provided some color. Agreed on it sucking.


The problem starts with a mobile provider simply giving away a service to someone else. Twice. This is shocking.


I certainly didn't appreciate how much SIM cards are the keys to our modern lives until mine got stolen. Interestingly, my thieves took a different tack: they actually stole the physical SIM card! You might ask how this could happen: I was traveling internationally and had a friendly guy at an official kiosk in the Heathrow arrivals hall swap out my SIM card for a local SIM. He palmed my SIM and gave me back a dud without me noticing. He then shipped it back to Atlanta where collaborators used it to blindly called credit card support numbers. Some of these credit card numbers were hits — places where I had existing accounts and where they recognized my phone number. They social-engineered their way to get the CC companies to divulge more information about me — including the CC numbers themselves — allowing them to increase my credit limits and open new cards. They then went on a $40k shopping spree.

Of course I didn't notice until I came home. The dud card he gave me worked for 24 hours (I still don't understand how). And even after it stopped working, it took me quite some time to piece together everything that happened — I didn't realize that the SIM card I had wasn't mine for quite some time. Fortunately they did the equivalent of an identity theft smash-and-grab. It was relatively easy to identify and reverse, and they didn't compromise any tech 2FA services.

Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.

tldr: Don't let anyone ever touch your SIM cards.


> Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.

What about the part that's "being a part of a criminal conspiracy to steal $40k?" I guess that's not something for the airport police to deal with though.


Ayup. Here's what I got back from them:

    In light of the extended Fraud on your account, I believe
    that due to the 7 day lapse between you collecting the SIM
    and returning to the USA, then your details could have been
    compromised anywhere. In all probability, this occurred in
    the USA as this is where the accounts have been set up and 
    believed the fraudsters would have had to have been in order
    to benefit from the crime.
 
    The fact that you bought a SIM card in the UK is purely
    circumstantial I’m afraid, therefore we would not 
    investigate this further.
Of course I was shouting "THEY HAD TO SHIP IT BACK TO THE U.S. FOR IT TO WORK" as well as providing the call logs documenting calls from the Atlanta region (where I don't live and hadn't visited), but it fell on deaf ears and I gave up. That response made me feel like a tin-hatted conspiracy theorist, though: yes, I am certain I was defrauded through an international criminal conspiracy.


I understand your frustration, but I also think they have a point.

What you're telling us is all based on your educated guesses as to how they might have pulled this. There are things that feel a bit weird and I'm guessing you have no evidence to prove them, such as the scammer shipping the real SIM back to Atlanta in time before you realise the issue.

How did you realise the SIM card you were handed was fake? Couldn't it be that they instead duplicated your SIM whilst you weren't looking?

IMHO the police (or FBI or whatevs) in the US should conduct the investigation as that's were the fraud happened. They'll evaluate if it's worth it contacting their counterparts in the UK to move forward. However I also think it is good that you've given a heads up to the UK local authorities.

Do you remember what company was offering the local SIMs? I've seen mostly Lebara, but not in Heathrow...


The SIM ICCID that I physically had in my hands upon return was different than the ICCID that ATT had on file for me. I also watched the dude do it right in front of me, but of course SIM cards are quite easy to palm. It was the "Tourist Services" kiosk and I bought a £20 Lebara card. He very kindly taped the ATT card down to the Lebara cardboard packaging, and I wasn't able to remove that tape without damaging it so I'm quite certain that it wasn't swapped elsewhere.

I did also report it to both my local police and the FTC and the FBI but never could gain traction as nobody thought it was their jurisdiction. I eventually gave up once my credit was repaired.


Just playing devil's advocate, the ICCID on file would also be different if they had managed to compromise your account and change the sim associated with it.


They also had the last-changed date (which was from when I set up my account).


That might be reasonable. It also makes the scam OP is guessing happened a pretty good criminal scam, since the police will refuse to investigate it...

I mean, what possible additional evidence could one plausibly have that the guessed scam is indeed what happened?

Which is the scary thing about all these SIM-theft things. It clear happened, there's really no way for the victim to know how/where/what/when/who.


It certainly took me quite some time to put all the pieces together — and I'd wager very few folks defrauded like this are able to realize exactly what happened.

I do wonder if it's still happening...


Is SIM cloning still easily doable?


Anyway, thanks for sharing. This is not exactly an obvious fraud.

I think one way to prevent it, aside from remembering to not let your SIM off your hands is to mark/paint your SIM and make it unique and easily recognizable.

Then you can deal with it immediatelly, even if you forget the rule to not give your SIM temporarily to others. (You'll probaly not forget, but people who may not have your experience and still want to protect themselves against this, may.) Also the attackers will not probably attempt to swap unique looking SIM in the first place.


Other ways are to use phones with 2 SIM card slots or simply use a local carrier with decent international roaming support or (of course) carry a paperclip to just do it yourself.


fun fact about sims. they run a java operating system which can be accessed via binary SMS messages (apdu messages) - invisible to your phone, with the right sim pin, they can get filesystem access in this 'os' and steal your private keys and phone identification numbers, effectively allowing them to mitm / clone your phone and calls/sms etc.

that being said it's just plain silly how important these crummy devices are, and how little information and warnings they come with.

set a good sim pin, that will save u from this type of trouble. of course, it won't save u from physical phone / sim access.


Is this true in say an iPhone? I don’t think there’s even a way to set a sim pin?


You can setup a SIM PIN, but I hadn't enabled it and I bet few folks do as it's not connected to the device lock code and not on by default: https://support.apple.com/en-us/HT201529


How did they get your 4-digit PIN? Don't you have to enter it on every reboot?


Phones' PINs aren't connected to SIMs. I have to enter my PIN on reboot, even if I removed my SIM. Putting the SIM in a phone without a PIN results in nothing being required.

Edit: Thanks for correcting me- I guess my SIM does not have a PIN.


SIM cards themselves can have a PIN attached to them too, usually with a lockout after 3 unsuccessful attempts. The card is supposed to be secure against tampering, but since it's running an OS which receives very little scrutiny and runs lots of legacy tech, there are likely all kinds of exploits to reset / root the SIM and bypass any PIN protection. It's still useful against casual theft though.


While there have been a few very scary hacks that could compromise a currently-unlocked-and-running SIM, I don't think there is anything you can do to a powered-down SIM without the PIN.


A SIM card has its own PIN, completely independent from the phone's pin. If I put my SIM in someone else's phone, it will ask for my PIN, even when they don't have a PIN set.


SIM PINs aren't enabled by default on iPhones and are independent of your device lock code.


It's not an iPhone thing. It's entirely on your carrier whether or not to enable it on a new SIM.


> We pay for Google Drive, Google Fi, and Google Play Movies so I was hoping there would be some level of customer service for paying customers. There are no phone numbers available for customers who pay for services or those who only use free services.

I pay for Drive (now part of Google One) and they advertise free phone support with it. I've never used it, and it turns out it's not a phone number you can call, but rather you request a call from them:

https://support.google.com/googleone/contact/googleone_c2c?h...

So there is a level of support for paying customers... at least in theory. I haven't heard of anyone's experiences with it in practice, however.

Curious if anyone here has tried Google One support, and whether their reps have the ability to escalate issues, the way G Suite reps can?


Back before phones we had things like fire safes that would hold your "precious memories" so when your house burned down you wouldn't lose them. That is so much harder to do these days.

One of the things I do is periodically spool off ephemeral data to BD-R's (write once Blu-Ray disks). At 25GB a pop they aren't super dense but I don't actually generate more 'new' data than that in a given month. It was something I do because when I started in this business I made backups because crappy disk drives would lose data. But these days you can get crypto ransomed and poof all that data unavailable?

There is no doubt a market for some new 'best practices' for data security. Perhaps No Starch Press will get someone to collect those ideas into a book.


> It turns out that the 2FA with text messaging sent to a cell phone may be useless when hackers steal your SIM right out from under you.

The most annoying part about this is that Twitter demands your phone number. You can't use another method for 2FA, such as U2F or OTP. I assume it's not at all because they want to authorize you or keep your account safe, but rather because they want to be able to identify you. User's lose both privacy and security.

Just to clarify, you can use U2F to login, but you can’t only use U2F. Eventually you’ll be locked out of your account (after logging in) and forced to provide a valid number.


> You can't use another method [with Twitter] for 2FA, such as U2F or OTP.

Are you sure?

* https://www.yubico.com/works-with-yubikey/catalog/twitter/


If you remove your phone number, you’ll eventually be locked out of your account and forced to provide a number. It’s unfortunate.


They still ban your account without valid non-VOIP phone.


> While I had a PIN associated with my SIM, I still do not know how the thief was able to get past this the first time, I changed this PIN on the call.

If he's really talking about the SIM PIN, I don't think having one helps against this kind of attack. The SIM PIN is to prevent people in possession of your physical SIM from using your cellular account for voice or data.

What you need with T-Mobile is a separate PIN that is required for porting out your number [1]. You set this PIN up by calling support.

[1] https://www.t-mobile.com/customers/secure


This T-mobile doc has more on the 6-15 digit "PIN/passcode":

  https://support.t-mobile.com/docs/DOC-37477
Note that it can be set up via the T-Mobile web site, alternative to the phone support line.


I thought of the port out pin too, but I think the attacker convinced t-mobile support to activate a different SIM. I don't think the PIN does anything in that scenario.


In many asian countries they recycle telephone numbers quite frequently, some providers as often as 3 months.

Perhaps it would be interesting to get a few pre-paid SIM cards and see if it there is any Google accounts connected to them?


If you haven't yet, remove your telephone number as a recovery option for your Gmail account. And also, why can't US fix the shit that is transferring SIM cards? In the UK you can request a SIM transfer code but it takes at least a few days - there's plenty of time to catch it and stop it before someone transfers your SIM. Why can't American operators do the same? Just say "you have received your request, please wait 7 days for it to be processed" - why does it have to be instant?


There's no such thing as a "SIM transfer code" in the UK. SIM swap scams are a thing here too : https://www.bbc.co.uk/news/business-46047714


? Of course there is - it's called a PAC code, and it takes at least 1 working day with the fastest operators, in the meantime you get notified that it's happening.


No, you're confused. A PAC code is used when switching carriers, it has nothing to do with the scam described here where an attacker contacts your carrier and claims "I lost my SIM". Activating a replacement SIM can happen in minutes (and that's a good thing : would you want to wait 7 days to get service again ?) The only thing that seems different from the US is that I don't think everything can be done over the phone here : you need to go physically into a shop and (hopefully) show ID.


In India to port a sim you have to first send a sms and would receive a verification number which is valid for a month or something.


Which is the problem...


Is there some mobile provider that has a way higher standard of security? Something like "Cloudflare for SIM"


No.

The issue is partially that while social engineering countermeasures that could help prevent sim swaps could be helped by better training and more rigorous security checks, there are actually bad actors who are employees of the carriers who can be paid off to switch SIMs.


Google Fi requires you to have access to your google account to port or sim swap your number. So if you have real 2FA you should be safer.

I just had my AT&T sim swapped two weeks ago. According to police, the sim swappers are insiders at the telcos or have compromised corporate credentials and are logging into the telco admin portal and processing the swaps themselves.

I’ve now switched to Google Fi. I’m banking on the assumption that Google doesn’t keep an admin portal open to the internet and that they don’t give sim swap/port access to employees that aren’t paid well enough to be willing to take a small bribe to swap the sims.


I noticed that author assumed he couldn't call 611 and took how long to contact via alternate phones.

I'm pretty sure 611 works without a SIM card.


no sim is no calls or sms. however, an inactive sim is allowed to call 611 (or provider equivalent) , 911(or local equivalent) and a few such emergency numbers generally. You do need the sim to be in working order and in the device. but it does not need to be activated.


How would the phone know which network to 611?


I would expect it to work for a carrier-branded device even with no SIM card, unless the device has been flashed with a stock firmware from the OEM.

For a non-carrier-branded device though, perhaps the presence of a SIM card is required.


> This included tax returns, account passwords for my wife in case I died, personal documents and spreadsheets, and just about everything I had paper copies of at home.

This is why you should never store passwords on your computer / cloud in plain text.

> Given that I had 2FA enabled for my bank account and the bank account info on Google Drive, it was just a matter of time before the thief started stealing my money.

Is it common in the United States to allow online banking without any physical second factor? My bank requires me to use some kind of device similar to https://en.wikipedia.org/wiki/Chip_Authentication_Program with my card and code to login or execute transactions. I think most other banks in my country require something similar.


my UK bank ties their app to my phone using an off band code i receive from a person after calling their contact number. if i reinstall my OS i need to call them to receive another code.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: