Twitter uses SMS as a single factor, because you can reset the password with only access to the text message. If Twitter were using SMS only as a 2nd factor, this attack would not have worked without also knowing Jack's password or having access to his email. Twitter's password reset function could require an SMS code and then send a password reset email to complete the process.
Number porting should require an SMS to the existing SIM with the ability to respond NO to cancel the process and flag the request as fraud (e.g. whoever made the request on the carrier side should be flagged, to fish out compromised support reps).
A mandatory time delay (12 or 24 hours) could be imposed. This would slightly inconvenience people who lost their SIM and need to set up a new one. This seems like a reasonable cost/security trade-off for losing a SIM card. Mission critical numbers should be implemented as forwarding services that separately route to the cell phone anyway, so "this number must be live right now" is not a reasonable excuse to compromise everyone's security.
You could also mandate a short delay (4 business hours) and high value targets that sometimes take international flights could opt-in to longer (24/48 hour) waiting periods. The expectation should be that 99% of users keep the default.
Using SMS as a second factor has trade-offs. This isn’t news because every single authentication mechanism presents a unique set of trade-offs in terms of cost of provisioning, ease of use, possibility of loss, possibility of spoofing, replay, etc.
SMS is an extremely powerful authentication factor due to its availability, cost, and accessibility. It’s worth it to shore up protection against SIM swaps not in the least because it would improve the security posture of SMS as an authentication factor. It would still not make SMS perfect. Nothing is.
There's an MVNO owned by the Canadian ISP Tucows called Ting, I used them for my primary mobile service for some time (I would still but I wanted access to Verizon's 700 and 800 MHz bands for better coverage at my residence so I switched). Anyhow last time I checked they've since added several awesome (and self configurable via their account dashboard) features like multi factor auth settings for # porting, comprehensive forwarding options, port locking, locking a line to a SIM or device, among other security related overlays to their service, some accessible via REST API, IIRC. They offer live, immediately accessible by phone call, North American based (US/Canada), friendly, usually native English speaking knowledgeable support agents and start their minimum service tier pricing at $6/line/month with the ability to toggle (block) voice, SMS and data services for each line. For < $90/yr you can configure a pretty secure dedicated line for 2FA.
> There's an MVNO owned by the Canadian ISP Tucows called Ting, I used them for my primary mobile service for some time (I would still but I wanted access to Verizon's 700 and 800 MHz bands for better coverage at my residence so I switched). Anyhow last time I checked they've since added several awesome (and self configurable via their account dashboard) features like multi factor auth settings for # porting, comprehensive forwarding options, port locking, locking a line to a SIM or device, among other security related overlays to their service, some accessible via REST API, IIRC. They offer live, immediately accessible by phone call, North American based (US/Canada), friendly, usually native English speaking knowledgeable support agents and start their minimum service tier pricing at $6/line/month with the ability to toggle (block) voice, SMS and data services for each line. For < $90/yr you can configure a pretty secure dedicated line for 2FA.
Wow, I use this company for my elderly father for a resounding monthly bill of ~$7/8 for years and had no idea they were also Tucows.
Tucows has been terrible in handling a client of mine's issues, their domain has no SPF or DKIM, and thus their email is unreliably making it to customer's inboxes.
If anyone has pointers on how to get a domain & email address that are both bought & hosted with Tucows up to snuff with the email security standards of yesteryear (SPF & DKIM), I would really appreciate it!
Hit me up at jack at my domain name (found in my profile, but not hard to guess) with their domain name and I'll have a look (preferably from the domain that needs to be configured so I can see the headers; in fact send me one from the domain in question and one from your own email address just in case my own spam filters catch the one from the client's domain name :-P).
IIRC Tucows don't "directly" sell and host email to the general public, but offer reseller accounts, or they are sold and hosted to the general public by their subsidiary Hover.
So just because it's a "Tucows domain" doesn't mean it's actually Tucows hosting your email services, anyways...
You might be able to get away without DKIM if the email is coming from “safe known ips” which hopefully your email provider has told the various big email providers.
SPF can be done completely from a DNS record. Google a SPF generator, fill in the details, and throw the result into your DNS records and done.
DKIM is a bit different, as the outgoing mail server signs your outgoing email. The receiving party then checks your DNS for the public key for the email.
Your mail provider might already be signing outgoing mail and you just need to put the public key in the DNS, or you will need to contact your mail provider and ask them to turn it on for you. (If it's Hover, their customer support has always been good-ish to me. I think I've had one issue with them in the past, but it was a minor issue and I still have a few domains reg'ed with them. Anyways back on point.)
If your email provider is refusing to set up DKIM for you, you can try with just SPF and hope the reputation of the mail server itself is enough to fill in the blank of DKIM, or move to another provider, either self hosted (cheaper, but more manual setup) or something like FastMail which does offer easy to configure DKIM (plus things like iOS Mail Push support) or an SMTP relay (depending on the volume of outgoing mail you might get away with using the free allowance from say SendGrid, SendPulse, Mailgun or one of the many others out there.)
Obviously trying to get your current provider up and running is the preferred option, as then your client and any other mailboxes they have won't need to change any of their mail client settings to get up and running.
EDIT: Also, having DKIM and SPF correctly configured doesn't always matter. Outlook for example may still reject your mail if it comes from an IP that they are not expecting. But you can ask them to add a mitigation for you via https://support.microsoft.com/en-us/supportrequestform/8ad56... (If they reply saying "Nope, you're not blocked..." just email them back politely asking them to check again as you are still having deliverability issues. I personally had this recently, but it was fixed with a follow up email so I'm not going to complain about it). Though as you are not the outgoing mail provider yourself you may not be able to answer all the questions (are you sure you know all the IP ranges your mail provider uses?). Gmail may get mad at you if you are doing a catch-all forward (including all the spam) from the domain to your client's personal Gmail account.
But yeah, if you want to hit me up drop me an email and when I have a spare 30 mins I'll give it a once over and tell you your options. (Note: UK time here, dunno where you are, so if you email me while I'm asleep I'll get back to you after coffee and I've done my morning tasks.)
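The comment above describes SPF as a pure DNS record that lists which hosts may send for a domain. The following is an added example, not code from the thread or from any provider, showing how a receiver actually evaluates that record against a sending IP. The DNS table is constructed inline (example.com, example.net, 203.0.113.0/24 and friends are documentation values) so the code runs offline with no real lookups; it covers the common mechanisms (ip4, ip6, a, include, all) and the four qualifiers, and enforces the recursion cap that RFC 7208 requires so a looping include cannot hang the evaluator.

```python
"""Minimal SPF (RFC 7208) evaluator over an in-memory DNS table.

Added example for illustration. All DNS records below are constructed;
no network lookups happen. Returns the RFC result names:
pass, fail, softfail, neutral, none, permerror.
"""
import ipaddress

# Constructed TXT records (SPF lives in TXT) and A records for the "a" mechanism.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 a:mail.example.com include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "noreply.example.org": "v=spf1 -all",        # domain that never sends mail
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}
DNS_A = {
    "mail.example.com": ["198.51.100.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 limits DNS-causing terms to 10 per check


def _spf_terms(domain):
    """Return the mechanism/modifier terms of the domain's SPF record, or None."""
    txt = DNS_TXT.get(domain.lower())
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt.split()[1:]


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a mail connection from `ip`."""
    if depth > MAX_DEPTH:
        return "permerror"
    terms = _spf_terms(domain)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in terms:
        # Modifiers use "name=value" and do not carry a qualifier.
        if "=" in term and ":" not in term.split("=", 1)[0]:
            mod, _, value = term.partition("=")
            if mod.lower() == "redirect":
                return check_spf(ip, value, depth + 1)
            continue  # exp= and unknown modifiers are ignored

        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "a":
            host = arg or domain
            matched = any(ipaddress.ip_address(a) == addr for a in DNS_A.get(host, []))
        elif name == "include":
            sub = check_spf(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # RFC 7208 §5.2: include of a broken record is an error
            matched = sub == "pass"
        else:
            return "permerror"  # unknown mechanism

        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no term matched and no explicit "all"


if __name__ == "__main__":
    for ip, dom in [("203.0.113.45", "example.com"), ("192.0.2.1", "example.com"),
                    ("2001:db8:1::5", "example.com"), ("10.0.0.1", "loop.example")]:
        print(ip, dom, "->", check_spf(ip, dom))
```

Note that `a` and `include` would each be a DNS query in a real resolver; the generator-produced record the comment mentions is exactly this string, and the evaluator is what the receiving side runs against it.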
It's 1 FA authentication because all you need is the phone to access the account. The password is irrelevant since all you need is access to the reset code that is sent via SMS. However, since you don't really even need access to the phone and can easily social engineer access to messages sent to the phone, it's not really a full one factor.
Suppose you mistype your password and get a page saying "wrong password, log in anyway?" You click yes and are logged in to your account. Would you consider that account to be password-protected?
To me, a second factor that can bypass the first factor is exactly the same as this situation. Being able to hack your way into an account is a different issue.
A password is a factor of authentication, so by definition is 1FA. Any service which allows access to the account through social engineering could be labeled as having less than 1FA.
If an attacker could access your account without knowing any of your secrets, then it's really 0FA.
> Number porting should require an SMS to the existing SIM
This is done by some carriers in Russia as far as I remember.
> with the ability to respond NO to cancel the process
There is no such possibility, but you can visit carrier's representative.
> A mandatory time delay (12 or 24 hours) could be imposed.
Some carriers do this for SMS. Here is a quote from one of the carrier's website:
> To protect you from scammers, after replacing a SIM card SMS messages from banks and commercial online services will be blocked for 24 hours. You will be able to send and receive SMS from other users and popular messengers and applications instantly.
> SMS is an extremely powerful authentication factor
Thanks for clarifying this. This article completely missed this point and hand-waved over this, although this should have been the most important message: Twitter should not allow SMS as a single factor.
Lots of account take-overs could have been prevented if they had added this obvious security measure.
My experience is that after you give your phone number to most companies it effectively becomes a single factor: it's trivial to get them to change passwords with that alone. AFAICT, the only protection is to not give them your phone number in the first place.
> "the only protection is to not give them your phone number in the first place."
That has its own risks. If you don't provide it to google and your account gets hacked, it's extremely hard to get it back. (My wife lost her original gmail account that way about 2 years ago. And of course there was no way to get any live support to try & fix it)
Basically if you don't provide your number, you're more open to the more prevalent traditional hacking. If you do provide a number, you're more open to a slightly less prevalent type of hacking. It doesn't leave much to choose from.
I've read of many cases of folks losing access to their personal Google account through no fault of their own, and winding up helpless to get it back. Almost happened to me after I was victim of a SIM Swap.
From the article, even the Twitter CEO has this problem:
While he has managed to get back his social media accounts, he has not regained access to two Google email accounts that held years of communications.
If anyone with directional authority at Google is out there: It would be really decent of you to provide some means of customer service for consumers stuck in this catch-22.
I can't accept there's no reasonable way to perform an identity confirmation beyond the laughably limited self-help measures currently in place. If it's a matter of economics, make it pay-per-use.
With Google anyway you're down to 2FA using an authentication app (possibly U2F but I haven't checked on that recently) and backup codes which should also protect you from traditional hacking.
Maybe it's time to reconsider phone numbers. Think about it. There's already a divide between phones on one side, and tablets/laptops/PCs etc on the other. You can only use WhatsApp on a phone (or a laptop connected to a phone). You need a special phone contract to make phone calls. You can make voice calls via VoIP/WhatsApp/whatever but you have to understand what network the person is on. Then there's this security nonsense, with porting numbers and permission etc. If there was a VoIP standard where you just placed a voice call with someone else from any device, for free, with a known way of dealing with missed calls, where spam wasn't an issue (whitelist only, or at the very least some authenticated way of knowing who was calling you so you could block someone's actual number not the one they spoofed/could refuse to entertain number-withheld etc), you'd do away with loads of this nonsense in one go. And it's not like it would require any new infrastructure at all; it would be purely a protocol/software thing.
That "just" is doing a lot of legwork, though. How do you identify and find that someone else, so you can call them? Generally, you need some sort of unique identity. And how do you make sure that unique virtual identity connects to the correct physical person? Once you solve that, you can probably apply the solution to phone numbers.
I briefly used a free UK VoIP service which allocated you a real, geographic phone number anywhere you wanted in the UK. 01234 567890 for example. Anyone - you for example - could phone that number, and my phone would be configured to use that company's service via username/password such that I'd receive your call. You'd think it was a regular phone call, and being geographic it would be free, or taken from your minutes, or just normal if you were phoning me from another country, and I could receive that call anywhere I had data (and not necessarily phone - so I'd not need a foreign SIM card if I were travelling, which is the case currently) coverage. I'd have to pay the company if I wanted to place calls to regular phone numbers.
So I'm really suggesting something like that. Assuming it was a standard and the company didn't want paying because they weren't doing the whole geographic number to voip identity thing - they were just allowing the creation of an account. We'd be moving away from traditional phone numbers - the number/id could be a guid or long hash or whatever; nobody's going to try and remember it - it would be stored in your contacts like "dave smith" or "mum" or whatever.
Dare I say it, you could have a blockchain for this. Just to store the identifier. Not associated with any other string, such as a name or email address; just a way to ensure that the identifier isn't taken (so there may be a rush for cool ones but like I said, no-one would actually need to remember them) - that you're the first person to claim it.
Fine, there's a free global database that stored some random unique ID for you. Now say you're in Lisbon connected to some public wifi network, and I'm in Oslo connected to my office wifi network.
If I press the button to call your unique ID, how does my softphone get yours to ring?
SMS is only as good as the cell providers' security, which has been shown over and over again to be terrible. It should never be used in any ongoing authentication.
Beyond SIM card cloning, I could sit behind a target, initiate a SMS auth, and simply wait for the guy to look at his phone. Most of the time it will pop up right on the front screen even if locked. If he misses it, I just wait for him to unlock the phone and look at his SMS. How would you like it if passwords just popped up visible to all on your phone?
I'm usually the one on my phone, and when I'm not the user I'm almost always aware of who the user is and I've granted them permission to access the device. The level of security cannot be objectively measured across all threat surfaces or categories of potential bad actors.
The parent poster said "login with phone number" but that should be understood as login with a one time password by demonstrating access to the receiving end of a fairly private and relatively difficult to intercept communication channel (physically controlling the client registered to receive messages destined for your phone number on the SS7 network). The authentication factor effectively becomes something you have (your phone) whereas a password is something you know, which allows for a much larger pool of potential bad actors (with a realistic means of gaining access).
The SMS factor works more like a physical key you're in possession of that can be used to set a new combination (secret/password) for future access. In practice, combinations (passwords) are forgotten much more often than keys (phones) are lost or compromised.
Helped a less-tech-savvy neighbor 'reset her Skype account' that was tied to 'her phone number', only to find that the account bound to that phone number, which she had recently acquired, was publicly searchable and connected with some sort of anime sex fetish subculture, presumably from a previous owner of that phone number.
She was using this phone / Skype account for a job interview.
Needless to say, a searchable Skype account connected to her phone number with such a public profile could have had a hugely negative impact on her job search, and she wasn't even aware of its existence until she happened to stumble upon it.
Never really made any sense to me whatsoever why we all switched over to using phone numbers instead of email addresses as sign in over the past few years.
I get why businesses want to harvest people's phone numbers and phone books, but you'd hope at least some would think of the implications to users first.
Good enough, as long as you don't get assigned a number that previously belonged to a porn-addicted weirdo, or criminal, or dead-beat who doesn't pay their bills, or any number of other not-nice things that can turn your life into a hot mess despite never doing those things yourself.
Indian laws require a police report before telecom operators can transfer a line to a new SIM card. I was always surprised how easy it is in US to transfer in comparison.
In India I had to give a photocopy of my passport, my permanent address in India, and a letter of referral from an Indian citizen to get my Airtel sim card. It was one of the weirdest experiences I've had in the country.
I've got my number transferred to new SIM card, about 30 times over last 10 years, without any police report. Had to produce ID proof which is quite convenient.
> Number porting should require an SMS to the existing SIM with the ability to respond NO to cancel the process and flag the request as fraud (e.g. whoever made the request on the carrier side should be flagged, to fish out compromised support reps).
Better yet, a YES text should be required with a port
> I believe t-mobile has a nice requirement of being able to mark you number as "show up in the store and show your ID"
Yup, and yet I've heard stories of people social engineering their way around that. The telecom companies need to make it impossible for a CSR to access your account at all without actual verifying data from you.
> Number porting should require an SMS to the existing SIM with the ability to respond NO to cancel the process and flag the request as fraud
This would work to the thief's advantage in the case of physical device theft. The notification should definitely be a thing, but it should not be possible to cancel the process without talking to the carrier directly and verifying your identity to them.
Fun fact, the person who stole the SIM probably worked for the carrier, or used someone who worked at the carrier that they either knew or had leverage over. You already have to verify your identity to the carrier if you want to make changes to your account, and while you might be able to social-engineer your way past it, I would be shocked if someone like Jack Dorsey didn't have a password associated with his account that is required to make changes. Saying the carrier needs to be sure before making changes is useless if the person at the carrier is circumventing it. Plus they already do it.
> while you might be able social-engineer your way past it,
My personal experiences and various accounts I've heard make this "might" shift to "fairly easily". Why are you so confident that it has to be someone with inside knowledge?
> I would be shocked if someone like Jack Dorsey didn't have a password associated with his account that is required to make changes
I do not share your trust. I'd be shocked if he didn't NOW, but you are basing your assumption off of what...that he recognized his status as a high profile target? Were that the case I doubt this vulnerability would have existed.
2FA over SMS is fine. It’s not a terribly strong second factor, but it’s decent, and far better than nothing.
The problem is when companies implement 1FA over SMS and call it "2FA." That is a catastrophically bad idea, and unfortunately it confuses people into thinking that 2FA over SMS is somehow dangerous.
It's not fine, considering the zero cost of enabling TOTP 2 factor authentication.
The only reason I can see for why companies don't give the option for TOTP is to force people to hand over phone numbers so they can be tracked, and in the process make the system less secure.
While you're correct it's not fine, not everyone has a smart phone or a TOTP device. There are some cases where SMS makes sense as 2FA since it's a reasonable compromise between having no 2FA or a TOTP device.
Most feature phones can also easily run a TOTP application (and have/do). There are J2ME TOTP applications that will run on hardware far back into the ancient past. There are all sorts of fun TOTP apps in the AdaFruit, Arduino, RPi hacking worlds.
The algorithm is rather straightforward. The "hardest" part is the SHA1 hashing algorithm and people have written versions of that for just about every hardware under the sun, including 6502 assembly. (Hmm, an old Game Boy would make an amusing TOTP device. I should add that to my list of possible future hack project ideas.)
Just noticed the tab I had opened mentioning 6502 SHA1 hashing was to do it on old Tamagotchi hardware. Forgot that was also a 6502. Wonder if that person ever finished a TOTP Tamagotchi.
My claim is that SMS as the only 2FA option never makes sense. Wherever 2FA is enabled, a TOTP option (or equivalent that doesn't rely on third parties) should be provided.
You don't need a "TOTP device". It's software. You can easily write an authenticator for a smartphone, a pc, a digital dumb phone, or pretty much anything.
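The two comments above say the TOTP algorithm is straightforward (HMAC-SHA1 plus truncation) and that an authenticator is just software you can write for anything. The following is an added example, not code from the thread, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with only the Python standard library, together with a small server-side verifier. The secret is the RFC 6238 SHA-1 test-vector key so the output can be checked against the RFC; the verifier's one-step clock-skew window and its refusal to accept a step at or before the last one used (replay) are sensible defaults assumed here, not something the RFCs mandate.

```python
"""HOTP/TOTP from scratch (added example, standard library only).

hotp()/totp() follow RFC 4226 / RFC 6238 exactly. TotpVerifier is the
server side: it tolerates one 30 s step of clock skew and rejects a code
whose step has already been consumed, so a shoulder-surfed or intercepted
code cannot be replayed after the legitimate login.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 SHA-1 test-vector secret (ASCII "12345678901234567890"); a real
# deployment uses a random per-user secret shared at enrollment.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP is HOTP with the counter derived from Unix time."""
    t = int(time.time()) if at is None else int(at)
    return hotp(secret, t // step, digits)


class TotpVerifier:
    """Accepts current step +/- skew; never re-accepts a used or older step."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_step = -1  # highest counter value already accepted (assumed persisted per user)

    def verify(self, code, at=None):
        t = int(time.time()) if at is None else int(at)
        current = t // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = current + delta
            if candidate <= self.last_step:
                continue  # replay or stale step
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    print("RFC 6238 T=59, 8 digits:", totp(RFC_SECRET, at=59, digits=8))  # 94287082
    print("current code:", totp(RFC_SECRET))
```

The dependency on SHA-1 here is as an HMAC key-derivation primitive, not for collision resistance, which is why the "6502 SHA-1" comment above is enough to build a working token on very old hardware.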
I think the real issue is that companies like SMS because of the tracking it enables. With a single number you get instant geographic + general socioeconomic data on user along a unique tracking ID. But the particularly nice thing about this ID, from a corporate perspective, is how blithe users are with it. People will happily "validate" away on numerous sites. Now, by "sharing select information with our trusted partners" (as seems to be the preferred T&C jargon) companies can create extensive profiles on their users well above and beyond their activities on any given site.
Obviously you get none of this with a TOTP. Instead you get better security, better portability, and less external dependencies. But no tracking. So SMS wins in the current state of the internet.
You don't need a smartphone or 2FA device to generate TOTP codes, and in fact can use applications like Bitwarden. SMS is obviously not adequate, or Jack Dorsey wouldn't have been hacked.
I can see more mundane reasons for SMS second factor.
In some places, SMS is simply what people are accustomed to, and the idea of using an app feels like a weird intrusion. Couple this with a PM saying "What if someone changes phones? SMS is more convenient and everyone already uses it anyway". Add a couple of years of SMS-factor, and it can quickly become considered good enough and no more work on MFA is required.
When you set up TOTP 2FA, the application should offer a few one time use codes (Google offers 10, for example). These can be copied and stored safely somewhere.
If you lose the one time use codes, then you're screwed. But that's the risk you face if you want the most simple and most secure method.
Also, most providers allow you to set up multiple simultaneous TOTP devices (and those that don't, should). On my personal TODO list is setting up a "safe deposit box" TOTP device sometime.
That's the problem. Twitter requires you to add a phone number (even if you sign up without one, eventually you'll be locked out and required to add one). Then, once you add a number to unlock your account you're left exposed.
The worst thing here is there are genuinely people who are afraid of 2FA because they see headlines about how 2FA over SMS is dangerous, and they (as well as the writers in some cases, to be fair) don't understand that the "over SMS" part is the crux of it, not the 2FA part. It doesn't even make sense. You don't even need extra infrastructure to do it properly. It costs you more money to send an SMS. Just don't!
While companies definitely need to move away from SMS two factor it’s so entrenched (and simple) that more is needed.
The government agencies that set up the mobile number portability system need to realise the seriousness of this flaw and allow a "Never transfer my Number" flag to be set in their databases. Until then even the lowest rung service desk agent at any telco has the ability to transfer numbers. A system like that can never be secure.
The problem is when a phone number is the only factor that is used. That is what Twitter allows.
If you truly use an SMS only as a second factor - and don't provide recovery options only by phone, like Twitter - then you have much less of a problem. In that case, a compromised phone number does not give the attacker the password or other factor. SMS is still extremely imperfect for 2FA, but it's still a lot better than no 2FA [1].
Actually 2fa via SMS is a bad idea. Check out Troy Hunt's HIBP project to get an idea of how common password reuse is.
A good way to think about the SMS problem is this: As a second factor, your cellphone is considered by many to be "something you have". TOTP like Google authenticator does verify you are in possession of that device through a shared secret key.
SMS does not verify this and the factor is not something you have. Instead, SMS is more like "something loosely associated with you that is transferrable and vulnerable to social engineering attacks".
Anything is better than nothing. However this may be worse because it provides a false sense of security.
Demonstrating that passwords are also a poor factor doesn't make using SMS as an additional factor a "bad idea". A physical cell phone is also something that is loosely associated with you, transferable and vulnerable to social engineering attacks.
It turns out there are no really good ways to authenticate individuals at scale. The answer is not to deride and blacklist arbitrary bad options from the pool, but to add even more factors so that their differing contexts present a more formidable holistic challenge.
Obviously, as GP points out, supporting multiple factors but allowing any one of them to be used in isolation is just building a chain with a weakest link. Better to build a chain-link fence.
A physical cell phone is also something that is loosely associated with you, transferable and vulnerable to social engineering attacks.
SIM swapping is not always the result of social engineering attacks. There are bad actors that work for carriers who will knowingly fraudulently swap sims.
At least with something like Google Authenticator that can be done at scale, someone has to have your physical device and has to get past your hopefully secure pin code/finger print sensor/face id or use rubber hose decryption.
Although I agree that in some cases SMS 2FA provides a false sense of security, this argument misses the economy of the attacks here. It's not that black and white.
Any attacks on phone numbers are spearphishing, almost by definition. Some form of identity fraud - no matter how easy it is for an attacker - must be performed in phone number stealing. Even if it's very easy, that's a significant cost for an attacker and not an easily scalable attack. I agree that SMS 2FA must never be presented as an effective means to thwart spearphishing, where attackers are willing to put in this effort.
Now in the real world, password reuse attacks are far more common, and a commonly bigger concern for a random online accounts system. SMS 2FA can be of really big help there.
> The problem is when a phone number is the only factor that is used. That is what Twitter allows.
That's not true. I have Twitter 2FA inside Authy[0] AND inside Twitter's own app (it's hidden -- at least on Android -- under Settings and privacy -> Account -> Security -> Login verification -> Login Code Generator)
Or do it like Turkey, and require central clearance with physical SIM replacement (this is required both for ownership and porting transfers). One of the few things we got right.
I feel like a time delay would help with this too. If it takes an extra 24 hours and you get notifications by SMS and email during that period with the chance to call "fraud" it stops most of these attacks which take control of e-mail and phone simultaneously.
I get that makes life much more difficult when you are travelling and have your phone (and therefore SIM) stolen, but given the severity of the current issues it seems minimal disruption. You get a burner phone for 24 hours?
You get a new SIM instantly, but it has a temporary number. Then you get notifications via SMS on your old SIM, you usually get a call from your old carrier trying to get you to stay, offering discounts and shit. Then after 7-14 days the new SIM gets the old number and the old SIM stops working.
The U.S. system sounds horrifically irresponsible.
// Replacement with the same carrier is quick, but requires physical presence with government ID (passport)
Same in Turkey (takes 2-6 days), but you get your replacement SIM after the transfer is cleared; you still use your old carrier and SIM during porting. The old one simply gets inoperable by a remote command.
I'd say it's pretty simple then: you can't transfer your number and just need to get a new one.
I mean at some point you have to draw a line; losing your password and resetting it via email is already a pretty gracious thing, and most support desks will help you beyond the default password reset as well if necessary.
But at some point you have to draw a line - key's lost? Access is lost.
I think this is going too far. It's easy to lose your SIM - in particular, whenever you lose your phone (you left it somewhere, it fell into a river, etc.).
Why not just require that if you don't have your old SIM on you, you have to jump through extra hoops involving physically showing government-issued documents and otherwise leaving enough paper trail for the police to find and jail you if it turns out you were a fraud?
That still doesn’t help. Who are you showing your physical ID to? The store clerk at the carrier store? There have been cases where the clerk was in on the fraud.
The last time I got my SIM reissued (the old one was too big for my new phone), I had the old SIM with me and I still had to show government-issued documents matching the registered SIM owner.
That kinda ruins the main utility of the system for most people. People aren't switching service providers often or SIM sizes at all these days (the latter especially with larger SIMs just being the same nanoSIM but with an adapter of sorts around it).
For the average person, the best utility of it is being able to retain your number on losing your device. Usually you aren't expecting to lose your device, so imagine how much more complicated everything gets when not only do you have to worry about getting a new one unexpectedly, but then also have to get a new number, inform everyone you know about that, and then update all your accounts.
All of that just to protect people from being targeted by fraud that is not only very unlikely to happen to them unless they're well known, but is also better resolved by making authentication systems smarter.
I would so much rather lose my twitter account where:
a) I don't use twitter, so it's a loss of minimal proportions
b) It's twitter's fault and easily prevented by them
Sure, a) won't be applicable to all services because there are services I actually use that my life revolves around. However, the only service I can think of that would disrupt more of my life than losing my phone number is verified 2FA secured and does not have this vulnerability.
I would actively avoid a carrier that promotes this policy and think it's naive to assert that it's even remotely viable.
That's ridiculous to suggest as a solution and that's why it won't be adopted. Better to work on an alternative solution that has a better chance of adoption.
It could be done remotely but only if the store had signed off that ID had been viewed and the port confirmed in person. Of course this could be gamed, but an employee would need to put their name on the line to say they had met the person and viewed the ID.
We have a <major us carrier> rep (as a business customer) and he will port our lines and change SIMs for me based on an email. However I noticed the last time I initiated one of these requests there was a confirmation step that involved an email sent to me with a URL I had to click to approve. From memory I don't believe that URL needed authentication so the email was a bearer instrument. An attacker would need to both fake my outgoing email (easy) and also intercept incoming email (not so easy). There was also a confirmation email sent advising that the request had been approved and processed.
I can imagine however that an admin at a reasonably large business would receive several of these emails per day and may just reflexively click on them all. Note these emails are sent to the business account admin, not the end-user. I happen to be both so can see both sides of the process.
Edit: I should also add that I have never met this rep and so he has definitely not looked at my government ID. The process is secured only by receipt of email.
This seems like the best solution. Introduce an opt-in security feature, whereby any attempt to port the number, or swap sims, is subject to a ~72h cooldown period. During that period, notify the account holder through numerous communication channels of the pending change.
Yup. Authy does a good job of this if you need to reset your access. They (automatically) harass the shit out of you for 24h before doing it. I think I got 10+ calls/texts plus emails.
The Swedish solution for physical address change (yes, we all must be registered at an address which is then used for everything formal) is to lock it using Mobile Bank ID
> BankID is a citizen identification solution that allows companies, banks and governments agencies to authenticate and conclude agreements with individuals over the Internet.
You need your phone to use it, but it can be recovered using other means like an ID card or a digipass from your bank.
If you do want to transfer it you need a 'higher' level of identity proof. Usually this means you have to visit a store/office of the provider and show a means of identification to get the transfer lock lifted.
I thought number portability was only a between carriers thing. SIM swapping doesn't cross the carrier border usually so would setting that flag actually fix anything?
That's how domain registrars work. You set a "lock" so the domain can't be transferred away until you "unlock". Then you can tie this locking/unlocking procedure to 2FA, identify verification, whatever.
T-Mobile lets you set a PIN that you have to present if you want to port your number or get a new SIM. They sent out mass texts about it a couple of years ago.
The problem is that it is not enforced by the automated system. Instead it is enforced by sales people who have ability to override the system, including people like the blue shirts at Best Buy. Yes, they are not supposed to, but they can.
Does anyone know how common or easy SIM swapping is elsewhere in the world? The SIM swapping stories I've seen on HN mostly focus on US users. I remember reading an article years ago about banks combating SIM swapping in Africa, where a lot of transfers are done by SMS, by forcing a cooldown.
But I wonder, besides the US and Africa, where is SIM swapping prevalent? NYT says I'm at risk too. I'm in Europe -- am I?
Yes. Of course it works, if it was not possible for you to move your phone number to a different device then you'd be trapped and of course the mobile phone companies would take advantage of that to gouge you.
The problem is your cell provider doesn't have a very good way to be sure it's Svip asking them to do this transfer. They are mostly going to rely on low paid call center or shop floor staff to decide. Fortunately for them this is a low-value transaction. If I get them to transfer Svip's number, I don't cost them very much money and I don't inconvenience you all that much really. Why would I bother...
Unless some idiot decides to rest the authentication scheme for their valuable service on control over a phone number.
In the UK in particular for example the person doing the authentication in an actual store will usually be a teenager working part time for the mobile phone company to get some spending money or during tertiary education. When a hot guy approaches them saying they can make twice their weekly wage if they just "forget" to do a proper ID check for a few friends of his, why wouldn't they say "Yes" ? They might get fired? They have never had a serious job, they're treated like shit, unless they're unusually upright and honest or they think it's a trap they're going to agree.
To be more specific, I live in Denmark. Last time I had to transfer my number, it was quite a hassle. I had to show up physically in a store, and they needed to scan two ID cards of mine. In addition, because I have a legally hidden address, the guy in the store needed to contact someone inside to confirm me. Essentially, he was not able to do it on his own.
In fairness, that was me moving from one carrier to another. I assume, if I were to get a new SIM with the same carrier, it would be a lot easier. I have been trying to figure out what it would require for me to change SIM within the carrier, but their help articles aren't clear on this, besides mentioning it is possible (my impression is that they will ship the SIM card by postal services).
There are still ways to make the system more secure.
For example, you have to physically go to a store to port the number unless you have the old SIM.
Then it's not done immediately - there's a 72 hour period in which multiple texts and calls are sent to the old SIM asking for confirmation. If you physically have the old SIM this is instant, but if you claim to have lost it you need to wait 72 hours and provide a signature and mugshot at the store.
If a member of staff "forgets" to do this stuff, they go to jail.
People don't usually lose their SIM card, so this process wouldn't happen very often.
Sure, you could have a national "reality" TV show, everybody who lost their SIM has to go on the TV show for six months with it showing on screen which number they claim is theirs - so this way there's no chance they're a crook.
Or make anyone who claims they lost their SIM wrestle a bear first before they get a replacement. Won't see many crooks take that on.
But, I put it to you that this all seems very disproportionate when you remember that you're punishing the phone company and its customers for not securing Twitter. These are the wrong people!
I'm a strong believer in solving problems at the single point of failure. If you solve it at the Twitter level, what about any other internet/cloud based service that is designed just like Twitter? It would still be a problem. If you solve it at the phone company level, all the companies that operate like Twitter are protected.
Even better still, solve it at both levels, but definitely don't let phone companies off the hook.
Yeah, I think it should be solved in both places TBH. Defense in depth.
But it won't happen because people are dumb and don't care about the issue until the exact moment it bites. This basically applies to every security problem: everything is perpetually broken and therefore nefarious actors can always find a way to achieve their goals. Most people's best defence is to not have any enemies.
Being serious, I don't think waiting 72 hours for a SIM number port is an inconvenience.
IF you lose your phone & SIM inside it, you need to go to the store anyway, or have a new phone sent by post (takes a few days usually). One of these things has to happen! You need a new phone!
So what we are adding here is a 72 hour wait for the number port. In the meantime you have a temporary number.
Govt should legislate to make precautions like this compulsory, or to create incentives for good security like steep fines against the phone company for simjacking, together with private red teams probing phone corp's security in this regard and claiming part of the fine.
> People don't usually lose their SIM card, so this process wouldn't happen very often.
People lose their entire phone all the time. In most cases, their SIM card is inside the missing phone.
Unless, of course, they anticipated just such an emergency, and preemptively kept the phone and SIM separate because they care that much about faceless, global social media platforms.
> They are mostly going to rely on low paid call center or shop floor staff to decide.
Actually, retail sales at AT&T and T-Mobile stores (not third-party retailers) can make mid to high five figures if they're competent salespeople. Maybe low six figures at a high-volume store. Most of the money is in commission, but it's there.
There's a scandal being reported by Glenn Greenwald in Brazil, which is centered around the minister of Justice and his actions as a judge in the Lava Jato operation that led to Lula (ex president) being arrested. He helped prosecutors by coordinating strategies with them. These conversations took place on telegram and were stolen using sim swap.
Unfortunately, the current corporate thinking in Poland is that 2-factor authentication means SMS. I see banks and other companies introduce this in spite of known vulnerabilities.
* SMS (and automated voice call) are bad for people who live in areas with poor phone coverage, people with international phone numbers, and people who want good security.
* TOTP is bad for people who don't have smartphones.
* FIDO U2F is bad for people who don't have $20, safari/iOS users, and people whose devices don't have USB.
* Vendor-specific apps are bad for people who don't have smartphones, people with low spec or poorly supported smartphones, blind people, and the privacy-conscious.
* Smart card readers and physical tokens with screens cost $$$, often aren't accessible to blind people, and are too bulky for users to carry more than one or two.
* Paper single-use codes are bad for people who log in regularly, people who don't have printers, and don't scale to multiple services all that well.
* All of the above are bad for people who are forgetful or clumsy enough to regularly lose or break the second factor.
WITH THAT SAID, you can still provide Hacker-News-reader-approved two-factor authentication by basically copying Google: Offer the user TOTP, FIDO, SMS and paper codes, let them choose any two.
Gain bonus points with a setting that stops customer services resetting the password or disabling 2fa, and a week-long warning/waiting period in case account hijackers dial up the security settings to stop the original user getting their account back.
> TOTP is bad for people who don't have smartphones.
This is only true if you're willing to define everything beyond the most mundane "dumb phone" as a "smartphone". One of my friends has a long list of exciting problems which ends up meaning he doesn't own what anyone these days would consider a smartphone.
But it's not like he uses carrier pigeons. His phone does have a (monochrome) screen and is quite capable of running software, it's just the software has to be crappy mobile Java from last century. However TOTP is trivial, you probably can't do it in your head but you definitely can do it in a Java 1.0 implementation and so sure enough it can be run on those phones.
On a brand new Pixel of course you vaguely wave your phone near the screen, it reads a QR code and sets everything up, he has to instead laboriously transcribe a secret value using T9 input, but the same effect is achieved - a changing code that he can input to prove he knows the shared secret.
You're correct: You could TOTP from a java phone app, a tablet, an airgapped computer, a non-airgapped PC you were really confident of the security of, and so on.
That's why I said "bad for" rather than "impossible for" :)
After all, you'd still be excluding all the people who don't have any of those. Like my 90-year-old neighbour who only has a landline phone.
I've helped maybe 50 employees set up VPN access at my workplace, and at least 2 of them said they didn't have any way to TOTP independently of the laptop we were issuing them with.
> * SMS (and automated voice call) are bad for [...] people with international phone numbers
Why is that? I'm maybe spoiled by my surroundings (Poland and Europe in general), but receiving SMS texts is free abroad. Using a data plan generally is not, so SMS is cheaper (free) as a second factor if you travel a lot.
Depending on where the customer is roaming from and to, they might risk a per-SMS charge, suffer unreliability, get no signal, or even turn off their phone to avoid accidentally running up a big roaming bill.
When I went from the UK to Montreal, I tried to use local Uber competitor "Teo Taxi" but was unable to as their number-confirmation SMS didn't arrive.
Some countries really don't want you automating SMSes to their local users; countries like the UAE, for example, are very restrictive. Other issues: number porting often breaks cross-carrier SMS, and roaming in general often breaks SMS delivery.
On my Canadian cellphone, unless I get a US/Intl plan before I leave, it stops entirely all my SMS when I'm outside Canada. I'm entirely dead in the water if I rely on SMS 2FA.
Very easy. I have a UK sim with Giffgaff. I lost the original sim and ordered a new one (not linked to me, it was a freebie for distributing to get a referral). I could log into my account, activate the new sim and it was done in about ten minutes.
That's really nice in some respects, but in theory if your account gets hacked, goodbye phone number. There may have been some additional work involved, eg confirm via email, but I believe other networks make it a lot more difficult. Eg you need to request it specifically through customer services and they need actual ID.
My mum is with EE and she had to go to a physical store and prove she was the account holder. Three is similar, you have to request a new sim but in theory if your mobile account is broken then that can be done online (though it never worked when I tried it, the sim didn't arrive).
>When Sims rang EE, it soon emerged that someone posing as his wife had managed to persuade the mobile network to activate a new sim card
>Sims says that when he contacted his bank, Halifax, the call centre told him it is handling hundreds of sim scams every day, making it the fastest growing fraud in the country – although Halifax later disputed this figure.
On the other hand I'm sure I saw something about banks etc being able to subscribe to services that would give them background information about a mobile number (ie if the number has been recently ported).
In Turkey, if you change your SIM card you cannot log in to your bank account (web site, app). Yeah, even if you are with the same mobile operator with the same phone number. How does my bank know that I have changed my SIM card? I think that they have an API between mobile operator, government, and bank. For example, I can see my mobile and landline numbers from my e-government account.
But I am not sure about the website; maybe they have an integration with the operators to check the last SIM change date and compare it to their last known trusted SIM, or check the last time your phone was audited? You need to generate one-time codes in TR banks afaik.
> After SIM card changes made for number porting, 4.5G or other reasons, the one-time passwords used to log in to Garanti BBVA Internet Banking and Garanti BBVA Mobile are blocked for your security.
"Due to switching to another provider, 4G, or for whatever reason if you change your SIM card your password is blocked for both the app and internet banking."
> To lift the block, you can visit a Garanti BBVA branch or call the Garanti BBVA Customer Contact Center at 444 0 333.
"In order to remove the password block you will need either to visit the one of our banks or call us."
Logging in to Garanti requires 2FA. You can either use your password + SMS, or your password + a one-time code generator; in the past there was also password + mobile signature.
In Turkey 2FA is required by law in banking. This law has been in effect for, I think, 5-6 years.
Also, it is easy to implement this "notify the bank if SIM has changed" because all the banks (except few state banks which are in Ankara) and mobile operators (3) are all located in Istanbul.
In Germany, you have an extra PIN (called PUK) that is required for these things (alternatively show up with your ID at a store). So unless someone has that, it’s not as much of a problem.
Please do not allow people to call SMS 2FA. For it to be 2FA, it must be: something I know alone, something I possess alone, something I am alone. Otherwise, it's just another account identifier (and likely spoof-able). SMS and phone numbers are none of these.
In same vein, I wish security questions would die in a fire. Always treat them like additional passwords: use nonsensical words and store them in your password manager.
Exactly. "Things I own alone" are no good as passwords, if they cannot be changed. They are account identifiers only.
And if a password has sufficient entropy (not likely to ever be duplicated) then the account identifier is pointless. Just use the password as sufficient authentication.
Be careful with nonsense in those security question answers. I've heard many are plain text, and if you tell the rep, "it is just nonsense," they can say "yup, sounds good."
Twitter is one of the largest social media networks on the market. It's not a bumbling startup, it's a mature tech company in the center of the tech space.
> Twitter said on Wednesday that it would stop allowing some users to post updates via text message, which made Twitter access particularly easy for SIM swappers. But that will not stop hackers who use the SIM swap to log in to a victim’s Twitter account. (Twitter said it was working to improve this.)
At the risk of jumping onto hot-takes, at what point is it reasonable to say that Twitter as a company just isn't taking security seriously? The first response from Twitter should have been, "we turned off SMS password resets immediately", not, "we're working on it." This is the kind of mistake I expect a technologically naive company to make. It's a mistake I would expect a bank to make, or a startup with 7 engineers total.
I don't understand how a company can brush aside an attack where attackers took over their CEO's account. I understand everybody does dumb things occasionally, but how big is Twitter's security team? Nobody thought this was a problem?
There must be some aspect to this I'm missing; how does doing password resets over SMS pass any security audit? This isn't new, even mainstream sources have been talking about SIM-swapping for years.
Someone was telling me that here in India authorities clone SIM cards to eavesdrop on WhatsApp conversations. I don't know if that's accurate, but it's becoming clear that SIMs in general are a vulnerable form of ID.
I've seen US-based IT-security-minded people saying on Twitter for a long time that SMS based 2fa is bad, but the problem with hardware dongles is that they can be too secure. I don't want to lock myself out of my own Gmail account. I guess apps like Authy as mentioned in the other comments are an alternative. In any case I guess there are (or should be) some special codes you can write down in case you lose access to your second-factor info.
> I've seen US-based IT-security-minded people saying on Twitter for a long time that SMS based 2fa is bad, but the problem with hardware dongles is that they can be too secure. I don't want to lock myself out of my own Gmail account. I guess apps like Authy as mentioned in the other comments are an alternative. In any case I guess there are (or should be) some special codes you can write down in case you lose access to your second-factor info.
All systems/services I have seen that allow 2FA through a hardware device like a Yubikey also provide you a set of several recovery codes that you need to note down somewhere safe so that you can use those if your device fails or is lost. Some systems/services also force you to first setup a TOTP based authentication (with an app like OTP Auth/Authy) and then proceed with setting up additional hardware based 2FA. Unless you lose access to your recovery codes, which is the same as losing your password on a system with no 2FA, you should be fine (though I do get the concern here). People also get two hardware keys and set them up for the same platforms/services, keeping one in a safe place for future use in case the first one that's regularly used gets lost or breaks.
> Someone was telling me that here in India authorities clone SIM cards to eavesdrop on WhatsApp conversations.
Source? There is a lot wrong with our authorities, but I really, really doubt what you just said. I mean, the way you have written it gives the wrong impression that authorities can clone any SIM at their whim, just like China or other authoritarian governments.
Disappointed they didn’t do something like use it to manipulate the stock market. Then it would have got much more coverage and something might actually get fixed as a result.
There are automated systems employed by exchanges that analyze trades and are undeterred by volume. If someone burned this on a couple single comma trades, goodness.
I'm still a big fan of passwords. Long, hard to guess passwords. More than one password/phrase as a failsafe, in case I lose it.
I got my first iOS device 3 days ago as a gift, an iPad. During the excitement of the setup process, I was told to set up 2FA for my iCloud account, which I've never conscientiously used since I own no iOS devices. Now all my Apple IDs, from my 2009 iMac to my MacBook, are tied to the darn 2FA and... my phone number.
Apparently 2FA for Apple IDs cannot be rolled back! Now every time I want to upgrade something on my MacBook I have to get an SMS code on my (vulnerable) phone to access my Apple account. This is a very unfortunate decision by Apple.
Like I said I'm a big fan of passwords. Just give me 2 or 3 passwords or passphrases (or secret patterns) as backup for my main password. Require them to be long and complex. Something that is inside my brain and only Leonardo di Caprio can steal. Not my dad's middle name or pet name or school teacher's name. I'm not a security expert, but I still feel that's the most secure way to protect an account.
Passwords don't work these days for sophisticated attacks. Phishing is too easy.
I repeat, they don't work. No 2FA means you'll experience many successful account takeover attacks on your customers. 2FA does not mean you won't, though.
Coinbase had a great talk about account takeover attacks at the recent DefCon. They receive some of the most sophisticated attacks, sometimes when attackers already have control of every other account that the target has. Email, Facebook, Apple Cloud - you name it; now they come for the coins, to cash out.
Phishing, as in entering your password into a field pwnd by a hacker, seems like the problem to solve: how can we avoid giving out our password to a rogue player?
There are simple and complex solutions out there; we should keep taking small steps in the direction of safer password authentication, like browsers showing users the certificate validity, or things requiring an individualized secret question so that you know the host is not phishing.
I agree passwords are far, far from ideal and that 2FA is probably just adding complexity for the hackers, hence making it appear to be a better option, but this is just for the time being. Phone-based 2FA is flawed at the root (of how SIM cards work), so we should keep working on improving password security [1] instead of throwing ourselves into the arms of a flawed phone 2FA.
U2F and its successors like FIDO2 were specifically designed to prevent phishing.[0] Google claims that it has entirely eliminated phishing of their employees who have been issued U2F keys.[1] The solutions to these problems are available.
It's not clear to me how 2FA would help against a phishing attack. Is there something I'm missing?
My understanding is that 2FA helps protect against weak passwords and password leaks. That's it. If you give me your password via a phished site, then you'll also just as readily give me your 2FA code. Then I can log into your account and turn off 2FA, generate new login codes, or just keep the login session running indefinitely.
Maybe if you set up a site that looks like a login form phishing for the PW then immediately forwarding it to the target site, then do the same for a 2FA token you have a point.
But in any other case where the victim isn't in the loop, that 2FA protects them (hopefully). If you haven't been to target.com in a week, you're not going to click the pop-up on your phone to log in out of the blue (hopefully).
Ideally your 2FA methods are not as simple as just sending a code and having the user parrot it back though. There might be some cryptography going on that would make it even harder for the attacker to interfere.
> Now everytime I want to upgrade something in my Macbook I have to get an SMS code on my (vulnerable) phone to access my Apple account. This is a very unfortunate decision by Apple.
This sounds strange. I always get the 2FA authorization message and the code through a push notification from Apple that appears as a dialog on the device(s) used to authorize access from another device. SMS or voice call is used for the initial setup though. [1]
>Apparently 2FA for Apple ids cannot be rolled back!
Apple removed the option to turn off two-factor authentication on some Apple IDs created in iOS 10.3 or macOS 10.12.4 and later.
A couple of years ago, I forgot the question/passphrase sequence for two-step verification and subsequently got frozen out. I had initially set it as samephrase1..2..3 in an effort to refrain from supplying PII. In order to reset, I managed to opt-in to 2FA and then revert back to initial setup.
I would have continued to think of the above process as the norm, until I read your comment and followed the support link provided by the other commenter, which states that the 2FA process cannot be undone anymore! However, there seems to be a slightly convoluted alternative i.e. unlinking existing AppleID and attach a new one for iCloud only, thus keeping the (old) existing one for the App Store and other services.
If you have an Apple device logged in to the account then Apple uses its own push notification infrastructure instead of SMS. Apple calls it “Trusted Devices”:
Also, SMS is always in-addition to your password. If you forget your password and you don’t have a trusted device from which to reset it, then Apple uses a recovery procedure which requires more than just SMS for verification.
You can also enable a recovery key which will then prevent SMS from being used to reset your password. With a recovery key you need to either use a trusted device or the key to reset your password.
Which effectively reduces it back to 1-factor authentication. There's an adage somewhere that is probably worded better but which boils down to your security is only as good as your weakest link.
If you type in the same passwords every time, that's already a possible security breach. Single-use 2FA is good because you need one separate code for each transaction.
SIMs and phones being vulnerable is different from 2FA not working.
I once lost my phone (with a SIM card in it). So I went to a store that served my operator, asked to give me a new SIM. They promptly gave me a new SIM and activated it on the spot. The only piece of information I gave them was my phone number. No other verification such as name, ID or SSN was required. This is how easy it is to hijack your cell phone number. It's basically trivial and there is absolutely no risk to it.
Not a security expert by any means and it'd actually be nice to get some feedback on this. I have a Gmail account protected with a hardware token and no additional 2FA mechanisms. I created a google voice # that forwards any text or voice messages to this email. The number is locked and cannot be transferred without having physical access to the google account. If I need to setup 2FA, I use the google voice #. The 2FA token is received via my secured Gmail. Any kind of social engineering attempts would have to go through Google support instead of telco. Is something like this worth pursuing?
>> "Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control."
This is why SMS should be never an option for MFA. You simply cannot rely on a telco employee for the security of your organization or online presence.
Unfortunately the EU regulation mandating 2FA[1] is only just starting to be adopted by the banks, in the UK at least. And they're doing it using SMS codes[2].
2FA has always been a requirement in my country, as far as I remember all the way from the start. The new EU legislation made things worse: one-time pad paper key list isn't accepted any more. My second factor now needs to be my phone (app or SMS).
The written list of one-time passwords (not a "pad"; the One Time Pad is a specific crypto design that largely exists to compare things to rather than as a practical gizmo) fails the requirement in 2018/389 because it doesn't end up verifying the specific transaction.
Suppose you have password '47BF-38AP-3M99' on the list. You get a plausible email from your friend Barry saying he needs €40 urgently. You send €40 using that password and instructions Barry gave about some web site for transferring money.
Oops. That wasn't Barry, crooks used Barry's email account to send the message and the €40 transfer turns out to have been a transaction to empty your account of €5830.26 but '47BF-38AP-3M99' was correct so the bank OK'd it.
The regulation aims to arrange that the second factor involves the transaction value 5830.26 which is weird for you because you are trying to send Barry €40. You would probably realise something is wrong when typing 5830.26 into an authenticator, or else, the crooks only get €40 which is a bad pay-off for such a sophisticated attack.
My good bank gave me a weird chiclet keypad device years ago that I have to type stuff into while doing online transactions. So I'd have to type the amount into that device. It whitelists certain actions, so if I keep sending Barry money, I think I don't have to type the amount in every time or something.
The EU rules definitely don't forbid your bank doing something better here, but I can see that the way that bank chose to implement them hasn't helped you which sucks.
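The difference described in the Barry scenario above is that a printed list code proves possession of the list, while a transaction-bound code proves possession of the device *and* that the holder saw the real amount and payee. As an added example (not code from the thread, and not the actual algorithm of the DigiPass or any bank), here are both schemes side by side in Python: the list scheme accepts any unused code regardless of what it authorizes, while the transaction-bound scheme derives the code with HMAC-SHA256 over a canonical encoding of payee, amount and a bank-issued challenge nonce, so a tampered amount fails verification. The secret, IBAN placeholder, nonce and code length are constructed sample values.

```python
import hashlib
import hmac
from decimal import Decimal


def list_otp_authorize(unused_codes: set, code: str, tx: dict) -> bool:
    """Printed-list scheme: the code only proves the list is in hand.

    `tx` is accepted but never enters the check, which is exactly the weakness:
    the same code authorizes EUR 40 to Barry or EUR 5830.26 to the crooks.
    """
    if code in unused_codes:
        unused_codes.discard(code)   # each code is single-use
        return True
    return False


def canonical_tx(tx: dict) -> bytes:
    """Fixed encoding of the fields the user is meant to confirm on the device.

    Amount is normalised to two decimals so "40" and "40.00" hash identically;
    the nonce is a per-transaction challenge issued by the bank (assumed), so a
    captured code cannot be replayed on a later transfer to the same payee.
    """
    amount = Decimal(tx["amount"]).quantize(Decimal("0.01"))
    return f"{tx['payee']}|{amount}|{tx['nonce']}".encode()


def device_code(secret: bytes, tx: dict, digits: int = 8) -> str:
    """What the keypad device computes after the user types amount, payee and nonce."""
    mac = hmac.new(secret, canonical_tx(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def bank_verify(secret: bytes, tx: dict, code: str) -> bool:
    """Bank recomputes the code over the transaction it is actually about to execute."""
    expected = device_code(secret, tx, digits=len(code))
    return hmac.compare_digest(expected, code)


# Constructed sample: the user intends to send Barry EUR 40; the crooks' site
# submits EUR 5830.26 with the code the user typed.
DEVICE_SECRET = b"\x11" * 32                       # per-device key, constructed
INTENDED = {"payee": "BARRY-TEST-IBAN", "amount": "40.00", "nonce": "123456"}
TAMPERED = dict(INTENDED, amount="5830.26")

if __name__ == "__main__":
    code = device_code(DEVICE_SECRET, INTENDED)
    print("bound code accepted for intended tx:", bank_verify(DEVICE_SECRET, INTENDED, code))
    print("bound code accepted for tampered tx:", bank_verify(DEVICE_SECRET, TAMPERED, code))
    codes = {"47BF-38AP-3M99"}
    print("list code accepted for tampered tx:", list_otp_authorize(codes, "47BF-38AP-3M99", TAMPERED))
```

The binding only helps if the user actually keys in the amount and payee shown on the bank's confirmation screen rather than whatever the phishing page tells them; the device cannot see the screen, so the canonical fields have to come from the user's own eyes.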
Thanks for the in-depth explanation. My reaction has maybe been a bit knee-jerk, it's not like this is a major annoyance. The attack scenario is quite convoluted with needing both access to the account and a phishing attack for the one-time key, but I suppose it is plausible. At the same time this does open users to new attack vectors though, especially with SMS.
Any idea what the keypad device is called? Are you expected to carry it with you at all times? Is that feasible? Is there some sort of threshold for its use? For example, transactions under $X, even if fraudulent, might not be worth the inconvenience to the customer of having to go through the extra steps.
If you don’t mind my asking, is your banking institution geared towards HNW clients? The amount verification sounds very similar to what most banks in the US do for inter-bank transactions but I’ve never heard of something like that implemented on a bank account from the consumer’s side.
The device claims to be a "Vasco DigiPass". It has lots of other identifying marks, but those might be secret (even if they weren't supposed to be, disclosing them might inadvertently reveal a secret).
I am not required to carry it, but my understanding is that most features of my online banking don't work if I tell the system I don't have it with me. I store it with other valuable identity items like my birth certificate in my home, I do not take it with me when I travel.
This bank offers excellent 24/7 phone service, if I was away from home I would call them if I needed anything. All conceivable transactions can be concluded by phone, indeed I've mentioned to HN before that it turns out very high value financial transactions (literally buying a home in my case) can't be done online at all. The web site just tells me to call them instead to complete the transaction.
The institution is not especially geared to High Net Worth individuals, but it doesn't offer any products geared to people focused on being thrifty/economical. It doesn't offer zero fee current account banking, it doesn't pay great interest on savings, it doesn't have "cash back" features on credit cards, it's just a very well run bank. If I needed £10 more than I need a bank I can rely on, I would leave.
The most secure alternative, which should be the choice for anyone who actually cares, and an option anywhere that thinks _any_ of their users might care, is WebAuthn (U2F is roughly the same thing but obsolete, no reason to deploy more of it).
WebAuthn uses FIDO Security keys, relatively cheap USB or Bluetooth devices or sometimes just a built-in feature of a smartphone, to authenticate. They are Something-You-Have, but the WebAuthn protocol also offers:
* Optionally a mode where you give the FIDO key a PIN (Something-You-Know) or biometric input (Something-You-Are) to do all the authentication locally
* Phishing proof - there's no decision about whether this is really your bank. WebAuthn is completely happy to log you into https://fake.bank.phishingsite.example/ but the credentials are useless to the crooks who own that site because they won't work on https://your.actual.bank.example/ even if the crooks got the logo just exactly right and wrote a very convincing pleading email from your bank saying they definitely need you to go to the fake bank site.
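To make the phishing-proof point concrete, here is an added toy model of the WebAuthn assertion flow (it is not code from the commenter, from a browser, or from any FIDO library). The browser, not the web page, writes the page's origin into clientDataJSON and derives the RP ID from the page's domain, and the authenticator's signature covers both, so an assertion produced on `https://fake.bank.phishingsite.example/` cannot be replayed to `https://your.actual.bank.example/`. Two simplifications are assumed and labelled in the code: a per-RP symmetric key stands in for the authenticator's public/private key pair, and the toy authenticator signs for any RP ID it is given, whereas a real one would refuse because the credential is scoped to the bank's RP ID; the server-side checks shown catch it either way.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Origins taken from the comment above; the phishing site is the attacker's.
BANK_ORIGIN = "https://your.actual.bank.example"
PHISH_ORIGIN = "https://fake.bank.phishingsite.example"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Toy FIDO authenticator. A real device keeps a private key per credential and
    the RP keeps the public key; here (assumption, for brevity) a per-RP symmetric
    key derived from a master secret stands in for that key pair."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def _key(self, rp_id: str, cred_id: bytes) -> bytes:
        return hmac.new(self._master, rp_id.encode() + cred_id, hashlib.sha256).digest()

    def make_credential(self, rp_id: str):
        cred_id = secrets.token_bytes(16)
        return cred_id, self._key(rp_id, cred_id)   # RP stores the 'verifying key'

    def sign(self, rp_id: str, cred_id: bytes, data: bytes) -> bytes:
        return hmac.new(self._key(rp_id, cred_id), data, hashlib.sha256).digest()


def browser_get(auth: Authenticator, cred_id: bytes, page_origin: str, challenge: bytes) -> dict:
    """What the browser does for navigator.credentials.get(): it fills in the origin
    itself and derives the RP ID from the page's own hostname. The page cannot lie."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = sha256(rp_id.encode()) + b"\x01"          # rpIdHash || flags (UP set)
    sig = auth.sign(rp_id, cred_id, auth_data + sha256(client_data))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    """The bank's server side: issues one-time challenges and verifies assertions."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self.credentials: dict = {}   # cred_id -> verifying key
        self.pending: set = set()     # challenges issued but not yet consumed

    def register(self, auth: Authenticator) -> bytes:
        cred_id, key = auth.make_credential(self.rp_id)
        self.credentials[cred_id] = key
        return cred_id

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, cred_id: bytes, assertion: dict) -> bool:
        cd = json.loads(assertion["clientDataJSON"])
        challenge = bytes.fromhex(cd.get("challenge", ""))
        if cd.get("type") != "webauthn.get" or challenge not in self.pending:
            return False                                  # stale or replayed challenge
        if cd.get("origin") != self.origin:
            return False                                  # the phishing-proof check
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False                                  # credential scoped to another RP
        key = self.credentials.get(cred_id)
        if key is None:
            return False
        expected = hmac.new(key, auth_data + sha256(assertion["clientDataJSON"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False                                  # signature covers everything above
        self.pending.discard(challenge)                   # single use
        return True


def legitimate_login() -> bool:
    auth, bank = Authenticator(), RelyingParty(BANK_ORIGIN)
    cred = bank.register(auth)
    return bank.verify(cred, browser_get(auth, cred, BANK_ORIGIN, bank.new_challenge()))


def relayed_phishing_login() -> bool:
    """Crooks fetch a real challenge, present it on their site, and forward whatever
    the victim's browser produces. Origin and rpIdHash are the phishing site's."""
    auth, bank = Authenticator(), RelyingParty(BANK_ORIGIN)
    cred = bank.register(auth)
    return bank.verify(cred, browser_get(auth, cred, PHISH_ORIGIN, bank.new_challenge()))


def tampered_origin_login() -> bool:
    """Crooks rewrite origin and rpIdHash to the bank's values; the signature no
    longer matches because it was computed over the original clientDataJSON."""
    auth, bank = Authenticator(), RelyingParty(BANK_ORIGIN)
    cred = bank.register(auth)
    stolen = browser_get(auth, cred, PHISH_ORIGIN, bank.new_challenge())
    cd = json.loads(stolen["clientDataJSON"])
    cd["origin"] = BANK_ORIGIN
    forged = {"clientDataJSON": json.dumps(cd, sort_keys=True).encode(),
              "authenticatorData": sha256(bank.rp_id.encode()) + b"\x01",
              "signature": stolen["signature"]}
    return bank.verify(cred, forged)
```

Only `legitimate_login()` succeeds; the relayed and the tampered assertions are rejected by the origin, RP ID and signature checks, which is exactly why a pixel-perfect fake site gets nothing useful.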
With all of these, you're often kicking the vulnerability down to the enrollment step. You've still got to find a way of assigning the authentication device/key generator to the user's account in a secure way and dealing with losing the device.
Don't save your TOTP codes in your password manager if you are going for the "best" security.
That turns multi-factor auth back into "single factor auth" and leaves you one exploit away from having your password and TOTP code stolen.
I store my TOTP in 1Password... I think it's still more secure than SMS (because to restore 1Password vault you also need a Secret, not only your password) and so much more convenient than a separate app, because 1Password auto-copies the TOTP code to your clipboard after filling form fields, making signing in a very smooth experience.
It is a security tradeoff that I take for most of my accounts. For a few that are much more sensitive I use a Yubikey.
And that's fine IMO as long as you know you are making a tradeoff.
But unless you have your 1Password set up to need the secret every time you go to have it fill in the password, the seed string is in memory unencrypted along with your passwords (or more specifically, it's stored in a way that it can be decrypted by the app/extension on its own). That makes it one spectre/meltdown style exploit away from getting everything needed to login to the account.
Still, if that system works for you, then good! Having any 2fa (even SMS) is better than nothing, storing TOTP codes in a password manager is better than SMS, storing them in a separate device is better still, and U2F keys are even better still.
Like anything it's a gradient of tradeoffs, but I've seen too many people go from Google Authenticator to 1Password in an attempt to further secure their account, and I just like to point out that there's a good chance it's doing the opposite.
The main benefit behind TOTP is that you can tie its value creation to a second factor, such as something you own like a device (instead of something you know like a password).
It’s arguable that you’re removing that second factor when you store the parameters needed to create the TOTP in the same place as you store your passwords.
The setup string which generates the time codes is basically a second password. If something can read that setup string, they can generate their own TOTP codes for your account whenever they want.
I've done a piss poor job of describing it, but the way TOTP works is there is a "setup code" or a setup "string". Often in a QR code format.
That string is all that is needed to generate all of the TOTP codes forever. So while the TOTP code that you type is different every minute, it's generated by doing some math on the setup string and the current time.
Some password managers (like 1Password) allow you to have them generate your TOTP codes by putting in your setup string into them (often using the exact same process you would do to setup your TOTP codes in an app). But I'm saying that's not a good idea if you are going for "most secure", because at that point if something were to somehow exploit your password manager, they will not only get your username and password, but will have that setup string as well so they can generate their own TOTP codes for you.
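The two comments above (the setup string is "all that is needed to generate all of the TOTP codes forever") and the earlier 2018/389 discussion (the second factor should involve the transaction value) can both be shown in a few lines of code. The block below is an added example, not code from any commenter or from 1Password: it implements RFC 4226 HOTP and RFC 6238 TOTP from a base32 setup string, and then a transaction-bound variant (an assumed construction for illustration, not any bank's actual DigiPass scheme) where the code also depends on the amount and beneficiary, so the code a victim computes for "€40 to Barry" does not validate a €5830.26 transfer. `SETUP_STRING` is a constructed sample seed; `RFC6238_TEST_SECRET_B32` is the published RFC test secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample seed, the kind of "setup string" a provisioning QR code carries.
SETUP_STRING = "JBSWY3DPEHPK3PXP"
# Base32 of the RFC 4226/6238 test secret "12345678901234567890".
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_seed(setup_string: str) -> bytes:
    """Base32-decode a setup string, tolerating the missing '=' padding QR codes omit."""
    s = setup_string.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes chosen by the low nibble of the last byte."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter. Anyone holding `secret`
    can compute every code, which is the whole point of the comment above."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(setup_string: str, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with counter = floor(unix_time / step). Nothing but the seed and the clock."""
    return hotp(_decode_seed(setup_string), at // step, digits)


def verify_totp(setup_string: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift; constant-time compare."""
    return any(hmac.compare_digest(totp(setup_string, at + d * step, step), code)
               for d in range(-window, window + 1))


def transaction_code(setup_string: str, amount_cents: int, beneficiary: str,
                     counter: int, digits: int = 6) -> str:
    """Transaction-bound code (illustrative construction): the MAC input includes the
    amount and beneficiary, so a code typed for one transfer is useless for another."""
    msg = struct.pack(">Q", counter) + f"{amount_cents}|{beneficiary}".encode()
    mac = hmac.new(_decode_seed(setup_string), msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_transaction(setup_string: str, amount_cents: int, beneficiary: str,
                       counter: int, code: str) -> bool:
    return hmac.compare_digest(transaction_code(setup_string, amount_cents, beneficiary, counter), code)


if __name__ == "__main__":
    now = int(time.time())
    print("current TOTP for the sample seed:", totp(SETUP_STRING, now))
    # The user thinks they are paying Barry 40.00; the crooks submit 5830.26.
    typed = transaction_code(SETUP_STRING, 4000, "Barry", now // 30)
    print("accepted for 40.00:   ", verify_transaction(SETUP_STRING, 4000, "Barry", now // 30, typed))
    print("accepted for 5830.26: ", verify_transaction(SETUP_STRING, 583026, "Barry", now // 30, typed))
```

With a plain TOTP or a printed one-time list the bank has no way to tell which transaction the code was meant for; binding the amount into the MAC input is what makes the user's authenticator display "5830.26" when they expected 40, which is the mismatch the regulation is trying to surface.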
WebAuthn/U2F security keys. No MITM, phishing or duplication possible. Register more than one per account in case the physical key breaks, keep one in a secure place.
My bank uses an app, Symantec VIP, to generate a 6 digit code.
This works on vacation when I can't receive SMS. It was much cheaper to buy a 4G SIM in Barcelona (for Google Maps etc) than enable international roaming from Australia ($AU5/day).
> Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T
Those seem like excellent litigation targets, and I’m surprised that that fact alone hasn’t fixed this bug. Dorsey should sue and sue and sue and not settle and get these companies to unfuck themselves.
> Dorsey should sue and sue and sue and not settle and get these companies to unfuck themselves.
If you are a captain of a ship that sees an out of control oil tanker heading for it, the solution is not to sue the oil tanker owners, rather it is to get out of its way, which in Jack's case should be ordering an immediate implementation of a non-SMS 2FA.
COLREGs (international rules to not have collisions at sea on account of everybody is agreed that would be bad)
A.2b. "In construing and complying with these rules due regard shall be had to all dangers of navigation and collision and to any special circumstances, including the limitations of the vessels involved, which may make a departure from these rules necessary to avoid immediate danger"
Basically, if obeying the other rules mean you'll get hit by an oil tanker, Rule 2b says ignore those other rules so that you don't get hit by an oil tanker. So yeah, Jack ought to order his engineers to go fix this.
In case anyone regularly has trouble not getting hit by an Oil Tanker, I'd like to recommend John W. Trimmer's excellent book: How to Avoid Huge Ships[1].
> U2F requires the presence of SMS fallback. It cannot be disabled as of two days ago when I tried it last.
The original statement is:
> which in Jack's case should be ordering an immediate implementation of a non-SMS 2FA
Which, as I point out, is superfluous, because Twitter already has three other forms of non-SMS 2FA. Twitter does also support SMS-based password reset, which is a problem, but that's not actually how Jack Dorsey's account got hacked in the first place.
Aside from any improvements to Twitter's security practices that could be made, Jack Dorsey himself was not using the existing security features that Twitter already offers. Which is the real problem.
I am not Twitter's CEO. I'm Twitter's user. I cannot use that feature without opening my account to this attack. Therefore that feature for all intended purposes does not exist because it is unusable for the purpose of protecting the account.
In India it's not just that these digital services are at stake due to SMS OTP, entire banking security, Tax filing to Aadhaar (UID containing all data of an Indian Citizen) relies upon SMS OTP.
SIM swapping attacks could have devastating effects on the lives of the people here.
It's devastating how many platforms require a mobile number in India. Many platforms also use the mobile number as the sole user identifier (try registering on Flipkart or Bounce or any other service — there is no way to do it without a mobile number and with just an email address). Many platforms also make assumptions that people's mobile numbers don't change. I gasp and scream every time I see these on a site or service, and then promptly abandon it and navigate elsewhere!
A correction: Aadhaar is available to all residents of India (those who have spent more than 182 days in the country in a year). It has nothing to do with Indian citizenship or being a proof of Indian citizenship, though with the completely broken design of the system, Aadhaar can be used to get a passport, and thus proving that one is a "citizen".
Correction on Resident non-Indian being eligible for Aadhaar duly noted.
Ironically, Aadhaar could indeed prevent SIM swapping attacks in certain cases for those who have updated their Aadhaar number to their service provider. If the Aadhaar number is available at the service provider, it needs to be authenticated (via Biometric and SMS OTP) before swapping SIM.
I wonder if the mobile is lost, whether at least the biometric part of the Aadhaar authentication is required to get the new SIM. Also, say if Aadhaar OTP needs to be entered in their internal service; bribing might not be possible.
I once walked into a T-Mobile store, showed them my phone and claimed that the SIM card is stuck and asked them to transfer it to a new SIM card I brought with me. They asked for my phone number, scanned the barcode on the new SIM card, done. I didn't have to provide any identity. I could have been anybody and the only trace would be the security camera in the store.
This is one thing nice about Google Fi, SIM swap attacks aren't possible. Your phone number with Fi is tied to your Google account, the only way to get a Fi phone number on a new phone is to sign into the Google account. So if you protect your account with good 2FA, your number is safer than any cell phone company (at least in the US).
> I’ve been fiercely evangelical about Project Fi since Google launched their cell phone service a few years ago. ... I think it’s important to update y’all about some recent experiences and research, along with why I am withdrawing my endorsement.
> ...
> Previously, whenever I had issues with my Pixel 2 or prior Fi-enabled devices, the third-party support center was phenomenal. I’ve had them help me with hardware issues, system issues, a phone that just wouldn’t connect to WiFi, or tethering that didn’t work when it was supposed to — every interaction was great, and resulted in the problem being solved.
> Since November, this has not been the case. My calls and chats to support have gone nowhere, and the once-great support staff have been replaced (or supplemented) by random people using generic scripts. I’m sure the awesome trouble-shooters are still there, but the sampling I’ve seen doesn’t suggest pervasive competency.
EDIT: Actually there is another, possibly more serious issue with Google Fi mentioned in the article:
> If you can’t use Google Payments, you can’t pay for Google Fi
> ...
> Getting this fixed is actually impossible, and I say that as someone who really, truly, loves solving problems and has made a living off getting phone agents to want to help me.
> We have submitted copies of his ID four times, my ID twice, multiple photos of credit cards, and various credit card statements. We’ve talked to agents and supervisors at Google Payments and Google Fi. No one is empowered to do anything, and even a well-intentioned agent doesn’t get the same answer from the "security department" twice.
> I’ve since found hundreds of comments and Reddit threads from people having similar experiences, with almost zero positive conclusions.
> The only suggestion of a solution we’ve been given is that he abandon both his email address and phone number of the past twenty years and start fresh.
The Fi team cares a lot about these kinds of issues and does what they can to solve them. I cannot comment on specific cases, but as someone that works on Payments @ Google, I've seen the Fi team advocate for their users a lot to get things running smoothly. They deeply care about good experiences and do what they can to make sure that's the case.
Sadly, things sometimes go wrong, and it becomes a learning experience to make it better for users in the future.
Sadly, I've experienced the same steep drop in Google support of late (twice in the past week in fact) working with G Suite support agents.
Just yesterday, I was helping a client troubleshoot a week-long issue with Drive File Stream ("Can't reach Google Drive") that remains unresolved for three of their users. Despite repeated phone calls and a promised callback from a "Drive engineer", the issue persists. We've eliminated suspected culprits by testing on other computers and networks.
Tech support from large players like Google, Microsoft, and Rackspace, even when paid, has declined precipitously in recent years.
Transparency is hard for some reason at large companies. I think it's a mixture of wanting to maintain an image, plus complexity of systems that don't always make it easy to get information to end-users about issues.
For your Drive FS issue, I assume you're on Windows? I have no clue if this is backend or client, but watch for a new version: https://support.google.com/a/answer/7577057
Maybe that will fix your issues. I'm not sure how to check your Drive FS client version sadly.
> For your Drive FS issue, I assume you're on Windows? I have no clue if this is backend or client, but watch for a new version: https://support.google.com/a/answer/7577057 Maybe that will fix your issues.
Thank you. Yes, they're Windows clients. We've tried downloading the latest version (as of yesterday) on completely new Windows 7 and 10 machines on a completely separate network and still have the same issue for the same 3 users every time. The other users don't have any problem with File Stream. We've checked and rechecked all of the settings available to us via the G Suite Admin Dashboard.
Google is not a consumer company. If your account is banned you will lose access to your Fi service with little to no chance to recover it. Cases of google abuse are well documented and numerous, the appeal process is non-existent and overall relying on Fi is just creating another vulnerability vector.
I'm not at risk, because I deleted my Twitter account when they started nagging at me to tell them my phone number. Demanding more information from users than the company understandably needs to provide its service is a huge red flag for me. It's good to know that they're now getting the media backlash they deserve.
I'm well aware of that and don't use my phone number for security-related tasks when I can. My operator or the authorities (with IMSI-catchers, also available to criminals) could gain control of it at any time after all.
I'm scared though, Voice seems to be an afterthought for google. They've killed Hangouts, which is the only app that text works with (if you have another way tell me), not given it any update love in forever and have been ending projects more actively recently.
This is my solution as well since it lets me indirectly secure everything with a physical second factor and not worry about migrating things when changing phone numbers such as when moving countries but some services don't accept gvoice numbers.
This could be stopped easily by making cell phone companies liable.
> Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control.
> Hackers can get the codes by bribing phone company employees.
How hard is it to insist on someone coming down to a store and submit several forms of identification to get a new SIM? And make multiple people in the store sign off on it. Has anyone ever gone to jail for taking a bribe to swap a SIM?
The other issue is to stop using SMS for a 1-factor recovery. There still needs to be a second factor, like knowing a password or a pin.
They have some duty to protect your account that you're paying for. And that means making some effort to verify that you're you when asking for a SIM transfer.
That's why I don't give my mobile number to any mobile service. Heck, I don't even give it to my service providers. I use Twilio phone numbers as a filter to transfer voice or texts without using my real number.
Have Twitter stated that this is how the hack was accomplished? When I first read that SMS was used I assumed someone had just spoofed the phone number. My assumption was that the Twitter account has a verified phone number and that any SMS sent to the SMS->Tweet service would be published as long as the sender ID was the same as the account phone number. That there was a need to begin the SMS with a secret code/password to authenticate each SMS. And that is why they shut down the whole service, because anyone can just spoof the sender ID in an SMS.
More than myself I am concerned when POTUS is hit. Imagine seeing a bunch of tweets showing up at 4am announcing to everyone that USA is in the process of launching nukes against Russia right at this moment. By the time the whole thing is explained as a hack-in, Russia may be sending their nukes this way and for a darn good reason, because no country takes nuke threats against them as a joke or "you know perhaps they were hacked so let's go sleep". This is more serious than my little 15,000 followers twitter handle.
Any word on whether using Google-Voice would be a good safeguard against this? Presumably, because your google-voice account is so intrinsically linked to your Google account, which is much harder to hack, that should mitigate this threat tremendously. Especially if you're using google-voice to forward all calls to a number that no one else knows about.
I would not use Google voice. I'm not sure, but I doubt Google controls the major component in the international mechanism responsible for routing telephone calls. I would expect that they outsource some of the mechanisms to 3rd parties.
Signal doesn't really care about identity at all, it leaves it up to the users to decide if "Steve" in their contacts is who they thought it should be, if they're happy to accept that without proof or if they've verified it was who they expected in person or out of band.
Modern Signal lets users put together a profile, like a Twitter profile, and like the Twitter profile you might know somebody whose profile name is "Grim Reaper" and whose profile photo is the Discworld Death, without you believing that is their real name or appearance. Maybe you decide that's enough reason not to mark your friend Suzie ("Grim Reaper") as Verified in Signal. Most likely not. Other Signal users aren't informed of this decision and Signal itself doesn't know what you decided.
But it does default bind your contacts to Signal users based on a telephone number they've proved control of at some point. So if you don't verify anything, a message from you to "Steve" could be received by somebody who registered the phone number you've associated with the contact "Steve". Signal's creators rationalise that this is what an ordinary phone user expects to happen.
If it's important to you that "SIM Swap" isn't used to create an imposter Signal account with your phone number - a reasonable concern for some people, you can set a "Registration Lock PIN" for the phone number. Anybody else in the future who wants to use Signal with that telephone number will need the PIN or their registration fails.
Both mobile number portability and SIM swap are stupidly insecure in the US. In every other country, you need to initiate the port with your current provider - usually by sending a text from your phone. Over here, I can do it from the receiving provider and that makes it really easy to bypass security checks. Similarly for SIM swaps - there's very little security and social engineering will do the job of bypassing it.
I see plenty of people suggesting we don't give phone numbers at all. That's not very convenient for most people. I consider myself savvy and use 2FA and password managers ...etc. But by the time I realized this issue, I had given my phone number to most important services.
This and spam are two very serious issues in the US that's already solved in most countries of the world.
How does this work? The SIM card is sent to your own address, in a plain white envelope. They have to steal that envelope to gain physical access to the SIM.
Why is it so hard to stop sending SIM cards to different addresses than the main address where it was registered?
I think it works like this: people buy a SIM card from the same carrier, and call that carrier and ask them to move the victim's phone number to that SIM card. I know T-Mobile in the US allows you to buy a SIM card in any of their stores. I am sure other US carriers have the same offer.
It's much simpler. The attackers simply go to the service provider, claim they lost the SIM card/phone and provide your details. If they're convincing enough the provider will deactivate your SIM and activate theirs within 10 minutes or so and by the time you notice your mobile connection doesn't work anymore they're already busy entering TANs sent to your number.
Now I don't know how easy that is to pull off in the US, but it varies in different countries. In some it takes a day to switch to a new SIM, in some you only need the real owner's name and a codeword and it'll get switched within minutes, for free and no questions asked.
It seems to me like there needs to be far more security in place before a SIM card can be swapped out over the phone. You should need to state your SSN, answer a few security questions and maybe let them know how much you paid on your last three bills or something like that.
That doesn't mitigate the risk of bribery but if you have the right software in place for the person on the line at T-Mobile or AT&T then they wouldn't be able to proceed without the proper verification.
Seems like a pretty big but easy to solve problem to me.
What is amazing to me is that after this attack has been successfully mounted against the CEO of the company he still has not announced "I have directed our engineering to implement a non SMS-based 2FA. They have been provided all the necessary resources and authorizations. It will become available for all users on a platform in no more than 30 days."
Imagine if it was Amazon and Bezos' account got hacked because the company did not implement proper security. Plugging that hole properly would become not a priority one but a priority before priority one project.
IMO the idea behind 2-factor is that an attacker requires physical access to a physical object. Which reduces the number of potential attackers to the small number that are able and willing to finance a targeted theft.
I don't understand why there hasn't been a class action lawsuit against the telcos' complete disregard for this security flaw in porting SIM/phone numbers. Literally this morning I read about this engineer that lost 100k from a hacker using the same attack https://www.ccn.com/100000-bitcoin-loss-bitgo-engineer-sim-h...
I think it's pretty bad that the phone companies facilitate this attack. I wonder if they have any kind of legal liability for their negligence? Maybe all that's needed to stop these attacks is for people to start suing them for the damages incurred upon being SIM-swapped? It should not be easy to steal someone's phone number.
SIM swapping events are due to phishing attacks which are hard to prevent for multiple reasons, so relying on SMS based 2FA for account security is completely foolish. You're better off disabling SMS 2FA than having it enabled because the attacker can reset your account by having your phone number.
This was a problem before Twitter allowed 2FA via SMS, so I'd argue this is very much a Twitter problem.
Afaict this all stems from mixing verification with authentication, where verification may be required when creating an account and authentication (and possibly more verification) when using the account.
Because people get new sims and legitimately transfer their numbers _all the time_.
I'm not saying they shouldn't put more effort into verifying the transfer, I'm just explaining why it's quick and easy and they don't invest in checking much.
Twitter is the service that accounts are being stolen from. There exists a trivial solution to the problem (stop allowing people to reset accounts via only SMS verification).
As a user, I'm at risk because Twitter is refusing to implement that trivial protection.
I don't care whose fault it is, but it is very much Twitter's problem.
I hope Google Voice on a dedicated Google Account makes this relatively harder for crooks to pull off. In theory it should require a porting attack and in theory since you can lock your number on the Google side you should at least get notified by Google first about any porting attempt.
The second factor for authentication is best handled by having it under the account holder's control. Either a client side TLS certificate or a YubiKey. The former is better in my opinion since it's compatible with application level protocols other than HTTP.
A client side TLS key has some properties plenty of people don't want because it specifically assures the remote party of your identity.
If I use a client TLS key with (examples are hypothetical) GitHub for my work as "Fast Jack The Javascript Hack" and Twitter as "Aunty Fa" to write posts calling out Nazis, then the effect is that data from GitHub and Twitter can be used to find out that "Jack" and "Aunty" are one and the same. Maybe they both give the data to cops who are actually Klan members, maybe it's stolen, maybe some goof uploads it to Pastebin. Doesn't matter, now my day job is destroyed because I used a TLS client certificate.
If I use FIDO keys for U2F/WebAuthn then nobody knows Jack and Aunty are the same person, unless they suspect this and they deliberately arrange for Twitter and GitHub to work together to test this /specific/ hypothesis, in which case frankly I'm probably screwed anyway.
If we want to authenticate a user, what is the best way to do it?
best: a great balance between convenience, security and cost.
Lately, it bothers me that we cannot be sure that we are interacting with real people or that the people we are interacting with are not the same people with different accounts.
You should certainly be able to tell that the person controlling an account is its rightful owner, but it's not obvious to me that you should be able to tell that 2 accounts are controlled by the same owner.
If I have 2 accounts, and you can tell that they're both me, doesn't that compromise my privacy?
Authenticate a user as _what_ / _who_ ? That's the most important question you need to figure out the answer to before setting off on this journey.
If I "authenticate" a $1 postcard of the Mona Lisa, does that mean it's the real Mona Lisa? A real postcard? Really worth a dollar? Really a physical object that exists?
In some cases the account officially belongs to a company so the real person is only an agent in any case.
Also there are attorneys: a real person acting on behalf of a different real person. Currently many financial institutions seem to be unable to cope with this situation. When talking to a call centre, in practice it's much easier, and probably not illegal, for you to impersonate the person you're representing rather than attempt to explain the actual legal situation to the confused employee in Bangalore.
In India, SMS services are blocked for the first 24 hours whenever a SIM is changed. This creates a bottleneck for the hackers but doesn't quite solve the problem.
Risk to what? You can probably clone the SIM (unless your carrier is aware that it's a "special" SIM, probably not) but then what? You leave the car unconnected and that's it. You can't steal anything from it or the car itself.
Unless you technically enforce the block, there is nothing stopping a bad rep from doing it for a bribe, or being fooled. If you technically enforce the block, you now store more dangerous data with the telco that they shouldn't be holding at all for any reason.
I have a few friends in the esports field that deal with some of these issues - one had someone physically show up to a mobile store with two fakes including most watermarks in the correct name to get a SIM swap attack completed (to only shitpost on Twitter, mind you, not to steal crypto or anything).
I assume companies don’t give the option for TOTP and require phone numbers to identify their users to collect more precise data about them, for possible advertising revenue.
Solving spoofed caller ID would help reduce robocalls also. I don't understand why the telcos can't make this happen. If they don't figure this out, we're all going to drop SMS and voice forever; the trend away from SMS has already started and people have already stopped answering all calls they don't know.