
Listen to a SIM-Jacking, Account-Stealing Ransom - petethomas
https://motherboard.vice.com/en_us/article/5984zn/listen-to-sim-jacking-account-ransom-instagram-email-tmobile
======
themagician
This is something that really worries me. I use token based 2FA when I can but
the reality is that I have like 50 accounts with 2FA and I forget which ones
have SMS as a backup. I'm sure there's an account in there somewhere that's at
risk. I have AT&T and use the extra security PIN code, but I know it's not
100% guaranteed. The other day I got a robocall asking for my PIN and last four
of my social. I didn't do it, but just knowing my number was on that list
worried me. I called AT&T and asked them to put a note in my account that said
not to allow my phone number to be transferred to another SIM. They said they
did it, but again I don't know how effective that is.

I understand why they make it possible to move a number to a new SIM, but I
really wish you had an option to force a notification and delay the transfer
for a number of days. Even a three day delay would be enough. You'd put in
the request and they'd send a notification via SMS/call and email, and then
the transfer wouldn't happen for 72 hours.

I would gladly deal with the potential inconvenience of not having access to
my phone for a few days if it meant that it would make it harder to transfer
my number to a different SIM. I don't think this should be mandatory, but I'd
like the option.

It's just WAY too easy to call a cell provider and have them transfer your
number to a new SIM and all the security measures that they use are easily
defeated. Once you have someone's social security number you can spend 99¢ on
a public records dump and get enough information to convince just about any
customer service person to do whatever you want.

~~~
phire
I talked to my cell phone provider and asked them if there was anything they
could do to prevent transferring of my number.

They said the best they could do was to add a note to my file to _check id in
store before transferring_.

This is better than nothing, but relies on the CS representative actually
seeing the note on my file. Even then, there might be ways around it.

And more importantly, it does nothing to stop someone asking another provider
to port my number to them. Apparently Inter-provider ports are all automated
and there is nothing anyone could do to stop it.

~~~
narrator
Running it through google voice will make it subject to your google 2fa.

~~~
davchana
Could you please elaborate about google thing you mentioned? I am interested
in making my ATT sim more secure.

~~~
zimbatm
It replaces the SMS 2FA with a Google prompt app on the phone for Gmail
verification.

So it doesn't make the SIM more secure but if the SIM gets hacked it doesn't allow
the attacker to gain access to Gmail.

~~~
narrator
Also if your public SMS reset number is in google voice, a hacker can't port
it off of Google easily because you need to log into your google account to
port it, which requires 2fa. They have to figure out your real number, but you
never give that out to anyone or you just use google hangouts SMS instead of
forwarding text messages to your insecure phone.

------
exabrial
Dear everyone at Apple, Facebook, Google, etc. Please stop and remove the
ability to use texting as 2FA. The mobile telecom industry is not hardened.

~~~
mikeash
2FA over SMS is fine. It’s not the most secure thing, but it’s an improvement
over just having a password.

The problem is when people forget the “2” part and allow SMS to be a
_substitute_ for having the password. That should never be done.

The related problem is that, as a user, it’s hard to tell when some service
wants your number for proper 2FA, or when they want it as a separate
authentication mechanism they just happen to call “2FA.”

~~~
floatboth
The "best" part is password _recovery_ — where SMS is typically the "second
factor" to a completely insecure "secure question"

~~~
palunon
You have no obligation to answer the secure questions truthfully, or not to
write a long random string of text... Starting with "Do not accept the answer
if I can't spell this exactly" in case a human gets involved...

~~~
jandrese
Of course you'll be SOL if you legitimately lose your password and the answers
to those questions.

~~~
psergeant
Sounds like a good reason to use a password manager and good backups to store
them?

------
baybal2
One does not even need to bribe or defraud telecom employees, the biggest
gaping hole is the fact that roaming requests are insecure, and SMSes are
plaintexted.

On "certain Russian forums" the talk is that was the way how British MPs were
deprived of their email mailboxes in 2016. Somebody dug up their IMSIs from
leaks and public dbs, and sent roaming requests through Megafon - Russia's
biggest telco

~~~
droopybuns
I doubt that was necessary. Many of the telcos use atrocious pin security for
voicemails- and they fail to prevent spoofed calls to their voicemail servers.
Makes for a bad combination.

SS7 hacking to achieve that end would be a higher barrier to entry and more
likely to get caught.

------
ghop02
2FA security aside, it really is remarkable how Jared was able to talk the
hacker down. We seem to really undervalue those sorts of social skills.
Jared's one conversation could have saved hundreds of thousands of dollars
(for himself and others).

~~~
notyourday
When a social engineer I meets a social engineer II the better social engineer
gets the upper hand. In this case it was not the hacker.

------
slivanes
I remember reading somewhere that Google Voice numbers cannot be ported - and
are useful in having them set as your 2FA for email accounts etc. Is that
still correct?

~~~
majormajor
I ported one out last year, I had to make it portable from inside my Google
Voice account (a quite poorly documented pain, actually), but that's still a
much higher bar than your average cell carrier.

~~~
ironcan
And since there is no google customer service, nobody can social engineer it
out of you!

~~~
cj
Google Voice is on track to be a core service in Gsuite, which has pretty
impressive phone support in my experience.

~~~
toast0
I interacted with Google support (when it was called Google apps) for two
things, the first one was I wanted to disable links in Gmail -- the support
people couldn't understand what I wanted for about 30 minutes, then couldn't
understand why I wanted it, then said it couldn't be done.

I don't remember what the second one was, but it ended with the support person
agreeing it was a problem, but suggesting I post to product forum.

If that's amazing support, I'd rather rely on the normal channels: writing an
angry blog post and posting it to HN, or suckering your smart friends into
interviewing at Google and bribing them to fix your problems once they get
there.

------
mherdeg
The "OG account" stuff is fascinating. ( see e.g.
[https://waypoint.vice.com/en_us/article/43ebpd/the-long-weir...](https://waypoint.vice.com/en_us/article/43ebpd/the-long-weird-story-explaining-why-i-bid-dollar700-for-a-stolen-psn-account)
for screenshots of forum or
[https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...](https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd) ).

Also fascinating is that the only functional support channel is "write a blog
post and hope a lot of people upvote it on a news aggregator".

Two really interesting trends there.

------
jameslk
This marketing entrepreneur talks down a ransom seeker with a heart warming
story AND manages to record it? Sounds a little too good to be true

~~~
FeteCommuniste
The accent of the "scammer" in the call is definitely not German.

~~~
socialist_coder
Germany has a ton of immigrants, they don't all speak with German accents.

------
Exuma
Can someone please point out what is the solution to bypass all these
headaches? Can I get a separate phone account that is under a business entity
or something (not a personal name)? Would that work?

------
walrus01
For anyone who wants to know how easy it is to social engineer big-4 mobile
phone carrier customer service people... I highly recommend reading Mitnick's
"art of deception" book on social engineering in general.

------
aviv
Taking over the SMS functionality of any phone number in the US is trivial and
can be done in 2 minutes. The phone will continue to operate as normal and the
victim will likely take a while to notice anything is wrong. Never ever use
SMS to secure _anything_.

~~~
noselasd
Trivial if you have access to an SS7 network that has a direct access or a
roaming agreement with the network of the victim, and the proper tools to do
that. But you will not manage to do it within 2 minutes if you have.

~~~
jandrese
I was thinking of someone just walking into their local cellphone store and
sweet talking the person behind the counter to transfer their number off of
their old "broken" phone.

