
Hackers Hit Twitter CEO Jack Dorsey in a ‘SIM Swap’ - blackbear742
https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html
======
zaroth
Twitter uses SMS as a _single_ factor, because you can reset the password with
only access to the text message. If Twitter was using SMS only as a 2nd
factor, this attack would not have worked without also knowing Jack’s password
or having access to his email. Twitter’s password reset function could require
an SMS code and _then_ send a password reset email to complete the process.

Number porting should require an SMS to the existing SIM with the ability to
respond NO to cancel the process and flag the request as fraud (e.g. whoever
made the request on the carrier side should be flagged, to fish out
compromised support reps).

A mandatory time delay (12 or 24 hours) could be imposed. This would slightly
inconvenience people who lost their SIM and need to set up a new one. This
seems like a reasonable cost/security trade-off for losing a SIM card. Mission
critical numbers should be implemented as forwarding services that separately
route to the cell phone anyway, so “this number must be live right now” is not
a reasonable excuse to compromise everyone’s security.

You could also mandate a short delay (4 business hours) and high value targets
that sometimes take international flights could opt-in to longer (24/48 hour)
waiting periods. The expectation should be that 99% of users keep the default.

Using SMS as a second factor has _trade-offs_. This isn’t news because every
single authentication mechanism presents a unique set of trade-offs in terms
of cost of provisioning, ease of use, possibility of loss, possibility of
spoofing, replay, etc.

SMS is an extremely powerful authentication factor due to its availability,
cost, and accessibility. It’s worth it to shore up protection against SIM
swaps not in the least because it would improve the security posture of SMS as
an authentication factor. It would still not make SMS perfect. Nothing is.
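
One way to build the reset flow described above, as an added example that is neither Twitter's code nor anything from the article: the SMS code proves the phone number, and only a correct code unlocks a second, mailed token that actually completes the reset. User names, the reset URL, the TTLs and the attempt limit are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values; the comment proposes the shape of the flow, not numbers.
SMS_CODE_TTL = 600       # seconds a texted code stays valid
EMAIL_TOKEN_TTL = 900    # seconds a mailed reset link stays valid
MAX_SMS_TRIES = 5        # guesses allowed against a 6-digit code


def _h(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


class ResetFlow:
    """Password reset in which SMS is strictly a second step.

    1. start():       text a short code to the number on file.
    2. verify_sms():  on a correct code, mail a high-entropy link to the address on file.
    3. complete():    the mailed token plus a new password finishes the reset.

    Holding only the (SIM-swapped) phone number gets an attacker past step 2
    but never shows them the link needed for step 3.
    """

    def __init__(self, users, send_sms, send_email, clock=time.time):
        self._users = users            # username -> {"phone": ..., "email": ...}
        self._send_sms = send_sms
        self._send_email = send_email
        self._clock = clock
        self._pending = {}             # username -> per-reset state

    def start(self, username):
        user = self._users[username]
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = {
            "sms_hash": _h(code), "sms_expires": self._clock() + SMS_CODE_TTL,
            "sms_tries": 0, "email_hash": None, "email_expires": 0.0,
        }
        self._send_sms(user["phone"], f"Your reset code is {code}")

    def verify_sms(self, username, code):
        st = self._pending.get(username)
        if st is None or st["sms_hash"] is None or self._clock() > st["sms_expires"]:
            return False
        st["sms_tries"] += 1
        if st["sms_tries"] > MAX_SMS_TRIES:
            del self._pending[username]          # too many guesses: start over
            return False
        if not hmac.compare_digest(st["sms_hash"], _h(code)):
            return False
        st["sms_hash"] = None                    # code is single-use
        token = secrets.token_urlsafe(32)
        st["email_hash"] = _h(token)
        st["email_expires"] = self._clock() + EMAIL_TOKEN_TTL
        self._send_email(self._users[username]["email"],
                         f"https://example.test/reset?token={token}")   # hypothetical URL
        return True

    def complete(self, username, token, new_password):
        st = self._pending.get(username)
        if st is None or st["email_hash"] is None or self._clock() > st["email_expires"]:
            return False
        if not hmac.compare_digest(st["email_hash"], _h(token)):
            return False
        del self._pending[username]
        self._users[username]["password"] = new_password
        return True


def simulate(attacker_reads_email: bool) -> bool:
    """Attacker controls the phone number and, optionally, the mailbox.
    Returns True if the attacker ends up setting the password."""
    sms_box, mail_box = [], []
    users = {"jack": {"phone": "+15550100", "email": "jack@example.test"}}   # constructed
    flow = ResetFlow(users, lambda to, body: sms_box.append(body),
                     lambda to, body: mail_box.append(body))
    flow.start("jack")
    code = sms_box[-1].split()[-1]                       # read off the swapped SIM
    if not flow.verify_sms("jack", code):
        return False
    if attacker_reads_email:
        token = mail_box[-1].split("token=", 1)[1]
    else:
        token = secrets.token_urlsafe(32)                # has to guess: 256 bits
    return flow.complete("jack", token, "attacker-chosen")
```

`simulate()` plays the attacker with a swapped SIM: they clear the SMS step but, without the mailbox, are left guessing a 256-bit token. The flow is only as strong as the mailbox it leans on; if the e-mail account itself can be reset with an SMS, the two channels collapse back into one.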

~~~
nullc
My experience is that after you give your phone number to most companies it
effectively becomes a single factor: it's trivial to get them to change
passwords with that alone. AFAICT, the only protection is to not give them
your phone number in the first place.

~~~
ineedasername
> _" the only protection is to not give them your phone number in the first
> place."_

That has its own risks. If you don't provide it to google and your account
gets hacked, it's extremely hard to get it back. (My wife lost her original
gmail account that way about 2 years ago. And of course there was no way to
get any live support to try & fix it)

Basically if you don't provide your number, you're more open to the more
prevalent traditional hacking. If you do provide a number, you're more open to
a slightly less prevalent type of hacking. It doesn't leave much to choose
from.

~~~
rkagerer
I've read of many cases of folks losing access to their personal Google
account through no fault of their own, and winding up helpless to get it back.
Almost happened to me after I was victim of a SIM Swap.

From the article, even the Twitter CEO has this problem:

 _While he has managed to get back his social media accounts, he has not
regained access to two Google email accounts that held years of
communications._

If anyone with directional authority at Google is out there: It would be
really decent of you to provide some means of customer service for consumers
stuck in this catch-22.

I can't accept there's no reasonable way to perform an identity confirmation
beyond the laughably limited self-help measures currently in place. If it's a
matter of economics, make it pay-per-use.

------
hprotagonist
[https://www.schneier.com/blog/archives/2016/08/nist_is_no_lo...](https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html)

NIST has said that 2FA via SMS is bad and awful for at least 3 years now. Can
we knock it off, already?

This won’t stop SIM swaps, but it will blunt their impact by rather a lot.

~~~
dev_dull
That’s the problem. Twitter requires you to add a phone number (even if you
sign up without one, eventually you’ll be locked out and required to add one).
Then, once you add a number to unlock your account you’re left exposed.

~~~
jandrese
Can't you add a number, verify the account, then delete the number?

~~~
mceachen
Nope, that disables 2FA.

~~~
jandrese
You can however uncheck "Text Message" as a viable second factor.

~~~
mceachen
...but texting 40404 still doesn't require authentication.

------
stirlo
While companies definitely need to move away from SMS two factor it’s so
entrenched (and simple) that more is needed.

The government agencies that setup the mobile number portability system need
to realise the seriousness of this flaw and allow a “Never transfer my Number”
flag to be set in their databases. Until then even the lowest rung service
desk agent at any telco has the ability to transfer numbers. A system like
that can never be secure.

~~~
nialv7
> “Never transfer my Number” flag

what if you actually want to transfer your number?

~~~
scep12
OP's intent was clear, at least to me: never transfer my number on the phone.
Require it to be in person with some stronger form of identification.

~~~
matwood
The problem is, I think a lot of these hacks have an internal connection. How
much access do these 3rd party carrier stores have to transfer numbers?

~~~
celticninja
It could be done remotely but only if the store had signed off that ID had
been viewed and the port confirmed in person. Of course this could be gamed
but an employee would need to put their name on the line to say they had met
the person and viewed the ID

~~~
dboreham
We have a <major us carrier> rep (as a business customer) and he will port our
lines and change SIMs for me based on an email. However I noticed the last
time I initiated one of these requests there was a confirmation step that
involved an email sent to me with a URL I had to click to approve. From memory
I don't believe that URL needed authentication so the email was a bearer
instrument. An attacker would need to both fake my outgoing email (easy) and
also intercept incoming email (not so easy). There was also a confirmation
email sent advising that the request had been approved and processed.

I can imagine however that an admin at a reasonably large business would
receive several of these emails per day and may just reflexively click on them
all. Note these emails are sent to the business account admin, not the end-
user. I happen to be both so can see both sides of the process.

Edit: I should also add that I have never met this rep and so he has
definitely not looked at my government ID. The process is secured only by
receipt of email.

------
Svip
Does anyone know how common or easy SIM swapping is elsewhere in the world? The
SIM swapping stories I've seen on HN mostly focus on US users. I remember
reading an article years ago, about banks combating SIM swapping in Africa,
where a lot of transfers are done by SMS, by forcing a cooldown.

But I wonder, besides the US and Africa, where is SIM swapping prevalent? NYT
says I'm at risk too. I'm in Europe -- am I?

~~~
tialaramex
Yes. Of course it works, if it was not possible for you to move your phone
number to a different device then you'd be trapped and of course the mobile
phone companies would take advantage of that to gouge you.

The problem is your cell provider doesn't have a very good way to be sure it's
Svip asking them to do this transfer. They are mostly going to rely on low
paid call center or shop floor staff to decide. Fortunately for them this is a
low-value transaction. If I get them to transfer Svip's number, I don't cost
them very much money and I don't inconvenience you all that much really. Why
would I bother...

Unless some idiot decides to rest the authentication scheme for their valuable
service on control over a phone number.

In the UK in particular for example the person doing the authentication in an
actual store will usually be a teenager working part time for the mobile phone
company to get some spending money or during tertiary education. When a hot
guy approaches them saying they can make twice their weekly wage if they just
"forget" to do a proper ID check for a few friends of his, why wouldn't they
say "Yes" ? They might get fired? They have never had a serious job, they're
treated like shit, unless they're unusually upright and honest or they think
it's a trap they're going to agree.

~~~
rmtech
There are still ways to make the system more secure.

For example, you have to physically go to a store to port the number unless
you have the old SIM.

Then it's not done immediately - there's a 72 hour period in which multiple
texts and calls are sent to the old SIM asking for confirmation. If you
physically have the old SIM this is instant, but if you claim to have lost it
you need to wait 72 hours and provide a signature and mugshot at the store.

If a member of staff "forgets" to do this stuff, they go to jail.

People don't usually lose their SIM card, so this process wouldn't happen very
often.

~~~
tialaramex
Sure, you could have a national "reality" TV show, everybody who lost their
SIM has to go on the TV show for six months with it showing on screen which
number they claim is theirs - so this way there's no chance they're a crook.

Or make anyone who claims they lost their SIM wrestle a bear first before they
get a replacement. Won't see many crooks take that on.

But, I put it to you that this all seems very disproportionate when you
remember that you're punishing the phone company and its customers for not
securing Twitter. These are the wrong people!

~~~
georgeam
I'm a strong believer in solving problems at the single point of failure. If
you solve it at the Twitter level, what about any other internet/cloud based
service that is designed just like Twitter? It would still be a problem. If
you solve it at the phone company level, all the companies that operate like
Twitter are protected.

Even better still, solve it at both levels, but definitely don't let phone
companies off the hook.

~~~
rmtech
Yeah, I think it should be solved in both places TBH. Defense in depth.

But it won't happen because people are dumb and don't care about the issue
until the exact moment it bites. This basically applies to every security
problem: everything is perpetually broken and therefore nefarious actors can
always find a way to achieve their goals. Most people's best defence is to not
have any enemies.

------
cdumler
Please do not allow people to call SMS 2FA. For it to be 2FA, it must be:
something I know alone, something I possess alone, something I am alone.
Otherwise, it's just another account identifier (and likely spoof-able). SMS
and phone numbers are none of these.

In same vein, I wish security questions would die in a fire. Always treat them
like additional passwords: use nonsensical words and store them in your
password manager.

~~~
theandrewbailey
Don't forget to change your birthday, mother's maiden name, fingerprint, and
face regularly.

~~~
JoeAltmaier
Exactly. "Things I own alone" are no good as passwords, if they cannot be
changed. They are account identifiers only.

And if a password has sufficient entropy (not likely to ever be duplicated)
then the account identifier is pointless. Just use the password as sufficient
authentication.

------
danShumway
Twitter is one of the largest social media networks on the market. It's not a
bumbling startup, it's a mature tech company in the center of the tech space.

> _Twitter said on Wednesday that it would stop allowing some users to post
> updates via text message, which made Twitter access particularly easy for
> SIM swappers. But that will not stop hackers who use the SIM swap to log in
> to a victim’s Twitter account. (Twitter said it was working to improve
> this.)_

At the risk of jumping onto hot-takes, at what point is it reasonable to say
that Twitter as a company just isn't taking security seriously? The first
response from Twitter should have been, "we turned off SMS password resets
immediately", not, "we're working on it." This is the kind of mistake I expect
a technologically naive company to make. It's a mistake I would expect a bank
to make, or a startup with 7 engineers total.

I don't understand how a company can brush aside an attack where attackers
took over their _CEO's_ account. I understand everybody does dumb things
occasionally, but how big is Twitter's security team? Nobody thought this was
a problem?

There must be some aspect to this I'm missing; how does doing password resets
over SMS pass any security audit? This isn't new, even mainstream sources have
been talking about SIM-swapping for years.

------
firasd
Someone was telling me that here in India authorities clone SIM cards to
eavesdrop on WhatsApp conversations. I don't know if that's accurate, but it's
becoming clear that SIMs in general are a vulnerable form of ID.

I've seen US-based IT-security-minded people saying on Twitter for a long time
that SMS based 2fa is bad, but the problem with hardware dongles is that they
can be _too_ secure. I don't want to lock myself out of my own Gmail account.
I guess apps like Authy as mentioned in the other comments are an alternative.
In any case I guess there are (or should be) some special codes you can write
down in case you lose access to your second-factor info.

~~~
fwn
AFAIK there is a feature in WhatsApp Settings that tells you whenever a
contact in an ongoing conversation changes their device.

So no protection, but a notification.

[https://faq.whatsapp.com/en/android/28030014/?category=52452...](https://faq.whatsapp.com/en/android/28030014/?category=5245250)

~~~
hiq
You can (should?) protect the verification step with a pin:

[https://faq.whatsapp.com/general/26000021/?category=5245245](https://faq.whatsapp.com/general/26000021/?category=5245245)

You can do the same in Signal.

------
0x00000000
Disappointed they didn’t do something like use it to manipulate the stock
market. Then it would have got much more coverage and something might actually
get fixed as a result.

~~~
oh_sigh
"I'm pleased to announce that Twitter is becoming a part of the Alphabet
family for $X", where $X is a bit more or less than the current value.

~~~
Cthulhu_
"Am considering taking Twitter private at $420. Funding secured."

Just a single tweet from Musk, caused a big wave in the value of Tesla + a
serious bollocking from the SEC.

------
ojosilva
I'm still a big fan of passwords. Long, hard to guess passwords. More than one
password/phrase as a failsafe, in case I lose it.

I got my first iOS device 3 days ago as a gift, an iPad. During the excitement
of the setup process, I was told to set up 2FA for my iCloud account, which
I've never conscientiously used since I own no iOS devices. Now all my Apple
ids, from my 2009 iMac to my macbook are tied to the darn 2FA and... my phone
number.

Apparently 2FA for Apple ids cannot be rolled back! Now every time I want to
upgrade something in my Macbook I have to get an SMS code on my (vulnerable)
phone to access my Apple account. This is a very unfortunate decision by
Apple.

Like I said I'm a big fan of passwords. Just give me 2 or 3 passwords or
passphrases (or secret patterns) as backup for my main password. Require them
to be long and complex. Something that is inside my brain and only Leonardo di
Caprio can steal. Not my dad's middle name or pet name or school teacher's
name. I'm not a security expert, but I still feel that's the most secure way
to protect an account.

~~~
H8crilA
Passwords don't work these days for sophisticated attacks. Phishing is too
easy.

I repeat, they don't work. No 2FA means you'll experience many successful
account takeover attacks on your customers. 2FA does not mean you won't,
though.

Coinbase had a great talk about account takeover attacks on the recent DefCon.
They receive some of the most sophisticated attacks, sometimes when attackers
already have control of every other account that the target has. Email,
Facebook, Apple Cloud - you name it, now they come for the coins, to cash out.

~~~
ojosilva
Phishing, as in entering your password into a field pwnd by a hacker, seems
like the problem to solve: how can we avoid giving out our password to a rogue
player?

There are simple and complex solutions out there, we should keep taking small
steps in the direction of safer password authentication, like browsers
showing users the certificate validity, or things requiring a secret,
individualized secret question so that you know the host is not phishing.

I agree passwords are far, far from ideal and that 2FA is probably just adding
complexity for the hackers, hence making it appear to be a better option, but
this is just for the time being. Phone-based 2FA is flawed at the root (of how
SIM cards work), so we should keep working on improving password security [1]
instead of throwing ourselves into the arms of a flawed phone 2FA.

[1] [https://a16z.com/2019/07/25/passwords-are-dead-again/](https://a16z.com/2019/07/25/passwords-are-dead-again/)

~~~
dublinben
U2F and its successors like FIDO2 were specifically designed to prevent
phishing.[0] Google claims that it has entirely eliminated phishing of their
employees who have been issued U2F keys.[1] The solutions to these problems
are out there.

[0] [https://fidoalliance.org/fido2/](https://fidoalliance.org/fido2/)
[1] [https://krebsonsecurity.com/2018/07/google-security-keys-neu...](https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/)

------
alexeiz
I once lost my phone (with a SIM card in it). So I went to a store that served
my operator, asked to give me a new SIM. They promptly gave me a new SIM and
activated it on the spot. The only piece of information I gave them was my
phone number. No other verification such as name, ID or SSN was required. This
is how easy it is to hijack your cell phone number. It's basically trivial and
there is absolutely no risk to it.

------
Havoc
Vaguely related...SIM Swap crime is rampant in South Africa - in the Bank acc
2FA context.

Interestingly enough (academically) neither party is accepting blame,
resulting in consumer taking the hit given organised syndicates.

Bank - not my problem if password and 2FA gets compromised

Cell provider - I never promised you bank grade security or safety of funds

...consumer...FML

------
sakopov
Not a security expert by any means and it'd actually be nice to get some
feedback on this. I have a Gmail account protected with a hardware token and
no additional 2FA mechanisms. I created a google voice # that forwards any
text or voice messages to this email. The number is locked and cannot be
transferred without having physical access to the google account. If I need to
setup 2FA, I use the google voice #. The 2FA token is received via my secured
Gmail. Any kind of social engineering attempts would have to go through Google
support instead of telco. Is something like this worth pursuing?

------
StreamBright
>> "Criminals have learned how to persuade mobile phone providers like
T-Mobile and AT&T to switch a phone number to a new device that is under their
control."

This is why SMS should be never an option for MFA. You simply cannot rely on a
telco employee for the security of your organization or online presence.

------
bengale
These places need to stop using SMS for 2FA.

~~~
aikah
You didn't provide a secure and practical alternative, please enlighten people
unaware of them.

~~~
tialaramex
The most secure alternative, which should be the choice for anyone who
actually cares, and an option anywhere that thinks _any_ of their users might
care is WebAuthn (U2F is roughly the same thing but obsolete, no reason to
deploy more of it)

WebAuthn uses FIDO Security keys, relatively cheap USB or Bluetooth devices or
sometimes just a built-in feature of a smartphone, to authenticate. They are
Something-You-Have, but the WebAuthn protocol also offers:

* Optionally a mode where you give the FIDO key a PIN (Something-You-Know) or biometric input (Something-You-Are) to do all the authentication locally

* Phishing proof - there's no decision about whether this is really your bank. WebAuthn is completely happy to log you into [https://fake.bank.phishingsite.example/](https://fake.bank.phishingsite.example/) but the credentials are useless to the crooks who own that site because they won't work on [https://your.actual.bank.example/](https://your.actual.bank.example/) even if the crooks got the logo just exactly right and wrote a very convincing pleading email from your bank saying they definitely need you to go to the fake bank site.
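
The phishing case in the comment above, as an added example that is not code from the FIDO Alliance, any browser or the thread: what the authenticator signs, what the browser writes into clientDataJSON, and which checks the relying party makes. The ECDSA signature is replaced by an HMAC stand-in so the block runs on the standard library alone; the hostnames are the ones used above and are constructed.

```python
import hashlib
import hmac
import json
import secrets

UP_FLAG = 0x01   # "user present" bit in the authenticator-data flags byte


def _sign(key: bytes, data: bytes) -> bytes:
    # Stand-in for the ECDSA P-256 signature a real FIDO authenticator makes;
    # the message shape (authData || SHA-256(clientDataJSON)) is the real one.
    return hmac.new(key, data, hashlib.sha256).digest()


class Authenticator:
    """Keys are scoped to an RP ID; the device will not sign for an RP ID it
    holds no credential for."""

    def __init__(self):
        self._creds = {}      # rp_id -> (credential_id, key)
        self._counter = 0

    def make_credential(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key   # the key handed to the RP plays the role of the public key

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self._creds:
            return None
        cred_id, key = self._creds[rp_id]
        self._counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([UP_FLAG]) + self._counter.to_bytes(4, "big"))
        sig = _sign(key, auth_data + hashlib.sha256(client_data_json).digest())
        return {"id": cred_id, "clientDataJSON": client_data_json,
                "authenticatorData": auth_data, "signature": sig}


def browser_get(authr: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """The user agent writes the origin it is actually showing into clientDataJSON
    and only lets a page ask for an RP ID that is its own registrable domain."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    return authr.get_assertion(rp_id, client_data)


class RelyingParty:
    def __init__(self, origin: str, rp_id: str):
        self.origin, self.rp_id = origin, rp_id
        self._keys, self._counters, self._challenges = {}, {}, set()

    def register(self, cred_id: bytes, key: bytes) -> None:
        self._keys[cred_id], self._counters[cred_id] = key, 0

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._challenges.add(challenge)
        return challenge

    def verify(self, assertion) -> bool:
        if assertion is None:
            return False
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False                              # wrong site, even with a valid signature
        if cd.get("challenge") not in self._challenges:
            return False                              # stale or replayed
        ad = assertion["authenticatorData"]
        if ad[:32] != hashlib.sha256(self.rp_id.encode()).digest() or not ad[32] & UP_FLAG:
            return False
        key = self._keys.get(assertion["id"])
        if key is None:
            return False
        expected = _sign(key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest())
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        counter = int.from_bytes(ad[33:37], "big")
        if counter <= self._counters[assertion["id"]]:
            return False                              # possible cloned authenticator
        self._counters[assertion["id"]] = counter
        self._challenges.discard(cd["challenge"])     # one use per challenge
        return True


def phishing_scenario() -> dict:
    """The situation described in the comment above, with constructed hostnames."""
    authr = Authenticator()
    bank = RelyingParty("https://your.actual.bank.example", "bank.example")
    bank.register(*authr.make_credential(bank.rp_id))
    out = {}
    legit = browser_get(authr, bank.origin, bank.rp_id, bank.new_challenge())
    out["legit"] = bank.verify(legit)
    out["replay"] = bank.verify(legit)                # same assertion presented again
    phish = "https://fake.bank.phishingsite.example"
    challenge = bank.new_challenge()                  # crook relays the bank's real challenge
    out["phish_asks_bank_rpid"] = bank.verify(browser_get(authr, phish, bank.rp_id, challenge))
    out["phish_own_rpid"] = bank.verify(browser_get(authr, phish, "phishingsite.example", challenge))
    # A compromised user agent that skips the RP-ID check still has to put some
    # origin in clientDataJSON, and the bank rejects anything but its own.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": phish}).encode()
    out["compromised_agent"] = bank.verify(authr.get_assertion(bank.rp_id, forged))
    return out
```

Three independent things stop the crook here: the browser refuses to let a page ask for someone else's RP ID, the authenticator has no key for the crook's own RP ID, and the relying party checks the origin the browser recorded. The user never has to decide whether the site is real.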

~~~
Slimbo
With all of these, you're often kicking the vulnerability down to the
enrollment step. You've still got to find a way of assigning the
authentication device/key generator to the users account in a secure way and
dealing with losing the device.

------
peteretep
> Criminals have learned how to persuade mobile phone providers like T-Mobile
> and AT&T

Those seem like excellent litigation targets, and I’m surprised that that fact
alone hasn’t fixed this bug. Dorsey should sue and sue and sue and not settle
and get these companies to unfuck themselves.

~~~
notyourday
> Dorsey should sue and sue and sue and not settle and get these companies to
> unfuck themselves.

If you are a captain of a ship that sees an out of control oil tanker heading
for it, the solution is not to sue the oil tanker owners, rather it is to get
out of its way which in Jack's case should be ordering an immediate
implementation of a non-SMS 2FA

~~~
tialaramex
COLREGs (international rules to not have collisions at sea on account of
everybody is agreed that would be bad)

A.2b. "In construing and complying with these rules due regard shall be had to
all dangers of navigation and collision and to any special circumstances,
including the limitations of the vessels involved, which may make a departure
from these rules necessary to avoid immediate danger"

Basically, if obeying the other rules mean you'll get hit by an oil tanker,
Rule 2b says ignore those other rules so that you don't get hit by an oil
tanker. So yeah, Jack ought to order his engineers to go fix this.

~~~
jxcl
In case anyone regularly has trouble not getting hit by an Oil Tanker, I'd
like to recommend John W. Trimmer's excellent book: How to Avoid Huge
Ships[1].

[1]: [https://www.amazon.com/Avoid-Huge-Ships-John-Trimmer/dp/0870...](https://www.amazon.com/Avoid-Huge-Ships-John-Trimmer/dp/0870334336/ref=sr_1_1?keywords=how+to+avoid+huge+ships&qid=1568222579&s=gateway&sr=8-1)

------
Abishek_Muthian
In India it's not just that these digital services are at stake due to SMS
OTP, entire banking security, Tax filing to Aadhaar (UID containing all data
of an Indian Citizen) relies upon SMS OTP.

SIM swapping attacks could have devastating effects on the lives of the people
here.

~~~
wtmt
It's devastating how many platforms require a mobile number in India. Many
platforms also use the mobile number as the sole user identifier (try
registering on Flipkart or Bounce or any other service — there is no way to do
it without a mobile number and with just an email address). Many platforms
also make assumptions that people's mobile numbers don't change. I gasp and
scream every time I see these on a site or service, and then promptly abandon
it and navigate elsewhere!

A correction: Aadhaar is available to all residents of India (those who have
spent more than 182 days in the country in a year). It has nothing to do with
Indian citizenship or being a proof of Indian citizenship, though with the
completely broken design of the system, Aadhaar can be used to get a passport,
and thus proving that one is a "citizen".

~~~
Abishek_Muthian
Correction on Resident non-Indian being eligible for Aadhaar duly noted.

Ironically, Aadhaar could indeed prevent SIM swapping attacks in certain cases
for those who have updated their Aadhaar number to their service provider. If
the Aadhaar number is available at the service provider, it needs to be
authenticated (via Biometric and SMS OTP) before swapping SIM.

I wonder if the mobile is lost, whether at least the biometric part of the
Aadhaar authentication is required to get the new SIM. Also, say if Aadhaar
OTP needs to be entered in their internal service; bribing might not be possible.

------
httpz
I once walked into a T-mobile store, showed them my phone and claimed that the
simcard is stuck and asked them to transfer it to a new simcard I brought with
me. They asked for my phone number, scanned the barcode on the new simcard,
done. I didn't have to provide any identity. I could have been anybody and the
only trace would be the security camera in the store.

~~~
justwalt
Reading stories like these make me feel like it’s only a matter of time before
this happens to me. Frustrating.

------
kyrra
(googler, opinions are my own)

This is one thing nice about Google Fi: SIM swap attacks aren't possible. Your
phone number with Fi is tied to your Google account, and the only way to get
a Fi phone number on a new phone is to sign into the Google account. So if you
protect your account with good 2FA, your number is safer than with any cell
phone company (at least in the US).

~~~
miles
While Google Fi appears to offer better security than other US-based carriers,
the support team needs work:

Why I Can No Longer Recommend Google Fi [https://onemileatatime.com/google-fi-review/](https://onemileatatime.com/google-fi-review/)

> _I’ve been fiercely evangelical about Project Fi since Google launched their
> cell phone service a few years ago. ... I think it’s important to update
> y’all about some recent experiences and research, along with why I am
> withdrawing my endorsement._

> ...

> _Previously, whenever I had issues with my Pixel 2 or prior Fi-enabled
> devices, the third-party support center was_ phenomenal. _I’ve had them help
> me with hardware issues, system issues, a phone that just wouldn’t connect
> to WiFi, or tethering that didn’t work when it was supposed to — every
> interaction was great, and resulted in the problem being solved._

> _Since November, this has not been the case. My calls and chats to support
> have gone nowhere, and the once-great support staff have been replaced (or
> supplemented) by random people using generic scripts. I’m sure the awesome
> trouble-shooters are still there, but the sampling I’ve seen doesn’t suggest
> pervasive competency._

EDIT: Actually there is another, possibly more serious issue with Google Fi
mentioned in the article:

> _If you can’t use Google Payments, you can’t pay for Google Fi_

> ...

> Getting this fixed is actually impossible, _and I say that as someone who
> really, truly, loves solving problems and has made a living off getting
> phone agents to want to help me._

> _We have submitted copies of his ID four times, my ID twice, multiple photos
> of credit cards, and various credit card statements. We’ve talked to agents
> and supervisors at Google Payments and Google Fi. No one is empowered to do_
> anything, _and even a well-intentioned agent doesn’t get the same answer
> from the "security department" twice._

> _I’ve since found hundreds of comments and Reddit threads from people having
> similar experiences, with almost zero positive conclusions._

> _The only_ suggestion _of a solution we’ve been given is that he abandon
> both his email address and phone number of the past twenty years and start
> fresh._

~~~
kyrra
I remember that story. It was talked about a lot here:
[https://news.ycombinator.com/item?id=18886804](https://news.ycombinator.com/item?id=18886804)

The Fi team cares a lot about these kinds of issues and does what they can to
solve them. I cannot comment on specific cases, but as someone that works on
Payments @ Google, I've seen the Fi team advocate for their users a lot to get
things running smoothly. They deeply care about good experiences and do what
they can to make sure that's the case.

Sadly, things sometimes go wrong, and it becomes a learning experience to make
it better for users in the future.

~~~
miles
Thanks for your reply, kyrra.

Sadly, I've experienced the same steep drop in Google support of late (twice
in the past week in fact) working with G Suite support agents.

Just yesterday, I was helping a client troubleshoot a week-long issue with
Drive File Stream ("Can't reach Google Drive") that remains unresolved for
three of their users. Despite repeated phone calls and a promised callback
from a "Drive engineer", the issue persists. We've eliminated suspected
culprits by testing on other computers and networks.

Tech support from large players like Google, Microsoft, and Rackspace, even
when paid, has declined precipitously in recent years.

~~~
kyrra
Transparency is hard for some reason at large companies. I think it's a
mixture of wanting to maintain an image, plus complexity of systems that don't
always make it easy to get information to end-users about issues.

For your Drive FS issue, I assume you're on Windows? I have no clue if this is
backend or client, but watch for a new version:
[https://support.google.com/a/answer/7577057](https://support.google.com/a/answer/7577057)
Maybe that will fix your issues. I'm not sure how to check your Drive FS
client version sadly.

~~~
miles
> For your Drive FS issue, I assume you're on Windows? I have no clue if this
> is backend or client, but watch for a new version:
> [https://support.google.com/a/answer/7577057](https://support.google.com/a/answer/7577057)
> Maybe that will fix your issues.

Thank you. Yes, they're Windows clients. We've tried downloading the latest
version (as of yesterday) on completely new Windows 7 and 10 machines on a
completely separate network and still have the same issue for the same 3 users
every time. The other users don't have any problem with File Stream. We've
checked and rechecked all of the settings available to us via the G Suite
Admin Dashboard.

------
lazyjones
I'm not at risk, because I deleted my Twitter account when they started
nagging at me to tell them my phone number. Demanding more information from
users than the company understandably needs to provide its service, is a huge
red flag for me. It's good to know that they're now getting the media
backlash they deserve.

~~~
tomglynch
You've missed the point. It's not that his twitter was hacked, it's that an
attacker can get control of your phone number.

~~~
lazyjones
I'm well aware of that and don't use my phone number for security-related
tasks when I can. My operator or the authorities (with IMSI-catchers, also
available to criminals) could gain control of it at any time after all.

------
heydenberk
This Reply All episode [https://gimletmedia.com/shows/reply-all/v4he6k](https://gimletmedia.com/shows/reply-all/v4he6k) is how I learned
about SIM swapping and I strongly recommend it for interested people.

------
narrator
This is why I use Google Voice with 2 factor authentication for my SMS. Google
has no customer service to socially engineer.

~~~
BEEdwards
Voice is the best, even as it's the worst.

I'm scared though, Voice seems to be an afterthought for google. They've
killed Hangouts, which is the only app that text works with (if you have
another way tell me), not given it any update love in forever and have been
ending projects more actively recently.

I don't know what I'd do without voice.

------
fortran77
This could be stopped easily by making cell phone companies liable

> Criminals have learned how to persuade mobile phone providers like T-Mobile
> and AT&T to switch a phone number to a new device that is under their
> control.

> Hackers can get the codes by bribing phone company employees.

How hard is it to insist on someone coming down to a store and submitting
several forms of identification to get a new SIM? And make multiple people in
the store sign off on it. Has anyone ever gone to jail for taking a bribe to
swap a SIM?

The other issue is to stop using SMS for a 1-factor recovery. There still
needs to be a second factor, like knowing a password or a pin.

~~~
TwoBit
But cell phone companies never opted into being used as security
authenticators for other parties.

~~~
fortran77
They have some duty to protect your account that you're paying for. And that
means making some effort to verify that you're you when asking for a SIM
transfer.

------
jeromeparadis
That's why I don't give my mobile number to any mobile service. Heck, I don't
even give it to my service providers. I use Twilio phone numbers as a filter
to transfer voice or texts without using my real number.

------
sleepyhead
Have Twitter stated that this is how the hack was accomplished? When I first
read that SMS was used I assumed someone had just spoofed the phone number. My
assumption was that the Twitter account has a verified phone number and that
any SMS sent to the SMS->Tweet service would be published as long as the
sender ID was the same as the account phone number. That there was need to
begin the SMS with a secret code/password to authenticate each SMS. And that
is why they shut down the whole service, because anyone can just spoof the
sender ID in an SMS.

------
joering2
More than myself, I am concerned when POTUS is hit. Imagine seeing a bunch of
tweets showing up at 4am announcing to everyone that the USA is in the process
of launching nukes against Russia right at this moment. By the time the whole
thing is explained as a hack, Russia may be sending their nukes this way,
and for a darn good reason, because no country takes nuke threats against
them as a joke or "you know, perhaps they were hacked, so let's go sleep". This
is more serious than my little 15,000-follower twitter handle.

~~~
floatboth
Surely countries rely on detection systems and spies rather than just believe
public messages on the internet?

------
noego
Any word on whether using Google-Voice would be a good safeguard against this?
Presumably, because your google-voice account is so intrinsically linked to
your Google account, which is much harder to hack, that should mitigate this
threat tremendously. Especially if you're using google-voice to forward all
calls to a number that no one else knows about.

~~~
ElonMuskrat
I would not use Google voice. I'm not sure, but I doubt Google controls the
major component in the international mechanism responsible for routing
telephone calls. I would expect that they outsource some of the mechanisms to
3rd parties.

------
neflabs
It's not just SMS 2FA causing this issue, it's the entire premise that a phone
number is equivalent to identity.
[https://neflabs.com/article/sim-swapping-attacks/](https://neflabs.com/article/sim-swapping-attacks/)

~~~
zeveb
Note that Signal, everyone's favourite secure SMS replacement, also conflates
phone numbers and identity!

~~~
tialaramex
Not exactly true.

Signal doesn't really care about identity at all, it leaves it up to the users
to decide if "Steve" in their contacts is who they thought it should be, if
they're happy to accept that without proof or if they've verified it was who
they expected in person or out of band.

Modern Signal lets users put together a profile, like a Twitter profile, and
like the Twitter profile you might know somebody whose profile name is "Grim
Reaper" and whose profile photo is the Discworld Death, without you believing
that is their real name or appearance. Maybe you decide that's enough reason
not to mark your friend Suzie ("Grim Reaper") as Verified in Signal. Most
likely not. Other Signal users aren't informed of this decision and Signal
itself doesn't know what you decided.

But it does default bind your contacts to Signal users based on a telephone
number they've proved control of at some point. So if you don't verify
anything, a message from you to "Steve" could be received by somebody who
registered the phone number you've associated with the contact "Steve".
Signal's creators rationalise that this is what an ordinary phone user expects
to happen.

If it's important to you that "SIM Swap" isn't used to create an imposter
Signal account with your phone number - a reasonable concern for some people,
you can set a "Registration Lock PIN" for the phone number. Anybody else in
the future who wants to use Signal with that telephone number will need the
PIN or their registration fails.

------
8ytecoder
Both mobile number portability and SIM swap are stupidly insecure in the US.
In every other country, you need to initiate the port with your current
provider - usually by sending a text from your phone. Over here, I can do it
from the receiving provider and that makes it really easy to bypass security
checks. Similarly for SIM swaps - there's very little security and social
engineering will do the job of bypassing it.

I see plenty of people suggesting we don't give phone numbers at all. That's
not very convenient for most people. I consider myself savvy and use 2FA and
password managers ...etc. But by the time I realized this issue, I had given
my phone number to most important services.

This and spam are two very serious issues in the US that are already solved in
most countries of the world.

~~~
cortesoft
> In every other country, you need to initiate the port with your current
> provider - usually by sending a text from your phone

How does this work if your phone is lost/stolen?

------
tiku
How does this work? The SIM card is sent to your own address, in a plain white
envelope. They have to steal that envelope to gain physical access to the SIM.

Why is it so hard to stop sending sim-cards to different addresses than the
main address where it was registered?

~~~
alpaca128
It's much simpler. The attackers simply go to the service provider, claim they
lost the sim card/phone and provide your details. If they're convincing enough
the provider will deactivate your SIM and activate theirs within 10 minutes or
so and by the time you notice your mobile connection doesn't work anymore
they're already busy entering TANs sent to your number.

Now I don't know how easy that is to pull off in the US, but it varies in
different countries. In some it takes a day to switch to a new SIM, in some
you only need the real owner's name and a codeword and it'll get switched
within minutes, for free and no questions asked.

~~~
sodafountan
It seems to me like there needs to be far more security in place before a SIM
card can be swapped out over the phone. You should need to state your SSN,
answer a few security questions and maybe let them know how much you paid on
your last three bills or something like that.

That doesn't mitigate the risk of bribery but if you have the right software
in place for the person on the line at T-Mobile or AT&T then they wouldn't be
able to proceed without the proper verification.

Seems like a pretty big but easy to solve problem to me.

------
notyourday
What is amazing to me is that after this attack has been successfully mounted
against the CEO of the company he still has not announced "I have directed our
engineering to implement a non SMS-based 2FA. They have been provided all the
necessary resources and authorizations. It will become available for all users
on a platform in no more than 30 days."

Imagine if it was Amazon and Bezos' account got hacked because the company did
not implement proper security. Plugging that hole properly would become not a
priority one but a priority before priority one project.

------
FreeHugs
Isn't texting usually used in 2-factor authentication?

What was the other factor?

I thought the whole idea behind 2-factor auth is that two somewhat secure
authentication methods combined make a stronger one.

~~~
dagw
_Isn't texting usually used in 2-factor authentication?_

Unfortunately it is also used far too often as 1-factor authentication for
password resets, making 2-factor authentication essentially pointless.

------
rburhum
I don't understand why there hasn't been a class action lawsuit against the
telcos' complete disregard for this security flaw in porting SIM/phone
numbers. Literally this morning I read about this engineer that lost 100k from
a hacker using the same attack:
[https://www.ccn.com/100000-bitcoin-loss-bitgo-engineer-sim-h...](https://www.ccn.com/100000-bitcoin-loss-bitgo-engineer-sim-hijacked/)

------
ijpoijpoihpiuoh
I think it's pretty bad that the phone companies facilitate this attack. I
wonder if they have any kind of legal liability for their negligence? Maybe
all that's needed to stop these attacks is for people to start suing them for
the damages incurred upon being SIM-swapped? It should not be easy to steal
someone's phone number.

------
miguelmota
SIM swapping events are due to phishing attacks, which are hard to prevent for
multiple reasons, so relying on SMS-based 2FA for account security is
completely foolish. You're better off disabling SMS 2FA than having it enabled,
because the attacker can reset your account by having your phone number.

------
darkhorn
This is a mobile operator problem, not Twitter's. How on earth can the mobile
operator hand a SIM card to someone else?!

~~~
brod
This was a problem before Twitter allowed 2FA via SMS, so I'd argue this is
very much a Twitter problem.

Afaict this all stems from mixing verification with authentication, where
verification may be required when creating an account and authentication (and
possibly more verification) when using the account.

~~~
brod
And even more simply, verifying the user is a "real person" in contrast to
verifying the user is the "right person".

~~~
nialv7
How does that help? Surely the attacker is a real person too.

------
js2
I hope Google Voice on a dedicated Google Account makes this relatively
harder for crooks to pull off. In theory it should require a porting attack,
and in theory, since you can lock your number on the Google side, you should at
least get notified by Google first about any porting attempt.

------
u801e
The second factor for authentication is best handled by having it under the
account holder's control. Either a client side TLS certificate or a Yubi key.
The former is better in my opinion since it's compatible with application
level protocols other than HTTP.

~~~
baybal2
USB smartcards worked flawlessly for 10+ years.

Last gen Titan key finally supports working in a driverless smartcard mode, but
you have to custom order them, as I understood.

------
mrtksn
If we want to authenticate a user, what is the best way to do it?

best: a great balance between convenience, security and cost.

Lately, it bothers me that we cannot be sure that we are interacting with real
people, or that the people we are interacting with are not the same people with
different accounts.

~~~
jstanley
You should certainly be able to tell that the person controlling an account is
its rightful owner, but it's not obvious to me that you should be able to tell
that 2 accounts are controlled by the same owner.

If I have 2 accounts, and you can tell that they're both me, doesn't that
compromise my privacy?

------
rdl
Did we have any actual confirmation that SIM swapping happened to Jack?

------
kgdinesh
In India, SMS services are blocked for the first 24 hours whenever a SIM is
changed. This creates a bottleneck for the hackers but doesn't quite solve the
problem.

------
zimmerfrei
Are SIM-based IoT devices at risk too? Say a connected car?

~~~
2rsf
Risk to what? You can probably clone the SIM (unless your carrier is aware
that it's a "special" SIM, probably not), but then what? You leave the car
unconnected and that's it. You can't steal anything from it or the car itself.

------
willvarfar
Although this was used to deface Dorsey's twitter and we know about that, one
has to wonder what calls they made or received too.

~~~
bransonf
Anyone else remember the voicemail scandal?

------
sriram_sun
Can I put in a note saying that "Don't transfer unless I physically show up
with ID in a brick and mortar store?"

~~~
dylz
Unless you technically enforce the block, there is nothing stopping a bad rep
from doing it for a bribe, or being fooled. If you technically enforce the
block, you now store more dangerous data with the telco that they shouldn't be
holding at all for any reason.

I have a few friends in the esports field that deal with some of these issues
- one had someone physically show up to a mobile store with two fakes,
including most watermarks, in the correct name to get a SIM swap attack
completed (to only shitpost on Twitter, mind you, not to steal crypto or
anything).

------
ecmascript
Well, MAYBE, just maybe, Twitter should stop requiring new users to enter their
phone number in order to validate their account.

~~~
lotsofpulp
I assume companies don’t give the option for TOTP and require phone numbers to
identify their users to collect more precise data about them, for possible
advertising revenue.

------
miohtama
It was not a SIM swap, but a spoofed sender number. You can have whatever as
your sender number in SMS, same as with email.

~~~
imglorp
Solving spoofed callerid would help reduce robocalls also. I don't understand
why the telcos can't make this happen. If they don't figure this out, we're
all going to drop SMS and voice forever; the trend away from SMS has already
started and people already have stopped answering all calls they don't know.

------
snorrah
Does twitter now mandate a phone number when creating an account, or are they
happy with just an email address?

------
darkhorn
Any United Statian here? How do you know if someone has obtained a phone
number with your identity?

------
iicc
Workaround: get a sim from a different country that doesn't have this problem
(are there any?).

~~~
dewey
The problem is mostly not a technical one, it's a customer service problem.

------
rc_kas
Cool this is good to know, I will not trust that my phone number is mine
anymore.

------
vkaku
Karma. They should probably target Zuck next.

------
Nguyenhung
2FA

------
appleflaxen
tldr: use Authy or another TOTP generator

------
yegor256a
It seems that Google Voice is the perfect solution to this problem: A phone
number without a SIM card.

~~~
lotsofpulp
TOTP 2 factor authentication has been around for years, and does not rely on
google or any third party.
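As an added illustration of the TOTP alternative recommended in these last two comments (this is example code written for this page, not code from the thread or from Authy, Google or any other product), here is a minimal RFC 4226 HOTP / RFC 6238 TOTP generator and verifier. Its only inputs are a shared secret and the clock, so no phone number, carrier or third party takes part in issuing or checking a code; the secret is the RFC's published test vector, and the `alice` / `Example` labels in the provisioning URI are made up.

```python
# Added example (not from the thread): RFC 4226 HOTP / RFC 6238 TOTP in pure
# Python. Only the shared secret and the clock are involved, so a SIM swap of
# the user's phone number gives an attacker nothing here.
import base64
import hashlib
import hmac
import struct
import time

# Published test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP whose counter is Unix time divided by the time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_step: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check; returns (accepted, step_used).

    Tolerates clock skew of +/- `window` steps, refuses any step at or before
    `last_step` so a code that was captured once cannot be replayed, and
    compares in constant time.
    """
    for drift in range(-window, window + 1):
        candidate_step = at // step + drift
        if candidate_step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step, digits), code):
            return True, candidate_step
    return False, last_step


def provisioning_uri(secret: bytes, label: str, issuer: str) -> str:
    """otpauth:// URI an authenticator app scans (label/issuer are placeholders)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{label}?secret={b32}"
            f"&issuer={issuer}&digits=6&period=30")


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, int(time.time())))
    print(provisioning_uri(RFC_TEST_SECRET, "alice", "Example"))
```

The server must persist `step_used` per user and pass it back as `last_step` on the next attempt; without that, a code phished within its 30-second window can be replayed.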

