
Who Owns Your Wireless Service? Crooks Do - hsnewman
https://krebsonsecurity.com/2019/08/who-owns-your-wireless-service-crooks-do/
======
3xblah
I see these problems from a different angle than the usual commentators. I
continue to ask myself: Why is mobile used for important things, e.g.,
banking, payments, etc.?

A great example is authenticating a person's identity via possession of a SIM
card, i.e., their mobile number. If one can switch SIM cards, then one can
switch identities. This flexibility is not a flaw in mobile communications;
the ease-of-use is what makes mobile so useful. However it is silly to pretend
mobile is as safe as landline for all uses. Mobile may be altogether more
useful than landline -- few could argue otherwise -- and at the same time it
can be entirely inappropriate for use in important things like banking. This
concept seems non-existent. Instead the prevailing thinking is all-or-nothing.

In addition to "convenience", mobile has introduced a new class of problems
when used for important things like banking and payments. These problems
either do not exist or exist at a much lower scale with respect to landline.
Who owns landline service? Crooks?

From where I stand, the risks of using mobile for important transactions
outweigh the benefits. Unfortunately, I also see that "convenience" continues
to prevail over common sense. I am willing to sacrifice convenience for peace
of mind. Meanwhile banks and others push harder and harder for customers to
use mobile, including as a means of verifying identity.

~~~
wvenable
> These problems either do not exist or exist at a much lower scale with
> respect to landline.

Except an ever-growing amount of the population doesn't have a landline --
only mobile.

~~~
umeshunni
The vast majority of people do not have a land line. Per World Bank data,
there are 12 landlines per 100 people and 102 mobile lines per 100 people.

~~~
3xblah
What are the statistics for businesses?

How many landlines per business entity?

Are the vast majority of businesses using cellphones exclusively? Why not?

~~~
digikata
Is a business accessing their lines via voip considered a landline?

------
nimbius
As a personal hacking project in my spare time, I switched from T-Mobile to
anveo and an asterisk setup. I can send and receive SMS on my server and can
make WiFi calls on my phone. SMS gets sent to my email as well. This costs
maybe $45 USD a year. I've thought about documenting my setup but I don't know
if there is any interest.

~~~
peteretep
I am rarely in the same country very long and use https://www.aa.net.uk/ in
the UK for a UK 07 number that can retrieve SMS and that I can use a VOIP
phone with. As far as I'm aware they're the only service in the UK allowing
this with 07 numbers.

~~~
rahimnathwani
How much do they charge for this? I looked on their web site but when you
select that option they say:

'Sorry, you will need to contact sales to order an 07 mobile number at this
time.'

~~~
peteretep
Very very little. Paying a couple of quid a month I think. Yes, you'll need to
contact sales, but also you can port your existing number in.

------
OedipusRex
It's hard not to get really depressed when you think about all the political
institutions that were set up to protect consumers and have since been hijacked
by the corporations to protect them from the consumers.

~~~
mikedilger
Maybe you won't be so depressed when you realize that some of the quotes in
that article by Gigi Sohn ("complete and total abdication of oversight") are
prima facie hyperbole, and thus we can dismiss them as politically motivated.
How can I say it's hyperbole? The rest of the article tells us that there are
lawsuits, prosecutions, and FCC investigations. That doesn't sound like a
complete and total abdication of oversight. Is the problem serious? yes. Is it
ongoing? yes. Is there regulatory capture? yes. But is nothing being done
about it? no.

~~~
nnvvhh
I think you're overreacting. The Sohn quote is referring specifically to
oversight by relevant government agencies. Lawsuits are not relevant to the
statement. The article implies that the FCC investigation into location data
sharing was, at best, proceeding slowly.

~~~
mikedilger
Perhaps. I mostly concur with the article. I think FCC deregulation was poorly
done. I'm not happy with the wording of my prior statement but I'm not going
to edit it. What I was thinking when I wrote it was "cheer up, things will
work out okay"

------
Causality1
Curiously enough, an edition of the Encyclopedia Galactica that had the good
fortune to fall through a time warp from a thousand years in the future
defined the telecommunications executives of America as "a bunch of mindless
jerks who were the first against the wall when the revolution came."

~~~
dylan604
How I miss Douglas Adams

------
wmf
AT&T's response to this sounds pretty bad. They're not going to prevent SIM
swaps but they're going to let banks (not Google, not cryptocurrency
exchanges) discover that you got swapped after the fact.

~~~
incompatible
Eventually, this could make legitimate SIM swaps unusable. The point of SIM
swaps was to retain a phone number when swapping carriers or SIM chips. If a
number becomes untrusted after a SIM swap, you may be better off getting a new
number.

~~~
iforgotpassword
Assuming it wasn't bribery but simple social engineering, what's there to
prevent this from being abused? In Germany, porting the number to another
carrier would be next to impossible without the victim realizing. You have to
request from the old carrier to release the number for porting, then you have
to tell the new carrier you want to port over the old number from the old
carrier. Then the old carrier informs you via SMS and email when the
switchover will happen. That date is usually at least one week in the future.
And usually the evening before the switch you get another SMS.

Pretending to have lost your SIM and requesting a new one might be slightly
easier, I never needed to do that. But it would mean your SIM gets deactivated
the moment they start the process of shipping out the new SIM, so it will give
you at least a full 24 hours to notice you got no service, usually two days. I
wouldn't be surprised if they'd also send you a text plus email before
deactivation just in case.

But in general I feel like call center workers here are very good at following
the protocol. I'd be very surprised if you'd manage to convince one that you
lost your phone and you also happen to have moved and want it sent to another
address.

But sure, if you're paying someone on the inside, all bets are off.

~~~
incompatible
I could probably go a week before I noticed that my phone had no service.

There doesn't seem to be much security at all in Australia. Enter the number
and date of birth (and contract number, if it's not a prepaid phone) and wait
a couple of hours.

~~~
iforgotpassword
> I could probably go a week before I noticed that my phone had no service.

Fair enough, not everyone is checking their phone every 5 minutes. But otoh if
you wouldn't realize it within a day or two you probably aren't using it for
Apple pay, 2fa and whatnot so you're not a likely target anyways.

~~~
incompatible
Not using it for much stuff like that. But considering everything I wrote
above, I think I'll start checking the service once a day.

------
maximente
this is actually an existential financial threat for some people:

- SIM swap to obtain SMS/telephone capability

- hijack email, if known + non-2FA or known SMS/telephone 2FA

  - this could be socially engineered as well - "sorry, i forgot my password
    to that email account, can you change it to..."

- using gathered intel from email (e.g. monthly statements), call up
  banks/financial account (many of which are non-2FA or SMS/telephone 2FA)

- password reset/etc any accounts without 2FA or with SMS/telephone 2FA

- social engineer way into bank/financial accounts

- drain and profit

i've seriously considered tying up financial stuff to an undisclosed phone
number on its own account.

~~~
rolltiide
this happens to people that store their cryptocurrency on services with
sms-based 2fa.

any service that uses sms-based 2fa without any other option like client side
generated one time passcodes (otp) should be sued for negligence at this
point. the otp should be the default choice.

people are currently masquerading incompetence as an indictment to
cryptocurrencies as a concept. this is allowing negligent, incompetent
businesses to get a free pass, because the people that should be in charge of
protecting consumers are thinking the cryptocurrency itself is insecure or
"got hacked" which so far isn't what is happening.

(with regard to storing cryptocurrency on someone else's server, yeah those
users are being negligent too.)

~~~
i_am_nomad
My personal peeve is various services that offer MFA, but very quietly still
offer SMS-based 2FA as a backup that is nearly impossible to turn off. If you
set up MFA, be absolutely sure that recovery is only done through one-time
codes and the service doesn't automatically fall back on SMS.

~~~
rolltiide
So Coinbase and .... who else?
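
Added example, not part of any comment above: the chain maximente lists and the quiet SMS fallback i_am_nomad warns about, written as a self-audit of one's own accounts. The inventory, account names and factor names are constructed, and the model assumes that controlling an account named in a path (such as "email") is enough to complete that path.

```python
# Constructed inventory (hypothetical accounts and factor names).
# Each account lists its login/recovery paths; a path is the set of things
# that must all be controlled at once to get in. "phone" means control of
# the mobile number (SMS and voice), which is what a SIM swap hands over.
ACCOUNTS = {
    "email":    [{"password", "totp"}, {"phone"}],          # quiet SMS recovery fallback
    "bank":     [{"password", "phone"}, {"email", "phone"}],
    "broker":   [{"password", "hw_key"}, {"email"}],        # e-mail-only reset
    "exchange": [{"password", "totp"}],                     # no SMS, no e-mail reset
}

def exposed_after_sim_swap(accounts, start=("phone",)):
    """Return {account: path_used} for every account that falls, directly or
    transitively, once everything in `start` is under someone else's control."""
    controlled = set(start)
    fallen = {}
    changed = True
    while changed:                       # iterate until nothing new falls
        changed = False
        for name, paths in accounts.items():
            if name in fallen:
                continue
            for path in paths:
                if path <= controlled:   # every requirement already controlled
                    fallen[name] = sorted(path)
                    controlled.add(name)
                    changed = True
                    break
    return fallen

def without_sms_fallback(accounts, name):
    """Copy of the inventory with the phone-only path removed from one account."""
    fixed = dict(accounts)
    fixed[name] = [p for p in accounts[name] if p != {"phone"}]
    return fixed

if __name__ == "__main__":
    for acct, path in exposed_after_sim_swap(ACCOUNTS).items():
        print(f"{acct}: falls via {' + '.join(path)}")
    hardened = without_sms_fallback(ACCOUNTS, "email")
    print("after removing the e-mail SMS fallback:",
          exposed_after_sim_swap(hardened) or "nothing exposed")
```

In this constructed inventory the single phone-only recovery path on the e-mail account is what exposes the bank and broker as well; removing it leaves nothing reachable from the phone number alone.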

------
calvano915
Are any providers offering an opt-in SIM freeze of sorts with some kind of
enhanced authentication in order to unfreeze? Wouldn't such a feature/service
easily prevent the SIM-swap risk? I don't know how easy this is to prevent
regarding the infrastructure (do networks detect a SIM-swap via change in host
IMEI?). I understand the article describes a rogue employee but it seems to me
that an added layer for such a service could easily prevent unauthorized
access.

------
KirinDave
I didn't know AT&T was just selling real time data in defiance of the FCC
rules and I'm quite inclined to just terminate my service after holding an
account for nearly 20 years with them over it.

That's beyond unacceptable.

------
the_arun
I liked the smart title of this article!

------
iflywithbook
Great piece of content. First time I read something in krebsonsecurity.

Love the combination of investigation and cybersecurity.

