
One man lost his life savings in a SIM hack, you can try to protect yourself - prostoalex
https://www.cnn.com/2020/03/13/tech/sim-hack-million-dollars/index.html
======
dehrmann
> Ross had approximately $1 million stored in two [cryptocurrency] exchanges
> when he was attacked, according to a report by investigators.

You know what happens if someone tries this with your brokerage? It takes
three days, not one hour, there's a name on the destination account (know your
customer), it takes days (at least) to withdraw money from it, and there's a
medallion signature on the transfer, so your brokerage is on the hook for it.

There's a reason fraudsters are targeting cryptocurrency exchanges: arguably
less security, but more importantly, it's easy to quickly and irreversibly
transfer the money.

~~~
perl4ever
"there's a medallion signature on the transfer, so your brokerage is on the
hook for it"

I'm...not sure that's how it works. Yes, common sense suggests it's much more
difficult with conventional financial assets, but is that signature guarantee
or whatever you call it protecting you or the institution? In the sense that,
if someone successfully forges one, what actually happens next?

~~~
lawfulcactus
From Wikipedia[0]:

> A medallion signature guarantee is a guarantee by the transferring financial
> institution that the signature is genuine and the financial institution
> accepts liability for any forgery.

[0] https://en.m.wikipedia.org/wiki/Medallion_signature_guarantee#Guarantee

~~~
perl4ever
I'm not sure I understand that. Because the signature guarantee _isn't_ "by"
the transferring financial institution, is it? You want to transfer an account
from "A" to "B" and you get the guarantee from someone that provides
guarantees, call them "C". And if someone _forges_ the guarantee, then "C"
never _did_ guarantee anything, so why would they be liable, let alone "A" and
"B"?

Maybe I'm forgetting how this works...

...reading the Wikipedia page, it sounds like the idea is to deal with
forgeries of signatures provided to the guarantor. Not with forgeries of the
guarantor's approval.

Then again, maybe you can't really forge a guarantee as long as it can be
looked up or invalidated by their database.

~~~
battery_cowboy
I think what they are saying is that in the banking system it is nearly
impossible to steal someone's life savings via a hack and get away with it, or
at least if you do they have insurance at the brokerage to cover it.

~~~
perl4ever
And what I was saying was that is probably true, but I'm not sure what would
happen with a similar hack only aimed at the guarantor.

~~~
ahaseeb
True like in CC they've guarantees against such unauthorised usages

------
LatteLazy
No actual guide on how to protect yourself. In fact, none of the carriers
listed seem to do anything remotely effective.

Seems like the best answer is to not reuse passwords, use complex passwords
and avoid giving "real" answers to security questions.

And of course, don't keep your life savings in an account that can be
withdrawn entirely on a moment's notice...

~~~
ahaseeb
I have been a victim 4 times which is the reason I built Efani.com

~~~
byteshock
Could you explain how your company defends against these attacks?

From a quick look at your website, it looks like you are offering prepaid
services through different providers similar to H2O Wireless. You claim to
offer protection but give no detail on it except that you use "military grade
protection".

~~~
ahaseeb
Yes updating the website this week with complete information. Our arrangement
is somewhat similar to any other MVNO with just that we've blocked sim port
attacks & have specific measures in place along with a $5M insurance

------
pcurve
Someone tricked ATT that led to SIM swap and this guy losing $1 million. Yet
ATT "disputes the allegation and intent to prove it in court"?

I get the fact that the real crook is the thief, but surely ATT is at least
partly negligent. How much are they responsible?

~~~
lotsofpulp
Everyone is trying to make phone networks the liable party because it’s cheap
for them, and the phone networks don’t want to be the liable party. Even the
federal government (SSA) uses SMS as 2FA for proof of identity.

And unlucky people are caught in the middle.

~~~
EGreg
The same Federal Government says not to use SMS for 2FA, for quite a while:

https://www.pindrop.com/blog/nist-explains-proposed-ban-on-sms-for-2fa/

Why should we use outdated and vulnerable networks when social engineering is
all you need to steal stuff?

This from 2012: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/amp

I encourage everyone to use a hard to guess email alias (foo+bar@gmail.com)
for your LOGIN — not password. This thwarts many of these attacks!

“Sir, let’s reset your password. What is your email please?”

“foo@gmail.com”

“Sorry, we have no such user.”

“Really? But—”

“Really.”

~~~
lotsofpulp
ATT’s login is the phone number itself.

------
swizzler
Efani (previously don't port) has a product to prevent this:
[https://efani.com/](https://efani.com/)

I haven't used it. I want to, but haven't wanted to deal with changing my
family plan. It does make me more interested in a dual-sim phone.

~~~
ryanlol
How is this supposed to work? Efani seems to just be a MVNO, there’s no way
they can protect you against attacks on the carriers they resell.

The language on the page is downright hilarious “11-Layer of Military Grade
Authentication”.

~~~
ahaseeb
It's a hybrid of MVNO and reseller & I can challenge that we can protect.
Happy to give you a bounty if you're able to break into the system.

~~~
ryanlol
>Happy to give you a bounty if you're able to break into the system.

Yeah, the problem here is that since you’re a MVNO the easiest angle of attack
might just be to go for the big MNOs that you resell (Verizon, ATT,
Sprint, Tmo). You can’t really offer bounties for such attacks, and I can’t see
how you could defend against them either.

~~~
ahaseeb
We can because due to our relationship, we control the # and they don't. We've
a slightly different arrangement. Think of that you've ATT and you're roaming
in Canada on Rogers network. Rogers employee can't port you out or do funny
things to your account. Similarly, we're using their network but they can't
access your account

~~~
ryanlol
You control the #, sure. But what specific technical measure prevents the
carrier from associating that customer line with another sim card?

The fact that you control the # might defend against port-outs, I don’t
understand how that could prevent SIM swaps though.

~~~
ahaseeb
Carriers don't have access to the customer account. They don't even know who
the customer is and our SIMs have a different serial number

------
crobertsbmw
SIM companies could prevent a lot of cases by trying to call or text the phone
that is currently active on the SIM. If AT&T would have called the number then
it’s likely this could have been prevented.

~~~
ahaseeb
ATT is built around selling you cheap plans and the SOPs are not that strong.
There are 1000s of ports every day so they want to make it simple for their
employees

------
Stierlitz
How is someone persuading your provider to transfer your number to another
provider, a hack?

~~~
dehrmann
Social engineering.

> Hi, AT&T, I was at the bar last night and I lost my phone. I still have my
> old phone, though. Can you help me transfer it? Mother's maiden name? Why
> yes, it _is_ on whitepages.com!

~~~
Stierlitz
@guessmyname: ‘It sounds like you are not aware of the existence of the term
“Social Engineering”.’

Sorry for the delay in answering, “Social Engineering” is _not_ hacking.
Manipulating the SS7 protocols for nefarious ends, could be considered
hacking.

https://blog.securegroup.com/phone-hacking-through-ss7-is-frighteningly-easy-and-effective

------
ahaseeb
[https://www.issms2fasecure.com/](https://www.issms2fasecure.com/) This is a
great resource on this issue

------
htk
One could argue that the greatest weakness in this case is in holding your
life savings in cryptocurrency.

~~~
battery_cowboy
Not only that, but holding it in a way that they can get to it. If I had a
million bucks in crypto, I'd have a few geographically separate offline
laptops with the codes on them, fully encrypted, as cold storage.

~~~
ahaseeb
People are generally lazy and it has happened to non-crypto folks too where
other information was stolen

~~~
battery_cowboy
It's rare to impossible to do this to a regular bank account, and if they did,
the bank would be liable. Crypto is a great solution for some stuff, but it's
not a panacea to solve every problem.

