
The SIM Hijackers - deegles
https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
======
exabrial
Please everyone: Stop allowing SMS as 2-factor authentication. The normal
readers of Hacker News are in a special position to prevent this.

Please promote U2F with TOTP backup.

~~~
danso
Having helped people set up 2-factor auth, I find that SMS is a reasonable
mitigation for people who may find U2F and other measures to be intimidating
enough to not try. That is, the vulnerability introduced via SMS is at least a
magnitude less compared to 1-factor-auth of email/password. The pragmatic
optimist in me thinks that it's more likely that we'll see phone companies
meaningfully harden their customer auth processes, because it's easiest to
focus public blame/scrutiny on them for the time being.

~~~
acct1771
The same way you'd think they'd be interested in securing basebands from
intelligence agencies.

Buuuut, they don't. My suspicion? The Kingmakers at the tres letras don't
allow it.

Hell, they steal SIM encryption keys, too.

------
kalleboo
I feel impervious to these hacks since my phone operator doesn't have an
English support line, and even if you used a real-time translation service,
their toll-free number doesn't work from VoIP or international phones. The one
time poor support is actually a good thing?

~~~
danso
Seems too much like security through obscurity? If their customer service is
bad, it may also be untested -- e.g. the company may have not even thought of
having policies and training that mitigate social engineering.

