
PayPal and Venmo are still letting SIM swappers hijack accounts - danso
https://www.vice.com/en_us/article/pke9zk/paypal-and-venmo-are-letting-sim-swappers-hijack-accounts
======
zxcvbn4038
CapitalOne is even worse - they locked me out of their app today and asked to
send an SMS code - and they let you pick which number to send it to on the
spot. Good one fellas. What is the point of having Touch ID and their dumb
Swift ID stuff set up if they keep doing dumb stuff like this.

~~~
RJIb8RBYxzAMX9u
Google does this too when you sign in from "unknown" locations, if you don't
have 2FA configured. I think the purpose is to slow down bots. If you try
reusing the same number in quick succession on different accounts, Google
won't let you.

I'm so glad I'm out of the family tech support "business"; if only firing real
customers were so easy...

~~~
ladberg
This really bugs me. I have throwaway Google accounts that I don't want to add
my phone number to, so I can only access them from the location I created
them.

~~~
markdown
How do you even create a Google account without a phone number?

~~~
zxcvbn4038
You can't create a Google account without a phone number (at least last I
tried), however once you enable a 2FA method other than SMS you can then
delete the phone number. To their credit the phone numbers I gave to Google
when setting up my accounts have never shown up in any of the usual law
enforcement or skip trace databases so I'm less apprehensive about opening new
accounts with them.

T-Mobile sells me out once a year - I don't even give them my real name, they
must get it from my credit card or something. This year I used a fake name
"authorized user" card, still waiting to see if that keeps my latest number
out of the databases or not, around nine months to go.

~~~
mehrdadn
Wow there's a lot to unpack here. How are you accessing law enforcement or
skip trace databases to check?! And what do you mean by T-Mobile selling you
out -- where did they give out your info? (They let you get a line without
your real name?!)

~~~
zxcvbn4038
You can request a copy of your info from those databases from Transunion,
LexisNexis, etc. and they'll send it to you. However, since they are not used
in credit decisions they are not governed by the FCRA and you can not dispute
or amend anything. Every phone number I've ever had is in those databases, as
well as every address I've ever lived at - plus a few dozen variations that
are typos or incomplete which I guess says something about my handwriting,
every paycheck I've received over the past twenty-some years is in there, both
regular payments and bonus, with taxes broken out and everything (a lot of
businesses outsource employment verification to a Transunion subsidiary called
The Work Number and in return they get all that information). There is my list
of "known associates" which is pretty much all of my family living and dead
since the 80s, all of my wife's family, a couple former roommates and their
families. Apparently I own a sporting goods store in Austin, TX (that's false,
but can't dispute or amend). Every legal action I've been a party to is there.
Every car I've ever driven is in there. I think most people would be shocked
if they knew how much data these companies keep. I became aware when a police
officer called me about some tenants at a rental property on a phone number
I'd never given to anyone. I think the Transunion TXLop database is where I
finally found the number. Since then it's been my hobby to see how long I can
keep my phone numbers out of that database.

~~~
mehrdadn
Wow, thank you so much for sharing, that's really great info!

------
maallooc
My account was abused because of SIM swap. It was banned. I explained to them
that I did not do it. They won't budge.

We need to enforce tech companies to have proper customer support. We need to
make a regulation that enables users to appeal or sue tech companies' decisions
about their account. No more 'fix through hacker news submission or reply'
please.

~~~
AnthonyMouse
Paypal is less of a tech company and more of a finance company.

This kind of behavior is caused by rules that put the cost of fraud on the
payment processor rather than the customer, even though the payment
processor's primary tools to prevent it basically involve locking the
customer's account based on vague suspicion and hearsay.

When someone has stolen your identity, there isn't really anything you can
tell someone to prove you're you. Having your password or SSN or access to
your email or the answers to your security questions tell them nothing. The
perpetrator could have those things. Your account may have been created by the
perpetrator to begin with and the person whose name is on it has never even
used their service. How are they supposed to tell? Even if you're you, the
perpetrator may still have access to whatever method was used to access your
account to begin with and if they turned it back on there would be more fraud
(which causes the payment processor to lose money instead of you). So your
account is locked forever and you can pound sand.

The alternative to people getting locked out of their accounts is having
accounts without reversible transactions. You don't want this for your
brokerage account, but you do want it for the account you're using to buy
things with petty cash. Because then the account never has more than $1000 in
it to begin with, which limits your losses to that amount, but then the
payment processor doesn't have any incentive to ban your account because the
losses are yours. If you're careless and reuse passwords, you might lose the
$1000, but you don't get banned forever from making financial transactions.
Then you learn your lesson and do better next time.

That would also result in lower transaction fees, because most of the
transaction fees go to paying the cost of fraud protection. And it would
reintroduce the incentive to prevent fraud to the people best situated to do
that ( _stop reusing passwords, people_ ), so there would also be less fraud,
which is better for everybody.

~~~
zxcvbn4038
PayPal is the worst - a couple days ago they disabled my password (including
both 2FAs) and sent me an e-mail asking me to reset it. The only way to reset
it is via SMS which I don’t do. I’m locked out of my account now and also
support now since the only way to contact them is by logging in. I’m hoping
Synchrony has an in with them because I have balances on PayPal MasterCard and
PayPal line of credit that can only be accessed by logging in.

~~~
AnthonyMouse
It's really the same problem. As soon as they suspect your account could be
compromised, they can't trust your authentication methods anymore and the risk
calculation favors losing your business over reactivating your account and
then having fraud losses on it. It's a math problem, not a customer service
problem.

Granted it's obviously bullshit if they try to keep the money when your
account had a positive balance.

~~~
zxcvbn4038
What I love is when they refuse to help you except by talking on the phone.
As-if somehow my speaking to someone who has never met me and is completely
unfamiliar with my voice is more secure than when I log in to their "secure
message portal" and leave a message. Too bad there is no Tony for security
theater. ;)

------
dabernathy89
This is the recommended solution:

> The easiest way to make it impossible for SIM swappers to take over your
> accounts after they hijack your number is to unlink your phone number with
> those accounts, and use a VoIP number—such as Google Voice, Skype, or
> another—instead.

They don't mention that some carriers offer the ability to secure your account
against unauthorized transfers, but it's opt-in. Here's how you can do it on
Verizon:

[https://twitter.com/ramsey/status/1235227940054585344](https://twitter.com/ramsey/status/1235227940054585344)

~~~
KingMachiavelli
I tried using a Twilio number with my bank. I found out that any service that
uses SMS shortcodes for their SMS '2FA' won't work with this kind of service.
SMS shortcodes are a value add-on that carriers provide that is only supposed
to work with real numbers.

It's possible that services more centered around VOIP vs an automation
platform might work. It's also possible that using a foreign VOIP number
might work but that might also cause issues if you try using it with a US
bank.

And I'd rather not have some half baked solution using Google Voice.

If anyone knows how to get a shortcode-enabled number ( _not_ a short code
number but rather a number that can receive SMS _from_ shortcodes) on Twilio
or similar platform, it would be very easy to set up an SMS 2 EMAIL gateway.
Perhaps if a number is ported to Twilio it will retain shortcode capabilities?

Besides finding a solution to the above problem, I suppose I could just get a
GSM usb modem & SIM card for this purpose.

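The inbound half of the SMS-to-email gateway described above, written as an added example rather than code from the thread or from Twilio. It parses the form-encoded POST Twilio makes for an incoming message, checks the X-Twilio-Signature header (HMAC-SHA1 over the webhook URL plus the sorted POST parameters, base64-encoded, keyed with the account auth token) so that a forged POST cannot inject a fake verification code into your mailbox, and renders the message as an email. The auth token, URL, addresses and sample message are constructed; actual delivery of the email is left to whatever MTA the gateway hands the message to.

```python
"""Twilio inbound-SMS webhook handler that forwards messages as email.
Added example, not code from the thread. The auth token, webhook URL,
addresses and sample message below are constructed placeholders."""
import base64
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qsl

# Constructed values; a real deployment reads these from its configuration.
AUTH_TOKEN = "constructed-auth-token-not-a-real-secret"
WEBHOOK_URL = "https://sms-gateway.example.net/inbound"
FORWARD_TO = "me@example.net"


def twilio_signature(url, params, auth_token):
    """Twilio's request signature: HMAC-SHA1 over the full URL followed by
    every POST parameter (sorted by key) as key+value, then base64."""
    payload = url + "".join(k + v for k, v in sorted(params.items()))
    digest = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def parse_webhook(body):
    """Decode the application/x-www-form-urlencoded body Twilio POSTs."""
    return dict(parse_qsl(body, keep_blank_values=True))


def handle_inbound(url, body, signature, auth_token=AUTH_TOKEN, forward_to=FORWARD_TO):
    """Return an EmailMessage for a genuine Twilio POST, or None when the
    signature does not verify (the request is dropped, never forwarded)."""
    params = parse_webhook(body)
    expected = twilio_signature(url, params, auth_token)
    if not hmac.compare_digest(expected, signature):
        return None
    msg = EmailMessage()
    msg["From"] = "sms-gateway@example.net"
    msg["To"] = forward_to
    msg["Subject"] = f"SMS from {params.get('From', '?')} to {params.get('To', '?')}"
    msg.set_content(params.get("Body", ""))
    return msg


# Constructed inbound message, shaped like the fields Twilio sends.
SAMPLE_BODY = ("From=%2B15550100&To=%2B15550199"
               "&Body=Your+code+is+123456&MessageSid=SMconstructed")


def demo():
    """Run one genuine and one forged POST through the handler."""
    params = parse_webhook(SAMPLE_BODY)
    genuine = twilio_signature(WEBHOOK_URL, params, AUTH_TOKEN)
    forged = twilio_signature(WEBHOOK_URL, params, "wrong-token")
    forwarded = handle_inbound(WEBHOOK_URL, SAMPLE_BODY, genuine)
    rejected = handle_inbound(WEBHOOK_URL, SAMPLE_BODY, forged)
    return forwarded, rejected


if __name__ == "__main__":
    fwd, rej = demo()
    print(fwd)            # the email that would be sent
    print("forged request forwarded:", rej is not None)
```

The URL passed to the check must be exactly the one Twilio requested, scheme, host, path and query string included, or every signature will fail; and, as the post notes, none of this helps if the service you care about only sends from a shortcode that the carrier will not route to a VoIP number in the first place.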
~~~
notyourday
I've started using a dual sim phone with a second number that I do not give
out to anyone being used for companies that insist on SMS authentication.

~~~
h4waii
Be sure to enable a SIM PIN on it, so that in the event it's stolen/taken an
attacker can't simply put the SIM in a new device to request the code.

~~~
notyourday
I did not think of this. Thank you!

------
Finnucane
I try to avoid having my phone linked to accounts as much as I can. When the
web sites say, "add your phone" I say "no."

~~~
pengaru
Same here, but disturbingly some sites are making it a requirement.

The Match Group dating sites like Plenty of Fish and OkCupid recently made it
a hard requirement to set up a 2FA phone number, even for existing accounts.

It's a super annoying trajectory, and I imagine potentially dangerous if one
considers the dating sites and victims of abusive relationships attempting to
get out. Making physical access to the phone all one needs to gain access to a
dating profile is a clear regression from unsaved passwords.

~~~
nexuist
Without any form of national ID it's a really hard problem to solve. As
someone who runs my own login system, I require phone numbers to prevent
botting. Obviously you can make a bot through Twilio etc, but it becomes
economically nonviable to mount attacks through bot registration, which is my
goal.

~~~
pengaru
What are you doing to combat the risks of attacks like SIM-swapping?

Personally I find using phone numbers for this purpose as a cop-out, and like
you said it's just a Twilio account away from being defeated. Like captchas
it's only a matter of time before that is the baseline capability for bots and
you're in no better place than before, except now your users have worsened
security.

IMHO the true business incentive for requiring numbers is just getting
identity-coupled phone numbers which add significant value to their collection
of PII.

------
caymanjim
While SIM swapping is certainly a concern, this article makes it sound like
it's universally bad to rely on phones as a form of authorization. What are
the alternatives? I'd argue that email is far riskier; it's more commonly
compromised, easier to compromise, and less visible when compromised. Ideally,
users employ more secure 2FA methods like TOTP apps or dongles, but it's like
pulling teeth to get anyone to adopt those. Relying on SMS in addition to
email is better than relying on either one in isolation. I don't think I agree
that Google Voice numbers are necessarily harder to hijack, because to do that
they just need access to your Google login (typically your email credentials).

There are risks all around, but this article doesn't offer any good solution
that customers are likely to adopt in meaningful numbers. Maybe PayPal and
other companies should require people to use secure 2FA, but they'd lose too
much business.

~~~
rabuse
TOTP apps are fine, if they're properly implemented (either completely on-
device, or properly encrypted before stored in cloud). Services should
properly implement account restoration codes if access to TOTP secret is lost.
SMS should never be used for 2FA, ever.

~~~
WorldMaker
There are some apps that if my TOTP secret is lost, as horrifyingly annoying
as it would be, I'd much rather need to take the time to get a registered
public notary to stamp that they saw me in person, and checked my ID or other
such documents, before the account recovery process can begin.

The "old ways" are usefully slow, have protections built around them for
centuries of our culture, and I'd rather the annoying administrative headache
and "slow" over the quick abuse of account recovery systems for theft and
fraud.

------
mikece
It is annoying that some of these companies refuse to allow me to use a Twilio
number when they insist on using SMS as 2FA. If they are going to insist on
the weakest possible form of 2FA and INSIST that I use a number which is
subject to SIM hijacking, how are they not liable through negligence?

~~~
stqism
This is because these companies use APIs to establish trust for numbers which
do so using a combination of proprietary telco data, machine learning models,
and reports from customers. VoIP numbers like Twilio and Google Voice are a
surprisingly large source of fraud, so often the recommendation returned is to
block based on how risk averse the company is.

This method is highly effective at reducing fraud at the cost of penalizing a
minority of legitimate users who actually do have to use Google voice / etc.

It should be noted though that factors like why is this number being looked up
are considered too, i.e. OTP is less risky than say account creation at a bank.

~~~
TwoBit
Can't Google Voice numbers be outside the US? I've read of foreigners trying
to take over Google Voice numbers so they can use them like they are in US.

------
tpmx
> Paypal

So my instinctual habit of adding and then deleting my credit card details
whenever I need to do a Paypal payment was correct, after all...

------
Raphaellll
This was (is?) also possible with Lyft. When I was interning in the US, my
visa sponsor sent me a SIM card that they clearly reused several times a year.
Opening the Lyft app with this SIM automatically logged me in to the attached
account. I didn't notice this and took a $70 trip from SF to SV. Next morning
I realized it wasn’t my account and credit card details. Wrote to Lyft support
but never heard back. It wasn’t even possible to log out of this account and
create a new one.

~~~
jedberg
Lyft probably decided it was cheaper to eat the $70 than admit this attack
vector exists.

------
jlebar
PayPal / Venmo also don't have support for proper security keys. :(

~~~
fuzzy2
PayPal supports Symantec tokens though? They even sold hardware tokens in the
past.

------
dang
The article this is pointing to was discussed here:
[https://news.ycombinator.com/item?id=22687927](https://news.ycombinator.com/item?id=22687927)

and the study here:
[https://news.ycombinator.com/item?id=22016212](https://news.ycombinator.com/item?id=22016212)

------
tpmx
There should be a well-known website with a neat domain name that lists well-
known companies that allow this to continue to happen.

------
wronglebowski
Is there a recommended defense against a SIM Swap attack at the carrier level?
Do carriers offer some form of two factor? I suppose the weakest link is the
in store associate who just can't be bothered to verify identities.

~~~
dabernathy89
Yes, you can add additional security onto your account - at least with
Verizon. I highly encourage everyone to do so. Once enabled, you will need to
present photo ID at a corporate Verizon store to allow your phone # to be
transferred to a new carrier.

Instructions:
[https://twitter.com/ramsey/status/1235227940054585344](https://twitter.com/ramsey/status/1235227940054585344)

My wife got SIM jacked just a few weeks ago and we got extremely lucky that it
didn't turn into a bigger problem. They did get a hold of her Venmo account,
but fortunately it's not actually linked to our bank account (Venmo restricts
the # of users that can link to a single bank account).

~~~
jtokoph
This doesn’t work because many SIM swaps are now done with stolen corporate
credentials or bribed retail employees. They log in to the corporate portal and
check the box that says “I verified the customer’s ID” and proceed with the
sim swap.

This only protects you from the old way where a scammer tries to convince well
intentioned phone support or retail employees.

------
exabrial
Please stop supporting sms for 2FA. It's not better than nothing, it's worse
than nothing. Given the extent of technology workers on hacker news please
work to remove this antipattern from your products.

~~~
wtallis
The problem is that the SMS is being used not to implement 2FA, but 1/2FA
where you can get into the account with just one of the two factors, rather
than requiring both.

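A toy model of the "1/2FA" point made above, added here as an example and not taken from the thread: an account whose password-reset path accepts the SMS code alone, beside a policy that demands both factors for every login. The carrier is modelled as a gateway that delivers codes to whichever party it currently believes holds the number, which is exactly the record a SIM swap rewrites. Usernames, the password, the phone number and the parties are constructed.

```python
"""'1/2FA' versus real two-factor authentication. Added example, not code
from the thread; every name, number and secret here is constructed."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    phone: str


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_account(username, password, phone):
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), phone)


def password_ok(acct, password):
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


class Carrier:
    """Routes SMS for a number to whichever party the carrier thinks holds it."""
    def __init__(self):
        self.holder = {}   # phone -> party currently receiving its SMS
        self.issued = {}   # phone -> last code the service sent (server side)
        self.inbox = {}    # party -> last code that reached them

    def send_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.issued[phone] = code
        self.inbox[self.holder[phone]] = code


def code_ok(carrier, acct, code):
    """Single-use check of the last code issued for this account's number."""
    issued = carrier.issued.pop(acct.phone, None)
    return issued is not None and code is not None and hmac.compare_digest(issued, code)


def half_2fa_login(carrier, acct, password=None, sms_code=None):
    """'1/2FA': the password is one way in and the SMS 'reset' path is another."""
    if password is not None and password_ok(acct, password):
        return True
    return code_ok(carrier, acct, sms_code)


def real_2fa_login(carrier, acct, password=None, sms_code=None):
    """Both factors every time; the SMS code on its own never grants access."""
    if password is None or not password_ok(acct, password):
        return False
    return code_ok(carrier, acct, sms_code)


def sim_swap_scenario():
    """The attacker controls the victim's number but not the password."""
    carrier = Carrier()
    acct = make_account("alice", "correct horse battery staple", "+15550100")
    carrier.holder[acct.phone] = "alice"
    carrier.holder[acct.phone] = "attacker"   # the SIM swap: number now routes to attacker
    results = {}
    carrier.send_code(acct.phone)             # attacker presses "forgot password"
    results["half_2fa_sms_only"] = half_2fa_login(
        carrier, acct, sms_code=carrier.inbox["attacker"])
    carrier.send_code(acct.phone)
    results["real_2fa_sms_only"] = real_2fa_login(
        carrier, acct, sms_code=carrier.inbox["attacker"])
    results["real_2fa_pw_only"] = real_2fa_login(
        carrier, acct, password="correct horse battery staple")
    return results


if __name__ == "__main__":
    for name, outcome in sim_swap_scenario().items():
        print(f"{name}: {'ACCESS GRANTED' if outcome else 'denied'}")
```

The thing to notice is that the two policies share every primitive: the difference is purely in whether the SMS path is an alternative to the password or a supplement to it, which is why "we have 2FA" says nothing until you know what the recovery flow accepts.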
------
jonny383
PayPal is legitimately the biggest piece of crap flying around the internet.
I'm amazed they are still a thing, given the sheer number of stories we all
hear about "PayPal stole my 10k and wouldn't give it back for months" and
then, this.

It's been such a relief to stay in SE Asia for some time where PayPal isn't
associated with all kinds of online shopping. I can actually order online AND
be given the choice to either pay online OR in person in cash.

PayPal and its crappy culture need to die.

------
choward
Why isn't there more of an emphasis on the phone companies? They're the ones
literally giving your phone number to someone else.

------
dheera
2FA should never be SMS based. I've deprecated SMS for all communications and
block all SMS messages to my phone.

I use a virtual number for all such services that demand an idiotic SMS
verification code. I won't state which one I use here, but there are several
services you can choose from that provide virtual numbers.

------
ppf
Oddly enough, today I finally had to give my mobile number to paypal -
apparently due to incoming EU PSD2 regulations. I was also automatically
signed up to paypal "one touch", where my device is now able to make
transactions with no need for a password. Another thing I have to turn off.

------
latchkey
To be clear, Paypal owns Venmo.

------
renewiltord
I think if you use Google Fi, then you can lock down your account pretty well
and you'll need your hardware key to change things.

------
kome
can we please stop using cellphones and smartphones for anything serious
please?

