
SIM swap horror story: I've lost decades of data and Google won't help - kaboro
https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/
======
ineedasername
Google really fails hard in the face of providing support when issues like
this occur. The average person has to try various automated account recovery
options which, as in the author's case, are readily changeable the moment the
account is compromised, rendering them somewhat useless, and then users are
out of luck.

It's a situation that is mind-boggling. Users are asked to place a significant
chunk of their digital lives in the care of Google, it is unbelievable that
they fail this badly. It's useful to note that it's not a situation that
business users face. People who pay for G-suite have real support, even
::gasp:: telephone support. Why on earth does Google not offer this to
consumer users? I would gladly pay for that level of support and security. For
that matter if there were some way of converting my personal account over to
G-Suite I would do so.

I would even not mind something like one-time payments for support calls, for
example pay $50 for a service call to get assistance in a case like this. I
just can't fathom the "no support" model at all.

~~~
8ytecoder
This is why I panicked when they announced they won't sync Google Photos with
Google Drive anymore. With the sync, I can set up one of my computers to
constantly download the photos and then copy it onto a local backup and an
online backup. If my Google Account gets locked - I'll just copy the photos
into something else and move on with my life. They removed that saying it's
confusing to users - all the while it was an option users had to go explicitly
enable.

I switched to iCloud which supports the download feature.

~~~
rikkus
Would you mind elaborating on your iCloud setup to handle this please?

~~~
ericwood
The most common way to do this is to have the Photos app on MacOS set to
"download originals," then use whatever backup solution you like best. I
highly recommend setting this up. Last month through some sort of iCloud
glitch my fiancé lost almost all of her photos from before the beginning of
this year. We've escalated it to their highest tiers of support but the photos
are gone. Redundancy is important, and even the best providers aren't
foolproof. It was devastating to lose all of those memories.

~~~
rikkus
Thanks. Currently I do this:

Phone -> Dropbox + Google Photos (automatically)

Card-based cameras -> Plug in card, Dropbox + Google Photos pick up new photos

Backup 'server': Local synced Dropbox folder -> Local + Cloud backups

I couldn't see how to add iCloud to my existing syncs / backups. When I looked
at it, I couldn't be sure it would keep photos on my phone long enough to
allow Dropbox and Google Photos to pick them up. It's good that it's possible
to get the originals over at a MacOS machine. Might be worth exploring then.

------
bArray
Why is it that the most dramatic stories of people's digital lives being
lost/broken usually seem to revolve around a compromised mobile phone number?
Mobile phone numbers are not unique (they are recycled) and are terrible
security (mobile phone companies are careless). I change mobile numbers at
least once a year and most years I end up receiving calls/messages on behalf
of the previous owner. I refuse to connect my mobile phone to these services.

It seems like one of the most important lessons of computer security has
already been forgotten: _It's only as good as the weakest link_. Not only
this but decentralization/redundancy is often better than
centralization/dependency. For example, I'm not sitting awake at night
worrying over some semi-pseudo password I generated for an old unencrypted
forum run on some random person's server.

~~~
Zancarius
> I change mobile numbers at least once a year and most years I end up
> receiving calls/messages on behalf of the previous owner.

I had something very similar happen when I got a new number. I kept getting
calls for the previous owner from what I assume to have been a bank, a library
(for past-due books no less; left a voice mail), and random people trying to
contact this person. Not long thereafter, I started getting text updates from
Facebook any time one of their contacts posted something. Facebook fortunately
disables this with the text message STOP (IIRC) [1], but it bothered me that a
nefarious actor could have passively collected the names of this person's
contacts, messages, or more.

Not quite sure what to do, I did end up calling most of them back to inform
them they had the wrong number, if they left a voice mail. The calls stopped
about a year and a half later, and while I was somewhat annoyed at the time,
in retrospect it could have been much worse!

[1]
[https://www.facebook.com/help/225089214296643](https://www.facebook.com/help/225089214296643)

------
chongli
This is a good place to remind everyone of Google Takeout [1]. Back up all of
your data. Don't let this horror story happen to you.

[1]
[https://takeout.google.com/settings/takeout](https://takeout.google.com/settings/takeout)

~~~
mceachen
Thanks for the reminder--I've done it several times in the past, but it wasn't
a scheduled thing at all.

There's a new checkbox in takeout that lets you schedule a backup every 2
months (and then presumably you'll get an email when you need to download it).

Does anyone else have issues with takeout failing with "unknown error
occurred" if you use the default of selecting all products? I have to manually
create multiple takeout archives (one for gmail, one for photos, one for
location history...)

~~~
techer
Absolutely! Always fails. I didn't know about the alternative you
mention...thanks....

------
jchw
Anyone who wants to defend themselves, consider using U2F where you can and
Google Advanced Protection. I just recently picked up a bluetooth security key
because one is needed to log an iPhone into an account using advanced
protection; there is no SMS backup loophole. The Titan key bundle comes with a
bluetooth and USB key, which is enough to get started, though frankly you
probably want a couple additional backup keys too.

[https://landing.google.com/advancedprotection/](https://landing.google.com/advancedprotection/)

(The usual disclosure: I work for Google, but not on anything related to this,
only speaking as a user.)

~~~
flarex
Why doesn't Google get rid of SMS recovery completely? It's a huge security
flaw that can be easily exploited.

~~~
ghaff
Probably because the more barriers you put in the way of scams, social
engineering, etc. the harder you make it for people to legitimately get back
into their accounts and the more likely it is that you'll instead read stories
about how someone "forgot their credentials and lost access to everything in
their account and Google won't do anything about it."

No opinion on SMS specifically but there are tradeoffs.

~~~
pergadad
Google is a pain as there's no way to talk to a human. I have lost access to
an old Gmail account as my phone broke. Without authenticator I can't get in.
I can't set up authenticator anew because I don't have the password anymore. I
still have the same phone and plenty of emails - just no way to get in.

~~~
WillPostForFood
When you set up 2fa with Google they give you a set of backup codes you can
use to get back in case you lose access to your phone/authenticator. It's
important to store those somewhere safe.

------
heliodor
A few suggestions:

1) Call your cellphone carrier and ask to set up a password/PIN to be used for
when you call into the customer service phone number.

2) Consider your phone number and SIM card insecure. The phone carriers are
ignoring the SIM swap problem even though they know how much damage it's
causing. Give your phone number to as few companies as possible. Phone
services such as Google Voice work without a SIM card, so they are less prone
to problems. Give out such a phone number if necessary.

3) Don't use text message verification codes as 2FA. Use an authentication
app, such as Google Authenticator.

4) You can retake possession of your hacked Gmail account by providing one of
the previously used passwords. No need to have a working phone.

5) Ask yourself, what will happen if you lose both your laptop and your phone
at once? Do you have things set up in a way where you can get back into your
digital life? Someone can break into your home while you're away, the
government can confiscate them at the airport, etc.

6) Check what email addresses you have configured as backup auth methods for
your Gmail. Those accounts can be used as a means of access by a hacker.

~~~
mceachen
> Call your cellphone carrier and ask to set up a password/PIN

Note that, at least for T-Mobile, AT&T, and Verizon, the password/PIN is
presented to the CSR in plaintext (as they verify the pin over the phone
verbally).

I'd assumed they'd transfer to some pin-capture applet to verify, but nope.

> Use an authentication app, such as Google Authenticator

If you decide on Google Authenticator, make sure you scan the barcode with 2
devices (say, your tablet and your phone) to back up that credential. Or just
use Authy.

~~~
rashkov
Authy allows you to recover your account using... SMS. So this is also
vulnerable to SIM swapping. [https://medium.com/mycrypto/what-to-do-when-sim-swapping-hap...](https://medium.com/mycrypto/what-to-do-when-sim-swapping-happens-to-you-1367f296ef4d)

~~~
timwis
Omg you're kidding me

------
thom
In the space of the afternoon after reading this article, I removed SMS 2FA
from all my accounts, installed Authy, added all my accounts to it, found out
Authy is also insecure[0], reconfigured it to be less insecure, and basically
despaired.

My solution going forward will be to spend all of my money each month so
there's nothing to steal, and have a terrible reputation online that therefore
can't be ruined.

[0]
[https://medium.com/p/1367f296ef4d#681f](https://medium.com/p/1367f296ef4d#681f)

~~~
Bakary
A lock on your door is obviously insecure, but can work because it introduces
friction for the burglar, while there are other targets around. It's a similar
principle at work for online security. Some amount of protection coupled with
the statistical likelihood of being targeted already goes a long way.

------
graeme
I find it strange that there is no procedure for the following situation:

* all emergency/account recovery info changed

* Person contacts shortly thereafter claiming account hack

I lost a legacy skype account recently. It had had no email attached to it, so
the hacker was able to add theirs and get notified whenever I got back into
the account. There was no way to remove their email or add new security
mechanisms without waiting 24 hours, so I had no way to keep them from
resetting the password.

The account was shut down for spam not long after. As far as I could tell
there was no way to effectively reach Microsoft about this, despite being a
paying Office 365 customer. They had a security chat but it was a dead end, and
slow.

------
mself
Unlike what the OP stated, the key is NOT to list your phone number as an SMS
2FA recovery option. Only use the non-SMS options (e.g. app-based recovery,
Google Authenticator, recovery codes). Adding SMS as an option makes your
account less secure, not more.

Unfortunately, most sites do not allow you to turn off SMS recovery even if
they offer other 2FA options.

Security is only as strong as the weakest link, and SMS is very weak.

~~~
azinman2
The problem lies in that Google Authenticator is tied to a device, so if you
upgrade it or lose it, you’re f’d. I also doubt many use/print recovery codes,
and if they do, good luck finding them 7 years later.

Overall the situation isn’t great.

~~~
Tepix
No, Google Authenticator is not tied to a device. It's a standard (TOTP, RFC
6238) and you just need to use an app (perhaps not Google Authenticator, I use
a different app myself) that will let you see the numerical code that you need
to save somewhere.

~~~
azinman2
It’s tied to the device as in it won’t be part of your backup to a new phone.
you have to manually transfer it yourself which according to you is using
another app!

So the likelihood of moving to a new phone without those codes transferred is
very high. Not exactly an easy experience.

------
tpetry
The industry needs to learn that SMS 2FA is not secure because getting a SIM
for someone else is so easy. And this is happening in every country.

~~~
tooop
I would say that for the average user sms 2FA is secure enough.

P.S. I might have a different perspective as where I am from, there really
aren't important services (banks etc.) that are using SMS 2FA. Mobile
operators don't ship SIM cards over mail, you can get a new SIM only in
person providing ID (or PIN/PUK in case of prepaid cards). Probably my country
is just too small a market for these kinds of attacks so I feel secure enough
when using SMS 2FA.

~~~
iNate2000
It wasn't secure enough for the author of this article.

~~~
tooop
Not really an average person, is he?

~~~
mceachen
How is he not an average person, as far as security goes?

1) he didn't use a password app

2) he thought google drive was a safe place for his stuff

3) he thought google drive was a secure place for his stuff

All three things, which I would bet are fairly common assumptions (the last 2
are certainly part of Google's marketing!), turned out to bite him.

~~~
ijpoijpoihpiuoh
He is a public personality and in that role has been related to Bitcoin. And
he also has his phone number and email publicly visible on the internet.

[https://gizmodo.com/a-tv-anchor-tries-to-gift-bitcoin-on-air...](https://gizmodo.com/a-tv-anchor-tries-to-gift-bitcoin-on-air-is-immediatel-1488636715)

It seems like this only happens to people who have poor opsec about their
email addresses, phone numbers, and are publicly related to the cryptocurrency
movement. I mean, I'm sure it happens to other people, but that's the only
case I've ever heard about.

I would personally be wary about publicly listing the email I use with my
bank, or my phone number, and I've done what I can to scrub the internet of
these values. If you have to be publicly reachable through a medium other than
Facebook or Twitter, have a separate email and phone number through which you
conduct your serious personal business. But most people do not need this kind
of public reachability, or else have it through work. For those types of
people, it would behoove them to keep their profile small.

------
exabrial
Silicon Valley has a systemic customer service problem. The price you pay for
"Free" services.

~~~
metalliqaz
I think the common wisdom dictates that since we aren't paying, we aren't the
actual customers. I'll bet advertisers have great customer service.

~~~
skybrian
That's less common wisdom and more of a catchy but dumb meme. There are all
sorts of things you can buy that have crappy-to-nonexistent customer service.

~~~
toss1
Sure, but even Comcast isn't as bad as Google; not as much depends on Comcast,
and Google has mountains of people's key life-altering data, yet it is nearly
impossible to speak with a human that has any capability to effect a change.

As with every generalization, there are exceptions, but they generally only
prove the rule.

~~~
skybrian
I was thinking more along the lines of manufacturer's warranties, which are
often hard to actually use. Or Teslas being in the shop for weeks due to an
unavailable part.

Customer service has more to do with company-specific culture than what you
actually paid. There are good and bad examples in every industry (or even with
the same company).

------
jpalomaki
This is why I would like to trust my digital identity to my bank.

They have enough local, physical presence so that I could show up in person
and prove who I am. Also the personnel is already familiar with checking the
identity and hopefully less susceptible to social engineering.

2FA tokens and codesheets without SMS backup are secure, but a bit tricky to
manage. Takes some effort to distribute to different, secure places (think if
house burns) and some regular checks to verify backup tokens are alive and
codesheets not lost.

~~~
tialaramex
My good bank has no physical presence whatsoever. I mean, I presume they
operate a call centre somewhere, maybe in Scotland, but I've never seen it.

They can reach out and cause things to happen at a distance, but I don't want
that used to authenticate me. They used it when I had lost my cards, to cause
me to receive a bundle of cash so I could get on with my day just paying cash
everywhere.

I have a specialized OTP device with a chiclet keyboard, and a password used
for normal stuff. When I do something serious, like the time I bought
somewhere to live, I call them to set up the transaction, then a different
random person gets assigned to call me back and verify the details - this way
if one employee goes rogue they can't empty my account by claiming I called
them. They have a password for me, and the second employee uses that password
so that I know it's really the bank calling me.

~~~
greggyb
I would like to know more about this bank!

What bank is it? How did you find it?

I've not heard of features similar to this, especially the last part about
buying a house.

~~~
tialaramex
It's First Direct
[https://www1.firstdirect.com/](https://www1.firstdirect.com/)

It's a Telephone Bank in the UK, launched in 1989 and I became a customer a
year or three after that. Because it doesn't have any branches its call centre
staff have to be trained to handle absolutely anything - if they can't fix it
then it won't get fixed.

I found it because my father used it, I have no idea why, he was not
ordinarily a man to favour technologically sophisticated solutions, he never
owned his own email address for example. Maybe as a working man he found it
frustrating that other banks were closed after hours? First Direct is never
closed, it operates 24/7. I have used other banks for some things, but I've
always kept accounts with First Direct because of their truly extraordinary
customer service, hence I call it the "good bank". I actually know one of their
Founders and apparently that commitment to customer service was key to their
original vision for the bank, he led a strategy session for the start-up where
I work now and it used that vision to give us a worked example. He was
Chairman at another start-up I've worked for too. Small world.

For the buying a home part I do mean that I bought it outright by the way,
there wasn't a mortgage or anything like that - so that's a lot of money,
let's say six figures. I presume the precaution was triggered by the fact that
I wanted to move this large sum (almost all the money I had) to an account I'd
never sent any money to before. Sounds almost exactly like a scam.

I would _like_ to believe any other bank would have similar protections - but
of course I don't buy a home every day, so I have no other examples to
compare, and most of my contemporaries have a mortgage so the very large sums
aren't involved.

The password when they call me thing was nice, to be honest they didn't
proactively set that up. I suggested it off-handedly one day and they were
like "Of course, yes, we can set that up". I presume it's not custom, just
they didn't explicitly advertise it to me as an option. That happens a lot, I
didn't want contactless on my new card recently, and they were like "Yup, of
course, done. Replacements for this card will also not have contactless until
you call to change that".

------
tzs
Phone providers, email providers, and banks should provide an option to
require in-person verification for account recovery or in the case of phone
providers transfer of a number to a different SIM. These events should be
infrequent enough that it would be OK if there was a fee for verification.

This might seem impractical for people who live somewhere that the provider
doesn't have an office, but it actually isn't. There is a nationwide, readily
available mechanism already in place for this. They are called notary publics.

It could work like this:

1. You request account recovery, and pay the fee, and provide your physical
contact information.

2. The provider hires a notary public in your area, and sends them a form for
you to sign authorizing the account recovery.

3. The notary meets with you, verifies your identity, notarizes your
signature on the form, and then lets your provider know that this has
successfully completed.

4. Now that the provider knows the request was legitimate, the recovery or
transfer can go through.

------
samat
This is why I don't use Google for anything of importance. No customer support
= I am not using it for anything of importance. Consider it a 'burner'
service.

~~~
doubt_me
Exactly

------
carapace
So the same pattern unfolds:

Someone trusts faceless uncaring tech companies with all of their most crucial
data.

Companies get hacked. User's life is crashed. Companies feel nothing and have
pathetic "support".

"Thankfully", insider access grants privileges.

> Thankfully, I have a good friend at $COMPANY who was very concerned with my
> plight and was able to get $PRIVILEGED_SUPPORT

My point is that we have set up these systems that have us all skating on thin
ice, and when people inevitably fall through (or are pulled under by thieves)
we have almost no recourse, unless we happen to be well-connected to the
internal workings of these machines.

We're turning the world into Morlocks and Eloi. We've got to wake up and slow
this shit down.

~~~
desc
Agree.

These two snippets inspired /facepalm:

> While Twitter is a free service, I would still expect some level of
> assistance for someone who has had the same account for 13 years and can get
> thousands of people to verify my identity.

'free service' being the operative words, and they can probably trust the user
to do all the hard work of maintaining a new account for another 13 years
(with associated pageviews) without lifting a finger.

> I made sure to have two-factor authentication (2FA) enabled with this
> service. It turns out that the 2FA with text messaging sent to a cell phone
> may be useless when hackers steal your SIM right out from under you.

O RLY. The point of 2FA is that one of those factors is a _physical token_
which cannot be stolen remotely. Anything involving SMS to a phone number is
_not_ 2FA and _never will be_ 2FA and anyone claiming otherwise is either an
idiot or assumes you are...

------
rb808
The fact that ACH is slow is a feature not a bug. Remember that when people
want to speed up money transfers.

> After a couple of days, our bank reversed the $25,000 charge and told us
> that the fraud department caught the ACH withdrawal before it was fully
> processed so that neither my family nor the bank lost this money forever.

~~~
hocuspocus
Instant transfers work fine in countries where banks do their job properly.

Mobile phone numbers shouldn't be used as a second factor, much less as a way
to fully recover online credentials to your bank account.

~~~
rb808
You're probably right. You definitely shouldn't be able to recover your online
credentials then immediately transfer out all the money.

------
lkuty
IMHO. "I trusted cloud services to store my data". I never do that. I have
multiple offline encrypted backup copies (on-site and off-site). I do not
trust anything out of my arm's reach. The cloud is not an option for serious
backups (unless you have n copies with different vendors + offline backups). I
think the convenience of the cloud (with encryption) is an option when you
have offline backups. I hope you will get your data back and that nothing will
be compromised.

------
module0000
Don't use 2FA, if the 2nd factor is anything mobile-based. Use _strong_
passphrases, and type them when you need access to the assets they protect.

There is the concept of "security VS convenience", a trade-off you make when
using secured assets. 2FA is convenience just as much as it is security. By
having SMS as a method to reset a password, you reduce the attacker's workload
from cracking a difficult password to "compromise your mobile phone physically
or electronically". I trust my passphrases much more than my mobile device
and/or carrier.

~~~
thefreeman
This doesn't make sense. Why not use both 2fa AND a strong passphrase? To get
to the second factor the attacker still needs your password. There is nothing
that says you should use a simple password if you have 2fa configured.

~~~
ars
Because they can do "forgot password" using the 2fa.

------
tempsolution
The author really hasn't learnt anything if he thinks that enabling all Google
recovery options is the right thing to do. The only thing you should ever use
is "Google Authenticator" and then store a copy of its recovery codes in a
safe place (bank vault or zero-knowledge encrypted online storage). But better
yet, don't use GMail in the first place.

------
loup-vaillant
> _I had backed up a ton of personal information on Google Drive. This
> included tax returns, account passwords for my wife in case I died, personal
> documents and spreadsheets, and just about everything I had paper copies of
> at home._

I guess the author learned that lesson, but… please don't. Backups in the
cloud are fine, but such sensitive information has to be encrypted. Ideally
with a 6-word diceware password or so.

And if it is meant for your close ones to recover if you die, write that
password down, and lock it up in a couple homes you trust.

------
AdmiralAsshat
I believe Google has some kind of service you can turn on where you will pair
it with a U2F token like a Yubikey or their Titan key. At that point, _all
other_ forms of login and password recovery are turned off. In theory, that
should stop the SIM-swap attack.

See:
[https://support.google.com/accounts/answer/7539956?hl=en](https://support.google.com/accounts/answer/7539956?hl=en)

~~~
metalliqaz
I use Authenticator, which should also stop a SIM-swap. However, I've noticed
that many services seem to require activating 2FA via text message in order to
activate authenticator. Has anyone else noticed that?

~~~
jsty
Quite a few do require you to have at least two second-factor methods set up,
although I think for me only one has ever insisted on setting up phone / text
2FA. If you don't have a spare phone for TOTP or a Yubikey for U2F, phone-
based might be all you can use (considering a surprisingly small number of 2FA
supporting sites seem to implement recovery codes).

------
rad_gruchalski
The problem starts with a mobile provider simply giving away a service to
someone else. Twice. This is shocking.

------
3JPLW
I certainly didn't appreciate how much SIM cards are the keys to our modern
lives until mine got stolen. Interestingly, my thieves took a different tack:
they _actually stole the physical SIM card!_ You might ask how this could
happen: I was traveling internationally and had a friendly guy at an official
kiosk in the Heathrow arrivals hall swap out my SIM card for a local SIM. He
palmed my SIM and gave me back a dud without me noticing. He then shipped it
back to Atlanta where collaborators used it to blindly call credit card
support numbers. Some of these credit card numbers were hits — places where I
had existing accounts and where they recognized my phone number. They social-
engineered their way to get the CC companies to divulge more information about
me — including the CC numbers themselves — allowing them to increase my credit
limits and open new cards. They then went on a $40k shopping spree.

Of course I didn't notice until I came home. The dud card he gave me worked
for 24 hours (I still don't understand how). And even after it stopped
working, it took me quite some time to piece together everything that happened
— I didn't realize that the SIM card I had wasn't mine for quite some time.
Fortunately they did the equivalent of an identity theft smash-and-grab. It
was relatively easy to identify and reverse, and they didn't compromise any
tech 2FA services.

Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM
card and not a "high enough value item" to warrant investigation.

tldr: Don't let anyone ever touch your SIM cards.

~~~
zyx321
How did they get your 4-digit PIN? Don't you have to enter it on every reboot?

~~~
sdinsn
Phones' PINs aren't connected to SIMs. I have to enter my PIN on reboot, even
if I removed my SIM. Putting the SIM in a phone without a PIN results in
nothing being required.

Edit: Thanks for correcting me- I guess my SIM does not have a PIN.

~~~
r1ch
SIM cards themselves can have a PIN attached to them too, usually with a
lockout after 3 unsuccessful attempts. The card is supposed to be secure
against tampering, but since it's running an OS which receives very little
scrutiny and runs lots of legacy tech, there are likely all kinds of exploits
to reset / root the SIM and bypass any PIN protection. It's still useful
against casual theft though.

~~~
zyx321
While there have been a few very scary hacks that could compromise a
currently-unlocked-and-running SIM, I don't think there is anything you can do
to a powered-down SIM without the PIN.

------
crazygringo
> _We pay for Google Drive, Google Fi, and Google Play Movies so I was hoping
> there would be some level of customer service for paying customers. There
> are no phone numbers available for customers who pay for services or those
> who only use free services._

I pay for Drive (now part of Google One) and they advertise free phone support
with it. I've never used it, and it turns out it's not a phone number _you_
can call, but rather you request a call from _them_:

[https://support.google.com/googleone/contact/googleone_c2c?h...](https://support.google.com/googleone/contact/googleone_c2c?hl=en)

So there _is_ a level of support for paying customers... at least in theory. I
haven't heard of anyone's experiences with it in practice, however.

Curious if anyone here has tried Google One support, and whether their reps
have the ability to escalate issues, the way G Suite reps can?

------
ChuckMcM
Back before phones we had things like fire safes that would hold your
"precious memories" so when your house burned down you wouldn't lose them.
That is so much harder to do these days.

One of the things I do is periodically spool off ephemeral data to BD-R's
(write once Blu-Ray disks). At 25GB a pop they aren't super dense but I don't
actually generate more 'new' data than that in a given month. It was something
I do because when I started in this business I made backups because crappy
disk drives would lose data. But these days you can get crypto ransomed and
poof all that data unavailable?

There is no doubt a market for some new 'best practices' for data security.
Perhaps No Starch Press will get someone to collect those ideas into a book.

------
dev_dull
> _It turns out that the 2FA with text messaging sent to a cell phone may be
> useless when hackers steal your SIM right out from under you._

The most annoying part about this is that Twitter demands your phone number.
You can't use another method for 2FA, such as U2F or OTP. I assume it's not at
all because they want to authorize you or keep your account safe, but rather
because they want to be able to identify you. Users lose both privacy and
security.

Just to clarify, you can use U2F to login, but you can’t _only_ use U2F.
Eventually you’ll be locked out of your account (after logging in) and forced
to provide a valid number.

~~~
throw0101a
> _You can't use another method [with Twitter] for 2FA, such as U2F or OTP._

Are you sure?

* [https://www.yubico.com/works-with-yubikey/catalog/twitter/](https://www.yubico.com/works-with-yubikey/catalog/twitter/)

~~~
dylz
They still ban your account without a valid non-VOIP phone.

------
tzs
> While I had a PIN associated with my SIM, I still do not know how the thief
> was able to get past this the first time, I changed this PIN on the call.

If he's really talking about the SIM PIN, I don't think having one helps
against this kind of attack. The SIM PIN is to prevent people in possession of
your physical SIM from using your cellular account for voice or data.

What you need with T-Mobile is a separate PIN that is required for porting out
your number [1]. You set this PIN up by calling support.

[1]
[https://www.t-mobile.com/customers/secure](https://www.t-mobile.com/customers/secure)

~~~
everybodyknows
This T-Mobile doc has more on the 6-15 digit "PIN/passcode":

    https://support.t-mobile.com/docs/DOC-37477

Note that it can be set up via the T-Mobile web site, alternative to the phone
support line.

------
TheChaplain
In many Asian countries they recycle telephone numbers quite frequently, some
providers as often as 3 months.

Perhaps it would be interesting to get a few pre-paid SIM cards and see if
there are any Google accounts connected to them?

------
gambiting
If you haven't yet, remove your telephone number as a recovery option for your
Gmail account. And also, why can't US fix the shit that is transferring SIM
cards? In the UK you can request a SIM transfer code but it takes at least a
few days - there's plenty of time to catch it and stop it before someone
transfers your SIM. Why can't American operators do the same? Just say "you
have received your request, please wait 7 days for it to be processed" - why
does it have to be instant?

~~~
renaudg
There's no such thing as a "SIM transfer code" in the UK. SIM swap scams are a
thing here too:
[https://www.bbc.co.uk/news/business-46047714](https://www.bbc.co.uk/news/business-46047714)

~~~
gambiting
? Of course there is - it's called a PAC code, and it takes at least 1 working
day with the fastest operators, in the meantime you get notified that it's
happening.

~~~
renaudg
No, you're confused. A PAC code is used when switching carriers, it has
nothing to do with the scam described here where an attacker contacts your
carrier and claims "I lost my SIM". Activating a replacement SIM can happen in
minutes (and that's a good thing: would you want to wait 7 days to get
service again?) The only thing that seems different from the US is that I
don't think everything can be done over the phone here: you need to go
physically into a shop and (hopefully) show ID.

------
kburman
In India to port a SIM you have to first send an SMS and would receive a
verification number which is valid for a month or something.

~~~
sofaofthedamned
Which is the problem...

------
fheld
Is there some mobile provider that has a way higher standard of security?
Something like "Cloudflare for SIM"

~~~
iNate2000
I noticed that the author assumed he couldn't call 611 and took how long to
contact via alternate phones.

I'm pretty sure 611 works without a SIM card.

~~~
maxerickson
How would the phone know which network to 611?

~~~
Rychard
I would expect it to work for a carrier-branded device even with no SIM card,
unless the device has been flashed with a stock firmware from the OEM.

For a non-carrier-branded device though, perhaps the presence of a SIM card is
required.

------
clmul
> This included tax returns, account passwords for my wife in case I died,
> personal documents and spreadsheets, and just about everything I had paper
> copies of at home.

This is why you should never store passwords on your computer / cloud in plain
text.

> Given that I had 2FA enabled for my bank account and the bank account info
> on Google Drive, it was just a matter of time before the thief started
> stealing my money.

Is it common in the United States to allow online banking without any physical
second factor? My bank requires me to use some kind of device similar to
[https://en.wikipedia.org/wiki/Chip_Authentication_Program](https://en.wikipedia.org/wiki/Chip_Authentication_Program)
with my card and code to login or execute transactions. I think most other
banks in my country require something similar.

~~~
kmlx
My UK bank ties their app to my phone using an off band code I receive from a
person after calling their contact number. If I reinstall my OS I need to call
them to receive another code.

------
jimnotgym
By all means use hosted email, but if you want to stop this happening to you
make sure you register your own domain! At least then you can open a new mail
account and move the domain to this. That way you can make sure you can
recover your other accounts...as long as you don't lose your DNS of course!

------
jwr
Companies should never require SMS as a 2nd factor. It isn't secure. Let's
call out names:

* Twitter requires you to enable cell-phone based 2nd factor before they let you enable any other 2nd factor. Luckily in my case their buggy software determined that my cell phone number is "incorrect", so I was never able to.

* Twilio (the authors of Authy!) let you use TOTP codes from Authy in addition to SMS-based 2FA. There is no way to disable the SMS authentication, so your account is never secure.

* Many banks assume that SMS is a secure channel, which it isn't, and force its use as 2FA.

This should get more publicity and companies should be called out on forcing
people to use SMS as a 2nd factor. There are many reasons why this is a bad
idea, and the story described in the article is just one of many possible
attacks.

~~~
013a
It's because all of these companies are cheap and don't want to deal with the
customer support cost of people who lose a virtual/physical MFA device.
Instead, they treat virtual/physical MFA like a convenience feature that their
customers keep whining about. But, if you've got that SMS on backup, then who
cares if you lose the MFA; just use your phone, security be damned.

1Password is also guilty of this in a different way: They won't let you
register a U2F physical security key unless you also have a virtual security
key on the account.

This is ridiculously simple. I'll spell it out:

1) Offer Virtual, U2F, and SMS-based multi-factor authentication. SMS is still
useful for convenience on platforms which pose less of a security risk to your
digital life.

2) Don't gatekeep methods of multi-factor authentication behind others.

3) Allow multiple devices for each method of multi-factor authentication,
especially physical U2F keys.

4) Offer backup codes.

5) Offer an Enhanced Lockdown option, whereby customer support account
recovery is irrevocably impossible in the event of lost multi-factor.

------
catacombs
This is a good reminder to never entrust Google with sensitive financial
records and documents. Sure, the cloud service is a convenience, but, if a
hacker accesses your account, it doesn't take much to download copies of those
documents and use them against you.

------
LorenPechtel
I strongly suspect the problem will continue until someone gets a nice, fat
judgement against a telco over SIM swap damage. As it stands now they lose
very little when it happens, why should they make their systems secure?

------
runjake
It’s probably a good time to remind people complaining that there is no Google
support to call:

You are not their customer. You are their product.

This is quite literally true. They only have to care for us cattle enough to
keep us as good products.

------
gnicholas
> _I have countless PR folks, friends, family, and others who are in my long
> Gmail history and am currently unable to access any of that information_

I have all this in my gmail also, but my mail downloads to my computer (I use
Mail on my Mac). My Mail application data in turn backs up to a few backup
drives, so I have this data in several places.

Do people use gmail without having a copy stored anywhere else? I totally get
that this guy has been screwed many different ways, including by Google, but
it seems unwise to not have a backup copy of your mail anywhere.

------
Bucephalus355
Recently I discovered that Facebook has a policy that no one with pending
misdemeanors can be hired if they are just a contractor. We recently had to
turn away a 23 year old combat veteran who had deployed to Afghanistan because
he had a _pending_ Class C misdemeanor. That’s a max fine of $50 for the state
this was in. All for a $16.50 an hour job.

The amount of indifference to suffering by people in the corporate world today
has gotten...I am not even sure what the word is.

~~~
baud147258
Are you sure you are commenting in the right thread?

~~~
Rychard
The article did mention that their Facebook account was the only one that
wasn't compromised.

> Through all of these hacks, it was interesting to find that Facebook was the
> one reliable and secure service under my control.

Perhaps their comment was attempting to provide some anecdotal data in an
effort to explain why the author's Facebook account remained secure.

Though I agree with you in the sense that it's far more likely that they
simply commented on the wrong article. :)

------
tomc1985
The lack of customer support provided by tech companies today is pathetic.
Combine this with Google's decreasing effectiveness in looking up solutions to
technical problems and we get this :(

I have a really odd, obscure problem with SMB and Windows 10 and would really
like to just call up a Microsoft tech support hotline like they used to have,
except they don't even offer a paid service for that any more to consumers.
Got a problem with Windows? Get fucked!

------
throw7
Don't use an sms/voice phone number as part of your 2-step verification in
Google.

In the past, I did use a Verizon landline phone number as Verizon had the
ability to "lock/freeze" that number from any outside changes, but I got rid
of my landline a while ago.

Also, print out some backup codes and stick it in your wallet.

I have no idea what month and year I created my google account, and google
doesn't seem to make that info available to you in a simple manner.

~~~
module0000
> Also, print out some backup codes and stick it in your wallet.

The idea of backup codes is good. Putting them in your wallet reduces your
security though. Depending on the value of your accounts, you give a
(physical) attacker everything he or she needs to compromise you.

If you are going to keep these things on your person, consider protecting them
with a hand-written cipher. Example:
[https://www.schneier.com/academic/solitaire/](https://www.schneier.com/academic/solitaire/)

------
doodpants
>If anyone has tips on how I might get my Google and Twitter accounts back, I
would greatly appreciate the feedback.

I know of one approach that might get results, but he's already done it:
publicly shame them in an article. It's the only way to get results from these
algorithm-driven companies that lack anything resembling an actual customer
service department.

------
spookyuser
A good mitigation, including getting a password manager, might be to add a sync
passphrase to Chrome, right?

[https://support.google.com/chrome/answer/165139?visit_id=636...](https://support.google.com/chrome/answer/165139?visit_id=636963843940305641-634482703&rd=1)

------
rb808
And this is a tech journalist who has friends at Google. The average guy on
the street is %%%%'d in this new world.

------
e40
Google Takeout is your friend. I download all my drive, calendar, email, etc
once a month. (Not photos, since I have those already.)

It pays to be skeptical with your data. 3 copies: 2 local, one offsite. If your
only copy is offsite in the control of someone else... that's a terrible
decision.

------
eeeeeeeeeeeee
Anyone know if Google Voice numbers have more protection from the SIM attack?
I would assume that those numbers are hard to port out anywhere given their
usage, right? Are mobile numbers part of a separate pool of numbers with
different rules on porting?

------
tobiasbischoff
I will never understand how someone can have all his digital life in one
single place... I mean, mail, email, passwords to all other sites, scanned
documents - all in Google? That is asking for trouble. Also, 2FA via text
makes your account less safe, if anything.

------
everybodyknows
> ... enable a requirement that my SIM could not be changed unless someone
> went into the store with at least one means of physical identification ...

Anyone have experience with this, or heard reports of attacks by means of
forged physical ID?

~~~
miles
How to Fight Mobile Number Port-out Scams
[https://krebsonsecurity.com/2018/02/how-to-fight-mobile-numb...](https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/)

"_T-Mobile suggests adding its port validation feature to all accounts. To do
this, call 611 from your T-Mobile phone or dial 1-800-937-8997 from any phone.
The T-Mobile customer care representative will ask you to create a
6-to-15-digit passcode that will be added to your account._"

~~~
perl4ever
And then I forget/lose my 15 digit passcode, then what? Either there is a
retrieval method that makes the whole thing irrelevant, or else I've replaced
one catastrophe with another to no purpose.

------
jeandejean
Feels like a real pain and the author has genuine honesty that I appreciate.
But that's also why I don't ever use Chrome to store my passwords! Why on
earth would you do that??

------
wooptoo
Google now allows the removal of SMS and Voicemail based 2FA if you have a
hardware token configured. Good news is you can now use your Android phone as
a hardware token.

------
toss1
Google Authenticator is a huge question.

While there is apparently a desktop interface, if someone gets access to my
phone, they have the live access codes right there. When the SIM is stolen,
can the authenticator also be accessed with the new location of that identity?

The process for moving Authenticator involves receiving a six digit Google
code on your phone -- which was just effectively stolen with the SIM...

While Google may have built in protections, they are not obvious at this point
to me, a casual user of Google Authenticator.

Does anyone have any more information to keep this more secure?

~~~
r1ch
Last time I switched phones I had to set up GA from scratch, re-scanning the
seeds on every account. The initial SMS code was just to attach an
authenticator to a new device. Someone compromising your phone number
shouldn't be able to get access to your codes, they would need the physical
device.

Also note that there is no official desktop client, anything that claims to be
is 3rd party and wouldn't be connected to your current codes.

------
fastball
I don't understand how the attacker got access to his Google account just from
his phone number? Was his password "password"?

~~~
iwasakabukiman
You can just say you forgot your password and they’ll send you a text message
with a code to reset the password if you’ve registered a number with that
account.

~~~
fastball
Oh yeah, that's a terrible security practice.

------
segmondy
Something that's very concerning about these stories is that it seems to
happen more with T-Mobile than other carriers.

------
jonnismash
As a tech-reviewer I'd assume OP to be more tech-savvy than your average
shmoe, yet they kept ALL (literally all) financial and generally sensitive
information in a central location that is easily breached (G-drive) and to top it
off used 2FA through SMS for many of their services. If anything this article
only discredits the author of any common sense in the tech-space.

------
Animats
Someone should start a blog at "googlevictims.com". The domain is available.

------
_def
Moving your irreproducible data into cloud storage is everything but a backup.

------
yalogin
Why do companies still use phone numbers for 2FA? This should be an automatic
design decision to not use the phone number for anything outside of initial
account set up. All the banks use it.

------
DonCarlitos
Google NEVER helps - with anything.

------
doubt_me
Since becoming aware of my own problems with google (they truly could care
less about their users data) and reading stories about previous incidents of
swapping SIM cards.

My solution to all of it is literally just 2 emails. Both 2fa. Recovery exists
but the numbers and emails are unknown to the world beyond Google or m$
servers. And those don't get used to register anything ever. I park my
recoveries then use my main email as my most public one. Everything else is
registered and recoverable on the second email that also isn't publicly known
unless one of the services I'm attached to gets their data leaked etc etc
etc....so even if they did successfully swap my SIM they can't get anything
else.

T-Mobile got hacked a few months back and around the same time my personal
debit card that stayed in my wallet the whole time and I don't ever use in
public literally for that reason. Got charged. They tried to empty it all. I
pressed and pressed the only thing they could do for me was ask for a specific
code. Verbal 2fa. I think if I remember correctly none of the data showed up
publicly anywhere yet not sure about the specific incident I just thought the
timing was weird.

If that's the best security T-Mobile has and that's all their customer support
has to offer us. They have failed as a company in my eyes. And it will only
get worse not better as more middle managers get their cut of the security
upgrades that they will partially and incorrectly implement.

Of course they won't lift a finger, you're not a Kardashian

~~~
OJFord
_couldn't_ care less

