Hackers Are Hijacking Phone Numbers and Breaking into Email, Bank Accounts (forbes.com)
650 points by CarolineW on June 11, 2017 | 362 comments

This happened to me.

1. I believe it began with the hacker getting my DOB/SSN.
2. The hacker called my wireless provider and forwarded all calls and texts to a burn phone. Eventually, the hacker ported my wireless number to another provider/number (not sure which), and the phone registered with my provider did not work anymore. The landline phone was also forwarding calls to another number.*
3. The hacker gained access to my email (as that email was also within the telco's site). At the beginning, the hacker did not reset the password. After I changed the email's password, the hacker was still gaining access to our emails and eventually reset the email password, blocking my access (the reason was that all the texts and calls were forwarding to his/her burn phone, so he/she could reset the password at any time).
5. Requested 2FA from the bank.
6. Gained access to the bank account.

This was over the course of 3 months. It was a nightmare to resolve, and the paranoia still remained. The hacker later went on to open several bank accounts. Fortunately, this was discovered early. The entire situation was communicated to the FBI, local police, and bank institutions, but I do not think anyone cared.

*I saw two numbers that were being used within my wireless account site to forward the calls.

> The entire situation was communicated to the FBI, local police, and bank institutions, but I do not think anyone cared.

Why would they care? It happens dozens of times a day, and the criminals are out of their jurisdiction.

If only the police, FBI, politicians, etc. could go after the banks and telcos to improve their security. But no... they see it as their job to destroy security, in order to make you "safe".

Did you file a report with the FBI? I was once scammed on eBay for a laptop worth $1200 around 2002. The local police did not get involved, so I went to the FBI website and filed a report. I thought nothing was going to happen. They eventually caught the guy and I got my payments in installments (restitution) over several years.

They won't go after an attacker if there's not a high amount of damage, like $250K or more. FBI guys are swamped with people calling, and there's just not enough agent time to go around. Same for bank fraud. Ever wonder how people get away with popping someone's bank account, transferring to another local account, and walking off with the cash? For a couple grand, no one's gonna spend the time and effort to track you down.

Liability for data breaches limited to companies over X size would be a good idea though.

Maybe we should increase the number of agents investigating this stuff, then? Fraud affects many more people than terrorism, but nobody gives the "there's just not enough agents" excuse for that.

Also, only investigating fraud when there's lots of money involved means we're only helping rich people, who need the least help. Losing less money doesn't mean less impact on someone's life if that's all they have.

Because people are more terrified about a random bomb hitting a random place once in a while than about their accounts getting hacked and then finding themselves in big trouble?

It takes a lot of work by the military-media-industrial complex to keep people that terrified about such a stupid ginned-up threat.

And yet then you see things like this [1], where the 4 year old case of a very minor eBay scammer is personally prosecuted by a state Attorney General. I guess it depends on who has time to kill. These two guys are looking at decades in prison for a scam that looks to have netted about $3K.

[1] http://ag.nv.gov/News/PR/2017/Attorney_General_Laxalt_Announ...

Why do you think he personally prosecuted it? His name's on the complaint, but it's on all the complaints referenced in their press releases. The press release says the case "was investigated and is being prosecuted by the Attorney General’s Fraud Unit".

Which is interesting because it should be the other way around. If you have $250k stolen, it is bad, but you are probably wealthy enough that you won't get into deep trouble or stress.

If your whole account is $2k it might be a different world for you, and you might be relying on it to pay rent or medical expenses, which is more serious than an investor not having access to his $250k.

Not meaning it is fine to steal $250k from wealthy people, but that poor people being affected (at $2k) is more urgent from a humanitarian perspective.

>> If you have $250k stolen, it is bad, but you are probably wealthy enough that you won't get into deep trouble or stress.

Or it might be your entire life's savings and if you can't get it back you kill yourself from the stress of losing 40+ years of work. It's very dangerous to make assumptions about other people's money.

Do you usually have your life savings in a checking account and not in an IRA account? Shouldn't that raise more red flags for the bank?

I'm not saying that investigating the $250k is not important; but just not more urgent than the $2k theft.

I have all my life savings in a checking account. So in my case if I got hacked and my money from that account stolen I would be in big trouble and have suicidal thoughts very likely.

>>I'm not saying that investigating the $250k is not important; but just not more urgent than the $2k theft.

Absolutely not. Ignore the case when this 250k was your entire life savings (30-40 years of saving remainder of your salary every month and slowly building savings for retirement).

It could be mortgage money which you are about to buy a house with, or it could be company money for payroll. Suddenly employees of a small business don't get paid. Those employees of course have to pay mortgage/rent/medical bills, and suddenly the paycheck they counted on doesn't come. This could affect many people in very negative ways.

I think $250k stolen should definitely get priority to be investigated by agents over $2k stolen, as it is more likely to mess up the lives of many people in a bad way.

Interesting. When two crimes both take similar effort to commit, and similar effort to investigate, I'm not sure if the higher dollar amount should be de facto prioritized.

I am going away from SMS-based 2FA where I can. For services where it is used, anyone have opinions on using 2FA via SMS to a VoIP number with a provider who has better account security/authentication tools than most telcos (e.g. Google, etc.)?

The argument for giving more priority to higher amounts is that since criminals are stealing the money, they can commit more crime with more money (in simple terms, you can buy more drugs/guns with 250k than with 2k).

"I'm not sure if the higher dollar amount should be de facto prioritized."

Why not? Higher net worth equates to higher taxes paid - the 250k victim has been paying the investigators a more substantial sum, and should receive a more substantial response from them. "Size matters" sums it up to me.

That's not how modern Western societies work. Plutocracy has been tried, and found to be devastating for society, human dignity, and the human condition in general, not to talk about the rampant corruption it invites.

> "That's not how modern Western societies work."

Are you sure? Maybe you believe they shouldn't work that way, but do you believe they truly are blind to the net worth of the offended party?

No, they are not. But ideally the advantage the 'richer' party has in influencing the investigators/judiciary to put forth more effort on their behalf is not written policy; it is corruption/cronyism. Should we create policy that prioritizes investigating the theft of a $100,000 automobile with more resources and severity than the theft of a $20,000 one, simply because the value is larger, or weight the effort based on the tax contribution of the victim? I would say absolutely not.

I guess the theft of a more expensive car should be investigated with higher priority because selling it gives criminals more money to work with and leads to more severe crime. A group that can steal and sell a Lamborghini likely runs a much larger and more organized operation than a group which steals and sells old cheap cars.

This is all guessing though, I'd love to see more data on it.

This assumes a linear margin on units of stolen cars to value. Smaller ticket items are easier to fence specifically because they are common. It's hard to sell the Mona Lisa. It's easy to sell a mass-produced TV. Cops would spot a stolen Lamborghini as soon as the APB comes in. Not so much for a Toyota Camry.

Yeah, and that's why I said that a group that can actually steal and sell a Lamborghini successfully should be investigated with more resources, since you are more likely to find a well organised criminal organisation behind it; if they can shift Lamborghinis they can probably shift drugs and guns too.

I remember reading somewhere the top car make/model stolen was the Honda Civic.

No doubt. High resale + common item = higher portion of thefts, I would expect.

We disagree then, I think they absolutely should prioritize that because of the tax contribution of the victim. If I pay someone $1000 for a job, and you pay the same person $100 for an opposing job - you should lose. That's only my capitalist opinion, but I don't think it's an unpopular one.

Probably disagree on some aspects, and I may not have chosen the best example, or clarified my position enough. In a situation where two parties are voluntarily engaging in competition (for a job applicant), the party who offers more value usually does win, and I think that's appropriate. And I support allocating resources to fight crime based upon the effect of the crime's proceeds in supporting or leading to further crime. In mandatory participation systems like public civil services I am for at least a baseline allocation of resources not directly correlated to the financial input of the particular recipient.

I was using Google Voice for this for a while, but if you are worried that someone may have access to your computer / email, then they may effectively have access to your Google Voice as well. voice.google.com

Taking money out of an IRA into your checking account is usually two clicks with my bank. I'd get a warning about losing interest if I take the money out, but I can do it anyway and the money is available instantly. For all intents and purposes it might just as well be in a checking account, and it certainly won't make any difference to an attacker who got into my account.

>>I'm not saying that investigating the $250k is not important; but just not more urgent than the $2k theft.

I'd argue that it's a lot more urgent. What if you were paying for a house tomorrow, and the money is gone, so you lose the house? Or you are a small company that has to pay its tax bill for the year, but the money is gone? Or you have to pay for an expensive operation that won't go forward otherwise?

2k is not as important in the sense that if you are really short of 2k, there is a plethora of options to come up with 2k on short notice (some astonishingly bad, like payday loans, but there are options), while if you are out of 250k and need 250k then most likely you are absolutely screwed.

Again, to repeat my final point - don't make assumptions about people's money.

> Why would they care?

Because it is their job.

>criminals are out of their jurisdiction

We are in dire need of specific cyber security public divisions that people can go to. The FBI, I believe, has many problems to deal with, and as far as I know there isn't any cyber-police division capable at the city/state level.

At least nothing capable of handling incidents like the one mentioned above. The debate of whose job it is can get hairy. Especially in a future where the internet is becoming more pervasive, there can be more damage.

The FBI claims jurisdiction over crimes committed by foreign nationals against Americans. It's just hard to investigate and arrest individuals who aren't on US soil, but not absolutely impossible. They arrested a Russian ID thief a while back, but they had to lure him out of Russia to do so, as the Russian authorities didn't cooperate.

I don't mean to sound flippant but they don't care. It is their 'job', but they don't care.

There is a direct correlation between security and fraud-related interest/insurance in regards to the cost of use and exposure to fraud.

They aren't out to "destroy" your security; it's a liability threshold calculation. At the end of the day, secure yourself in life. This includes choosing banks that are more stringent based on your needs and what you want to pay.

The real answer is to not use SMS as a 2FA. That was never ever a good idea.

What is better? Authenticator apps/hardware devices?

Most Dutch banks (except for ING, which does still use SMS) use hardware devices that use the chip on your debit card to authenticate. You unlock the chip with your PIN, enter the challenge code supplied by the banking website for the transaction, and the device shows you a one time code you enter in the banking website. This is a decade old technology that works rather well.

Same in Ireland. In France I've also seen a combination of SMS and pre-shared secret (SMS asking for a code from a grid printed in a small card you can store in your wallet).

Authenticators are fine, but U2F keys are better because they protect against phishing.
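
The phishing resistance that separates a U2F key from an authenticator app, shown as an added example (not code from this thread or from any vendor): an RFC 6238 TOTP code carries nothing about the site it is typed into, so a relay proxy at a look-alike domain can forward it to the real site, whereas a U2F-style assertion is signed over the browser-supplied origin and the exact challenge, so a relayed assertion fails verification. The origins, challenge and timestamp are constructed, and the signed data omits U2F's user-presence byte and counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// totpCode computes an RFC 6238 code (SHA-1, 30 s step, 6 digits), the scheme
// Google Authenticator implements. Nothing in the input names the site the user
// is typing the code into, so a phishing page can simply relay it to the real one.
func totpCode(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// clientData mirrors U2F's ClientData: the browser, not the web page, fills in
// the origin it is actually connected to, and the security key signs over it.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedDigest is what the key signs: SHA-256(appID) || SHA-256(clientData).
// Real U2F also covers a user-presence byte and a counter; omitted here.
func signedDigest(appID string, cd []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cdh := sha256.Sum256(cd)
	d := sha256.Sum256(append(app[:], cdh[:]...))
	return d[:]
}

// u2fSign models the security key answering a challenge; it returns the
// clientData it signed and the ECDSA P-256 signature over signedDigest.
func u2fSign(key *ecdsa.PrivateKey, appID, browserOrigin, challenge string) ([]byte, []byte, error) {
	cd, err := json.Marshal(clientData{"navigator.id.getAssertion", challenge, browserOrigin})
	if err != nil {
		return nil, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(appID, cd))
	return cd, sig, err
}

// verifyAssertion models the relying party: it accepts only a signed clientData
// that names its own origin and carries the exact challenge it issued.
func verifyAssertion(pub *ecdsa.PublicKey, appID, rpOrigin, challenge string, cd, sig []byte) bool {
	var parsed clientData
	if json.Unmarshal(cd, &parsed) != nil || parsed.Origin != rpOrigin || parsed.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(appID, cd), sig)
}

// relayDemo plays the phishing scenario once per factor: a proxy at a constructed
// look-alike origin forwards whatever the victim produces to the real site.
func relayDemo() (totpAccepted, u2fAccepted bool, err error) {
	const realOrigin, phishOrigin = "https://bank.example", "https://bank-example.net" // constructed
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	now := int64(1234567890)                 // constructed timestamp
	// TOTP: the victim types the code into the phishing page, which forwards it;
	// the real site has no way to tell where it was typed.
	relayed := totpCode(secret, now)
	totpAccepted = relayed == totpCode(secret, now)
	// U2F: the proxy relays a genuine challenge, but the victim's browser stamps
	// the phishing origin into clientData before the key signs it.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	challenge := "ch4ll3nge-from-real-site" // constructed
	cd, sig, err := u2fSign(key, realOrigin, phishOrigin, challenge)
	if err != nil {
		return
	}
	u2fAccepted = verifyAssertion(&key.PublicKey, realOrigin, realOrigin, challenge, cd, sig)
	return
}

func main() {
	t, u, err := relayDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("relayed TOTP accepted: %v\nrelayed U2F assertion accepted: %v\n", t, u)
}
```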

Not to mention you lose your Authenticator if you upgrade/lose/break your phone, but U2F keys are (practically) forever.

    adb backup com.google.android.apps.authenticator2
All the codes are stored in the sqlite3 database, which you can open with standard command line tools.

There are also more user-friendly backup apps such as Helium, but adb works quite nicely.

Last I checked, adb backup doesn't backup the secrets. Has that changed?

I don't know but I've been using this technique for a year or two now with great success. The Google authenticator just stores its secrets in the salute db every app gets.

Autocorrect kicked in there... sqlite* (it is absurdly difficult to put an asterisk at the end of a message on HN. it seems to require a trailing whitespace[1] for it to show up, however the input is trimmed, so...)

[1] https://news.ycombinator.com/formatdoc

Have you tried a restore on a factory-reset device?

I have not, but I have extracted the backup with https://sourceforge.net/projects/adbextractor/ and inspected the contents, visually confirming the secrets are there. Even if a restore doesn't work, I can re-enter them manually from the information in the sqlite database. However I fully expect a restore to work.

That's exactly why I copy and save every 2FA QR code in my KeePass database, along with backup codes. Phone changed? No worries, install Google Auth, rescan those QRs, and voila, your 2FA system is back up and running!! :)

Most 2FA services that allow authenticators offer recovery codes. I keep the recovery code saved in my password manager, and if I ever lost my phone I use that to log into the site and then get a new QR code.

Yes, that's also a way, but why not save the QR code the first time you see it, instead of losing it, resetting with the recovery code, and then getting a new one again? Recovery codes are fine, and should be kept safe and such, but the original QR code can also be saved and screenshotted. That way, phone lost? Open the database, load the QR code, scan it on the new phone.

Authy allows multiple devices (and encrypted backups) - that ensures fairly good security (if good password is chosen) and availability, doesn't it?

What is a good U2F key you'd recommend?

I have used Yubico's U2F key since shortly after they came out (Nov 2014). They are very robust and relatively cheap. Moreover, in contrast to some cheaper keys, they require physical confirmation by a finger press.

Feitian NFC-compatible is nice because you can set up your Google Account on an Android phone with it: https://www.amazon.com/gp/aw/d/B01M1R5LRD/

If you're into cryptocurrency, the Trezor will also act as a U2F device.

"What is better? Authenticator apps/hardware devices?"

Mobile signature (SIM-based)(0) is the most secure method as far as I've seen in banks. Citing wiki: "supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital signature enabled SIM card is the most secure method today against the man in the middle attack."

0. https://en.wikipedia.org/wiki/Mobile_signature

Which banks should you choose? How do you decide?

The ACH model is fundamentally insecure: anyone who knows your account number can pull money from it, and the protocol makes no allowance for the bank to check with you first. I don't think choice of bank matters very much.

You can manage your risk somewhat by:

1) Using credit and not debit cards for day to day spending.

2) Maintaining your long term wealth in separate accounts at separate institutions and not linking them directly to anything except your checking account. This minimizes what can be stolen if your checking account is compromised, and makes it less likely that your savings can be stolen directly (account number is used in fewer places).

3) Turning on all the alerting and notification settings you can find, so that you'll hear about unauthorized activity immediately.

I read somewhere that companies that do a lot of ACH payments use different accounts for receiving and sending payments. The receiving account is locked so that it can't send and the sending account is supposed to stay secret. I don't know if that actually works in practice, though.

If you give someone a paper check you are giving them your account number in plain text. I don't see how they can make that "secret."

ACH transfers, not paper checks.

Yeah but for 90%+ of transactions, if you are being paid by a company, you can almost always request a paper check instead of an ACH transfer (sometimes with a fee). In that case they either have yet another account for check writing (which won't be "secret") or they give away their "secret" ACH account.

I'm not proposing this as the solution to fix the extremely outdated ACH/check system, just relaying what I read about what some companies do.

Why do they keep that system? In most of Europe you have a "normal" banking system where you can give everyone your account number, and the worst thing they can do is put some money there.

In US it seems #freemarket is putting externalities (security) on the customer.

ACH is a service of the Federal Reserve, actually.

It also provides wire transfers, which are a little more secure because they're push only, but also less secure because they're instantaneous and irreversible. All banks charge at least ~$15 per transaction and they're really only used for high value, time sensitive deals.

Jeremy Clarkson made a similar argument and even published his bank details. Then this happened: http://news.bbc.co.uk/1/hi/7174760.stm

For SEPA (Single European Payment Area) direct debits, you have 8 weeks to get a full and immediate refund. I'd assume that holds for the UK as well.

Many companies (and individuals) in Europe publish their account numbers on their letter head and website, it really isn't a big deal.

Anything else seems security by obscurity.

For SEPA-DD, 8 weeks is for no questions asked refund; in general for non-authorised payments you have 13 months to request a refund, but if it's 8+ weeks they can verify the lack of direct debit mandate before hand - but it seems to be the policy of most banks that they'll refund anyway immediately and let the merchant handle the problems.

So what? Someone set up a direct debit, he can just cancel it and get the money back. Of course it will take a bit (a few seconds with online banking nowadays) but you wouldn't lose any money. There's no way someone can get money from a UK bank account by just knowing the account number, assuming that you check your account regularly.

Not sure about the UK, but in Poland direct debit is something you need to manually enable and pay a small fee for.

And even if you enable it someone needs to forge your signature under direct debit order to allow someone to charge you.

So still no.

Überweisung isn't really that secure.

I had somebody buying products on Amazon using my company's IBAN numbers. Amazon were super frustrating to deal with. They kept asking for my amazon account details and I kept explaining that the company doesn't have an amazon account. They didn't know how to proceed ! But in the end they did reverse the charge.

My girlfriend had somebody buying groceries using her numbers. They just wrote the numbers in and signed the sheet of paper at the store. The store refused to take responsibility for doing this without ID-ing the person. The police were more understanding.

it seems #freemarket is putting externalities (security) on the customer.

More like corporatist government regulations are putting the burden on the customer.

My CEO went to a local large bank and demanded as a condition of his business with them that they have an out-of-band communication (a phone call or SMS or whatever) with him before any outbound wire transaction can be attempted. They rejected his condition because they interpreted it as both (1) added liability due to all of the customers that could potentially claim they should have been similarly protected and (2) too much effort/cost/resources/whatever.

I don't deny that there are _corporatist government regulations_ (which largely prevent the best qualified engineers/entrepreneurs from wanting to tackle the consumer fintech problems), but banks are dragging their feet and the #freemarket hasn't developed a viable alternative yet.

The business model of all fintech is to ensure straight-through processing for as close to 100% of transactions as possible; if you have slightly more manual processing than competitors, then you can't be competitive price-wise.

A requirement "out-of-band communication [..] before any outbound wire transaction can be attempted" easily turns the processing cost (not price) from $0.02 to $20+ per transaction, a thousandfold increase, and that's assuming that this'd be offered as standard product and not a special case for a single customer.

If it's not made as a standard product, then it's really painful. It would mean that either the whole staff & systems would have to be trained for that customer's needs (not likely unless you're bringing 10+% of the whole bank's revenue), or the customer wouldn't be able to use any standard banking channels ever: not the normal branches, not the normal online services, not the normal call centres, only directly through your private bankers.

I never experienced this directly, but when Chip'n'Pin first came out, wasn't it the case that some European banks held customers responsible when it got hacked? The theory was apparently that it was "impossible" to hack Chip'n'Pin so something must have been the customer's fault...

Isn't it still impossible? You can only hack it if you can guess the PIN or in cases where the victim wrote it on the card. The latter happens quite often and this is where banks sometimes refuse to pay.

If you keep your PIN secret it's a very secure system (unless the attacker is very lucky).

No, this is a case where hard to change regulations are preventing progress.

I would refine that question: does anybody know of a competent rater that evaluates and rates banks based on security?

Security always sucks. The differentiation is response. That usually means a small regional bank or midsize credit union.

If you have enough dollars, a private bank type thing works too.

> 1. I believe it began with the hacker getting DOB/SSN

We [the US] dramatically over-rely on SSN. At least one upside to ubiquitous biometrics will be that we can start layering more authentication measures in an effective and consumer friendly way.

Relying on it is not the problem. Treating it (or "date of birth" or "mother's maiden name") as a secret for use in authentication is a big problem. These things are not secret, and having me say mine does not prove that you're talking to me.

In my (shared) office, everyone knew each other's last 4 SSN digits, because whenever on the phone to some random customer service rep, we had to give them to "authenticate".

> Relying on it is not the problem. Treating it (or "date of birth" or "mother's maiden name") as a secret for use in authentication is a big problem.

I honestly don't see how you didn't just restate what I said with different language, while simultaneously saying you disagree with me.

Either way, I agree, and don't really think this is worth a cyber-argument so not sure if I should even be responding. Oh well.

It would be just fine to rely on SSN as an identifier, even to a much larger scale as USA does now, if only it would be clearly assumed that this number isn't secret.

It seems this was a popular hack at one time. I hope this no longer happens. Anyway it's great that you were able to "shake it off", so to speak.

Yeah, Identity theft is one of those crimes where the authorities don't really care. It can be quite lucrative for the folks carrying it out since there are no consequences.

The police are so overwhelmed and typically it is out of jurisdiction so their options are 0 to none to prosecute.

The only way to guard against it is to keep your foot print small and give as little info as required.

> Yeah, Identity theft is one of those crimes where the authorities don't really care.

There is no such thing as "identity theft". You can't steal who someone is, that's bullshit. It's rather some party not making sure it's actually you they are talking to, and then claiming that you are responsible for it anyway because they fell for someone else's scam.

Unfortunately, it doesn't work that way. The Uniform Commercial Code (in the US) has provisions about what constitutes accepting an instrument of payment taken in good faith, and that indemnifies a business. Maybe those laws should not exist and insurance should be the mechanism to cover loss stemming from fraud, but it doesn't work that way.

And piracy is an act of robbery on the high seas.

When the name sticks, there's usually nothing we can do. Sad but true.

The problem with the phrase "identity theft" is that it puts the onus of security onto the consumer to secure their personal details instead of onto the bank/telcos/etc to secure their systems.

We should call it what it is: fraud. Whether that's bank fraud, computer fraud or wire fraud, banks should be responsible for compensating individuals for the losses incurred. One way to encourage this change is a change in the language we use surrounding these crimes.

> The problem with the phrase "identity theft" is that it puts the onus of security onto the consumer to secure their personal details instead of onto the bank/telcos/etc to secure their systems.

And it's really even worse than that, as you are assigned blame for something that the party blaming you is itself forcing you to do. Like, they won't open an account for you unless you tell them your SSN, but then they blame you if you don't keep your SSN secret.

It's reasonable to some degree to expect that you keep your password secret. It's a different thing altogether to take information that is unavoidably known to lots of parties, or in many cases even outright essentially public info (like, stuff you can just buy as a database) as proof of identity, and then insist that you are legally responsible for a contract or whatever they made with someone who knew your DOB or something.

It's really not much different than just throwing darts at a phone book, and then pretending that the fact they hit your name proves that you now have a contract with them ... no, it doesn't, and it's your fucking problem if you think it does.

That example doesn't use word games to shift the loss to an uninvolved and innocent party.

So, how much money did you lose if any?

A few months ago I took 3 of my 4 kids to a birthday party at a minigolf course. I played some holes with my youngest I had taken with me, and then left the two older ones at the birthday party with the understanding that their mother would pick them up (as we had discussed earlier).

After leaving the party with my youngest, I went to the grocery store, and then on home. When I got home my wife was gone, which I expected since she was picking up the older kids from the party.

Throughout this afternoon I had not been checking my phone in an attempt to be a bit less connected on the weekends.

About half an hour later my wife comes home totally freaked out and frazzled.

Apparently after I had left, someone went into a T-Mobile store and somehow convinced the associate that my number was theirs. I had received a couple of texts from T-Mobile with a pin number where the store associate had attempted to do something, but I was not aware of them until later.

Once this person had my number, they called my bank, reset my online password, and transferred all of our money from various accounts into one of my checking accounts. The bank then put a hold on everything (thank god).

My wife happened to have been paying bills online while this was happening, and saw it all go down. Her first thought was to call me, then when I didn't answer to call the mom throwing the birthday party.

Birthday party mom told my wife I had left, so my wife assumed that myself and our 3 year old were being mugged or something. The police were involved and she spent a good amount of time freaking out trying to find me.

All in all I had a pretty good afternoon :P

For real tho, it was a freaking mess. Took weeks to get our accounts safe, and we try to avoid using phone numbers for 2fa now.

>someone went into a T-Mobile store and somehow convinced the associate that my number was theirs.

I had to regain access to an employee's phone a few months ago. T-mobile gave me account control after providing them a phone number that phone had dialed "recently". I am disappointed, but not shocked.

In Singapore they give us a physical token. We have to enter the 2FA code we receive into it to receive a third code to enter into the website. Well, I guess it's 3FA. It is a bit of a hassle, but better safe than sorry.

Yea, my wife uses a physical token generator now, and I use the app which is bound to my phone. Someone would have to physically have my phone (and unlock it) in order to access my bank now.

Are you sure your bank wouldn't allow someone to disable it over the phone like they allowed someone to change your password? People lose cell phones just as they forget passwords, so there is surely a way for customer support to deal with it.

Banks over here only reset those tokens with instructions sent to your known address. You can only change that address with a working token or showing government issued ID (which everyone around here has and is also required to open an account in the first place). At worst you need to send a copy by mail but going to a branch or post office or a video chat are more common.

Banks can always ask you to go into a branch for more important things like that. They do that in the UK. If you're not in the country, you can write a letter on paper and have the local police or lawyer confirm your identity. I've done that before. It's a nightmare but it eventually works.

In such cases the bank would offer to send new tokens by physical mail to the registered address or receive them in a branch with proper ID.

I recall a case where an important customer was stuck abroad with everything stolen; they were sent replacement tokens and cards to be received at the embassy, which could properly ID them.

Why can a bank have such a robust procedure for replacing tokens, and be trusted to follow it, but not have a similarly robust procedure for handling password resets?

They definitely can, but some of them don't, especially in USA for various reasons.

I mean, any bank with proper procedures doesn't really have the concept of "online password" that's sufficient to do anything and makes 2FA mandatory; I believe in EU now it would be forbidden for a bank to have simply a username-password authentication.

I think it's worth noting that while physical token is needed for adding new payees and changing transaction limits, it is not necessary for online purchases, which only requires sms verification (at least for DBS).

I think it's a fine approach balancing security and convenience.

Seriously, I don't understand why physical tokens are not the norm and standardized on all devices, still. It isn't a new concept at all.

"Apparently after I had left, someone went into a T-Mobile store and somehow convinced the associate that my number was theirs."

How can that happen? When I visit my cell provider's store, nobody is going to talk about any account details until you have provided a government-issued ID to prove that you are the account holder. Sure, it's not a 100% bulletproof method, but if somebody went to great lengths to counterfeit my ID, my phone number is the least of my worries then. I assume this happened in the USA, so is the ID check so unpopular there, or is it easily circumvented somehow?

Yes, ID check is easily circumvented. People are the weakest link. The store reps are not government officials or police officers, nor do they scan IDs. They may be convinced not to check your ID, to accept an ID that isn't your driver's license, or anything else.

The point is that using an SMS as 2FA places much of your security in the hands of underpaid cell phone store workers.

"The store reps are not government officials or police officers, nor do they scan ids."

Neither are they here (in the EU), but nobody is going to talk to you unless you provide an ID anyway. Asking for ID doesn't seem too hard, even for non-trained personnel. You don't have to be a detective to match the name/code on the ID with the name/code on the account.

Having access to potentially thousands of dollars from cleaning out a victim's accounts is an incentive to go and obtain a fake ID. Do the store clerks scan and verify that the ID is genuine somehow (check against a database, look at the photo), or do they just look at it in passing and give it back?

From an EU perspective, obtaining a fake ID isn't that likely - counterfeiting anything certainly is possible, but it's hard and expensive (harder than counterfeiting money), risky (being caught with a fake means jail time, it's a more severe crime than theft and there's no "take-backsies" if they don't like the ID) so fraud with fake IDs is extremely rare.

It may happen with certain large scale scams involving organized crime, but not for small amounts; it simply doesn't show up in practice. What does happen is use of real IDs that are stolen (or bought from homeless people), but most places that have some risks have access to registries where they can verify if the ID has been reported as stolen.

Sure, but the excuse is then, "I had everything stolen! My phone, my wallet, etc. I just need to get my phone back so I can pay my rent and get an Uber to the DMV to get my new license." Then if the clerk says, "Sorry can't help you until you have an ID," you freak out and start yelling and the manager comes over and says, "I'm so sorry sir, let's get this worked out," and does whatever you ask him to.

Not happening in the EU - since in such a case the company not verifying the ID tends to get liability for the losses, all companies have policies under which such managers are prohibited from doing so; they would be risking their own money (and job) by giving you stuff without proper authorisation.

I mean, as soon as word got out that some company allows that, they'd be exploited for free stuff in large amounts; all of the obvious loopholes have been tried and plugged in the last couple of decades. The USA has the problems only because they treat it as "stolen identity" instead of "someone defrauded a company with a fake ID", and don't have proper universal IDs and try to make do with a mishmash of driver licences, names, addresses, SSNs, etc.

> someone went into a T-Mobile store and somehow convinced the associate that my number was theirs.

The fact that the T-Mobile employees can get hold of your mobile phone number is disturbing and a red flag for using your phone number for sensitive stuff (such as money). You should always assume malice from unknown actors.

I don't know where OP is from, but over here (Poland) you need two forms of ID (passport/national ID/driving licence) if you want the T-Mobile clerk to do anything for you in-store. I got quite annoyed once because I needed a new SIM card for my company phone, but despite having two forms of ID confirming that I am the company owner, they also wanted to see the incorporation papers saying so.

I think the point of the grandparent is that the T-Mobile clerk has the power to register a new SIM card for your account. That makes them an extremely weak link (easy to blackmail, corrupt, etc.).

Yes. If the compensation (reward) from the theft is big enough, there will always be a guy who will do it.

Without meaning to pick on T-Mobile, the stories I'm hearing here, including yours, lead me to believe that T-Mobile is liable for damages. As in, they didn't take reasonable precautions to safeguard your account, and you suffered financial damages as a result.

I am generally of the philosophy that you should trust no one to do the right thing, but these cases seem to be overlooking the obvious that the phone companies are fucking up on security.

Large companies like cell providers have concentrated benefits and their customers have diffuse costs. They force a large contract on you (because they have an oligopoly and you have only ~4 or fewer realistic choices) and that contract almost always contains a "no class action" and a "forced arbitration" clause. While those clauses exist, we are at the mercy of cell providers. Potentially very large customers (large companies and governments) might be able to demand changes in the contract, but it's unlikely to automatically filter down to the individual consumer.

I'm starting to worry about similar weak process security on the part of the IRS and Social Security. You can theoretically opt out of using a cell phone, but it's far harder to opt out of government programs that are forced on you with the threat of state force.

So, I've read the article a couple of times. It's pretty long. For those of you looking to get the most bang for your buck, I think the following advice is golden:

1. Do NOT secure your sensitive accounts (facebook, primary email, bank accounts, twitter, etc) with your telco phone #. Telco Phone number is NOT secure!

"Create a brand new Gmail email account. Do not connect it to any of your existing email accounts. (When signing up for a new Gmail, you don’t need to enter a phone number or current email, although there are fields for you to do so. Leave them blank.) Once you’ve created the new island-unto-itself email address, create a new Google Voice number." Use this Google Voice # to secure your primary accounts, and don't have your telco # listed in any of those accounts.

But, make sure your New Gmail account is super secure, with a security key, as mentioned in the article.

2. Check the password recovery methods for all your sensitive accounts and make sure the answers aren't duplicated from any other site. Actually, it's best to remove them, if you can.

If any security experts want to chime in, please do.

> "Once you’ve created the new island-unto-itself email address, create a new Google Voice number." Use this Google Voice # to secure your primary accounts, and don't have your telco # listed in any of those accounts.

The problem with this otherwise good idea is that google will not allow you to keep this account as an island.

Eventually you will get the "we've noticed something suspicious about your account" dialog which requires entering some other, unrelated phone number. You're locked out until you do so.

The suspicious behavior is, of course, signing up without a live phone number.

Ironically, they will accept any number you input with no verification that it is related to the account in any way. They just want to see a live, carrier number input.

(This has been my experience from within the US)

What an interesting way of increasing phone number data conversion rates.

Twitter does that too. At some point I created another account without specifying a phone number, posted a tweet from there and next thing you know they are flagging it for suspicious activity and asking for my phone number to unlock the account.

> When signing up for a new Gmail, you don’t need to enter a phone number

This is not true in general. It probably depends at least on the country you try to sign up from, and probably on other factors.

Gmail didn't mandate a phone number the last time I created a dummy account (~1 month ago). I don't even have a phone number linked to my primary account.

I don't doubt that. In my experience sometimes a phone number is required and sometimes not. When it prompted for a phone I didn't find a way to work around that.

I find that when I create a dummy account from a clean browser (no cookies) with a VPN, a phone number is required. I wouldn't be surprised if they do some internal risk/dodginess assessment based on several factors.

Can you then remove it after the fact? I was able to remove the phone number from my account without it complaining.

They do sometimes though, depending on how "risky" they deem you based on secret criteria. I've never been able to bypass their phone number requirements.

Or use a Google Voice number to set up 2FA on the same account. That way you can only ever log in if you have a device on your person that is already logged in. If somehow you're away from technology long enough that all your devices are locked, use a printed backup code to unlock one.

Use Google Authenticator or any other time-based token app. Print out the private key, store in a safe. Also print out extra codes and also put in a safe.
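As an added worked example, not part of the comment above and not code from Google Authenticator or any other app: the TOTP algorithm (RFC 6238, built on the HOTP construction of RFC 4226) that such apps implement, using only Python's standard library. It shows the point the comment relies on: the base32 seed is the whole secret, so the same printed seed re-entered on a fresh device regenerates identical codes, and a verifier that tolerates one time step of clock drift is enough for that to work in practice. The seed in the demo is the published RFC 6238 test seed, not a real credential, so the codes can be checked against the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Published RFC 6238 test seed (ASCII "12345678901234567890"), used here only
# so the codes produced are checkable against the RFC's test vectors.
RFC6238_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def generate_seed(nbytes=20):
    """Create a fresh random seed and return it base32 encoded.

    This is the string behind the provisioning QR code, and the string you
    would print and lock in a safe: anyone holding it can produce every code.
    """
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(seed_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = seed_b32 + "=" * (-len(seed_b32) % 8)   # tolerate unpadded input
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(seed_b32, int(at // step), digits)


def verify_totp(seed_b32, code, at=None, step=30, digits=6, window=1):
    """Accept the code for the current step or `window` steps either side.

    The comparison is constant-time. A wider window buys tolerance for clock
    drift at the cost of more accepted codes per attempt, so keep it small and
    rate-limit attempts server-side.
    """
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(seed_b32, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Device A is provisioned; the same seed is written down and put in a safe.
    printed_seed = RFC6238_SEED_B32
    code_from_device_a = totp(printed_seed, at=59)
    # Device A dies. Device B is set up from the printed seed and produces the
    # same codes: no phone number, carrier or cloud sync is involved in recovery.
    code_from_device_b = totp(printed_seed, at=59)
    print(printed_seed, code_from_device_a, code_from_device_b)
    print("accepted:", verify_totp(printed_seed, code_from_device_b, at=59))
```

The trade-off the comment's "print the private key" advice implies is visible in `generate_seed`: the printed seed is strictly more powerful than any single code, so it belongs in the same place you would keep a recovery code, not in a notes app that syncs through the same email account it protects.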

But, if you use Google Voice number on your other Gmail account, they say it's not recommended because you can get locked out of both.

I think you can use Google Voice number on everything other than your main Gmail account.

So, to be extra safe, after you've set up your 2FA for gmail, make sure to change your recovery phone # to something other than your main telco or google voice number.

Same account. You can use the Google Voice number to 2FA its associated gmail account. A printed backup key will protect you from getting permanently locked out. But nobody will be able to login without physical access to your device or printed key.

This is how 2FA was meant to work. It should always require a physical device only you have access to. Otherwise it's just using 1FA two times.

Somewhere on YouTube somebody got locked out of his Google account while streaming live because of a setup similar to your suggestion, Google 2FA codes to Google Voice, and the look on his face when he realised it was hilarious. Not sure, but maybe he sorted it out somehow.

It seems Google Voice is US only, and a bit abandoned. From the UK, the website throws various errors, and searching for "Google Voice" in Apple's App Store just shows spam apps.

Not abandoned - over the past year Google has been pushing updates, including a new website and mobile apps (finally)!

Yes, it's nice to see signs of life. I, like many people, have been afraid it would go the way of Google Reader.

Too bad they really dumbed down the interface - it's not possible to delete messages from the new site.

Same for NL. I keep hearing it getting mentioned, but the website is completely nonfunctional and makes little sense.

While SMS for 2fa is _a_ problem, it's not _this_ problem. Using SMS for _account recovery_ circumvents 2fa and circumvents strong passwords.

Last year when I upgraded my phone I was amused — but mostly horrified — by how easily one could get a SIM card for my own phone number with less than a modicum of information on me.

As I needed to upgrade my Micro SIM to a Nano SIM, I went to one of my provider's shops and asked for a Nano SIM for phone number X. I was then asked to verbally confirm my name and address — and that's it. No ID card confirmation, no nothing. "Here you go sir, your new SIM card will be active within a few minutes. Can I help you with anything else?". What. the.

Last week I walked into a T-Mobile store and asked for a new SIM card to replace one I lost. I gave them the phone number and apparently an invalid pin (the sales rep verified that I gave him the wrong PIN). I asked if I should do something else to verify it was my account and nothing. They didn't ask for name, ID, or anything else, and they didn't charge me for the SIM card. I went home and popped it in and my account had clearly been transferred -- I didn't have to do any other activation steps or anything.

Great customer service experience, but horrible security.

Your story reminds me of when I ordered a $200 video card from Staples ship to store. I went to the cashier and told them they should have a video card I ordered. They asked for my name and gave it to me (inside the shipping box so they didn't even know the contents). It's not as bad as getting your phone number stolen but it opened my eyes how easy it would be to "steal" a package.

The problem with all these stories is that there is a physical interaction. Maybe there is a video or whatever, but for some reason people easily let their guard down when the transaction is conducted in person.

That physical interaction is important. It means there's a human being in your country committing a crime on video. That same person could just pick up a product off the shelf and walk out with it too. Either way, they're putting themselves at risk of arrest.

When it's online, there's almost no risk because they're probably in Russia and leave no physical evidence.

Never mind the video, you know for a fact they are carrying a tracking device.

Recently my dad entered his SIM PIN incorrectly three times and it locked him out. Turns out his mobile operator has an IVR service which hands out the PUK to any phone number you enter! No authentication whatsoever, just the phone number. How common is this?

Exact same thing happened to me. Upgraded my phone, needed to switch over to a nano SIM, walked into T-Mobile and chatted up the sales clerk and then walked out with my new nano SIM without showing ID. I was dumbfounded that it was so easy.

NIST has already been discouraging the use of SMS for 2FA[0], but that apparently won't stop the subset of incompetent IPSec consultants who still recommend SMS-based 2FA.

[0] www.slate.com/blogs/future_tense/2016/07/26/nist_proposes_moving_away_from_sms_based_two_factor_authentication.html

It doesn't stop incompetent dataroom operators either from forcing their users to give them their phone numbers for 2fa purposes.

And there is absolute gold in those datarooms if you know where to look.

Recent offender:

"iDeals proposes to protect your account with 2 factor authentication. It means that each time when you will be accessing the project/ changing your password/ accessing the protected versions of documents in the data room - an sms code will be sent to your cell phone. "

This after me pointing out that SMS for 2fa is not a good idea.

There’s a far worse example:

PayPal only supports SMS based 2FA, or, if you dig through their old website with archive.org, you can find a way to use one of their proprietary 2FA devices.

Support for TOTP? HOTP? Nope.

Those proprietary 2FA devices are just TOTP with a weird provisioning system.

You can use a tool such as https://github.com/dlenski/python-vipaccess to use google authenticator/freeotp etc. to access paypal.

That said... I believe you still need a mobile number enrolled to enable a token.

The direct URL is https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security... , it's no longer accessible from their new web interface.

Wow, that actually works. I had to go through many ancient web interfaces, but it works.

Sadly you can easily and trivially bypass the VIP token by providing a credit card number or a few other identifying details. It's worse than the SMS loophole. And another reason why I'm trying to delete my Paypal account. ;-)

Thanks! I didn't realize that was possible either. I just switched my paypal account to use google authenticator instead of sms, which besides being more secure, is much more convenient since I don't get cell reception in most of my apartment and have to put my phone near a window to get the sms.

> PayPal only supports SMS based 2FA

You can still use Symantec’s VIP (Validation & ID Protection) authenticator app instead of SMS. I just set it up a few moments ago following these instructions:


then deactivated the former SMS-based Security Key.

Paypal also couldn't walk you through a 2FA payment for eBay on mobile. At all. You had to use a desktop. This was about a year or two ago. One would think that a payment company would have better security, especially given they're owned by eBay.

They aren't owned by eBay anymore. They were spun off into an independent company in 2015.

I've sometimes been instructed to login with 2fa code+password joined in the single field. It's rarely worked.

I think that your average dataroom holds stuff with value well in excess of what the average paypal account holds.

The PayPal account itself might not hold much, but most people have their bank account directly linked to PayPal, without any limits.

In my case, PayPal could take every cent from my account before I’d even get a message. And that’s why 2FA is so important.

There are also measures that can be taken when using SMS based MFA, via services that check if the SMS is forwarded to a burner phone, or do a SIM check with the phone. In addition the SMS based MFA services should be leveraging fraud score and number deactivation checks for the target numbers to catch the most obvious fraud scenarios.

Not sure a lot of the companies providing these services actually do that though. And all-in-all, non-SMS based MFA is going to be better anyway.

so why do well-respected companies like Google and Stripe do it?

Because their target markets contain both people who'll gladly spend 50 quid on the latest account security dongle, as well as people who have a Pentium 4 desktop and a 50 quid feature phone. The latter get much more secure when apart from a password, probably on a post it stuck next to the screen, they are inconvenienced to also type in a few digits from SMS.

You are 100% correct. But I'm genuinely curious why institutions such as banks/telcos couldn't spare the resources to offer both SMS 2FA and more secure options for those who do care. I can't imagine it's a matter of technical resources as it wouldn't take much. Is it institutional inertia? technical debt?

Security model of banks is completely different from everything else. They will only consider 2FA if the total calculated cost /to them/ becomes significant if they don't.

...and if they were to offer a more advanced 2FA option, it'd possibly only appeal to a niche of users that wouldn't significantly change (improve) their calculated cost?

That's why they probably wouldn't roll out to a voluntary subset on regular accounts.

Tbf, I've had a handful of accounts in a few different countries. I've had proper 2FA in most of them (the one I started with around 2005 uses printed one-use codes), SMS codes in one and no 2FA in one.

They also (most likely) include many other checks, even at the network packet level, in addition to primary and secondary authentication. It's not as simple as it looks to the honest end user.

Is 2fa with SMS safer or less safe than no 2fa at all?

REAL 2fa with SMS is marginally safer (but not much more so), since it requires password and SMS to do anything.

The problem is that nearly every single 2fa setup out there does something radically stupid such as use your 2fa method for password reset, or a combination of 2fa + email. This is horribly, horribly broken and worse than "no 2fa at all." All it takes is a SIM clone to steal your phone #, which you use to reset the email, and then email + phone/SMS can be used to reset nearly every single credential under the sun. The only exceptions are those that use proper 2FA such as one-time password apps -- but not Authy which just syncs your OTP/2fa credentials to the cloud and happily transfers to the cloned device :(

Could you elaborate on why Authy is not safe? In my setup,

1) after adding the devices I wanted to add, I've disabled multi-device (which keeps the existing devices, but prohibits adding new devices),

2) for new devices, it requires a backup password (once) to decrypt the credentials retrieved from the cloud, and

3) IIRC, it requires authorisation from one of the trusted devices to add a further device.

All in all, it seems much better (in terms of the security/availability trade-off) than Google Authenticator. But I've read opinions similar to yours a few times, and I wonder where they come from, whether they've been reasonable in the past, and whether they still are.

How well do you trust the customer service rep at Authy against social engineering? Especially when someone has control over your email, phone, and potentially many other accounts already.

Good question!

1) I trust them ever so slightly more than your average off-shored telco rep.

2) AFAIK, they do not hold the credentials in unencrypted form, they're only decrypted on the device with the backup password.

It's certainly safer than only using a password if you use the same password on lots of sites, since the odds of any password database being hacked are higher than the odds of your phone being targeted.

Thanks. This thread was giving me the impression that adding 2fa with SMS to a system would make it more vulnerable somehow.

It does if the provider uses the phone number to reset the password.

...in which case it becomes an "alternative factor" instead of a "second factor".
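An added illustration of the distinction drawn in this sub-thread (a second factor versus an alternative factor, and the SIM clone to email to everything chain described a few comments up); it is not from any commenter and not any vendor's design. Each account is described by the sets of factors that are each sufficient on their own to take it over, with login and recovery flows listed side by side because to an attacker they are interchangeable. A fixed-point walk then shows what a stolen phone number reaches. The account names and policies are constructed for the example, and `sms` stands for the carrier-controlled number.

```python
# Each account maps to a list of "paths". A path is a frozenset of factors
# that, together, are enough to take the account over. Login and recovery
# flows both appear, since an attacker uses whichever is weakest. An owned
# account is itself a factor for anything that recovers through that account.

# Constructed example: the consumer setup the thread complains about.
WEAK = {
    "email":   [frozenset({"email_password", "sms"}),   # login: password + SMS code
                frozenset({"sms"})],                   # "forgot password" via SMS alone
    "bank":    [frozenset({"bank_password", "sms"}),
                frozenset({"email", "sms"})],          # reset link to email + SMS code
    "twitter": [frozenset({"twitter_password"}),
                frozenset({"email"})],                 # reset link to email
}

# Constructed example: the same accounts with recovery moved off the phone number.
HARDENED = {
    "email":   [frozenset({"email_password", "totp"}),
                frozenset({"printed_backup_code"})],
    "bank":    [frozenset({"bank_password", "totp"}),
                frozenset({"branch_visit_with_id"})],
    "twitter": [frozenset({"twitter_password", "totp"}),
                frozenset({"email"})],
}


def reachable(policies, compromised):
    """Return everything an attacker ends up holding, starting from `compromised`.

    Iterates to a fixed point: whenever any path of an account is a subset of
    what is already held, the account is added, which may unlock further ones.
    """
    owned = set(compromised)
    changed = True
    while changed:
        changed = False
        for account, paths in policies.items():
            if account not in owned and any(path <= owned for path in paths):
                owned.add(account)
                changed = True
    return owned


def factor_role(policies, factor):
    """Classify a factor across all accounts.

    'alternative factor': some path consists of this factor alone (1FA twice).
    'second factor':      it only ever appears alongside something else.
    'unused':             no path mentions it.
    """
    lengths = {len(path) for paths in policies.values()
               for path in paths if factor in path}
    if not lengths:
        return "unused"
    return "alternative factor" if 1 in lengths else "second factor"


if __name__ == "__main__":
    for name, policies in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: sms alone reaches {sorted(reachable(policies, {'sms'}))}")
        print(f"{name}: sms is a(n) {factor_role(policies, 'sms')}, "
              f"totp is a(n) {factor_role(policies, 'totp')}")
```

Running it shows the weak policy losing every account to `sms` alone, because the email "forgot password" path makes the number an alternative factor and the other accounts recover through email. In the hardened policy the printed backup code is still, deliberately, an alternative factor for email; the difference is that it is an offline object nobody can obtain from a carrier store.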

More importantly, a lot of web framework templates using 2FA with an SMS provider will still be around. Of particular note is ASP.NET's template, which is very easy to get up and running with 2FA with SMS/Email.

Wouldn't SMS 2FA have a higher adoption rate among non-technical users, hence making it more suitable for certain types of systems?

Can anyone recommend a US based bank (or a bank that accepts US customers) that 1) has either a 2FA token for phone e.g. with Google Authenticator, a hardware token, or some kind of other token based factor; and 2) has strong security when calling? I generally don't need a physical presence.

My current two banks don't have direct 2FA enabled. As far as I remember, the questions available to one of my banks (credit union) are simple enough that you could probably find out by doing a public info search somewhere, and the other bank (Chase) has SMS 2fa, but outside of that it's just public database questions (I know this because I had my card number stolen recently, I currently don't have access to my phone as I'm out of the country, and they asked me a few different questions from a public database, like if I had ever lived at ABC Dr., do you know this person, and what is the full name, etc.). I'd much rather be able to give the banks some kind of information that they are required to verify before they can access my account, like a verbal passphrase, but I don't think that's possible (as in, I wouldn't be able to access my account over the phone without the passphrase).

There are a handful of smaller banks or credit unions listed as accepting proper 2FA here. [0] I have no experience with any of them.


Although the list is a bit misleading. German banks are all listed without 2FA whereas in reality they all use some form of a TAN (transaction number). Not as safe as a hardware token but if you keep it safe, it's as secure as a hardware token.

And most Sparkasse branches will use actual hardware tokens. So the reality is not as bad as the list suggests.

The problem seems to be that no German bank I know of supports 2FA for login purposes, which is what that list tracks[0] (although they don't state that clearly – it took me a few minutes to track that down).

But listing "Sparkasse" as one German bank is misleading as there are 400 independent banks sharing that brand with different policies. They use at least a few different backends for their online system although there seemed to have been some consolidation in recent years.

[0]: https://github.com/2factorauth/twofactorauth/blob/master/CON...

I know that USAA offers TOTP 2FA. Not sure about calling though.

Sadly, USAA is only open to military service members and their kids. That would be my choice if I could use it.

Not true. They offer insurance only to military families. Banking is open to anyone. EDIT: This is no longer true as of 2013.

You USED to be correct. I'm not military and I have a USAA bank account. For a couple/few years they opened accounts to civilians, but then reversed that decision about a year or so ago. Now bank accounts are only offered to military again.

Are you sure? At the link listed below, it seems that it's only available for military.


You are right and I was wrong. They changed the rules in 2013: https://communities.usaa.com/t5/Other/USAA-Changes-Membershi...

They've grandfathered in existing members who wouldn't qualify today.

Yes, but it's this janky Symantec-only implementation. AFAIK I'm unable to use a generic TOTP authenticator like Duo or GA.

Is that for Chase, or J.P. Morgan? My understanding is that Chase doesn't offer a 2FA besides SMS and when I go into my account settings I don't see anything that lets me enable 2FA.


Regarding your security questions: you don't have to put the real answers in. Instead I often create 30 char passwords for those fields.

They don't advertise this, but Schwab offers 2FA with either a hardware token that they will ship you OR a 2FA token on your phone using https://m.vip.symantec.com/ . You have to call them up, but their customer service is pretty good.

It's insane how much easier it is to transfer a phone number than a domain name.

I also find it odd that Facebook and other sites will let you sign up solely with a phone number. There are prepaid cell phone providers that recycle phone numbers, etc. It just seems so stupid to rely on a phone number for authentication alone, but as a second factor I'm okay with it since you still need to know the password. Twitter has a developer product where you can be texted a code to log in using only a phone number, which to me just seems wrong to do.

It'd be nice if, when trying to port a number, change important info, etc., they had to actually call you or text you first to confirm. But one of the problems is people will lose their phones and need a new SIM or phone... For that I think I'd have a requirement to actually visit the store, but that doesn't work too well with prepaid phone providers without physical stores that sell via other stores like Walmart, Target, etc. Maybe in that case, without nearby stores, partner with your retailers to verify ID or fax an ID in.

"There's prepaid cell phone providers that recycle phone numbers, etc. "

This isn't limited to prepaid phone companies or even cell phones. This practice has gone on for years. (I worked at GTE/Verizon around the time of the merger.) My understanding is that the bigger issue is that it is fairly easy to run out of phone numbers if we never repeat. If I remember correctly, most hold the number unused for 3-6 months, and fewer folks change now since they can port numbers to a new company at times, if the company that owns the number allows for it. (Yes, the phone company at least used to own the number.)

I can't speak for whether or not Facebook is doing it, but the carrier of the number is usually a determining factor on whether or not an arbitrary line is allowed for registration.

I wish we could kill phone numbers once and for all. It's insecure, device-dependent, carrier-dependent, country-dependent, subject to snooping and censorship, and all of these are recipes for disaster as an authentication scheme, especially in the event that a device gets stolen. Phone calls and text messages should emphatically NEVER be used to verify anything.

Conversation with one of my banks the other day:

Them: Can we please verify a code sent to your phone number?

Me: Umm, sure, although that won't verify anything. Use something else to verify that it's me.

Them: Can you please verify your phone number?

Me: Umm, I don't know what phone number I used with you? Try XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, and XXX-XXX-XXXX? They all belong to me depending on where I am.

Them: Can we use XXX-XXX-XXXX? Do you have this phone with you right now so we can we send a text message with a verification code?

Me: Send your insecure SMS to any of my numbers. They all go to my e-mail inbox. [I don't need to have my "phone" with me -- my "phones" are virtual.]

Is it really necessary or helpful to be rude to the poor CSR who is just trying to do their job?

They didn't make this policy, and I'm sure they think it's just as stupid as you do.

This isn't a literal transcript of the conversation, more like what was going on in my head vs. what they said ;) Of course I was nice to them in explaining that I have a ton of virtual phone numbers and really don't know which one I used, etc.

I would not think CSR would actually know that phone is not a secure channel. I bet they are taught it is.

It is still more secure than not using a second factor at all. Stealing a phone number is more work than not having to do it.

While the conversation is probably not a good example of anything, I agree with the main statement: phone numbers must die. They are insecure, unremarkable remnants of an outdated system.

Well in many countries you are required to show and submit ID to the provider that ties you to a particular sim/number. While I see this more as a control mechanic than a security measure, it does give some reason as to why organisations tie identity to a phone number. I must assume that the USA does not do this?

I owned a hosted PBX company from 2007-2011 and was amazed with how antiquated the port request system truly is.

The problem is that the phone company owns your phone number and you just get access as part of a service. Unlike a domain name where you own it.

If we change the law we'd bring more accountability.

To be fair, you really don't own a domain. You still rely on the TLD honoring your purchase and not handing it over to someone else, in the same way you rely on the phone company to treat your number as yours.

Some domain registrars are so completely incompetent (ie Dotster), I'm disappointed they're still in business. Literally clueless "customer support" staff that either don't auth (experienced that personally), or refuse to follow the written rules to everyone's detriment.

Recent example:


Note - Don't use Dotster (specifically) for your domains. If you're using them now, switch away. Saying that because if you experience any trouble with your domains, you'll be wanting to contact competent staff who can fix problems. Dotster's can't. :(

At least you have a legal path:


Not exactly an easy thing to do with a phone number.

In the same way that you rely on a county deed office to own your land. The only difference is the amount of legal precedent in place and physical occupancy, neither of which can be solved with the wave of a hand.

This needs to change as well. We need to do away with the concept of a select few TLDs; indeed, we need to scrap paid-for subdomains/domains in general.

"was amazed with how antiquated the port request system truly is"

Absolutely. In the UK, I could easily port someone's, or many someones', landline number and slap a trunk on it. Sadly though, I would also end up paying the bill for it. However, it's much easier to simply fake your outbound CLID to show the call centre you are the mark.

I have no numbers for this but I'll bet that CLID is used by banks etc as part of the security checks for your identity.

In this case it's better for us all to move away from centralized numbers, not simply regulate them better.

There are many better and more secure options for communicating these days.

So 2FA reset via SMS is bad, which I agree with, but what are the alternatives to prevent a meltdown when your 2FA device dies?

I have had two phones die on me that were my 2FA device, plus OS upgrades, so I have gone through resetting 10-20 2FA accounts a few times. Though with upgrades I usually foresaw that and downgraded my 2FA beforehand.

All I wish for is that resetting 2FA would be a very, very slow step-by-step process, spammingly broadcast to all emails, SMS numbers, postal addresses, etc. associated with the account. But I know that with cost-cutting customer service departments that won't happen.

Most major providers like GitHub, Google etc allow you to create "recovery" codes - so you can do a one-off login without 2FA using the code.

I've started getting a recovery code for each of my major accounts, printing it out, then literally putting it in a safe.

I use the 2FA code generator in cloud-synced 1Password. That endures all software upgrades, unlike Google Authenticator or Authy.

If all this information is in 1Password then I guess you are back down to one factor - your 1Password master password. Which may be ok with you. Just pointing it out.

If you use an Android phone that's rooted, you can use Titanium Backup to copy your Google Authenticator app data between devices. It's up to you to copy that data somewhere else, but it is a very low level alternative to storing everything in 1Password or similar.

Even without rooting, just do this: next time you register for 2FA, save that QR image, or screenshot it, and/or save that 16+ character string somewhere safe, same as where you save passwords. Phone died/changed/lost? Install Google Auth, rescan that QR/screenshot.

TIL. Thank you.

2FA systems have a code that serves as the seed for the token. If you keep this code you can set up 2FA on a new device any time you want without having to reset it. Just be careful securing the code.

I've had this happen with Microsoft/Office365. Lost access, couldn't get the recovery email. They sent emails and made me wait a day or two before resetting things.

Not answering security questions truthfully is tricky.

Yes, it's a problem that security questions turn hacking into a simple public records search.

BUT most terms of service have a line like 'you warrant that you've been entirely truthful with us' or something. If you give the wrong security question to your bank, they potentially have grounds to freeze your money or screw you later.

Why isn't the answer 'consumers have the power -- punish services that don't support FIDO by not using them'.

At best this article is saying 'don't connect anything to anything'.

I one time called a service for which I had used a randomly generated string for the security questions.

After they asked the question I said "oh it's a giant random string of crap, hold on..." The person replied "yeah that's good enough" and started the next step before I even had a chance to find the actual string!

This. I've had the exact same experience with support accepting "a long string of random crap" as an answer. Now I recommend that people use diceware to generate their security answers with actually readable words.


No need for diceware - use lines of poetry. They're made for people to memorize and use strange connections between words. Plus they often have odd punctuation.

I answer mandatory security questions with things like these:

  “This account must never be unlocked over phone, chat, or email.”

  “Never reveal any information about this account (such as address or CC numbers) via support channels”

  “The person you are discussing with is a hacker trying to illegally access this account”

I expect to never, ever have to use the security questions myself.

Sometimes, I enter random phrases.

Never anything that would actually be true.

...and then some dumbass IT configuration administrator decides that nobody needs to have more than 10 characters to type in their aunt's cousin's roommate's name. This is, of course, the secret question they use, so why would anyone else use something different?

Do you have a recovery scenario in case you'd actually need those?

I was almost there once. The authenticator device had died, and to my horror the primary backup was corrupt as well. I had a secondary backup (and even an off-site tertiary one, although it's somewhat dated), so I was able to recover... But I also had the idea that I won't ever have to use recovery processes, and even though I hadn't, after the incident my certainty is not so iron-clad.

I wish I could elect to have my recovery option be painful. I'll use a yubikey and backup codes. If I lose both of those, mail me something to confirm my identity, all the while notifying me on all other channels (email, sms, phone) that an account reset is happening. I am okay waiting a few weeks for access to my account if I manage to lose my primary and backup access methods.

No, I don't.

My recovery scenario is either to socially engineer the support channel myself, or start over with a fresh account.

This seems pretty easy to beat within a few calls; eventually an agent will give away what's up with the questions, and then it's only a matter of "uhh, it's just me rambling something about hackers trying to access my account".

> Sometimes, I enter random phrases.

Yeah, I just use a passphrase generator in keepass.

I never use real answers. I've had a bank teller ask "your mother had a number I get maiden name?"

"Wait, you actually use real answers instead of passwords for security questions?"

I don't use real answers either because I'm paranoid about this stuff, but it always causes trouble when I have to interact with an institution.


- I lost my health insurance for 6 months because I couldn't dig up my 'secret answer' in time to activate COBRA.

- My credit card expired while I was traveling and I couldn't reactivate it because I didn't know what answer I had given to 'mother's maiden name'. (In the end I convinced them I didn't need a secret answer to verify my identity, which in its own way is even worse).

- Some company had a form that stripped numbers from the secret answer and mine had numbers in it (hilarity ensues).

Instead of working around institutional nonsense, we should fire bad companies and hire / start good ones.

I always, always store my bogus answers in 1Password. One of many reasons I love the tool.

Most security questions are either trivial for someone else to figure out with a little research or I don't know what my real answer would be. Name of my first pet? Well, I had several that could meet that definition, and I definitely don't remember the name of the first one.

It's actually dangerous.

Consider what would happen if you're accidentally exposed to malware that steals data from password managers (by introspecting process memory after the data has already been decrypted).

Better to keep those eggs in different baskets. (Update: my point was, I think 1Password doesn't have multiple databases, does it?)

I would expect greater risk if I spread that information around more. Is it really better if only 1/3rd of my passwords are stolen, at least relative to the 3x risk I face by using multiple sources?

I'm not sure I get the idea.

My idea is to have two password databases. One is the usual, for the passwords. Another is infrequently opened and is used for the recovery codes and insecurity questions.

I don't see how a secondary, normally-closed password vault would degrade security. It's still encrypted, and safe. On the contrary, it should increase security a little, for the above-mentioned local malware scenario. The price paid is that because the database is rarely used, it could get corrupted without the user noticing, or the access details could be forgotten.

Or I'm missing something important? Why the 3x risk?

Sorry, I elided some of the scenario details.

1/3rd / 3x was based on the idea of splitting my passwords across 3 databases. Let's take your idea instead.

My concern was that if there is a risk of compromise, by using two different software solutions you've doubled the odds that a vulnerability will expose your data. (I once consulted for a company that had two data centers for high availability, but they had split their production services across the data centers, effectively doubling the odds of an outage instead of reducing their exposure.)

If instead you use the same software and two different data stores, I can see a benefit in having a store that you rarely open, but I'm not sure it outweighs the extra work, at least for me. If someone grabs my password store, having the security questions and answers protected would only help for a few accounts (admittedly, my bank being an important one) and the protection would only last as long as it took an attacker to social engineer their way past it.

I admit, now that you've raised the issue I'm going to at least think about moving my bank q&a info, but I doubt I'll go to the trouble; I suspect I'd either end up forgetting how to get to the credentials or leaving them somewhere someone could get at them.

I always fill in security questions with ascii85- or base64-encoded data from /dev/random, as much as the field allows. Then I throw the random string away.

This will bite me when I lose a password, and also when the web site uses security questions for anything else than password recovery. The latter almost bit me once on Adobe's forum website, when right after creating an account I wanted to change my initial password to something more secure. Luckily, I hadn't closed the window with the data yet, so I could still recover, and saved the random strings in the notes field of my password manager.

I always answer security questions with a known grammatical transformation of the question's sentence structure. That way, as long as they use the same parts of speech in the question to prompt me, I'll never forget an answer or have it guessed by an attacker.

I am old enough to remember how everything used to make sense (as little as 5-7 years ago). Today, "don't connect anything to anything" sounds like the last line of defense against the horde of Progress-worshiping geeky retards.

This recently happened to a friend of mine. It was devastating. As mentioned, U2F is very scarcely supported today.

The best way he came up with to secure services that insist on using SMS for 2FA (or credential reset) was to register the number of a pre-paid phone for those services.

Inconvenient? YES. But a pre-paid phone number cannot be ported by a negligent (or willfully criminal!) operator.

It's still very trivial to tell a customer rep that you lost your SIM card and have the rep send all new communication for the phone number to a separate SIM card in a pre-paid phone.

If you only use this pre-paid phone for authentication, then the fraudster has to discover that phone number before they launch their attack. For additional security, you can rotate this pre-paid phone number every few months, and only use it for authentication to online services.

What settings exactly do I have to change to get GMail to never unlock my account by SMS alone?

I have enabled proper 2FA on my Google account with U2F, but I haven't disabled everything else yet because I only have one token, and I still need something like TOTP for stuff that uses Google accounts, but doesn't support U2F.

As a closely related remark, I wish U2F would just get popular enough, it's pretty convenient, isn't vulnerable against the kind of attack SMS-based 2FA is, and protects against phishing. But almost nobody outside Google supports it, and OS/Application support is rather incomplete or requires additional setup.

Something that is infuriating is that when you have 2FA enabled on Google, they insist that you add a backup phone number that a bot calls to give you a verification code, in case, you know, you lost your second factor. Which is nice and all, but now, you're back to having a second factor that is about as vulnerable as SMS.

You can remove the phone after you add another factor (ex: TOTP device).

The Tech Solidarity guide at https://techsolidarity.org/resources/security_key_gmail.htm has detailed instructions on how to set up 2FA with U2F and then remove SMS 2FA. (I've been holding off because I use Firefox - hopefully U2F will get more support soon!)

U2F is ludicrously hard to implement. Adding TOTP 2FA to an existing webapp will take a competent developer a few hours, using only a 10-line code snippet and the standard library. Adding U2F means learning a ton of complicated concepts and either using a giant, poorly documented library provided by Yubico or writing a bunch of tricky crypto code from scratch. :(

I disagree, U2F is relatively easy to implement once you understand it, I've contributed to several open source implementations and eventually wrote one of my own.

I asked the same at https://security.stackexchange.com/questions/151675/how-to-s...

Basically, the safest is, add Google Auth via App to your account, then remove all the phone numbers from Google. If any phone number is linked to your account, no matter what your account recovery options are, Google will always give you option to "recover" it by SMS.

Go to: https://myaccount.google.com/signinoptions/two-step-verifica...

And remove SMS from the listing. I currently have 3 2FA mechanisms listed: Security-Key/Yubikey (default), Authenticator App (set on two devices), and Backup codes which I downloaded (and at some point will print and place in a safe deposit box).

Losing access to my two gmail accounts would be a complete nightmare---more so than my bank/brokerage accounts. Some brokerages like TD Ameritrade do not even offer 2FA. In my case, paranoia mode for email accounts is completely warranted.

I really wish U2F becomes the standard across all web services. It seems insane that, in some scenarios, the only barrier against financial ruin is the gullibility of your cell-phone provider's customer service rep.

I might be wrong, I tried this long ago, but maybe it is that even if you don't list SMS as your backup code delivery option, clicking "forgot password" (needs only your username), then going to Other Options, and choosing to get identified by providing a phone number (Google shows "type your number * * * * * * -1234"), and hijacking its SMS, can provide access to your account.

Also, Google only supports U2F in Chrome – even if you have an addon to support it in Firefox, Google won’t support it (because they activate it based on Useragent, not on actually available functionality)

I don't have a phone number in any of my Google accounts, just Google Authenticator for 2-step verification.

I don't recall ever having a problem with this setup. Are there services that require a Google account to sign in, but don't work if you don't have a phone number?

Go to "account recovery" option and remove the phone number listed there.
