Hacker News
I Got Hacked and All I Got Was This New SIM Card (carpeaqua.com)
14 points by uptown on July 7, 2017 | 2 comments



Over and over we learn that the carrier is the weak link in the security chain. What is an effective way to deal with this?

I have a Google Voice number which I use for texts and verification and which forwards to my carrier cell number. Taking over the carrier number therefore does nothing and Google support is crappy enough to never allow one to speak with a human representative. Google Voice itself is behind two factor.

I don't feel good about the setup, since the second factor is not technically a separate device with Google Voice. It seems better than the alternatives for now. Any other ideas of how to practically eliminate the weak link?


The problem is that we rely on phone companies way too much. You wouldn't trust some random person in a foreign country with a million dollars, right? Yet the phone companies are trusting those same people and are giving them enough access to their infrastructure to do millions of dollars in damage if they wanted. And of course if you treat your employees like crap you'll get some people breaking protocol and the fun starts.

Until phone companies get their stuff together and start acting responsibly (which will never happen, because the current situation is still profitable for them), we need to stop trusting them and assume every single bit of data sent over their networks is compromised and readable by anyone. So don't rely on phone numbers, and if you must, get one from a reputable VoIP provider (Google Voice?) and use that instead.

And as if this wasn't bad enough, there are inherent vulnerabilities in the protocols used to do roaming between carriers. When you're connected to the SS7 network you can say to any carrier "hey this SIM is now roaming on my network so just send me all of their calls and texts" and the attacked network will happily comply, sometimes despite the fact that the victim's phone is still connected to the attacked network's towers.



