But they still haven't ported all their systems to 2FA yet. Some pages require you to enter your password and append your 2FA token to the end of it (mainly when logging in on mobile), and I know of a couple of stores where, due to their PayPal integration, I cannot get to the final "Pay Now" page on PayPal even though I successfully log into PayPal. When you would normally get to that final page to press "Pay", the page just times out. I have to disable 2FA and do it again.
You can use "Symantec VIP" (it was renamed after Verisign was bought out). Though they don't make the sign-up very easy. You have to go to the 2-factor page ("Security key") under Security, press "Get security key", when prompted to enter your phone number press "Cancel", then press "Activate your PayPal or VIP (VeriSign Identity Protection) token" and then enroll as normal.
It's not Google Auth, and it kinda feels like I am now gaining a collection of 2FA apps (iirc Namecheap's non-SMS 2FA is powered by Authy but you cannot use Authy), so I do wish they would all adopt a standard.
The motive appears to be bitcoin, based on the people contacted via Facebook.
Is it possible the initial PIN that was sent by T-Mobile was intercepted via SS7? I am trying to find out if my phone (Android) is compromised as well.
The accounts and phone number are back under my control, but I want to find out the vector as soon as possible; I don't trust T-Mobile to honor requests not to allow porting.
This has no relevance to Bitcoin wallets.
Still, this is what many have come to think of as Bitcoin wallets.
Me, I only use local wallets. If I had lots of Bitcoin, they'd be offline.
For example, my boss lost coin trusting it in the hands of Coinbase. He has contacted support to no avail. And there are no legal repercussions for them doing this, just as PayPal reserves the right to freeze or steal your assets.
SS7 in itself is a huge disaster. I can recommend the following presentations: https://media.ccc.de/v/31c3_-_6249_-_en_-_saal_1_-_201412271... and https://media.ccc.de/v/31c3_-_6531_-_en_-_saal_6_-_201412272...
tl;dr: everything that uses SMS is vulnerable.
Edit: as others already mentioned, use offline 2FA like Google Authenticator.
Until all those whose job it is to secure the various Xs stop ignoring the problem?
It wasn't confirmed until a few minutes later, but that was enough time to assume everything was fine and to keep doing stuff in the meantime. Concretely, you can assume almost every unconfirmed transaction will be confirmed, and you'll almost never be wrong. That means Bitcoin is effectively instant for every transaction you don't need to care about, and in the other cases you can just wait a few minutes.
Some payment processors credit sellers with just one confirmation. But it can still take several minutes, or more if your wallet client doesn't add enough fee.
Also, with Bitcoin price so high, fees are absurd for small transactions. That's the real problem.
For large transactions, on the other hand, Bitcoin is faster than wire transfer. I can move thousands of USD in a few hours, anonymously through a mixing service. For ~2% fee. There is the risk of price volatility, I admit.
Edit: Sorry, I didn't specify international transfers.
I could have moved more for exactly the same fee: free.
*subject to chargeback/reversal for up to n months.
Moving funds internationally, in my experience, has sometimes taken days.
If I am wrong, please correct me, but I see no other options on PayPal, which is ridiculous, considering PayPal is such an important service. SMS should not be used for any critical services, but in cases like PayPal there is no choice.
It's also allegedly possible to deactivate in a bunch of other ways, e.g. by adding a new credit card.
Here are the steps commonly advised for Ethereum (also works for storing ERC-20 tokens):
Look up "My Ether Wallet" (be extremely paranoid and triple-check the URL so you don't get scammed with a fake duplicate website). If you follow the steps below, your wallet is as hack-proof as a Nano/Trezor (just store the paper wallet securely, because it's the same as cash when the wallet is loaded with Ether).
1. Create an offline MEW wallet, on a secure PC not connected to the internet (e.g. boot a Linux ISO from a read-only DVD).
2. Print out the wallet details (will have the private key, a QR code for the wallet address, and another QR code for the private key).
3. Send a small amount of Ether to test that you have the correct details (if you bought on Coinbase, use their app to scan the QR code of the paper wallet). The Ether should show up in the wallet within a few seconds (use etherscan.io to check your new address).
4. If the test went ok, send the remaining Ether from Coinbase -> MEW.
5. (Optional) Back up a digital copy of the MEW wallet on a clean USB that you use exclusively for that purpose. Store the wallet details in a password manager on the USB, e.g. KeePass, KeeWeb (any open-source password manager that is kdbx-compliant). This is convenient for when you wish to do transfers. Make sure you don't accidentally copy these details to another PC, upload them online somehow, etc.
("Airgap" ETH wallet for $5)
New crowd-funding page!
TL;DR: The system that allows our phone networks to work together was designed decades ago with minimal security.
SMS isn't a secure or authenticated transport and never has been. Avoid anything that uses SMS as a transport for secrets or phone numbers as auth.
It's not just SS7 vulns but also number portability.
AFAIK, Coinbase is still using SMS as an optional second factor, while iCloud still only allows SMS.
? I’ve had 2FA turned on for my iCloud account for a while, any time I’ve needed to authorize a device I’ve had to approve it on my iMac or iOS device, it doesn’t use SMS.
see step 2: https://support.apple.com/en-au/HT204915
"trusted phone number" is an oxymoron
It's like the whole thing is a house of cards. I'm half amazed that it works as well as it does and isn't exploited more often.
We still need better identity authentication. Copied passports, phone numbers, and email all have problems. There are government initiatives (in the US it seems to be NSTIC and login.gov). This should be opened up and made international. It seems that login.gov is already an OpenID identity provider. So only marketing is left. Next to login with Facebook and Google, there should be a "login with GovID" or however it is called. It has to work automatically for any citizen in any country (whose government participates), so UX is critical.
While blockchain is the hipster technology and there are people working on that (e.g. Civic), I cannot believe in adoption unless government is involved.
We have religious people who will claim it is the foretold sign of the beast and forbid use by their congregation.
So, as you say, it is going to need some marketing. Those same people will often give their information to Facebook, by the way. Once it's from the government, I bet there is blowback. When it was announced, even comments on HN and Slashdot were immediately against the idea.
But, yeah, you're right. It's going to need government involvement, I'm just not sure that is a realistic hope. I also don't have a better solution.
Technically, it is not necessary that the government runs it. We could let Facebook do that, but that would be worse than government, IMHO. Maybe a non-profit would work?
Still, governments must be involved because ultimately they are the original source and enforcer of identity.
We could start by making it optional and using it to expedite some services. We could also start initiating it at birth, to go along with the SSN. Maybe we could even make the SSN card a plastic card with a magnetic strip and a chip in it, for the NFC functionality, as well as making inexpensive USB devices for online authentication?
I'm not an authority on this, or anything. I'm just speculating as to how it might work and how it might be possible to get it adopted. There will still be people against it, thinking it is something like trying to force a single world government, but it should be okay so long as it isn't a strict requirement to access services. Of course, accessing those services might be more difficult and that'd give incentive to use it.
It'd have to be no-direct cost, and replaceable if lost or stolen. Maybe allow a free replacement every two years, or similar. Then, maybe a few bucks to replace it otherwise. There should probably be a hardship clause.
The card could have many other uses, as well. Maybe people could opt to use the same card for banking, for library loans, for welfare benefits, and things like that?
It seems doable, tech-wise. Politically, it's much more difficult. Even the new(ish) enhanced ID requirements went over poorly. My State fought that for years by using the excuse that it was an unfunded law. Yup, Maine fought against the enhanced ID that lets us cross the border into Canada without a passport. The excuse was funding, but it was really about not wanting to be told we needed a federal ID.
It's a potentially tough nut to crack.
I'm surprised that Google still kept insecure password reset on 2FA, while disabling it on regular accounts.