Slightly less exciting TLDR: as many of you already know, SMS isn't a good second factor for auth. That includes entrusting your Bitcoin wallet's private keys to a company using SMS for 2FA. Let's mention "cryptocurrency" as well to show up in more news alerts.
Basically it's a hangover from the PayPal football days (a PayPal-branded Verisign 2FA hardware token) they used to sell. No idea why they don't transition over to Google Auth style TOTP algo.
But they still haven't ported all their systems to 2FA yet. Some pages require you to enter your password and append your 2FA token to the end of it (mainly when logging in on mobile) and I know of a couple of stores that, due to their PayPal integration, I cannot get to the final "Pay Now" page on PayPal even though I successfully log into PayPal. But when you would normally get to that final page to press "Pay" the page just times out. I have to disable 2FA and do it again.
You can use "Symantec VIP" (it was renamed after Verisign was bought out). Though they don't make the sign up very easy. You have to go to the 2 factor page ("Security key") under security, press "Get security key", when prompted to enter your phone number press "cancel", then press "Activate your PayPal or VIP (VeriSign Identity Protection) token" and then enroll as normal.
It's not Google Auth and it kinda feels like I am now gaining a collection of 2FA apps (iirc Namecheap's non-SMS 2FA is powered by Authy but you cannot use Authy) so I do wish they would all adopt a standard.
I was targeted this evening by a hacker who ported my phone number, and then got into FB + Yahoo (SMS reset).
The motive appears to be bitcoin, based on the people contacted via facebook.
Is it possible the initial PIN that was sent by T-Mobile was intercepted via SS7? I am trying to find out if my phone (Android) is compromised as well.
The accounts and phone number are back under my control but I want to find out the vector as soon as possible - I don't trust T-Mobile to honor requests not to allow porting.
What a frightening experience! I'm sorry this happened to you. Curious to understand how these attackers obtained your phone number in the first place? I mean it's not something you publish widely, right?
Unfortunately I don't guard my name + number like I do my passwords. Who knows how they found it, in a post equihax world I'm not sure anyone can consider this private.
I don’t mean to say it was OP’s fault but you shouldn’t really use your primary phone number for 2FA anyways. Using a burner dumb phone dedicated only for 2FA should be standard, right?
It turns out the hacker stole a dealer's ID which meant the OTP sent to my phone was never needed / used. The dealer id overrides the need for a password.
I think it's important to hammer the distinction into the minds of the public. The takeaway being that one should not treat Coinbase as a wallet and thus should never leave coin in their accounts.
For example my boss lost coin trusting it in the hands of Coinbase. He has contacted support to no avail. And there are no legal repercussions for them doing this, just as PayPal reserves the right to freeze or steal your assets.
Maybe not Bitcoin, but most other currencies have near-instant transactions. Even Bitcoin's transaction speed outperforms wire transfers (in the US) by a matter of days.
Actually, I was shocked how quickly Bitcoin transfers were. About a week ago I watched someone transfer me $10 in BTC and I got "unconfirmed: $10" within a few seconds.
It wasn't confirmed until a few minutes later, but that was enough time to assume everything was fine and to keep doing stuff in the meantime. Concretely, you can assume almost every unconfirmed transaction will be confirmed, and you'll almost never be wrong. That means Bitcoin is effectively instant for every transaction you don't need to care about, and in the other cases you can just wait a few minutes.
Some payment processors credit sellers with just one confirmation. But it can still take several minutes, or more if your wallet client doesn't add enough fee.
Also, with Bitcoin price so high, fees are absurd for small transactions. That's the real problem.
For large transactions, on the other hand, Bitcoin is faster than wire transfer. I can move thousands of USD in a few hours, anonymously through a mixing service, for a ~2% fee. There is the risk of price volatility, I admit.
Edit: Sorry, I didn't specify international transfers.
It will be using faster payments[1] which allows up to £250,000 to be moved between UK accounts without any fees. For how long it takes I'm used to seeing "within 2 hours" claimed but in practice it's instantaneous.
I routinely move funds internationally using the old-fashioned mechanism called "wire transfer" which for my particular case, is settled in hours and has zero fee.
Maybe things have improved. I recall some hassle getting my bank to handle international wires. And I suspect that "routinely" may be the distinction. Once the bank does one transfer, it becomes routine.
So, a little anecdote, a friend of mine was the victim of an attack and wanted my advice. The attackers used the SS7 hack, but he also used a phone based TFA, and somehow attackers were able to get the keys to this. He was able to get some of his coins elsewhere on a paper wallet, but they got everything in his hot wallet, and he received a notification that his coins were being moved out of his cold storage. Thankfully this process takes some time, so he was able to get that company on the line and stop it (probably pure luck that the attackers didn't intercept this). I told him to lock down the cold storage and trash his phone (based on the level of control that would be required to get TFA private keys). So, there hasn't been any further analysis done on this attack (the cold storage coins are safe, that's the main thing), but just want to mention this to get your gears turning. It's possible coins being stolen this way are being used to fund a nuclear program - keep them close.
Sadly, as far as I know, PayPal only allows SMS. I believe with a business account you cannot link your PayPal to Braintree and thus you cannot use any 2-auth authenticator.
If I am wrong, please correct me, but I see no other options on PayPal, which is ridiculous, considering PayPal is such an important service. SMS should not be used for any critical services, but in cases like PayPal there is no choice.
I wonder if you could use the interest in bitcoin wallets as a canary for device compromise - load up servers, phones, desktops, etc with unprotected wallets, add a small amount of bitcoin and set up an alert system if the funds are moved.
Or a paper wallet, which is free, although it involves jumping through some extra hoops.
Here are the steps commonly advised for Ethereum (also works for storing ERC-20 tokens):
Look up "My Ether Wallet" (be extremely paranoid and treble check the URL so you don't get scammed with a fake duplicate website). If you follow the steps below, your wallet is as hack-proof as a Nano/Trezor (just store the paper wallet securely, because it's the same as cash when the wallet is loaded with Ether).
1. Create an offline MEW wallet, on a secure PC not connected to the internet (e.g. boot Linux ISO from a read only DVD)
2. Print out the wallet details (will have the private key, a QR code for the wallet address, and another QR code for the private key).
3. Send a small amount of Ether to test that you have the correct details (if you bought on Coinbase, use their app to scan the QR code of the paper wallet). The Ether should show up in the wallet within a few seconds (use etherscan.io to check your new address).
4. If the test went ok, send the remaining Ether from Coinbase -> MEW.
5. (Optional) Back up a digital copy of the MEW wallet on a clean USB that you use exclusively for that purpose. Store the wallet details in a password manager on the USB, e.g. KeePass, Keeweb (any open source password manager that is kdbx compliant). This is convenient for when you wish to do transfers. Make sure you don't accidentally copy these details to another PC, upload them online somehow, etc.
Clickbait, has almost nothing to do with Bitcoin: "the first cases of attacks exploiting SS7 were registered in Germany, in which money was stolen from bank accounts"
? I’ve had 2FA turned on for my iCloud account for a while, any time I’ve needed to authorize a device I’ve had to approve it on my iMac or iOS device, it doesn’t use SMS.
Maybe it's time for SSMS? The extra S being for secure, of course. Something encrypted and requiring authentication would be good - and maybe (tangentially related) not letting just anyone transfer your phone number to a new phone contract. That should require ID and some level of additional authentication.
It's like the whole thing is a house of cards. I'm half amazed that it works as well as it does and isn't exploited more often.
We still need better identity authentication. Copied passports, phone numbers, and email all have problems. There are government initiatives (in the US it seems to be NSTIC and login.gov). This should be opened up and made international. It seems that login.gov is already an OpenID identity provider. So only marketing is left. Next to login with Facebook and Google, there should be a "login with GovID" or however it is called. It has to work automatically for any citizen in any country (whose government participates), so UX is critical.
While blockchain is the hipster technology and there are people working on that (e.g. Civic), I cannot believe in adoption unless government is involved.
I'd like to see something done in that area. Unfortunately, I'm not sure how politically feasible login.gov is. No, I know it exists and is technically possible - but we have people, a lot of them, who are very much against government tracking. We have people who think the census should be illegal and will claim it is a conspiracy when you point out it is an enumerated responsibility listed in the constitution.
We have religious people who will claim it is the foretold sign of the beast and forbid use by their congregation.
So, as you say, it is going to need some marketing. Those same people will often give their information to Facebook, by the way. Once it's from the government, I bet there is blowback. When it was announced, even comments on HN and Slashdot were immediately against the idea.
But, yeah, you're right. It's going to need government involvement, I'm just not sure that is a realistic hope. I also don't have a better solution.
Facebook already serves as a global identity provider. However, it does not fit some use cases. For example, to buy Bitcoins on Coinbase, you have to comply with KYC/AML laws, which essentially means you must send them a scan of your passport and other stuff. A Facebook login is not enough.
Technically, it is not necessary that the government runs it. We could let Facebook do that, but that would be worse than government imho. Maybe a non-profit would work?
Still, governments must be involved because ultimately they are the original source and enforcer of identity.
I wonder if some sort of global NGO would work? Maybe an offshoot of the UN? At least initially, it will get lots of blowback in the US - if it is a requirement to get services. So, maybe they can incentivize it? Total adoption may take quite a while, perhaps even a full generation, though maybe more.
We could start by making it optional and using it to expedite some services. We could also start initiating it at birth, to go along with the SSN. Maybe we could even make the SSN card a plastic card with a magnetic strip and a chip in it, for the NFC functionality, as well as making inexpensive USB devices for online authentication?
I'm not an authority on this, or anything. I'm just speculating as to how it might work and how it might be possible to get it adopted. There will still be people against it, thinking it is something like trying to force a single world government, but it should be okay so long as it isn't a strict requirement to access services. Of course, accessing those services might be more difficult and that'd give incentive to use it.
It'd have to be no-direct cost, and replaceable if lost or stolen. Maybe allow a free replacement every two years, or similar. Then, maybe a few bucks to replace it otherwise. There should probably be a hardship clause.
The card could have many other uses, as well. Maybe people could opt to use the same card for banking, for library loans, for welfare benefits, and things like that?
It seems doable, tech-wise. Politically, it's much more difficult. Even the new(ish) enhanced ID requirements went over poorly. My State fought that for years by using the excuse that it was an unfunded law. Yup, Maine fought against the enhanced ID that lets us cross the border into Canada without a passport. The excuse was funding, but it was really about not wanting to be told we needed a federal ID.