I imagine a world where you go into the cell store, and they demand three forms of identification including a utility bill to talk to you. I can already hear the complaints from a much larger portion of their customer base.
I don't know whether in this case the victim was using SMS codes, or whether the attacker used their phone number as part of a more involved attack (e.g. calling customer support and impersonating the victim). Even if you don't use SMS codes, there are a number of attacks that are opened up if someone seizes your cell phone number.
In general, however, I think it would be a good thing if service providers were held liable for damages occurring due to account breaches; that's the only way we're going to get proper account security. Schneier has written on this subject extensively, e.g. https://www.schneier.com/essays/archives/2003/11/liability_c....
Usually the attack is done against an individual who is known to have significant crypto assets and is using Gmail. By default, if you enable 2FA on your Gmail account, SMS-based 2FA is activated as backup.
The attacker social engineers the phone provider to port the victim's number, then resets the victim's Gmail account, uses Android Device Manager to wipe their devices, and using the details found in Gmail they proceed to gain access to other accounts owned by the victim. The main goal is to social engineer access to services where they store crypto or to find unencrypted wallet backups in the cloud.
Now there is https://landing.google.com/advancedprotection/, which might be a better option -- interested to know if you've got any opinions on that scheme.
You give one example. It also applies when people lose the password for an account, no longer have access to their original or backup email, etc. The most secure thing to do is probably to tell the customer "tough." But that won't go over very well so account recovery practices get put in place that are probably susceptible to social engineering attacks.
It would be similar to the account recovery aspect of Google's Advanced Protection Program: "A common way that hackers try to access your account is by impersonating you and pretending they have been locked out of your account. To give you the strongest protection against this type of fraudulent account access, Advanced Protection adds extra steps to verify your identity during the account recovery process. If you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account."
If they actually took that part seriously, most identification could be done with a PIN or a password or whatever, and the serious identification could be reserved for people who've actually forgotten.
When I was surprised that this is all the authn they needed, the sales guy joked with the rhetorical question “well, you are <my name>, right?” i.e. “well, it ain’t a problem at the moment, right?”
Is that more or less likely than SMS providers fixing their security?
I'm sure you mean TOTP, but it's an important distinction to make. All 2FA isn't created equal.
Two factor authentication is when you need both a password and an SMS token, like how GitHub does it.
I'm not saying SMS 2FA is strong enough; often passwords are weak and/or weakly guarded, and ostensibly phone numbers can be fidgeted with. But having a phone number be the only thing guarding your entire identity is a whole next level of weak.
Suppose you own a coffee shop and offer free wifi, should you be held responsible if someone logs into a bank without SSL and gets their credentials sniffed?
Should you be responsible for designing a wifi protocol that uniquely encrypts the traffic of each user, without shared keys, to prevent sniffing?
Stop giving out my data/access to anyone but me. Once you set a general company attitude towards distribution of data/access, you can't ask for pity when that attitude comes back to bite you. Collect less, lock it down, proliferate it less, etc. Then you'll get my sympathy when an employee at one of your stores gives away my data/access.
And no, restricting data/access and ease of use are not completely mutually exclusive. There is a harmonious middle of the Venn diagram that is completely different to the way things are currently run. Nobody's asking to force 2FA on cell phones here (unless we opt in), we're just asking for better identity verification and less apathy towards giving out my info (in all cases).
But the problem is the company doesn't know who "you" are.
How about, if you forget your password and can’t get into your account, you need to visit a store in person to show your ID, or mail in a notarized copy, or something like that?
It also introduces plenty of other problems. For example, if you are mugged on the street and lose your phone and wallet, are you just frozen out of your mobile account until you can get to the DMV and wait the month until you get a new ID?
It is a hard problem that can't just be fixed by "taking it seriously".
Perhaps a series of strong security questions (no 'mother's maiden name' type), and if failed, you must present ID at a physical location.
Perhaps a copy of an ID or other photo on file that you could match/resend?
Maybe an option to 'lock' the account to changes, that can only be unlocked by the user when logged in, or by visiting a store?
Just off the top of my head, I can think of hundreds of things these companies could be doing better... many of which are not 100% foolproof, but far ahead of what they're doing now.
AT&T sorta offers this - there's an enhanced security option that lets you provide a password or PIN if you want to make account changes. This is allowed in lieu of ID.
My AT&T account is technically still tied to my father-in-law, because my wife and I took it over over a decade ago, when we were still in college. They no longer have AT&T phones and I consider it my account, but whenever I visit a store I have to provide the password before I can upgrade my phone or change the service plan. To move the account into my name would require me and my FIL to visit a store together, which is inconvenient enough that we've not bothered.
To this day I have a personal phone and a revolving burner I only use for non-SMS 2FA with an unlisted number, which is kept in an EMF proof bag while not in use.
Security for this kind of thing is an absolute joke.
Granted, this guy should've known better given the value of his holdings... Most also don't know that accounts such as Authy and other non-SMS 2FA authenticators can still be stolen if your mobile number is stolen.
However, I'm still waiting for a carrier that creates a system that can't be trivially socially engineered by bored Chinese scammers...
I was under the impression that apps like Authy and Google Authenticator have no connection with the telephone network/phone number. Do you have any reference that claims otherwise?
Google Authenticator is offline only and is not vulnerable.
>this password is not stored anywhere on Authy's servers! If you forget the password and none of your devices are synched, your tokens are lost and you will need to delete them and start over
I have some of my more important services tied to an older Yubikey. The only attack vectors for it would be on the server-side and the physical key.
> After the first hack, Terpin alleged that an impostor was able to get his phone number from an "insider cooperating with the hacker" without an AT&T store employee requiring him to show valid identification or provide a required password.
If what he's alleging is true, then he certainly has a case against AT&T.
The point is to prove that you have possession of both knowledge and a physical token (hence two factor). And while sms to phone makes it seem like you are proving possession of the phone, you’re actually proving that you have the phone that texts will route to. That last bit is movable and subject to shockingly little security, hence the issue.
SS7 (https://en.wikipedia.org/wiki/Signalling_System_No._7) does not have any authentication, so anything over the telephone networks can be easily MITM'd.
And at provider's stores they are too eager to please a "customer" so social engineering is very effective at swapping SIM cards out and hijacking your number.
I don't know too much about the SMS protocol. But I do know that most protocols do start out plaintext because programmers are lazy and optimistic.
I'm all for AT&T being held responsible if they broke security protocols. They charge an arm and a leg.
Only rich morons actually need armed security as a result of their social media habits emanating from a pathetically desperate ego.
By Kerckhoffs's principle, a cryptosystem has to stay secure even if everything about the system, except the key, is public knowledge. So Bank A is at fault, because it neglected basic guiding principles for designing security systems.
Here, you're just being a dick.
The point I was trying to make was about conflating the damages being sought in a lawsuit by one party and the actual damages owed by the other in a lawsuit. I think it is pretty common practice for the plaintiff to pick a high number out of somewhat thin air to prevent themselves from leaving money on the table.
Assuming you even have to use SMS, get some weird Walmart mobile service that you can't even really call for support.
It's security through obscurity, but they often literally won't let you port your number out without absurd gymnastics: the support people don't know how, the crappy web-based management system the CSRs use doesn't have a button, etc.
Maybe you can be your own bank, but banks have to depend on external factors/entities to do what they're supposed to do as well.
> Terpin was the victim of two hacks within seven months
If indeed these were separate occurrences of breaking in through the same phone account—and the article is not definitive on this—then the punitive damages seem quite appropriate. “Fool me twice, shame on me,” and all that.
A baseless allegation would be if I were suing AT&T for losing all my crypto investments. I have none and am not an AT&T customer.
An "allegation without merit" means no rational interpretation of the law would result in a guilty conviction of the allegations. Baseless ones are almost always without merit.
I assume as axiomatic (and required by HN guidelines) that you intended to be helpful and relevant, so I asked a question to determine what you were thinking.
If you do not think lawyers use the "baseless" language in a totally transparent, sincere way, then I would've expected you to be more interested in when and how they do that, which is the discussion I was looking for, if any.
I will help you and go ahead and flag all of my posts in this thread so dang and others can take moderative actions against me.
I suspect good lawyers refrain from falsely alleging a claim is baseless when they have more sound arguments to make, and they save the histrionics for table pounding occasions.
What is harder to prove is that he doesn't also control the new addresses where the funds were transferred to.
But couldn't they reasonably argue they are not a service for securing this kind of thing?
If I leave $224m in my car and park it in a car park at my local shopping centre, are they liable for $224m?
I'm not saying they're not liable to some extent.
I suspect that metaphors aren't going to really convey this well.
I think the "cash left in the car" part captures the negligence on the cryptocurrency holder's part. One, he explicitly chose to store his wealth in a medium without reversal mechanisms. Two, he used an online account. AT&T bears some blame for his loss, but not a tremendous amount.
OK that's even more crazy. I had assumed he lost 224.
Also, in what world, when he lost $24M, can he sue for $224M? Entitled to a 10x return because of his own negligence. Nope!
>Sues telecommunications conglomerate for $224M over loss
Is this guy ill or what
I don't think you can expect a security mechanism that is supposed to work counter to that to work very well.
Verification by knowledge of numbers intended to remain secret (social security, credit card) is also never okay.
> After the first hack, Terpin alleged that an impostor was able to get his phone number from an "insider cooperating with the hacker" without an AT&T store employee requiring him to show valid identification or provide a required password. That phone number was later used to access Terpin's cryptocurrency accounts, according to the complaint.
It's just that the article says, "was able to get his phone number".
Getting a phone number, to me, has always had a pretty universal meaning, which is to simply learn its digits. But I suppose you must be right and they actually mean a deeper compromise.
> Sue AT&T for $224 million
> Lose all profit.
1) $200M in punitive damages? The hack occurred in January, and the price has gone down across all cryptocurrencies substantially since then.
2) Was the password hacked? Or did the exchange allow password resets via SMS? (So negligence made 2FA really 1FA.) In this situation it seems AT&T would be at most 50% responsible.
You could reduce that further by arguing AT&T aren't at fault because third parties built authentication and identity protocols on top of what was never guaranteed to be a secure or authenticated channel.
That's why I said "at most" :-)
Absolutely not. It never should be possible for a single employee to do that with no checks at all.