Hacker News new | comments | ask | show | jobs | submit login

There are of course two sides to every coin. The flip side is, cell carriers never signed up to be a secure identification mechanism. SMS wasn't designed for security, and there's little financial incentive for them to invest in those changes, i.e., they don't charge you more for secure authorization of 3rd party platforms. I think its very akin to the US Social Security Number being used as a 'secure' identification in many cases.

I imagine a world where you go into the cell store, and they demand three forms of identification including a utility bill to talk to you. I can already hear the complaints from a much larger portion of their customer base.

That's a good point in general; NIST recommends not using SMS for challenge-response authentication.

I don't know whether in this case the victim was using SMS codes, or whether the attacker used their phone number as part of a more involved attack (e.g. calling customer support and impersonating the victim). Even if you don't use SMS codes, there are a number of attacks that are opened up if someone seizes your cell phone number.

In general, however, I think it would be a good thing if service providers were held liable for damages occurring due to account breaches; that's the only way we're going to get proper account security. Schneier has written on this subject extensively, e.g. https://www.schneier.com/essays/archives/2003/11/liability_c....

I work in fraud prevention. While it's not yet a typical attack, it is does happen regularly.

Usually the attack is done against an individual who is known to have significant crypto assets and is using Gmail. By default if you enable 2fa on your Gmail account, sms based 2fa is activated as backup.

The attacker social engineers the phone provider to port the victims number, then resets the victims Gmail account, uses Android device manager to wipe their devices, and using the details found in Gmail they proceed to gain access to other accounts owned by the victim. The main goal being to social engineer access to services where they store crypto or to find unencrypted wallet backups in the cloud.

The previous best option I was aware of with Gmail was to add a pair of Yubikeys, then explicitly remove your cellphone from the account, to close the gap you mention.

Now there is https://landing.google.com/advancedprotection/, which might be a better option -- interested to know if you've got any opinions on that scheme.

Exactly. You can always debate specific security practices. But there's definitely a tradeoff between resistance to social engineering and related attacks on the one hand and convenience on the other hand.

You give one example. It also applies when people lose the password for an account, no longer have access to their original or backup email, etc. The most secure thing to do is probably to tell the customer "tough." But that won't go over very well so account recovery practices get put in place that are probably susceptible to social engineering attacks.

What if carriers created an "enhanced security mode," which users can opt-in to if they want more security and are okay with sacrificing convenience in case of account recovery?

It would be similar to the account recovery aspect of Google's Advanced Protection Program: "A common way that hackers try to access your account is by impersonating you and pretending they have been locked out of your account. To give you the strongest protection against this type of fraudulent account access, Advanced Protection adds extra steps to verify your identity during the account recovery process. If you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account."[1]

[1] https://landing.google.com/advancedprotection

Mr. Terpin had enrolled to such enhanced security program from AT&T. AT&T broke their own rules. Thus, the lawsuit.

Thread https://twitter.com/stephendpalley/status/102973234509876428...

I just want a world where you go into a cell store, and they don't tell you they've got a great idea, just make your PIN your birthdate.

If they actually took part that seriously, most identification could be done with a PIN or a password or whatever and the serious identification could be reserved for people who've actually forgotten.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact