I understand why they make it possible to move a number to a new SIM, but I really wish you had an option to force a notification and delay the transfer for a number of days. Even a three day delay would be enough. You'd put in the request and they'd send a notification via SMS/call and email, and then the transfer wouldn't happen for 72 hours.
I would gladly deal with the potential inconvenience of not having access to my phone for a few days if it meant that it would make it harder to transfer my number to a different SIM. I don't think this should be mandatory, but I'd like the option.
It's just WAY too easy to call a cell provider and have them transfer your number to a new SIM and all the security measures that they use are easily defeated. Once you have someone's social security number you can spend 99¢ on a public records dump and get enough information to convince just about any customer service person to do whatever you want.
They said the best they could do was to add a note to my file to check id in store before transferring.
This is better than nothing, but relies on the CS representative actually seeing the note on my file. Even then, there might be ways around it.
And more importantly, it does nothing to stop someone asking another provider to port my number to them. Apparently inter-provider ports are all automated and there is nothing anyone could do to stop it.
So it doesn't make the SIM more secure, but if the SIM gets hacked it doesn't allow the attacker to gain access to Gmail.
"Phone number" is truly the most dysfunctional social network.
I know T-Mobile actually had some issues with this in the past, so even though I miss the convenience of going to t-mobile.com/sim to swap a card out I feel it's a much better solution security-wise.
It reminds me of MJR confidently stating that the maximum cost of gaining access to any secure network is min:
1) A yearly salary of the lowest paid employee who has access (i.e. someone's secretary)
2) A price of a Desert Eagle
You also need to supply your secret social security number in a safe validation form.
So to me it’s much safer than a token auth that I’ll accidentally wipe whenever I buy a new phone. At least Authy allows SMS restore.
For example, I lost my phone on a Thursday a couple months ago and desperately needed it for work the following week. Ordered a replacement phone as well as SIM with express shipping. Received both over the weekend, called the provider to port from the lost SIM to the new one, and was able to work on Monday.
Having an unavoidable X-hour long delay before the port went through would've been awful. I'm sure there's another way to accomplish the same goal - perhaps requiring more info than just account number / PIN / password, implementing physical ID verification, etc.
What if that "unavoidable X-hour long delay" prevented your 2-FA codes from being compromised during a targeted attack?
To be fair, very few people are individually targeted in these types of attacks (statistically).
It would be great to have a 72-hour delay on transfer if it were on an opt-in basis.
(Side note: has anyone tried to disable web access to text messages on a Verizon line?)
For me the potential delay in the event of a lost/stolen/upgraded device is well worth it when the flip side is the potential nightmare resulting from the damage done if the person gets into an important account.
It seems to me like requiring some secondary form of authentication can always be bypassed at the discretion of the agent helping you because there will always be a possibility that the customer lost/can't remember the secondary key or ID.
Although, now that I think about it… UPS does something interesting to verify your account. They ask you to input a unique set of numbers that appear on your last invoice to link your account and verify your ID. Not foolproof by any means, but it's enforced for every authentication by design. Definitely more secure than the current PIN.
The problem is when people forget the “2” part and allow SMS to be a substitute for having the password. That should never be done.
The related problem is that, as a user, it's hard to tell when some service wants your number for proper 2FA, or when they want it as a separate authentication mechanism they just happen to call "2FA."
...or when they want it to be able to call or text you with other BS entirely. I hesitate to give my cell number to any company. I have a separate number (formerly a landline, now strictly a voicemail box) that I use specifically for companies.
I gave my cell number to a new dentist recently, thinking "medical office, probably important they be able to reach me." That turned out to be a mistake. They subscribed me to an automated appointment confirmation service, and they also send me a text (from a different number than the confirmation service) after I finish a visit to solicit reviews. This is exactly why I hate giving it out.
The account has no associated number so it's not a verification at all!
1. They draw from fixed unimaginative pools of often-overlapping questions, so that a breach in one company compromises you on multiple others.
2. Unlike a password, the actual secret question is often plaintext
If I had to design a replacement... The user would always be allowed to define custom questions, all questions could be assigned multiple synonymous correct answers (e.g. "Dr. Smith", "Doctor Smith"), and they all go through a one-way hash with salt.
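One way to implement the replacement design sketched above (an added example, not code from the thread): a user-defined question, several synonymous accepted answers, normalization so spacing, case and punctuation don't matter, and a salted one-way hash per answer. The function names and the choice of PBKDF2 as the hash are assumptions of this example.

```python
import hashlib
import hmac
import os
import unicodedata


def normalize(answer):
    """Canonicalise an answer: strip accents, punctuation, case and extra spaces."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    text = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in text)
    return " ".join(text.lower().split())


def hash_answer(answer, salt):
    """Salted one-way hash of the normalized answer (PBKDF2-HMAC-SHA256, assumed here)."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode(), salt, 200_000, dklen=32
    )


def enroll(question, accepted_answers):
    """Store a custom question plus one salted hash per synonymous accepted answer.

    Only hashes are persisted; the plaintext answers never reach storage.
    """
    salt = os.urandom(16)
    return {
        "question": question,
        "salt": salt,
        "hashes": [hash_answer(a, salt) for a in accepted_answers],
    }


def verify(record, candidate):
    """Return True if the candidate matches any enrolled synonym.

    Every stored hash is checked with a constant-time compare, and the loop
    never exits early, so timing does not reveal which synonym matched.
    """
    digest = hash_answer(candidate, record["salt"])
    matched = False
    for stored in record["hashes"]:
        matched |= hmac.compare_digest(digest, stored)
    return matched


if __name__ == "__main__":
    # Constructed sample enrolment using the synonyms from the comment above.
    rec = enroll("Who was your first dentist?", ["Dr. Smith", "Doctor Smith"])
    print(verify(rec, "doctor   SMITH"), verify(rec, "Smith"))  # True False
```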
I'm using it with the Titan keys (they're not my favorite, but work) and it works pretty well. I can't do as much 3rd party stuff, but I only keep my Google account (right now) for my old email address that's already forwarded to my new email address, Google Music, and Google Pay, so that doesn't affect me much. If you use a lot of 3rd party apps or get your mail via IMAP and the like, it's going to be more difficult.
A weird thing is that Google doesn't seem to allow for U2F key use without Advanced Protection turned on, which is puzzling to me.
The PSTN and phone system telecom industry in general is not hardened. The more you see the underpinnings of it, as I have, the more it looks like a bunch of 30-year-old bullshit held together with the technological equivalent of duct tape and twine.
SS7 needs to be burnt to the ground, the ashes stomped around on a bit, and shoveled into a dustbin.
This happens to every system eventually if it lives long enough.
a) only a certain elite group of people or companies will be able to use it (in this case, PSTN operators)
b) total trust between all parties using it, so there's no need for provably-hardened cryptography.
both of which are now laughable in a modern network security threat environment.
In this case SS7 was just never designed with the concept that malicious third parties might get access to it, or that it would not be operated by RBOCs (Regional Bell Operating Companies), or the international equivalent thereof (nationally run telcos such as British Telecom, Telecom Italia, etc).
No one is forcing you to use the same number for everything. And don't complain that it's just too expensive and unrealistic to maintain more than one phone number, because that is simply untrue.
Yes, I am aware of NIST's guidelines regarding SMS as a layer of multi-factor authentication. Those guidelines are for large organizations that dictate user behavior in a top-down hierarchy. Individual security profiles are much more flexible, and don't require the same degree of adherence to recommended practices.
Absolutely minimal 3rd party involvement, I'd say less than most web browsers these days as there really isn't a significant attack surface for the apps.
It uses Verisign's VIP app instead of Google Authenticator (or Authy or whatever).
Personally I wouldn't risk it since it could mean risking getting locked out of your account.
Most of these attacks are social engineering.
PayPal's CEO is head of Symantec's board. PayPal must use Symantec software wherever it is available, and their MFA is no exception.
This is still baffling as you say though, because Symantec's MFA system does allow for other mechanisms.
On "certain Russian forums" the talk is that this was how British MPs were deprived of their email mailboxes in 2016. Somebody dug up their IMSIs from leaks and public DBs, and sent roaming requests through Megafon, Russia's biggest telco.
SS7 hacking to achieve that end would be a higher barrier to entry and more likely to get caught.
wow, no proof of stake required, rating 1/5
Their technical support is actual tech support, with tech guys that won't take any bullshit, especially if you have 2FA (TOTP-based) on your account.
The numbers are not recognised as VoIP and will work with every single service (I have yet to find one that will fail). I believe they are partnered with a local carrier that does some magic (call forwarding to some internal number?) so from the outside they look just like any other mobile number from that carrier.
(no affiliation besides being a satisfied customer for years)
Which numbers are you using? 07 ones or 020?
I don't remember what the second one was, but it ended with the support person agreeing it was a problem, but suggesting I post to product forum.
If that's amazing support, I'd rather rely on the normal channels: writing an angry blog post and posting it to HN, or suckering your smart friends into interviewing at Google and bribing them to fix your problems once they get there.
Great decision, as I got to reset my social graph: no services would try to auto-connect me with everyone from high school and college that had dumped their contacts' data.
My daily number, not connected to any 2FA (for which I use Google Voice), is a T-Mobile one, and a couple years ago I bought a nano SIM to replace a larger SIM, and the call center operator transferred the number without me having to answer almost anything overly personal. I think they just asked for a PIN, which I'd obviously forgotten, and with some mild additional information it was reset right there. It was truly shocking; the old SIM just got disconnected from the network instantly.
For 2FA via text, Google Voice is IMHO the only choice, by far.
And for social graph implications, on your google account you can choose to not be discoverable to other people via your phone number, and that includes the Google Voice number since it's explicitly listed there (of course I assume it doesn't work the other way around, which seems to be the thing you are bothered by, I'm usually worried about being discovered by others than being shown a list of people I might know).
Offering SMS based one time codes - with no OTP protocol alternative - should be considered negligence of the legally sanctionable kind.
And finally, who cares about your social graph on Google? That's not the issue at alllll.
Also fascinating is that the only functional support channel is "write a blog post and hope a lot of people upvote it on a news aggregator".
Two really interesting trends there.
Citation needed. Extra credit for WikiHow step by step with badly drawn art.