Listen to a SIM-Jacking, Account-Stealing Ransom (vice.com)
167 points by petethomas 5 months ago | 92 comments

This is something that really worries me. I use token based 2FA when I can but the reality is that I have like 50 accounts with 2FA and I forget which ones have SMS as a backup. I'm sure there's an account in there somewhere that's at risk. I have AT&T and use the extra security PIN code, but I know it's not 100% guaranteed. The other day I got a robocall asking for my PIN and last four of my social. I didn't do it, but just knowing my number was on that list worried me. I called AT&T and asked them to put a note in my account that said not to allow my phone number to be transferred to another SIM. They said they did it, but again I don't know how effective that is.

I understand why they make it possible to move a number to a new SIM, but I really wish you had an option to force a notification and delay the transfer for a number of days. Even a three day delay would be enough. You'd put in the request and they'd send a notification via SMS/call and email, and then the transfer wouldn't happen for 72 hours.

I would gladly deal with the potential inconvenience of not having access to my phone for a few days if it meant that it would make it harder to transfer my number to a different SIM. I don't think this should be mandatory, but I'd like the option.

It's just WAY too easy to call a cell provider and have them transfer your number to a new SIM and all the security measures that they use are easily defeated. Once you have someone's social security number you can spend 99¢ on a public records dump and get enough information to convince just about any customer service person to do whatever you want.

I talked to my cell phone provider and asked them if there was anything they could do to prevent transferring of my number.

They said the best they could do was to add a note to my file to check ID in store before transferring.

This is better than nothing, but relies on the CS representative actually seeing the note on my file. Even then, there might be ways around it.

And more importantly, it does nothing to stop someone asking another provider to port my number to them. Apparently inter-provider ports are all automated and there is nothing anyone could do to stop it.

Running it through Google Voice will make it subject to your Google 2FA.

Could you please elaborate about the Google thing you mentioned? I am interested in making my AT&T SIM more secure.

It replaces the SMS 2FA with a Google prompt app on the phone for Gmail verification.

So it doesn't make the SIM more secure, but if the SIM gets hacked it doesn't allow the attacker to gain access to Gmail.

Also if your public SMS reset number is in Google Voice, a hacker can't port it off of Google easily because you need to log into your Google account to port it, which requires 2FA. They have to figure out your real number, but you never give that out to anyone or you just use Google Hangouts SMS instead of forwarding text messages to your insecure phone.

> Apparently inter-provider ports are all automated and there is nothing anyone could do to stop it.

"Phone number" is truly the most dysfunctional social network.

T-Mobile has put in place some protections to prevent unauthorized transfers of your account to new SIM cards; I just had to deal with them last night, actually. Swapping SIM cards for a line must either be done in-store where your photo ID can be verified, or over the phone but only after confirmation of an OTP sent to account managers via SMS.

I know T-Mobile actually had some issues with this in the past, so even though I miss the convenience of going to t-mobile.com/sim to swap a card out I feel it's a much better solution security-wise.

The lack of security of cell phone providers is absolutely infuriating considering the sheer number of people who are paid $20/h that have the ability to see and manipulate records at the likes of AT&T, Sprint, TMO and VZ, not to mention those who work for resellers like Best Buy that are authorized to make activation and porting related changes.

It reminds me of MJR confidently stating that the maximum cost of gaining access to any secure network is min:

1) A yearly salary of the lowest paid employee who has access (i.e. someone's secretary)

2) A price of a Desert Eagle

Ah just FYI the pay is around $10-$11 an hour.

In my country you can’t transfer your sim or number without signing the transaction with our national two-factor digital identity that is provided by the government.

You also need to supply your secret social security number in a safe validation form.

So to me it’s much safer than a token auth that I’ll accidentally wipe whenever I buy a new phone. At least Authy allows SMS restore.

There definitely needs to be more stringent protocols in place for transferring numbers, but I have to disagree with the 72-hour delay idea - it may hamstring those who are porting numbers for legitimate reasons.

For example, I lost my phone on a Thursday a couple months ago and desperately needed it for work the following week. Ordered a replacement phone as well as SIM with express shipping. Received both over the weekend, called the provider to port from the lost SIM to the new one, and was able to work on Monday.

Having an unavoidable X-hour long delay before the port went through would've been awful. I'm sure there's another way to accomplish the same goal - perhaps requiring more info than just account number / PIN / password, implementing physical ID verification, etc.

> Having an unavoidable X-hour long delay before the port went through would've been awful

What if that "unavoidable X-hour long delay" prevented your 2-FA codes from being compromised during a targeted attack?

To be fair, very few people are individually targeted in these types of attacks (statistically).

It would be great to have a 72-hour delay on transfer if it were on an opt-in basis.

(Side note: has anyone tried to disable web access to text messages on a Verizon line?)

That's why I said it should be optional. A lot of people wouldn't want this. Some would. I definitely would.

For me the potential delay in the event of a lost/stolen/upgraded device is well worth it when the flip side is the potential nightmare resulting from the damage done if the person gets into an important account.

It seems to me like requiring some secondary form of authentication can always be bypassed at the discretion of the agent helping you because there will always be a possibility that the customer lost/can't remember the secondary key or ID.

Although, now that I think about it… UPS does something interesting to verify your account. They ask you to input a unique set of numbers that appear on your last invoice to link your account and verify your ID. Not foolproof by any means, but it's enforced for every authentication by design. Definitely more secure than the current PIN.

Dear everyone at Apple, Facebook, Google, etc. Please stop and remove the ability to use texting as 2FA. The mobile telecom industry is not hardened.

2FA over SMS is fine. It’s not the most secure thing, but it’s an improvement over just having a password.

The problem is when people forget the “2” part and allow SMS to be a substitute for having the password. That should never be done.

The related problem is that, as a user, it’s hard to tell when some service wants your number for proper 2FA, or when they want it as a separate authentication mechanism they just happen to call “2FA.”

> ...it’s hard to tell when some service wants your number for proper 2FA, or when they want it as a separate authentication mechanism they just happen to call “2FA.”

...or when they want it to be able to call or text you with other BS entirely. I hesitate to give my cell number to any company. I have a separate number (formerly a landline, now strictly a voicemail box) that I use specifically for companies.

I gave my cell number to a new dentist recently, thinking "medical office, probably important they be able to reach me." That turned out to be a mistake. They subscribed me to an automated appointment confirmation service, and they also send me a text (from a different number than the confirmation service) after I finish a visit to solicit reviews. This is exactly why I hate giving it out.

Just today Google prevented me from logging in with the correct password and asked for a phone number as additional verification. Any phone number.

The account has no associated number so it's not a verification at all!

That's not for your benefit, that's for them to verify you're a human / not a spammer / collect information (at least that seems like the most reasonable explanation to me).

The "best" part is password recovery — where SMS is typically the "second factor" to a completely insecure "secure question".

It frustrates me how almost every company's "secure question" system is utterly retarded and recklessly dangerous.

1. They draw from fixed unimaginative pools of often-overlapping questions, so that a breach in one company compromises you on multiple others.

2. Unlike a password, the actual secret question is often plaintext.

If I had to design a replacement... The user would always be allowed to define custom questions, all questions could be assigned multiple synonymous correct answers (e.g. "Dr. Smith", "Doctor Smith"), and they all go through a one-way hash with salt.
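The replacement design sketched in the comment above (user-defined questions, several synonymous accepted answers, everything stored as a salted one-way hash) as a worked example. This is added code, not something from the thread or from any company it mentions; the choice of PBKDF2-HMAC-SHA256 with 100,000 iterations, a fresh 16-byte salt per enrolled answer, and the light case-fold/whitespace normalisation are my assumptions.

```python
"""Recovery-question store with user-defined questions, multiple accepted
answers per question, and salted one-way hashing of every answer.

Added example; assumptions: PBKDF2-HMAC-SHA256 as the slow hash, one random
salt per accepted answer, case-fold + whitespace-collapse normalisation.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Tuple

ITERATIONS = 100_000  # assumption: tune to the deployment's CPU budget


def normalize(answer: str) -> str:
    """Case-fold and collapse internal whitespace, nothing more: 'Dr. Smith'
    and 'Doctor Smith' remain distinct and must be enrolled separately."""
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def hash_answer(answer: str, salt: bytes) -> bytes:
    """One-way hash of the normalised answer under the given salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )


@dataclass
class RecoveryQuestion:
    question: str  # free text chosen by the user, stored as-is
    # one (salt, digest) pair per accepted answer; no plaintext is kept
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def add_answer(self, answer: str) -> None:
        """Enrol another synonymous correct answer under its own salt."""
        salt = os.urandom(16)
        self.entries.append((salt, hash_answer(answer, salt)))

    def check(self, candidate: str) -> bool:
        """True if the candidate matches any enrolled answer. Every entry is
        hashed and compared so the timing does not reveal which one matched."""
        matched = False
        for salt, digest in self.entries:
            if hmac.compare_digest(hash_answer(candidate, salt), digest):
                matched = True
        return matched


class RecoveryStore:
    """All questions for one account; recovery requires every question to pass."""

    def __init__(self) -> None:
        self.questions: List[RecoveryQuestion] = []

    def enroll(self, question: str, *answers: str) -> RecoveryQuestion:
        q = RecoveryQuestion(question)
        for a in answers:
            q.add_answer(a)
        self.questions.append(q)
        return q

    def verify(self, responses: List[str]) -> bool:
        """Check one response per enrolled question; all must match."""
        if len(responses) != len(self.questions):
            return False
        results = [q.check(r) for q, r in zip(self.questions, responses)]
        return all(results)


def demo() -> bool:
    """Constructed sample enrolment and recovery attempt."""
    store = RecoveryStore()
    store.enroll("Who was your first dentist?", "Dr. Smith", "Doctor Smith")
    store.enroll("Recovery phrase (exact spelling)", "correct horse battery staple")
    return store.verify(["doctor  smith", "Correct Horse Battery Staple"])


if __name__ == "__main__":
    print("recovery succeeded" if demo() else "recovery failed")
```

The synonym list is per user and explicit: normalisation only smooths case and spacing, so a user who wants "Dr. Smith" and "Doctor Smith" both accepted enrols both, exactly as the comment proposes. Nothing but salt and digest is persisted, so a database leak exposes neither the answers nor which of several accounts share a question.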

You have no obligation to answer the secure questions truthfully, or not to write a long random string of text... Starting with "Do not accept the answer if I can't spell this exactly" in case a human gets involved...

Of course you'll be SOL if you legitimately lose your password and the answers to those questions.

Sounds like a good reason to use a password manager and good backups to store them?

If you register your phone number your password basically gets useless, as someone can remotely (from another country even) steal your phone number and then reset your password.

That would be one factor, no?

I mean if SMS is not just used as a second factor, but also used for password reset/override, it basically becomes one factor. So yes.

Google has a new account setting called Advanced Protection. All it accepts is two hardware U2F keys (primary and backup) and your password. It supposedly makes your Google account pretty hardened. The only issue is that you can only use Chrome with U2F keys right now because Firefox U2F isn't fully baked yet.

I'm using it with the Titan keys (they're not my favorite, but work) and it works pretty well. I can't do as much 3rd party stuff, but I only keep my Google account (right now) for my old email address that's already forwarded to my new email address, Google Music, and Google Pay, so that doesn't affect me much. If you use a lot of 3rd party apps or get your mail via IMAP and the like, it's going to be more difficult.

A weird thing is that Google doesn't seem to allow for U2F key use without Advanced Protection turned on, which is puzzling to me.

For what it's worth, I use a U2F key regularly with Firefox. Just enable the security.webauth.u2f flag under about:config. I realize that's not a good solution for everyone, but if you're just looking to do it for yourself it works.

You know, I figured out what the problem was and it works now. I had set up FF Sync on a PC that didn't have U2F turned on yet.

Weird, I have U2F keys in my non-Advanced Protection account.

Maybe I was looking in the wrong place, good to know, thanks.

> The mobile telecom industry is not hardened.

The PSTN and phone system telecom industry in general is not hardened. The more you see the underpinnings of it, as I have, the more it looks like a bunch of 30-year-old bullshit held together with the technological equivalent of duct tape and twine.

SS7 needs to be burnt to the ground, the ashes stomped around on a bit, and shoveled into a dustbin.

> The more you see the underpinnings of it, as I have, the more it looks like a bunch of 30-year-old bullshit held together with the technological equivalent of duct tape and twine.

This happens to every system eventually if it lives long enough.

My biggest takeaway from it is that many things standardized before a certain era are based entirely on two concepts of operations:

a) only a certain elite group of people or companies will be able to use it (in this case, PSTN operators)

b) total trust between all parties using it, so there's no need for provably-hardened cryptography.

both of which are now laughable in a modern network security threat environment.

In this case SS7 was just never designed with the concept that malicious third parties might get access to it, or that it would not be operated by RBOCs (regional bell operating companies), or the international equivalent thereof (national run telcos such as British Telecom, Telecom Italia, etc).

You know pre-paid burner phones are a reasonable option to harden security at your own pace, right?

No one is forcing you to use the same number for everything. And don't complain that it's just too expensive and unrealistic to maintain more than one phone number, because that is simply untrue.

Yes, I am aware of NIST's guidelines, regarding SMS as a layer of multi-factor authentication [0]. Those guidelines are for large organizations that dictate user behavior in a top-down hierarchy. Individual security profiles are much more flexible, and don't require the same degree of adherence to recommended practices.

[0] https://pages.nist.gov/800-63-3/sp800-63b.html

Seems a pretty wasteful solution if everyone maintains a secondary burner phone for login. But it works for the short term, and I would worry about fees and inactivity cancellations.

Or, allow it, and inform them there's a safer method called Google Authenticator. Authenticators make your logins dependent upon 3rd-party software, and are only as secure as that single source of failure is.

There are many 2FA apps compatible with the TOTP and HOTP standards and they rarely, if ever, require an update.

Absolutely minimal 3rd party involvement, I'd say less than most web browsers these days as there really isn't a significant attack surface for the apps.

It always bugged me how Google Authenticator doesn't back up accounts "by design." I know it's more secure, but damn, it's a major hassle if you use it for a lot of things and you need to get a new phone.

Many of these services, I believe Google is one, still require a mobile phone as a fallback option.

Google requires at least 2 ways of 2FA protection. You can enable a third one and disable the phone completely.

Requiring the phone number is mostly an anti-bot/spammer measure. Once they've seen your phone number you don't need to let them use it anymore.

PayPal, an actual bank, still only allows SMS 2FA. It's stupid.

Wrong. TOTP is supported, although hidden.

It uses Verisign's VIP app instead of Google Authenticator (or Authy or whatever).

You can use any TOTP app.

It's not hidden, it's de facto disabled for 99% of users. Fix this, PayPal.

According to some threads I've read it doesn't work in all circumstances.

Personally I wouldn't risk it since it could mean risking getting locked out of your account.

I've been using it for a few years now and I haven't encountered a place where I couldn't use it. It might force you to enter the TOTP code at the end of your password though, but it works.

And even this option is not available in all countries. I've almost stopped using PayPal completely because of this.

I think it depends on the mobile provider and country.

Most of these attacks are social engineering.

For PayPal, texting is even the only 2FA option for non-US citizens. Baffling.

You can use a Symantec hardware token.

PayPal’s CEO is head of Symantec’s board. PayPal must use Symantec software wherever it is available, and their MFA is no exception.

This is still baffling as you say though, because Symantec's MFA system does allow for other mechanisms.

PayPal's Symantec HW token can be replaced with a TOTP app.

I can't. It only seems to be available for US citizens.

One does not even need to bribe or defraud telecom employees; the biggest gaping hole is the fact that roaming requests are insecure, and SMSes are sent in plaintext.

On "certain Russian forums" the talk is that that was how British MPs were deprived of their email mailboxes in 2016. Somebody dug up their IMSIs from leaks and public DBs, and sent roaming requests through Megafon, Russia's biggest telco.

I doubt that was necessary. Many of the telcos use atrocious PIN security for voicemails, and they fail to prevent spoofed calls to their voicemail servers. Makes for a bad combination.

SS7 hacking to achieve that end would be a higher barrier to entry and more likely to get caught.

> One does not even need to bribe or defraud telecom employees

wow, no proof of stake required, rating 1/5

2FA security aside, it really is remarkable how Jared was able to talk the hacker down. We seem to really undervalue those sorts of social skills. Jared's one conversation could have saved hundreds of thousands of dollars (for himself and others).

When a social engineer I meets a social engineer II the better social engineer gets the upper hand. In this case it was not the hacker.

I remember reading somewhere that Google Voice numbers cannot be ported - and are useful in having them set as your 2FA for email accounts etc. Is that still correct?

For UK numbers I can also recommend these guys: https://www.aa.net.uk/telecoms.html

Their technical support is actual tech support, with tech guys that won't take any bullshit, especially if you have 2FA (TOTP-based) on your account.

The numbers are not recognised as VoIP and will work with every single service (I have yet to find one that will fail). I believe they are partnered with a local carrier that does some magic (call forwarding to some internal number?) so from the outside they look just like any other mobile number from that carrier.

(no affiliation besides being a satisfied customer for years)

Except their text messages only appear to be processed every half hour or so... which makes it useless for 2FA most of the time (the only reason I went with them).

Strange - I get their texts immediately.

Which numbers are you using? 07 ones or 020?

07. Forwarded to email.

I ported one out last year, I had to make it portable from inside my Google Voice account (a quite poorly documented pain, actually), but that's still a much higher bar than your average cell carrier.

And since there is no google customer service, nobody can social engineer it out of you!

Google Voice is on track to be a core service in Gsuite, which has pretty impressive phone support in my experience.

I interacted with Google support (when it was called Google apps) for two things, the first one was I wanted to disable links in Gmail -- the support people couldn't understand what I wanted for about 30 minutes, then couldn't understand why I wanted it, then said it couldn't be done.

I don't remember what the second one was, but it ended with the support person agreeing it was a problem, but suggesting I post to product forum.

If that's amazing support, I'd rather rely on the normal channels: writing an angry blog post and posting it to HN, or suckering your smart friends into interviewing at Google and bribing them to fix your problems once they get there.

Did you try to port it without marking it as portable in Google Voice? I would be interested to see if that flag actually matters.

I tried to port out in early 2017 without unlocking the number at GV and the receiving provider said the sending provider had rejected the port request.

Bank of America does not or is not able to send 2FA SMS to Google Voice numbers.

That's not true. I have both my Bank of America and Merrill Edge accounts protected with 2FA using my Google Voice number, and it's been working fine for at least a couple years (when I switched to that method). I use both of them weekly, receiving their authentication text via GV, and never had a problem.

Interesting, I tried years ago and it didn't work, maybe it has changed. Good thing is BoA also emails 2FA codes, so I don't need SMS anyway.

I ported my Google Voice number to T-Mobile about 6 years ago, replacing my main number.

Great decision, as I got to reset my social graph: no services would try to auto-connect me with everyone from high school and college that had data-dumped their contacts.

Is it worth it though? Now you can't fully rely on your phone number for 2FA; T-Mobile is one of the providers notoriously known for transferring numbers without asking for too much information.

My daily number, not connected to any 2FA (for which I use Google Voice), is a T-Mobile one, and a couple years ago I bought a nano SIM to replace a larger SIM, and the call center operator transferred the number without me having to answer almost anything overly personal. I think they just asked for a PIN which I'd obviously forgotten, and with some mild additional information it was reset right there. It was truly shocking; the old SIM just got disconnected from the network instantly.

For 2FA via text, Google Voice is IMHO the only choice, by far.

And for social graph implications, on your google account you can choose to not be discoverable to other people via your phone number, and that includes the Google Voice number since it's explicitly listed there (of course I assume it doesn't work the other way around, which seems to be the thing you are bothered by, I'm usually worried about being discovered by others than being shown a list of people I might know).

Totally worth it; that number can be used to create a new Google Voice number.

Offering SMS based one time codes, with no OTP protocol alternative, should be considered negligence of the legally sanctionable kind.

And finally, who cares about your social graph on Google? That's not the issue at all.

Do you mean a brand new Google Voice number can/should be used for all 2FA SMSes?

I've ported one back out, you have to sign into your account and allow it.

The "OG account" stuff is fascinating. ( see e.g. https://waypoint.vice.com/en_us/article/43ebpd/the-long-weir... for screenshots of forum or https://medium.com/@N/how-i-lost-my-50-000-twitter-username-... ).

Also fascinating is that the only functional support channel is "write a blog post and hope a lot of people upvote it on a news aggregator".

Two really interesting trends there.

This marketing entrepreneur talks down a ransom seeker with a heart-warming story AND manages to record it? Sounds a little too good to be true.

The accent of the "scammer" in the call is definitely not German.

Germany has a ton of immigrants, they don't all speak with German accents.

Can someone please point out what is the solution to bypass all these headaches? Can I get a separate phone account that is under a business entity or something (not a personal name)? Would that work?

For anyone who wants to know how easy it is to social engineer big-4 mobile phone carrier customer service people... I highly recommend reading Mitnick's "The Art of Deception" book on social engineering in general.

Taking over the SMS functionality of any phone number in the US is trivial and can be done in 2 minutes. The phone will continue to operate as normal and the victim will likely take a while to notice anything is wrong. Never ever use SMS to secure anything.

>can be done in 2 minutes

Citation needed. Extra credit for WikiHow step by step with badly drawn art.

Trivial if you have access to an SS7 network that has a direct access or a roaming agreement with the network of the victim, and the proper tools to do that. But you will not manage to do it within 2 minutes if you have.

I was thinking of someone just walking into their local cellphone store and sweet talking the person behind the counter to transfer their number off of their old "broken" phone.

You are thinking about it from the wrong angle. Even less than 2 minutes.
