Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts (vice.com)
244 points by secfirstmd 47 days ago | 153 comments

Someone stole 415-867-5309 from me by forging the port paperwork. My carrier refused to do a port back.

I filed an FTC complaint and they couldn’t have cared less.

Phones are a broken system.

Phone number hijacking is a real problem, especially with cell phones, and thieves use it as part of an overall identity (and retirement fund) theft approach.

For those who didn't catch it, that's a somewhat "famous" phone number.

In the 80s, there was a song by that name: "867-5309 (Jenny)" by the band Tommy Tutone. https://en.wikipedia.org/wiki/867-5309/Jenny

Neat tip: you can use your area code + this number in almost any system that asks for a phone number (especially useful supermarket "loyalty" customer tracking systems). If they ask for a name, just tell them "Jenny".

I was at the mall one day buying something. The cashier said “what’s your cell number?” My reply was “no”. They looked at me shocked and bewildered but the shock was all mine. Who in their right mind asks for a cell number from a shopper? Any time anyone asks me for phone number I just say “no”, seems to work.

I would steer away from being rude to the average cashier, and instead complain to their corporate overlords.

As someone who worked in retail, it was equally uncomfortable for me to ask as it was for the customer to answer.

I'm confused. If you ask me a question, answering 'No' seems to be an option... How is it rude to reply that way?

I'm well aware cashiers are people, and want to treat them that way.


> Would you like to upgrade to a large?

> Nope.


> Can we just get your phone number?

> No...

I think the parent took the literal answer of “no” to be a bit terse, depends on how you read that example conversation. I doubt anyone is arguing it’s actually rude to refuse to provide a phone number, just to not be snarky when doing so.

If it’s uncomfortable to ask then don’t take my response personally. I don’t do it to be rude, just found this to be the most effective way of making a statement without saying much more - which is more likely to make the cashier upset given my resting tone.

Radio Shack used to always want a bunch of information from you for their database, whenever you would buy anything, cash or not. It was good training in refusing to participate in data harvesting that, 30 years after my first nervous "No", is more relevant and necessary than ever.

No isn't rude.

I've got to agree with this. You're ultimately just being rude to a minimum wage worker who has to follow a script or be fired.

What would be a non-rude approach in your opinion?

> can we have your phone number?

> Yes. walks away

The initial 'no' as presented was a completely valid, polite response.

I'm not saying you should say yes to be agreeable. Just be polite but firm. I would say something along the lines of "I don't want to give out my phone number sorry." or even just shaking your head back and forth works.

"Do you have a phone number" "No" comes off as you being irritated and will make the staff member feel like a dick for just doing their job.

I'm not saying you must always be polite. If somebody is being a pushy asshole, push back. However if you can take a few seconds to make a minimum wage drone not feel as bad about their job it's well worth it.

Maybe you shouldn't do things that you know are wrong.

but he has children to feed and a mortgage to pay. clearly doing immoral things is the lesser of the two evils in this scenario.

> Neat tip: you can use your area code + this number in almost any system that asks for a phone number (especially useful supermarket "loyalty" customer tracking systems). If they ask for a name, just tell them "Jenny".

Do you actually do this? It hasn't worked for me most places I've tried it. In a couple cases it froze/crashed their system. I always wondered what people who legitimately have this number do.

Yep, I use it all the time at the area supermarkets (works with no less than four different chains).

I predict that someday soon, supermarkets will sell my food purchase history to insurance companies, so when I buy loads of vegetables and such, I use my real number. When I buy wine & bacon -- you guessed it: 867-5309.

Tip #2: They also link purchase records based on debit card account numbers. So pay cash.

Tip #3: if the number doesn't work for your area code, try it with a different area code. (the sysadmins sometimes purge a number that is being used by loads of people.) Also, if you need to provide a zip code, Beverly Hills 90210 works just fine.

> I predict that someday soon, supermarkets will sell my food purchase history to insurance companies, so when I buy loads of vegetables and such, I use my real number. When I buy wine & bacon -- you guessed it: 867-5309.

That won't help, your purchases can still be linked to yourself with your credit card.

With Apple/Google Pay isn't this information NOT shared with the merchant, but only a transaction token?

so they say. but the data lives somewhere, and when it has enough value it will be a commodity.

> That won't help, your purchases can still be linked to yourself with your credit card.

This doesn't seem to add much value on top of

>> Tip #2: They also link purchase records based on debit card account numbers. So pay cash.

I've used it at CVS with area code 213. I usually got a very large printout about all the beauty care products Jenny was using.

Used this at a Food Lion once and the savings to date was like $10k+ or something outrageous, we all had a good laugh.

I've had it work sometimes, but also ran into times where it must've been overused.

If a shop or any service business, which has no business of having this information, asks me for phone # or ZIP code I advise them right straight to fuck off.

Since it's not the cashier's fault I make sure not to be hostile or rude to her / him, but I make it very clear that it's none of their business and if they absolutely insist on it I walk away.

I do this too. I found once I started being okay with saying no it became way less awkward.

This works for companies that ask for email as well.

Demanding questions are a form of force.

"What do you do?"

"How much do you make?"

"Where do you live?"

"What are you doing?"

Preemptively: "Nothing-to-hide" folks don't live in transparent houses, wear clothes and don't tell their passwords to everyone they meet. Everyone has something to hide or they're dishonest. Information equals opportunities for attack... Publisher's Clearing House and other "contest" identity prostitution scams... no way.

I always use 312-836-7000, which is the CTA's customer service number. It stuck in my head from years of bus commuting in Chicago. It most recently worked for me as a loyalty card at a Safeway in Mountain View, so I'm apparently not the only one with this number stuck in their head. But not enough people know it for it to be flagged. (Never tried it when I lived in Chicago, interestingly. There it might be more widespread.)

Are there any SIM card providers in the US or Europe that provide strong identification on Phone number porting? Such as requiring a password or physical identification?

Many do, until an employee decides the number needs to be ported anyway. There is always an "override" feature / method to overcome these measures.

Telecoms are a thin-margin business and every human check or technical security measure will be rejected until customers start leaving, mentioning a particular issue. The problem with porting, SS7 weaknesses, number spoofing and other annoyances is that you will be hard pressed to find an alternative operator that actually protects against these risks simply because they cost money and in the end only few customers are willing to pay the 10% a month extra.

In Germany I had to verify my ID at a post office. Deutsche Post has an infrastructure for verifying IDs that businesses can use.

In Italy you can block porting altogether. Unblocking requires visiting a store in person and showing ID.

You don't even need to forge the paperwork if you work at a telco. Create the number port request in NPAC, wait for the confirmation timeout, and activate the number port. The timeout depends on the two carriers but it's generally a day or two.

Banks are starting to support opening accounts and credit cards using phone carrier data for authentication. A majority of application data could be auto-filled using only a phone number and billing zip code. The effort for convenience in applying actually could open a lot of people to potential fraud (which the banks won't materially feel) and serious financial damage.

A counter-measure to such attacks would be a "block" against the usual "hard pull" from Equifax or other credit raters when opening a bank account.

Usually a hard pull isn't done for a bank account (it is for loans though). A soft pull is done instead, which has essentially no credit impact.

It sounds more like lack of law enforcement is the problem. In any sane society, law enforcement would have the authority to rain down like holy hell on people like this.

I get the impression that in the United States, regulation to shift fraud liability to the banks, and away from the individual customers, is more effective than relying upon law enforcement.

If someone breaks into my home and steals my stuff, I may hope for law enforcement to catch those responsible. I have no expectation that my property would be returned to me.

Thinking through this analogy, property-theft insurance is affordable because law enforcement is effective where I live, and I am expected to maintain reasonable precautions against theft.

I don't know how to prevent my phone number from being used without my permission. So I don't know how to apply law enforcement as a remedy.

> If someone breaks into my home and steals my stuff, I may hope for law enforcement to catch those responsible.

Dream on. In most US jurisdictions, property crime is very low priority for law enforcement. Even if you have cameras recording the thieves in action, LE might create a report but they will probably not investigate the crime at more than a superficial level.

The clearance rate for property crimes isn't quite as bad as I thought: https://www.statista.com/statistics/194213/crime-clearance-r...

Law enforcement in the US is primarily focused on clearing "moral" crimes or things that make their departments money. Things like murder, drug use, prostitution, and domestic violence are high targets because they are "easier" to police than things like theft. Some police departments are also funded by monies they can just take from people under "suspicion" that someone was going to commit a crime using civil asset forfeiture. Good luck ever getting that money back. Just watching a show like LivePD in the US you'll see that while there are a ton of absolutely amazing and dedicated law enforcement officers out there, there's also those who completely treat people like dirt and take every opportunity to lie or intimidate people into confessing to crimes.

I've lost numbers by just moving my service from a PRI to AT&T's fiber offering.

"You have to lose one of the numbers, that's just how the port works". Usually it's a DID.

Normally, AT&T would add a number before the port that would be the sacrificial number.

So do your own fraudulent port out. It's clear you won't get in trouble for it.

> It's clear you won't get in trouble for it.

That assumes the world is fair. From my experience, it's not.

I would fully expect if I did this for it to be one of the few times they actually caught it (and possibly because the original complaint caused specific flags to be put on one or the other of the accounts...)

I would have war dialed them until they gave it back. I bet the FCC would have had something to say about that.

It was disconnected for a long time after they stole it. They hopped carriers all the time as well making it difficult to keep track of who had it.

The thieves were not new to this.

That’s infuriating. I feel a lot of secondhand frustration. Do you think they stole it to sell or use?

This is one reason I use Google Fi - criminals would have to first break my Google account security to cancel my service / port the number.

Not necessarily. It is entirely possible to force-port a number by faking a letter of authorization as OP described. When I worked in telco, I did LOA-based paper ports at least twice a month for customers whose losing providers were being jerks* about not coughing up approval. The number port database admin at the time only required that I tick a box on an electronic form certifying that I had written authorization from the customer to force the port and upload a PDF. The losing carrier could do nothing to stop the port.

Your Google account security actually means relatively little here for a determined attacker. Sure, it prevents the takes-only-a-few-minutes automatically-approved ports (which, yes, is what roughly 90% of attackers are going to go for) so you're excluded as low-hanging fruit but Google is not itself a telco and doesn't host the phone numbers directly on its infrastructure so it can't do much to harden against this kind of attack.

* (A certain wireless provider that used to be a three-letter acronym and is now fairly low in the alphabet was notorious for refusing ports when wireless number portability first started.)

What carrier was that? I keep hearing stories that, for some reasons, only involve T-Mobile - so I was wondering which one was that.

I know of cases of it being done with Verizon.

Ironton Global.

Terrible company.

>Phones are a broken system.

US phone numbering is a broken system.

Why would this company need that specific phone number? https://www.whitepages.com/phone/1-415-867-5309

Because it's likely one of the most memorable numbers in history at this point, as it's been immortalized by pop music.[1]

1: https://www.youtube.com/watch?v=6WTdTwcmxyo see 50 seconds in or so for the chorus...

My point is, it doesn't look like it's in their public contact phones. It doesn't matter how memorable it is if you don't show it to the masses.

eight six seven five three oh niii-eee-iii-innn

Slightly unrelated, but i'm fishing for suggestions.

I have a beef with my local Australian bank, the ING (of Dutch fame). Their login system consists of your "customer number" (printed on the back of your debit card) and a 4 digit numeric PIN. Yes, 4 digits. In 2019. To add a payee to your address book the only auth that happens is over SMS; to actually transfer money out of the account you can select any existing address book contact with no further verification.

I like their product offering (cheapest / best in class locally) but this is such a worry to me. I've repeatedly talked to their customer support about this issue (and their Twitter is full of complaints about this) but they keep giving canned responses and redirecting to their "Online Security Guarantee" https://www.ing.com.au/security.html. Any ideas how to get through to someone who understands what's going on, before I grudgingly take my business elsewhere?

This seems pretty common with a lot of banks. I've got accounts with several high street UK banks and almost all of them have some kind of reliance on SMS, maximum password requirements (like 10 letters with no symbols) or 'secret words' where you have to pick a few choice letters from a word which is presumably kept in plain text.

I can only assume they are relying more on legal recourse and insurance than data security experts and I assume that if a hack did happen I would be reimbursed but it's a bit of a worry.

With Barclays you can rely solely on the card reader and disable login using "memorable data". Lots of other banks in the UK offer card readers (off the top of my head, Barclays, Nationwide, Natwest).

You should ask them about controls for call center based fraud.

Write a nice letter and send it to them.

Also, you could try contacting journalists, who then might try to contact the bank, or some white hat security group, and ask them about how easy it is to socially engineer their way into your account.

However, I think it's not that easy. 4 digit PIN, one account, I guess it gets flagged fast if someone tries to brute force it. You should try it, hm?

This is a good suggestion, thanks. I'll consider giving it a try.

> However, I think it's not that easy. 4 digit PIN, one account, I guess it gets flagged fast if someone tries to brute force it. You should try it, hm?

Their security page says 3 incorrect attempts means you need to call up their call centre. But as you point out, how hard would it be to socially engineer your way in.

That's really weird. Over here, the ING has quite stringent password demands, and require a password change every 6 months. Furthermore, 2 factor authentication via phone is required for every transaction.

This is why we should all be paranoid over things like the Mobile Authentication Taskforce and "Project Verify" where the US cell carriers are colluding to form a new authentication/identification to replace passwords with single-factor phone identification. We know our cell accounts are utterly and woefully insecure, but expect this push to come in the near future.

> we should all be paranoid over things like the Mobile Authentication Taskforce and "Project Verify" where the US cell carriers are colluding to form a new authentication/identification to replace passwords with single-factor phone identification.

There's lots of infosec paranoia that is ill-based in reality but I've got to concur here. It's gotten so easy and uncomplicated to social-engineer a fraudulent port / SIM swap that there's an entire cottage industry of bored teenagers that do exactly that, in part to commandeer Instagram accounts with coveted usernames.

Basing authentication/identification on an industry that's simultaneously pathologically incompetent (fraudulent ports/SIM-swaps) and also grossly evil (selling real-time locations of all their subscribers without their consent to a phantasmagorically layered and non-auditable set of resellers and intermediaries) when it comes to security is pure folly.

While I agree SMS based MFA is less than ideal the real issue is telephony security. Weak security allows ANI spoofing, message interception (as seen here), IMSI catching, and who knows what else.

I stopped picking up calls from unknown numbers since it's practically all spam. It'll probably never be secure but I can dream.

That’s great and all, until you’re applying for jobs. Or in sales/support. Or just new to an area. Or have a child at day-care.

When I’m on-call and they spoof a similar phone number (same area and exchange code), I gotta answer it.

Per Quora, area code 308 probably has the smallest population of any area code, so getting a phone number based there and screening for 308 numbers would probably work well.

Honestly if Google Voice had a captcha system I could implement for non contact numbers, that would be sweet.

This is actually a feature on the Pixel 2 and Pixel 3: Screen your calls before answering them [0]. When you activate it on an incoming call it'll play a message for the caller, show you a transcript of their response, and allow you to respond with a few canned messages of your own. The best part is that it works entirely offline [1], so it doesn't require sacrificing your privacy. It's incredibly convenient.

For a while I'd been receiving a ton of spam calls. Eventually I caved and enabled "Filter spam calls" on my Phone app. Suddenly, all the calls stopped. I ultimately decided that this was a worthwhile privacy tradeoff for me, especially since I rarely use my phone. I only use it to occasionally interact with businesses, and as a way for close family to reach me at a moment's notice in case of an emergency.

[0] https://support.google.com/phoneapp/answer/9118387

[1] https://support.google.com/phoneapp/answer/9094888

Isn’t this a standard google voice feature for the last 12 years or so?

Google Voice provides text transcripts for voicemail, but I'm not aware of it having ever supported anything like the screen call feature.

When you activate the feature the caller hears the following message: "Hi, the person you’re calling is using a screening service from Google, and will get a copy of this conversation. Go ahead and say your name, and why you’re calling."

Then you'll see a live transcript with whatever the caller says, and you're given multiple choices with which to respond. Here's some of the available actions / responses, along with the message the caller hears:

* Is it urgent? - “Do you need to get a hold of them urgently?”

* Report as spam - “Please remove this number from your mailing and contact list. Thanks, and goodbye.”

* I'll call you back - “They can’t talk right now, but they'll give you a call later. Thanks, and goodbye.”

* I can't understand - "It's difficult to understand you at the moment. Could you repeat what you just said?”

You also have the option to answer or end the call at any time.

Another important detail is that this is done exclusively using on-device technologies, so it works offline and it preserves your privacy. Voicemail transcripts are generated on Google's servers.

All of this information is taken verbatim from the two articles I linked as part of my original response.

I don't think google voice showed you a transcript in real time or allowed you to interact with the caller.

No transcript, but they play back the caller's introduction to you before you decide to accept or ditch the call. Again, for the last 12 years or so. That was one of the reasons Google acquired Grand Central and launched Google Voice.

Yeah they had that but this is different, more interactive and something you can decide to use while your phone is ringing. Google voice currently does not have a call screening feature like the one on the pixel.

Well, GV is interactive by some definition, but awkward. You need to listen to the headset to hear the caller's introduction, then type 1 to accept the call or hang up and send the caller to voice mail.

Real time transcription would be much nicer, very true. GV is apparently on a lifeline while Google is trying to push Fi. Just like Duo and Hangouts.

Get a number in a completely different area code than where you live. In an attempt to appear legitimate and get answered, lots of spam calls will come from the area code of your phone number.

If I get a call from the area code where I live I pick it up because it’s usually the vet, doctor, school, mechanic, etc. But if I get a call from an unknown number in the area code of my phone # I can safely ignore it and let it go to voicemail. If it’s legitimate they will leave a message (and it’s never been legitimate so far).

It's great that the FTC in the US rolled with the flood of scam calls and partnered with call blocking lists [0], but ignorant question--why are scammers able to cycle through and commandeer and route through so many domestic phone numbers and remain untraceable to enforcement?

0: https://www.consumer.ftc.gov/articles/0548-blocking-unwanted...

Edit: Thanks for the pointers! Sorry this was a bit of a tangential question.

They often buy SIP services from VoIP operators, as a business, and cycle through the subscriptions.

But it's a totally different problem than the problem depicted in this article.

There's a good practical look into how this works in Martin Vigo's talk.[0]

0: https://media.ccc.de/v/35c3-9383-compromising_online_account...

Because once you get connected to the SIP network you are assumed trusted. Getting connected to the SIP network is easy and requires no verification.

The problem with this attack is that the subscriber never gets any indication that the attack occurred. So you can't do anything to defend yourself.

The attack described is two-part:

1. The criminals launch a phishing campaign against you specifically to get your bank username and password. This is defensible, although the harder step, by being vigilant, not clicking links, regularly changing your password, ensuring your password is unique so they won't be able to find it on a database of another breached web service, etc.

2. They intercept your SMS-based 2FA. This is not possible if you are not using SMS-based 2FA. Switch to a more secure method of 2FA, or communicate your concerns to your bank if none is available (really, make it public, because this is a big deal), or switch banks.

I believe there are things you can do to defend yourself, although having to do these things is clearly not ideal. Hopefully just knowing about it will improve a person's defensive posture against such types of attacks.

Edit: formatting (for anyone who's ever wondered: https://news.ycombinator.com/formatdoc)

"Switch to a more secure method of 2FA"

If you can... All the institutions (bank, 401K, IRA) I use will fall back to SMS even if you have a more secure method. I gave up trying to find one that didn't.

Instead I got a burner phone with cash. Don't really know if it helps but it seems less likely that some database dump has my name associated with that number.

"Switch to a more secure method of 2FA"

What would you suggest? I've heard that using your phone for 2FA is a bad idea several times now, but I'm not hearing suggested alternatives. Clearly your alternatives are limited by what you're offered, but I would still welcome advice for what practical alternatives I should try to use instead of phone.

An app or hardware generating TOTP or HOTP codes is generally considered better than SMS based authentication but is susceptible to phishing and requires planning around phone upgrades or backup measures in case of a lost device. Google Authenticator app, Yubikey, or the like.

I'm not claiming this is more secure by any means but I started using a Google Phone number for 2FA associated with a Google account which uses a hardware token for authentication. My reasoning being that a Google phone number cannot be transferred without logging into the account and releasing the number. So I figured if I used the most secure 2FA method for that account it would be safer than relying on my telco which doesn't employ any serious security measures and is likely more susceptible to social engineering than Google.

I think there needs to be a larger effort to shame the banks into fixing their MFA support. Some of them sign onto FIDO2 for example but don't enable it for their customers. I've looked for every bank I do business with and NONE of them support non-SMS MFA.

Motherboard/Vice is trying to load another article at the bottom of this one, but the one it wants to pull up is apparently MIA, and causes the article I actually WANT to read to cut to a 404 before I can reach the end. If you must shove additional content down our throats, can you at least make it a bit more failsafe? #notagoodlook

With NoScript (https://noscript.net/) blocking their Javascript I get the whole article, no attempt to load any other article, and no 404 anywhere on the page.

Use reader view. I’ve had mine set to open all links and my life has been much less stressful now that I don’t have to deal with website styles and nonsense the likes of which you describe above. Try it.

i got a horse 404 too

SS7 is fundamentally broken and nobody is ever going to fix it. It's based on telcos all trusting each other in the year 1985. The sheer mass of installed equipment that nobody wants to spend hundreds of thousands of dollars to upgrade means that implementing authentication and security on top of SS7 is never going to happen. Any extensions on top of SS7 that implement something resembling proper security will thoroughly break backwards compatibility with all old PSTN equipment.

If you use SMS or anything phone network related for 2FA you're doing it wrong.

My job title has "network engineer" in it. It's time to simply disregard the existence of the PSTN and move on to modern communications methods. By modern, I mean things that are based on packet-switched IP networks, with software applications using battle tested public/private key crypto implemented at layers 4-7 in the OSI model.

Crypto attempts have been made, but now we're starting to see both industry associations (GSMA) and open source (P1 Security SigFW [1]) working on filtering and encrypting SS7.

If placed in front of the legacy equipment, that could enable operators to gradually move toward signed+encrypted signaling traffic.

Problem is that this industry can be slow to react and would probably need government/regulatory pressure to move faster.

[1] https://github.com/P1sec/SigFW/

GSMA standards have always included purposeful insecurity, e.g. look at the history of A5/1 & A5/2.

It's a group that buys into the idea of secure backdoors, I'm not sure it's possible for them to build a secure system.

I actually think the current Huawei mess is direct fallout from our history of creating purposefully insecure systems: if the overall system was designed to be secure, the network infrastructure potentially being compromised wouldn't be such a significant issue.

I work at a company whose customer is the Phone Company. As I complained to my manager, "We may have a two-week sprint, but the Phone Company has a two-year sprint."


Well back when I worked for BT they had quarterly sprints but this was for things like major changes to the entire system.

I like to view the problem of SS7 as similar to that of BGP. How to add security to a widely used protocol. I think there are ways of moving forward, albeit slowly, without having to mass replace everything.

Interesting you mean a hybrid TCP/IP and OSI model

The entire security model of the PSTN is just broken. It's not just SS7, it's stingrays, caller id, robocalls, porting numbers, etc, etc. It's time to deprecate the entire system.

How are bad actors getting access to SS7? Is SS7 being transported over public IP networks and subject to intercept? Are they bribing/hacking telecoms themselves?

At one point, one of the attack vectors was said to be by spoofing or otherwise manipulating traffic to/from a wireless femtocell. The same wireless femtocells that many operators will gladly sell or give to you for free or very little $.

I don't know how effectively that strategy still works today, but I think it speaks to the significant degree to which the phone system is completely insecure and untrustworthy by design.

Almost every telecom company in the world has access to SS7 network so the attack surface is very wide.

Small telecoms in developing nations, corruption of the LEC telecom in places vulnerable to bribery, and CLEC interconnections for SS7 traffic.


1. Renting access by pretending to be legit telecom business

2. Internal access

3. Internet hacking into less protected telecom operators to then compromise the SS7 core network nodes and send traffic from there.

Other ways exist, but these represent the bulk.

gruez, SS7MAP - it's a CLI app written in Erlang, you can find it on GitHub I think. At least it is useable :)

SS7 is just another network that you can buy access to from telcos.

30yr ago only the big nations could do this. 15yr ago most nations could do this. Today organized crime or well funded companies can do this. 10yr from now small time criminals will be able to do this.

Technology trickles down really well.

This is just another instance.

small time criminals have been doing this for years? I guess it's so lucrative that they aren't considered small time after executing it on a useful bank account

it's rampant on instagram, which introduced non-SMS OTP just a few months ago after everyone figured out their negligence was just to data mine phone numbers

Wow, I really thought we were still at the social engineering scale (convincing the guy in the cell shop).

Does anyone know if Google Voice texts are also subject to this kind of attack? In the sense that they have to honor SS7 rerouting commands or anything like that.

Google Voice is, by and large, just* using Bandwidth.com's API to send and receive SMS. The same attacks still work though it is marginally harder to forcibly port or steal a number from a Google Voice account because Bandwidth passes the port auth request onward to Google for approval.

Point being, Google Voice is not a telco on its own. They rent underlying access, of sorts, and that access still relies on SS7.

* For suitably large values of "just."

Do you know if this includes Google Fi as well? From what I can tell, they appear to share much of the same infrastructure. There's even a link to Google Voice at the bottom-left side of the screen of the Google Fi website.

I don't have much knowledge of how Google Fi works but what little I know makes me think that, yes, Fi and Voice are doing the same thing. If they are, then yes, a Fi number is on the exact same footing as a Voice number for port-out shenanigans.

One data point for why Fi and Voice numbers are the same: For a long time, hip-and-trendy apps like Uber and Venmo wouldn't accept Google Voice numbers because they show up in API calls as "voip." About a year after Fi became widespread, Google Voice numbers show up in services that provide information about phone numbers with a carrier of "Bandwidth.com/GV" or similar so now the apps can whitelist that carrier as "yeah it's VoIP but it's fine." If I test the number of someone who I know uses Google Fi--but did use that number with Google Voice before Fi, so I don't know for sure if this is valid--the information returned still comes back as Google Voice.

What about using a service like Twilio to receive texts?

This will not work. A Twilio number cannot receive messages from a short code. Almost every single two factor authentication code from a bank or other institution comes from a short code. No number you receive or port into Twilio is classified as a mobile number – so they cannot receive messages from short codes.

I spoke to engineers from Twilio at the 2018 Signal conference and they confirmed - there is no technical limitation, but they would have to do a lot of work and deal with a lot of spam issues if they allowed their numbers to be classified as "mobile" and able to receive SMS from shortcodes - and they are declining to do that for now.

So whether you source a new number from Twilio or port in an existing mobile number, once it hits Twilio it is no longer a mobile number. Yes, you can receive SMS/MMS from "normal" numbers just fine.

I think Twilio is running its own infrastructure so some of the attack risk is mitigated but there's still no prevention of doing things like temporarily rerouting SMS or other things like that through SS7 access.

Point being, SMS-based "authentication" is so laughably insecure as to be pointless if you become a target of someone who wants into your checking account.

When https://n26.com launches in the US they could prevent this attack, unless they fool customer support somehow. In the EU they have non-SMS based 2fa and optionally send a push notification for all transactions.

Also, I'm looking for a bank that blocks all debits/transactions/transfers unless pre-authorized via app. Anyone know if that exists?

Yikes! Banks need to start supporting other 2FA methods such as TOTP or U2F

Some do, but their backend systems are still vulnerable. Most folks here on HN would not believe me if I said that many of the back-end systems do not use encryption. There are still many automation jobs that use clear-text FTP on the WAN and for some jobs, even across the internet.

Yeah, this list is still pitiful: https://twofactorauth.org/#banking

Some do. Of the four banks where I currently have accounts, only one uses SMS-based 2FA codes; the other three all provide chip-and-pin card readers or similar gadgets to generate transaction-specific auth codes.

And the banks that support 2FA need to figure out a way to keep supporting their data subscription services. There is no good OFX for 2FA.

Meanwhile, Twilio is raking it in on the back of this broken system.

Can you elaborate? How does Twilio benefit specifically from these vulnerabilities in SS7?

And this is just another reason why SMS based 2FA is fundamentally broken.

I bank with Barclays in the UK and they give each of their account holders a PinSentry device. This is a physical device that you have to insert your card into, and then enter your pin code to unlock, you then use it to sign/verify transactions that you are trying to make.

Don't have access to the pin sentry device? Guess who can't add a new transfer recipient.

The chink in the chain for Barclays though is their mobile app on-boarding that relies on bank account information and SMS authentication which turns your phone into a PinSentry too.

Don't get me wrong, Barclays probably does it better than anyone else but I was surprised when I set up a new phone recently.

That's odd - when I installed the iOS app I either had to get a one-time-code by using a Barclays ATM, or by identifying with my physical PinSentry device ...

Barclays is a terrible example. If someone obtains your PIN and nicks your card then they can do anything with your bank account, as the card works with any PinSentry.

Much better is HSBC. The device you get is the only one that works; you cannot use a different device.

> If someone obtains your PIN and nicks your card

If that is the case there are many options available to you that do not require pinsentry. This argument makes no sense in the context of this discussion.

Since it is tax time, when people normally discover their accounts have gotten locked by people trying their account name and passwords from the endless stream of credentials thefts, I would observe that there are several brokerages which will issue a brand new password and read it to you over the phone without a single challenge (even the useless public records questions) if the ANI on the inbound call is correct.

People have lived happily alongside this vulnerability for decades. There's also a pretty cool CLI application called SS7MAP for pentesting which is not quite that old (a year perhaps), I haven't gotten around to trying it yet. I had forgotten. Interesting stuff. And this is exactly why you often hear the phrase "you shouldn't rely on 2 Factor Auth."

I've been hearing about such scams for years at sites like http://whycall.me and other similar sites. People should be aware of these kinds of scams by now. Spreading the word and informing our families about them is the key.

A popular attack these days is usage of fake roaming requests. They require nothing except knowledge of your IMEI, and IMEIs can be bought in bulk online from Android app devs.

That's how British MPs were, allegedly, pwned en masse in 2016

Are you sure you're not mixing up IMEI (identifiers of hardware handsets and end devices, can often be reflashed) with IMSI (identifiers on the SIM, and therefore the number and subscription associated with the SIM (simplified description))?

You don't need to "buy", but you need to FIND, the IMSI of the target you're going to do fake roaming (fake Location Update) request on. This is most of the time doable.

I did, thanks for correcting me.

I am glad my bank does not use phone numbers for anything. 2FA works with a special device that is not on GSM networks, for identification they use other means (not including the phone number).

Off topic: how much defunct/dormant telco infra has been left lying around which could be put to use? Are old copper lines between cities still there? Old mode fiber?

Other than hoarding gold (edit: or cryptos, or anything similar), what is the best way to make sure my net worth doesn't just go to zero from one day to the next?

Assuming you are a regular person, and that you do not have the US Government out to get you, put your money in an FDIC (or equivalent) insured bank account. The financial system is pretty good at making sure that even with these hacks and breaches, the actual depositors don't actually lose money. Other alternatives such as hoarding gold, digging a hole in your backyard and burying cash, or buying cryptocurrencies have a higher chance of resulting in your losing your money than if you just put it in a bank account.

You should diversify. Have some money in a 401k, and an IRA or brokerage account invested in a whole market fund mostly, with a smaller amount in bonds. Buy a house.

All of those except for the house can be stolen in one shot from your bank, unless you spread your accounts among multiple banks, and that increases your risk of accidentally losing one of them.

Real estate. Although maybe that is the same concept as hoarding gold.

Nope. Stealing land titles is very much a thing in the UK: https://www.gov.uk/protect-land-property-from-fraud

Even more so in places like India; one of my co-workers a few years back mentioned that his family back home had lost property to "gangsters".

Cryptocurrencies. It's pub-priv key security for money.

Hardware wallets are really cool ex: https://wiki.trezor.io/FAQ:Overview

That's a surefire way to do exactly what he said he didn't want to do.

Seems like a heavily volatile way to store your "net worth."

I guess it is ironic that stablecoins are probably the most secure way to store your money

crypto security, usually legacy underpinnings, no volatility

I know what cryptocurrencies are. I should have been more specific than "Other than hoarding gold" to include other volatile commodities.

text-version: https://termbin.com/9w1q

I bet the 1A2 Key system was harder to hack

Using SMS or smartphones in any capacity for 2FA is dumb.
