I filed an FTC complaint and they couldn’t have cared less.
Phones are a broken system.
For those who didn't catch it, that's a somewhat "famous" phone number.
In the 80s, there was a song by that name: "867-5309 (Jenny)" by the band Tommy Tutone. https://en.wikipedia.org/wiki/867-5309/Jenny
Neat tip: you can use your area code + this number in almost any system that asks for a phone number (especially useful supermarket "loyalty" customer tracking systems). If they ask for a name, just tell them "Jenny".
As someone who worked in retail, it was equally uncomfortable for me to ask as it was for the customer to answer.
I'm well aware cashiers are people, and want to treat them that way.
> Would you like to upgrade to a large?
> Can we just get your phone number?
The initial 'no' as presented was a completely valid, polite response.
"Do you have a phone number" "No" comes off as you being irritated and will make the staff member feel like a dick for just doing their job.
I'm not saying you must always be polite. If somebody is being a pushy asshole, push back. However, if you can take a few seconds to make a minimum wage drone not feel as bad about their job, it's well worth it.
Do you actually do this? It hasn't worked for me most places I've tried it. In a couple cases it froze/crashed their system. I always wondered what people who legitimately have this number do.
I predict that someday soon, supermarkets will sell my food purchase history to insurance companies, so when I buy loads of vegetables and such, I use my real number. When I buy wine & bacon -- you guessed it: 867-5309.
Tip #2: They also link purchase records based on debit card account numbers. So pay cash.
Tip #3: if the number doesn't work for your area code, try it with a different area code. (The sysadmins sometimes purge a number that is being used by loads of people.)
Also, if you need to provide a zip code, Beverly Hills 90210 works just fine.
That won't help, your purchases can still be linked to yourself with your credit card.
This doesn't seem to add much value on top of
>> Tip #2: They also link purchase records based on debit card account numbers. So pay cash.
Since it's not the cashier's fault I make sure not to be hostile or rude to her / him, but I make it very clear that it's none of their business and if they absolutely insist on it I walk away.
"What do you do?"
"How much do you make?"
"Where do you live?"
"What are you doing?"
Preemptively: "Nothing-to-hide" folks don't live in transparent houses, wear clothes and don't tell their passwords to everyone they meet. Everyone has something to hide or they're dishonest. Information equals opportunities for attack... Publisher's Clearing House and other "contest" identity prostitution scams... no way.
Telecoms are a thin margin business and every human check or technical security measure will be rejected until customers start leaving, mentioning a particular issue. The problem with porting, SS7 weaknesses, number spoofing and other annoyances is that you will be hard pressed to find an alternative operator that actually protects against these risks, simply because they cost money and in the end only few customers are willing to pay the 10% a month extra.
If someone breaks into my home and steals my stuff, I may hope for law enforcement to catch those responsible. I have no expectation that my property would be returned to me.
Thinking through this analogy, property-theft insurance is affordable because law enforcement is effective where I live, and I am expected to maintain reasonable precautions against theft.
I don't know how to prevent my phone number from being used without my permission. So I don't know how to apply law enforcement as a remedy.
Dream on. In most US jurisdictions, property crime is very low priority for law enforcement. Even if you have cameras recording the thieves in action, LE might create a report but they will probably not investigate the crime at more than a superficial level.
"You have to lose one of the numbers, that's just how the port works". Usually it's a DID.
That assumes the world is fair. From my experience, it's not.
I would fully expect, if I did this, for it to be one of the few times they actually caught it (and possibly because the original complaint caused specific flags to be put on one or the other of the accounts...)
The thieves were not new to this.
Your Google account security actually means relatively little here for a determined attacker. Sure, it prevents the takes-only-a-few-minutes automatically-approved ports (which, yes, is what roughly 90% of attackers are going to go for) so you're excluded as low-hanging fruit but Google is not itself a telco and doesn't host the phone numbers directly on its infrastructure so it can't do much to harden against this kind of attack.
* (A certain wireless provider that used to be a three-letter acronym and is now fairly low in the alphabet was notorious for refusing ports when wireless number portability first started.)
US phone numbering is a broken system.
1: https://www.youtube.com/watch?v=6WTdTwcmxyo see 50 seconds in or so for the chorus...
I have a beef with my local Australian bank, the ING (of Dutch fame). Their login system consists of your "customer number" (printed on the back of your debit card) and a 4 digit numeric PIN. Yes, 4 digits. In 2019. To add a payee to your address book the only auth that happens is over SMS; to actually transfer money out of the account you can select any existing address book contact with no further verification.
I like their product offering (cheapest / best in class locally) but this is such a worry to me. I've repeatedly talked to their customer support about this issue (and their Twitter is full of complaints about this) but they keep giving canned responses and redirecting to their "Online Security Guarantee" https://www.ing.com.au/security.html. Any ideas how to get through to someone who understands what's going on, before I grudgingly take my business elsewhere?
I can only assume they are relying more on legal recourse and insurance than data security experts and I assume that if a hack did happen I would be reimbursed but it's a bit of a worry.
Write a nice letter and send it to them.
Also, you could try contacting journalists, who then might try to contact the bank, or some white hat security group, and ask them about how easy it is to socially engineer their way into your account.
However, I think it's not that easy. 4 digit PIN, one account, I guess it gets flagged fast if someone tries to brute force it. You should try it, hm?
> However, I think it's not that easy. 4 digit PIN, one account, I guess it gets flagged fast if someone tries to brute force it. You should try it, hm?
Their security page says 3 incorrect attempts means you need to call up their call centre. But as you point out, how hard would it be to socially engineer your way in?
There's lots of infosec paranoia that is ill-based in reality, but I've got to concur here. It's gotten so easy and uncomplicated to social-engineer a fraudulent port / SIM swap that there's an entire cottage industry of bored teenagers that do exactly that, in part to commandeer Instagram accounts with coveted usernames.
Basing authentication/identification on an industry that's simultaneously pathologically incompetent (fraudulent ports/SIM-swaps) and also grossly evil (selling real-time locations of all their subscribers without their consent to a phantasmagorically layered and non-auditable set of resellers and intermediaries) when it comes to security is pure folly.
I stopped picking up calls from unknown numbers since it's practically all spam. It'll probably never be secure but I can dream.
When I’m on-call and they spoof a similar phone number (same area and exchange code), I gotta answer it.
Honestly if google voice had a captcha system I could implement for non contact numbers, that would be sweet.
For a while I'd been receiving a ton of spam calls. Eventually I caved and enabled "Filter spam calls" on my Phone app. Suddenly, all the calls stopped. I ultimately decided that this was a worthwhile privacy tradeoff for me, especially since I rarely use my phone. I only use it to occasionally interact with businesses, and as a way for close family to reach me at a moment's notice in case of an emergency.
When you activate the feature the caller hears the following message: "Hi, the person you’re calling is using a screening service from Google, and will get a copy of this conversation. Go ahead and say your name, and why you’re calling."
Then you'll see a live transcript with whatever the caller says, and you're given multiple choices with which to respond. Here's some of the available actions / responses, along with the message the caller hears:
* Is it urgent? - “Do you need to get a hold of them urgently?”
* Report as spam - “Please remove this number from your mailing and contact list. Thanks, and goodbye.”
* I'll call you back - “They can’t talk right now, but they'll give you a call later. Thanks, and goodbye.”
* I can't understand - “It's difficult to understand you at the moment. Could you repeat what you just said?”
You also have the option to answer or end the call at any time.
Another important detail is that this is done exclusively using on-device technologies, so it works offline and it preserves your privacy. Voicemail transcripts are generated on Google's servers.
All of this information is taken verbatim from the two articles I linked as part of my original response.
Real time transcription would be much nicer, very true. GV is apparently on a lifeline while Google is trying to push Fi. Just like Duo and Hangouts.
If I get a call from the area code where I live I pick it up because it’s usually the vet, doctor, school, mechanic, etc. But if I get a call from an unknown number in the area code of my phone # I can safely ignore it and let it go to voicemail. If it’s legitimate they will leave a message (and it’s never been legitimate so far).
Edit: Thanks for the pointers! Sorry this was a bit of a tangential question.
But it's a totally different problem than the problem depicted in this article.
1. The criminals launch a phishing campaign against you specifically to get your bank username and password.
This is defensible, although the harder step, by being vigilant, not clicking links, regularly changing your password, ensuring your password is unique so they won't be able to find it on a database of another breached web service, etc.
2. They intercept your SMS-based 2FA.
This is not possible if you are not using SMS-based 2FA. Switch to a more secure method of 2FA, or communicate your concerns to your bank if none is available (really, make it public, because this is a big deal), or switch banks.
I believe there are things you can do to defend yourself, although having to do these things is clearly not ideal. Hopefully just knowing about it will improve a person's defensive posture against such types of attacks.
Edit: formatting (for anyone who's ever wondered: https://news.ycombinator.com/formatdoc)
If you can... All the institutions (bank, 401K, IRA) I use will fall back to SMS even if you have a more secure method. I gave up trying to find one that didn't.
Instead I got a burner phone with cash. Don't really know if it helps but it seems less likely that some database dump has my name associated with that number.
What would you suggest? I've heard that using your phone for 2FA is a bad idea several times now, but I'm not hearing suggested alternatives. Clearly your alternatives are limited by what you're offered, but I would still welcome advice for what practical alternatives I should try to use instead of phone.
If you use SMS or anything phone network related for 2FA you're doing it wrong.
My job title has "network engineer" in it. It's time to simply disregard the existence of the PSTN and move on to modern communications methods. By modern, I mean things that are based on packet-switched IP networks, with software applications using battle tested public/private key crypto implemented at layers 4-7 in the OSI model.
If placed in front of the legacy equipment, that could enable operators to gradually move toward signed+encrypted signaling traffic.
Problem is that this industry can be slow to react and would probably need government/regulatory pressure to move faster.
It's a group that buys into the idea of secure backdoors, I'm not sure it's possible for them to build a secure system.
I actually think the current Huawei mess is direct fallout from our history of creating purposefully insecure systems: if the overall system was designed to be secure, the network infrastructure potentially being compromised wouldn't be such a significant issue.
Well back when I worked for BT they had quarterly sprints but this was for things like major changes to the entire system.
I don't know how effectively that strategy still works today, but I think it speaks to the significant degree to which the phone system is completely insecure and untrustworthy by design.
1. Renting access by pretending to be legit telecom business
2. Internal access
3. Internet hacking into less protected telecom operators to then compromise the SS7 core network nodes and send traffic from there.
Other ways exist, but these represent the bulk.
Technology trickles down really well.
This is just another instance.
It's rampant on Instagram, which introduced non-SMS OTP just a few months ago after everyone figured out their negligence was just to data mine phone numbers.
Does anyone know if Google Voice texts are also subject to this kind of attack? In the sense that they have to honor SS7 rerouting commands or anything like that.
Point being, Google Voice is not a telco on its own. They rent underlying access, of sorts, and that access still relies on SS7.
* For suitably large values of "just."
One data point for why Fi and Voice numbers are the same: For a long time, hip-and-trendy apps like Uber and Venmo wouldn't accept Google Voice numbers because they show up in API calls as "voip." About a year after Fi became widespread, Google Voice numbers show up in services that provide information about phone numbers with a carrier of "Bandwidth.com/GV" or similar so now the apps can whitelist that carrier as "yeah it's VoIP but it's fine." If I test the number of someone who I know uses Google Fi--but did use that number with Google Voice before Fi, so I don't know for sure if this is valid--the information returned still comes back as Google Voice.
I spoke to engineers from Twilio at the 2018 Signal conference and they confirmed - there is no technical limitation, but they would have to do a lot of work and deal with a lot of spam issues if they allowed their numbers to be classified as "mobile" and able to receive SMS from shortcodes - and they are declining to do that for now.
So whether you source a new number from Twilio or port in an existing mobile number, once it hits Twilio it is no longer a mobile number. Yes, you can receive SMS/MMS from "normal" numbers just fine.
Point being, SMS-based "authentication" is so laughably insecure as to be pointless if you become a target of someone who wants into your checking account.
Also, I'm looking for a bank that blocks all debits/transactions/transfers unless pre-authorized via app. Anyone know if that exists?
Here are the password requirements for Coast Capital Savings:
I bank with Barclays in the UK and they give each of their account holders a PinSentry device. This is a physical device that you have to insert your card into, and then enter your pin code to unlock, you then use it to sign/verify transactions that you are trying to make.
Don't have access to the pin sentry device? Guess who can't add a new transfer recipient.
Don't get me wrong, Barclays probably does it better than anyone else but I was surprised when I set up a new phone recently.
Much better is HSBC. The device you get is the only one that works; you cannot use a different device.
If that is the case there are many options available to you that do not require pinsentry. This argument makes no sense in the context of this discussion.
That's how British MPs were, allegedly, pwned en masse in 2016.
You don't need to "buy", but you need to FIND, the IMSI of the target you're going to do fake roaming (fake Location Update) request on. This is most of the time doable.
Hardware wallets are really cool, e.g.: https://wiki.trezor.io/FAQ:Overview
crypto security, usually legacy underpinnings, no volatility