A great example is authenticating a person's identity via possession of a SIM card, i.e., their mobile number. If one can switch SIM cards, then one can switch identities. This flexibility is not a flaw in mobile communications; the ease-of-use is what makes mobile so useful. However, it is silly to pretend mobile is as safe as landline for all uses. Mobile may be altogether more useful than landline -- few could argue otherwise -- and at the same time it can be entirely inappropriate for use in important things like banking. This concept seems non-existent. Instead the prevailing thinking is all-or-nothing.
In addition to "convenience", mobile has introduced a new class of problems when used for important things like banking and payments. These problems either do not exist or exist at a much lower scale with respect to landline. Who owns landline service? Crooks?
From where I stand, the risks of using mobile for important transactions outweigh the benefits. Unfortunately, I also see that "convenience" continues to prevail over common sense. I am willing to sacrifice convenience for peace of mind. Meanwhile banks and others push harder and harder for customers to use mobile, including as a means of verifying identity.
In fact, most of my payments these days are with Apple Pay. My interactions with my bank and the stock market are all through my phone.
My bank protects me from fraud. It's really not that big of a deal - especially not to a point where using a landline makes any sense.
Except that an ever-growing portion of the population doesn't have a landline -- only mobile.
How many landlines per business entity?
Are the vast majority of businesses using cellphones exclusively? Why not?
I thought SIMs were just an evolution of "calling card" tech, originally intended to be slotted into a payphone. A cell phone is just a miniature payphone which holds onto a single "calling card" long-term.
In the developing world, this is often the only link people have to the Internet at large. I worked in a company with primarily Nigerians, and one of the biggest developments in recent years is payment systems built over mobile networks.
Since most other countries don't bundle the phone with a contract and SIM-lock them, SIM-swapping is a very reasonable way to pay-as-you-go while hopping between mobile networks and regions.
>However it is silly to pretend mobile is as safe as landline for all uses
What's the alternative for people lacking wired infrastructure? It's not desktop systems, it's not landlines, and they can't rely on the government to solve these problems for them.
SMS is trickier as I only know enough programming to write a script in bash to send SMS. I can't send pictures or videos, so I try to convince friends to use Signal instead.
911 works with no SIM card, as required by federal law.
I do have working SMS to email however, so viewing SMS is a piece of cake :)
I have an Anveo call flow that implements a white/grey/black list setup that works great. There were a couple really persistent callers that I had to block the entire NPA NXX which is harder for the caller to spoof. I get almost no robocalls.
$3/month gets you a US/Canada phone number with which you can make/receive voice calls using SIP, and send/receive SMS using XMPP.
'Sorry, you will need to contact sales to order an 07 mobile number at this time.'
It would be cool to get back on a mobile carrier, but only if I had enough network control to handle the kind of hacking attempts in the article
It seems this would solve the hijacking issues but you’d still likely get bombarded with robo calls to the MVNO number.
Does your setup have any mitigation against robocalls for the Anveo number?
What do you use for dialing? I'm wondering if it would somehow be possible to disable the device phone app to avoid getting nuisances from the MVNO number.
I’m very interested in a write up. Thanks for sharing!
Presumably all his calls are done through a VOIP app (he said Asterisk, so probably SIP) and he can ignore all "normal" incoming calls, or it is forwarded to his phone using a known number and he can ignore every number except that one.
In the scenario where you use a cheap cell plan to have an always-on data connection to the PBX, you will have to have some method of blocking all of the calls to the device number. I suppose you could have them all forward to the PBX and then your filtering could apply.
Badly behaved businesses reap concentrated benefit while imposing diffuse losses on others. It's kind of like how a factory worker in a declining city notices the harm of a layoff much more than the benefit of TVs costing 25% less.
Pretending to have lost your SIM and requesting a new one might be slightly easier, I never needed to do that. But it would mean your SIM gets deactivated the moment they start the process of shipping out the new SIM, so it will give you at least a full 24 hours to notice you got no service, usually two days. I wouldn't be surprised if they'd also send you a text plus email before deactivation just in case.
But in general I feel like call center workers here are very good at following the protocol. I'd be very surprised if you'd manage to convince one that you lost your phone and you also happen to have moved and want it sent to another address.
But sure, if you're paying someone on the inside, all bets are off.
There doesn't seem to be much security at all in Australia. Enter the number and date of birth (and contract number, if it's not a prepaid phone) and wait a couple of hours.
Fair enough, not everyone is checking their phone every 5 minutes. But otoh if you wouldn't realize it within a day or two, you probably aren't using it for Apple Pay, 2FA and whatnot, so you're not a likely target anyways.
Do you only use your phone number for 2FA? People don't call you or send texts? Keeping the same phone number is still convenient so people can still reach you at the same number.
- SIM swap to obtain SMS/telephone capability
- hijack email, if known + non-2FA or known SMS/telephone 2FA
- this could be socially engineered as well - "sorry, I forgot my password to that email account, can you change it to..."
- password reset/etc any accounts without 2FA or with SMS/telephone 2FA
- social engineer way into bank/financial accounts
- drain and profit
I've seriously considered tying up financial stuff to an undisclosed phone number on its own account.
I wonder if the government wants people to be as paranoid as the people running the government, or they’re just ignorant. Most of these protocols were developed during the Cold War, not after.
Any service that uses SMS-based 2FA without any other option like client-side generated one-time passcodes (OTP) should be sued for negligence at this point. The OTP should be the default choice.
People are currently masquerading incompetence as an indictment of cryptocurrencies as a concept. This is allowing negligent, incompetent businesses to get a free pass, because the people that should be in charge of protecting consumers are thinking the cryptocurrency itself is insecure or "got hacked", which so far isn't what is happening.
(with regard to storing cryptocurrency on someone else's server, yeah those users are being negligent too.)
That's beyond unacceptable.
Love the combination of investigation and cybersecurity.