Who Owns Your Wireless Service? Crooks Do (krebsonsecurity.com)
204 points by hsnewman 73 days ago | 57 comments

I see these problems from a different angle than the usual commentators. I continue to ask myself: Why is mobile used for important things, e.g., banking, payments, etc.?

A great example is authenticating a person's identity via possession of a SIM card, i.e., their mobile number. If one can switch SIM cards, then one can switch identities. This flexibility is not a flaw in mobile communications; the ease-of-use is what makes mobile so useful. However it is silly to pretend mobile is as safe as landline for all uses. Mobile may be altogether more useful than landline -- few could argue otherwise -- and at the same time it can be entirely inappropriate for use in important things like banking. This concept seems non-existent. Instead the prevailing thinking is all-or-nothing.

In addition to "convenience", mobile has introduced a new class of problems when used for important things like banking and payments. These problems either do not exist or exist at a much lower scale with respect to landline. Who owns landline service? Crooks?

From where I stand, the risks of using mobile for important transactions outweigh the benefits. Unfortunately, I also see that "convenience" continues to prevail over common sense. I am willing to sacrifice convenience for peace of mind. Meanwhile banks and others push harder and harder for customers to use mobile, including as a means of verifying identity.

The world is going to leave you behind fast if you're using a landline because you're too scared of mobile phones...

In fact, most of my payments these days are with Apple Pay. My interactions with my bank and the stock market are all through my phone.

My bank protects me from fraud. It's really not that big of a deal - especially not to a point where using a landline makes any sense.

> These problems either do not exist or exist at a much lower scale with respect to landline.

Except that an ever-growing amount of the population doesn't have a landline -- only mobile.

The vast majority of people do not have a land line. Per World Bank data, there are 12 landlines per 100 people and 102 mobile lines per 100 people.

What are the statistics for businesses?

How many landlines per business entity?

Are the vast majority of businesses using cellphones exclusively? Why not?

Is a business accessing their lines via voip considered a landline?

Businesses only care about fraud losses they have to pay. SIMs only exist because cellphone companies wanted to cut off free riders. The efficiency gain from online transaction versus teller assisted far exceeds fraud losses. Passwords remain the default authenticator, which are often Password1, Linkedin2009, 123456. Password reset questions are added to minimize tech support costs or just check an audit box. SMS is the band-aid over guessable passwords. Not everyone has a smartphone. If businesses don't want to pay for password reset calls, they certainly aren't going to issue customer smartcards or open retail locations where they check two forms of ID.

> SIMs only exist because cellphone companies wanted to cut off free riders.

I thought SIMs were just an evolution of "calling card" tech, originally intended to be slotted into a payphone. A cell phone is just a miniature payphone which holds onto a single "calling card" long-term.

>Why is mobile used for important things

In the developing world, this is often the only link people have to the Internet at large. I worked in a company with primarily Nigerians and one of the biggest developments in recent years is payment systems built over mobile networks.

Since most other countries don't bundle the phone with a contract and SIM-lock them, SIM-swapping is a very reasonable way to pay-as-you-go while hopping between mobile networks and regions.

>However it is silly to pretend mobile is as safe as landline for all uses

What's the alternative for people lacking wired infrastructure? It's not desktop systems, it's not landlines, and they can't rely on the government to solve these problems for them.

What may be the only alternative for important transactions, and a sensible one, for people in the developing world may not necessarily be the most sensible alternative for people in developed countries who have more alternatives, such as wired service. The article focuses on AT&T, a carrier in the developed world.

As a personal hacking project in my spare time, I switched from T-Mobile to anveo and an asterisk setup. I can send and receive SMS on my server and can make WiFi calls on my phone. SMS gets sent to my email as well. This costs maybe $45 USD a year. I've thought about documenting my setup but I don't know if there is any interest.

Some responses: It's reliable enough to pay my credit card bills over the phone using public bus WiFi.

SMS is trickier as I only know enough programming to write a script in bash to send sms. I can't send pictures or videos, so I try to convince friends to use signal instead.

911 works with no sim card, as required by federal law.

I do have working SMS to email however, so viewing SMS is a piece of cake :)

I use Anveo for my "land" line and Google Voice for my cell. Instead of Asterisk, I use an Obi. The Obi also connects to my GV number so my home office can make/receive calls to either number.

I have an Anveo call flow[1] that implements a white/grey/black list setup that works great. There were a couple really persistent callers that I had to block the entire NPA NXX which is harder for the caller to spoof. I get almost no robocalls.

1. https://ibb.co/bBs2RsJ

For people who want this setup as a service, there's jmp.chat.

$3/month gets you a US/Canada phone number that you can make/receive voice calls using SIP, and send/receive SMS using XMPP.

Yes! I've wanted to decouple SMS from the phone I carry, be able to respond to SMS via other devices. Right now the best option I have is to convince as many people I can to start using Signal.

I am rarely in the same country very long and use https://www.aa.net.uk/ in the UK for a UK 07 number that can retrieve SMS and that I can use a VOIP phone with. As far as I'm aware they're the only service in the UK allowing this with 07 numbers.

How much do they charge for this? I looked on their web site but when you select that option they say:

'Sorry, you will need to contact sales to order an 07 mobile number at this time.'

Very very little. Paying a couple of quid a month I think. Yes, you'll need to contact sales, but also you can port your existing number in.

How reliable is it? Could it be used to replace non critical services twilio offers for say small business?

I definitely have an interest in hearing more about how you achieved this for such a low cost. My own sms/voip setup costs about $50 a month. I still gladly pay it for the control it offers, but would love to pay less but not lose reliability.

I use voip.ms in a similar capacity but with a much simpler/adequate setup. My problem is that certain senders (banks, credit card companies, etc.) are unable to text the number in question. Is Anveo better in this regard?

Is this just a number blacklist thing? If so, presumably you could get a regular mobile number and port it to your VOIP setup.

That's what I had done, i.e. ported the number from a regular carrier to voip.ms.

If you were to get a plan on a cheap mvno with a second phone number, would it work as seamlessly as if your main number were tied to your SIM?

I'm not sure I understand? The service I built is entirely WiFi based. I find most bars restaurants and coffee shops generally have WiFi capable of VoIP traffic.

It would be cool to get back on a mobile carrier, but only if I had enough network control to handle the kind of hacking attempts in the article

My interpretation is that the MVNO plan and number would only serve the purpose of keeping a constantly on data connection to then use your own infrastructure and number. The number from the MVNO would not really be used.

It seems this would solve the hijacking issues but you’d still likely get bombarded with robo calls to the MVNO number.

Does your setup have any mitigation against robo calls for the anveo number?

What do you use for dialing? I’m wondering if it would somehow be possible to disable the device phone app to disable getting nuisances from the MVNO number.

I’m very interested in a write up. Thanks for sharing!

>you’d still likely get bombarded with robo calls to the MVNO number.

Presumably all his calls are done through a VOIP app (he said Asterisk so probably SIP) and he can ignore all "normal" incoming calls, or is forwarded to his phone using a known number and he can ignore every number except that one.

In his setup, yes, this works as he does not have any phone number tied to the device. He’s using WiFi to connect to the PBX.

In the scenario where you use a cheap cell plan to have an always on data connection to the PBX you will have to have some method of blocking all of the calls to the device number. I suppose you could have them all forward to the PBX and then your filtering could apply.

Yes this!

I am interested!

Quite interested!

i'm interested too.

It's hard not to get really depressed when you think about all the political institutions that were set up to protect consumers and have since been hijacked by the corporations to protect them from the consumers.

Maybe you won't be so depressed when you realize that some of the quotes in that article by Gigi Sohn ("complete and total abdication of oversight") are prima facie hyperbole, and thus we can dismiss them as politically motivated. How can I say it's hyperbole? The rest of the article tells us that there are lawsuits, prosecutions, and FCC investigations. That doesn't sound like a complete and total abdication of oversight. Is the problem serious? yes. Is it ongoing? yes. Is there regulatory capture? yes. But is nothing being done about it? no.

I think you're overreacting. The Sohn quote is referring specifically to oversight by relevant government agencies. Lawsuits are not relevant to the statement. The article implies that the FCC investigation into location data sharing was, at best, proceeding slowly.

Perhaps. I mostly concur with the article. I think FCC deregulation was poorly done. I'm not happy with the wording of my prior statement but I'm not going to edit it. What I was thinking when I wrote it was "cheer up, things will work out okay"

It's inevitable unless regulators and consumer activists maintain the upper hand (in which case businesses will complain about a business unfriendly environment).

Badly behaved businesses reap concentrated benefit while imposing diffuse losses on others. It's kind of like how a factory worker in a declining city notices the harm of a layoff much more than the benefit of TVs costing 25% less.

Curiously enough, an edition of the Encyclopedia Galactica that had the good fortune to fall through a time warp from a thousand years in the future defined the telecommunications executives of America as "a bunch of mindless jerks who were the first against the wall when the revolution came."

How I miss Douglas Adams

AT&T's response to this sounds pretty bad. They're not going to prevent SIM swaps but they're going to let banks (not Google, not cryptocurrency exchanges) discover that you got swapped after the fact.

Eventually, this could make legitimate SIM swaps unusable. The point of SIM swaps was to retain a phone number when swapping carriers or SIM chips. If a number becomes untrusted after a SIM swap, you may be better off getting a new number.

Assuming it wasn't bribery but simple social engineering, what's there to prevent this from being abused? In Germany, porting the number to another carrier would be next to impossible without the victim realizing. You have to request from the old carrier to release the number for porting, then you have to tell the new carrier you want to port over the old number from the old carrier. Then the old carrier informs you via SMS and email when the switchover will happen. That date is usually at least one week in the future. And usually the evening before the switch you get another SMS.

Pretending to have lost your SIM and requesting a new one might be slightly easier, I never needed to do that. But it would mean your SIM gets deactivated the moment they start the process of shipping out the new SIM, so it will give you at least a full 24 hours to notice you got no service, usually two days. I wouldn't be surprised if they'd also send you a text plus email before deactivation just in case.

But in general I feel like call center workers here are very good at following the protocol. I'd be very surprised if you'd manage to convince one that you lost your phone and you also happen to have moved and want it sent to another address.

But sure, if you're paying someone on the inside, all bets are off.

I could probably go a week before I noticed that my phone had no service.

There doesn't seem to be much security at all in Australia. Enter the number and date of birth (and contract number, if it's not a prepaid phone) and wait a couple of hours.

> I could probably go a week before I noticed that my phone had no service.

Fair enough, not everyone is checking their phone every 5 minutes. But otoh if you wouldn't realize it within a day or two you probably aren't using it for Apple pay, 2fa and whatnot so you're not a likely target anyways.

Not using it for much stuff like that. But considering everything I wrote above, I think I'll start checking the service once a day.

>If a number becomes untrusted after a SIM swap, you may be better off getting a new number.

Do you only use your phone number for 2fa? People don't call you or send texts? Keeping the same phone number is still convenient so people can still reach you at the same number.

I can imagine the convenience for most people. For me, not being a big phone user, it's not difficult. I did it recently when porting to a new provider failed to work (despite only needing my phone number and date of birth as input). Perhaps a few organisations didn't get the new number and can no longer contact me for marketing etc., but that's a bonus.

Telcoms want the revenue that comes with identity and access as a service, but not the liability nor due diligence costs.

this is actually an existential financial threat for some people:

- SIM swap to obtain SMS/telephone capability

- hijack email, if known + non-2FA or known SMS/telephone 2FA

  - this could be socially engineered as well - "sorry, i forgot my password to that email account, can you change it to..."

- using gathered intel from email (e.g. monthly statements), call up banks/financial account (many of which are non-2FA or SMS/telephone 2FA)

- password reset/etc any accounts without 2FA or with SMS/telephone 2FA

- social engineer way into bank/financial accounts

- drain and profit

i've seriously considered tying up financial stuff to an undisclosed phone number on its own account.

Should be more than that, data leaks are everywhere, and anything worth more than the fee for a phone line should have its own number.

I wonder if the government wants people to be as paranoid as the people running the government, or they’re just ignorant. Most of these protocols were developed during the Cold War, not after.

this happens to people that store their cryptocurrency on services with sms-based 2fa.

any service that uses sms-based 2fa without any other option like client side generated one time passcodes (otp) should be sued for negligence at this point. the otp should be the default choice.

people are currently masquerading incompetence as an indictment of cryptocurrencies as a concept. this is allowing negligent, incompetent businesses to get a free pass, because the people that should be in charge of protecting consumers are thinking the cryptocurrency itself is insecure or "got hacked" which so far isn't what is happening.

(with regard to storing cryptocurrency on someone else's server, yeah those users are being negligent too.)

My personal peeve is various services that offer MFA, but very quietly still offer SMS-based 2FA as a backup that is nearly impossible to turn off. If you set up MFA, be absolutely sure that recovery is only done through one-time codes and the service doesn't automatically fall back on SMS.

So Coinbase and .... who else?

Are any providers offering an opt-in SIM freeze of sorts with some kind of enhanced authentication in order to unfreeze? Wouldn't such a feature/service easily prevent the SIM-swap risk? I don't know how easy this is to prevent regarding the infrastructure (do networks detect a SIM-swap via change in host IMEI?). I understand the article describes a rogue employee but it seems to me that an added layer for such a service could easily prevent unauthorized access.

I didn't know AT&T was just selling real time data in defiance of the FCC rules and I'm quite inclined to just terminate my service after holding an account for nearly 20 years with them over it.

That's beyond unacceptable.

I liked the smart title of this article!

Great piece of content. First time I read something in krebsonsecurity

Love the combination of investigation and cybersecurity.
