Number porting should require an SMS to the existing SIM with the ability to respond NO to cancel the process and flag the request as fraud (e.g. whoever made the request on the carrier side should be flagged, to fish out compromised support reps).
A mandatory time delay (12 or 24 hours) could be imposed. This would slightly inconvenience people who lost their SIM and need to set up a new one. This seems like a reasonable cost/security trade-off for losing a SIM card. Mission critical numbers should be implemented as forwarding services that separately route to the cell phone anyway, so “this number must be live right now” is not a reasonable excuse to compromise everyone’s security.
You could also mandate a short delay (4 business hours) and high value targets that sometimes take international flights could opt-in to longer (24/48 hour) waiting periods. The expectation should be that 99% of users keep the default.
Using SMS as a second factor has trade-offs. This isn’t news because every single authentication mechanism presents a unique set of trade-offs in terms of cost of provisioning, ease of use, possibility of loss, possibility of spoofing, replay, etc.
SMS is an extremely powerful authentication factor due to its availability, cost, and accessibility. It’s worth it to shore up protection against SIM swaps not in the least because it would improve the security posture of SMS as an authentication factor. It would still not make SMS perfect. Nothing is.
Wow, I use this company for my elderly father for a resounding monthly bill of ~$7/8 for years and had no idea they were also Tucows.
If anyone has pointers on how to get a domain & email address that are both bought & hosted with Tucows up to snuff with the email security standards of yesteryear (SPF & DKIM), I would really appreciate it!
IIRC Tucows doesn't “directly” sell and host email to the general public, but offers reseller accounts, or email is sold and hosted to the general public by their subsidiary Hover.
So just because it's a "Tucows domain" doesn't mean it's actually Tucows hosting your email services, anyways...
You might be able to get away without DKIM if the email is coming from “safe known ips” which hopefully your email provider has told the various big email providers.
SPF can be done completely from a DNS record. Google a SPF generator, fill in the details, and throw the result into your DNS records and done.
DKIM is a bit different, as the outgoing mail server signs your outgoing email. The receiving party then checks your DNS for the public key for the email.
Your mail provider might already be signing outgoing mail and you just need to put the public key in the DNS, or you will need to contact your mail provider and ask them to turn it on for you. (If it’s Hover, their customer support has always been good~ish to me. I think I’ve had one issue with them in the past, but it was a minor issue and I still have a few domains reg’ed with them. Anyways, back on point.)
You can use something like https://www.appmaildev.com/en/dkim/ to check if your mail is already being signed and get the public key for it.
If your email provider is refusing to set up DKIM for you, you can try with just SPF and hope the reputation of the mail server itself is enough to fill in the blank of DKIM, or move to another provider, either self hosted (cheaper, but more manual setup) or something like FastMail which does offer easy to configure DKIM (plus things like iOS Mail Push support), or an SMTP relay (depending on the volume of outgoing mail you might get away with using the free allowance from, say, SendGrid, SendPulse, Mailgun or one of the many others out there.)
Obviously, trying to get your current provider up and running is the preferred option, as then your client and any other mailboxes they have won’t need to change any of their mail client settings to get up and running.
EDIT: Also, having DKIM and SPF correctly configured doesn't always matter. Outlook, for example, may still reject your mail if it comes from an IP that they are not expecting. But you can ask them to add a mitigation for you via https://support.microsoft.com/en-us/supportrequestform/8ad56... (If they reply saying "Nope, you're not blocked..." just email them back politely asking them to check again as you are still having deliverability issues. I personally had this recently, but it was fixed with a follow up email so I'm not going to complain about it). Though as you are not the outgoing mail provider yourself you may not be able to answer all the questions (are you sure you know all the IP ranges your mail provider uses?). Gmail may get mad at you if you are doing a catch-all forward (including all the spam) from the domain to your client's personal Gmail account.
But yeah, if you want to hit me up, drop me an email and when I have a spare 30 mins I'll give it a once over and tell you your options. (Note: UK time here, dunno where you are, so if you email me while I'm asleep I'll get back to you after coffee and I've done my morning tasks.)
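The SPF side of the thread above ("SPF can be done completely from a DNS record") is easier to reason about once you see what a receiving server actually does with that record. The following is an added example, not code from any commenter or from Tucows/Hover: it evaluates a `v=spf1` policy for a connecting IP against a constructed TXT-record table that stands in for real DNS answers (the `example.com` and `_spf.mailhost.example` names and their records are made up). It covers `ip4`, `ip6`, `include` and `all` with qualifiers; `a`, `mx` and the other mechanisms are left out.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption: a real checker
# would query a resolver). Hostnames and policies here are invented for the example.
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "nospf.example": ["some unrelated txt record"],
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include etc.) at 10

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_spf_record(domain, dns=FAKE_DNS_TXT):
    """Return the domain's single v=spf1 TXT record, or None.
    Zero records means 'none'; more than one is a permanent error in RFC 7208,
    which we also report as None so the caller cannot accidentally pass."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1 ") or r.lower() == "v=spf1"]
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate the SPF policy of `domain` for a message arriving from `sender_ip`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if _lookups is None:
        _lookups = [0]           # shared counter across recursive includes
    ip = ipaddress.ip_address(sender_ip)
    record = find_spf_record(domain, dns)
    if record is None:
        return "none"

    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An IPv4 address never matches an ip6 network and vice versa;
                # ipaddress returns False rather than raising for that case.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed network in the record
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(sender_ip, arg, dns, _lookups)
            if inner in ("permerror", "none"):
                return "permerror"           # RFC 7208 5.2: missing include target
            matched = inner == "pass"        # include matches only on an inner pass
        else:
            # a, mx, exists, ptr, redirect are not implemented in this example
            return "permerror"

        if matched:
            return QUALIFIER_RESULT[qualifier]

    return "neutral"                         # fell off the end without an "all"
```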
If you had parts of either, or a hint, maybe a previously used password works for "verifying your ID", then I'd call that 1/2FA.
To me, a second factor that can bypass the first factor is exactly the same as this situation. Being able to hack your way into an account is a different issue.
If an attacker could access your account without knowing any of your secrets, then it's really 0FA.
This is done by some carriers in Russia as far as I remember.
> with the ability to respond NO to cancel the process
There is no such possibility, but you can visit the carrier's representative.
> A mandatory time delay (12 or 24 hours) could be imposed.
Some carriers do this for SMS. Here is a quote from one of the carrier's website:
> To protect you from scammers, after replacing a SIM card SMS messages from banks and commercial online services will be blocked for 24 hours. You will be able to send and receive SMS from other users and popular messengers and applications instantly.
> SMS is an extremely powerful authentication factor
But it discloses a person's identity and location.
Lots of account take-overs could have been prevented if they had added this obvious security measure.
That has its own risks. If you don't provide it to google and your account gets hacked, it's extremely hard to get it back. (My wife lost her original gmail account that way about 2 years ago. And of course there was no way to get any live support to try & fix it)
Basically if you don't provide your number, you're more open to the more prevalent traditional hacking. If you do provide a number, you're more open to a slightly less prevalent type of hacking. It doesn't leave much to choose from.
From the article, even the Twitter CEO has this problem:
> While he has managed to get back his social media accounts, he has not regained access to two Google email accounts that held years of communications.
If anyone with directional authority at Google is out there: It would be really decent of you to provide some means of customer service for consumers stuck in this catch-22.
I can't accept there's no reasonable way to perform an identity confirmation beyond the laughably limited self-help measures currently in place. If it's a matter of economics, make it pay-per-use.
With Google anyway you're down to 2FA using an authentication app (possibly U2F but I haven't checked on that recently) and backup codes which should also protect you from traditional hacking.
That "just" is doing a lot of legwork, though. How do you identify and find that someone else, so you can call them? Generally, you need some sort of unique identity. And how do you make sure that unique virtual identity connects to the correct physical person? Once you solve that, you can probably apply the solution to phone numbers.
So I'm really suggesting something like that. Assuming it was a standard and the company didn't want paying because they weren't doing the whole geographic number to voip identity thing - they were just allowing the creation of an account. We'd be moving away from traditional phone numbers - the number/id could be a guid or long hash or whatever; nobody's going to try and remember it - it would be stored in your contacts like "dave smith" or "mum" or whatever.
Dare I say it, you could have a blockchain for this. Just to store the identifier. Not associated with any other string, such as a name or email address; just a way to ensure that the identifier isn't taken (so there may be a rush for cool ones but like I said, no-one would actually need to remember them) - that you're the first person to claim it.
If I press the button to call your unique ID, how does my softphone get yours to ring?
I would bet on “log in with phone number” being better than “log in with password” across a population any day.
Beyond SIM card cloning, I could sit behind a target, initiate a SMS auth, and simply wait for the guy to look at his phone. Most of the time it will pop up right on the front screen even if locked. If he misses it, I just wait for him to unlock the phone and look at his SMS. How would you like it if passwords just popped up visible to all on your phone?
The parent poster said "login with phone number" but that should be understood as login with a one time password by demonstrating access to the receiving end of a fairly private and relatively difficult to intercept communication channel (physically controlling the client registered to receive messages destined for your phone number on the SS7 network). The authentication factor effectively becomes something you have (your phone) whereas a password is something you know, which allows for a much larger pool of potential bad actors (with a realistic means of gaining access).
SMS factor works more like a physical key you're in possession of that can be used to set a new combination (secret/password) for future access. In practice, combinations (passwords) are forgotten much more often than keys (phones) are lost or compromised.
Helped a less-tech-savvy neighbor 'reset her Skype' account that was tied to 'her phone number', only to find that the account bound to that phone number, which she had recently acquired, was publicly searchable and connected with some sort of anime sex fetish subculture, presumably from a previous owner of that phone number..
She was using this phone / Skype account for a job interview.
Needless to say, a searchable Skype account connected to her phone number with such a public profile could have had a hugely negative impact on her job search, and she wasn't even aware of its existence until she happened to stumble upon it..
I get why businesses want to harvest peoples phone numbers and phone books but you'd hope at least some would think of the implications to users first.
I've got my number transferred to new SIM card, about 30 times over last 10 years, without any police report. Had to produce ID proof which is quite convenient.
Example form for others reading till here - https://discover.vodafone.in/documents/pdfs/simreplacement/s...
Better yet, a YES text should be required with a port
I believe T-Mobile has a nice requirement of being able to mark your number as "show up in the store and show your ID".
Yup, and yet I've heard of stories of people social engineering their way around that. The telecom companies need to make it impossible for a CSR to access your account at all without actual verifying data from you.
This would work to the thief's advantage in the case of physical device theft. The notification should definitely be a thing, but it should not be possible to cancel the process without talking to the carrier directly and verifying your identity to them.
My personal experiences and various accounts I've heard make this "might" shift to "fairly easily". Why are you so confident that it has to be someone with inside knowledge?
> I would be shocked if someone like Jack Dorsey didn't have a password associated with his account that is required to make changes
I do not share your trust. I'd be shocked if he didn't NOW, but you are basing your assumption off of what...that he recognized his status as a high profile target? Were that the case I doubt this vulnerability would have existed.
This is an excellent idea. And I wish all the cell phone carriers would adopt this, if not already.
NIST has said that 2FA via SMS is bad and awful for at least 3 years now. Can we knock it off, already?
This won’t stop SIM swaps, but it will blunt their impact by rather a lot.
The problem is when companies implement 1FA over SMS and call it “2FA.” That is a catastrophically bad idea, and unfortunately it confuses people into thinking that 2FA over SMS is somehow dangerous.
The only reason I can see for why companies don't give the option for TOTP is to force people to hand over phone numbers so they can be tracked, and in the process make the system less secure.
The algorithm is rather straightforward. The "hardest" part is the SHA1 hashing algorithm and people have written versions of that for just about every hardware under the sun, including 6502 assembly. (Hmm, an old Game Boy would make an amusing TOTP device. I should add that to my list of possible future hack project ideas.)
I think the real issue is that companies like SMS because of the tracking it enables. With a single number you get instant geographic + general socioeconomic data on a user along with a unique tracking ID. But the particularly nice thing about this ID, from a corporate perspective, is how blithe users are with it. People will happily "validate" away on numerous sites. Now, by "sharing select information with our trusted partners" (as seems to be the preferred T&C jargon) companies can create extensive profiles on their users well above and beyond their activities on any given site.
Obviously you get none of this with a TOTP. Instead you get better security, better portability, and fewer external dependencies. But no tracking. So SMS wins in the current state of the internet.
Frustratingly, you can't enable TOTP without a phone number, and if you remove your phone number, you disable 2FA.
In some places, SMS is simply what people are accustomed to, and the idea of using an app feels like a weird intrusion. Couple this with a PM saying "What if someone changes phones? SMS is more convenient and everyone already uses it anyway". Add a couple of years of SMS-factor, and it can quickly become considered good enough and no more work on MFA is required.
It doesn't take nefarious motives.
If you lose the one time use codes, then you're screwed. But that's the risk you face if you want the most simple and most secure method.
The government agencies that set up the mobile number portability system need to realise the seriousness of this flaw and allow a “Never transfer my Number” flag to be set in their databases. Until then even the lowest rung service desk agent at any telco has the ability to transfer numbers. A system like that can never be secure.
If you truly use an SMS only as a second factor - and don't provide recovery options only by phone, like Twitter - then you have much less of a problem. In that case, a compromised phone number does not give the attacker the password or other factor. SMS is still extremely imperfect for 2FA, but it's still a lot better than no 2FA.
A good way to think about the SMS problem is this: As a second factor, your cellphone is considered by many to be "something you have". TOTP like Google authenticator does verify you are in possession of that device through a shared secret key.
SMS does not verify this and the factor is not something you have. Instead, SMS is more like "something loosely associated with you that is transferrable and vulnerable to social engineering attacks".
Anything is better than nothing. However this may be worse because it provides a false sense of security.
It turns out there are no really good ways to authenticate individuals at scale. The answer is not to deride and blacklist arbitrary bad options from the pool, but to add even more factors so that their differing contexts present a more formidable holistic challenge.
Obviously, as GP points out, supporting multiple factors but allowing any one of them to be used in isolation is just building a chain with a weakest link. Better to build a chain-link fence.
SIM swapping is not always the result of social engineering attacks. There are bad actors that work for carriers who will knowingly fraudulently swap sims.
At least with something like Google Authenticator that can be done at scale, someone has to have your physical device and has to get past your hopefully secure pin code/finger print sensor/face id or use rubber hose decryption.
Any attacks on phone numbers are spearphishing, almost by definition. Some form of identity fraud - no matter how easy it is for an attacker - must be performed in phone number stealing. Even if it's very easy, that's a significant cost for an attacker and not an easily scalable attack. I agree that SMS 2FA must never be presented as an effective means to thwart spearphishing, where attackers are willing to put in this effort.
Now in the real world, password reuse attacks are far more common, and a commonly bigger concern for a random online accounts system. SMS 2FA can be of really big help there.
That's not true. I have Twitter 2FA inside Authy AND inside Twitter's own app (it's hidden -- at least on Android -- under Settings and privacy -> Account -> Security -> Login verification -> Login Code Generator).
I get that makes life much more difficult when you are travelling and have your phone (and therefore SIM) stolen, but given the severity of the current issues it seems minimal disruption. You get a burner phone for 24 hours?
You get a new SIM instantly, but it has a temporary number. Then you get notifications via SMS on your old SIM, you usually get a call from your old carrier trying to get you to stay, offering discounts and shit. Then after 7-14 days the new SIM gets the old number and the old SIM stops working.
The U.S. system sounds horrifically irresponsible.
// Replacement with the same carrier is quick, but requires physical presence with government ID (passport)
It used to take a long time and the carriers caught grief for making it hard for people to port out to another carrier.
I'd say it's pretty simple then: you can't transfer your number and just need to get a new one.
I mean at some point you have to draw a line; losing your password and resetting it via email is already a pretty gracious thing, and most support desks will help you beyond the default password reset as well if necessary.
But at some point you have to draw a line - key's lost? Access is lost.
Why not just require that if you don't have your old SIM on you, you have to jump through extra hoops involving physically showing government-issued documents and otherwise leaving enough paper trail for the police to find and jail you if it turns out you were a fraud?
Maybe the laws don’t consider that a serious enough crime to even investigate the cases?
For the average person, the best utility of it is being able to retain your number on losing your device. Usually you aren't expecting to lose your device, so imagine how much more complicated everything gets when not only do you have to worry about getting a new one unexpectedly, but then also have to get a new number, inform everyone you know about that, and then update all your accounts.
All of that just to protect people from being targeted by fraud that is not only very unlikely to happen to them unless they're well known, but is also better resolved by making authentication systems smarter.
Even if someone's phone is locked and useless, you could steal it, dispose of it, and cause a lot of grief.
a) I don't use twitter, so it's a loss of minimal proportions
b) It's twitter's fault and easily prevented by them
Sure, a) won't be applicable to all services because there are services I actually use that my life revolves around. However, the only service I can think of that would disrupt more of my life than losing my phone number is verified 2FA secured and does not have this vulnerability.
I would actively avoid a carrier that promotes this policy and think it's naive to assert that it's even remotely viable.
what if you actually want to transfer your number?
I can imagine however that an admin at a reasonably large business would receive several of these emails per day and may just reflexively click on them all. Note these emails are sent to the business account admin, not the end-user. I happen to be both so can see both sides of the process.
Edit: I should also add that I have never met this rep and so he has definitely not looked at my government ID. The process is secured only by receipt of email.
Email, SMS, automated phone call.
> BankID is a citizen identification solution that allows companies, banks and government agencies to authenticate and conclude agreements with individuals over the Internet.
You need your phone to use it but it can be recovered using other means like an ID card or a digipass from your bank.
This is common for many telcos, banks, etc.
But I wonder, besides the US and Africa, where is SIM swapping prevalent? NYT says I'm at risk too. I'm in Europe -- am I?
The problem is your cell provider doesn't have a very good way to be sure it's Svip asking them to do this transfer. They are mostly going to rely on low paid call center or shop floor staff to decide. Fortunately for them this is a low-value transaction. If I get them to transfer Svip's number, I don't cost them very much money and I don't inconvenience you all that much really. Why would I bother...
Unless some idiot decides to rest the authentication scheme for their valuable service on control over a phone number.
In the UK in particular for example the person doing the authentication in an actual store will usually be a teenager working part time for the mobile phone company to get some spending money or during tertiary education. When a hot guy approaches them saying they can make twice their weekly wage if they just "forget" to do a proper ID check for a few friends of his, why wouldn't they say "Yes" ? They might get fired? They have never had a serious job, they're treated like shit, unless they're unusually upright and honest or they think it's a trap they're going to agree.
In fairness, that was me moving from one carrier to another. I assume, if I were to get a new SIM with the same carrier, it would be a lot easier. I have been trying to figure out what it would require for me to change SIM within the carrier, but their help articles aren't clear on this, besides mentioning it is possible (my impression is that they will ship the SIM card by postal services).
For example, you have to physically go to a store to port the number unless you have the old SIM.
Then it's not done immediately - there's a 72 hour period in which multiple texts and calls are sent to the old SIM asking for confirmation. If you physically have the old SIM this is instant, but if you claim to have lost it you need to wait 72 hours and provide a signature and mugshot at the store.
If a member of staff "forgets" to do this stuff, they go to jail.
People don't usually lose their SIM card, so this process wouldn't happen very often.
Or make anyone who claims they lost their SIM wrestle a bear first before they get a replacement. Won't see many crooks take that on.
But, I put it to you that this all seems very disproportionate when you remember that you're punishing the phone company and its customers for not securing Twitter. These are the wrong people!
Even better still, solve it at both levels, but definitely don't let phone companies off the hook.
But it won't happen because people are dumb and don't care about the issue until the exact moment it bites. This basically applies to every security problem: everything is perpetually broken and therefore nefarious actors can always find a way to achieve their goals. Most people's best defence is to not have any enemies.
If you lose your phone & SIM inside it, you need to go to the store anyway, or have a new phone sent by post (takes a few days usually). One of these things has to happen! You need a new phone!
So what we are adding here is a 72 hour wait for the number port. In the meantime you have a temporary number.
Govt should legislate to make precautions like this compulsory, or to create incentives for good security like steep fines against the phone company for simjacking, together with private red teams probing phone corp's security in this regard and claiming part of the fine.
Definitely the phone company to go with!
> People don't usually lose their SIM card, so this process wouldn't happen very often.
Unless, of course, they anticipated just such an emergency, and preemptively kept the phone and SIM separate because they care that much about faceless, global social media platforms.
Actually retail sales at AT&T and T-Mobile stores (not third-party retailers) can make mid to high five figures if they're competent salespeople. Maybe low six figures at a high-volume store. Most of the money is in commission but it's there.
After reading those I switched authentication from an SMS text to my bank app.
SMS is NOT a secure second factor!
* SMS (and automated voice call) are bad for people who live in areas with poor phone coverage, people with international phone numbers, and people who want good security.
* TOTP is bad for people who don't have smartphones.
* FIDO U2F is bad for people who don't have $20, safari/iOS users, and people whose devices don't have USB.
* Vendor-specific apps are bad for people who don't have smartphones, people with low spec or poorly supported smartphones, blind people, and the privacy-conscious.
* Smart card readers and physical tokens with screens cost $$$, often aren't accessible to blind people, and are too bulky for users to carry more than one or two.
* Paper single-use codes are bad for people who log in regularly, people who don't have printers, and don't scale to multiple services all that well.
* All of the above are bad for people who are forgetful or clumsy enough to regularly lose or break the second factor.
WITH THAT SAID, you can still provide Hacker-News-reader-approved two-factor authentication by basically copying Google: Offer the user TOTP, FIDO, SMS and paper codes, let them choose any two.
Gain bonus points with a setting that stops customer services resetting the password or disabling 2fa, and a week-long warning/waiting period in case account hijackers dial up the security settings to stop the original user getting their account back.
This is only true if you're willing to define everything beyond the most mundane "dumb phone" as a "smartphone". One of my friends has a long list of exciting problems which ends up meaning he doesn't own what anyone these days would consider a smartphone.
But it's not like he uses carrier pigeons. His phone does have a (monochrome) screen and is quite capable of running software, it's just the software has to be crappy mobile Java from last century. However TOTP is trivial, you probably can't do it in your head but you definitely can do it in a Java 1.0 implementation and so sure enough it can be run on those phones.
On a brand new Pixel of course you vaguely wave your phone near the screen, it reads a QR code and sets everything up, he has to instead laboriously transcribe a secret value using T9 input, but the same effect is achieved - a changing code that he can input to prove he knows the shared secret.
That's why I said "bad for" rather than "impossible for" :)
After all, you'd still be excluding all the people who don't have any of those. Like my 90-year-old neighbour who only has a landline phone.
I've helped maybe 50 employees set up VPN access at my workplace, and at least 2 of them said they didn't have any way to TOTP independently of the laptop we were issuing them with.
Why is that? I'm maybe spoiled by my surroundings (Poland and Europe in general), but receiving SMS text is free abroad. While using a data plan generally is not, so SMS is cheaper (free) as a second factor if you travel a lot.
When I went from the UK to Montreal, I tried to use local Uber competitor "Teo Taxi" but was unable to as their number-confirmation SMS didn't arrive.
And please, people, stop saying that this is not good for people who do not have smartphones. To a first approximation, everybody has a smartphone.
That's really nice in some respects, but in theory if your account gets hacked, goodbye phone number. There may have been some additional work involved, eg confirm via email, but I believe other networks make it a lot more difficult. Eg you need to request it specifically through customer services and they need actual ID.
My mum is with EE and she had to go to a physical store and prove she was the account holder. Three is similar, you have to request a new sim but in theory if your mobile account is broken then that can be done online (though it never worked when I tried it, the sim didn't arrive).
> When Sims rang EE, it soon emerged that someone posing as his wife had managed to persuade the mobile network to activate a new sim card
> Sims says that when he contacted his bank, Halifax, the call centre told him it is handling hundreds of sim scams every day, making it the fastest growing fraud in the country – although Halifax later disputed this figure.
On the other hand I'm sure I saw something about banks etc being able to subscribe to services that would give them background information about a mobile number (ie if the number has been recently ported).
But I am not sure about websites, maybe they have integration with the operators to check the last SIM change date and compare it to their last known trusted SIM, or check the last time your phone was audited? You need to generate one time codes in TR banks afaik.
> After SIM card changes made due to number porting, 4.5G or other reasons, the one-time passwords used to log in to Garanti BBVA Internet Banking and Garanti BBVA Mobile are blocked for your security.
"Due to switching to another provider, 4G, or for whatever reason if you change your SIM card your password is blocked for both the app and internet banking."
> To lift the block, you can visit Garanti BBVA branches or call the Garanti BBVA Customer Communication Center at 444 0 333.
"In order to remove the password block you will need either to visit one of our banks or call us."
Logging in to Garanti requires 2FA. You can either use your password + SMS, or your password + one time code generator; in the past there was also password + mobile sign.
In Turkey 2FA is required by law in banking. This law has been in force for, I think, 5-6 years.
Also, it is easy to implement this "notify the bank if SIM has changed" because all the banks (except few state banks which are in Ankara) and mobile operators (3) are all located in Istanbul.
In same vein, I wish security questions would die in a fire. Always treat them like additional passwords: use nonsensical words and store them in your password manager.
And if a password has sufficient entropy (not likely to ever be duplicated) then the account identifier is pointless. Just use the password as sufficient authentication.
I make up random answers and write them down in the notes of my password manager. I always try and recommend others do the same.
I wish password managers would make this easier.
> Twitter said on Wednesday that it would stop allowing some users to post updates via text message, which made Twitter access particularly easy for SIM swappers. But that will not stop hackers who use the SIM swap to log in to a victim’s Twitter account. (Twitter said it was working to improve this.)
At the risk of jumping onto hot-takes, at what point is it reasonable to say that Twitter as a company just isn't taking security seriously? The first response from Twitter should have been, "we turned off SMS password resets immediately", not, "we're working on it." This is the kind of mistake I expect a technologically naive company to make. It's a mistake I would expect a bank to make, or a startup with 7 engineers total.
I don't understand how a company can brush aside an attack where attackers took over their CEO's account. I understand everybody does dumb things occasionally, but how big is Twitter's security team? Nobody thought this was a problem?
There must be some aspect to this I'm missing; how does doing password resets over SMS pass any security audit? This isn't new, even mainstream sources have been talking about SIM-swapping for years.
I've seen US-based IT-security-minded people saying on Twitter for a long time that SMS-based 2FA is bad, but the problem with hardware dongles is that they can be too secure. I don't want to lock myself out of my own Gmail account. I guess apps like Authy as mentioned in the other comments are an alternative. In any case I guess there are (or should be) some special codes you can write down in case you lose access to your second-factor info.
All systems/services I have seen that allow 2FA through a hardware device like a Yubikey also provide you a set of several recovery codes that you need to note down somewhere safe so that you can use those if your device fails or is lost. Some systems/services also force you to first setup a TOTP based authentication (with an app like OTP Auth/Authy) and then proceed with setting up additional hardware based 2FA. Unless you lose access to your recovery codes, which is the same as losing your password on a system with no 2FA, you should be fine (though I do get the concern here). People also get two hardware keys and set them up for the same platforms/services, keeping one in a safe place for future use in case the first one that's regularly used gets lost or breaks.
So no protection, but a notification.
You can do the same in Signal.
Source? There is a lot wrong with our authorities, but I really, really doubt what you just said. I mean, the way you have written it gives the wrong impression that authorities can clone any SIM at their whim, just like China or other authoritarian governments.
Just a single tweet from Musk caused a big wave in the value of Tesla + a serious bollocking from the SEC.
Who are more than negligent here.
Buy some options several days in advance, drop the tweet, then sell right when volume shoots through the roof.
I got my first iOS device 3 days ago as a gift, an iPad. During the excitement of the setup process, I was told to set up 2FA for my iCloud account, which I've never conscientiously used since I own no iOS devices. Now all my Apple IDs, from my 2009 iMac to my MacBook, are tied to the darn 2FA and... my phone number.
Apparently 2FA for Apple IDs cannot be rolled back! Now every time I want to upgrade something on my MacBook I have to get an SMS code on my (vulnerable) phone to access my Apple account. This is a very unfortunate decision by Apple.
Like I said, I'm a big fan of passwords. Just give me 2 or 3 passwords or passphrases (or secret patterns) as backup for my main password. Require them to be long and complex. Something that is inside my brain and only Leonardo DiCaprio can steal. Not my dad's middle name or pet name or school teacher's name. I'm not a security expert, but I still feel that's the most secure way to protect an account.
I repeat, they don't work. No 2FA means you'll experience many successful account takeover attacks on your customers. 2FA does not mean you won't, though.
Coinbase had a great talk about account takeover attacks on the recent DefCon. They receive some of the most sophisticated attacks, sometimes when attackers already have control of every other account that the target has. Email, Facebook, Apple Cloud - you name it, now they come for the coins, to cash out.
There are simple and complex solutions out there; we should keep taking small steps in the direction of safer password authentication, like browsers showing users the certificate validity, or things requiring an individualized secret question so that you know the host is not phishing.
I agree passwords are far, far from ideal and that 2FA is probably just adding complexity for the hackers, hence making it appear to be a better option, but this is just for the time being. Phone-based 2FA is flawed at the root (of how SIM cards work), so we should keep working on improving password security instead of throwing ourselves into the arms of a flawed phone 2FA.
My understanding is that 2FA helps protect against weak passwords and password leaks. That's it. If you give me your password via a phished site, then you'll also just as readily give me your 2FA code. Then I can log into your account and turn off 2FA, generate new login codes, or just keep the login session running indefinitely.
How does 2FA help prevent any of that?
But in any other case where the victim isn't in the loop, that 2FA protects them (hopefully). If you haven't been to target.com in a week, you're not going to click the pop-up on your phone to log in out of the blue (hopefully).
Ideally your 2FA methods are not as simple as just sending a code and having the user parrot it back though. There might be some cryptography going on that would make it even harder for the attacker to interfere.
This sounds strange. I always get the 2FA authorization message and the code through a push notification from Apple that appears as a dialog on the device(s) used to authorize access from another device. SMS or voice call is used for the initial setup though.
Apple removed the option to turn off two-factor authentication on some Apple IDs created in iOS 10.3 or macOS 10.12.4 and later.
A couple of years ago, I forgot the question/passphrase sequence for two-step verification and subsequently got frozen out. I had initially set it as samephrase1..2..3 in an effort to refrain from supplying PII. In order to reset, I managed to opt-in to 2FA and then revert back to initial setup.
I would have continued to think of the above process as the norm, until I read your comment and followed the support link provided by the other commenter, which states that the 2FA process cannot be undone anymore! However, there seems to be a slightly convoluted alternative, i.e. unlinking the existing Apple ID and attaching a new one for iCloud only, thus keeping the (old) existing one for the App Store and other services.
Also, SMS is always in-addition to your password. If you forget your password and you don’t have a trusted device from which to reset it, then Apple uses a recovery procedure which requires more than just SMS for verification.
You can also enable a recovery key which will then prevent SMS from being used to reset your password. With a recovery key you need to either use a trusted device or the key to reset your password.
SIMs and phones being vulnerable is different from 2FA not working.
Interestingly enough (academically), neither party is accepting blame, resulting in the consumer taking the hit, given organised syndicates.
Bank - not my problem if password and 2FA gets compromised
Cell provider - I never promised you bank grade security or safety of funds
This is why SMS should never be an option for MFA. You simply cannot rely on a telco employee for the security of your organization or online presence.
Suppose you have password '47BF-38AP-3M99' on the list. You get a plausible email from your friend Barry saying he needs €40 urgently. You send €40 using that password and instructions Barry gave about some web site for transferring money.
Oops. That wasn't Barry, crooks used Barry's email account to send the message and the €40 transfer turns out to have been a transaction to empty your account of €5830.26 but '47BF-38AP-3M99' was correct so the bank OK'd it.
The regulation aims to arrange that the second factor involves the transaction value 5830.26 which is weird for you because you are trying to send Barry €40. You would probably realise something is wrong when typing 5830.26 into an authenticator, or else, the crooks only get €40 which is a bad pay-off for such a sophisticated attack.
My good bank gave me a weird chiclet keypad device years ago that I have to type stuff into while doing online transactions. So I'd have to type the amount into that device. It whitelists certain actions, so if I keep sending Barry money, I think I don't have to type the amount in every time or something.
The EU rules definitely don't forbid your bank doing something better here, but I can see that the way that bank chose to implement them hasn't helped you which sucks.
If you don’t mind my asking, is your banking institution geared towards HNW clients? The amount verification sounds very similar to what most banks in the US do for inter-bank transactions but I’ve never heard of something like that implemented on a bank account from the consumer’s side.
I am not required to carry it, but my understanding is that most features of my online banking don't work if I tell the system I don't have it with me. I store it with other valuable identity items like my birth certificate in my home, I do not take it with me when I travel.
This bank offers excellent 24/7 phone service, if I was away from home I would call them if I needed anything. All conceivable transactions can be concluded by phone, indeed I've mentioned to HN before that it turns out very high value financial transactions (literally buying a home in my case) can't be done online at all. The web site just tells me to call them instead to complete the transaction.
The institution is not especially geared to High Net Worth individuals, but it doesn't offer any products geared to people focused on being thrifty/economical. It doesn't offer zero fee current account banking, it doesn't pay great interest on savings, it doesn't have "cash back" features on credit cards, it's just a very well run bank. If I needed £10 more than I need a bank I can rely on, I would leave.
WebAuthn uses FIDO Security keys, relatively cheap USB or Bluetooth devices or sometimes just a built-in feature of a smartphone, to authenticate. They are Something-You-Have, but the WebAuthn protocol also offers:
* Optionally a mode where you give the FIDO key a PIN (Something-You-Know) or biometric input (Something-You-Are) to do all the authentication locally
* Phishing-proof - there's no decision about whether this is really your bank. WebAuthn is completely happy to log you into https://fake.bank.phishingsite.example/ but the credentials are useless to the crooks who own that site because they won't work on https://your.actual.bank.example/ even if the crooks got the logo just exactly right and wrote a very convincing pleading email from your bank saying they definitely need you to go to the fake bank site.
That turns multi-factor auth back into "single factor auth" and leaves you one exploit away from having your password and TOTP code stolen.
It is a security tradeoff that I take for most of my accounts. For a few that are much more sensitive I use a Yubikey.
But unless you have your 1Password set up to need the secret every time you go to have it fill in the password, the seed string is in memory unencrypted along with your passwords (or more specifically, it's stored in a way that it can be decrypted by the app/extension on its own). That makes it one spectre/meltdown style exploit away from getting everything needed to login to the account.
Still, if that system works for you, then good! Having any 2FA (even SMS) is better than nothing, storing TOTP codes in a password manager is better than SMS, storing them in a separate device is better still, and U2F keys are even better still.
Like anything it's a gradient of tradeoffs, but I've seen too many people go from Google Authenticator to 1Password in an attempt to further secure their account, and I just like to point out that there's a good chance it's doing the opposite.
Am I misunderstanding something? Or did you mean OTP rather than TOTP?
It’s arguable that you’re removing that second factor when you store the parameters needed to create the TOTP in the same place as you store your passwords.
That string is all that is needed to generate all of the TOTP codes forever. So while the TOTP code that you type is different every minute, it's generated by doing some math on the setup string and the current time.
Some password managers (like 1Password) allow you to have them generate your TOTP codes by putting in your setup string into them (often using the exact same process you would do to setup your TOTP codes in an app). But I'm saying that's not a good idea if you are going for "most secure", because at that point if something were to somehow exploit your password manager, they will not only get your username and password, but will have that setup string as well so they can generate their own TOTP codes for you.
This works on vacation when I can't receive SMS. It was much cheaper to buy a 4G SIM in Barcelona (for Google Maps etc) than enable international roaming from Australia ($AU5/day).
Those seem like excellent litigation targets, and I’m surprised that that fact alone hasn’t fixed this bug. Dorsey should sue and sue and sue and not settle and get these companies to unfuck themselves.
If you are a captain of a ship that sees an out-of-control oil tanker heading for it, the solution is not to sue the oil tanker owners; rather it is to get out of its way, which in Jack's case should be ordering an immediate implementation of a non-SMS 2FA.
A.2b. "In construing and complying with these rules due regard shall be had to all dangers of navigation and collision and to any special circumstances, including the limitations of the vessels involved, which may make a departure from these rules necessary to avoid immediate danger"
Basically, if obeying the other rules means you'll get hit by an oil tanker, Rule 2b says ignore those other rules so that you don't get hit by an oil tanker. So yeah, Jack ought to order his engineers to go fix this.
Twitter supports U2F. Jack Dorsey just prefers not to use it, according to reports.
The original statement is:
> which in Jack's case should be ordering an immediate implementation of a non-SMS 2FA
Which, as I point out, is superfluous, because Twitter already has three other forms of non-SMS 2FA. Twitter does also support SMS-based password reset, which is a problem, but that's not actually how Jack Dorsey's account got hacked in the first place.
Aside from any improvements to Twitter's security practices that could be made, Jack Dorsey himself was not using the existing security features that Twitter already offers. Which is the real problem.
SIM swapping attacks could have devastating effects on the lives of the people here.
A correction: Aadhaar is available to all residents of India (those who have spent more than 182 days in the country in a year). It has nothing to do with Indian citizenship or being a proof of Indian citizenship, though with the completely broken design of the system, Aadhaar can be used to get a passport, and thus proving that one is a "citizen".
Ironically, Aadhaar could indeed prevent SIM swapping attacks in certain cases for those who have updated their Aadhaar number to their service provider. If the Aadhaar number is available at the service provider, it needs to be authenticated (via Biometric and SMS OTP) before swapping SIM.
I wonder, if the mobile is lost, whether at least the biometric part of the Aadhaar authentication is required to get the new SIM. Also, if the Aadhaar OTP needs to be entered in their internal service, bribing might not be possible.
This is one thing nice about Google Fi: SIM swap attacks aren't possible. Your phone number with Fi is tied to your Google account, and the only way to get a Fi phone number on a new phone is to sign into the Google account. So if you protect your account with good 2FA, your number is safer than with any cell phone company (at least in the US).
Why I Can No Longer Recommend Google Fi https://onemileatatime.com/google-fi-review/
> I’ve been fiercely evangelical about Project Fi since Google launched their cell phone service a few years ago. ... I think it’s important to update y’all about some recent experiences and research, along with why I am withdrawing my endorsement.
> Previously, whenever I had issues with my Pixel 2 or prior Fi-enabled devices, the third-party support center was phenomenal. I’ve had them help me with hardware issues, system issues, a phone that just wouldn’t connect to WiFi, or tethering that didn’t work when it was supposed to — every interaction was great, and resulted in the problem being solved.
> Since November, this has not been the case. My calls and chats to support have gone nowhere, and the once-great support staff have been replaced (or supplemented) by random people using generic scripts. I’m sure the awesome trouble-shooters are still there, but the sampling I’ve seen doesn’t suggest pervasive competency.
EDIT: Actually there is another, possibly more serious issue with Google Fi mentioned in the article:
> If you can’t use Google Payments, you can’t pay for Google Fi
> Getting this fixed is actually impossible, and I say that as someone who really, truly, loves solving problems and has made a living off getting phone agents to want to help me.
> We have submitted copies of his ID four times, my ID twice, multiple photos of credit cards, and various credit card statements. We’ve talked to agents and supervisors at Google Payments and Google Fi. No one is empowered to do anything, and even a well-intentioned agent doesn’t get the same answer from the "security department" twice.
> I’ve since found hundreds of comments and Reddit threads from people having similar experiences, with almost zero positive conclusions.
> The only suggestion of a solution we’ve been given is that he abandon both his email address and phone number of the past twenty years and start fresh.
The Fi team cares a lot about these kinds of issues and does what they can to solve them. I cannot comment on specific cases, but as someone that works on Payments @ Google, I've seen the Fi team advocate for their users a lot to get things running smoothly. They deeply care about good experiences and do what they can to make sure that's the case.
Sadly, things sometimes go wrong, and it becomes a learning experience to make it better for users in the future.
Sadly, I've experienced the same steep drop in Google support of late (twice in the past week in fact) working with G Suite support agents.
Just yesterday, I was helping a client troubleshoot a week-long issue with Drive File Stream ("Can't reach Google Drive") that remains unresolved for three of their users. Despite repeated phone calls and a promised callback from a "Drive engineer", the issue persists. We've eliminated suspected culprits by testing on other computers and networks.
Tech support from large players like Google, Microsoft, and Rackspace, even when paid, has declined precipitously in recent years.
For your Drive FS issue, I assume you're on Windows? I have no clue if this is backend or client, but watch for a new version: https://support.google.com/a/answer/7577057
Maybe that will fix your issues. I'm not sure how to check your Drive FS client version sadly.
Thank you. Yes, they're Windows clients. We've tried downloading the latest version (as of yesterday) on completely new Windows 7 and 10 machines on a completely separate network and still have the same issue for the same 3 users every time. The other users don't have any problem with File Stream. We've checked and rechecked all of the settings available to us via the G Suite Admin Dashboard.
I'm scared though; Voice seems to be an afterthought for Google. They've killed Hangouts, which is the only app that text works with (if you have another way, tell me), not given it any update love in forever, and have been ending projects more actively recently.
I don't know what I'd do without voice.
> Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control.
> Hackers can get the codes by bribing phone company employees.
How hard is it to insist on someone coming down to a store and submitting several forms of identification to get a new SIM? And make multiple people in the store sign off on it. Has anyone ever gone to jail for taking a bribe to swap a SIM?
The other issue is to stop using SMS for a 1-factor recovery. There still needs to be a second factor, like knowing a password or a pin.
I see plenty of people suggesting we don't give phone numbers at all. That's not very convenient for most people. I consider myself savvy and use 2FA and password managers ...etc. But by the time I realized this issue, I had given my phone number to most important services.
This and spam are two very serious issues in the US that are already solved in most countries of the world.
How does this work if your phone is lost/stolen?
Signal doesn't really care about identity at all, it leaves it up to the users to decide if "Steve" in their contacts is who they thought it should be, if they're happy to accept that without proof or if they've verified it was who they expected in person or out of band.
Modern Signal lets users put together a profile, like a Twitter profile, and like the Twitter profile you might know somebody whose profile name is "Grim Reaper" and whose profile photo is the Discworld Death, without you believing that is their real name or appearance. Maybe you decide that's enough reason not to mark your friend Suzie ("Grim Reaper") as Verified in Signal. Most likely not. Other Signal users aren't informed of this decision and Signal itself doesn't know what you decided.
But it does default bind your contacts to Signal users based on a telephone number they've proved control of at some point. So if you don't verify anything, a message from you to "Steve" could be received by somebody who registered the phone number you've associated with the contact "Steve". Signal's creators rationalise that this is what an ordinary phone user expects to happen.
If it's important to you that "SIM Swap" isn't used to create an imposter Signal account with your phone number (a reasonable concern for some people), you can set a "Registration Lock PIN" for the phone number. Anybody else in the future who wants to use Signal with that telephone number will need the PIN or their registration fails.