Most notably: AT&T and Verizon both use call logs to authenticate SIM swaps from people who don't know the account PIN; requestors are asked to list recently made outbound calls, or in some cases inbound calls. A targeted attacker can trick a customer into making a known call (or, obviously, can simply call the customer to make inbound call records), and then authenticate with them.
AT&T uses billing statement data as a factor. But the research team was able to "spoof" billing statement data by purchasing prepaid refill cards and applying them to a target's account.
The report also identified a bunch of online services for which SMS was used not just as a second factor but, through account recovery, as a sole factor, meaning you're substantially worse off with SMS authentication than you are without it at those services. The reality is probably worse than the report highlights, since a lot of account recovery processes are informal and ad-hoc, and can be socially engineered into relying on SMS.
But if in those cases you disable SMS auth, then you can't recover your account right? That might be considered worse off in some cases.
This is how it works in Poland since September 2019, after some recent SIM-swap attacks. You can swap SIM or get a replacement if stolen only at store showing government ID. It is free of charge with Orange and not always free with T-mobile.
But this has some downsides in real life.
1) I had to walk my 88 yo Mom to the store to swap SIM card.
2) Every clerk at every shop can do that so for a determined criminal it is possible to bribe or threaten one.
3) Virtual operators (MVNOs) usually do not have physical locations, and there are a dozen of them.
A recovery code snail-mailed/e-mailed to the account holder when they first open the account is the correct way to go, and if they can't provide it they need to go through a lengthy process where many factors are used to authenticate them (verify their physical address, verify their ID, ask to confirm last call records, billing details, etc).
If later it turns out this was a sim swapping attack you can verify if the clerk entered a valid document ID. He can’t do that without having been presented a proper document, so you can tell if he checked.
I wasn't sure how you would solve the problem of verifying the ID card without showing the previously recorded number to the clerk. But simply requiring the clerk to punch in the ID every time (and maybe scan the whole card to check the photo later) could work - if the system only returns a big OK or BAD signal.
Currently here, in Hungary, the clerks just photocopy the IDs though. And there was a big scandal a few years ago (in connection to the ISIL/ISIS attacks in EU) about some groups obtaining hundreds of thousands of SIMs for just a few names.
Your first drawback is substantial, though.
That would be a smart criminal with means. I was thinking more of a hood with a fat neck passing $20 to a clerk assistant to obtain a SIM for $5k fraud.
So easy for evildoers and so much friction for law-abiding customers.
That is for example how my debit card works. If I want to use it abroad I have to turn that feature on for whatever time I am abroad.
The same is true with my major US bank (and probably other banks too).
Full disclosure: I work at Twilio and built the first version of the wireless product, so I'm a bit biased.
Also, remember the date when you created your Google account. The best way to find that date may be to look at the first email you received in the account.
This just moves your security issues to another account. How many layers of recovery email address are you willing to go through before hitting the end?
I mean, in Europe if criminals want to get a bunch of stuff on credit from some place with a disposable identity, they generally recruit poor/homeless people with real IDs, because that is simpler/cheaper/safer than trying to do it with counterfeit IDs.
SMS hijacking, just like the core identity theft issue, is so much rarer elsewhere - it demonstrates that it's a solvable issue if the USA wanted to solve it. (In some sense the discussion on identity theft reminds me of https://www.theonion.com/no-way-to-prevent-this-says-only-na...) However, the straightforward way to do that would require a proper single centralized (i.e. federal) gov't ID issued to almost all people, which seems to be anathema in the USA.
Can you detail which "most" of Europe you are talking about?
In Italy, while obviously you have to produce an ID card, there is no way that it can be checked online by "an employer"; only the Police (and Carabinieri) can do those checks, and of course only for Italian-issued IDs. Moreover, in some other businesses besides SIM card selling where the ID is needed (as an example hotels, AirBnBs and similar, car or tool rentals, etc.) the actual employee never had any formal, official training to recognize forged IDs, so everything is left to the single employee's common sense and experience/knowledge (often zero or next to zero).
Particularly with "foreign" or "uncommon" pieces of ID, even Italian ones (besides the "normal" ID cards and passports there are a number of other documents that have ID value), it is extremely difficult to tell if one is forged.
In UK AFAIK there is no national ID card, so you are limited to passport and/or (if valid for the scope) the driver license.
For the record - for a period it was laminated, and then it was forbidden to laminate it (as forgeries were somewhat simpler with the laminated one, though I don't know the details).
Old ID card (paper, large, duration - theoretical - 5 years, then extended to 10 years, practically indestructible, i.e. they actually lasted the 5 or 10 years):
New ID card (electronic, credit card size, with chip, duration - theoretical - 10 years, usually illegible after 2 or 3 years in a wallet unless you use a protective cover):
And whether you get the one or the other may depend on the city (comune) as most will use all the empty paper documents they have in storage before starting issuing the new electronic format.
for which no one or nearly no one has a reader, BTW; the whole thing is somehow experimental, even now that we have an app (Android only):
The US also has the REAL ID standard that requires IDs to meet minimum standards in order to be accepted by the federal government.
If carriers just required a REAL ID compliant ID in order to get a new SIM, and actually checked it via the chip or magnetic strip, I think we'd be good.
Which is usually a really crappy idea when you want to save a few bucks compared to a real passport.
There are umpteen stories of heartbreak and hurt, by people not being allowed to board an international flight, or a cruise which stops at destinations not covered by a passport card.
There are also those that thought it's a great idea to get them for their kids.
With the same consequence. A passport card does not allow you to fly internationally. Not even to Mexico or Canada.
I'm not saying use it for international travel, I'm saying use it as an ID? Literally any American citizen can get an ID card for $65 that is accepted everywhere someone asks you for ID.
If we started taking things a bit more seriously, we could also get that fee down by subsidizing it.
A few years back I lost my phone and went to get a new SIM. The attendant in the shop only had a quick look over my ID card. He didn't scan it, nor did he enter the ID number in the computer to check anything. I think he only verified that the name was the same as the one on file and the photo looked like me.
The same happens at the post office when you go to collect a parcel / registered mail.
On the other hand, in almost every bar I've been to, staff would do a quick check with a pen on every 50 € note they would get, and those notes are fairly common (two cocktails in a random bar in Paris can often cost more than 20 €). I don't know how effective that is in actually detecting counterfeit bills, but there's clearly more effort than what the other clerk did.
This forces crooks to use more expensive and traceable high quality papers for their counterfeit notes or they'll get rejected in stores and bars.
Having IDs that actually look up to anything at all is a relatively modern idea. When I was born if you suspected a passport in my country of being bogus it'd probably take a bunch of clerks several hours of physically looking through filing cabinets to check.
And where we build systems that can check often people don't. The UK government built a system which lets a driver prove to the government who they are and then get a token value back which they can give to anyone - that token can be exchanged for viewing the government records for that driver. So e.g. hire firms could insist on this token to see you're not disqualified and actually have the entitlements your physical driving license says you have.
They don't. Some of them will let you give them this token reluctantly, but all prefer you give them a printout, which obviously you could just fake.
Unless it's the former it's as good as a standard paper ID as far as forgeries go. If anything, having it machine-readable decreases security as it means the person inspecting it spends less time looking at it and just scans it in a machine.
On top of that, one could think of:
A passphrase to authenticate a number transfer to another sim.
Sending a code through physical mail.
Do you know if something like this exists in Europe?
After that 2FA should always be device specific. If you want to do 2FA with your phone then the 2FA challenge should not get sent via an identifier like a phone number that may change owners. Instead you should download a 2FA app that generates a private/public key pair where the public key is linked to your account. That way the only thing you need to do is wipe your phone remotely if it gets lost.
Won’t this work?
This is a terrible scheme.
Edit: regarding the "lack of availability" at the point of wanting to reset the password: the urgency of resetting passwords should be considered a lesser inconvenience than the risk of having lost control of your account through insecure 2FA.
(I am simply supporting my original brain storming thought through ... I am not married to this idea in any way or form. Just a thought.)
- There are online-only providers. E.g. Giffgaff in the UK, Mobile Vikings in Belgium, etc.
- Many European countries offer prepaid SIMs that aren't tied to ID. Instead, you can just buy them in the supermarket the same way as you would a gift voucher.
Not saying I like this or that this is good way forward but it's a reality that contradicts your assumption.
Off topic: those laws seem kind of silly if you can still get a valid SIM for 10 days without any ID. Seems more to be about surveillance than about anti-terrorism.
Even if iMessage could be a more secure 1.5FA, it would still be 1.5FA and not true 2FA.
Not to mention Google Authenticator deliberately prevents these stored tokens from being backed up and transferred to a different device, which makes upgrading devices troublesome.
I wish everyone would start using Yubikeys. WebAuthn is now widely supported by browsers.
iPhone backups back up its data correctly—my codes survive new phone restores where they do not with Google Authenticator.
I've wanted to get off Google Authenticator for awhile now, mostly because of the backup-restore problem, also a general trend of limiting my involvement with the company.
Isn't Google Authenticator not using this on purpose? Central account and sync is Google's thing, and yet they deem it too insecure. Completely understandable.
So how can using a central service that adds yet another attack vector be of value?
What I would love to have is a paper export.
Every time you add a new account to Google Authenticator you can print it as a QR code for later reimport.
Yes, many services already provide this for you via recovery codes, but having it on a per-service basis directly from the authenticator is probably much easier to use and not less secure.
Any reason this wouldn’t work?
It's great that people can use one app for both factors, but it seems less secure than two apps.
For example, use Authy for TOTP and LastPass for long passwords. That's two things that have to be compromised. And both of them allow you to have multiple devices (for example iPhone and iPad).
The biggest thing 2FA protects against is credential stuffing. If you’re using a password manager and have high entropy site-unique passwords, the additional entropy by TOTP is mostly moot anyway.
Passwords - protect against unauthorized access to my service accounts, and 1Password - can be compromised via logging or breaches or just plain peeping
Secret key - acts as 2FA for my 1Password and thus protects my master password from unauthorized use - can be compromised if someone steals the physical paper on which it's stored
TOTP - protects against unauthorized use of my service accounts - can be compromised if someone compromises my mobile phone or phone number. Highly unlikely someone would spend that kind of effort and €€€ on me though
All in all it's a pretty nicely tiered system. If someone gets my master password, they still need the secret key. If a burglar steals my secret key, they don't have my master password. If someone somehow compromises both of those, they still don't have access to my TOTPs and thus can't log in to any of my 'critical' accounts (basically e-mail, hosting providers, finance, etc. etc.)
Now imagine you have a malicious spouse or housemate or whatever: they could easily learn your master password by peeping over your shoulder, piecing it together bit by bit (ha). They have a lot of opportunity to search for your secret key as well. If you put your TOTPs on 1Password, you're boned. But if you have them in an authenticator app, even having access to your password manager means jack because they can't log in without your TOTPs.
I know one of the big faux pas is to talk about your security, but most of this stuff can be deduced pretty easily so I don't feel too exposed.
It doesn't offer export in the app UI. It's not doing anything to prevent you from backing up the tokens yourself; they're stored in the clear in the SQLite database for the app.
If that's too much for you, there's a good chance https://github.com/puddly/android-otp-extractor can get them automatically.
If that were possible then you would face the same problems that reused SMS numbers suffer from.
Classic Google Authenticator does not seem much more friction than that.
I am surprised your bank is moving to a weaker auth, what does that mean?
I have 3 bank accounts in 2 countries and they all switched to biometrics because it's just a simpler experience than the hardware token or "mobile token" they used before.
A further cost is that they usually require the user to install and set up an app, contrary to SMS.
This scheme also works really well with payments from your computer. Just use the bank app to scan a QR code on checkout, verify the payment details on your phone, touch a button, and you're done.
I'd guess that a majority of the bank's clients are using this method. This is in the Netherlands, by the way.
They are precisely equivalent to asking for two passwords on login instead of one password. "Something you know" and "something else you know". So pretty much, yeah. SMS may not be especially secure, but it is at least an actual second factor.
The website requires a temporary code, generated by a card reader and my card. It works like a 2FA code, as I need to _have_ my card and to _know_ its pin.
Recently however it has become somewhat less strict it feels and I can now log in to my bank app using FaceID or a pin code.
Normal bank websites still demand a code from a hardware token (think RSA key, but with a pincode and sequence-based instead of time based.)
: I realize it might be that they are just as strict only doing more work in background to verify me instead of bugging me.
Just wondering if there could be an easier non installed version that was always available.
Apologies if it's a really silly question!
But how do you protect access to the website - with a username and password? Or do people now need to remember another code like "JBSWY3DPEHPK3PXP" to set up the authenticator everytime they visit?
Mobile apps were one way to solve this although the hardware U2F tokens like Yubikey provide another authentication factor in a usable way (and more secure than TOTP because you can't be phished to enter them on the wrong site).
This is more generous than it should be. Your TOTP secret is just another part of your password regardless of whether you personally remember it or not; what matters is that, if I would like to be you, I only need to know the secret.
If it is an account you set up from home, probably the simplest thing to do is print the setup page before you scan the QR code for the secret. Even better, print the page, and then scan that QR code from the printout. Then store the printout where you keep other important papers (e.g., mine would go in my fire proof safe).
Another possibility is to scan the code on two devices. I scan on both my iPhone and my iPad. Nearly all realistic scenarios that involve me losing both of those at near the same time also involve me dying.
Encrypting a file is a bit arcane, but not difficult:
openssl enc -aes-256-cbc -pbkdf2 -iter 1024 -in plaintext.txt -out cryptotext.dat
openssl enc -aes-256-cbc -pbkdf2 -iter 1024 -d -in cryptotext.dat -out plaintext.txt
I prefer one file per code. When I get a new code, I make a directory named after the account the code is for, save a screenshot of the QR code in there, and save a text file with the text version of the code and any one-time recovery codes the site provided. I then make a .zip or .tgz from that directory, encrypt that, and save a copy in the cloud and locally. The local copy is in a location that is included in offsite backups.
If you use one file per code, I'd recommend using a public key system for the encryption. That way you don't have to enter any secrets to encrypt a new code. You only enter anything secret when decrypting.
This has a few advantages.
1. Less chance of accidentally exposing the key.
2. If like most people you use the same key for all the files, no chance of unknowingly mistyping the key resulting in a file that you cannot decrypt later.
3. If you need to recover a code, you only need to decrypt that code.
If as you suggest you wrap this in shell scripts, you can address #2 there. Have a reference file encrypted with your symmetric key. For encryption, the script can ask for your key and verify it was typed correctly by using it to decrypt the reference file.
Also worth considering is using an encrypted disk image. I believe that all major desktop operating systems provide reasonably easy ways to create, mount, and dismount such volumes. Whether you use one file per code or all codes in one file, the file or files can live on an encrypted volume that you only mount when you are saving a new code or recovering an old code.
The advantage of that is that there is no need to use any arcane commands or install any extra software.
I prefer keeping it as simple as possible since the consequences of screwing it up are a whole lot of hassle and possibly being locked out of some accounts forever. One downside is when you add or change a code you have to update all of your backups. A second script that syncs all of the backup files is also helpful to have.
In fact, Apple should redesign Keychain into a user friendly, 1Password-lite product with 2FA built-in (1Password offers this too) or as a separate app that works with Keychain.
It's bad enough their development toolchain requires you to buy their hardware, now to log into their websites you also have to buy their expensive hardware.
Once you have control over a phone number, you can register iMessage as that number on a device you control.
I thought both these vectors were already common knowledge to HN readers.
One person can't know everything... that's why I come here. Thanks for the info!
- Operator app pushes to SIM cards...
- Secret GSM processors and software internals
- Voice / text / data "ciphering"
- Protocol-level "emergency" tracking features
- Silent SMS (sounds like it's from a bad cop show but it's actually a real thing, it turns out.) "They do not show up on a display, nor trigger any acoustical signal when received. Their primary purpose was to deliver special services of the network operator to any cell phone." -- sounds like it has a completely legit use...
The list goes on. It's enough to make anyone want to get the tin foil out. But at least in this case there's a simple and clear recommendation: --not to use 2-factor auth by SIM--.
The original purpose of silent SMS was to send voicemail or missed call notifications to handsets, which would trigger an icon to be displayed on the device. Sending a regular SMS would be annoying as the user would have to delete it - after you've listened to your voicemail, another silent SMS can be sent to turn off the notification. Also, originally SMS was stored in the SIM itself, which had limited memory, so it would not be very convenient if you didn't receive a voicemail message because your SIM was full. Remember this is a 28 year old feature of GSM.
The tracking argument seems somewhat moot; maybe when this first came to light 10 years ago it wasn't the case, but nowadays I would be very surprised if operators do not keep detailed logs of all the IMEIs (unique identifier for a given device) and IMSIs (same, but for the SIM) that connect to their towers.
Carrier license sounds much more involved than what it is. It's not uncommon to sell full SS7 access to companies that are not operators in the regular sense.
If people knew how telecom (and the internet) was held together with bubblegum and duct tape...
Multiple proposed fixes and replacements to SS7, to the best of my knowledge none of them are going anywhere. And even if it was pushed hard, it has to be a global thing.
* Bidding doesn't happen in real time, but you can tell carriers your "rates" so to speak.
This happened both by government-linked parties, where they are able to coerce providers to do it, mostly targeting prominent political opposition members. It also happened without government involvement, done by provider's personnel with sufficient access and some entrepreneur attitude.
The rule of thumb to protect against it:
- do not use SMS 2FA
- if you do, use a foreign SIP number with SMS capabilities
- if you HAVE to use a local SIM, use a SIM that belongs to someone else and no one knows you use it
Shitty 2fa will still deter people who get a list of a hundred million emails/usernames and passwords and try them on banks, Twitter etc from putting in the extra work to break into your account specifically.
If you expect targeted attacks - from governments, because you oppose them, from determined criminals, because you have a lot of nice stuff to steal, or from people around you, because you know too many assholes - maybe it might as well not exist, but for most people, most of the time, any 2fa is better than none.
Any good providers? I've tried Twilio SMS forwarding, but different services (e.g. Steam) reject it for 2FA since they're pretty much considered throwaway numbers, I suppose there's some sort of blacklist
Because with 99.99% certainty the person that needs to unlock the account is me, and not an attacker.
Even with a dozen backup yubikeys and spare codes written down I’d still be much more likely to lock myself out than be attacked.
If there's one thing I have learned the hard way, it's that the most dangerous person in the equation is myself. I won't trust myself with any kind of security.
Anytime you have a human in the loop you have the risk of human failings. I.e., that human forgets to follow critical step X in the protocol. Or that human falls for the attackers emotional sob story and takes pity on the attacker and lets the attacker unlock your account. Or that particular human is amenable to bribery to obtain the outcome the attacker wants.
In fact, many sim swaps have been reported to have occurred because of "human at cell phone store did not follow protocol" or "human at cell phone store was taking bribes".
So having a human in the loop is not an absolute solution to solving the problem.
This is exactly my point. If the risk of an attack is X, the risk of me being that person who fails or forgets a critical step of the protocol (backup yubikey, whatever) is a hundred times higher. So this system of “flawed humans interacting” to me looks like the lesser evil.
I don’t want my things protected by foolproof protocols. I‘m the fool you see.
That's why I'm bullish on things like Shamir's Secret Sharing and other social recovery tools.
I'm not sure you get this. Google hasn't seemed to get this in the past. They have added some customer support though.
Any port-out requests are handled manually - you are contacted by a human to ensure that you made the request. You can ask them to put a verification code on file for you to confirm when this happens if you're concerned about the security of your XMPP account (which itself could use whatever kind of authentication scheme you like).
There is also work being done to update the type field of JMP numbers so they appear as "mobile" instead.
Type field is interesting. Not sure this can pass the radars for too long though.
So I've been working on a backup plan. Current incarnation is to use a simple Go cli tool with Shamir's secret sharing algo to break a password into N/M shards. The user can then do whatever they please with the shards, give some to their family, friends, attorney, make a pirate map, get an rfid chip, anything you want.
They can meet at the funeral to assemble your horcruxes.
I am not sure this is true. Most people regularly get phishing e-mails and apparently fall for it.
SMS and TOTP (due to the window of time the TOTP code is valid) only provide limited protection against active phishing attacks, since a phishing site can 'proxy' the SMS/TOTP code along with the password.
I think I would prefer losing access to an account (since I make backups of critical stuff anyway) than my account getting compromised, which could lead to identity theft/fraud, etc.
If you need a blood sample, then would donating blood be considered compromising security?
Identity is what your DNA is. Password is a secret. Your DNA is not a secret.
I will agree that "you have to be physically present" is a good enough password. This is Yubikey, which works fantastically. The problem with DNA is when it is compromised - you can't throw it away/change it without exorbitant effort (bone marrow transplant? and then you're simply taking on someone else's identity? is that identity theft?).
Which I agree works great, but it's quite narrow in the use cases at that point.
Carriers have already demonstrated their complete across the board failure to have appropriate security procedures. Your DNA isn't hard to find, you leave it literally everywhere you go.
And do you really want mobile carriers creating a DNA database of their every customer? The same companies that already sell your location data to bounty hunters?
That's going to be a big no thank you from me.
It doesn’t mean that for the rest of the world SMS 2FA is completely secure, it’s just a lot more difficult (or impractical/impossible) to do a SIM swap so easily.
As mentioned in another comment below, SS7 vulnerabilities are another attack vector, globally available and without requiring a SIM swap.
Of course there are much better 2FA options, but for the general public, they are probably too complicated to use.
Everyone understands SMS.
In my strictly personal opinion, responding to a notification that asks if a login attempt is you is clear enough that people need minimal training to make use of it. This might just be me, though.
In my career, I've definitely seen people actively choose SMS over other factors on offer. It was easier for them, and in many cases shouldn't have been offered. Your point about SMS being better than nothing is wise and true and insightful, but it's perhaps not always the question as faced in practice.
In all these situations, I've found companies which offer a back up SMS option very valuable since it usually gets delivered.
I tend to use TOTP for systems where I'm concerned about offline usage. But again, YMMV.
Unless you're using HOTP to mean HOTP and all extending schemes.
Your experience and standards of clarity may be different from mine, obviously.
Obviously banks are a place with a lot of low-value targets and a few very high-value targets, but the cost to implement MFA is the same so they might as well do it.
Hint: if a store asks for a phone number to get a discount, try the local area code then 634 5789. This is from an old song, and many people seem to have created "anonymous" accounts with it!
It uses the SIM to implement a challenge-response mechanism where a PIN is prompted by your phone.
While not perfect, it's vastly better than using SMS, without being less convenient.
I don't know if other places leverage the fact that SIMs are smart cards which are perfectly able to perform this kind of stuff given the proper infrastructure.
If you get a SIM replaced after providing proofs of identity, residence and biometrics, it gets activated after a few hours.
The kicker is that it won't get SMSes for 24 hours after the SIM is activated.
In the US, won't it be cheaper as well as secure to get a virtual phone number from Twilio for purposes of two factor authentication? (In India, there is no service at the rate what Twilio offers, but there are some which charge around $30-$40/month for virtual phone numbers with incoming SMSes)
The only difference is that you need to register your SIM with the service beforehand, using a reasonably secure process. Banks make you use their own MFA before you can enable Mobile ID (and no, it's never over SMS).
The word "secure" is not binary.
SMS as a 2FA is secure.
Just not as secure as an Authy TOTP account
...which is not as secure as an unclonable TOTP system
...which is not as secure as a hardware token based otp system
...which is not as secure as a hardware token that also requires you enter a pin and a fingerprint to activate it and only communicates using hard coded encrypted messages with the legit service that issued it.
Always buy two. ;-)
Joking aside, I've moved almost every 2FA to hard token, soft-token, or google voice. But the root of trust is still LastPass & Google. I don't see an easy way out of dependency other than power of attorney. Even worse: I worry what happens to my protected assets as I age and possibly face memory loss.
I got bitten in a bad way!
Hopefully twilio will start creating "recognized" numbers someday, as my twilio number is unusable for TOTP. There seems to be a blacklist of all twilio voip numbers.
No place you store your backup can guarantee it won't be lost or destroyed.
Google's enhanced protection requires you to have 2 distinct Yubikeys to sign up
Your website is outsourcing security to any company which can service a cell phone account, which may be better than your website security or worse.
The question is "Is SMS 2FA secure?", not "Is SMS 2FA-secure?" There is no such property as 2FA-secure.
Title should read: "SMS 2FA is not secure".