
If you own a lot of crypto and it's still protected by SMS auth, you need to disable that (edit: in favor of OTP). If you can't, you need to buy a dozen prepaid SIM cards and use them randomly. Or pay someone to do it for you. Very cheap in comparison to a theft.

Or maybe anyone that claims to be a security person worth their salt (on the companies doing 2FA) needs to sunset SMS 2FA and use OTP instead, at least.

True, and Coinbase appears to do that (I say "appears to" because I don't know what they would do if I actually tried to reset my password and cajoled them into using my phone number to do it).

Unfortunately, some orgs, and even more unfortunately, some banks, still require/force SMS MFA.

OTP is only marginally safer than SMS. Phishing is a far more common threat than SIM-swapping.

Wouldn't a dozen prepaid SIM cards mean 12 times as many things to defend? Also wouldn't anyone you paid to "do it for you" need to be trusted, undermining the no-trust principle of cryptocurrencies?

Yeah, it would require some thought. If you randomly rotated through the different SIMs it might help. I was thinking that someone else might be a good idea so that it would be harder for an attacker to figure out your number. I'm assuming that if you buy any phone service, prepaid or postpaid, someone would be able to find it on those people-search sites. But maybe all you really need is to have a number strictly dedicated to each value store, never used for communications.

> you need to disable that

Might need a bit more elaboration there. You want people to turn off 2FA?

In favor of offline OTP, I meant. Although there's a case to be made that having no MFA might be more secure than SMS MFA, if that can be used to recover access to your account (at which point it is no longer MFA, but just A).
