Vitalik Buterin reveals X account hack was caused by SIM-swap attack (cointelegraph.com)
214 points by RadixDLT 8 months ago | hide | past | favorite | 177 comments



Every time I hear about yet another SIM swapping attack, I feel confirmed in my decision to use Google Voice for SMS-2FA as much as possible (only for services that don't support an actually secure method, of course).

Except for one certain bank that won't even accept my "real [cell] phone number" for identity verification purposes, because "it's not verifiable" (probably because it's not with the big three cell providers).

The state of "two-factor authentication" (a.k.a. something you're phished for and something you're social-engineered out of) and "identity verification" (a.k.a. "have a $80/month phone plan with these three companies or get lost") in this country makes me really sad.


On their tech support page [1], Google Fi is said to be resistant/immune to SIM swap attacks because the attacker needs physical access to your device and Google account. Yet earlier this year [2], the Google Fi hack was said to have exposed Fi users to SIM swapping. Can anyone shed light on how this can happen without someone having your phone?

[1]: https://support.google.com/fi/answer/9834243?hl=en

[2]: https://www.reddit.com/r/cybersecurity/comments/10rqtt2/goog...


> Can anyone shed light on how this can happen without someone having your phone?

I do not know specific details of this particular incident, but I would like to emphasize the fact that Google Fi, at least in the US, is a virtual network on top of T-Mobile's physical one. There is some extra level of security via obscurity that makes simple social engineering attacks harder, but fundamentally it is still T-Mobile underneath.


Think of it. You lost your phone and went to a store, and a store employee (or CS over the phone) is able to issue you a SIM. Now the same employee takes a bribe and gives it to the hackers, who use it to steal your funds.


Implementation flaws like that are always possible, but my concern is that in so many cases, SIM swaps are ridiculously easy by design (or more accurately, by absence) of the phone provider's security procedures.


Issue is that the FCC mandates a port out within 4 hours, and stores don't make $$ while doing these, so their goal is to get you out of the door ASAP so they can focus on the revenue. So that's why, plus the bribe factor.


Could you explain this? 4 hours starting from when? What checks does the FCC demand/allow?


It's pretty wild how baked into modern life insecure 2FA is. Especially with the prevalence of SIM swapping. I more or less model most auth as trivially insecure at this point.

You think about someone like Vitalik of all people, if he can't keep his account secure...average person has their work cut out for them.

Private key auth systems have security challenges of their own (losing access forever when you lose your key) but I wish they were an option in place of the current regime.

In the 90s you could bypass security locally on a machine by clicking cancel and it would just log you in. Feels like today it's only slightly more complicated and costs a bit of money to access Twitter, email, bank accounts etc.

Seemingly little to no interest in resolving this state of affairs beyond obscure and increasingly less legal crypto based systems.


That’s what happens when we designate phone providers as the single point of identity verification without creating any incentives for them to actually fulfill that role.

One of my banks basically only accepts what they call “phone number verification” to clear a false fraud alert on my cards (or generally talk to them about anything regarding my account).

What that means is (at least I’m fairly sure) that the agent on the phone will ask me for any phone number, they ask the carrier for the name on that line and compare it with mine, and if it’s a match, they send an OTP to that number.

This is even worse than SMS-OTP, since a fraudster doesn’t even need to change my number on file with my bank – opening a phone line in my name with any of the big three carriers is enough!


> It's pretty wild how baked into modern life insecure 2FA is.

And a solution to this is very simple. Make telcos legally liable for losses due to SIM-swap attacks, and before the ink is dry on such a law, telcos will ban using phone numbers for authentication in their TOS. The banks and the like will be forced to come up with another, hopefully better, auth system.


Not sure why you're being downvoted; I think this is a pretty reasonable idea.

Of course, there's zero chance of this happening in the US, given telcos would lobby heavily against it. But as a thought experiment, I think that's exactly what should happen: telcos should be held liable for their piss-poor security practices against SIM swapping.

And you never know what's going to come up from EU from a regulatory perspective.


I didn't downvote GP and I agree with both of you, but I think a reason for downvotes could be that it's quite authoritarian.


Security comes with cost and inconvenience. Like, would you pay $50 every time you have to swap a SIM?


If it was used as prepayment for services, this is not a half-bad idea. But for targeted attacks on people like Vitalik, that's well within budget.


Sure, how frequently do you swap?


His... Twitter account.

Not his private wallet.


NIST recommends against email or VoIP "phones" for the second factor, because then it's not what you know and what you have, but just two things you know, so no 2FA. As far as I understand, it does not recommend against SIM-based 2FA anymore, though considers it RESTRICTED.

"Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication."

(5.1.3.1 of SP 800-63B https://pages.nist.gov/800-63-3/sp800-63b.html)

"Currently, authenticators leveraging the public switched telephone network, including phone- and Short Message Service (SMS)-based one-time passwords (OTPs) are restricted. Other authenticator types may be added as additional threats emerge. Note that, among other requirements, even when using phone- and SMS-based OTPs, the agency also has to verify that the OTP is being directed to a phone and not an IP address, such as with VoIP, as these accounts are not typically protected with multi-factor authentication."

"NIST SP 800-63B does not allow the use of email as a channel for single or multi-factor authentication processes."

(A-B01 and A-B11 in the FAQ https://pages.nist.gov/800-63-FAQ/)


> Note that, among other requirements, even when using phone- and SMS-based OTPs, the agency also has to verify that the OTP is being directed to a phone and not an IP address, such as with VoIP, as these accounts are not typically protected with multi-factor authentication.

Unbelievable. My email address is protected with multi-factor authentication (and given the popularity of Gmail, I'd wager that this isn't all that uncommon!); my main phone line isn't.


Interesting... I primarily use a virtual phone number because I don't want to give out my real phone number though; it's easier to cancel and replace a virtual one. (Although maybe not - at this point it's tied to so many services I would probably lose access to something permanently if I canceled it...)


NIST has been wrong previously.


Oh boy, the elliptic curve pseudorandom number generator debacle.


Be careful, I trace cryptocurrency for scam and hack victims and have personally seen GV transfers used in attacks.

The lack of a physical SIM does not give more safety. "SIM Swap" means "convincing a system or human to transfer a phone number." A GV number is just as easy to transfer as any other phone number.


I’d call that a number porting attack. A SIM swap to me is convincing the current provider to provision a new SIM for an existing line, which the attacker can then use to receive texts addressed to the victim.

Porting attacks are definitely possible against Google Voice, but these require confirming the port in the target account first, no?

And the Google Voice equivalent to a SIM swap would just be a compromise of the Google account itself. Definitely not impossible, and I know I’m tying my availability to a company not exactly known for being the best custodian for that – but I’ll take my chances with them over any phone provider.


Google will not share how threat actors are pulling it off but it definitely is happening. (see the Terpin v. AT&T lawsuit for why they might not be disclosing the vector)

There are "fingerprint" cookie marketplaces that sell tokens from malware-compromised computers and allow you to make HTTP requests from a victim's connection, this could be one approach. There are also scammer call centers that will call unsuspecting people pretending to be Google, Coinbase, AT&T, or whomever, and have them click buttons in user interfaces.

I've seen entire Google accounts deleted with no recourse due to this "suspicious activity" that victims had no control over. Computer says no, and it's near-impossible to get in touch with a human at Google.

(I agree with you on terminology but media reports tend to group number porting attacks in with "SIM swaps")


Is there a reason that would-be hackers are not preempted by requiring a specific device, PINs, etc. with no kill-switch or social engineering available (like, you lose your credentials, there's nothing we can do, it's gone)? It sometimes feels like the system is deliberately designed so certain "legitimate" actors have a backdoor into any given system...


The only time where Google's absolute lack of customer service for end users might pay off


True – can't social-engineer a person if there's no person!



> A GV number is just as easy to transfer as any other phone number.

There is nobody to social engineer (it's Google, they hate customer service) and the system rejects all port-out requests until you unlock the number by paying a few dollars which requires breaking into the Google Account to begin with. It is absolutely not the same as compromising an employee of a carrier.

To be clear, I'm describing Google Voice, which is purely a VOIP service, not Google Fi, which is an MVNO.


> Except for one certain bank that won't even accept my "real [cell] phone number" for identity verification purposes, because "it's not verifiable" (probably because it's not with the big three cell providers).

It’s common for organisations to blacklist VOIP-based numbers for 2FA. There’s more discussion about this, including some solutions, here:

https://news.ycombinator.com/item?id=36909505


Yes, a horrible antipattern that's spreading rapidly.

I really hope that security researchers will demonstrate that trusting phone providers as the gatekeepers of modern digital identity is a bad idea – otherwise, fraudsters (and consumer frustration, in case of getting locked out arbitrarily) will.

My phone provider recently switched to SMS-OTP as a mandatory (and so far their only) 2FA method, including for SIM replacements. I guess I'm just supposed to start my life over on a new number if I ever lose my SIM card...?


I try to avoid giving my cell number, precisely because it’s not secure, but also because it changes or I travel, and then I’m locked out of my own account.


It's not a real vacation if you don't get locked out of at least one bank account or credit card for the crime of accessing your balance from a foreign IP, with no way to recover :)


> It's not a real vacation if you don't get locked out of at least one bank account or credit card for the crime of accessing your balance from a foreign IP, with no way to recover :)

Laughs in Bitcoin

Also, a Charles Schwab Investment checking account, for the uninitiated, saves me from this issue; being NFC enabled now ensures my card will never get eaten in a random ATM.


Works great for my buy-and-hold portfolio.


Same, but it works decidedly less than great for buying train or flight tickets while already abroad and on a travel SIM.


As someone who has been moving countries, and subsequently changing phone numbers, every couple of years, SMS 2FA is such a pain.

It's hard to recall all services that have your phone number for migrating them, and even if you do, many won't accept a foreign number.

I've resorted to holding on to my old phone numbers by transferring them to prepaid SIMs.


Be careful with this: if you don't use the prepaid SIM for too long, it'll get cancelled and you will lose access to all these accounts.


I've lost access to my near-twenty-year-old Google account this way.

I have the username, password and recovery email, but because I can't receive an SMS, I'm dead.


That’s horrific. My wife lost her Instagram account the same way. Really ruined part of our vacation in Paris. Looking back on it though, maybe that was worth it.


> probably because it's not with the big three cell providers

More likely because it's a VOIP number, which is easy to verify (Twilio's Lookup API will expose this info, and I'm sure there are other lower-level techniques).


My bank disallowed me from using my Google Voice number. They said it was to reduce impersonation. But I said this now makes me vulnerable to SIM swapping attacks, and they had no response.


Which bank?


Wells Fargo is one. You cannot unlock a card suspended for suspicious activity with the app. You must call the automated line and listen to the 5 most recent transactions. You can confirm you made them or deny you made them. If you deny, the card is immediately revoked, and a new card is issued. If you confirm, the suspension on your card is immediately removed.

Maybe they don't let you unlock on the app in case someone is in possession of your device? Via the automated line, you have to provide identifying information that someone with the device might not know. Just trying to find some logic.


> Just trying to find some logic

My suggestion as somebody working in an adjacent industry, to protect your own sanity, is to not attempt that.


When I read that once they got into the account all the attacker did was post a link to a crypto giveaway scam, I briefly wondered why someone who managed to get into an account like this wouldn’t try to pivot it into something more sophisticated. Then in the next sentence we learn they made $700k off of the scam!

I’ve seen these giveaway scams on hacked popular Twitter accounts for years, I’m surprised they’re still so effective. No need for an attacker to risk making $0 on a more involved attack when they can get easy cash like that, I guess.


Using the account of probably one of the few trustworthy people in crypto probably helps.


Ironically, every SIM card is a cryptographic secure element, and it would've been ideal to do public key login.

If you plug a SIM card into a desktop, you can actually do signing with it, and TLS authentication.

I recall only the Nokia S60 series and the A200 had a SIM card API exposed to apps. iOS does not give you access to the SIM; Android does only for system apps.


Giving apps access to the SIM is a privacy leak. Every app would use it to get a unique user identifier and track you between apps.


My Redmi has a SIM card toolkit app; I've never used it. Reading this, I am now more suspicious of it.

Before you all warn me: I know it is the worst possible brand to own. I am getting spied on by all the regulars that come with Android (Google / US agencies), but I also get the added bonus of China spying on the device. But I was broke.


The API could return different identifiers per app


While it's also signing things for you? That seems rather hard to implement.


It's what FIDO/U2F does, right?


That’s meaningless if you can also use it to compute a signature. Just use the signature of a constant string as the id.


Android could append the unique app identifier (i.e. "com.myapp") to the end of any data to be signed. Then the user can't be tracked between apps. But it also prevents you from using 'SIM sign in' to sign in to the same service from a web browser and an app, for example.


> Android could append the unique app identifier (i.e. "com.myapp") to the end of any data to be signed. Then the user can't be tracked between apps. But it also prevents you from using 'SIM sign in' to sign in to the same service from a web browser and an app, for example.

I doubt that: simply add two "SIM identities" (which on the mobile phone map to the same SIM card) to the account of the respective service.


> Using the account of probably one of the few trustworthy people in crypto probably helps.

The fact that some person is trustworthy by his personality traits does not imply that he does have the (also technological) skills not to become scammed or impersonated.


Back in 2020, some teenage kid got access to "God mode" on Twitter and burned it on a crypto scam too.

Easy money seems to be a pretty common goal.

https://fortune.com/2020/07/16/hackers-blew-twitter-god-mode...


They were probably time limited. No long games. Smash and grab.


I could easily imagine the scam had 30 victims, with 29 of them losing $10 and the remaining one losing $700k.


If there is a sophisticated attack pivot that is as profitable, quick, proven and safe, I don't think anybody knows what it is.


We’re talking about people who still willingly use Twitter and pay for blue check marks here…


$700k? I see that human idiocy is a large untapped source of wealth...


The crypto "degens" are pretty much the perfect cohort for pulling these kinds of scams on. They're driven by fast money, unearned profit, and the premise of investment despite all rational signals pointing to it being a bad idea. It's a Condensation of Rubes.


And all those people had crypto wallets ready to go. Go figure.


Given Vitalik's following this was a squandered opportunity. Just a little bit more effort could have netted many millions of dollars.


Crypto bros are self-selecting for scams. If your world view has been degraded to see zero trust as a solution rather than a dystopian end state, meaning you've lost all trust in society, you're highly vulnerable to being conned by the authority figures you secretly crave to trust.

It’s much of what Elon, Trump and other populists actively foster and exploit in their fan base through relentless conspiracy theories and undermining of trust into anyone who isn’t them.

There’s a paradox here - the more people have their trust violated, the more distrustful they get, the easier they get scam as the overhead of approaching every transaction / interact in life with an adversarial mindset exhausts critical capacity and drives people into desperate savior fantasies - technological miracles, charlatans. snakeoil, the twentieths coin or pump and dump.

Zero trust (non security version - the inability to extend trust) is a miserable desperate state to be in as a human being and makes people highly vulnerable to getting taken advantage of and crypto signaling on social media either identifies you as a scammer or as a mark. You still believe technology can solve societies trust dilemma, you are asking for it at this point.

And the longer the scamming goes on, the stronger the signal of this self identifying audience becomes. It’s like responding to Nigerian prince emails at this point.

Go to Reddit, look at the safemoon subreddit. It's... wild how many times you can rip off some people and have them get more militant in their belief that they are smart.

As a footnote, more and more tech companies explore this to prop up shrinking profit margins. By selling previously valuable trust marks such as the top result on google (there was a time you could trust this) or flat out verification marks that previously were meant to foster Trust and Safety for money, erosion of trust becomes a profitable feature. It’s good for platforms when users cannot tell placed / bought placement and fake news from actual valuable content.

It’s just terminal for society - each time someone is scammed, has their trust betrayed, they slide a little bit closer into that state that is so exploitable by populists.


Please don't take HN threads on generic flamewar tangents. It makes discussion more predictable and eventually more nasty.

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

https://news.ycombinator.com/newsguidelines.html


You'd be surprised at the typical profile of a crypto scam victim. I trace cryptocurrency professionally and try to help as many victims as possible. Most that I meet are far from the "crypto bro" archetype. Often they are people who trust others easily, are not very tech-savvy, and believe what a website tells them without second guessing.


Yup, I think your definition of crypto bro is wrong: that's exactly who they are in their vast majority, people who once read the opinion that the "federal reserve is never federal nor a reserve" and believe it and start clicking on bullshit links. It's in the very name of it, and they can still believe the first guy telling them, with no proof nor demonstration, that it's not.

Trusting the first website they read is exactly the defining trait of crypto bros. Normal people just use experience to guide their decision, like say, do like their parents and stick to a bank account.


> in their belief they are smart

Nice. A happy user of Reddit, the platform whose CEO edits messages of his opponents to win an argument, that shadow bans users for mentioning specific words ("Soros" is one, BTW), that automatically sends wrong-think posts to spam... would tell us about the dystopian future Musk is leading us into. What kind of trust do you have in mind, like the one built in Soviet times by Pravda and Moskovskiy Komsomolets?


If you believe there is signal value in having consumed reddit content - or see a Soros conspiracy behind every criticism of certain idols, I have some crypto coins to sell you too.

Speaking of Soviet Russia - the FSB has fascinating manuals on exactly this topic, how to break down people’s ability to trust systematically to make them vulnerable to ideological hijacking via authority figures and contrarian messages. Highly recommended reading.

As we say in German, "getroffene Hunde bellen".


> Highly recommended reading.

If one were interested in finding these to read where or how might they be found?


Google is surprisingly shit today, actively pushing current events over historic ones despite search filters (weirdly reminiscent of LLM attention issues and biases to recency).

I’ll see if I can find the primary ones, they are from the archives after the Soviet collapse.

Secondary reading:

Adrian Chen, "The Agency," New York Times Magazine, June 2, 2015, and Peter Pomerantsev and Michael Weiss, The Menace of Unreality: How the Kremlin Weaponizes Information, Culture and Money, New York: Institute of Modern Russia and The Interpreter, 2014.

https://tnsr.org/2022/09/whats-old-is-new-again-cold-war-les...

https://css.ethz.ch/content/dam/ethz/special-interest/gess/c...


> or see a Soros conspiracy behind every criticism of certain idols

Idols, Soros conspiracy... And you accuse others of being stupid. A simple idea: shady practices on the part of a platform are not OK if what you want, as you say, is trust.

> I have some crypto coins to sell you too.

I'm sure you have. You were left holding the bag in the subreddit you've mentioned.

> the FSB has fascinating manuals on exactly this topic. Highly recommended reading.

Right, they've sent you a copy. You and your government, the idiots who can be seen laughing [1][2] when told they should not depend on Russian energy. "I don't really understand what he means by that ha-ha-ha", tells your genius defense minister.

[1]: https://www.youtube.com/watch?v=FfJv9QYrlwg

[2]: https://www.youtube.com/watch?v=0CvQmWoog18


Pretty sure 95%+ of crypto “investors” are in it for get-rich-quick, rather than some sort of “zero trust” ideology.


The healthier attitude to trust issues in crypto (and society at large too), is to find mechanisms (cryptographic, game theory, economic, legal) to manage and constrain the trust assumptions that are made. You can't eliminate trust, and you probably shouldn't try. But you should figure out ways to put good seatbelts and airbags on that trust so that when you do use trust as a social lubricant (it is very good at that), the damage from when it goes wrong is constrained.


Quote of the day - If your world view has been degraded to see zero trust as a solution rather than a dystopian end state, meaning you’ve lost all trust in society, you’re highly vulnerable to be conned by the authority figures you secretly crave to trust.

Very well said.


$700k in NFTs I recall. Isn't that more like $70?


Downvote all you like. NFTs have no real liquidity (or usecase), the 'price' is just wash trading.


You may or may not be right (I don't know enough about cryptocurrencies to know), but I think people don't like your snark. Some people lost a lot of money - they are victims of a scam. Now how much the attacker will actually earn from this is another matter, but your original post was not a very welcoming start of a discussion.


Big ticket NFTs are worth a lot of money and highly liquid. Also drainers will siphon eth and erc20 tokens as well.


Twitter has had support for proper TOTP based 2FA ever since Jack Dorsey got SIM Swapped in 2019[1]. This was also the time when they added support for hardware tokens like Yubikeys. Of course, one needs to enable it.

[1]: https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-...


Just having a phone number added to Twitter means your account is at risk of being taken over with a SIM swap. This was not 2FA related, AFAICT. Twitter also requires you to add a phone number; even on old accounts you can get locked out unless you add one.


I've got an account from 2009 and have never had to enter my phone number (if I ever get asked, that'll be the time when I stop using it).


Nowadays if you create a new account it'll get briefly banned while they do additional checks to ensure you're human, which is fixed by giving a phone number. I'd almost appreciate them just asking for one on signup rather than the charade.


That's not always the case. Sometimes it asked me for a phone number, but most of the time not when not using a VPN or something similar. But last year I managed to create two Twitter accounts with the Tor browser and some sketchy email address and never got asked for a number, just had to do some captcha after a few minutes.


I created a few twitter accounts this year for various reasons and all of them had the same number requirement after around 24 hours!


The various Meta properties do this too, except instead of phone numbers they require government ID and headshots. It’s all a scummy dark pattern relying on the sunk cost fallacy.


I've used Twitter from 2013 to 2021, and have eventually been locked out by Twitter requesting a phone number with no way to work around it.


It'll be a shame if that happens to my account, as I lurk on Twitter every day (but never tweet or like), but I value privacy of my phone number more than I value the enjoyment I get from it.


That's when I ended up using nitter. Before stopping altogether when Elmo broke it.


Doesn't Twitter force you to add a phone number now?


As far as I remember they only use it for spam protection (i.e. the phone number serves as a moderate-level "proof of humanity"), but not for 2FA purposes (unless you pay for their premium service).


Yes and they plan to require ID verification next, losing privacy-conscious users is clearly not a big issue for Musk.


The big problem is that apparently, if you have a phone number linked to your account, it can be used to reset your password even with TOTP 2FA enabled, which, to me, is bonkers: https://twitter.com/TimBeiko/status/1700659107764785336

Twitter was requiring phone numbers for a while for account verification and I had mine attached from pre-history, but have obviously removed it after people have been pointing this out as an attack vector.


I'm a bit paranoid about 2FA ever since my charging port got damaged and I literally couldn't charge my phone to get to authentication.

Scary stuff, had to give sooo much personal information over the course of months to recover a single account.

Not sure of a solution; maybe have a Wi-Fi-only phone that I only turn on for auth?


Every competent TOTP implementation has backup codes. Use one of your backup codes when your phone breaks.

You did write them down like the site told you to, right?

Even if a site doesn't offer backup codes, you can extract the TOTP secret from the QR code, or most authenticator apps, quite easily, and then write it down.

It's more secure to only save the backup codes though since they have a limited number of uses, while the TOTP secret has unlimited uses.


I know you said competent, so this doesn't apply to the service I used yesterday, but it blew my mind. I lost access to TOTP for a service, but no big deal, I'm a good person who kept the backup codes. The codes are all 4 digits and the service wants a 6 digit code!

Luckily it is some lame work account that someone else can unlock to get me back in. I couldn't believe that the backup codes provided are now obsolete!


Damn, you're lucky it's not something important. Especially with accounts for things like Google or Facebook/Instagram where they boast about not having any human support and you are totally shit-out-of-luck if you can't get in.


Except Google. Google backup codes are near useless because a Google backup code will let you log in, but won't allow you to disable 2 factor or add a new 2 factor device - meaning if you ever lose a 2 factor device and have to use a backup code, there is no way to recover your account.


Really? I'd imagine you'd need two codes (one for the login, one for access to your 2FA settings), but not being able to recover at all using them seems horrible!


It just gives some error like "this login method is not allowed for this action" or similar.


Interesting. I can't confirm, though: I personally changed my 2FA device 2 weeks ago using a backup code. I couldn't find the old YubiKey that I used as 2FA for Google, decided to regain access with a backup code and add my new YubiKey, and it worked flawlessly. It probably helped that I used the same machine as always. Google does a lot of undocumented heuristics in the background, and you either get additional verification or not.


Yes, same machine helped, it's definitely one of the factors it uses.

I have a near-20-year Google account I can't access because I lost the 2FA number. I have the username, password and recovery email. But that isn't enough, apparently.


This is why it's good to also enroll a hardware key or two if the site/service offers the option. One could, for example, have a "rescue" YubiKey stuck away in their closet that could be added. MacBooks with Touch ID can also work if you have one of those handy — some sites allow enrolling it via Safari, and IIRC Chrome and its myriad clones present Touch ID as a generic key that can be enrolled anywhere WebAuthn is supported.

For extra assurance get a hardware key that supports NFC so it can be used with your phone (and some laptops) even if it can’t be plugged in for some reason.

Multi-pronged 2FA also enables things like being able to remove a key from your account without issue if for example one turns up missing while traveling.


You can enroll multiple devices using the same TOTP QR code, just scan it more than once. They will generate the same code sequence and the site won’t know the difference.

You can even save the QR code and enroll a new device later if you want.


> You can enroll multiple devices using the same

You could even save it in an application like KeePassXC. Then you turn on the TOTP mode and presto, you have another TOTP device.


Bitwarden has TOTP built in as well. Apple has it built into their platform, but it's tougher to use and only works with Chrome if you use Windows too...


QR code TOTP, and print the QR code out and store it in a safe/offline.

That way you can easily re-add the 2FA token to a replacement device.


Authy solves this by putting all the TOTP keys behind a master password and then backing it up online, so you can get up and running on a different device quickly. It's the same trade-off as a password manager, where your eggs are all in one basket but hopefully it's a secure basket.


Have a paper backup of the codes?


And carry it with you at all times, of course.


All those proponents of 'proper security with a strict 2FA' have never been out of the country, mugged, in an accident or in any combination of these.

Hell, if I just lose my wallet and would be forced to reissue the IDs and SIM (retaining the number!) it would take weeks to be back 'online'.


It is good to know that hardware wallets such as Trezor and Ledger support 2FA protocols, so if you have one there is no need to use another device.


If you're actually using them for their intended use (storing your crypto), the less you connect them to your computer, the better. Check them 2-4x a year to make sure they're updated, but I wouldn't want to carry my cold storage device on my keychain like I do my YubiKey.


I thought T-Mobile significantly cracked down on SIM-swapping internally so this couldn't happen again?

I know there's still no patch for human stupidity, but I really am concerned that T-Mobile still apparently seems to be the carrier of choice for easy SIM-swap attacks.


SIM swapping is one thing, but the actual service (X in this case) allowing access to the account via access to the phone number, even without SMS 2FA enabled, is the real problem.


Idk, I mean there’s a real trade-off to making the app more secure. The causes of insecurity are largely user behavior, and the insecure things are things users want to do for practical reasons.

For example, I have a foolproof way of preventing SIM swap attacks: require 256 bits of entropy and never allow a password reset, like in crypto. Lose your password? Account is gone forever.

This is more secure but less user friendly. Except for large accounts, I don’t know that anyone even particularly cares if their Twitter gets hacked. You could pretty easily make the argument that preventing SIM swap attacks is an optimization for high profile users at the expense of everyone else.


A few years ago, my phone completely died. I walked into a store with it and my new phone, and got them to port the number to a new SIM without providing any information like the account PIN which I had set but didn't remember. It's good customer service, and even if they're supposed to check a bunch of info, that's still just a bit of social engineering to get around. The only solution is to not allow those lower level employees to do anything, which will cause complaints.


_Many_ complaints. People have to realize that people working in tech who can tolerate 2FA jumps are a small minority of the general population. Not to mention, the scenario of "person losing their 2FA device" will happen thousands of times more frequently across 300+ million people than the one person a month in a corporate environment.


> I thought T-Mobile significantly cracked down on SIM-swapping internally

They've cracked down so hard that the only way to do SIM swaps is to talk to a human who can be (and still routinely is) socially engineered. Self-service changes have been blocked for over a year "to enhance security".


Tinfoil hat in me says that T-Mobile has a real bad problem with their internal tooling allowing low level employees access that facilitates these sorts of attacks. They claim social engineering because that allows them to blame a specific employee being "tricked" rather than a more widespread issue.

This type of stuff is why I canceled my account with them. It just keeps happening.


> T-Mobile has a real bad problem with their internal tooling

Oh, yes. 100%. I remember, about 10 or so years ago, people selling guides on how to get access to WATSON (one of the dealer systems that let you provision accounts, etc.) by basically abusing a common username/password convention and making guesses based on the Store Lookup tool. IIRC it only let you set up new accounts (e.g., take a stack of blank SIMs and just make infinite lines) but it was still just an absolute WTF that it was... somehow a thing.


Ironically, SMS 2FA is less safe than just using a password.


I think the real issue is phone based account recovery rather than 2FA. It effectively turns 2FA into 1FA.


That's what really bothers me, especially when very complex passwords are already enforced, it's like cargo cult security.


I'm ready for this future.

Heck, I don't even like that email can be used to recover basically every account.

Someone gets your computer unlocked? They have access to email and everything.


That's not true. SMS 2FA may be the weakest form of 2FA, but it cannot be weaker than just using a password, because you always also need the password.

As someone else pointed out, SMS based account recovery is the culprit.


Going strictly by the definition that's correct, but if you take a look at the number of services that allow you to reset your password using only an SMS-OTP you'll quickly realize that reality doesn't live up to that ideal.

I mean, at least SMS-OTPs are one-time use, i.e. they don't facilitate a compromise if done correctly, but the "done correctly" part here is once again very load-bearing.


He did not use phone/SMS as his 2FA it seems, because he knew it's insecure, per his tweet. But nevertheless Twitter requires a phone number for verified accounts and that phone number can be used to reset the Twitter account password. There is nothing the user can do. Since these incompetent telecom employees get social engineered again and again, it's simply bad practice to have anything phone number related for security. Twitter and other companies need to change this, it's not safe.


> But nevertheless Twitter requires a phone number for verified accounts and that phone number can be used to reset the Twitter account password.

Sure, but that is not 2FA. It's 1FA. They could have used e-mail as the recovery mechanism to send a password reset link, then it still would have been SMS 2FA if they then required the SMS factor upon authentication and it would have been secure. This wasn't a problem of SMS 2FA, it was a problem of SMS based account recovery.


Not to worry, great companies like Google harass you to set a recovery phone number /s

No seriously, it is aggravating how much SMS account recovery is a thing. Google even displays banners of "You are missing recovery information" because you set a recovery email but not a recovery phone.


Recovery phone numbers are much more useful for user tracking than emails though.


"SMS 2FA" makes bank account balances strictly less secure. The main thing you need to do to keep your bank balance secure is verify your transactions every statement period. Increasing login friction discourages the checking of transactions.


How does SMS 2FA make bank account balances (what do you even mean by that?) strictly less secure than having password 1FA? In both cases the attacker needs the password (or the client cert, whatever the other factor is), but only in the SMS 2FA case the attacker has to perform SIM swapping.


After the first sentence, there were two more sentences explaining that. "Bank balance" meaning the money in your bank account, as opposed to information about your transactions. I did forget to include that my comment was US-centric.


Sorry, I still don't follow. With SMS 2FA the attacker needs strictly more information as compared to just a password. It doesn't matter if you log into your bank account or twitter.

Did you mean a TAN for protecting individual transactions? I file this under authorization instead of authentication. But even then an SMS TAN is better than no TAN. I cannot see a scenario where adding SMS authentication makes things less secure.


You're focusing on an imagined attacker performing a single type of attack, and losing sight of more significant avenues for damage. When talking about the possibility of losing money, the main thing you need to do is check your account transactions within 30 days of being issued a statement. This is required so that you can report unauthorized transactions in a timely manner, so that they can be reversed. Transaction authentication essentially doesn't matter, especially in the consumer market - remember banks are still happily chugging along printing a withdrawal key on the front of every check. Any impediment to verifying your transactions in a timely manner, including for example discontinuing OFX Direct Connect access in the name of "2FA", increases the chance that you might miss the dispute period and actually lose money.


Ah, now I get it, thanks for clarifying.

Well, this could be solved by sending a notification on all transactions. I already get these for my credit card account (I wish they did this on my checking account, too). When paying with Google Pay, I even get three notifications. This was very useful once, when I woke up to a $50 transaction to the Xbox store that I supposedly did while sleeping without even owning an Xbox.


Pragmatically you might be able to find a setting for your bank that lets it notify you of transactions over $X, and then set X to $0.01 or $1.00.

Abstractly my larger point is that security isn't a monolithic scalar but rather depends on the threat model and what is being secured. Far too often large entities push out features in the name of "security", but what they really mean is their own security at the expense of yours (e.g. the TSA). A lot of these pushes (e.g. SMS 2FA) are like that, especially when made mandatory rather than consensual.


I've been using a free Google Voice phone number if I need to give out a phone number for verification, and I hope it mitigates the possibility of SIM-swapping. Also I have another burner phone number using Hushed on my phone. Does anyone know if there's a vulnerability in using these burner numbers?


I'd say that depends entirely on the security of whatever "burner phone" (these are just a different marketing term for texting-capable VoIP lines, right?) service you use.

Depending on how careful they are about account login and recovery as well as port-out procedures, it can be much more or less secure than a "real" mobile line.


> Tim Beiko strongly recommended removing phone numbers from X

I haven't checked, but is it possible to unlink a phone number from X? I always thought it was some anti-spam measure to have a number tied to an account.


I’m curious about the conversation that happened between the attackers/scammers and T-Mobile.

Was it just a single call to social engineer support? Or did they call multiple times until they found an agent susceptible to their deception?

Personally, I have gotten rid of using SMS as a 2FA method for most services. However, my most critical services (banking) still use SMS as the only option.


Doesn't Xitter require you to have a paid account to use SMS authentication?

So one way to secure your account is to refuse to pay for Blue.


"A phone number is sufficient to password reset a Twitter account even if not used as 2FA"

This sucks because Twitter will sometimes force you to link a phone number to the account if it doesn't like your VPN or whatever


> "A phone number is sufficient to password reset a Twitter account even if not used as 2FA"

In other words, they don't have a 2FA system. They have a 1FA system, and the only factor is your phone number.

This is a weird choice, since people are much more likely to know your phone number than they are to know your password.


If you have 2FA enabled, they can deny you access to your account, but they can't actually access it either (unless they also compromise your 2FA of course). That is, they can reset and change your password with only a phone number, but will still require a 2FA token to actually access the account.


I just tried it on my own account. It asks for the account's username, phone number, email and then sends an email to the email address. Perhaps he didn't add an email address to his Twitter account?


I also experimented a bit. I was able to reset my own password only with phone access when 2FA was not enabled: in the reset password flow, I started with my phone number, was then asked for my username and email, and then I was presented with an option to send the reset code either to my email or to my phone number.

But, I then enabled 2FA (with an authentication app), and now when I try the flow again, I get to the screen for sending the reset code and I only have the email option left (but the screen still shows up as an extra step).

So, it's possible that when you have 2FA enabled you can no longer do it. Or, it's possible I've triggered some internal rules by resetting my password twice in a short span of time (and enabling 2FA as well) and they've bumped me to some kind of "extra verification" flow that disabled phone-based password reset.


Cool, a wild vector appeared.


> Xitter

This is now what they call themselves?


Telcos are still careless in spite of the widespread nature of this attack.

What can be the solution for a SIM swap? Fingerprint (or iris scan) plus email OTP mandatory to get a SIM replaced?


This makes me feel really good that the Canada Revenue Agency and most banks in Canada use SMS for second factor auth!


The EBA (the European banking regulator in charge of specifying the technical details of the PSD2 regulation, which covers secure cardholder authentication, among other things) also stated a while ago that only SMS-OTP is a "true" factor; Email-OTP isn't.

Ironically, my email account is so much better protected than my mobile phone number.

I'm trying very hard to believe that the SMS lobby (i.e. mobile phone operators, which earn multiple cents per inbound SMS in Europe, as well as our friendly SMS verification providers adding their markup on that) didn't exert some pressure on the regulators here...


Insofar as one of the factors should be something the user knows, and one factor something the user has, that makes perfect sense. You know your password (or the master password to your password manager), and you have your phone with the SIM card. With email (or Authy), the second factor is also something you know, thus it's not 2F anymore.

Note that NIST also recommends against email as a factor in 2FA (A-B11 here: https://pages.nist.gov/800-63-FAQ/ ), and says that SMS OTP must be directed to a phone, not an IP address (such as with VoIP, see A-B01 in the same document).

"Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication." (5.1.3.1 of NIST SP 800-63B)


> you have your phone with the SIM card.

Yeah, or a fraudster that talked my provider into SIM-swapping it or porting out my number (quite possible, since many phone providers don't have 2FA themselves!), or malware on my Android phone with access to incoming SMS, or (although much less likely) an SS7 attacker...

A SIM is indeed a smart card theoretically capable of acting as a true "possession" factor (e.g. using EAP-AKA/EAP-SIM, although almost nobody uses that) – but calling it a possession factor for SMS-OTP is at least as much of a stretch as calling an email inbox a knowledge-only factor: Accessing my inbox requires a FIDO authenticator and password.

> Note that NIST also recommends against email as a factor in 2FA

I guess bad decisions and/or lobbying aren't limited to European regulators/legislators then.


What do you mean? I "have" access to my SMSes via my phone, and I "have" access to my email or my Authy also via my phone. If you get my phone, you can:

1. start password reset via email

2. confirm via SMS 2FA

So that makes this into 1FA not 2FA.

At least for TOTP secrets, I can store them securely, and attackers cannot convince a human support agent somewhere to hand them over.

If you want true 2FA, you need something like WebAuthn with hardware tokens where the private key is on the token, but then you need a recovery process, and that takes you right back to the lowest common denominator of SMS verification.


You need the SIM to receive SMS ("possession"), not just a password ("knowledge"). For email, you just need knowledge.


I disagree. To access my email, I need to do one of a few things:

1. Use a device I already have authenticated to access it (something I have)

2. Log in to my email again, going through Google authentication, which includes a proper 2FA system (password plus either YubiKey or TOTP auth code), and is protected by Google's relatively strong security.

3. Log into my domain registrar and change my DNS to point my email somewhere else. This is also protected by 2FA but is probably an easier vector to gain access to my email.

4. (hypothetically) Hack Google (either by hacking the password reset flow, or hacking their actual backends) and gain access to my email messages. This seems relatively difficult but I include it for completeness.

If I want to gain access to SMS sent to my phone, I need to do one of a few things:

1. Use a device that is already authenticated, my phone with its SIM (something I have)

2. Log into my T-Mobile account and order a new SIM

3. Contact T-Mobile support and convince them to SIM-swap or port-out my number

So I get where they are coming from, but IMO neither SMS nor email proves access to "something I have". Both have relatively easy recovery processes that allow someone who has _nothing at all_ to gain access to my messages. SMS just happens to be run by legacy companies that do not take security nearly as seriously as the average modern email provider. Outlook, Google, Proton, Fastmail, etc. all have better security than T-Mobile. They (and other major carriers) are famously bad at ensuring that they do not perform SIM swaps. Hackers buy access to low-level customer service credentials and offer swaps for $100 to $10000 USD depending on the target.

If you truly want to prove "something I have", then you need to go to a hardware token issued by a trusted vendor, potentially with a key baked into it. These were quite common in the past. TOTP and HOTP used on a hardware token predate their use on phones, and they are still issued for things like wire authorization by business banks, or even PayPal (I think). Or you could use WebAuthn or passkeys or whatever they are called now, binding the token to the TPM in your general computing device, or using a specialized security processor like a YubiKey or Ledger.

I understand why SMS might be accepted as a "lowest common denominator" second factor. It is certainly better than nothing at all. It just should not be seen as more secure than TOTP or email IMO.
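The comment above enumerates the ways into an email account and into a phone number, and several earlier comments make the related point that a reset channel which needs only the phone number turns 2FA into 1FA. That reasoning can be made mechanical: model every way of reaching an account as an AND/OR graph and compute its minimal cut sets; the size of the smallest cut set is the effective number of factors. The following is an added example and not code from any commenter. The two graphs are constructed toy models (an account whose password can be reset by phone alone, versus one whose reset goes through a mailbox protected by a hardware key); the asset names are illustrative.

```python
from itertools import product

# Constructed AND/OR model of how an account can be reached. Each asset maps to
# the alternative ways of obtaining it (OR); each alternative is the set of things
# that must all be controlled at once (AND). Assets with no entry are leaves, i.e.
# things an attacker must actually get hold of.
X_LIKE = {
    "account": [
        {"password", "totp_secret"},   # normal login: genuine two factors
        {"phone_number"},              # password reset via SMS alone
    ],
    "phone_number": [
        {"sim_card"},                  # physical possession of the SIM
        {"carrier_rep_convinced"},     # carrier support talked into a swap/port-out
    ],
}

HARDENED = {
    "account": [
        {"password", "totp_secret"},
        {"mailbox"},                   # password reset goes to e-mail instead
    ],
    "mailbox": [
        {"email_password", "hardware_key"},  # the mailbox itself is behind a hardware key
    ],
}


def _minimal(sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    uniq = set(sets)
    return [s for s in uniq if not any(other < s for other in uniq)]


def cut_sets(asset, graph, _trail=()):
    """All minimal leaf-sets whose control suffices to obtain `asset`."""
    if asset in _trail:                # cycle guard for hand-written graphs
        return []
    if asset not in graph:             # a leaf: you simply have to control it
        return [frozenset([asset])]
    out = []
    for alternative in graph[asset]:
        child_sets = [cut_sets(c, graph, _trail + (asset,)) for c in sorted(alternative)]
        if any(not cs for cs in child_sets):
            continue                   # an AND with an unobtainable child never succeeds
        for combo in product(*child_sets):
            out.append(frozenset().union(*combo))
    return _minimal(out)


def weakest_paths(asset, graph):
    """Size of the smallest cut set and every cut set of that size."""
    sets = cut_sets(asset, graph)
    k = min(len(s) for s in sets)
    return k, sorted(sorted(s) for s in sets if len(s) == k)


def factor_count(asset, graph):
    """Effective number of factors: how few independent things suffice to get in."""
    return weakest_paths(asset, graph)[0]


if __name__ == "__main__":
    for name, graph in (("X-like", X_LIKE), ("hardened", HARDENED)):
        k, paths = weakest_paths("account", graph)
        print(f"{name}: effectively {k}FA, weakest paths: {paths}")
```

Adding a recovery channel adds an OR branch, so it can only shrink the smallest cut set; that is why the login's two factors are irrelevant to the X-like model and the carrier's support desk becomes the single thing that matters.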


How exactly does a scam like this work? Access to someone's Twitter account only means that you can just post a link. People seem to have connected their wallet, but they still would need to sign a transaction after that. Did the users just auto-pilot click yes?

Tangential, I can't believe the name X is actually being used by journalists, it's even worse that I expected from a sentence readability standpoint.


𝕏 is just a front for a phishing scam in these cases. No money or cryptocurrency is transferred directly. Scammers get access to a popular account with many followers, and tweet something like this: https://static.news.bitcoin.com/wp-content/uploads/2023/09/v...

You don't need to get everyone in the cryptocurrency space to believe you, just a few people transferring funds from their wallet will make you rich.


And the "this is free for 24h" is just a red herring, to make it legitimate for people to speculate?

Still crazy that such a semi-anonymous scam got 700k, sounds like there's still a lot of money in crypto ready to gamble.


There have been free or very cheap NFTs in the past, and handing out free coins is the easiest way to get your cryptocurrency flowing.

I'm no criminal, but if I were, I would definitely target cryptocurrency enthusiasts. Many of them are the perfect target, having access to large sums of money, having the ability and willingness to transfer funds in a near untraceable way, and often looking for a get-rich-quick scheme like those cryptomultimillionaires.

Things like an NFT smart contract that would transfer all of your NFTs when trying to get rid of them, coupled with unpleasant pictures, coupled with cryptoclout, publicly accessible profiles, and no method to refuse a transaction, have produced some ingenious thefts that nobody would even think possible ten years ago. Millions of real world dollars have been spent on pictures of monkeys, and millions have been lost after someone stole those pictures.


Looking at that tweet, I can't tell if it's a scam or just your regular cryptard NFT pump post.


I think that's why it's such an effective scam, these types of posts are everywhere around cryptocurrency fanbases, but this time it came from a reputable person within the community.


You have to sign a transaction, but I _think_ the details of transactions can be obscure enough to not be clear what you're authorizing. Accidentally authorizing the transfer of tokens/NFTs, which are then drained.


I don't understand this SIM-swapping concept. Where I am from (an EU country), if you need to get a new SIM for your number, you have to physically go to your service provider's store with an official proof of identity (passport or identity card) and do the change. Upon changing, your previous SIM immediately loses service.


United States services are fundamentally broken in this way because there is literally no unified identification system for the United States. There are identity systems for most US states, but there are 50 of those and the requirements and features vary widely which makes it a nightmare to build on top of them.


In some more corrupt countries in EU, clerks can be bribed, unfortunately


I guess reputation can be valuable but I’d rather have my Twitter account compromised than my email or banking.


Does anyone here use Efani? They are a security-focused provider, and the only one that claims to have had zero SIM-swap attacks successfully executed against them. They are an MVNO.


Efani CEO here. There are 100s of reviews online. Yes, we've been able to defend against 100% of the SIM swap attacks so far.


I have probably said it 100 times: anything that relies on the GSM protocol for authentication is not secure. The protocol is fundamentally broken from a security perspective, but it’s still there because someone wants to keep these phone numbers as the weakest possible way to link your real identity with the digital ones.


Phone numbers. 99% Almost like ID.


Trust us with all your money!!!



