
Exactly. 8 character password in the 2010s as the only factor was fine. It was only my money we're talking about.

Now I have to wait for an SMS. Great...




SMS is fine in most countries. It’s just America is dumb and allows number transfers to anyone.


Nope, I read The Register (UK based) and they've had scandals from celebrities having their confidential SMS messages leaked; SMS spoofing; I think they even have SIM cloning going on every now and then in UK and some European countries. (since The Register is a tech site, my recollection is some carriers took technical measures to prevent these issues while quite a few didn't.)

I don't think it's a thing that happens that often in UK etc.; but, it doesn't happen that frequently in the US either. It's just a thing that can potentially happen.


UK has plenty of other problems to solve first with identity theft.


...where identity is proved by utility bills instead of government issued id


How else do you prove you live some place?

“I pay the bills there” is barely better than nothing, though. We do this in Canada too. It is what I used for a driver’s license one renewal.


SS7 is a global issue, and so is social engineering to get a number transferred or SIM card transferred.

https://hitcon.org/2015/CMT/download/day1-d-r0.pdf


It's also been a problem in Australia. Optus (2nd biggest telco) used to allow number porting or activating a SIM against an existing account with a bare minimum of detail, like a name, address and date of birth. If you had those details of a target you could clone their SIM and crack any SMS based MFA.


Is that allowed now still?


Apparently changed in 2022 to protect consumers.


I don’t know about other parts, but here in France SMS is a shitshow. I regularly fail to receive them even though I know I have good reception.

This happened the other day while I was on a conference call with perfect audio and video using my phone’s mobile data.

A few weeks back, had some shop which sends out an SMS to inform you the job’s done tell me this is usually hit and miss when I complained about not hearing from them.


Many single radio phones can either receive sms/calls, or transmit data. My relative owns such a device and cannot use internet during calls or receive/make calls during streaming like YT video playback.


In my case this is an iPhone 14 pro. I'm pretty sure I can receive calls while using data, since I often look things up on the internet while talking to my parents.

And, by the way, the SMS in question never arrived. I don't know if there's some kind of timeout happening, and the network gives up after a while. Some 15 years ago I remember getting texts after an hour or two if I only had spotty reception. This may of course have changed in the meantime, plus this is a different provider.


SMS is not E2E encrypted, so for all intents is just a plain text message that can/has been snooped. Might as well just send a plaintext email as well.


Number transfers in other countries are also mostly just a question of a bit of social engineering.


No. Most require some form of identification or matching identification between mobile providers.


I recently had an issue with a SIM card and went to a phone store that gave me a new one and disabled the old. They're supposed to ask for ID, but often don't bother. This is true for pretty much every country. Phone 2FA is simply completely insecure.


If the ID matching is done by humans, you can use social engineering on it.

See the sibling comment.



