Couldn't T-Mobile send their own SMSes to their employees pretending to increase the payout to $600, then fire any employee that replies?
Or maybe change the terms of use for the employee line discount to allow monitoring SMS content or metadata for security threats to the company's users?
T-Mobile could do many things (not sure it’s legal to pretend you want to pay for SIM swaps, but that’s beside the point), but first we need to establish why they would care.
I haven’t seen much evidence in the past they would.
They don't care. Source: got swapped on TMo, front-line CSR fixed it but no one else at the business cared; would not even refund my final bill. Solution: move to Google Fi. It has a word-of-mouth reputation for being resistant to this, which I believe if nothing else because Google has almost no human support to bribe/phish.
Google Voice too. No human tech support. It's kind of weird how having no human to talk to can be a good thing in these high security matters. No social engineering attack surface.
I've just realized that, even though I've used Google Voice as my primary phone number since before it was Google Voice -- for about 18 years now -- I have never really had a problem with it[0], and I've also never paid a dime for it[1].
It seems like a well-oiled machine.
0: Well, some places don't like using GV for 2FA (and demand a "real" cell phone number), and some other places don't think it can do short-code messages at all, but those aren't issues that anyone at GV could ever solve even if those people did exist.
It's more of a recent thing, but I am a little worried about how common it is becoming. I've used my GV number since at least 2007 for everything.
My bank accounts at banks I like have never complained about my Google Voice number and still don't. My bank account at Bank of America had some security check I needed to complete at some point and my Google Voice number that had been in their system for a decade I was told was not eligible anymore and I needed to actually use my real phone number.
I could almost put up with it if it was for things that need to be secure, but my 7-11 rewards account rejected my phone number at the gas pump a few years ago and Target rewards also started blocking my GV number.
I use Google Voice as my main number on my Pixel, but also on a burner phone to harass overly aggressive recruiters. When I set up Google Voice on the burner it made me load it with credit, but surprisingly all the calls and texts I've made with it are free.
Things are pretty stable because Google Voice has barely changed in the past decade, but when things do go wrong there's no one around to look into it.
There was a time many years ago when Google Voice would intermittently fail to ring or even forward calls to another number when I tried that, and then give no indication that a call was ever made to your number that you missed (I verified it by asking when people I knew called me and said I never got back to them), which is pretty bad when you're expecting to receive important calls sometimes. This went on for months. I received bare minimum support which didn't even come close to helping the issue even though my issue was voted to the top of the support boards because many other people were having the same issue at the time. I'm glad you personally haven't had an issue but you should be prepared to have one at some point and get essentially no help.
Do these databases see through number portability, or are they just verifying that the area code + prefix is assigned to a traditional telco?
Because you can port a landline to Google Voice for $20, and, in my experience, random Internet "phone number lookup" sites still show it as a landline years later.
The number gets classified differently in the "official" phone number database when you port it to a new carrier, including Google Voice. I used to have my US number in GV but ran into a lot of the 2FA issues, as well as trying to use it overseas extensively. Eventually, Google will figure it out to the point where it is no longer tenable to try and keep working around it. I caved and bought a $5/mo eSIM plan from Tello. They don't seem to care that I'm not in the US 10 or 11 months out of the year. I can use wifi calling to send/receive texts for 2FA for free, and iOS even supports using the data of one SIM/eSIM as the "wifi" for a different phone line also present on the device. So even if I'm out, I hop into settings, turn on the second line, it uses my EU data plan to fetch new messages via "wifi calling" and then I get my 2FA code or whatever. Takes about 30 seconds in total.
Is it the most convenient thing ever? No. I have an older iPhone because I'm a cheap bastard so I turn off the other line when I'm not using it, otherwise it will constantly look for a compatible roaming signal which it will never find because I have not authorized any international charges on that account (battery drain).
My class read a science fiction story in CS about a guy getting executed on death row for a late library book in a comedy of errors where a series of automated systems glitch out and a detached bureaucracy is slow to react. Or something like that.
I feel like it should be required reading to protect against "automate all the things" hubris.
Sounds somewhat reminiscent of the Terry Gilliam film Brazil. Basically a fly dies and gets caught in a teletype machine, causing the name on an arrest warrant to be misprinted. This snowballs into all sorts of darkly humorous and depressing hijinks.
Basically a modernized version of the premise of "The Trial" by Franz Kafka. An unknown authority charges the character with an unstated crime and bureaucracy chugs along on errors and assumptions.
That’s a real reason I don’t comment on YouTube or risk using any other Google services except Gmail and Voice.
God forbid I chargeback a purchase on Google Pay (or whatever their PayPal is this year) and trip some anti-fraud system that locks me out of my 20 year old email account. We all know their support is either automated or nonexistent, so it’s not worth the risk.
But there are many providers that you pay actual money to (like Fastmail), and if something goes wrong you, as a customer and not a potential ad target, are their top priority and you can call a human on the phone.
Oddly enough, the EU isn’t racing to bust down the door of these “gatekeepers” and require third-party interoperability with this socially-critical service.
Pretty much just an apple thing as far as I can see.
I think this is one of the reasons that Google Plus failed. It's like if North Korea set up a social network. Nobody would post cause post the wrong thing and get executed.
If you see what people post with their real name on newspaper comments, Instagram or Facebook it's clear that people don't care, or don't think that far ahead.
Google Plus failed for many reasons but I doubt that one was a big factor.
I've mentioned this a few times and don't feel like restating it, but if you're curious about my "I was locked out of every single Google service for 'fraud' that I didn't commit, don't know what they were talking about, and never got a single response even after sending them my driver's license multiple times to prove my identity" story, it's somewhere in my comment history.
It's probably a tiny chance it happens to many people but it's something to consider. I had nobody to talk to. No store to go to. I lost cell service for a week until I migrated everything off of google.
Just something to be wary of.
edit: I tried to dig it up. It's about a year old and .. oof, yeah, I'm not going through pages and pages of paginated HN comments. Moral of the story is what I said above.
Lazier than you think! You almost nerdsniped me into seeing how fast I could whip up a crawler but then I checked the search and found out it can find comments and use a custom date range.
My main problem with google fi is that I also use gmail heavily, and if the algorithm decides to cut me off one day for some reason, I don't want to lose access to my primary phone number and primary email address at the same time.
Still seen swaps with Google Fi. Efani is a much better option if you actually want protection. I am a cyber lawyer and that’s our recommendation to any clients who care. I can’t recall if Efani is throttled on AT&T or Verizon as MVNO, but one isn’t. Easy to ask them.
>Efani is a much better option if you actually want protection
Their website says it's $99/month. That seems a bit steep to me considering all they're providing over a regular provider that charges $29/month is that they do a bit more verification when you claim that you lost your SIM. It's not even clear whether they protect against a port-out attack, which is probably worth worrying about as well.
Presumably Efani accomplishes that additional protection by maintaining a human support staff they put more resources into training than the average carrier. That's expensive, especially when you consider that it's a relatively niche service (so small user base to amortize that cost over) and presumably only used by people that really care about sim swaps, likely because they are frequently targeted for sim swaps, and thus the training needs to really work. They also have no other lines of business like device sales/financing that could help cover those human operational costs.
That, plus the fact that it's a premium service that is mostly only useful to higher net worth / higher income people, makes it seem reasonable that it would be quite expensive relative to a regular provider.
>Presumably Efani accomplishes that additional protection by maintaining a human support staff they put more resources into training than the average carrier. That's expensive, especially when you consider that it's a relatively niche service (so small user base to amortize that cost over) and presumably only used by people that really care about sim swaps, likely because they are frequently targeted for sim swaps, and thus the training needs to really work.
According to the BLS, "Computer User Support Specialists" get paid $30 on average[1]. Whatever training they give to staff to resist SIM-swap attacks, I can't imagine it can be more complicated than the certifications that "Computer User Support Specialists" have to get through, so I think it's reasonable to model their support costs at $30/hr per person. With the premium they're charging over a budget MVNO they can afford two support people per customer. How many fraudulent SIM swap attacks could the worst client possibly attract? Is it really that hard to train someone to deny SIM swaps until they go through 11 steps of verification like their website says?
>That, plus the fact that it's a premium service that is mostly only useful to higher net worth / higher income people, makes it seem reasonable that it would be quite expensive relative to a regular provider.
I mean yeah that's the more reasonable answer. It's a luxury product and priced accordingly.
Same goes for Mint Mobile. They are/were an MVNO now owned by T-Mobile. I have no reason to go into a store since the service just works and I never do much but confirm auto-pay is working. Looking at the site now, it's been T-mobilized with stuff like carrier-locked phones, but otherwise I've seen no meaningful changes.
I'm pretty sure T-mobile could legally do that to their own employees. Corporate security teams are always sending fake phishing email to test their employees' gullibility and send them off to Re-education Camp.
Yeah, I'm sure a well paid attorney could probably come up with some legal theory that "makes it OK" to attempt to entice an employee into committing a crime for the purpose of rooting out employees who would commit a crime in exchange for money.
A well paid attorney worth their salt will likely tell you that you don't want to test that theory with a court and the various employment watchdogs.
Engaging in such a plan and through happenstance and human fallibility ending up actually creating harm to an actual customer could potentially expose you to a tort claim.
> not sure it’s legal to pretend you want to pay for simswaps
I don't see a big difference between this, and sending fake phishing emails to employees to see if they bite, which is a fairly common practice.
In this case though, it doesn't necessarily have to be T-Mobile that does it. It could be local law enforcement, and they could potentially trade immunity for information on real bribers.
Clicking on a phishing link is not illegal. Therefore, it is OK for corporate to send fake phishing emails. This would be instructing employees to do something illegal.
Likewise, a CEO cannot instruct the accountant to steal money from the company account as a test.
I believe there are telecommunications regulations involved that prevent them from erecting barriers during the SIM swap process. This might be one of the main reasons it's such a juicy vector.
You may be right! They might not be able to do a "24 hour cooling off" period. Even sending text messages to that number once an hour for a day saying "TEXT STOP TO STOP SIM TRANSFER OR CALL 611" would stop a lot of these.
I'll have to google a bit and see if they are restricted.
T-Mobile should make a few loud examples out of those proven to be doing this. Deterrent is the best medicine. Of course they don't want this kind of attention so they'll do as little as possible.
If your phone number being stolen causes your savings to get drained for long enough that you run into problems making important payments like rent, taxes, car payments, that can pretty quickly spiral into even worse situations. In a world/country where many people have too few savings to go even a month without being paid, losing even that can get extremely dangerous. Not to mention the stress of such a situation alone will probably take quite a bit of your life expectancy off.
While I absolutely understand the point you're making....
At least in the United States, we also live in a society where the financial ramifications of getting shot could lead to equally bad financial outcomes (whether directly or indirectly).
Or, crazy idea, we do not give minimum wage paid retail sales reps the ability to control access to the online accounts of hundreds of millions of people.
Reps for T-Mobile are not making minimum wage. Almost nobody in the US earns minimum wage at this point, it's less than 1/2 of 1% of labor.
You can make $15/hr as an entry-level cashier - your first job, zero job history - at CVS and Walgreens, with tolerable health/dental/eye insurance.
And if you're not entirely braindead you can trivially become a pharmacy intern (then tech) and start at $18-$20, with benefits. They'll pay for your licensing. You can make $18-$22 to start as a telemetry or video tech, with zero experience. Hospitals are filled with people sitting in rooms watching video monitors making sure patients don't fall over or hurt themselves, it pays 3x the minimum wage and requires zero experience.
If you're making $7.50/hr at this point, you're either living somewhere very barren (almost zero economic opportunities), or it's your own fault.
> Almost nobody in the US earns minimum wage at this point, it's less than 1/2 of 1% of labor.
Almost nobody makes federal minimum wage.
It's gotta be at 2%+ making state minimum wage though.
CA for example has a minimum wage somewhere north of $15, and like 10% of the population makes minimum wage or less. That right there pulls the number for the whole country up to at least 1% making minimum wage, because CA is >10% of the population. (Extreme example, since CA also has the highest real poverty rate in the US (SPM, not the hilariously undercounting OPM)).
Even so, retail sales jobs are often heavily commission adjusted which makes this not so cut and dry.
Sell sell sell, or you are well below the poverty line and quickly replaced by someone more willing to cut corners on the activities that are not profitable like carefully checking ID.
What is the dollar value of getting access to a phone number belonging to a celebrity or a billionaire? I don't know the exact amount, but it is 100% more than what T-Mobile can feasibly pay all of its employees. Do you think security guards protecting the federal reserve's gold vault get paid more than the value of the gold in that vault?
“Inside job” SIM swap attacks are not necessarily new; a close friend’s T-Mobile phone got hit this way in March 2020.
The news here is the intersection of a data breach with SIM swapping: criminals are using the employee phone numbers from a recent T-Mobile breach data dump to text tons of employees at once, offering $300 per swap.
Previously, criminals would develop the inside agent either through personal connections or by applying and getting hired themselves. With the breached data, they can automate and scale.
As others have suggested, the trick is to put out fake honeypot offers, to strike at the weak point of the scheme, which is that the lack of trust and anonymity run both ways.
In other words, the "old way" isn't just about cultivating an insider agent, but also about establishing that the insider can trust the requestor.
What's the solution here? Can we practically expect employees at retail stores to not be permitted to change a person's phone over? What if the person who needs the swap has said their phone is lost/stolen?
I think ideally there would be some kind of verification that the customer was indeed present and that their ID had been verified, but I don't see how you can do that in the US as there aren't ID cards or similar forms of universally available ID. I also think you should be able to get a phone number without ID at all, which would preclude verification in those cases.
The issue is that people's phones are essentially the roots of trust for our digital lives. Passkeys being built into the OS are good because they push that problem away from carriers, but the fundamental issue still remains. Bootstrapping trust is hard.
Not putting phone providers in charge of access to our digital lives.
> that the customer was indeed present and that their ID had been verified
Present where? My MVNO does not have any branches. And even if they did, why should I ever have to go there? I don't go to bank branches either if I can at all help it.
Sometimes you can't help it, you need a phone today, and need to go into a store for your phone company. No, buying a phone from Walmart or Best Buy and waiting for a SIM or doing some eSIM thing won't work, you just need to get into a branch today. If an MVNO with no branches works for you, great, but some people need to be able to go into a branch of their cell phone provider/bank/utility.
> I think ideally there would be some kind of verification that the customer was indeed present and that their ID had been verified, but I don’t see how you can do that in the US as there aren’t ID cards or similar forms of universally available ID.
Requiring government issued photo ID for identity verification is not at all an uncommon policy for various purposes in the US, and AFAIK all states have universally available ID cards (they are generally not free of charge, but they are universally available.)
ID REALLY should be paid for by taxes and 'free' for everyone obtaining their proof of identity. Now, a 'drivers' license might have an extra fee on top of that.
Maybe the free IDs could be issued by police departments? Either way this is a good time for someone to register as a voter too, WA state has a simple checkbox for that and other states can too.
Especially since the recent push for "Real ID" required to fly. Ok if it's so "Real" it should be easily scanned and verified.
When you get your phone they should hand you a pamphlet saying that when you lose your phone this is the process, these are the risks, and offer you the option to upgrade the security to require, say, a passport to restore your account.
I help people move to Germany. Requirements like this make it really hard for people to settle in a new place. On the other hand you can’t expect a teenager working minimum wage to identify a Thai passport.
There exist services for ID verification, usually by video call. They exhibit the same limitations though.
If passports are accepted it should not create a problem for most foreigners/immigrants. And a Thai passport doesn't look too different from others: https://en.wikipedia.org/wiki/Thai_passport I guess an untrained worker will not spot a forgery, but that's true no matter which country's passport you use, and something like a US driving license looks easier to forge than a Thai biometric passport.
> something like an US driving license looks easier to forge than Thai biometric passport
I'm not sure this is the right comparison, in general, although I agree with your point (below). I suspect that one benefit of accepting domestic driving licences as ID, but not most foreign non-passport documents, is due to familiarity. That's probably as important a factor in spotting forgeries as the security features embedded in the document, which aren't very useful if the person checking isn't familiar with an authentic version of the document.
In practice, I tend to agree that someone is likely to not be familiar with many driving licences, such as (in the US/Canada) those from distant or low-population US/Canadian states, provinces, or territories, or (in much of Europe) a smaller European country's driving licence or national ID card, so a foreign passport is far from the main concern.
Agreed. And even within a jurisdiction not everyone may be very familiar with domestic IDs. FinCEN just yesterday released a notice to financial institutions regarding the use of forged and legitimate US Passport Cards in connection with fraudulent or suspicious activity. The notice includes a litany of validity tests given that people just don't see these very often.
I have a US Passport Card that I present as my photo ID when asked, because I don't want my address presented to just anyone who might have a valid need to ask for ID. Federal employees look at it and wave me on, but outside that I get a mix of "I've never seen this" (and every time it's still been accepted) and a lot of careful scanning of the card.
Easy solution: Don't use SMS for password recovery.
SMS might even be okay for 2FA, but it must always be the second factor. "Forgot my password" -> SMS code -> new password is just 1FA. Using SMS as the only factor is really, really bad.
Then don't use insecure services. I think in the EU sms only password reset indirectly violates data privacy laws (not securing private data with industry standards).
You should stop using passwords altogether then and move to passkeys. Passwords are on a hot deprecation path.
Hell, soon with biometrics and public key crypto you’ll be able to attest that you're physically sitting in front of a computer and have an ID issued by a state that matches.
They remember because they enter the PIN on a regular basis, and probably share it among all their other bank cards so they're using it at least monthly. A PIN that they set years ago and never used has zero chance of being remembered.
Simply require that a SIM can only be swapped if it is disconnected from the mobile network for 48 hours. And if it isn't disconnected, the original SIM will be called/texted to ask if they really want the SIM swap to happen.
> require that a SIM can only be swapped if it is disconnected from the mobile network for 48 hours
If someone has both devices in hand, there isn't even need for a delay. The only time you need a delay is when the original device is missing. In that case, sending a message to that SIM and having a mandatory delay (ideally, customisable by the customer) seems reasonable.
> You have requested a replacement SIM card. To proceed with the replacement now, reply "Yes". To keep this SIM card, reply "No". If you do not reply, a replacement will be mailed to your billing address: 54 Wolverton Gardens in 7 days, and this SIM will be deactivated.
An attacker now has to overcome the time delay, and the fact that the replacement SIM card must be mailed to the billing address. For those people who have an outdated billing address and lose the SIM card, require the SIM to be offline for 7 days, or demonstrate access to an email address or credit card on the account.
That's precisely what happens with SIMs in India. When a SIM swap happens, text messages are blocked for 24 hours to allow a customer to alert the operator before one-time codes resume sending to the new SIM.
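The challenge-then-wait flow sketched in this comment (and the earlier suggestion of texting the live SIM with a way to stop the transfer) can be written down as a small state machine. The following is an added example, not code from any carrier or from the thread; the 48-hour and 7-day figures come from the comments above, while the state names, the `Line`/`SwapRequest` types and all sample numbers and addresses are constructed for illustration.

```python
"""SIM-swap request flow with a cooling-off SMS challenge (added example).

Policy modelled, following the discussion above:
  * if the original SIM has been dark for 48 hours or more, treat it as lost
    and approve the swap without a challenge (nobody is there to answer);
  * otherwise text the original SIM; YES approves, NO denies;
  * no reply for 7 days: mail a replacement to a verified billing address and
    deactivate the old SIM; if the billing address is unverified, require the
    old SIM to stay offline 7 days or proof of control of the account e-mail
    or card on file.
All thresholds and data are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

OFFLINE_FOR_INSTANT_SWAP = timedelta(hours=48)   # assumed threshold
CHALLENGE_TIMEOUT = timedelta(days=7)            # assumed threshold
OFFLINE_FOR_UNVERIFIED_ADDRESS = timedelta(days=7)


@dataclass
class Line:
    msisdn: str
    billing_address: str
    last_seen_on_network: datetime
    address_verified: bool = True
    sms_outbox: List[str] = field(default_factory=list)   # what the old SIM is sent


@dataclass
class SwapRequest:
    line: Line
    requested_at: datetime
    # challenged | approved | denied | mailed | needs_other_proof
    state: str = "pending"
    note: str = ""


def open_swap_request(line: Line, now: datetime) -> SwapRequest:
    """Start a swap; either approve a long-dark SIM or challenge a live one."""
    req = SwapRequest(line=line, requested_at=now)
    if now - line.last_seen_on_network >= OFFLINE_FOR_INSTANT_SWAP:
        req.state, req.note = "approved", "original SIM dark for 48h+; treated as lost"
        return req
    line.sms_outbox.append(
        "You have requested a replacement SIM card. To proceed now, reply YES. "
        "To keep this SIM, reply NO. If you do not reply, a replacement will be "
        f"mailed to your billing address in {CHALLENGE_TIMEOUT.days} days and "
        "this SIM will be deactivated.")
    req.state = "challenged"
    return req


def handle_reply(req: SwapRequest, reply: str, now: datetime) -> str:
    """Apply a reply received from the original SIM; other text is ignored."""
    if req.state != "challenged":
        return req.state
    answer = reply.strip().upper()
    if answer == "YES":
        req.state, req.note = "approved", "confirmed from original SIM"
    elif answer == "NO":
        req.state, req.note = "denied", "refused from original SIM; flag for fraud review"
    return req.state


def tick(req: SwapRequest, now: datetime) -> str:
    """Periodic job: resolve challenges that timed out without a reply."""
    if req.state == "challenged" and now - req.requested_at >= CHALLENGE_TIMEOUT:
        if req.line.address_verified:
            req.state = "mailed"
            req.note = (f"replacement mailed to {req.line.billing_address}; "
                        "original SIM deactivated")
        else:
            req.state = "needs_other_proof"
            req.note = "billing address unverified; need 7 days offline or proof"
    if (req.state == "needs_other_proof"
            and now - req.line.last_seen_on_network >= OFFLINE_FOR_UNVERIFIED_ADDRESS):
        req.state, req.note = "approved", "original SIM dark 7 days, address unverified"
    return req.state


def provide_proof(req: SwapRequest, kind: str, now: datetime) -> str:
    """Customer proves control of the account e-mail or card on file."""
    if req.state == "needs_other_proof" and kind in ("email", "card"):
        req.state, req.note = "approved", f"proved control of account {kind}"
    return req.state


def run_scenarios() -> dict:
    """Four constructed cases; returns the final state of each."""
    t0 = datetime(2024, 1, 1, 9, 0)   # constructed timestamp
    out = {}
    # A: attacker asks for a swap while the victim's phone is on; victim replies NO
    victim = Line("+15550100", "12 Example St", t0 - timedelta(minutes=10))
    out["attacker_refused"] = handle_reply(open_swap_request(victim, t0), "no", t0)
    # B: genuine loss, SIM dark for three days: nobody can answer, so approve
    lost = Line("+15550101", "34 Example St", t0 - timedelta(days=3))
    out["lost_phone"] = open_swap_request(lost, t0).state
    # C: live SIM, no reply for a week, verified address: mail the replacement
    silent = Line("+15550102", "56 Example St", t0 - timedelta(hours=1))
    out["silent_verified_address"] = tick(open_swap_request(silent, t0), t0 + CHALLENGE_TIMEOUT)
    # D: stale address and the old SIM kept being used: demand other proof
    stale = Line("+15550103", "old address", t0 - timedelta(hours=1), address_verified=False)
    req = open_swap_request(stale, t0)
    stale.last_seen_on_network = t0 + timedelta(days=6)   # still active during the wait
    out["stale_address_waiting"] = tick(req, t0 + CHALLENGE_TIMEOUT)
    out["stale_address_after_email_proof"] = provide_proof(req, "email", t0 + CHALLENGE_TIMEOUT)
    return out


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(f"{name}: {state}")
```

Scenario D is the edge case the comment calls out: with an unverified billing address the timeout must not fall through to mailing, and the model only approves once the old SIM has actually been dark for the full period or the customer proves control of something else on the account.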
There’s always one of you. We can’t change anything and secure systems because 3 people out of the 8 billion walking the earth will have a slightly harder time using said systems. You people need to leave the conversation already as you’re not even helping the people you’re trying to help.
Whenever I go to a mobile provider in Serbia to do anything related to my account I have to provide government ID. They even put it in a card reader to get the relevant data. While SIM swap is certainly a theoretical risk, it's not a practical one around here. Having authentication on a phone or another physical device (without backup) seems to be at least two orders of magnitude higher risk of losing access to everything. Relying on Google or another third party for authentication is not without its risks too.
I just hope SMS authentication won't go away completely for other parts of the world where the risk balance is different than in the USA. Until things change, I trust my local bureaucracy to work their bureaucratic ways and always check ID where needed more than I would trust myself not to lose some auth device.
I use Google Voice for this reason, so that you need to authenticate with my Google account to modify anything related to my phone number. It's not perfect since there is still an internal forwarding number they could SIM swap on, but it would require them associating the two numbers first, and I don't use my T-Mobile number for anything outside being the forwarding number for Google Voice.
WebAuthn is an excellent alternative to passwords, but a relatively poor access recovery mechanism, given that it just kicks the can down the road to another provider at best (usually Apple or Google), and to a single physical object that's easy to lose at worst.
I use it myself, but I do also understand companies and people that don't want to make it their only way back into their account as it is.
> I don't see how you can do that in the US as there aren't ID cards or similar forms of universally available ID
You're speaking out of a position of extreme ignorance. There are ID cards - drivers' licenses and passports - that are near-universally available, and are regularly used as identification.
> Except for that one giant issue, passkeys are gonna be great.
Unlike passwords, you can have multiple passkeys associated with an account. Accessing from an iPhone? Use your Apple passkey. From Android? Use your Google passkey. Want cross-platform? Use your 1Password passkey. Etc.
Right. Relying Parties (RPs) need to have beaten into their implementations that multiple keys for each identity is normal + correct behavior, and the number of multiple keys should not be unreasonably limited.
After the trouble of adding multiple keys, I think there needs to be a way to easily add multiple keys. Like an uploaded file or a service that has a list of public keys. Something like cross-signing the keys and then authenticating one of them.
I wonder if hassle means there will be more use of OAuth but that means trust.
This is indeed the elephant in the room with WebAuthn.
There needs to be a way to e.g. share the secret seed in one passkey securely with another and put that in a safe deposit box, with a friend etc. without needing access to both keys whenever a new account is added.
It's a real shame that most stakeholders in FIDO/WebAuthn have moved on to passkeys as the canonical path forward over hardware-based solutions like this. Passkeys are definitely better than passwords, but they shouldn't be the only option out there as-is.
Yubico had done some work back in (I want to say..) 2020 to solve this very problem: bootstrapping a new key based on existing trust with an existing key. Of course the trick remains of needing to have access to both keys for at least a short time to create the relationship between them. They worked out some of the mathematics and cryptography they'd need, but it didn't seem to go anywhere. They wrote a blog post about it but I'm having trouble locating it.
I remember this as well, and it's a real shame it didn't go anywhere.
In terms of user experience, they could sell pre-linked "YubiKey pairs" or offer a user experience of e.g. plugging both into the same computer and resetting them via a long press to "entangle" the pair cryptographically.
I _wish_ for this. I have more YubiKeys than I can shake a stick at because I tend to use them as the exclusive MFA method for high-value accounts, such as many of my professional accounts.
The overhead and time I expend to do audits throughout the year and track what account/services are protected by which keys is in equal measure worth it and maddening. If I could just have a few new keys and "cross entangle" all of them, I would sleep as well as the Yubico promise, well, promises.
I always thought of passkeys as hardware tokens that shouldn't be backed up. It needs to be easy to have an extra one that lives in a secure place. But just as most people don't use secure passwords, they also won't worry about a backup key.
I am not sure that passkeys are any more secure than a random password stored in a password manager. I'm suspicious about password managers used to store passkeys. I guess they are better since you have to unlock the password manager.
I have had an idea for a place that can verify identity. Walk into a store, they take biometrics to verify identity, and then give you a card. That can be used to unlock accounts if locked out. It does have the risk of employees being bribed. But banks don't seem to have that problem. Making sure it is done in person should help.
Not being able to back them up, to storage under the user's control, is the issue.
I don't want a Google or Apple backed phone to be the only hardware token secure enough to protect my key.
I want these devices to, RIGHT NOW support copying their keys to another device that neither party can control. I want an open standard that people can implement in a less-than $50 secure hardware device that I can duplicate these keys into. I think the UX of a "Key Safe" that is offline, physically securely stored, and can manually + securely have keys copied into, or copied off without Apple or Google's intervention would solve a lot of concern about the very real lock-in that's in play right now.
Because 1Password started charging a subscription for the exact same features they were charging a flat fee for. And when customers that had bought 1Password's product year after year started to complain, they just ignored them. Then, to attempt to force people to upgrade, they stated they would stop updating old versions of the app, so at some point you’ll have to pay to continue accessing your passwords.
Are you really unaware of the password vault hijacking 1Password is and has been trying to do for 5+ years now?
Yea for sure, it works for some and not for others. I’m likely biased from the subscription fatigue so take what I say with ample salt.
Sharing passwords between families is definitely a problem for me still, like sharing 401k accounts with my wife. Hopefully passkeys and the respective family accounts with the majors can solve this eventually.
There are several 'boutique' email providers (Fastmail, Proton, etc.) that you can use instead of the big 3. You can even host your own MX server but use a relay service so you don't have to deal with IP reputation issues.
lol relay services have reputation issues, I was talking to someone today about trying to whitelist some vendor this company uses because they use a relay service and it looks sketch as hell when emails show up seeming to pretend to be someone else
I have google fi and I'm always a little low key worried that they'll block my account which will kill my phone/docs/drive/email all at once.
It also kinda sucks having Google as your email and your phone when they want to use email to verify your account settings and you can't get into your account. This happened to my wife, and they essentially have no support on the Fi side and the Gmail side support isn't super helpful. She was eventually able to recover her Gmail account and fix her Fi activation but it was a huge pain and took a couple of days.
I would not put all my eggs in one basket like that. You're one inadvertent terms-of-service violation from losing a huge chunk of your digital identity with no recourse.
You're not wrong, but trust is an issue here as well.
If someone convinces both Person A and Person B of their legitimacy, even if they're not legitimate, this doesn't solve anything.
If Person A and Person B trust one another personally, then _idealistically_ you're vulnerable to collusion (intentional) or abuse (unintentional).
If Person B trusts Person A because of some policy or technical attestation, that means the policy or technical criteria needs to be robust against abuse.
If you're in-person at, say, a T-Mobile store, then it's not likely that Person A and Person B don't work together, but even if they don't, the first issue still applies.
I've watched T-Mobile store employees just pass an iPad to a manager and say "can you type in your code?" Depending on the employee or what process was requiring approval, the manager might or might not have asked "what are you doing?" "Can you justify this?" etc.
You can make the higher level person liable for their passcode usage. It’ll only take a few examples to be made for them to change their approach.
This whole two person security thing being untrusted seems silly however, as that’s what nuclear missile silos typically use to avoid rogue actors. Why it won’t work here seems odd, if you put the right punishments in place.
Nuclear missile launches are a very, very far cry from phone company customer support operations.
To engage the comparison nevertheless, at least regarding silos, the two person rule is physically enforced using space itself. You could collude, but the likelihood of two people getting to that point and then going through with it is so infinitesimally small as to be, essentially, purely academic.
The risks to one or two actors fraudulently SIM swapping someone’s line are much, much different.
Proportionality matters as much here as anywhere. What would a sufficient deterring punishment look like in this case that would make others think twice? People have already lost their jobs and been tried under existing law for this and it continues to happen.
There should be a security code that’s only known to the owner, can’t swap it if you don’t have the code. Seems like a pretty simple and effective solution imo.
Can you really not imagine any scenario other than crypto where compromising an employee's account could have financial consequences? Thinking about that somewhat large industry other than crypto dealing with people's money...
Then why did these attacks explode in popularity in 2018 and all involve crypto? Bank transfers can be reversed and can take days to process and have more security checks; crypto is instant and irreversible and the security checks much weaker.
One might assume that, but there's still things like the fully digital Bangladesh bank robbery of 2016 [1].
Bank transfers are often, but not always, reversible, and sometimes finality is a feature desired by all participants and explicitly designed into systems, e.g. RTGSes. CEO fraud is on the rise and wouldn't be possible without these systems.
That's one reason why these are often not directly available to private consumers without a banker and some level of ceremony in between.
I can't imagine so many people paying off employees for SIM swaps only to get involved in a very complicated digital bank robbery. Maybe it'd happen once or twice.
I work in crypto and see SIM swaps happen all the time, mostly for Twitter account takeovers of famous people where they then post phishing links and steal their followers' coins. T-Mobile is easily the biggest offender for this, most people reporting they use it, so this has been going on for a long time.
The other big problem with Twitter security is you can have your account taken over even if you use non-sms 2FA! If you have your phone number on your account it can be used for recovery completely bypassing 2FA. They've had this security flaw for years and still haven't fixed it.
Almost everybody supporting 2FA has this security flaw today.
The number of sites that actually let me never provide a phone number, or at least not have it be a recovery method, is tiny.
Even things like a simple time lock (e.g. SMS-OTP "2"FA recovery only being possible after 24 hours, combined with sending a blast of "careful, your account is about to be recovered by somebody that might not be you" and a way to stop that for the legitimate accountholder, would go a long way.
A lot of sites have this security flaw, turning SMS 2FA into 1FA: all you need is the phone number. Although allowing it even if you use non-sms 2FA is even worse, 100% defeating the purposes of using an alternate form of 2FA.
It's actually unbelievable how often SMS OTP is used, when it's public knowledge that it just replaces one attack vector with a worse attack vector... Cracking a password or breaking into an encrypted database is 10x harder than getting a SIM swap.
My bank recently added the feature of removing SMS as a 2FA option - requiring TOTP. Now if they'd only add WebAuthn, but TOTP is pretty secure against phishing with a browser-integrated password manager (no autofill results in suspicion).
My bank finally added 2FA today actually. It is, of course, SMS or Email only because banks have the worst online security for reasons I'll never understand.
First Tech CU. Their physical locations are PNW only, but that hasn't stopped me from continuing to use them electronically on the east coast. They are also part of the CU alliance, so access to alliance branches and ATMs is possible (I've never had the need to test this).
I have no idea, and I despise it. USAA and eTrade both have TOTP, exclusively with the shitty, non-backup-able Symantec VIP app. Break your phone? You're boned! Symantec VIP on those sites doesn't provide 2FA verification (the thing where the phone asks to confirm the number on the client-side) and it doesn't provide push notifications.
It's literally a worse version of regular TOTP. And they're in the minority even having 2FA!
It’s easy, it’s free for the customer, and with features like iPhone’s “code autofill”, it’s the easiest UX. SIM swapping happens to such a small number of people that it’s not worth the effort for anyone involved. I hate it myself, but such is the reality.
It's not really "replacing" though. Prior to SMS OTP it would just be the password. Having password + SMS OTP is strictly better, regardless of how shitty SMS OTP might be.
Many sites do allow logging in with just an SMS OTP, no password required (even if you’ve set a password for the account). If it absolutely must be used (it shouldn’t), then SMS OTP should be a second factor, not the only factor.
> Having password + SMS OTP is strictly better, regardless of how shitty SMS OTP might be.
Unfortunately one can claim to "forgot my password" and use SMS OTP to reset it. Now it becomes a single factor authentication with a compromised phone.
Password + SMS OTP is strictly worse than a password. At least you cannot SIM swap your password.
So it looks like the FCC is implementing some new rules to protect against SIM swapping and that's taking effect on July 8, 2024. Though from the press release, I'm not quite sure if that'll protect the customer from a carrier employee being the bad actor.
Not even joking: there is probably a market for starting a mobile provider company that actually requires a DNA sample to change. The DNA could be collected from multiple sources simultaneously (blood, saliva, and randomly chosen fingernails) and run through a hash so that the provider never stores the DNA string itself. Some level of innovation may be required here, I know DNA itself isn't exactly a UUID, but I'm certain it could be done. VIPs would pay for this service and you could offer limited insurance for hackage.
Edit to add: there was an episode of "Forensic Files" where a suspect injected someone else's blood sample (at great personal risk) to evade a DNA test for a sexual assault charge. So just acknowledging that DNA methods can be attacked too. Hence the necessity of multiple random samples.
We really need better standards for MFA. Probably we should have a legal definition of MFA and SMS should be described as 2SA (Two-step authentication) on par with email or whatever. While MFA should be restricted to actual Yubikeys and other hardware certificate based things.
I'd also say people shouldn't be able to advertise MFA if they only support a single token per method.
It's not reasonable to expect people to have Yubikeys. iPhone Keychain is about as good as it'll get realistically, and that somewhat relies on hardware security.
Actually I maybe misspoke and I might go further than that and say that services shouldn't be allowed to make any requirements about how hardware tokens work. This means if someone wants to use a software token that should be supported.
And also I think this is why the passkey standard is bad, it sets rigid hardware requirements and the manufacturers will use this to drive planned obsolescence. If Apple and Microsoft have their way we will throw away $1000+ phones and laptops because someone found an exploit in the TPM that requires physical access.
You know it's trivial to export, right? There's nothing more secure than Keychain if you're in the Apple ecosystem. Nothing gets more scrutiny from the entire industry, at least.
The "ecosystem" comes as a non-severable package. Like for instance, my pet issue: "if" I'm in the ecosystem, I'd have to give up my headphone jack. And all the rest of it. The "if" is probably most of the problem.
How else are you supposed to log in from a new device? iCloud is doing that for you anyway, only it requires an Apple device. I can copy ssh privkeys too, and that's fine.
Oh, I didn't realize passkeys and totp aren't the same thing. Totp secrets go into the CSV. Don't think I even have any passkeys to test with. And supposedly 1Password doesn't let you export either.
This seems bogus. I'd rather simply use a random per-site password; looks like passkeys are the same except non-interoperable.
Bitwarden lets you export them as part of at least their JSON export, but unfortunately there's no specified interoperable format yet, so you can only import them back into Bitwarden (which you can at least self host; you could reimplement their serialization format if you're really determined).
There's some movement in that area in the related FIDO working groups, but I think we'll (by design) never see something like CSV export, and it'll be more like a standardized account migration.
> I'd rather simply use a random per-site password; looks like passkeys are the same except non-interoperable.
They're significantly better than a random per-site password since they can't be compromised on the server side (due to being based on public key cryptography), unlike regular passwords and TOTPs.
I guess the real advantage is, if their server is temporarily compromised, they don't have to make me reset my password to get back in. But it's a per-site password, so the attacker can't use it elsewhere.
Most customer service representatives are on very low incomes (especially in other countries) and it’s not hard to find one who will take actions for a (western) small amount of money. CSRs often have powerful capabilities and access to sensitive information. With poor access controls.
Solve the SMS/MFA issue and they’ll attack the next thing in line
>Most customer service representatives are on very low incomes (especially in other countries) and it’s not hard to find one who will take actions for a (western) small amount of money. CSRs often have powerful capabilities and access to sensitive information. With poor access controls.
Another reason to implement my proposal of a law requiring all customer service serving US customers to be located in the US, UK, Ireland, Canada, Australia, or New Zealand.
An *opt-in* option to require that lines on your account can not be moved to a new SIM unless the current SIM is offline as far as the cell grid is concerned.
This could even be made into something that customer service could be blocked from overriding.
If someone steals your phone, they try to get it into airplane mode as fast as possible to avoid activation locks.
If you drop your phone in the ocean or off the side of a cliff, it's probably not going to remain working for long.
If you're concerned about losing it somewhere where it'd remain active but you'd never find it, then don't opt in to this.
Yes, or even require a challenge sent to the current line with a grace period, and you get to choose your own grace period up front. In this way, someone can't jack your line while they know you're on a flight.
So, I lose my phone (maybe it's sitting on the side of the road somewhere) and need a new line. Since I can't reply to it my line will transfer after 8 (?) hours of no response to the challenge.
Taking the device offline requires you to either have control of or destroy the current phone, while that SIM protection sounded like something a customer service rep could be tricked into working around.
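The opt-in protections proposed in this subthread (a customer-set SIM lock, "swap only if the current SIM is offline", and a challenge to the current line with a customer-chosen grace period) follow the same delay-and-veto pattern suggested earlier for time-locked account recovery. The toy policy engine below is an added illustration, not T-Mobile's system or any commenter's code; the one-hour "offline" threshold, the STOP-style veto token and the flag names are assumptions.

```python
"""
Toy policy engine for customer-selectable SIM-change protections.
Added illustration, not a carrier's real system: the flag names, the
one-hour "offline" threshold and the STOP-style veto are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import secrets

# Assumption: a SIM that has not registered with the network for this long
# counts as "offline as far as the cell grid is concerned".
OFFLINE_AFTER = timedelta(hours=1)


class Decision(str, Enum):
    ALLOW = "allow"
    DENY = "deny"
    PENDING = "pending"  # challenge sent to the current line, grace period running


@dataclass
class Challenge:
    token: str            # one-time code the customer quotes to veto the swap
    issued_at: datetime
    vetoed: bool = False


@dataclass
class Line:
    msisdn: str
    sim_lock: bool = False              # self-service "SIM lock" flag
    require_sim_offline: bool = False   # opt-in: swap only when current SIM is unreachable
    grace_period: timedelta = timedelta(hours=24)  # customer-chosen delay
    last_seen: datetime | None = None   # last network registration of the current SIM
    pending: Challenge | None = None


def request_swap(line: Line, now: datetime) -> tuple[Decision, str]:
    """Evaluate a SIM-change request. There is deliberately no caller role and
    no override parameter: a support agent gets the same answer as the
    self-service portal, so a bribed or phished agent cannot skip the checks."""
    if line.sim_lock:
        return Decision.DENY, "SIM lock enabled; customer must clear it in self-service first"
    if (line.require_sim_offline and line.last_seen is not None
            and now - line.last_seen < OFFLINE_AFTER):
        return Decision.DENY, "current SIM is still registered on the network"
    if line.pending is None:
        line.pending = Challenge(token=secrets.token_urlsafe(6), issued_at=now)
        # In a real deployment the token goes to the *current* line:
        # "SIM change requested; reply STOP <token> within 24h to block it".
        return Decision.PENDING, "challenge sent to current line; grace period started"
    if line.pending.vetoed:
        return Decision.DENY, "customer vetoed the change"
    if now - line.pending.issued_at < line.grace_period:
        return Decision.PENDING, "grace period has not elapsed"
    line.pending = None  # consume the challenge; the swap may proceed
    return Decision.ALLOW, "grace period elapsed without veto"


def veto_swap(line: Line, token: str) -> bool:
    """Customer replies from the current line with the token. Constant-time
    compare so a wrong guess does not leak the token byte by byte."""
    if line.pending is None or line.pending.vetoed:
        return False
    if not secrets.compare_digest(line.pending.token, token):
        return False
    line.pending.vetoed = True
    return True


def _t(hours: float) -> datetime:
    """Fixed clock for the scenarios: hours after an arbitrary epoch."""
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(hours=hours)


def scenario_attacker_during_flight() -> list[str]:
    """Someone requests a swap while the owner is on a 6h flight (phone off).
    The owner lands, sees the challenge SMS and vetoes before 24h elapse."""
    line = Line("+15550100", require_sim_offline=True, last_seen=_t(0))
    out = [request_swap(line, _t(0.5))[0].value]    # SIM seen 30 min ago -> deny
    out.append(request_swap(line, _t(2))[0].value)  # 2h offline -> challenge, pending
    out.append(request_swap(line, _t(6))[0].value)  # still in grace period -> pending
    veto_swap(line, line.pending.token)             # owner lands and replies STOP
    out.append(request_swap(line, _t(30))[0].value) # deny even after 24h
    return out


def scenario_lost_phone() -> list[str]:
    """Owner loses the phone and cannot answer; the swap completes after 24h."""
    line = Line("+15550101", require_sim_offline=True, last_seen=_t(0))
    out = [request_swap(line, _t(3))[0].value]       # pending
    out.append(request_swap(line, _t(10))[0].value)  # pending
    out.append(request_swap(line, _t(28))[0].value)  # allow
    return out


def scenario_sim_lock() -> str:
    """The SIM lock flag blocks the request outright, regardless of who asks."""
    line = Line("+15550102", sim_lock=True)
    return request_swap(line, _t(0))[0].value
```

The lost-phone scenario is the trade-off the thread calls out: with no reachable current line the change simply waits out the grace period, so the delay you choose is the window you have to notice the notification.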
This has been going on for 5+ years, and there is an entire community behind this.
Typically, teenagers ranging from 14 - 19 will select targets, or “targs” to conduct a “Sim Swap” on.
Desired targets are often individuals with “rare” or “OG” handles on social media platforms, as they’re worth a lot of money. Or, individuals with large crypto wallets (Think: Coinbase, Binance, Etc)
I was initially pleased when I discovered T-Mobile itself supported using TOTP apps like Google Auth and then flabbergasted when I found you could not disable SMS 2FA even after enabling alternatives.
There has got to be some sort of two-man rule (https://en.wikipedia.org/wiki/Two-man_rule) integrated into the system that can't be bypassed by the people with authority to make changes to accounts. Otherwise any insider / careless spear-phishing victim will make the changes they want.
The article is vague. Is this "sim-swapping" physically replacing the SIM card in the customer's phone? Or entering the wrong IMSI into some T-Mobile database to change the association between IMSI and customer?
In a typical SIM swapping attack, the attacker will contact the Cellular Carrier (either in-person at a retail store, or by phone/online support), impersonating the victim and claim that they've lost their phone (including SIM) and that they need a new SIM for their account.
Carriers should have procedures in place to ensure that the identity of someone who presents themselves with this situation is verified, but it can often be bypassed.
In the case of the article, corrupt employees of the carrier are being bribed to bypass the ID and security checks that should take place in the above situation.
In other attacks, there are social engineering ways of bypassing the ID checks - such as claiming to be the victim of a robbery where both the phone and wallet were taken - so they don't have any ID, credit cards, or phone to prove who they are and that getting a new SIM would really help them out.
T-Mobile has a SIM lock feature that you can enable to block at least most employees from being able to swap your SIM. You can enable it in the account management app or website.
I was able to verify that it worked because an employee in a store literally could not transfer my SIM with it enabled. Their iPad app just gave an error of "customer has SIM lock enabled".
Interestingly the T-Mobile employee had never even heard of this feature, which suggests that basically no one uses it.
> Still, the biggest issue here is how this person (or multiple people) obtained the employee phone numbers. We’re not sure yet which employees are impacted, but based on comments online it seems at least a few third-party employees are affected, and we’ve independently confirmed current corporate employees have also received the message.
Sadly, the idea that phone numbers of people are private should be considered laughable at this point. There is LinkedIn, and even if you're not directly connected to someone it would be easy to correlate publicly available LinkedIn data to phone number data.
I'm curious how that feature works on the backend. If the premise is employees abusing internal access to fiddle account data, and the feature can be toggled on an account page, can't the insider abuse a password reset flow, toggle the setting off, then proceed as normal? I'm assuming that there's some "customer walks into store and needs to reset their password" functionality employees can access. Maybe a mandatory waiting period?
I had to deal with this recently. Basically, they put a hold on the account. The request is forwarded to another internal department for verification. Once verification is complete and the team determines the request is not fraudulent (asking for "verification pin" or "account password"), the request is forwarded to the appropriate tech team for further processing.
SMS and calling was blocked during that entire time (~24-36 hrs) since the backend teams are likely operating in offshore timezones.
Surely we are close to the point a fully self-service cell account is possible via secure portal? Choose to eliminate human customer service, expose portal to user with appropriate MFA access controls etc.
I guess what I'm asking for is a cellphone plan with no human customer service, similar to how there is basically no one I can call if I have a problem with a gmail account. Remove the source and the temptation of this attack in one go.
I appreciate not every customer would like or want this, but could be offered to more security conscious users as an option. It's not unheard of to get a discount for pre-paying or enabling auto-payments on cell plans around the world, perhaps you could even get a few bucks off a month for choosing to not have option to call a contact center too.
There's a service called 3Num where you can get a number controlled by a private key. No one else has access to your number/account. Only supports SMS messages currently though, it's not a full phone service.
Who would be stupid enough to commit a federal crime for $300? Doing this will leave a clear paper trail to the respective employee (I hope, if not that'd be disastrous) and the crime itself has a high likelihood of being reported.
To everyone pushing for a different 2FA method - what if I lose the 2FA device? Would it mean I won't be able to get into my bank account anymore? If not, then the method I could use to get my account back in that case could be the method that will be attacked..
If employees can be bribed, that's the problem.. there must be a human element somewhere, otherwise we'd have to be permanently locked out if we lose all 2FA devices
It's a good thing that this is finally becoming common. Hopefully it will put an end to SMS as 2nd factor and the registration by phone number epidemic.
> Sometimes, services may have SMS as the only option for two-factor. If this service is a bank or a crypto wallet, consider switching, because that isn’t great.
Most banks I've interacted with fit in this category, except for online only banks. If you need a bank with a local presence, switching might not be an option.
SIM swap attacks are the reason I do not use SMS 2FA. Everything has been switched to use software or hardware based MFA. Opting for "magic link" sign in where necessary. E-mail protected by one or more non-SMS MFA.
The only services that I use with SMS 2FA are honeypot accounts.
The easiest solution would be a two employee requirement with a 3rd remote in corporate office. In smaller stores at least one remote. Using a camera for live video that was installed and inspected by corporate.
Yeah but if you're not resorting to just hiring anyone off the street who can talk sales, you get fewer morons applying in the first place. Fewer morons, fewer people who might be willing to treat that "stand in a mall and upsell people" job like they'd do flipping burgers and snotting into the mayonnaise, or who need some "side hustle" cash just to make rent.
Pay peanuts and everyone and their dog will apply, pay appropriately and you'll get higher quality applications that you can afford to actually vet.
I need to find someone who can do this so I can get back into my Google account. I have the email, password and recovery email, but not the phone number.
I've heard of them off and on in the past, typically a Verizon employee requires a significantly higher payoff ($2000-3000) to get a SIM swap across, so they're generally a lot more expensive all around.
I feel the need to defend the use of SMS for 2FA (in limited cases).
SMS is actually a perfectly good channel for 2FA for most customers in most cases. Because most customers, most of the time, are not under a targeted or even semi-targeted attack. SMS 2FA protects quite well against large-scale brute force or credential stuffing attacks. If someone is checking 10k accounts against the 3 top passwords (yes, this is a very common attack type), those customers will be very well served by having SMS 2FA.
SMS is a terrible channel if anyone is trying to target you directly though, that's absolutely true.
edit: also, in case this wasn't clear - I'm not talking about any services that allow password reset through SMS alone - that's beyond idiotic, obviously.
While you are right, you're missing the real problem. SMS 2FA is a systemic threat vector for identity takeover. Buy out one employee for $20 and you have access to take over any one of millions of users. Additionally, the victim won't figure out there was an attack right away. And the attacker can live anywhere in the world.
If someone wants to rubber hose me, they have to physically come to my area and that doesn't scale except for high value targets. Tolerating SMS as 2FA is absurd with built-in passkey capabilities backed by biometrics/code built into a device you can buy for $100 and already carry with you 24/7.
>>>and that doesn't scale except for high value targets
Real-world activities (kidnapping, rubber hose, fingerprint stealing, whatever) aren't worth it for medium-value targets, true - but my point is that SIM swaps aren't either - for low-value targets.
From the article, they're offering $300 per - so the expected value from these specific compromised accounts must be more than that (I'd guess $1k min). This makes it pretty clear that if you're protecting accounts worth ~$50, SMS is probably "good enough". And for some users that's the right trade off.
My point is that SIM swaps are possible from the other side of the world and rubber hose isn't. The targetable base for remote SIM swap attacks is everyone from anywhere.
But isn't it the case that most sites will tell you if you pass a password check before hitting you with a SMS verification?
In that case I could see someone attempting a sim swap attack for accounts where they pass a password check for higher value stuff like primary email or anything that is probably linked to a spending account
That assumes the attacker even has the phone number - best practice is to not display the full number, just the last 4 (xxx-xxx-1234) - so again, for the typical case, the attacker isn't going to know what number to sim swap.
SMS is bad at protecting one account, it's good at protecting 10000.
The minnow security model is bad at protecting one fish, it's good at protecting 10000.
What would you say is an advantage unique to SMS that would be lost if text messages were switched to another model? I'm asking sincerely. There aren't many people arguing in favor of SMS here, so you seem like the right person to ask.
It's pretty simple - there are people who don't have smart phones, plus people who couldn't manage to install/use a TOTP app. Something like ~10% of users probably fit in that category. So either you offer them no protection (if 2FA is optional), no use of the service (if 2FA is mandatory), or ok-but-not-great protection (if you allow SMS).
(In reality, some users don't even have SMS (no cell phone) - so automated voice calls can be offered too. Those without any phone at all...will not be considered as valid customers, in most cases.)
Yeah, but say I am an attacker doing some kind of brute force password hack, and I have a certain number of successes.
Given the funnel there, it might well be worth it for me to put some energy into figuring out who the person at the other end of that account is. Phone numbers aren't secrets.
Yeah, agreed. But again I'm not arguing that SMS is the best second factor, I'm arguing that (used correctly) it's better than no second factor, which is what it's actually competing with in the real world.
Generally, I think services should offer TOTP, email, and SMS, and strongly encourage TOTP. But not offering SMS just means some segment of customers won't have a second factor at all.
> SMS is actually a perfectly good channel for 2FA
You might have different definitions of both "perfectly" and "good" than the researchers who found in every case with every major phone provider, the SIM could be stolen.
- We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap.
- We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers.
- We reverse-engineered the authentication policies of over 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.
- We found 17 websites on which user accounts can be compromised based on a SIM swap alone. After over 60 days since our disclosure, nine of these websites remain vulnerable in their default configuration.
You might have difficulty reading entire comments.
Yes, SMS 2FA will fail against a sophisticated and targeted attack. It is still drastically better than NO second factor, which is the actual comparison in the real world. There are people without smartphones. There are people without the ability to install/use a TOTP app. My aunt can either use SMS 2FA or nothing. SMS protects her pretty well against 95% of the types of attacks she's likely to face.
Which part of your comment do you think I failed to read?
Frankly, a secure password alone, with no second factor, is "drastically" better than a secure password with ability to change that password by SMS, as is frequently the case (a quarter of the time, per that research). So set up LastPass or 1Password for your aunt.
As for "protects her from 95% of the attacks she is likely to face", that's a number that doesn't jibe with my experiences as CTO of the second largest bank in the world.
Your claim is "Because most customers, most of the time, are not under a targeted or even semi-targeted attack."
On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.
>>Frankly, a secure password alone, with no second factor, is "drastically" better than a secure password with ability to change that password by SMS, as is frequently the case (a quarter of the time, per that research). So set up LastPass or 1Password for your aunt.
Obviously password resets shouldn't be possible by SMS alone, I never claimed otherwise. I'm talking about using SMS as a second factor - in addition to having the valid password.
>>As for "protects her from 95% of the attacks she is likely to face", that's a number that doesn't jive with my experiences as CTO of the second largest bank in the world.
In my experience, low-net-worth + technically unsophisticated users are mostly at risk from brute force attacks and/or credential stuffing, and SMS (as an actual second factor, not a "reset the password for free" button) is very effective at stopping that.
>>On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.
If your customers have phone number/username/password all leaked together...sure, I can believe that. Probably you should focus on preventing leaks of that size.
> If your customers have phone number/username/password all leaked together...sure, I can believe that. Probably you should focus on preventing leaks of that size.
A substantial proportion of your customers' email + password pairs have been leaked before they sign up with you. Email and phone are already paired from data brokers, you don't need the dump.
A majority of SaaS providers and banks fail to check for previously leaked creds. Many of the same ones that think SMS is "perfectly good".
Is your bank one of the ones that uses email addresses for usernames? Because that's a great way to make it much easier for attackers to match up leaked creds. Consider switching to a (chosen) username or card number or something. If your username is quickly matched to a phone number (or email address) it makes phishing (or account takeovers) much easier.
> On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.
Are you implying there's automated SIM swap attacks in the wild? Or, maybe you are saying SMS can be phished? I do agree SMS 2nd factor can be phished, but if phishing is the attack, password leaks are irrelevant since you usually phish both passwords and SMS 2nd factor together, so password leaks don't make any difference.
This is actually a pretty good comparison. It's like the $50 lock on your front door. A determined burglar can pick the lock or smash the window, no problem. But it's better than leaving the door unlocked.
So in summary, SMS-2FA is a great channel for people/use cases that don't actually need that much security/protection? I agree!
Actually, I don't. Even completely trivial things like coffee chain apps require SMS-based logins these days, and I hate it. One particularly idiotic one initially accepted my Google Voice number, only to lock it out for a subsequent login on a new device.
Phone numbers are a horrible user identifier. SMS is a horrible authentication mechanism. The entire industry has regressed from the bad combo of email + password to something almost universally worse in a matter of years, and it's incredibly frustrating.
The only saving grace is that SMS are quite expensive in some countries, so companies there have an incentive to not actually send them out if they can at all avoid it. Unfortunately they're effectively free in the US.
> I'm not talking about any services that allow password reset through SMS alone - that's beyond idiotic, obviously.
Twitter allows this, it's been a security flaw for years they've never fixed, and it's possible even if you have non-sms 2FA enabled! If you have a phone number on your Twitter account you should definitely remove it.
Quite a few high profile very security conscious people (e.g. Vitalik Buterin) have had their accounts hacked because of this.
> First and foremost, if you use any services online that have two-factor authentication, be sure it is not SMS-based. Use an app like Google Authenticator or Authy for this purpose instead.
It's really disappointing that in 2024, this is the "right" guidance to give, but we still know there's a whole lot of really important stuff that still uses SMS for 2-factor authentication.
Half the time, even if a service supports authenticator app 2FA and not just SMS, all it takes is just clicking “use another method” on the 2FA page, and it defaults to SMS-based 2FA anyway. And it would still require a phone number when registering, so there is no way to avoid that fallback anyway. Borderline useless.
The services require a phone number not because it adds security, but because it is a monetary challenge for scammers. If a service allows for multiple 2FA types it usually demands SMS for the initial setup, but once that is done you can remove your phone number to force it to switch to TOTP or a token. It's generally a good idea to not have your phone number stored in a zillion websites anyway, every copy is just another vulnerability for hackers to exploit when they knock over that service.
That’s totally fine, I am not against services requiring phone numbers during registration. I am just against those services allowing SMS to be used as an easy 2FA fallback when an app-based 2FA is enabled. Because doing so makes app-based 2FA kinda useless.
I agree with your points, it just feels insanely rare to see a service utilizing the phone number requirement for registration the proper way (i.e., the way you describe).
> That’s totally fine, I am not against services requiring phone numbers during registration.
I am completely opposed to services having any PII (Personal Identifiable Information) beyond an email address because the dumbass services keep my PII and then lose it when they get hacked.
If I can go collect a million dollars from a company that loses my PII, I'd let them collect it. Since I can't, my best option is to refuse.
If you want to verify, take a credit card number. At least I can cancel and change that when some dumbass gets hacked and loses it.
> It's generally a good idea to not have your phone number stored in a zillion websites anyway, every copy is just another vulnerability for hackers to exploit when they knock over that service.
Are you relatively confident that these sites actually delete removed phone numbers?
Every freaking time I get a new phone I forget the step of porting my authenticator keys. Wow, is it ever a drag trying to set them up again. Often, you need to do zoom calls to verify your identity. Takes days. This is the type of thing that will push almost everyone towards SMS. Also, it's easy for users and developers, and no one needs to learn anything. Solves these issues and we are good to go.
Google Authenticator makes it very unclear to average users how you back up or transfer stuff to other devices. Sites that support Google Auth are gonna have to deal with lots of locked-out users trying to recover access, which can negatively impact security.
If anything hopes to replace SMS, it needs to be as user-friendly as SMS.
Google auth is not the only authenticator that supports TOTP. Any time a site tells you to use google authenticator you should be using a better service like 1password, bitwarden, lastpass, etc... to scan the QR code and store the TOTP code.
I'm flabbergasted every time I switch jobs and some jamook in IT or Security says we have to use Google Authenticator and that other authenticators aren't allowed. Then there are constant lockout events generating tickets for those teams when people delete the app or get new phones.
Indeed I was once ordered to implement oauth but keep the email password reset because too many people would get locked out otherwise. And I almost locked myself out while testing.
It doesn't have to be Google Auth, it can be any 2FA app (1password, Bitwarden, Authy, Microsoft Auth), whatever. It's just a safer way to do 2FA than SMS.
Google Auth is just one of the earlier popular apps, so it's a common example. It kinda sucks though, cuz if you lose your phone you have to reset all your 2FAs.
I just have a visceral reaction every time I see "SMS" anywhere. It's a garbage human verification method (hello boxes of SIM cards available in [certain markets] for spare change), it's a garbage 2FA mechanism (especially when it's the only one). It's a garbage platform through and through. I don't care if I burn karma here, it's the worst technology that I'm forced to use on a regular basis. And I hate seeing it defended and used in new places.
s/garbage/[stronger words]/g
I mean, it's not quite as cheap, but even now I can provision fungible, resellable eSIMs, non-wholesale, for less than $5. Throw a little HS + acceptxmr, sit in front of Airalo/holaSIM/etc, or just figure out who their upstreams are. It's all a complete and utter farce.
There's a very simple solution which is to centralize the process. Banks learned this decades ago. It's why your teller can't do anything that an ATM machine can't do anymore.
What do you mean? Sometimes when I forget my ATM card, I go to the teller, who can help me after checking my photo ID and maybe some security questions.
Right, but they still can't do anything you wouldn't be able to achieve over the phone with the centralized support line. Maybe verifying your identity for a cash withdrawal, but that still requires knowing the same secrets you'd need to just replace the card. The branch employee has no more access to your account than you do.
But isn't that kinda the crux of it? If I can withdraw cash by presenting a photo ID instead of using my 2FA online, it is both more convenient for me as an end-user and also less secure (opens the account up to social engineering, fake IDs, etc.).
Similarly, some 2FA implementations allow human support agents to manually reset the 2FA, sometimes making that the weakest link.
The ruthless alternative is "If you lose your 2FA, you lose your entire account and there's nothing we can do about it". I've rarely seen that implemented in normal apps.
Yeah, I was thinking at the very least changing SIM assignment, given the huge target this is for bad guys, should require confirmation by at least 2 unrelated employees.
Yeah this has been a thing since 2012ish and became more popular around 2016/17. Brian Krebs has documented this for the past 8 years. No new news here.
If you are a SaaS provider or bank, and you let password resets happen by SMS, you are a threat to your customers.
Stop doing this.
First, and a no brainer: offer "continue with ____" sign ins (OpenID Connect / OIDC) for users of Google, O365, Apple, to get out of the account creds business for most users.* (See also: passkeys.)
Second, prefer TOTP as the MFA, not SMS.
Third, if you absolutely have to do SMS for some dark pattern "harvest my customers' phones" reason, use it exclusively as a second step, never as an only factor.
* For most customer firms using M365 or Google accounts, if you couple accepting OIDC with a domain validation to the customer's email address, you don't have to do SSO/SAML, since OpenID Connect + domain accomplishes roughly similar goals on both sides without the per-client-company configuration overhead or "SSO tax": https://sso.tax/
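The "OIDC plus domain validation" gate in the footnote above, written out as an added example (my code, not the commenter's and not any library's API). It assumes a standard OIDC library has already verified the ID token's signature against the provider's JWKS, checked `aud` and `exp`, and handed back the claims; the `verified_domains` set, `TRUSTED_ISSUERS` and the sample claims are constructed for illustration. The one real provider-specific detail used is Google's `hd` (hosted domain) claim.

```python
# Assumed already done by an OIDC library: JWKS signature check, aud == our client id,
# exp not passed. This function only performs the domain-gating step.
TRUSTED_ISSUERS = {"https://accounts.google.com"}  # extend per provider you accept


def federated_login_allowed(claims: dict, verified_domains: set) -> tuple:
    """Return (allowed, reason).

    `verified_domains` are domains the customer proved ownership of at onboarding
    (DNS TXT record, email round-trip, etc.). A Google/Microsoft login is accepted
    for that customer only if the IdP-verified email sits in one of those domains.
    """
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    # Without email_verified, some providers relay whatever address the user typed.
    if claims.get("email_verified") is not True:
        return False, "email not verified by IdP"
    email = claims.get("email", "")
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed email claim"
    domain = domain.lower()
    if domain not in {d.lower() for d in verified_domains}:
        return False, "email domain not verified for this customer"
    # Google Workspace tokens carry `hd`; when present it must agree with the email domain.
    hd = claims.get("hd")
    if hd is not None and hd.lower() != domain:
        return False, "hd claim does not match email domain"
    return True, "ok"


def account_key(claims: dict) -> str:
    """Link local accounts on the stable (iss, sub) pair, never on the mutable email."""
    return f"{claims['iss']}|{claims['sub']}"


# Constructed sample claims; not a real token.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "example-client-id",
    "sub": "constructed-sub-0001",
    "email": "dana@customer.example",
    "email_verified": True,
    "hd": "customer.example",
}

if __name__ == "__main__":
    print(federated_login_allowed(SAMPLE_CLAIMS, {"customer.example"}))
    print(federated_login_allowed(SAMPLE_CLAIMS, {"other.example"}))
```

The domain check is what stands in for per-customer SSO configuration: the customer proves the domain once, and every verified account in that domain can sign in. Keying the local account on `(iss, sub)` rather than the email address matters because the IdP can reassign an email address to a different person.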
It is absolutely not a no-brainer to use Google/etc accounts instead of handling that oneself. The last thing we need is an Internet which is unusable to anyone who chooses not to have (or gets banned by) big tech companies. I myself refuse to use the federated login option because I value the ability to not tie my entire life to my Google account.
I'm pretty sure you didn't have the "for most users" qualification when I first replied. I may be mistaken, but I don't remember seeing it at any rate.
there are plenty of options for 2 factor apps that don't require login. in fact, even Google's authenticator app does not require you to login. you can use it locally and store the codes locally.
> if you absolutely have to do SMS for some dark pattern "harvest my customers' phones"
I had a bank that asked for my phone number when I signed up, and I gave them a landline number that is not capable of receiving SMS. Some years later, without any input or authorization from me, they decided to enable 2-factor using this landline number. It was super annoying.
My other bank accepts Yubikey. I wish more banks would do this.
> First, and a no brainer: offer "continue with ____" sign ins (OpenID Connect / OIDC) for users of Google, O365, Apple, to get out of the account creds business for most users.* (See also: passkeys.)
Thanks but no thanks, the last thing I want is for Google to be in the chain for something as vital as banking. One false signal in Google's AI model and you're permanently fucked. Or someone compromising the email account (not just credential stuffing but e.g. cookie theft).
> Second, prefer TOTP as the MFA, not SMS.
People loathe app-based (or, even worse, RSA token-style) OTP, especially if they lose their phone or it becomes permanently damaged: you're fucked unless you made a backup.
SMS in contrast? Even your 80-year-old grandma can use that, and most common failure modes (i.e. stuff requiring support from you) are handled by the telco.
If you use SSO for a consumer account, you still need to provide a way to reset the account when the identity account is no longer available. That reset path is still most likely the weakest link. Not to mention that some of the identity providers will allow reset with only SMS, and once someone gets in there, now they're in everywhere.
I still like it for corp SSO though; you can force corp accounts to SSO only with no recovery, and you can force the corp account recovery to be difficult.
My bank offers 3 choices for MFA; not sure which of #1 and #2 is more secure:
1. Password + SMS one-time-password
2. 4-digit pin + 6-digit TOTP
3. No MFA
They do, at least, offer the option of disabling automatic password-resets via SMS code, but I know from experience that you can authenticate yourself to a CS rep with just name, SSN, and a SMS code, and presumably a CS rep can reset your password.
Not until I can backup a passkey without Apple or Google acting as the steward. I need a system where I know that if my phone is lost, I can restart my digital identity without a tech giant.
I have mine in Bitwarden but I didn't think carefully through this, I just used what I had. It looks like Vaultwarden hasn't yet added support so you can't rehost without Bitwarden but you don't need Apple or Google.
The alternative is to educate the users. People use SMS because they've been coerced into believing it is secure, and had the wool pulled over their eyes for $reasonsToGetYourData.
Educate me please, if I value availability, are there any options better than SMS?
OIDC means your digital life is destroyed if Google ever decides to ban you. And they are well known to do so, and there is normally no recourse once you are banned. You have to be either brave or stupid to trust your security to tech giants.
Passkeys, TOTP are vulnerable to your device getting lost or broken, something that can also happen a lot.
Sadly, if you want things to work no matter what, SMS are your best bet.
Ok, I honestly don't know—is there a way to use this to secure access to an account generally, without having access to the password? I.e. do authentication providers use phone as a sole method of identity verification for any major service?
Honestly even TOTP is negligent to support at this point.
TOTP is phishable, and the root secrets are stored in most TOTP apps (including Google Authenticator) in plain text, usually in SQLite, because almost no enclaves support the TOTP algorithm.
The only hardware devices that -do- support TOTP like Yubikeys or Nitrokeys also support WebAuthn in which case just use that.
A hard requirement of Virtual Passkeys and hardware WebAuthn devices should be a bare minimum for auth security in 2024.
Passwords and one time codes are phishable 90s solutions to the problem and it is nuts they still are so dominant.
TOTP is a compromise, like everything in security, and one that’s fairly secure. Until we reach a point where hardware tokens or virtual passkeys become mainstream (and their related usability issues are addressed), we will be stuck with the “something you have” factor needing to temporarily move into the “something you know” factor via the TOTP. The fact this expires within 30 seconds makes the attack vector more limited. Also, unlike an SMS code that providers use to verify you while on the phone with them, you never give this code out (found on a separate app) to a person on the phone, which helps separate this particular factor from SMS.
The truth is that, while they offer superior security, hardware tokens and virtual passkeys are not accessible to the masses one way or another. This is a problem that should eventually be solved, but nearly all prior attempts cannot supplant the ubiquity of passwords.
Passkeys are easier to use, harder to lose, and more secure than TOTP or passwords in every way. If you have a web browser from the last couple years you can use a passkey.
You do not often get a win that clear in security. It is a no brainer to mandate for users today, and stop wasting customer support hours on dealing with accounts compromised by phishing.
It's funny how you can't work for a secure government agency if you can't get clearance, and that a primary litmus test for clearance is how much debt you are in (AKA how easy you are to bribe). But then for huge swaths of our infrastructure we have privatized it and left it in the hands of minimum wage employees who probably have auto and student debt and can be bribed for pittances.
Login.gov is a thing (and over 300 federal agencies use it as their idp as of this comment). USPS provided identity proofing in person for it. All federal gov agencies are moving towards it. The "right" way would be a national smart card ID system like Estonia has (built on cryptographic primitives), but you have a cohort of crazies who think it's the "mark of the beast" and other wild tales. So, we walk when we could run. This problem is at the people/policy OSI layer.
The Defense Dept already does this: CAC/common access cards [1]. Create a civilian root and do it already. A PIV/CAC can also be used as an auth factor with Login.gov [2].
[2] https://www.login.gov/help/get-started/authentication-method... (Physical PIV (personal identity verification) cards or CACs (common access cards) are secure options for federal government employees and military personnel. These cards, with encrypted chip technology, are resistant to phishing and difficult to hack if stolen.)
what bothers me the most about unfalsifiable predictions is that their predictive quality can only be retroactively applied, undermining its ability to be predictive at all
it relies on total ignorance of everything prior that fit, and other catastrophes that also looked like the “end times”
how was world war I not? everyone dying of mustard gas followed by famine, plague.
world war II?
the year 536?
other maladies in other countries? for many people it was the end time because their entire family and culture were killed and wiped out
I wonder if America will shake its Evangelical death cult. People are becoming unaffiliated with religion here but I feel like the mysticism is ingrained into the culture either way for another generation or two
Talking about it being the "mark of the beast" is a strawman. What you should talk about instead to win support among those same groups of people is to explain how it isn't/wouldn't be a means of government abuse. They're worried about it backdooring personal financial freedom the same way you would worry about the government backdooring encryption.
I love me some ID.me and think every bank and financial institution should be required to use it. It goes so far beyond to do good multi-factor auth and even accounts for the un-homed and un-phoned in their multifactor. Thousands of people can't bank or use many services because they can't get a phone number, but they can use id.me at a library or other public computer with few issues just having an old offline phone running an authenticator.
ID.me is a for profit private provider of identity proofing services. Login.gov is provided by the US General Services Administration. All federal agencies are moving to Login.gov. IRS is one of the last digital services that will move. There were some congressional hearings on ID.me, due to distorting the truth.
This is a tired argument. If you want better governance, it's a political problem, not a tech problem. "Papers Please" exists today due to a lack of law enforcement oversight and current statute [1]. A properly functioning national ID system and infrastructure doesn't change that.
The databases already exist [2] [3] [4] [5]; because you do not have the physical card does not mean you don't live this reality today. On the contrary, you already don't have the privacy you think you have, without any of the quality of life improvements a national ID card would provide.
> CBP has successfully implemented facial biometrics into the entry processes at all international airports, known as Simplified Arrival, and into the exit processes at 49 airport locations. CBP also expanded facial biometrics at 39 seaports and all pedestrian lanes at both Southwest Border and the Northern Border ports of entry.
> To date, CBP has processed more than 490 million travelers using biometric facial comparison technology and prevented more than 1,900 impostors from entry to the U.S.
Unfortunately that was literally true from the beginning. Much of the US Constitution is devoted to separation of powers. But the powers are so separated that it's practically impossible to do anything. Our checks and balances are badly overbalanced.
The government persists because the executive branch takes a lot on itself. The Supreme Court is currently deciding that this may be too much overreach, and the government will grind completely to a halt.
> a primary litmus test for clearance is how much debt you are in
As someone on the outside, I'm curious if that's true. I've never applied for clearance but I was always under the impression that it was more about how many people could vouch for you. Is it true that it actually just comes down to your bank account?
You can read clearance hearing/appeal decisions for contractors[1] to see some of what goes into it. On the money part specifically it’s less the raw status of your bank account and more how you’re handling debt and delinquency if at all.
On a topical note, a not-uncommon issue is failing to pay income tax or file a tax return :p the result of those appeals depended on if and how the appellant tried to resolve that.
There are a handful of key litmus tests that are part of the background check: if you are/were a felon, if you lie at all during the check, if you are in extreme debt, if they find public record of you being anti-American, if you fail a drug test.
These all come up during the screening interviews of your peers, family, and coworkers. I have done about a half dozen or so of these for former peers, friends, and colleagues who have moved on to do public sector or join private military companies that needed clearance.
I lost my phone a few weeks back and was astonished that I was able to go into T-Mobile and get my number switched to my new phone without showing any ID.
I had the ability to swap numbers for 3 carriers as a minimum wage paid Radio Shack employee.
It was just a web form with a few boxes to fill out based on customer provided info followed by enter.
Even when ID is checked, a decent fake ID is like $50 these days, and grants access to wealthy bank accounts.
At the time we were heavily incentivized to speed run anything that did not generate a commission so checking ID carefully if at all was not high on our list of priorities.
Americans like to believe they live in a high trust society. That must be why things like this are even possible. It brings convenience (and I guess profit, as time is money) but the trust required is very high.
My bank took away the ability to do 2FA via email and is phone-only now. At least with the typical Gmail/equivalent account you have the option of making that less vulnerable to social engineering and outright bribes.
I think the popularity of phone numbers is not because it’s a good auth factor but because it is a little more work to Sybil flood with generated identities, compared to say email. So it’s not for our security exactly, but more for the company’s anti-abuse systems, and maybe the marketing department that loves hoarding phone numbers. That it works as a second factor is just a “happy” coincidence.
Which in turn annoys me to no end given that phone numbers are regional. Having no access to banks when moving, let alone traveling, to an area with no cell service or a different country, is infuriating. It’s like “what’s your mother’s maiden name” all over again.
SMS 2FA is one thing. Bad, but ineffective. SMS-based account recovery is far worse. Every time a major website asks me for a phone number "in case you lose access to your email account" I freak out internally before ensuring I never enter it.
Right. The SMS 2FA risk is overstated IMO - at worst it makes it as insecure as password-only, and at best it creates a roadblock for attackers that can be significant for locked SIMs.
But SMS account recovery is definitely opening the door to attack.
SMS-based OTP has been known to be an unreliable way to authenticate someone because of exactly this type of social engineering hack.
All software providers and the industry should ban SMS-based OTPs as a standard practice. Either leapfrog to a passkey implementation or just use time-based OTPs.
Maybe organizations in charge of cybersecurity compliance frameworks? We'd see a lot of companies drop SMS 2FA pretty quickly if it became a requirement to maintain their SOC compliance.
I don't think we need a complete sweeping ban to get it to largely fall out of use, just a critical mass to drop it so it's no longer defensible as an industry standard
Sure, but please let the takeaway here not be "the employees of Con Edison, PG&E, National Grid etc. need to be paid and vetted like bank tellers, then it'll all be good".
The intrinsic overlap of incentives and strengths between utility providers and identity verification organizations (whether private or public) is minimal, and I suspect extrinsically forcing them into that role can't end well either.
Well paid politicians do everything to get reelected rather than doing everything to increase general welfare.
Also as others have commented, even well paid people do shady things. TFA isn't an endorsement of higher wages, it's a denouncement of our terrible collective security and authentication protocols.
> Well paid politicians do everything to get reelected rather than doing everything to increase general welfare.
Yes. Parent comment is literally completely backwards - we've seen from Wall Street that paying people extremely well leads to corruption.
High pay has the opposite effect. Things that work include oversight, transparency, audit logs, removal of human processes, active anti-corruption investigation, and the like.
What you're observing is the climbing-the-ladder effect of absent regulation. Social economics has already identified that people only care about relativistic wealth, so a business industry surrounded by greed will, of course, produce more greed.
Slap some actual consequences and you'll see better results.
I know everybody says how bad SMS 2FA is, and how we should replace it with the next cool thing $BIGCORP invented (thus requiring you to have an account with them, which only defers the problem).
But couldn't we pressure the telecoms to improve it?
I have an idea that would make SIM swaps way harder to execute. Namely, a website that wants to authenticate you should be able to query the telecom for some kind of SIM card ID. This would happen before sending a 2FA code.
With such a feature it would be easy to store the SIM card ID in a database when enrolling the phone number. Later, when the user tries to authenticate and the ID does not match what was saved before, the account is locked out. For enterprise accounts you would need to explain yourself to IT, and for personal accounts a fallback 2FA would have to be used. Alternatively the authentication would be delayed for a few days to give the legitimate owner of the SIM card time to react.
Another thing that could be added on top of this is to send an SMS to the old "inactive" SIM, alerting the original owner of the attack.
EDIT: To add to this, here are some advantages of SMS 2FA over time-based OTP or passkeys:
1. My grandma can use it with her dumb phone and poor digital skills.
2. Your SIM card will most likely survive if your phone is destroyed due to water or physical damage. (Sadly not true for eSIM)
3. You can dictate an SMS/OTP code over the phone, or forward it to somebody you trust.
4. Banks can append a short description of what you are currently authorizing. It can tip you off in case your computer is infected with malware, or you are victim to one of those TeamViewer scams.
I think this is conceptually wrong from a layering perspective because you're punching through the abstraction and making it leaky on purpose. This just moves the problem down one layer in the stack - there will be legitimate new use cases for “SIM card ID spoofing” and then we’re back to square one. Also from a usability standpoint, “getting a new phone” is precisely the wrong time to lock users out of their accounts.
A perfect analogy would be trying to implement security with mac addresses but applied to internet. It just makes a mess of an abstraction layer and then you have to rebuild it because those abstractions were useful (mac address spoofing has legitimate uses because mac addresses were used for security and then people realized they needed to be able to transparently swap things out)
In your scheme, how do I transfer money from my bank after my phone is stolen and I need to get a new phone without access to the original sim? Or access my email?
If that’s just impossible, how do I fix the issue? A “fallback 2FA” what is that exactly?
Probably one time use recovery codes you are supposed to print and keep in a safe place. In case of a bank this could also mean a trip to the nearest branch for ID verification.
The same issue you mentioned applies to other 2FA methods. Your TOTP codes and passkeys also live on your phone, Yubikeys can be stolen too.