I assume companies don’t give the option for TOTP and require phone numbers to identify their users to collect more precise data about them, for possible advertising revenue.
If we want to authenticate a user, what is the best way to do it?
best: a great balance between convenience, security and cost.
Lately, it bothers that we cannot be sure that we are interacting with real people or the people that we are interacting with are not the same people with different accounts.
You should certainly be able to tell that the person controlling an account is its rightful owner, but it's not obvious to me that you should be able to tell that 2 accounts are controlled by the same owner.
If I have 2 accounts, and you can tell that they're both me, doesn't that compromise my privacy?
Authenticate a user as _what_ / _who_ ? That's the most important question you need to figure out the answer to before setting off on this journey.
If I "authenticate" a $1 postcard of the Mona Lisa, does that mean it's the real Mona Lisa? A real postcard? Really worth a dollar? Really a physical object that exists?
In some cases the account officially belongs to a company so the real person is only an agent in any case.
Also there are attorneys: a real person acting on behalf of a different real person. Currently many financial institutions seem to be unable to cope with this situation. When talking to a call centre, in practice it's much easier, and probably not illegal, for you to impersonate the person you're representing rather than attempt to explain the actual legal situation to the confused employee in Bangalore.
Don't save your TOTP codes in your password manager if you are going for the "best" security.
That turns multi-factor auth back into "single factor auth" and leaves you one exploit away from having your password and TOTP code from getting stolen.
The setup string which generates the time codes is basically a second password. If something can read that setup string, they can generate their own TOTP codes for your account whenever they want.
I've done a piss poor job of describing it, but the way TOTP works is there is a "setup code" or a setup "string". Often in a QR code format.
That string is all that is needed to generate all of the TOTP codes forever. So while the TOTP code that you type is different every minute, it's generated by doing some math on the setup string and the current time.
Some password managers (like 1Password) allow you to have them generate your TOTP codes by putting in your setup string into them (often using the exact same process you would do to setup your TOTP codes in an app). But i'm saying that's not a good idea if you are going for "most secure", because at that point if something were to somehow exploit your password manager, they will not only get your username and password, but will have that setup string as well so they can generate their own TOTP codes for you.
The main benefit behind TOTP is that you can tie its value creation to a second factor, such as something you own like a device (instead of something you know like a password).
It’s arguable that you’re removing that second factor when you store the parameters needed to create the TOTP in the same place as you store your passwords.
I store my TOTP in 1Password... I think it's still more secure than SMS (because to restore 1Password vault you also need a Secret, not only your password) and so much more convenient than a separate app, because 1Password auto-copies the TOTP code to your clipboard after filling form fields, making signing in a very smooth experience.
It is a security tradeoff that I take for most of my accounts. For a few that a much more sensitive I use a Yubikey.
And that's fine IMO as long as you know you are making a tradeoff.
But unless you have your 1Password setup to need the secret every time you go to have it fill in the password, the seed string is in memory unencrypted along with your passwords (or more specifically, it's stored in a way that it can be decrypted by the app/extension on it's own). That makes it one spectre/meltdown style exploit away from getting everything needed to login to the account.
Still, if that system works for you, then good! having any 2fa (even SMS) is better than nothing, storing TOTP codes in a password manager is better than SMS, storing them in a seperate device is better still, and U2F keys are even better still.
Like anything it's a gradient of tradeoffs, but I've seen too many people go from Google Authenticator to 1Password in an attempt to further secure their account, and I just like to point out that there's a good chance it's doing the opposite.
WebAuthn/U2F security keys. No MITM, phishing or duplication possible. Register more than one per account in case the physical key breaks, keep one in a secure place.
The most secure alternative, which should be the choice for anyone who actually cares, and an option anywhere that thinks _any_ of their users might care is WebAuthn (U2F is roughly the same thing but obsolete, no reason to deploy more of it)
WebAuthn uses FIDO Security keys, relatively cheap USB or Bluetooth devices or sometimes just a built-in feature of a smartphone, to authenticate. They are Something-You-Have, but the WebAuthn protocol also offers:
* Optionally a mode where you give the FIDO key a PIN (Something-You-Know) or biometric input (Something-You-Are) to do all the authentication locally
* Phishing proof - there's no decision about whether this is really your bank. WebAuthn is completely happy to log you into https://fake.bank.phishingsite.example/ but the credentials are useless to the crooks who own that site because they won't work on https://your.actual.bank.example/ even if the crooks got the logo just exactly right and wrote a very convincing pleading email from your bank saying they definitely need you to go to the fake bank site.
With all of these, you're often kicking the vulnerability down to the enrollment step. You've still got to find a way of assigning the authentication device/key generator to the users account in a secure way and dealing with losing the device.
My bank uses an app, Symantec VIP, to generate a 6 digit code.
This works on vacation when I can't receive SMS. It was much cheaper to buy a 4G SIM in Barcelona (for Google Maps etc) than enable international roaming from Australia ($AU5/day).
Unfortunately the EU regulation mandating 2FA[1] is only just starting to be adopted by the banks, in the UK at least. And they're doing it using SMS codes[2].
2FA has always been a requirement in my country, as far as I remember all the way from the start. The new EU legislation made things worse: one-time pad paper key list isn't accepted any more. My second factor now needs to be my phone (app or SMS).
The written list of one-time passwords (not a "pad" the One Time Pad is a specific crypto design that largely exists to compare things to rather than as a practical gizmo) fails the requirement in 2018/389 because it doesn't end up verifying the specific transaction.
Suppose you have password '47BF-38AP-3M99' on the list. You get a plausible email from your friend Barry saying he needs €40 urgently. You send €40 using that password and instructions Barry gave about some web site for transferring money.
Oops. That wasn't Barry, crooks used Barry's email account to send the message and the €40 transfer turns out to have been a transaction to empty your account of €5830.26 but '47BF-38AP-3M99' was correct so the bank OK'd it.
The regulation aims to arrange that the second factor involves the transaction value 5830.26 which is weird for you because you are trying to send Barry €40. You would probably realise something is wrong when typing 5830.26 into an authenticator, or else, the crooks only get €40 which is a bad pay-off for such a sophisticated attack.
My good bank gave me a weird chiclet keypad device years ago that I have to type stuff into while doing online transactions. So I'd have to type the amount into that device. It whitelists certain actions, so if I keep sending Barry money, I think I don't have to type the amount in every time or something.
The EU rules definitely don't forbid your bank doing something better here, but I can see that the way that bank chose to implement them hasn't helped you which sucks.
Thanks for the in-depth explanation. My reaction has maybe been a bit knee-jerk, it's not like this is a major annoyance. The attack scenario is quite convoluted with needing both access to the account and a phishing attack for the one-time key, but I suppose it is plausible. At the same time this does open users to new attack vectors though, especially with SMS.
Any idea what the keypad device is called? Are you expected to carry it with you at all times? Is that feasible? Is there some sort of threshold for its use? For example, transactions under $X, even if fraudulent, might not be worth the inconvenience to the customer of having to go through the extra steps.
If you don’t mind my asking, is your banking institution geared towards HNW clients? The amount verification sounds very similar to what most banks in the US do for inter-bank transactions but I’ve never heard of something like that implemented on a bank account from the consumer’s side.
The device claims to be a "Vasco DigiPass". It has lots of other identifying marks but those might be secret (even if they weren't supposed to be, disclosing them might inadvertently reveal a secret)
I am not required to carry it, but my understanding is that most features of my online banking don't work if I tell the system I don't have it with me. I store it with other valuable identity items like my birth certificate in my home, I do not take it with me when I travel.
This bank offers excellent 24/7 phone service, if I was away from home I would call them if I needed anything. All conceivable transactions can be concluded by phone, indeed I've mentioned to HN before that it turns out very high value financial transactions (literally buying a home in my case) can't be done online at all. The web site just tells me to call them instead to complete the transaction.
The institution is not especially geared to High Net Worth individuals, but it doesn't offer any products geared to people focused on being thrifty/ economical. It doesn't offer zero fee current account banking, it doesn't pay great interest on savings, it doesn't have "cash back" features on credit cards, it's just a very well run bank. If I needed £10 more than I need a bank I can rely on, I would leave.
While companies definitely need to move away from SMS two factor it’s so entrenched (and simple) that more is needed.
The government agencies that setup the mobile number portability system need to realise the seriousness of this flaw and allow a “Never transfer my Number” flag to be set in their databases. Until then even the lowest rung service desk agent at any telco has the ability to transfer numbers. A system like that can never be secure.
Or do it like Turkey, and require central clearance with physical SIM replacement (this is required both for ownership and porting transfers). One of the few things we got right.
I'd say it's pretty simple then: you can't transfer your number and just need to get a new one.
I mean at some point you have to draw a line; losing your password and resetting it via email is already a pretty gracious thing, and most support desks will help you beyond the default password reset as well if necessary.
But at some point you have to draw a line - key's lost? Access is lost.
I think this is going too far. It's easy to lose your SIM - in particular, whenever you lose your phone (you left it somewhere, it fell into a river, etc.).
Why not just require that if you don't have your old SIM on you, you have to jump through extra hoops involving physically showing government-issued documents and otherwise leaving enough paper trail for the police to find and jail you if it turns out you were a fraud?
The last time I got my SIM reissued (the old one was too big for my new phone), I had the old SIM with me and I still had to show government-issued documents matching the registered SIM owner.
That still doesn’t help. Who are you showing your physical ID to? The store clerk at the carrier store? There have been cases where the clerk was in on the fraud.
That kinda ruins the main utility of the system for most people. People aren't switching service providers often or SIM sizes at all these days (the latter especially with larger SIMs just being the same nanoSIM but with an adapter of sorts around it).
For the average person, the best utility of it is being able to retain your number on losing your device. Usually you aren't expecting to lose your device, so imagine how much more complicated everything gets when not only do you have to worry about getting a new one unexpectedly, but then also have to get a new number, inform everyone you know about that, and then update all your accounts.
All of that just to protect people from being targeted by fraud that is not only very unlikely to happen to them unless they're well known, but is also better resolved by making authentication systems smarter.
That's ridiculous to suggest as a solution and that's why it won't be adopted. Better to work on an alternative solution that has a better chance of adoption.
I would so much rather lose my twitter account where:
a) I don't use twitter, so it's a loss of minimal proportions
b) It's twitter's fault and easily prevented by them
Sure, a) won't be applicable to all services because there are services I actually use that my life revolves around. However, the only service I can think of that would disrupt more of my life than losing my phone number is verified 2FA secured and does not have this vulnerability.
I would actively avoid a carrier that promotes this policy and think it's naive to assert that it's even remotely viable.
I feel like a time delay would help with this too. If it takes an extra 24 hours and you get notifications by SMS and email during that period with the chance to call "fraud" it stops most of these attacks which take control of e-mail and phone simultaneously.
I get that makes life much more difficult when you are travelling and have your phone (and therefore SIM) stolen, but given the severity of the current issues it seems minimal disruption. You get a burner phone for 24 hours?
You get a new SIM instantly, but it has a temporary number. Then you get notifications via SMS on your old SIM, you usually get a call from your old carrier trying to get you to stay, offering discounts and shit. Then after 7-14 days the new SIM gets the old number and the old SIM stops working.
The U.S. system sounds horrifically irresponsible.
// Replacement with the same carrier is quick, but requires physical presence with government ID (passport)
Same in Turkey (takes 2-6 days), but you get your replacement SIM after the transfer is cleared, you still use your old carrier and SIM during porting porting. Old one simply gets inoperable by a remote command.
It could be done remotely but only if the store had signed off that ID had been viewed and the port confirmed in person. Of course this could be gamed but an employee would need to put their name on the line to say they had met the person and viewed the ID
We have a <major us carrier> rep (as a business customer) and he will port our lines and change SIMs for me based on an email. However I noticed the last time I initiated one of these requests there was a confirmation step that involved an email sent to me with a URL I had to click to approve. From memory I don't believe that URL needed authentication so the email was a bearer instrument. An attacker would need to both fake my outgoing email (easy) and also intercept incoming email (not so easy). There was also a confirmation email sent advising that the request had been approved and processed.
I can imagine however that an admin at a reasonably large business would receive several of these emails per day and may just reflexively click on them all. Note these emails are sent to the business account admin, not the end-user. I happen to be both so can see both sides of the process.
Edit: I should also add that I have never met this rep and so he has definitely not looked at my government ID. The process is secured only by receipt of email.
This seems like the best solution. Introduce an opt-in security feature, whereby any attempt to port the number, or swap sims, is subject to a ~72h cooldown period. During that period, notify the account holder through numerous communication channels of the pending change.
Yup. Authy does a good job of this if you need to reset your access. They (automatically) harass the shit out of you for 24h before doing it. I think I got 10+ calls/texts plus emails.
The Swedish solution for physical address change (yes, we all must be registered at an address which is then used for everything formal) is to lock it using Mobile Bank ID
> BankID is a citizen identification solution that allows companies, banks and governments agencies to authenticate and conclude agreements with individuals over the Internet.
You need your phone to use it but it can be recovered using other means like ID card or a digipass from you bank
If you do want to transfer it you need a 'higher' level of identity proof. Usually this means you have to visit a store/office of the provider and show a means of identification to get the transfer lock lifted.
The problem is when a phone number is the only factor that is used. That is what Twitter allows.
If you truly use an SMS only as a second factor - and don't provide recovery options only by phone, like Twitter - then you have much less of a problem. In that case, a compromised phone number does not give the attacker the password or other factor. SMS is still extremely imperfect for 2FA, but it's still a lot better than no 2FA [1].
Actually 2fa via SMS is a bad idea. Check out Troy Hunt's HIBP project to get an idea of how common password reuse is.
A good way to think about the SMS problem is this: As a second factor, your cellphone is considered by many to be "something you have". TOTP like Google authenticator does verify you are in possession of that device through a shared secret key.
SMS does not verify this and the factor is not something you have. Instead, SMS is more like "something loosely associated with you that is transferrable and vulnerable to social engineering attacks".
Anything is better than nothing. However this may be worse because it provides a false sense of security.
Although I agree that in some cases SMS 2FA provides a false sense of security, this argument misses the economy of the attacks here. It's not that black and white.
Any attacks on phone numbers are spearphishing, almost my definition. Some form of identity fraud - no matter how easy it is for an attacker - must be performed in phone number stealing. Even if it's very easy, that's a significant cost for an attacker and not an easily scalable attack. I agree that SMS 2FA must never be presented as an effective means to thwart spearphishing, where attackers are willing to put in this effort.
Now in the real world, password reuse attacks are far more common, and an commonly bigger concern for a random online accounts system. SMS 2FA can be of really big help there.
Demonstrating that passwords are also a poor factor doesn't make using SMS as an additional factor a "bad idea". A physical cell phone is also something that is loosely associated with you, transferable and vulnerable to social engineering attacks.
It turns out there are no really good ways to authenticate individuals at scale. The answer is not to deride and blacklist arbitrary bad options from the pool, but to add even more factors so that their differing contexts present a more formidable holistic challenge.
Obviously, as GP points out, supporting multiple factors but allowing any one of them to be used in isolation is just building a chain with a weakest link. Better to build a chain-link fence.
A physical cell phone is also something that is loosely associated with you, transferable and vulnerable to social engineering attacks.
SIM swapping is not always the result of social engineering attacks. There are bad actors that work for carriers who will knowingly fraudulently swap sims.
At least with something like Google Authenticator that can be done at scale, someone has to have your physical device and has to get past your hopefully secure pin code/finger print sensor/face id or use rubber hose decryption.
> The problem is when a phone number is the only factor that is used. That is what Twitter allows.
that's not true. i have twitter 2FA inside authy[0] AND inside twitter's own app (it's hidden -- at least on android -- under setting and privacy -> account -> security -> login verification -> Login Code Generator)
T-Mobile lets you set a PIN that you have to present if you want to port your number or get a new SIM. They sent out mass texts about it a couple of years ago.
The problem is that it is not enforced by the automated system. Instead it is enforced by sales people who have ability to override the system, including people like the blue shirts at Best Buy. Yes, they are not supposed to, but they can.
I thought number portability was only a between carriers thing. SIM swapping doesn't cross the carrier border usually so would setting that flag actually fix anything?
That's how domain registrars work. You set a "lock" so the domain can't be transferred away until you "unlock". Then you can tie this locking/unlocking procedure to 2FA, identify verification, whatever.
How does this work? The sim-card is sent to your own address, in a plain white envelope.They have to steal that envelope to gain physical access to the sim.
Why is it so hard to stop sending sim-cards to different addresses than the main address where it was registered?
I think it works like this; people buy a SIM card from the same carrier, and call that carrier and ask them to move the victim's phone number to that SIM card. I know T-Mobile in the US allows you to buy a SIM card in any of their stores. I am sure other US carriers have the same offer.
It's much simpler. The attackers simply go to the service provider, claim they lost the sim card/phone and provide your details. If they're convincing enough the provider will deactivate your SIM and activate theirs within 10 minutes or so and by the time you notice your mobile connection doesn't work anymore they're already busy entering TANs sent to your number.
Now I don't know how easy that is to pull off in the US, but it varies in different countries. In some it takes a day to switch to a new SIM, in some you only need the real owner's name and a codeword and it'll get switched within minutes, for free and no questions asked.
It seems to me like there needs to be far more security in place before a SIM card can be swapped out over the phone. You should need to state your SSN, answer a few security questions and maybe let them know how much you paid on your last three bills or something like that.
That doesn't mitigate the risk of bribery but if you have the right software in place for the person on the line at T-Mobile or AT&T then they wouldn't be able to proceed without the proper verification.
Seems like a pretty big but easy to solve problem to me.
Does anyone know how common or easy SIM swapping elsewhere in the world? The SIM swapping stories I've seen on HN mostly focus on US users. I remember reading an article years ago, about banks combating SIM swapping in Africa, where a lot of transfers are done by SMS, by forcing a cooldown.
But I wonder, besides the US and Africa, where is SIM swapping prevalent? NYT says I'm at risk too. I'm in Europe -- am I?
Unfortunately, the current corporate thinking in Poland is that 2-factor authentication means SMS. I see banks and other companies introduce this in spite of known vulnerabilities.
* SMS (and automated voice call) are bad for people who live in areas with poor phone coverage, people with international phone numbers, and people who want good security.
* TOTP is bad for people who don't have smartphones.
* FIDO U2F is bad for people who don't have $20, safari/iOS users, and people whose devices don't have USB.
* Vendor-specific apps are bad for people who don't have smartphones, people with low spec or poorly supported smartphones, blind people, and the privacy-conscious.
* Smart card readers and physical tokens with screens cost $$$, often aren't accessible to blind people, and are too bulky for users to carry more than one or two.
* Paper single-use codes are bad for people who log in regularly, people who don't have printers, and don't scale to multiple services all that well.
* All of the above are bad for people who are forgetful or clumsy enough to regularly lose or break the second factor.
WITH THAT SAID, you can still provide Hacker-News-reader-approved two-factor authentication by basically copying Google: Offer the user TOTP, FIDO, SMS and paper codes, let them choose any two.
Gain bonus points with a setting that stops customer services resetting the password or disabling 2fa, and a week-long warning/waiting period in case account hijackers dial up the security settings to stop the original user getting their account back.
> TOTP is bad for people who don't have smartphones.
This only true if you're willing to define everything beyond the most mundane "dumb phone" as a "smartphone". One of my friends has a long list of exciting problems which ends up meaning he doesn't own what anyone these days would consider a smartphone.
But it's not like he uses carrier pigeons. His phone does have a (monochrome) screen and is quite capable of running software, it's just the software has to be crappy mobile Java from last century. However TOTP is trivial, you probably can't do it in your head but you definitely can do it in a Java 1.0 implementation and so sure enough it can be run on those phones.
On a brand new Pixel of course you vaguely wave your phone near the screen, it reads a QR code and sets everything up, he has to instead laboriously transcribe a secret value using T9 input, but the same effect is achieved - a changing code that he can input to prove he knows the shared secret.
You're correct: You could TOTP from a java phone app, a tablet, an airgapped computer, a non-airgapped PC you were really confident of the security of, and so on.
That's why I said "bad for" rather than "impossible for" :)
After all, you'd still be excluding all the people who don't have any of those. Like my 90-year-old neighbour who only has a landline phone.
I've helped maybe 50 employees set up VPN access at my workplace, and at least 2 of them said they didn't have any way to TOTP independently of the laptop we were issuing them with.
> * SMS (and automated voice call) are bad for [...] people with international phone numbers
Why is that? I'm maybe spoiled by my surroundings (Poland and Europe in general), but receiveing SMS text is free abroad. While using dataplan generally is not, so SMS is cheaper (free) as a second factor if you travel a lot.
Depending on where the customer is roaming from and to, they might risk a per-SMS charge, suffer unreliability, get no signal, or even turn off their phone to avoid accidentally running up a big roaming bill.
When I went from the UK to Montreal, I tried to use local Uber competitor "Teo Taxi" but was unable to as their number-confirmation SMS didn't arrive.
On my Canadian cellphone, unless I get a US/Intl plan before I leave, it stops entirely all my SMS when I'm outside Canada. I'm entirely dead in the water if I rely on SMS 2FA.
Some countries really don't want you automating SMS's to their local users, countries like UAE for example are very restrictive. Other issues, number porting often brakes cross carrier SMS and roaming in general often breaks SMS delivery.
There's a scandal being reported by Glenn Greenwald in Brazil, which is centered around the minister of Justice and his actions as a judge in the Lava Jato operation that led to Lula (ex president) being arrested. He helped prosecutors by coordinating strategies with them. These conversations took place on telegram and were stolen using sim swap.
Yes. Of course it works, if it was not possible for you to move your phone number to a different device then you'd be trapped and of course the mobile phone companies would take advantage of that to gouge you.
The problem is your cell provider doesn't have a very good way to be sure it's Svip asking them to do this transfer. They are mostly going to rely on low paid call center or shop floor staff to decide. Fortunately for them this is a low-value transaction. If I get them to transfer Svip's number, I don't cost them very much money and I don't inconvenience you all that much really. Why would I bother...
Unless some idiot decides to rest the authentication scheme for their valuable service on control over a phone number.
In the UK in particular for example the person doing the authentication in an actual store will usually be a teenager working part time for the mobile phone company to get some spending money or during tertiary education. When a hot guy approaches them saying they can make twice their weekly wage if they just "forget" to do a proper ID check for a few friends of his, why wouldn't they say "Yes" ? They might get fired? They have never had a serious job, they're treated like shit, unless they're unusually upright and honest or they think it's a trap they're going to agree.
There are still ways to make the system more secure.
For example, you have to physically go to a store to port the number unless you have the old SIM.
Then it's not done immediately - there's a 72 hour period in which multiple texts and calls are sent to the old SIM asking for confirmation. If you physically have the old SIM this is instant, but if you claim to have lost it you need to wait 72 hours and provide a signature and mugshot at the store.
If a member of staff "forgets" to do this stuff, they go to jail.
People don't usually lose their SIM card, so this process wouldn't happen very often.
Sure, you could have a national "reality" TV show, everybody who lost their SIM has to go on the TV show for six months with it showing on screen which number they claim is theirs - so this way there's no chance they're a crook.
Or make anyone who claims they lost their SIM wrestle a bear first before they get a replacement. Won't see many crooks take that on.
But, I put it to you that this all seems very disproportionate when you remember that you're punishing the phone company and its customers for not securing Twitter. These are the wrong people!
I'm a strong believer in solving problems at the single point of failure. If you solve it at the Twitter level, what about any other internet/cloud based service that is designed just like Twitter? It would still be a problem. If you solve it at the phone company level, all the companies that operate like Twitter are protected.
Even better still, solve it at both levels, but definitely don't let phone companies off the hook.
Yeah, I think it should be solved in both places TBH. Defense in depth.
But it won't happen because people are dumb and don't care about the issue until the exact moment it bites. This basically applies to every security problem: everything is perpetually broken and therefore nefarious actors can always find a way to achieve their goals. Most people's best defence is to not have any enemies.
Being serious, I don't think waiting 72 hours for a SIM number port is an inconvenience.
IF you lose your phone & SIM inside it, you need to go to the store anyway, or have a new phone sent by post (takes a few days usually). One of these things has to happen! You need a new phone!
So what we are adding here is a 72 hour wait for the number port. In the meantime you have a temporary number.
Govt should legislate to make precautions like this compulsory, or to create incentives for good security like steep fines against the phone company for simjacking, together with private red teams probing phone corp's security in this regard and claiming part of the fine.
People don't usually lose
their SIM card, so this
process wouldn't happen very
often.
People lose their entire phone all the time. In most cases, their SIM card is inside the missing phone.
Unless, of course, they anticipated just such an emergency, and preemptively kept the phone and SIM separate because they care that much about faceless, global social media platforms.
To be more specific, I live in Denmark. Last time I had to transfer my number, it was quite a hassle. I had to show up physically in a store, and they needed to scan two ID cards of mine. In addition, because I have a legally hidden address, the guy in the store needed to contact someone inside to confirm me. Essentially, he was not able to do it on his own.
In fairness, that was me moving from one carrier to another. I assume, if I were to get a new SIM with the same carrier, it would be a lot easier. I have been trying to figure out what it would require for me to change SIM within the carrier, but their help articles aren't clear on this, besides mentioning it is possible (my impression is that they will ship the SIM card by postal services).
> They are mostly going to rely on low paid call center or shop floor staff to decide.
Actually retail sales at AT&T and T-mobile stores(not third-party retailers) can make mid to high five figures if they're competent salespeople. Maybe low six figures at a high-volume store. Most of the money is in commission but it's there.
Very easy. I have a UK sim with Giffgaff. I lost the original sim and ordered a new one (not linked to me, it was a freebie for distributing to get a referral). I could log into my account, activate the new sim and it was done in about ten minutes.
That's really nice in some respects, but in theory if your account gets hacked, goodbye phone number. There may have been some additional work involved, eg confirm via email, but I believe other networks make it a lot more difficult. Eg you need to request it specifically through customer services and they need actual ID.
My mum is with EE and she had to go to a physical store and prove she was the account holder. Three is similar, you have to request a new sim but in theory if your mobile account is broken then that can be done online (though it never worked when I tried it, the sim didn't arrive).
>When Sims rang EE, it soon emerged that someone posing as his wife had managed to persuade the mobile network to activate a new sim card
>Sims says that when he contacted his bank, Halifax, the call centre told him it is handling hundreds of sim scams every day, making it the fastest growing fraud in the country – although Halifax later disputed this figure.
On the other hand I'm sure I saw something about banks etc being able to subscribe to services that would give them background information about a mobile number (ie if the number has been recently ported).
In Turkey if you change your SIM card you cannot login to your bank account (web site, app). Yeah, even if you are in same mobile operator with your same phone number. How does my bank know that I have changed my SIM card? I think that they have API between mobile operator, government, and bank. For example I can see my mobile and land line numbers from my e-government account.
But I am not sure about website, maybe they have integration with the operators to check last sim change date and compare it to their last know trusted sim or check the last time your phone was audited? You need to generate one time codes in TR banks afaik.
>Numara taşıma, 4.5G veya başka nedenlerle yapılan SIM kart değişikliklerinden sonra, Garanti BBVA İnternet Bankacılığı ve Garanti BBVA Mobil’e girişte kullanılan tek kullanımlık şifreler güvenliğiniz için bloke edilmektedir.
"Due to switching to another provider, 4G, or for whatever reason if you change your SIM card your password is blocked for both the app and internet banking."
>Blokenizi kaldırmak için Garanti BBVA Şubelerine uğrayabilir ya da 444 0 333 no’lu Garanti BBVA Müşteri İletişim Merkezi’ni arayabilirsiniz.
"In order to remove the password block you will need either to visit the one of our banks or call us."
Logging to Garanti requires 2FA. You can either use your password + SMS, or your password + one time code generator, in the past there was also password + mobile sign.
In Turkey 2FA is required by law in banking. This law is in action since for, I think 5-6 years.
Also, it is easy to implement this "notify the bank if SIM has changed" because all the banks (except few state banks which are in Ankara) and mobile operators (3) are all located in Istanbul.
In Germany, you have an extra PIN (called PUK) that is required for these things (alternatively show up with your ID at a store). So unless someone has that, it’s not as much of a problem.
Because people get new sims and legitimately transfer their numbers _all the time_.
I'm not saying they shouldn't put more effort into verifying the transfer, I'm just explaining why its quick and easy and they don't invest in checking much.
This was a problem before Twitter allowed 2FA via SMS, so I'd argue this is very much a Twitter problem.
Afaict this all stems from mixing verification with authentication, where verification may be required when creating an account and authentication (and possibly more verification) when using the account.
Twitter is the service that accounts are being stolen from. There exists a trivial solution to the problem (stop allowing people to reset accounts via only SMS verification).
As a user, I'm at risk because Twitter is refusing to implement that trivial protection.
I don't care who's fault it is, but it is very much Twitter's problem.
>> "Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control."
This is why SMS should be never an option for MFA. You simply cannot rely on a telco employee for the security of your organization or online presence.
risk to what ? you can probably clone the SIM (unless your carrier is aware that it's a "special" SIM, probably not) but then what ? you leave the car unconnected and that's it. You can't steal anything from it or the car itself.
Disappointed they didn’t do something like use it to manipulate the stock market. Then it would have got much more coverage and something might actually get fixed as a result.
There are automated systems employed by exchanges that analyze trades and are undeterred by volume. If someone burned this on a couple single comma trades, goodness.
Solving spoofed callerid would help reduce robocalls also. I don't understand why the telcos can't make this happen. If they don't figure this out, we're all going to drop SMS and voice forever; the trend away from SMS has already started and people already have stopped answering all calls they don't know.
Someone was telling me that here in India authorities clone SIM cards to eavesdrop on WhatsApp conversations. I don't know if that's accurate, but it's becoming clear that SIMs in general are a vulnerable form of ID.
I've seen US-based IT-security-minded people saying on Twitter for a long time that SMS based 2fa is bad, but the problem with hardware dongles is that they can be too secure. I don't want to lock myself out of my own Gmail account. I guess apps like Authy as mentioned in the other comments are an alternative. In any case I guess there are (or should be) some special codes you can write down in case you lose access to your second-factor info.
> I've seen US-based IT-security-minded people saying on Twitter for a long time that SMS based 2fa is bad, but the problem with hardware dongles is that they can be too secure. I don't want to lock myself out of my own Gmail account. I guess apps like Authy as mentioned in the other comments are an alternative. In any case I guess there are (or should be) some special codes you can write down in case you lose access to your second-factor info.
All systems/services I have seen that allow 2FA through a hardware device like a Yubikey also provide you a set of several recovery codes that you need to note down somewhere safe so that you can use those if your device fails or is lost. Some systems/services also force you to first setup a TOTP based authentication (with an app like OTP Auth/Authy) and then proceed with setting up additional hardware based 2FA. Unless you lose access to your recovery codes, which is the same as losing your password on a system with no 2FA, you should be fine (though I do get the concern here). People also get two hardware keys and set them up for the same platforms/services, keeping one in a safe place for future use in case the first one that's regularly used gets lost or breaks.
> Someone was telling me that here in India authorities clone SIM cards to eavesdrop on WhatsApp conversations.
source? There is lot of wrong with our authorities but I really really doubt about what you just said. I mean the way you have written it is giving wrong impression that authorities can clone any sim at their whim just like china or other authoritarian government.
I'm still a big fan of passwords. Long, hard to guess passwords. More than one password/phrase as a failsafe, in case I lose it.
I got my first iOS device 3 days ago as a gift, an iPad. During the excitement of the setup process, I was told to set up 2FA for my iCloud account, which I've never conscientiously used since I own no iOS devices. Now all my Apple ids, from my 2009 iMac to my macbook are tied to the darn 2FA and... my phone number.
Apparently 2FA for Apple ids cannot be rolled back! Now everytime I want to upgrade something in my Macbook I have to get an SMS code on my (vulnerable) phone to access my Apple account. This is a very unfortunate decision by Apple.
Like I said I'm a big fan of passwords. Just give me 2 or 3 passwords or passphrases (or secret patterns) as backup for my main password. Require them to be long and complex. Something that is inside my brain and only Leonardo di Caprio can steal. Not my dad's middle name or pet name or school teacher's name. I'm not a security expert, but I still feel that's the most secure way to protect an account.
If you type in the same passwords every time that's already a possible security breach. Single use 2FA is good because it you need one separate code for each transaction.
SIMs and phones being vulnerable is different from 2FA not working.
Passwords don't work these days for sophisticated attacks. Phishing is too easy.
I repeat, they don't work. No 2FA means you'll experience many successful account takeover attacks on your customers. 2FA does not mean you won't, though.
Coinbase had a great talk about account takeover attacks on the recent DefCon. They receive some of the most sophisticated attacks, sometimes when attackers already have control of every other account that the target has. Email, Facebook, Apple Cloud - you name it, now they come for the coins, to cash out.
Phishing, as in entering your password into a field pwnd by a hacker, seems like the problem to solve: how can we avoid giving out our password to a rogue player?
There are simple and complex solutions out there, we should keep taking small steps in the direction of safer password authentication, like how browsers showing the users the certificate validity, or things requiring a secret, individualized secret question so that you know the the host is not phishing.
I agree passwords are far, far from ideal and that 2FA is probably just adding complexity for the hackers, hence making it appear to be a better option, but this is just for the time being. Phone-based 2FA is flawed at the root (of how SIM cards work), so we should keep working on improving password security [1] instead of throwing ourselves into the arms of a flawed phone 2FA.
U2F and it's successors like FIDO2 were specifically designed to prevent phishing.[0] Google claims that it has entirely eliminated phishing of their employees who have been issued U2F keys.[1]. The solutions to these problems are out available.
It's not clear to me how 2FA would help against a phishing attack. Is there something I'm missing?
My understanding is that 2FA helps protect against weak passwords and password leaks. That's it. If you give me your password via a phished site, then you'll also just as readily give me your 2FA code. Then I can log into your account and turn off 2FA, generate new login codes, or just keep the login session running indefinitely.
Maybe if you set up a site that looks like a login form phishing for the PW then immediately forwarding it to the target site, then do the same for a 2FA token you have a point.
But in any other case where the victim isn't in the loop, that 2FA protects them (hopefully). If you haven't been to target.com in a week, you're not going to click the pop-up on your phone to log in out of the blue (hopefully).
Ideally your 2FA methods are not as simple as just sending a code and having the user parrot it back though. There might be some cryptography going on that would make it even harder for the attacker to interfere.
Which effectively reduces it back to 1-factor authentication. There's an adage somewhere that is probably worded better but which boils down to your security is only as good as your weakest link.
If you have an Apple device logged in to the account then Apple uses its own push notification infrastructure instead of SMS. Apple calls it “Trusted Devices”:
Also, SMS is always in-addition to your password. If you forget your password and you don’t have a trusted device from which to reset it, then Apple uses a recovery procedure which requires more than just SMS for verification.
You can also enable a recovery key which will then prevent SMS from being used to reset your password. With a recovery key you need to either use a trusted device or the key to reset your password.
> Now everytime I want to upgrade something in my Macbook I have to get an SMS code on my (vulnerable) phone to access my Apple account. This is a very unfortunate decision by Apple.
This sounds strange. I always get the 2FA authorization message and the code through a push notification from Apple that appears as a dialog on the device(s) used to authorize access from another device. SMS or voice call is used for the initial setup though. [1]
>Apparently 2FA for Apple ids cannot be rolled back!
Apple removed the option to turn off two-factor authentication on some Apple IDs created in iOS 10.3 or macOS 10.12.4 and later.
A couple of years ago, I forgot the question/passphrase sequence for two-step verification and subsequently got frozen out. I had initially set it as samephrase1..2..3 in an effort to refrain from supplying PII. In order to reset, I managed to opt-in to 2FA and then revert back to initial setup.
I would have continued to think of the above process as the norm, until I read your comment and followed the support link provided by the other commenter, which states that the 2FA process cannot be undone anymore! However, there seems to be a slightly convoluted alternative i.e. unlinking existing AppleID and attach a new one for iCloud only, thus keeping the (old) existing one for the App Store and other services.
I'm not at risk, because I deleted my Twitter account when they started nagging at me to tell them my phone number. Demanding more information from users than the company understandably needs to provide its service, is a huge red flag for me. It's good to know that they're now getting the medial backlash they deserve.
I'm well aware of that and don't use my phone number for security-related tasks when I can. My operator or the authorities (with IMSI-catchers, also available to criminals) could gain control of it at any time after all.
In India, SMS services are blocked for the first 24 hours whenever a SIM is changed. This creates a bottleneck for the hackers but doesn't quite solve the problem.
Any word on whether using Google-Voice would be a good safeguard against this? Presumably, because your google-voice account is so intrinsically linked to your Google account, which is much harder to hack, that should mitigate this threat tremendously. Especially if you're using google-voice to forward all calls to a number that no one else knows about.
I would not use Google voice. I'm not sure, but I doubt Google controls the major component in the international mechanism responsible for routing telephone calls. I would expect that they outsource some of the mechanisms to 3rd parties.
IMO the idea behind 2-factor is that an attacker requires physical access to a physical object. Which reduces the number potential attackers to the small number that are able and willing to finance a targeted theft.
> Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T
Those seem like excellent litigation targets, and I’m surprised that that fact alone hasn’t fixed this bug. Dorsey should sue and sue and sue and not settle and get these companies to unfuck themselves.
> Dorsey should sue and sue and sue and not settle and get these companies to unfuck themselves.
If you are a captain of a ship that sees an out of control oil tanker heading for it, the solution is not to sue the oil tanker owners, rather it is to get out of its way which in Jack's case should be ordering an immediate implementation of a non-SMS 2FA
COLREGs (international rules to not have collisions at sea on account of everybody is agreed that would be bad)
A.2b. "In construing and complying with these rules due regard shall be had to all dangers of navigation and collision and to any special circumstances, including the limitations of the vessels involved, which may make a departure from these rules necessary to avoid immediate danger"
Basically, if obeying the other rules mean you'll get hit by an oil tanker, Rule 2b says ignore those other rules so that you don't get hit by an oil tanker. So yeah, Jack ought to order his engineers to go fix this.
In case anyone regularly has trouble not getting hit by an Oil Tanker, I'd like to recommend John W. Trimmer's excellent book: How to Avoid Huge Ships[1].
> U2F requires the presence of SMS fallback. It cannot be disabled as of two days ago when I tried it last.
The original statement is:
> 1 point by chimeracoder 11 minutes ago | parent | edit | favorite | on: Hackers Hit Twitter CEO Jack Dorsey in a ‘SIM Swap...
> which in Jack's case should be ordering an immediate implementation of a non-SMS 2FA
Which, as I point out, is superfluous, because Twitter already has three other forms of non-SMS 2FA. Twitter does also support SMS-based password reset, which is a problem, but that's not actually how Jack Dorsey's account got hacked in the first place.
Aside from any improvements to Twitter's security practices that could be made, Jack Dorsey himself was not using the existing security features that Twitter already offers. Which is the real problem.
I am not Twitter's CEO. I'm twitter's user. I cannot use that feature without opening my account to this attack. Therefore that feature for all intended purposes does not exist because it is unusable for the purpose of protecting the account.
More than myself I am concerned when POTUS is hit. Imagine seeing bunch of tweets showing up at 4am announcing to everyone that USA is in process of launching nukes against Russia right at this moment. By the time the whole thing is explained as a hack-in, Russia may be sending their nukes this way and for a darn good reason, because no country takes nukes threats against them as a joke or "you know perhaps they were hacked so let's go sleep". This is more serious than my little 15,000 followers twitter handle.
311 comments
[ 3.9 ms ] story [ 233 ms ] threadbest: a great balance between convenience, security and cost.
Lately, it bothers that we cannot be sure that we are interacting with real people or the people that we are interacting with are not the same people with different accounts.
If I have 2 accounts, and you can tell that they're both me, doesn't that compromise my privacy?
If I "authenticate" a $1 postcard of the Mona Lisa, does that mean it's the real Mona Lisa? A real postcard? Really worth a dollar? Really a physical object that exists?
Also there are attorneys: a real person acting on behalf of a different real person. Currently many financial institutions seem to be unable to cope with this situation. When talking to a call centre, in practice it's much easier, and probably not illegal, for you to impersonate the person you're representing rather than attempt to explain the actual legal situation to the confused employee in Bangalore.
That turns multi-factor auth back into "single factor auth" and leaves you one exploit away from having your password and TOTP code from getting stolen.
Am I misunderstanding something? Or did you mean OTP rather than TOTP?
That string is all that is needed to generate all of the TOTP codes forever. So while the TOTP code that you type is different every minute, it's generated by doing some math on the setup string and the current time.
Some password managers (like 1Password) allow you to have them generate your TOTP codes by putting in your setup string into them (often using the exact same process you would do to setup your TOTP codes in an app). But i'm saying that's not a good idea if you are going for "most secure", because at that point if something were to somehow exploit your password manager, they will not only get your username and password, but will have that setup string as well so they can generate their own TOTP codes for you.
It’s arguable that you’re removing that second factor when you store the parameters needed to create the TOTP in the same place as you store your passwords.
It is a security tradeoff that I take for most of my accounts. For a few that a much more sensitive I use a Yubikey.
But unless you have your 1Password setup to need the secret every time you go to have it fill in the password, the seed string is in memory unencrypted along with your passwords (or more specifically, it's stored in a way that it can be decrypted by the app/extension on it's own). That makes it one spectre/meltdown style exploit away from getting everything needed to login to the account.
Still, if that system works for you, then good! having any 2fa (even SMS) is better than nothing, storing TOTP codes in a password manager is better than SMS, storing them in a seperate device is better still, and U2F keys are even better still.
Like anything it's a gradient of tradeoffs, but I've seen too many people go from Google Authenticator to 1Password in an attempt to further secure their account, and I just like to point out that there's a good chance it's doing the opposite.
WebAuthn uses FIDO Security keys, relatively cheap USB or Bluetooth devices or sometimes just a built-in feature of a smartphone, to authenticate. They are Something-You-Have, but the WebAuthn protocol also offers:
* Optionally a mode where you give the FIDO key a PIN (Something-You-Know) or biometric input (Something-You-Are) to do all the authentication locally
* Phishing proof - there's no decision about whether this is really your bank. WebAuthn is completely happy to log you into https://fake.bank.phishingsite.example/ but the credentials are useless to the crooks who own that site because they won't work on https://your.actual.bank.example/ even if the crooks got the logo just exactly right and wrote a very convincing pleading email from your bank saying they definitely need you to go to the fake bank site.
This works on vacation when I can't receive SMS. It was much cheaper to buy a 4G SIM in Barcelona (for Google Maps etc) than enable international roaming from Australia ($AU5/day).
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... [2] https://www.nationwide.co.uk/support/security-centre/interne...
Suppose you have password '47BF-38AP-3M99' on the list. You get a plausible email from your friend Barry saying he needs €40 urgently. You send €40 using that password and instructions Barry gave about some web site for transferring money.
Oops. That wasn't Barry, crooks used Barry's email account to send the message and the €40 transfer turns out to have been a transaction to empty your account of €5830.26 but '47BF-38AP-3M99' was correct so the bank OK'd it.
The regulation aims to arrange that the second factor involves the transaction value 5830.26 which is weird for you because you are trying to send Barry €40. You would probably realise something is wrong when typing 5830.26 into an authenticator, or else, the crooks only get €40 which is a bad pay-off for such a sophisticated attack.
My good bank gave me a weird chiclet keypad device years ago that I have to type stuff into while doing online transactions. So I'd have to type the amount into that device. It whitelists certain actions, so if I keep sending Barry money, I think I don't have to type the amount in every time or something.
The EU rules definitely don't forbid your bank doing something better here, but I can see that the way that bank chose to implement them hasn't helped you which sucks.
If you don’t mind my asking, is your banking institution geared towards HNW clients? The amount verification sounds very similar to what most banks in the US do for inter-bank transactions but I’ve never heard of something like that implemented on a bank account from the consumer’s side.
I am not required to carry it, but my understanding is that most features of my online banking don't work if I tell the system I don't have it with me. I store it with other valuable identity items like my birth certificate in my home, I do not take it with me when I travel.
This bank offers excellent 24/7 phone service, if I was away from home I would call them if I needed anything. All conceivable transactions can be concluded by phone, indeed I've mentioned to HN before that it turns out very high value financial transactions (literally buying a home in my case) can't be done online at all. The web site just tells me to call them instead to complete the transaction.
The institution is not especially geared to High Net Worth individuals, but it doesn't offer any products geared to people focused on being thrifty/ economical. It doesn't offer zero fee current account banking, it doesn't pay great interest on savings, it doesn't have "cash back" features on credit cards, it's just a very well run bank. If I needed £10 more than I need a bank I can rely on, I would leave.
The government agencies that setup the mobile number portability system need to realise the seriousness of this flaw and allow a “Never transfer my Number” flag to be set in their databases. Until then even the lowest rung service desk agent at any telco has the ability to transfer numbers. A system like that can never be secure.
I'd say it's pretty simple then: you can't transfer your number and just need to get a new one.
I mean at some point you have to draw a line; losing your password and resetting it via email is already a pretty gracious thing, and most support desks will help you beyond the default password reset as well if necessary.
But at some point you have to draw a line - key's lost? Access is lost.
Why not just require that if you don't have your old SIM on you, you have to jump through extra hoops involving physically showing government-issued documents and otherwise leaving enough paper trail for the police to find and jail you if it turns out you were a fraud?
Maybe the laws don’t consider that a serious enough crime to even investigate the cases?
Even if someone's phone is locked and useless, you could steal it, dispose of it, and cause a lot of grief.
For the average person, the best utility of it is being able to retain your number on losing your device. Usually you aren't expecting to lose your device, so imagine how much more complicated everything gets when not only do you have to worry about getting a new one unexpectedly, but then also have to get a new number, inform everyone you know about that, and then update all your accounts.
All of that just to protect people from being targeted by fraud that is not only very unlikely to happen to them unless they're well known, but is also better resolved by making authentication systems smarter.
a) I don't use twitter, so it's a loss of minimal proportions
b) It's twitter's fault and easily prevented by them
Sure, a) won't be applicable to all services because there are services I actually use that my life revolves around. However, the only service I can think of that would disrupt more of my life than losing my phone number is verified 2FA secured and does not have this vulnerability.
I would actively avoid a carrier that promotes this policy and think it's naive to assert that it's even remotely viable.
I get that makes life much more difficult when you are travelling and have your phone (and therefore SIM) stolen, but given the severity of the current issues it seems minimal disruption. You get a burner phone for 24 hours?
You get a new SIM instantly, but it has a temporary number. Then you get notifications via SMS on your old SIM, you usually get a call from your old carrier trying to get you to stay, offering discounts and shit. Then after 7-14 days the new SIM gets the old number and the old SIM stops working.
The U.S. system sounds horrifically irresponsible.
// Replacement with the same carrier is quick, but requires physical presence with government ID (passport)
It used to take a long time and the carriers caught grief for making it hard for people to port out to another carrier.
what if you actually want to transfer your number?
I can imagine however that an admin at a reasonably large business would receive several of these emails per day and may just reflexively click on them all. Note these emails are sent to the business account admin, not the end-user. I happen to be both so can see both sides of the process.
Edit: I should also add that I have never met this rep and so he has definitely not looked at my government ID. The process is secured only by receipt of email.
Email, SMS, automated phone call.
> BankID is a citizen identification solution that allows companies, banks and governments agencies to authenticate and conclude agreements with individuals over the Internet.
You need your phone to use it but it can be recovered using other means like ID card or a digipass from you bank
https://www.adressandring.se/private/watch
This is common for many telcos, banks, etc.
If you truly use an SMS only as a second factor - and don't provide recovery options only by phone, like Twitter - then you have much less of a problem. In that case, a compromised phone number does not give the attacker the password or other factor. SMS is still extremely imperfect for 2FA, but it's still a lot better than no 2FA [1].
[1]:https://security.googleblog.com/2019/08/understanding-why-ph...
A good way to think about the SMS problem is this: As a second factor, your cellphone is considered by many to be "something you have". TOTP like Google authenticator does verify you are in possession of that device through a shared secret key.
SMS does not verify this and the factor is not something you have. Instead, SMS is more like "something loosely associated with you that is transferrable and vulnerable to social engineering attacks".
Anything is better than nothing. However this may be worse because it provides a false sense of security.
https://i.pinimg.com/originals/8d/6e/f3/8d6ef375e012df303faa...
Any attacks on phone numbers are spearphishing, almost my definition. Some form of identity fraud - no matter how easy it is for an attacker - must be performed in phone number stealing. Even if it's very easy, that's a significant cost for an attacker and not an easily scalable attack. I agree that SMS 2FA must never be presented as an effective means to thwart spearphishing, where attackers are willing to put in this effort.
Now in the real world, password reuse attacks are far more common, and an commonly bigger concern for a random online accounts system. SMS 2FA can be of really big help there.
It turns out there are no really good ways to authenticate individuals at scale. The answer is not to deride and blacklist arbitrary bad options from the pool, but to add even more factors so that their differing contexts present a more formidable holistic challenge.
Obviously, as GP points out, supporting multiple factors but allowing any one of them to be used in isolation is just building a chain with a weakest link. Better to build a chain-link fence.
SIM swapping is not always the result of social engineering attacks. There are bad actors that work for carriers who will knowingly fraudulently swap sims.
At least with something like Google Authenticator that can be done at scale, someone has to have your physical device and has to get past your hopefully secure pin code/finger print sensor/face id or use rubber hose decryption.
that's not true. i have twitter 2FA inside authy[0] AND inside twitter's own app (it's hidden -- at least on android -- under setting and privacy -> account -> security -> login verification -> Login Code Generator)
[0] https://authy.com/guides/twitter/
Why is it so hard to stop sending sim-cards to different addresses than the main address where it was registered?
Now I don't know how easy that is to pull off in the US, but it varies in different countries. In some it takes a day to switch to a new SIM, in some you only need the real owner's name and a codeword and it'll get switched within minutes, for free and no questions asked.
That doesn't mitigate the risk of bribery but if you have the right software in place for the person on the line at T-Mobile or AT&T then they wouldn't be able to proceed without the proper verification.
Seems like a pretty big but easy to solve problem to me.
But I wonder, besides the US and Africa, where is SIM swapping prevalent? NYT says I'm at risk too. I'm in Europe -- am I?
After reading those I switched authentication from a sms text to my bank app.
SMS is NOT a secure second factor!
* SMS (and automated voice call) are bad for people who live in areas with poor phone coverage, people with international phone numbers, and people who want good security.
* TOTP is bad for people who don't have smartphones.
* FIDO U2F is bad for people who don't have $20, safari/iOS users, and people whose devices don't have USB.
* Vendor-specific apps are bad for people who don't have smartphones, people with low spec or poorly supported smartphones, blind people, and the privacy-conscious.
* Smart card readers and physical tokens with screens cost $$$, often aren't accessible to blind people, and are too bulky for users to carry more than one or two.
* Paper single-use codes are bad for people who log in regularly, people who don't have printers, and don't scale to multiple services all that well.
* All of the above are bad for people who are forgetful or clumsy enough to regularly lose or break the second factor.
WITH THAT SAID, you can still provide Hacker-News-reader-approved two-factor authentication by basically copying Google: Offer the user TOTP, FIDO, SMS and paper codes, let them choose any two.
Gain bonus points with a setting that stops customer services resetting the password or disabling 2fa, and a week-long warning/waiting period in case account hijackers dial up the security settings to stop the original user getting their account back.
This only true if you're willing to define everything beyond the most mundane "dumb phone" as a "smartphone". One of my friends has a long list of exciting problems which ends up meaning he doesn't own what anyone these days would consider a smartphone.
But it's not like he uses carrier pigeons. His phone does have a (monochrome) screen and is quite capable of running software, it's just the software has to be crappy mobile Java from last century. However TOTP is trivial, you probably can't do it in your head but you definitely can do it in a Java 1.0 implementation and so sure enough it can be run on those phones.
On a brand new Pixel of course you vaguely wave your phone near the screen, it reads a QR code and sets everything up, he has to instead laboriously transcribe a secret value using T9 input, but the same effect is achieved - a changing code that he can input to prove he knows the shared secret.
That's why I said "bad for" rather than "impossible for" :)
After all, you'd still be excluding all the people who don't have any of those. Like my 90-year-old neighbour who only has a landline phone.
I've helped maybe 50 employees set up VPN access at my workplace, and at least 2 of them said they didn't have any way to TOTP independently of the laptop we were issuing them with.
Why is that? I'm maybe spoiled by my surroundings (Poland and Europe in general), but receiveing SMS text is free abroad. While using dataplan generally is not, so SMS is cheaper (free) as a second factor if you travel a lot.
When I went from the UK to Montreal, I tried to use local Uber competitor "Teo Taxi" but was unable to as their number-confirmation SMS didn't arrive.
And please, people, stop saying that this is not good for people who do not have smartphones. To a first approximation, everybody has a smartphone.
The problem is your cell provider doesn't have a very good way to be sure it's Svip asking them to do this transfer. They are mostly going to rely on low paid call center or shop floor staff to decide. Fortunately for them this is a low-value transaction. If I get them to transfer Svip's number, I don't cost them very much money and I don't inconvenience you all that much really. Why would I bother...
Unless some idiot decides to rest the authentication scheme for their valuable service on control over a phone number.
In the UK in particular for example the person doing the authentication in an actual store will usually be a teenager working part time for the mobile phone company to get some spending money or during tertiary education. When a hot guy approaches them saying they can make twice their weekly wage if they just "forget" to do a proper ID check for a few friends of his, why wouldn't they say "Yes" ? They might get fired? They have never had a serious job, they're treated like shit, unless they're unusually upright and honest or they think it's a trap they're going to agree.
For example, you have to physically go to a store to port the number unless you have the old SIM.
Then it's not done immediately - there's a 72 hour period in which multiple texts and calls are sent to the old SIM asking for confirmation. If you physically have the old SIM this is instant, but if you claim to have lost it you need to wait 72 hours and provide a signature and mugshot at the store.
If a member of staff "forgets" to do this stuff, they go to jail.
People don't usually lose their SIM card, so this process wouldn't happen very often.
Or make anyone who claims they lost their SIM wrestle a bear first before they get a replacement. Won't see many crooks take that on.
But, I put it to you that this all seems very disproportionate when you remember that you're punishing the phone company and its customers for not securing Twitter. These are the wrong people!
Even better still, solve it at both levels, but definitely don't let phone companies off the hook.
But it won't happen because people are dumb and don't care about the issue until the exact moment it bites. This basically applies to every security problem: everything is perpetually broken and therefore nefarious actors can always find a way to achieve their goals. Most people's best defence is to not have any enemies.
IF you lose your phone & SIM inside it, you need to go to the store anyway, or have a new phone sent by post (takes a few days usually). One of these things has to happen! You need a new phone!
So what we are adding here is a 72 hour wait for the number port. In the meantime you have a temporary number.
Govt should legislate to make precautions like this compulsory, or to create incentives for good security like steep fines against the phone company for simjacking, together with private red teams probing phone corp's security in this regard and claiming part of the fine.
Definitely the phone company to go with!
Unless, of course, they anticipated just such an emergency, and preemptively kept the phone and SIM separate because they care that much about faceless, global social media platforms.
In fairness, that was me moving from one carrier to another. I assume, if I were to get a new SIM with the same carrier, it would be a lot easier. I have been trying to figure out what it would require for me to change SIM within the carrier, but their help articles aren't clear on this, besides mentioning it is possible (my impression is that they will ship the SIM card by postal services).
Actually retail sales at AT&T and T-mobile stores(not third-party retailers) can make mid to high five figures if they're competent salespeople. Maybe low six figures at a high-volume store. Most of the money is in commission but it's there.
That's really nice in some respects, but in theory if your account gets hacked, goodbye phone number. There may have been some additional work involved, eg confirm via email, but I believe other networks make it a lot more difficult. Eg you need to request it specifically through customer services and they need actual ID.
My mum is with EE and she had to go to a physical store and prove she was the account holder. Three is similar, you have to request a new sim but in theory if your mobile account is broken then that can be done online (though it never worked when I tried it, the sim didn't arrive).
https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud...
>When Sims rang EE, it soon emerged that someone posing as his wife had managed to persuade the mobile network to activate a new sim card
>Sims says that when he contacted his bank, Halifax, the call centre told him it is handling hundreds of sim scams every day, making it the fastest growing fraud in the country – although Halifax later disputed this figure.
On the other hand I'm sure I saw something about banks etc being able to subscribe to services that would give them background information about a mobile number (ie if the number has been recently ported).
- https://en.wikipedia.org/wiki/SIM_card#ICCID - https://stackoverflow.com/a/38032034/1329429
But I am not sure about website, maybe they have integration with the operators to check last sim change date and compare it to their last know trusted sim or check the last time your phone was audited? You need to generate one time codes in TR banks afaik.
>Numara taşıma, 4.5G veya başka nedenlerle yapılan SIM kart değişikliklerinden sonra, Garanti BBVA İnternet Bankacılığı ve Garanti BBVA Mobil’e girişte kullanılan tek kullanımlık şifreler güvenliğiniz için bloke edilmektedir.
"Due to switching to another provider, 4G, or for whatever reason if you change your SIM card your password is blocked for both the app and internet banking."
>Blokenizi kaldırmak için Garanti BBVA Şubelerine uğrayabilir ya da 444 0 333 no’lu Garanti BBVA Müşteri İletişim Merkezi’ni arayabilirsiniz.
"In order to remove the password block you will need either to visit the one of our banks or call us."
Logging to Garanti requires 2FA. You can either use your password + SMS, or your password + one time code generator, in the past there was also password + mobile sign.
In Turkey 2FA is required by law in banking. This law is in action since for, I think 5-6 years.
Also, it is easy to implement this "notify the bank if SIM has changed" because all the banks (except few state banks which are in Ankara) and mobile operators (3) are all located in Istanbul.
I'm not saying they shouldn't put more effort into verifying the transfer, I'm just explaining why its quick and easy and they don't invest in checking much.
Afaict this all stems from mixing verification with authentication, where verification may be required when creating an account and authentication (and possibly more verification) when using the account.
As a user, I'm at risk because Twitter is refusing to implement that trivial protection.
I don't care who's fault it is, but it is very much Twitter's problem.
This is why SMS should be never an option for MFA. You simply cannot rely on a telco employee for the security of your organization or online presence.
Regardless, it is still better than any SIM solution.
Just a single tweet from Musk, caused a big wave in the value of Tesla + a serious bollocking from the SEC.
Who are more than negligent here.
Buy some options several days in advance, drop the tweet, then sell right when volume shoots through the roof.
I've seen US-based IT-security-minded people saying on Twitter for a long time that SMS based 2fa is bad, but the problem with hardware dongles is that they can be too secure. I don't want to lock myself out of my own Gmail account. I guess apps like Authy as mentioned in the other comments are an alternative. In any case I guess there are (or should be) some special codes you can write down in case you lose access to your second-factor info.
So no protection, but a notification.
https://faq.whatsapp.com/en/android/28030014/?category=52452...
https://faq.whatsapp.com/general/26000021/?category=5245245
You can do the same in Signal.
All systems/services I have seen that allow 2FA through a hardware device like a Yubikey also provide you a set of several recovery codes that you need to note down somewhere safe so that you can use those if your device fails or is lost. Some systems/services also force you to first setup a TOTP based authentication (with an app like OTP Auth/Authy) and then proceed with setting up additional hardware based 2FA. Unless you lose access to your recovery codes, which is the same as losing your password on a system with no 2FA, you should be fine (though I do get the concern here). People also get two hardware keys and set them up for the same platforms/services, keeping one in a safe place for future use in case the first one that's regularly used gets lost or breaks.
source? There is lot of wrong with our authorities but I really really doubt about what you just said. I mean the way you have written it is giving wrong impression that authorities can clone any sim at their whim just like china or other authoritarian government.
I got my first iOS device 3 days ago as a gift, an iPad. During the excitement of the setup process, I was told to set up 2FA for my iCloud account, which I've never conscientiously used since I own no iOS devices. Now all my Apple ids, from my 2009 iMac to my macbook are tied to the darn 2FA and... my phone number.
Apparently 2FA for Apple ids cannot be rolled back! Now everytime I want to upgrade something in my Macbook I have to get an SMS code on my (vulnerable) phone to access my Apple account. This is a very unfortunate decision by Apple.
Like I said I'm a big fan of passwords. Just give me 2 or 3 passwords or passphrases (or secret patterns) as backup for my main password. Require them to be long and complex. Something that is inside my brain and only Leonardo di Caprio can steal. Not my dad's middle name or pet name or school teacher's name. I'm not a security expert, but I still feel that's the most secure way to protect an account.
SIMs and phones being vulnerable is different from 2FA not working.
I repeat, they don't work. No 2FA means you'll experience many successful account takeover attacks on your customers. 2FA does not mean you won't, though.
Coinbase had a great talk about account takeover attacks on the recent DefCon. They receive some of the most sophisticated attacks, sometimes when attackers already have control of every other account that the target has. Email, Facebook, Apple Cloud - you name it, now they come for the coins, to cash out.
There are simple and complex solutions out there, we should keep taking small steps in the direction of safer password authentication, like how browsers showing the users the certificate validity, or things requiring a secret, individualized secret question so that you know the the host is not phishing.
I agree passwords are far, far from ideal and that 2FA is probably just adding complexity for the hackers, hence making it appear to be a better option, but this is just for the time being. Phone-based 2FA is flawed at the root (of how SIM cards work), so we should keep working on improving password security [1] instead of throwing ourselves into the arms of a flawed phone 2FA.
[1] https://a16z.com/2019/07/25/passwords-are-dead-again/
[0] https://fidoalliance.org/fido2/ [1] https://krebsonsecurity.com/2018/07/google-security-keys-neu...
My understanding is that 2FA helps protect against weak passwords and password leaks. That's it. If you give me your password via a phished site, then you'll also just as readily give me your 2FA code. Then I can log into your account and turn off 2FA, generate new login codes, or just keep the login session running indefinitely.
How does 2FA help prevent any of that?
But in any other case where the victim isn't in the loop, that 2FA protects them (hopefully). If you haven't been to target.com in a week, you're not going to click the pop-up on your phone to log in out of the blue (hopefully).
Ideally your 2FA methods are not as simple as just sending a code and having the user parrot it back though. There might be some cryptography going on that would make it even harder for the attacker to interfere.
https://support.apple.com/en-us/HT204915
Also, SMS is always in-addition to your password. If you forget your password and you don’t have a trusted device from which to reset it, then Apple uses a recovery procedure which requires more than just SMS for verification.
You can also enable a recovery key which will then prevent SMS from being used to reset your password. With a recovery key you need to either use a trusted device or the key to reset your password.
This sounds strange. I always get the 2FA authorization message and the code through a push notification from Apple that appears as a dialog on the device(s) used to authorize access from another device. SMS or voice call is used for the initial setup though. [1]
[1]: https://support.apple.com/en-us/HT204915
Apple removed the option to turn off two-factor authentication on some Apple IDs created in iOS 10.3 or macOS 10.12.4 and later.
A couple of years ago, I forgot the question/passphrase sequence for two-step verification and subsequently got frozen out. I had initially set it as samephrase1..2..3 in an effort to refrain from supplying PII. In order to reset, I managed to opt-in to 2FA and then revert back to initial setup.
I would have continued to think of the above process as the norm, until I read your comment and followed the support link provided by the other commenter, which states that the 2FA process cannot be undone anymore! However, there seems to be a slightly convoluted alternative i.e. unlinking existing AppleID and attach a new one for iCloud only, thus keeping the (old) existing one for the App Store and other services.
https://support.ikeymonitor.com/hc/en-us/articles/1150008243...
What was the other factor?
I thought the whole idea behind 2-factor-auth is that two somewhat secure authentification methods combined make a stronger one.
Unfortunately it is also used far too often as 1-factor authentication for password resets, making 2-factor authentication essentially pointless.
Those seem like excellent litigation targets, and I’m surprised that that fact alone hasn’t fixed this bug. Dorsey should sue and sue and sue and not settle and get these companies to unfuck themselves.
If you are a captain of a ship that sees an out of control oil tanker heading for it, the solution is not to sue the oil tanker owners, rather it is to get out of its way which in Jack's case should be ordering an immediate implementation of a non-SMS 2FA
A.2b. "In construing and complying with these rules due regard shall be had to all dangers of navigation and collision and to any special circumstances, including the limitations of the vessels involved, which may make a departure from these rules necessary to avoid immediate danger"
Basically, if obeying the other rules mean you'll get hit by an oil tanker, Rule 2b says ignore those other rules so that you don't get hit by an oil tanker. So yeah, Jack ought to order his engineers to go fix this.
[1]: https://www.amazon.com/Avoid-Huge-Ships-John-Trimmer/dp/0870...
Twitter supports U2F. Jack Dorsey just prefers not to use it, according to reports.
The original statement is:
> 1 point by chimeracoder 11 minutes ago | parent | edit | favorite | on: Hackers Hit Twitter CEO Jack Dorsey in a ‘SIM Swap...
> which in Jack's case should be ordering an immediate implementation of a non-SMS 2FA
Which, as I point out, is superfluous, because Twitter already has three other forms of non-SMS 2FA. Twitter does also support SMS-based password reset, which is a problem, but that's not actually how Jack Dorsey's account got hacked in the first place.
Aside from any improvements to Twitter's security practices that could be made, Jack Dorsey himself was not using the existing security features that Twitter already offers. Which is the real problem.