> Ross had approximately $1 million stored in two [cyrptocurrency] exchanges when he was attacked, according to a report by investigators.
You know what happens if someone tries this with your brokerage? It takes three days, not one hour, there's a name on the destination account (know your customer), it takes days (at least) to withdraw money from it, and there's a medallion signature on the transfer, so your brokerage is on the hook for it.
There's a reason fraudsters are targeting cryptocurrency exchanges: arguably less security, but more importantly, it's easy to quickly and irreversibly transfer the money.
I only skimmed the first couple paragraphs but I immediately wondered why no financial protections came into play. That explains it. Sort of a misleading headline.
"there's a medallion signature on the transfer, so your brokerage is on the hook for it"
I'm...not sure that's how it works. Yes, common sense suggests it's much more difficult with conventional financial assets, but is that signature guarantee or whatever you call it protecting you or the institution? In the sense that, if someone successfully forges one, what actually happens next?
> A medallion signature guarantee is a guarantee by the transferring financial institution that the signature is genuine and the financial institution accepts liability for any forgery.
I'm not sure I understand that. Because the signature guarantee isn't "by" the transferring financial institution, is it? You want to transfer an account from "A" to "B" and you get the guarantee from someone that provides guarantees, call them "C". And if someone forges the guarantee, then "C" never did guarantee anything, so why would they be liable, let alone "A" and "B"?
Maybe I'm forgetting how this works...
...reading the wikipedia page, it sounds like the idea is to deal with forgeries of signatures provided to the guarantor. Not with forgeries of the guarantor's approval.
Then again, maybe you can't really forge a guarantee as long as it can be looked up or invalidated by their database.
I think what they are saying is that in the banking system is nearly impossible to steal someone's life savings via a hack and get away with it, or at least if you do they have insurance at the brokerage to cover it.
> Hi, AT&T, I was at the bar last night and I lost my phone. I still have my old phone, though. Can you help me transfer it? Mother's maiden name? Why yes, it is on whitepages.com!
Anything where you're accessing or affecting an informational system in a malicious way could be called a hack. Social engineering is a mainstay at Def Con.
You call the provider's help line and tell the minimum wage call center worker on the other end that your phone has been stolen and you want to assign it to a new SIM code.
Not in our case where we go through 11 step process. In addition to this our staff is highly trained and everytime a request is made, we assume it's an attack
> How is someone persuading your provider to transfer your number to another provider, a hack?
It sounds like you are not aware of the existence of the term “Social Engineering”.
I invite you to read this Wiki page [1] which explains what the hack is about.
Social Engineering is, in fact, one of the most common techniques used by hack people, for example, by tricking someone into clicking a malicious link in a phishing email. There is also “Smishing” which is the same —tricking someone into reading and clicking a malicious text or link— but via SMS. In this specific case the hackers are using a technique commonly known as “Vishing” or “Voice Phishing” [2] which is a criminal practice of using social engineering over a telephone system to gain access to private personal and financial information from the public for the purpose of financial reward (verbatim from WikiPedia).
Have you heard stories of hacks where an employee plugged an infected USB, CD-ROM or floppy-disk into a computer connected to a secure facility? Well, this is another social engineering technique commonly known as “Baiting” used by hackers to attack systems that otherwise would be impossible to access from outside [3]. Stuxnet [4] is one of the most famous examples of a social engineering attack, among several other techniques.
As you can see, social engineering is the very beginning of many hacks.
Everyone is trying to make phone networks the liable party because it’s cheap for them, and the phone networks don’t want to be the liable party. Even the federal government (SSA) uses SMS as 2FA for proof of identity.
Because we control the # at that time. We disassociate your personal information from your # and then mask every information that's required to do a port-out
Hey - I am Haseeb Founder of Efani. So we deploy atleast 11 ways to authenticate a user over couple of weeks to make sure that this is a legitimate request + use some manual & automated processes to kill any illegal attempt
Can you be more specific with your question ?
All the port out are blocked by default & no have access to your account # + our UI & our system is in different silos . Finally we've a $5M insurance policy
For most users the problem is someone intercepting their text messages and then using that access to rob them. Port-outs are one way to accomplish this, but certainly not the only way.
Can you defend against sim swap attacks if your MNO is compromised, how?
Where can I read more about your insurance policy? I can’t find any specific details on your website.
I am updating the website within a week so that'll have the complete information. Just rebuilding it to aspire some more confidence in the product honestly.
We do defend against SIM swap attacks because MNOs can't access our account
I'll give you a very simple explain. Imagine you're ATT customer & you're roaming in Canada on Rogers network. Would the roger employee be able to SIM Swap you ? No because you're not his customer and even the kiosk guy can't look into the account either
I'm guessing he's talking about SS7 attacks. Sure, you do everything on your side to prevent sim swaps or the numbers from being ported out, but all of those measures are moot if they're bypassed at the carrier level.
Not really SS7 attacks, it seems that this service is just built on top of regular MVNO/reseller APIs offered by the big carriers that we already know to have serious trouble with not getting hacked.
They might be able to protect you against regular port-outs, but not SIM swap attacks performed by people who’ve compromised carrier infrastructure.
>Happy to give you a bounty if you're able to break into the system.
Yeah, the problem here is that since you’re a MVNO the easiest angle of attack would might just be to go for the big MNOs that you resell (Verizon, ATT, Sprint,Tmo). You can’t really offer bounties for such attacks, and I can’t see how you could defend against them either.
We can because due to our relationship, we control the # and they don't. We've a slightly different arrangement. Think of that you've ATT and you're roaming in Canada on Rogers network. Rogers employee can't port you out or do funny things to your account. Similarly, we're using their network but they can't access your account
during SS7 attack your phone is pushed to deprioritize to a lower network. We've programmed our SIMs against that so if SNR goes high, we don't abide to default settings. This does take out 99% of the attacks . Looking into a setting to inform customers the moment we believe there is any such attempt
Not only that, but holding it in a way that they can get to it. If I had a million bucks in crypto, I'd have a few geographically separate offline laptops with the codes on them, fully encrypted, as cold storage.
It's rare to impossible to do this to a regular bank account, and if they did, the bank would be liable. Crypto is a great solution for some stuff, but it's not a pancea to solve every problem.
SIM companies could prevent a lot of cases by trying to call or text the phone that is currently active on the SIM. If AT&T would have called the number then it’s likely this could have been prevented.
ATT is built around selling you cheap plans and the SOPs are not that strong. There are 1000s of ports every days so they want to make it simple for their employees
Could you explain how your company defends against these attacks?
From a quick look at your website, it looks like you are offering prepaid services through different providers similar to H20 Wireless. You claim to offer protection but give no detail on it except that you use "military grade protection".
Yes updating the website this week with complete information. Our arrangement is somewhat similar to any other MVNO with just that we've blocked sim port attacks & have specific measures in place along with a $5M insurance
Another step one can take is to use a separate number for authorising banking transactions. This number should be 'unlisted', i.e. not shared with anyone but your bank(s).
60 comments
[ 21.4 ms ] story [ 129 ms ] threadYou know what happens if someone tries this with your brokerage? It takes three days, not one hour, there's a name on the destination account (know your customer), it takes days (at least) to withdraw money from it, and there's a medallion signature on the transfer, so your brokerage is on the hook for it.
There's a reason fraudsters are targeting cryptocurrency exchanges: arguably less security, but more importantly, it's easy to quickly and irreversibly transfer the money.
I'm...not sure that's how it works. Yes, common sense suggests it's much more difficult with conventional financial assets, but is that signature guarantee or whatever you call it protecting you or the institution? In the sense that, if someone successfully forges one, what actually happens next?
> A medallion signature guarantee is a guarantee by the transferring financial institution that the signature is genuine and the financial institution accepts liability for any forgery.
[0] https://en.m.wikipedia.org/wiki/Medallion_signature_guarante...
Maybe I'm forgetting how this works...
...reading the wikipedia page, it sounds like the idea is to deal with forgeries of signatures provided to the guarantor. Not with forgeries of the guarantor's approval.
Then again, maybe you can't really forge a guarantee as long as it can be looked up or invalidated by their database.
> Hi, AT&T, I was at the bar last night and I lost my phone. I still have my old phone, though. Can you help me transfer it? Mother's maiden name? Why yes, it is on whitepages.com!
Sorry for the delay in answering, “Social Engineering” is not hacking. Manipulating the SS7 protocols for nefarious ends, could be considered hacking.
https://blog.securegroup.com/phone-hacking-through-ss7-is-fr...
(I’m on T-Mobile and this has happened to me 3 times)
It sounds like you are not aware of the existence of the term “Social Engineering”.
I invite you to read this Wiki page [1] which explains what the hack is about.
Social Engineering is, in fact, one of the most common techniques used by hack people, for example, by tricking someone into clicking a malicious link in a phishing email. There is also “Smishing” which is the same —tricking someone into reading and clicking a malicious text or link— but via SMS. In this specific case the hackers are using a technique commonly known as “Vishing” or “Voice Phishing” [2] which is a criminal practice of using social engineering over a telephone system to gain access to private personal and financial information from the public for the purpose of financial reward (verbatim from WikiPedia).
Have you heard stories of hacks where an employee plugged an infected USB, CD-ROM or floppy-disk into a computer connected to a secure facility? Well, this is another social engineering technique commonly known as “Baiting” used by hackers to attack systems that otherwise would be impossible to access from outside [3]. Stuxnet [4] is one of the most famous examples of a social engineering attack, among several other techniques.
As you can see, social engineering is the very beginning of many hacks.
[1] https://en.wikipedia.org/wiki/Social_engineering_%28security...
[2] https://en.wikipedia.org/wiki/Voice_phishing
[3] https://en.wikipedia.org/wiki/Air_gap_%28networking%29
[4] https://en.wikipedia.org/wiki/Stuxnet
I get the fact that the real crook is the thief, but surely ATT is at least partly negligent. How much are they responsible?
And unlucky people are caught in the middle.
https://www.pindrop.com/blog/nist-explains-proposed-ban-on-s...
Why should we use outdated and vulnerable networks when social engineering is all you need to steal stuff?
This from 2012: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...
I encourage everyone to use a hard to guess email alias (foo+bar@gmail.com) for your LOGIN — not password. This thwarts many of these attacks!
“Sir, let’s reset your password. What is your email please?”
“foo@gmail.com”
“Sorry, we have no such user.”
“Really? But—“
“Really.”
I haven't used it. I want to, but haven't wanted to deal with changing my family plan. It does make me more interested in a dual-sim phone.
I want to know how it would’ve prevented this social engineering attack
Sure, you can make porting difficult. That doesn’t get you very far.
Can you defend against sim swap attacks if your MNO is compromised, how?
Where can I read more about your insurance policy? I can’t find any specific details on your website.
We do defend against SIM swap attacks because MNOs can't access our account
How does that work? Your contracts might stipulate this, but I don’t understand how this could work from a technical PoV.
They might be able to protect you against regular port-outs, but not SIM swap attacks performed by people who’ve compromised carrier infrastructure.
The language on the page is downright hilarious “11-Layer of Military Grade Authentication”.
Yeah, the problem here is that since you’re a MVNO the easiest angle of attack would might just be to go for the big MNOs that you resell (Verizon, ATT, Sprint,Tmo). You can’t really offer bounties for such attacks, and I can’t see how you could defend against them either.
The fact that you control the # might defend against port-outs, I don’t understand how that could prevent SIM swaps though.
Seems like the best answer is to not reuse passwords, use complex passwords and avoid giving "real" answers to security questions.
And if course, don't keep your life savings in an account that can be withdrawn entirely on a moments notice...
From a quick look at your website, it looks like you are offering prepaid services through different providers similar to H20 Wireless. You claim to offer protection but give no detail on it except that you use "military grade protection".