Ask HN: How do I protect myself against SIM swap attacks?

56 points by benrapscallion ↗ HN
I am on T-mobile in the US if that helps.

53 comments

[ 2.4 ms ] story [ 114 ms ] thread
in my experience it’s pure PR bs with no teeth in response to public pressure. Getting past the code verification is trivial in stores. Employees do not enforce verification at all or even when they do a decent fake id would easily defeat it since tmobile doesn’t bother sending a 2fa verification to your device.
Yes, I listened to a podcast that describes an attacker getting access even though the victim's account had a PIN (https://darknetdiaries.com/transcript/97/):

>MILES: [MUSIC] They were able to get ahold of T-Mobile and manipulate their way in through either doing it in person or doing it over the phone, and convince somebody to change out the SIM for them.

Don't use text messages as 2FA in the first place.
That's a good idea but it's not a practical solution because most websites don't give you the choice.
Most high security and high value websites, like cryptocurrency exchanges, do. There is less risk of being SIM swapped and attacked on low value website, as there is nothing for criminals to gain.
That is true and consistent with what I've seen. However way too many IT policies Will rely on phone sms 2FA, such as Wells Fargo

Sometimes people just like to watch the world burn...

and besides even if they get something low value as far as money that doesn't mean it's not important to me or terribly stressful

I use Google Fi because the SIM card is attached to my Gmail account where I can use A real 2FA
and considering it's google, there is no way anyone will be able to reach a real human there. /s
Have a separate sim/phone dedicated to 2fa.

Send test sms to yourself at least twice a day

Could you elaborate? What makes the secondary one more secure than the first one?
Nobody knows about it. Sim swappers will attack your number. The one they know.
They may be able to bribe phone company employees to look you up by name, but you'd at least be blocking one route of compromise
You can get phone service anonymously in the USA.
Having a separate number/SIM solely for 2fa makes it harder for attackers to know the number they need to initiate a simswap in the first place, since it won't be publicly associated with you the same way your normal phone number is, like being listed on your LinkedIn or resume, or obtained from a social media or other account info leak, or able to be socially engineered or phished out of friends/family.
Use authenticator app for 2FA, not your phone number.

But be really sure you want to do this. The main reason I would not recommend ordinary consumers do this, is that if you lose your SIM (eg, stolen or lost phone), you can go to a mobile phone shop and get a new SIM card issued to you after verifying your identity. With other forms of 2FA, you do not have access to the same real-life-based identity verification service, and it is also essentially the source of SIM-swap risk.

Yes, ordinary consumers are starting to use TOTP more but still may not be aware of what you pointed out.

To mitigate the risk of losing my 2FA credentials I use the FOSS app andOTP (Aegis is similar, but better UI, from what I hear). It can export your data as both cleartext and encrypted JSON so you can import into a new phone as desired.

I'm aware of solutions that can help prepare for a backup. I don't think most people should trust themselves to handle backup responsibilities. Speaking as someone locked out of an encrypted disk full of old photos that I carefully wrote down the passphrase to on a piece of paper for safekeeping... Since then lost.
Authenticator app can also stop working when you migrate to a new phone - a friend got locked out recently after migration. Apparently you need to follow some steps [0]

[0] https://www.alphr.com/transfer-google-authenticator-codes-ne...

You can use Authy and install it on multiple devices/computers
Doesn't allow for export though, which is a complete pain for backup.
Authy on Android has backup to Google Drive.
Maybe I'm not understanding, but what is export and backup in the context of an OTP application.

Per my understanding, if I have Authy on my Phone, the one on my PC/laptop is the backup, and vice versa - in the sense that if one dies I can use another.

Could you elaborate on the use case.

TOTP/HOTP codes are defined by an algorithm (sha1/md5/...), secret (A826EF8...), and number of digits (I usually see 6 digit codes). TOTP additionally takes time period (30 second codes) and time (current time which maps to some 30 second block) as a parameter and HOTP takes a counter as a parameter. All of these parameters go into the function to generate the numbers as a result.

If you have ever set one of these up with a QR code, that QR scans to something like: otpauth://totp/ACME%20Co:john.doe@email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30 (From: https://github.com/google/google-authenticator/wiki/Key-Uri-...). Notice all parameters I mentioned above are present, as well as a user friendly account name.

So to directly answer your question: a backup would in some way contain all the parameters above, possibly in that otpauth:// format, but could be json or something else.

I would not consider Authy to be a trustworthy backup. I assume they are storing these secrets for you and transferring them to other computers at your request. If you can't see the secret, you can't switch to a different app. (Take this last paragraph with a grain of salt, I don't know much about authy but it sounds like trouble. I use FreeOTP and other open source OTP apps).

On Android you can use Aegis Authenticator[1], which allows an encrypted export of the private keys.

[1]: https://getaegis.app/

Andotp or aegis authenticator are both great open source 2fa apps that let you export and backup your 2fa to cold storage somewhere incase of these situations
When you add accounts to your authenticator app, you can just print out the QR code (take screenshot).

Then you have a physical offline backup of the TOTP secret in a QR code with error correction.

Store those sheets of paper in a folder somewhere safe.

Also consider using a yubikey for TOTP -- but do a paper backup regardless.

I use google voice locked with 2fa like the rest of my google account.

And yes, I have never been rejected from a service for using a google voice number as my 2fa source. Heck, even my google account uses 2fa through the google voice number - as one option :)

I've never even heard of Google Voice and now feel like I've been living under a rock. Could you elaborate on how you use this? For example:

* Do you use the same Google Voice number as your actual Google account phone number, or just for other sites? If the former, how does it work with Google 2FA (ie if you are logged out of Google account I imagine you can't access you Voice number either?)

* Are you concerned with losing access to your Google Voice number if Google decides to ban your account one day? Regular phone numbers seem a bit less nebulous in that phone providers don't seem to just suddenly decide to ban you and your number as much as Google, Amazon, et al. Then again I have no data to back up this impression.

* What made you pick Google Voice over another VoIP option?

* Do you worry about Voice going away with Google Fi?

Not Op but I can few of your questions.

* I am using same google voice number as my actual google account. I live with constant fear that if I am locked out of google account then I cannot access my voice number. Only thing I do to avoid this scenario is to have back up code written somewhere. * Trust on Google * as of now no

Thank you. I read that Google Voice only provides US numbers, which I have a sneaking suspicion might become a problem for me if my address is not in the US. Coupled with not really wanting to be locked in to Google for another service, I did some more research. A provider called Sonetel seemed to have decent reviews and had great pricing for what I needed, but when reading through their docs I noticed them say their numbers cannot be used for identity verification with third party services :( So it's back to the drawing board. But the whole idea of:

a) Not using my personal number for online services

b) Using a virtual number instead of a phone provider SIM

...seems worth pursuing. I think a) above is more important for me than b), but my current phone provider does not yet support eSIM and my phone does not support dual sim, and I really don't want to carry two phones around...

Not 2FA per se but Google Voice numbers do not work for certain services at all. Zelle is a recent example I ran into but I've had others before that wouldn't accept it or would accept it but fail silently.
PayPal doesn't allow it either
One answer I haven't seen mentioned yet is to use a carrier who lacks a physical presence (e.g. many MVNOs). I'm not sure if the MVNO security infrastructure can be circumvented by employees at the source network's physical stores, however. E.g. if I use Boost Mobile, can a Verizon store employee override the PIN I've set?

Of course the best answer is to not rely on SMS or voice call 2FA, but as others point out, some services only support these insecure options.

As much as possible avoid providing your phone number to the services that you use.

Many of them don't have a separate toggle for phone-based recovery so as soon as you provide the phone you are opting-in for phone-based recovery which makes you vulnerable.

I think all services should have a specific checkbox for this option, if they insist on SMS recovery stuff.

Long story, but some time ago I managed to convince my phone provider to require a "password" when I call them. They had added a saved note against my customer record advising any support agent to ask for the password. I rarely called them but I did see it actually working when I later interacted with them and they asked me the password. I don't recommend this approach at all as it's not reliable.

I think the first way to protect yourself is to switch from T-Mobile they have notoriously bad security. In fact with all the recent leaks I don’t understand what they can do to actually safeguard accounts against SIM swap attacks.

The most secure way to protect against SIM swap attacks is not to use a SIM based number for 2fa. I’d suggest using a Twilio, Telnyx, or similar service where you have more control over the number and even the porting process.

Many services won't accept these 'virtual' phone numbers for 2FA. Last time I tried I couldn't assign a Twilio provisioned number as the second factor on a Google account for example.
Meanwhile I got an e-mail yesterday from Wealthfront saying US-based SMS is now required for 'security' despite having TOTP. Hopefully this was an error to mean 2FA with SMS as a minimum for security, otherwise they don't understand security or they want your phone number for 'other' reasons. If it's not a mistake, that'l be the straw that broke the camel's back for me.
A year ago I was simjacked by someone who walked up to a T-Mobile kiosk in San Diego and acquired my phone number by simply claiming they were me. This bypasses every possible layer of protection you can set up with T-Mobile; an actual human employee just went ahead and gave my SIM away.

Fortunately my wife is primary on the account and is very much on the ball. She got texts that the SIM card had been changed and within minutes had them recover it and lock it back down. Besides "ditch T-Mobile," this might be the best piece of advice: don't be your own primary, and be sure your primary has your SIM card on extra-paranoid notify-me-instantly-if-it-changes mode.

Fortunately the first thing they were after was my Coinbase account, which they two-factored only to discover was empty. If they'd hung around a while and poked around I would have been well and truly pwned. So, second piece of advice, already said upstream: do whatever you can to avoid giving online services your phone number.

When I finally got in front of a support rep they confirmed the whole thing and (just because I was there, and large, and extremely pissed off) let me take as many photos as I wanted of the entire incident report right there on their kiosk. This by itself did not fill me with a strong sense of confidence in their opsec; third piece of advice is: anybody but T-Mobile.

Wow, that is insane. And your advice is much valued! Thank you for sharing.
In my country we have one method that is kind of stupid but it should work. You pay your phone bill after the deadline so you are always one month behind. This way you are always in debt and as such you can not transfer your number to another operator. I didn't test it but it should work since at least for my operator.
Amazing, it seems reasonable that all operators would follow this, I'll have to try this out.
security researcher here, but cellular protocols are one of the few things I hadn't touched, only slightly faniliar from reading and hearing. so reading your title made me wonder what actually can be done, aside from everything people wrote here. seems like this is a gap in security, globally. it really seems to be (one of) the weakest link(s). all other answers are fine, under certain conditions, impractical in reality.

one of the things I do think can be an improvement is using virtual sim, such as twilio, then it's more manageable, get notifications, probably more secure than employee being socially engineered to give your number away...