11 comments

[ 1.9 ms ] story [ 36.6 ms ] thread
I wonder if this was SIM-swapping and if so if it will finally get a bit more federal attention
The problem really isn’t SIM swapping, it’s that we’ve become used to treating phone numbers as reliable personal identifiers, and SMS OTP as proof of identity (for authentication) and/or humanity (for spam/sockpuppet account protection).

Mandating 2FA methods other than SMS OTP would be amazing, but I don’t see that happening at the federal level, largely due to the complete lack of other digital authentication methods. What else should companies use?

the same thing hacker news uses; a user name and a password.

if we want proof that each account correlates to exactly one person, well i think that should 100% not be a phone number and is an entierly bigger+different problem

I fully agree, but practically, this is what many companies are doing right now.
lol after what we've just seen, when one company jumps off a bridge and lays off a ton of folks, other companies copy that same move...
It is far too easy to conduct a SIM swap attack, and far too easy to steal someone's identity and use that for credit.

And the burden is on us, the consumer, to show our innocence, when in reality, we're the victim. The thief defrauded the bank, and it had nothing to do with us. In fact, a huge majority of the time, the information used to defraud the bank came from another corporate security failure.

But companies have, through legislation, contracts, or simple might-is-right, set a standard where they have to do nothing and it's all on us.

I had to go through a whole host of BS with Verizon to show that even though I've lived in Washington for over a decade, and been with AT&T that entire time, that I somehow decided to head down to the outskirts of El Paso to open a Verizon account at a Walmart, and then run it up with international calls to Mexico and Eastern Europe until they cut it off three months later with $1,200 outstanding.

VZW demanded police report (fine, sure), copies of my ID, wanted utility bills to show my residence in Washington, even asked for (and I refused) copies of "several recent AT&T bills to show I had an account in good standing with them".

Their "preliminary review" said that they were "satisfied that I was the account holder and was liable for the debt". So I asked to see the account information, you know, being the owner of the account and having verified my identity to them...

for absolute hilarity, they refused, citing "account holder privacy".

So... it's my account when they want their money. And not my account when they are, all of a sudden, concerned about privacy.

This whole thing is fishy (phishy?). The cryptocurrency ETF announcement was accurate, merely announced a day early.

The "staffer" (a.k.a. intern) was apparently compromised via the SIM swap, but multi-factor authentication was not enabled and they just happened to know THE email address to reset the password? So someone was able to reset the password and post an innocuous announcement, which was basically what was posted for real the following day, and yet the SEC was able to recover control of the account within minutes to post a rebuttal?

Let's just state the obvious - the intern (or possibly an automated system created by the intern) accidentally posted the legitimate announcement a day early which was embarrassing to the SEC. They are doubling down on the "hack" theory for CYA reasons.

How many times do we literally have to learn about sms being the shittiest "2fa" method available?

I'm fed up with it. My _bank_ forced me into sms authentication. How on... earth?

Agreed, and who implement it knows this but they need your phone for other reasons, to ID you, to sell it to ads companies, to find your other accounts that use the same number, among others, but none of them is in the user’s favor. That includes other services that market itself for privacy minded people like Signal.
“Bankers don’t want to work anymore.”