Couldn't T-Mobile send their own SMS's to their employees pretending to increase the payout to $600, then fire any employee that replies?
Or maybe change the terms of use for the employee line discount to allow monitoring SMS content or metadata for security threats to the companies users?
What's the solution here? Can we practically expect employees at retail stores to not be permitted to change a person's phone over? What if the person who needs the swap has said their phone is lost/stolen?
I think ideally there would be some kind of verification that the customer was indeed present and that their ID had been verified, but I don't see how you can do that in the US as there aren't ID cards or similar forms of universally available ID. I also think you should be able to get a phone number without ID at all, which would preclude verification in those cases.
The issue is that people's phones are essentially the roots of trust for our digital lives. Passkeys being built into the OS are good because they push that problem away from carriers, but the fundamental issue still remains. Bootstrapping trust is hard.
... away from carriers and into the hands of Google/Apple/Microsoft, who can kill your account for any and no reason at all.
Except for that one giant issue, passkeys are gonna be great.
Except for that one giant issue, passkeys are gonna be great.
Unlike passwords, you can have multiple passkeys associated with an account. Accessing from an iPhone? Use your Apple passkey. From Android? Use your Google passkey. Want cross-platform? Use your 1Password passkey. Etc.
Right. Relaying Parties (RPs) need to have beaten into their implementations that multiple keys for each identity is normal + correct behavior, and the number of multiple keys should not be unreasonably limited.
After the trouble of adding multiple keys, I think there needs to be way to easily add multiple keys. Like uploaded file or service that has list of public keys. Something like cross-sign the keys and then authenticate one of them.
I wonder if hassle means there will be more use of OAuth but that means trust.
This is indeed the elephant in the room with WebAuthN.
There needs to be a way to e.g. share the secret seed in one passkey securely with another and put that in a safe deposit box, with a friend etc. without needing access to both keys whenever a new account is added.
It's a real shame that most stakeholders in FIDO/WebAuthN have moved on to passkeys as the canonical path forward over hardware-based solutions like this. Passkeys are definitely better than passwords, but they shouldn't be the only option out there as-is.
Yubico had done some work back in (I want to say..) 2020 to solve this very problem: bootstrapping a new key based on existing trust with an existing key. Of course the trick remains of needing to have access to both keys for at least a short time to create the relationship between them. They worked out some of the mathematics and cryptography they'd need, but it didn't seem to go anywhere. They wrote a blog post about it but I'm having trouble locating it.
I remember this as well, and it's a real shame it didn't go anywhere.
In terms of user experience, they could sell pre-linked "Yubikey pairs" or offer a user experience of e.g. plugging both into the same computer and resetting them via a long press to "entangle" the pair cryptographically.
I always thought of passkeys as hardware tokens that shouldn't be backed up. It needs to be easy to have extra one that lives in a secure place. But like most people don't use secure passwords, they also won't worry about back up key.
I am not sure that passkeys are any more secure than random password stored in password manager. I'm suspicious about password managers used to store passkeys. I guess they are better since have to unlock the password manager.
I have had idea for place that can verify identity. Walk into store, they take biometrics to verify identity, and then give you card. That can be used to unlock accounts if locked out. It does have risk of employees being bribed. But banks don't seem to have that problem. Making sure it is done in person should help.
There are several 'boutique' email providers (fast mail, proton, etc) that you can use instead of the big 3. You can even host your own MX server but use a relay service so you don't have to deal with IP reputation issues.
lol relay services have reputation issues, I was talking to someone today about trying to whitelist some vendor this company uses because they use a relay service and it looks sketch as hell when emails show up seeming to pretend to be someone else
Sketchy relay services have issues. Haven't had issues with AWS SES or Sendgrid
They should still have proper SPF/DKIM/DMARC so you can verify the sender even if it was relayed
I have google fi and I'm always a little low key worried that they'll block my account which will kill my phone/docs/drive/email all at once.
It also kinda sucks having google as your email and your phone when they want to use email to verify your account settings and you can't get into your account. This happened to my wife, and they essentially have no support on the fi side and the gmail side support isn't super helpful. She was eventually able to recover her gmail account and fix her fi activation but it a huge pain and took a couple of days.
definitely shift off google for your email. either shift off google for your documents, or at least have regular backups.
I would not put all my eggs in one basket like that. You're one inadvertent terms-of-service violation from losing a huge chunk of your digital identity with no recourse.
I think ideally there would be some kind of verification that the customer was indeed present and that their ID had been verified, but I don’t see how you can do that in the US as there aren’t ID cards or similar forms of universally available ID.
Requiring government issued photo ID for identity verification is not at all an uncommon policy for various purposes in the US, and AFAIK all states have universally available ID cards (they are generally not free of charge, but they are universally available.)
I help people move to Germany. Requirements like this make it really hard for people to settle in a new place. On the other hand you can’t expect a teenager working minimum wage to identify a Thai passport.
There exist services for ID verification, usually by video call. They exhibit the same limitations though.
If a passports are accepted it should not create a problem for most foreigners/immigrants. And Thai passport doesn't look too different from others: https://en.wikipedia.org/wiki/Thai_passport guess an untrained worker will not spot a forgery but that's true for no matter which country's passport do you use and something like an US driving license looks easier to forge than Thai biometric passport.
something like an US driving license looks easier to forge than Thai biometric passport
I'm not sure this is the right comparison, in general, although I agree with your point (below). I suspect that one benefit of accepting domestic driving licences as ID, but not most foreign non-passport documents, is due to familiarity. That's probably as important a factor in spotting forgeries as the security features embedded in the document, which aren't very useful if the person checking isn't familiar with an authentic version of the document.
In practice, I tend to agree that someone is likely to not be familiar with many driving licences, such as (in the US/Canada) those from distant or low-population US/Canadian states, provinces, or territories, or (in much of Europe) a smaller European country's driving licence or national ID card, so a foreign passport is far from the main concern.
Agreed. And even within a jurisdiction not everyone may be very familiar with domestic IDs. FinCEN just yesterday released a notice to financial institutions regarding the use of forged and legitimate US Passport Cards in connection with fraudulent or suspicious activity. The notice includes a litany of validity tests given that people just don't see these very often.
I have a US Passport Card that I present as my photo ID when asked, because I don't want my address presented to just anyone who might have a valid need to ask for ID. Federal employees look at it and waive me on, but outside that I get a mix of "I've never seen this" (and every time it's still been accepted) and a lot of careful scanning of the card.
ID REALLY should be paid for by taxes and 'free' for everyone obtaining their proof of identity. Now, a 'drivers' license might have an extra fee on top of that.
Maybe the free IDs could be issued by police departments? Either way this is a good time for someone to register as a voter too, WA state has a simple checkbox for that and other states can too.
Especially since the recent push for "Real ID" required to fly. Ok if it's so "Real" it should be easily scanned and verified.
When you get your phone they should hand you a pamphlet saying that when you lose your phone this is the process, these are the risks, and offer you the option to upgrade the security to require, say, a passport to restore your account.
Yes, and the police could drive them to the voting booth as well.
but I don't see how you can do that in the US as there aren't ID cards or similar forms of universally available ID.
How so? Aren’t there multiple options available?
There are many available but people are not required to have one (unless driving, etc.)
Yeah when I lived in NYC, I came across a lot of people who didn’t have licenses but used other IDs from local government agencies.
Interesting! What other kinds of ID are there?
IDs are used for many things other than driving, like:
(1) buying alcohol / entering bars
(2) flying
(3) voting (in certain states)
(4) a doctor's appointment
(5) picking up a prescription
(6) withdrawing cash at a bank
(7) touring an apartment you might lease (for the leasing agents' safety)
(8) returning items at a store if you don't have a receipt (as an anti-fraud measure)
Yes. Those are all excellent reasons to have an ID.
A simple time delay can solve 99% of cases.
Simply require that a SIM can only be swapped if it is disconnected from the mobile network for 48 hours. And if it isn't disconnected, the original SIM will be called/texted to ask if they really want the SIM swap to happen.
require that a SIM can only be swapped if it is disconnected from the mobile network for 48 hours
If someone has both devices in hand, there isn't even need for a delay. The only time you need a delay is when the original device is missing. In that case, sending a message to that SIM and having a mandatory delay (ideally, customisable by the customer) seems reasonable.
The message text should say.
You have requested a replacement sim card. To proceed with the replacement now, reply "Yes". To keep this sim card, reply "No". If you do not reply, a replacement will be mailed to your billing address: 54 Wolverton Gardens in 7 days, and this sim will be deactivated.
An attacker now has to overcome the time delay, and the fact that the replacement sim card must be mailed to the billing address. For those people who have an outdated billing address and lose the sim card, require the sim to be offline for 7 days, or demonstrate access to an email address or credit card on the account.
That's a barrier to switching carriers.
That's precisely what happens with SIMs in India. When a SIM swap happens, text messages are blocked for 24 hours to allow a customer to alert the operator before one time codes resume sending to the new SIM
Having a pin on your account before a swap (or any other action is allowed) seems like a useful barrier to entry.
Then a corrupt employee needs something they won’t have to execute the swap.
There is no way that most people would remember the pin, so employees would need some way to bypass. And voila, back to where we started.
Ppl remember pins for many things E.g. Atm. The additional protection is better than not having it.
They remember because they enter the pin on a regular basis, and probably share it among all their other bank cards so they're using at least monthly. A pin that they set years ago and never used has zero chance of being remembered.
Even worse: If the PIN is user-selectable and four digits long, guess what most people will most likely pick?
crypto makes this scam much more lucrative, otherwise paying off an employee not worth the effort usually
Can you really not imagine any scenario other than crypto where compromising an employee's account could have financial consequences? Thinking about that somewhat large industry other than crypto dealing with people's money...
then why did these attacks explode in popularity in 2018 and all involve crypto? Bank transfers can be reversed and can take days to process and have more security checks, crypto is instant and irreversible and the security checks much weaker.
One might assume that, but there's still things like the fully digital Bangladesh bank robbery of 2016 [1].
Bank transfers are often, but not always, reversible, and sometimes finality is a feature desired by all participants and explicitly designed into systems, e.g. RTGSes. CEO fraud is on the rise and wouldn't be possible without these systems.
That's one reason why these are often not directly available to private consumers without a banker and some level of ceremony in between.
What's the solution here?
webauthn
Sure wish more places would allow you to turn off SMS if you’re using something like a Yubi.
WebAuthN is an excellent alternative to passwords, but a relatively poor access recovery mechanism, given that it just kicks the can down the road to another provider at best (usually Apple or Google), and to a single physical object that's easy to lose at worst.
I use it myself, but I do also understand companies and people that don't want to make it their only way back into their account as it is.
Easy solution: Don't use SMS for password recovery.
SMS might even be okay for 2FA, but it must always be the second factor. "Forgot my password" -> SMS code -> new password is just 1FA. Using SMS as the only factor is really, really bad.
The choice of 2fa options isn't under user control. And various non carrier options (Google voice) are rejected.
Then don't use insecure services. I think in the EU sms only password reset indirectly violates data privacy laws (not securing private data with industry standards).
I use Google Voice for this reason, so that you need to authenticate with my google account to modify anything related to my phone number. It's not perfect since there is still an internal forwarding number they could sim swap on, but it would require them associating the two numbers first, and I don't use my t-mobile number for anything outside being the forwarding number for google voice.
You can switch Voice to use IP only through the app/web
I keep it in case I'm in an area that doesn't have data.
There should be a security code that’s only known to the owner, can’t swap it if you don’t have the code. Seems like a pretty simple and effective solution imo.
This already is in place at T-Mobile, but it seems the it can be overridden.
What's the solution here?
Not putting phone providers in charge of access to our digital lives.
that the customer was indeed present and that their ID had been verified
Present where? My MVNO does not have any branches. And even if they did, why should I ever have to go there? I don't go to bank branches either if I can at all help it.
either if I can at all help it.
Sometimes you can't help it, you need a phone today, and need to go into a store for your phone company. No, buying a phone from Walmart or Best buy and waiting for a sim or doing some eSim thing won't work, you just need to get into a branch today. If an MVNO with no branches works for you, great, but some people need to be able to go into a branch of their cell phone provider/bank/utility.
Multi person approval, especially two that don’t work together.
You're not wrong, but trust is an issue here as well.
If someone convinces both Person A and Person B of their legitimacy, even if they're not legitimate, this doesn't solve anything.
If Person A and Person B trust one another personally, then _idealistically_ you're vulnerable to collusion (intentional) or abuse (unintentional).
If Person B trusts Person A because of some policy or technical attestation, that means the policy or technical criteria needs to be robust against abuse.
If you're in-person at, say, a T-Mobile store, then it's not likely that Person A and Person B don't work together, but even if they don't, the first issue still applies.
I've watched T-Mobile store employees just pass an iPad to a manager and say "can you type in your code?" Depending on the employee or what process was requiring approval, the manager might or might not have asked "what are you doing?" "Can you justify this?" etc.
I also think you should be able to get a phone number without ID at all, which would preclude verification in those cases.
While I agree with you, this is already not the case in much of Europe where an ID is required to obtain a sim card.
Whenever I go to mobile provider in Serbia to do anything related to account I have to provide government ID. They even put it in card reader to get relevant data. While SIM swap is certainly a theoretical risk, it's not a practical one around here. Having authentication on a phone or another physical device (without backup) seems to be at least two orders of magnitude higher risk of losing access to everything. Relying to Google or another third party for authentication is not without its risks too.
I just hope SMS authentication won't go away completely for other parts of world where risk balance is different than in USA. Until things change, I trust more my local birocracy to work their birocratic ways and always check ID where needed then I would trust myself not to lose some auth device.
I don't see how you can do that in the US as there aren't ID cards or similar forms of universally available ID
You're speaking out of a position of extreme ignorance. There are ID cards - drivers' licenses and passports - that are near-universally available, and are regularly used as identification.
If you are a SaaS provider or bank, and you let password resets happen by SMS, you are a threat to your customers.
Stop doing this.
First, and a no brainer: offer "continue with ____" sign ins (OpenID Connect / OIDC) for users of Google, O365, Apple, to get out of the account creds business for most users.* (See also: passkeys.)
Second, prefer TOTP as the MFA, not SMS.
Third, if you absolutely have to do SMS for some dark pattern "harvest my customers' phones" reason, use it exclusively as a second step, never as an only factor.
* For most customer firms using M365 or Google accounts, if you couple accepting OIDC with a domain validation to the customer's email address, you don't have to do SSO/SAML, since OpenID connect + domain accomplishes roughly similar goals on both sides without the per client company configuration overhead or "SSO tax": https://sso.tax/
Not sure what the alternative is as most users will walk if they aren't allowed to use SMS
Would users walk away from a hospital if they are required to wash their hands and wear a mask?
Sometimes the customer is not educated on safety and you have to hold a line to protect them and yourself.
Invest in good onboarding UX.
No, because they're locked in. Either by their insurance plan, or because they're experiencing a medical emergency and don't have time to shop around.
A prospective customer shopping around for whatever service has the lowest security is probably not a customer you want.
No one's shopping for low security. They just end up with it because they don't care.
Exactly why we do not sell cheaper models of cars that lack airbags.
Basic security and safety should not be optional.
The alternative is to educate the users. People use SMS because they've been coerced into believing it is secure, and had the wool pulled over their eyes for $reasonsToGetYourData.
Educate me please, if I value availability, are there any options better than SMS?
OIDC means your digital life is destroyed if Google ever decides to ban you. And they are well known to do so, and there is normally no recourse once you are banned. You have to be either brave or stupid to trust your security to tech giants.
Passkeys, TOTP are vulnerable to your device getting lost or broken, something that can also happen a lot.
Sadly, if you want things to work no matter what, SMS are your best bet.
Most users? Seriously doubt it.
Any choice more secure than SMS will only empower the consumer. You're pointing out a real problem, but the first step is at least an alternative.
Where's that assertion coming from?
Aren't passkeys ready for prime time yet?
Not until I can backup a passkey without Apple or Google acting as the steward. I need a system where I know that if my phone is lost, I can restart my digital identity without a tech giant.
KeePassXC: Enabling Passkey Support https://keepassxc.org/docs/KeePassXC_UserGuide#_passkeys
KeePassXC Passkeys Without Big Tech! https://www.youtube.com/watch?v=L7uXFJfxf80
I believe bitwarden does this too, but I stick to yubikeys
1Password does passkeys, and they exist on multiple platforms. I assume they are not the only non-Apple/Google password app which can do this.
I have mine in Bitwarden but I didn't think carefully through this, I just used what I had. It looks like Vaultwarden hasn't yet added support so you can't rehost without Bitwarden but you don't need Apple or Google.
Yup! There's a directory of sites with support here: https://passkeys.directory/
I use it for ~50 sites. It's such a pleasure to use.
I'm not touching it unless I have a way to export my passkeys and migrate them wherever I want.
It is absolutely not a no-brainer to use Google/etc accounts instead of handling that oneself. The last thing we need is an Internet which is unusable to anyone who chooses not to have (or gets banned by) big tech companies. I myself refuse to use the federated login option because I value the ability to not tie my entire life to my Google account.
Also, there is always a risk of your google account getting banned for no reason other than their blackbox system suspects you did something wrong.
They'll address this kind of issue manually, provided your story makes it to the Hacker News front-page.
there are plenty of options for 2 factor apps that don't require login. in fact, even Google's authenticator app does not require you to login. you can use it locally and store the codes locally.
OP said that companies should let Google (etc) handle logins entirely, not just use 2FA apps.
For end users, the sign in page will look like this:
https://id.atlassian.com/login
Or this:
https://www.xsplit.com/user/auth
These both offer a "your own email" sign in path. That's why I said "out of the business for most users", I didn't say "for all users".
Plus, I'm speaking to SaaS providers here.
Fully 85% of businesses in the USA use M365, meaning for all but 15% of your b2b users, you do not have to host company-user credentials!
I'm pretty sure you didn't have the "for most users" qualification when I first replied. I may be mistaken, but I don't remember seeing it at any rate.
Honestly even TOTP is negligent to support at this point.
TOTP is phishable, and the root secrets are stored in most TOTP apps (including Google Authenticator) in plan text, usually in SQLite, because almost no enclaves support the TOTP algorithm.
The only hardware devices that -do- support TOTP like Yubikeys or Nitrokeys also support WebAuthn in which case just use that.
A hard requirement of Virtual Passkeys and hardware WebAuthn devices should be a bare minimum for auth security in 2024.
Passwords and one time codes are phishable 90s solutions to the problem and it is nuts they still are so dominant.
TOTP is a compromise, like everything in security, and one that’s fairly secure. Until we reach a point where hardware tokens or virtual passkeys become mainstream (and their related usability issues addressed), we will be stuck with the “something you have” factor needing to temporarily move into the “something you know” factor via the the TOTP. The fact this expires within 30 seconds makes the attack vector more limited, also unlike an SMS code that providers use to verify you while on the phone with them, you never give this code out (found on a separate app) to a person on the phone, which helps separate this particular factor from SMS.
The truth is that, while it offers superior security, hardware tokens and virtual passkeys are not accessible to the masses one way or other. This is a problem that should eventually be solved but nearly all prior attempts cannot supplant the ubiquity of passwords.
Passkeys are easier to use, harder to lose, and more secure than TOTP or passwords in every way. If you have a web browser from the last couple years you can use a passkey.
You do not often get a win that clear in security. It is a no brainer to mandate for users today, and stop wasting customer support hours on dealing with accounts compromised by phishing.
Or a government, many do this too
If you use SSO for a consumer account, you still need to provide a way to reset the account when the identity account is no longer available. That reset path is still most likely the weakest link. Not to mention that some of the identity providers will allow reset with only SMS, and once someone gets in there, now they're in everywhere.
I still like it for corp SSO though; you can force corp accounts to SSO only with no recovery, and you can force the corp account recovery to be difficult.
if you absolutely have to do SMS for some dark pattern "harvest my customers' phones"
I had a bank that asked for my phone number when I sign up, and I gave them a landline number that is not capable of receiving SMS. Some years later, without any input or authorization from me, they decided to enable 2-factor using this landline number. It was super annoying.
My other bank accepts Yubikey. I wish more banks would do this.
First, and a no brainer: offer "continue with ____" sign ins (OpenID Connect / OIDC) for users of Google, O365, Apple, to get out of the account creds business for most users.* (See also: passkeys.)
Thanks but no thanks, the last thing I want is for Google to be in the chain for something as vital as banking. One false signal in Google's AI model and you're permanently fucked. Or someone compromising the email account (not just credential stuffing but e.g. cookie theft).
Second, prefer TOTP as the MFA, not SMS.
People loathe app-based (or, even worse, RSA token-style) OTP, especially if they lose their phone or it becomes permanently damaged you're fucked unless you made a backup.
SMS in contrast? Even your 80 years old grandma can use that, and most common failure modes (i.e. stuff requiring support from you) are handled by the telco.
All I can say is: No shit ^
I'm tired of it. SMS as "authentication" needs to be outlawed at this point. I'd vote for whatever candidate wants to sponsor this bill.
Ok, I honestly don't know—is there a way to use this to secure access to an account generally, without having access to the password? I.e. do authentication providers use phone as a sole method of identity verification for any major service?
My bank offers 3 choices for MFA; not sure which of #1 and #2 is more secure:
1. Password + SMS one-time-password
2. 4-digit pin + 6-digit TOTP
3. No MFA
They do, at least, offer the option of disabling automatic password-resets via SMS code, but I know from experience that you can authenticate yourself to a CS rep with just name, SSN, and a SMS code, and presumably a CS rep can reset your password.
I feel the need to defend the use of SMS for 2FA (in limited cases).
SMS is actually a perfectly good channel for 2FA for most customers in most cases. Because most customers, most of the time, are not under a targeted or even semi-targeted attack. SMS 2FA protects quite well against large-scale brute force or credential stuffing attacks. If someone is checking 10k accounts against the 3 top passwords (yes, this is a very common attack type), those customers will be very well served by having SMS 2FA.
SMS is a terrible channel if anyone is trying to target you directly though, that's absolutely true.
edit: also, in case this wasn't clear - I'm not talking about any services that allow password reset through SMS alone - that's beyond idiotic, obviously.
SMS is actually a perfectly good channel for 2FA
You might have different definitions of both "perfectly" and "good" than the researchers who found in every case with every major phone provider, the SIM could be stolen.
See: https://www.issms2fasecure.com/ ...
- We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap.
- We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers.
- We reverse-engineered the authentication policies of over 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.
- We found 17 websites on which user accounts can be compromised based on a SIM swap alone. After over 60 days since our disclosure, nine of these websites remain vulnerable in their default configuration.
You might have difficulty reading entire comments.
Yes, SMS 2FA will fail against a sophisticated and targeted attack. It is still drastically better than NO second factor, which is the actual comparison in the real world. There are people without smartphones. There are people without the ability to install/use a TOTP app. My aunt can either use SMS 2FA or nothing. 2MS protects her pretty well against 95% of the types of attacks she's likely to face.
Which part of your comment do you think I failed to read?
Frankly, a secure password alone, with no second factor, is "drastically" better than a secure password with ability to change that password by SMS, as is frequently the case (a quarter of the time, per that research). So set up LastPass or 1Password for your aunt.
As for "protects her from 95% of the attacks she is likely to face", that's a number that doesn't jive with my experiences as CTO of the second largest bank in the world.
Your claim is "Because most customers, most of the time, are not under a targeted or even semi-targeted attack."
On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.
>Frankly, a secure password alone, with no second factor, is "drastically" better than a secure password with ability to change that password by SMS, as is frequently the case (a quarter of the time, per that research). So set up LastPass or 1Password for your aunt.
Obviously password resets shouldn't be possible by SMS alone, I never claimed otherwise. I'm talking about using SMS as a second factor - in addition to having the valid password.
>As for "protects her from 95% of the attacks she is likely to face", that's a number that doesn't jive with my experiences as CTO of the second largest bank in the world.
In my experience, low-net-worth + technically unsophisticated users are mostly at risk from brute force attacks and/or credential stuffing, and SMS (as an actual second factor, not a "reset the password for free" button) is very effective at stopping that.
>On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.
If your customers have phone number/username/password all leaked together...sure, I can believe that. Probably you should focus on preventing leaks of that size.
If your customers have phone number/username/password all leaked together...sure, I can believe that. Probably you should focus on preventing leaks of that size.
A substantial proportion of your customers' email + password pairs have been leaked before they sign up with you. Email and phone are already paired from data brokers, you don't need the dump.
A majority of SaaS providers and banks fail to check for previously leaked creds. Many of the same ones that think SMS is "perfectly good".
Is your bank one of the ones that uses email addresses for usernames? Because that's a great way to make it much easier for attackers to match up leaked creds. Consider switching to a (chosen) username or card number or something. If your username is quickly matched to a phone number (or email address) it makes phishing (or account takeovers) much easier.
On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.
Are you implying there's automated SIM swap attacks in the wild ? Or, maybe you are saying SMS can be phished ? I do agree SMS 2nd factor can be phished, but if phishing is the attack, password leaks is irrelevant since, you usually phish both passwords and SMS 2nd factor together, so password leaks don't make any difference.
But isn't it the case that most sites will tell you if you pass a password check before hitting you with a SMS verification?
In that case I could see someone attempting a sim swap attack for accounts where they pass a password check for higher value stuff like primary email or anything that is probably linked to a spending account
That assumes the attacker even has the phone number - best practice is to not display the full number, just the last 4 (xxx-xxx-1234) - so again, for the typical case, the attacker isn't going to know what number to sim swap.
SMS is bad at protecting one account, it's good at protecting 10000.
Yeah, but say I am an attacker doing some kind of brute force password hack, and I have a certain number of successes.
Given the funnel there, it might well be worth it for me to put some energy into figuring out who the person at the other end of that account is. Phone numbers aren't secrets.
Yeah, agreed. But again I'm not arguing that SMS is the best second factor, I'm arguing that (used correctly) it's better than no second factor, which is what it's actually competing with in the real world.
Generally, I think services should offer TOTP, email, and SMS, and strongly encourage TOTP. But not offering SMS just means some segment of customers won't have a second factor at all.
The minnow security model is bad at protecting one fish, it's good at protecting 10000.
What would you say is an advantage unique to SMS that would be lost if text messages were switched to another model? I'm asking sincerely. There aren't many people arguing in favor of SMS here, so you seem like the right person to ask.
It's pretty simple - there are people who don't have smart phones, plus people who couldn't manage to install/use a TOTP app. Something like ~10% of users probably fit in that category. So either you offer them no protection (if 2FA is optional), no use of the service (if 2FA is mandatory), or ok-but-not-great protection (if you allow SMS).
(In reality, some users don't even have SMS (no cell phone) - so automated voice calls can be offered too. Those without any phone at all...will not be considered as valid customers, in most cases.)
While you are right, you're missing the real problem. SMS 2FA is a systemic threat vector for identity takeover. Buy out one employee for $20 and you have access to take over any one of millions of users. Additionally, the victim won't figure out there was an attack right away. And the attacker can live anywhere in the world.
If someone wants to rubber hose me, they have to physically come to my area and that doesn't scale except for high value targets. Tolerating SMS as 2FA is absurd with built in passkey capabilities backed biometrics/code built into a device you can buy for $100 and already carry with you 24/7.
>>and that doesn't scale except for high value targets
Real-world activities (kidnapping, rubber hose, fingerprint stealing, whatever) aren't worth it for medium-value targets, true - but my point is that SIM swaps aren't either - for low-value targets.
From the article, they're offering $300 per - so the expected value from these specific compromised accounts must be more than that (I'd guess $1k min). This makes it pretty clear that if you're protecting accounts worth ~$50, SMS is probably "good enough". And for some users that's the right trade off.
My point is that SIM swaps are possible from the other side of the world and rubber hose isn't. The targetable base for remote SIM swap attacks is everyone from anywhere.
As another user here said it best: it is good enough to keep honest people honest. But determined people will find a way.
This is actually a pretty good comparison. It's like the $50 lock on your front door. A determined burglar can pick the lock or smash the window, no problem. But it's better than leaving the door unlocked.
So in summary, SMS-2FA is a great channel for people/use cases that don't actually need that much security/protection? I agree!
Actually, I don't. Even completely trivial things like coffee chain apps require SMS-based logins these days, and I hate it. One particularly idiotic one initially accepted my Google Vocie number, only to lock it out for a subsequent login on a new device.
Phone numbers are a horrible user identifier. SMS is a horrible authentication mechanism. The entire industry has regressed from the bad combo of email + password to something almost universally worse in a matter of years, and it's incredibly frustrating.
The only saving grace is that SMS are quite expensive in some countries, so companies there have an incentive to not actually send them out if they can at all avoid it. Unfortunately they're effectively free in the US.
I'm not talking about any services that allow password reset through SMS alone - that's beyond idiotic, obviously.
Twitter allows this, it's been a security flaw for years they've never fixed, and it's possible even if you have non-sms 2FA enabled! If you have a phone number on your Twitter account you should definitely remove it.
Quite a few high profile very security conscious people (e.g. Vitalik Buterin) have had their accounts hacked because of this.
That is a very convincing argument for why SMS should be replaced entirely for everyone.
We really need better standards for MFA. Probably we should have a legal definition of MFA and SMS should be described as 2SA (Two-step authentication) on par with email or whatever. While MFA should be restricted to actual Yubikeys and other hardware certificate based things.
I'd also say people shouldn't be able to advertise MFA if they only support a single token per method.
It's not reasonable to expect people to have Yubikeys. iPhone Keychain is about as good as it'll get realistically, and that somewhat relies on hardware security.
"iPhone Keychain" - no thanks, I'll stick with a non-vendor specific provider.
I am trying to escape that awful ecosystem, not dig myself further in.
you know its trival to export, right? There's nothing more secure than Keychain if you're in the Apple ecosystem. Nothing gets more scrutiny from the entire industry, at least.
If you know of a way to export a passkey from iCloud Keychain to a non-Apple device, please do share it!
Otherwise I'd call that lock-in as well.
It's easy on a Mac since Safari has a CSV export feature. No such thing on an iPhone.
Have you tried exporting a passkey that way?
Last time I did, I only got passwords out, not passkeys (not that there is an interoperable standard for them anyway).
Oh, I didn't realize passkeys and totp aren't the same thing. Totp secrets go into the CSV. Don't think I even have any passkeys to test with. And supposedly 1Password doesn't let you export either.
This seems bogus. I'd rather simply use a random per-site password; looks like passkeys are the same except non-interoperable.
Bitwarden lets you export them as part of at least their JSON export, but unfortunately there's no specified interoperable format yet, so you can only import them back into Bitwarden (which you can at least self host; you could reimplement their serialization format if you're really determined).
There's some movement in that area in the related FIDO working groups, but I think we'll (by design) never see something like CSV export, and it'll be more like a standardized account migration.
I'd rather simply use a random per-site password; looks like passkeys are the same except non-interoperable.
They're significantly better than a random per-site password since they can't be compromised on the server side (due to being based on public key cryptography), unlike regular passwords and TOTPs.
I guess the real advantage is, if their server is temporarily compromised, they don't have to make me reset my password to get back in. But it's a per-site password, so the attacker can't use it elsewhere.
That's a horrible idea, no different than extracting your ssh private key.
You're asking for Apple to introduce a vulnerability for your convenience.
The "ecosystem" comes as non-several package. Like for instance, my pet issue "if" I'm in the ecosystem, I'd have to give up my headphone jack. And all the rest of it. The "if" is probably most of the problem.
I’d have to give up my headphone jack
Not to mention your 3.5” floppy drive!
I don't really have much use for that. Usb drives totally replace them for my use cases.
Do you understand the advantages that headphone jacks have? If not, you could start there.
Indeed the jack removal was the first thing that ever made me think of switching. That was a scam.
The option of Yubikeys is fine as long as the basic 1P thing is painlessly usable too.
Actually I maybe misspoke and I might go further than that and say that services shouldn't be allowed to make any requirements about how hardware tokens work. This means if someone wants to use a software token that should be supported.
And also I think this is why the passkey standard is bad, it sets rigid hardware requirements and the manufacturers will use this to drive planned obsolescence. If Apple and Microsoft have their way we will throw away $1000+ phones and laptops because someone found an exploit in the TPM that requires physical access.
Yes, that and WEI
https://www.cisa.gov/sites/default/files/publications/fact-s... ("CISA.gov: Implementing Phishing-Resistant MFA")
Its funny how you can't work for a secure government agency if you can't get clearance, and that a primary litmus test for clearance is how much debt you are in. (AKA how easy you are to bribe). But then for huge swaths of our infrastructure we have privatized it and left it in the hands of minimum wage employees who probably have auto and student debt and can be bribed for pittances.
Login.gov is a thing (and over 300 federal agencies use it as their idp as of this comment). USPS provided identity proofing in person for it. All federal gov agencies are moving towards it. The "right" way would be a national smart card ID system like Estonia has (built on cryptographic primitives), but you have a cohort of crazies who think it's the "mark of the beast" and other wild tales. So, we walk when we could run. This problem is at the people/policy OSI layer.
The Defense Dept already does this: CAC/common access cards [1]. Create a civilian root and do it already. A PIV/CAC can also be used as an auth factor with Login.gov [2].
[1] https://www.cac.mil/common-access-card/
[2] https://www.login.gov/help/get-started/authentication-method... (Physical PIV (personal identity verification) cards or CACs (common access cards) are secure options for federal government employees and military personnel. These cards, with encrypted chip technology, are resistant to phishing and difficult to hack if stolen.)
Papers Please.
This is why the US will never have functioning anything. People just immediately leap to why it's going to lead to dystopia.
Unfortunately that was literally true from the beginning. Much of the US Constitution is devoted to separation of powers. But the powers are so separated that it's practically impossible to do anything. Our checks and balances are badly overbalanced.
The government persists because the executive branch takes a lot on itself. The Supreme Court is currently deciding that this may be too much overreach, and the government will grind completely to a halt.
We already have that and have for a long time, it’s just more way time-wasting and far less secure than it could be.
This is a tired argument. If you want better governance, it's a political problem, not a tech problem. "Papers Please" exists today due to a lack of law enforcement oversight and current statute [1]. A properly functioning national ID system and infrastructure doesn't change that.
The databases already exist [2] [3] [4] [5]; because you do not have the physical card does not mean you don't live this reality today. On the contrary, you already don't have the privacy you think you have, without any of the quality of life improvements a national ID card would provide.
CBP has successfully implemented facial biometrics into the entry processes at all international airports, known as Simplified Arrival, and into the exit processes at 49 airport locations. CBP also expanded facial biometrics at 39 seaports and all pedestrian lanes at both Southwest Border and the Northern Border ports of entry.
To date, CBP has processed more than 490 million travelers using biometric facial comparison technology and prevented more than 1,900 impostors from entry to the U.S.
[1] https://en.wikipedia.org/wiki/Stop_and_identify_statutes
[2] https://www.dhs.gov/biometrics
[3] https://www.tsa.gov/biometrics-technology/evaluating-facial-...
This is a silly retort. We already have multiple identity systems in the US:
- Social Security
- Passports
- NAPHSIS
- Most states' ID systems using Real ID w/ SPEXS
- The DoD's ID card system
I love me some ID.me and think every bank and financial institution should be required to use it. It goes so far beyond to do good multi-factor auth and even accounts for the un-homed and un-phoned in their multifactor. Thousands of people can't bank or use many services because they can't get a phone number, but they can use id.me at a library or other public computer with few issues just having an old offline phone running an authenticator
Edit: TIL login.gov is the new hotness
Is Id.me and login.gov the same thing?
ID.me is a for profit private provider of identity proofing services. Login.gov is provided by the US General Services Administration. All federal agencies are moving to Login.gov. IRS is one of the last digital services that will move. There were some congressional hearings on ID.me, due to distorting the truth.
https://news.ycombinator.com/item?id=30430851 ("HN: IRS to adopt Login.gov as user authentication tool (Feb 2022)")
https://news.ycombinator.com/item?id=39691325 (a previous comment I wrote on the topic)
https://cyberscoop.com/idme-irs-identity-verification-congre... ("ID.me misled IRS on processing times for identity verification, congressional investigators found")
https://cyberscoop.com/id-me-ceo-backtracks-on-claims-compan... ("ID.me CEO backtracks on claims company doesn’t use powerful facial recognition tech")
https://cyberscoop.com/id-me-aclu-oregon-states-messaging-fa... ("Documents shed light on ID.me’s messaging to states about powerful facial recognition tech")
https://arstechnica.com/tech-policy/2022/11/id-me-made-basel... ("ID.me lied to IRS about unemployment fraud, average wait times, House Dems say")
I was neutral on id.me until I started getting unsolicited marketing emails through them. https://help.id.me/hc/en-us/articles/202709194-Why-am-I-rece...
id.me was steaming garbage the last time I used it.
"Scan the front and back of your Driver's License."
[upload scan of front of DL @ 200DPI]
"Unable to find a face in the image you uploaded."
[upload scan of front of DL @ 300DPI]
"Unable to find a face in the image you uploaded."
[upload scan of front of DL @ 72DPI]
"Thank you, now please upload the back of your Driver's License."
Hmm, 72DPI worked for the front, so...
[upload scan of back of DL @ 72DPI]
"Unable to read a barcode in the image you uploaded."
[upload scan of back of DL @ 200DPI]
"Unable to read a barcode in the image you uploaded."
[upload scan of back of DL @ 300DPI]
"Thank you for verifying your Driver's License".
An unmitigated turd.
mark of the beast
what bothers me the most about unfalsifiable predictions is that their predictive quality can only be retroactively applied, undermining its ability to be predictive at all
it relies on total ignorance of everything prior that fit, and other catastrophes that also looked like the “end times”
how was world war I not? everyone dying of mustard gas followed by famine, plague.
world war II?
the year 536?
other maladies in other countries? for many people it was the end time because their entire family and culture were killed and wiped out
I wonder if America will shake its Evangelical death cult. People are becoming unaffiliated with religion here but I feel like the mysticism is ingrained into the culture either way for another generation or two
Talking about it being the "mark of the beast" is a strawman. What you should talk about instead to win support among those same groups of people is to explain how it isn't/wouldn't be a means of government abuse. They're worried about it backdooring personal financial freedom the same way you would worry about the government backdooring encryption.
It’s not a strawman if thats exactly what the people being referred to will say.
But semantics aside, I agree that addressing their actual concerns is more productive. And there is no way to guarantee that.
a primary litmus test for clearance is how much debt you are in
As someone on the outside, I'm curious if that's true. I've never applied for clearance but I was always under the impression that it was more about how many people could vouch for you. Is it true that it actually just comes down to your bank account?
There are a handful of key litmus tests that are part of the background check. If you are/were a felon, If you lie at all during the check, If you are in extreme debt, If they find public record of you being anti-american, If you fail a drug test.
These all come up during the screening interviews of your peers, family, and coworkers. I have done about a half dozen or so of these for former peers, friends, and colleagues who have moved on to do public sector or join private military companies that needed clearance.
You can read clearance hearing/appeal decisions for contractors[1] to see some of what goes into it. On the money part specifically it’s less the raw status of your bank account and more how you’re handling debt and delinquency if at all.
On a topical note, a not-uncommon issue is failing to pay income tax or file a tax return :p the result of those appeals depended on if and how the appellant tried to resolve that.
[1] https://doha.ogc.osd.mil/Industrial-Security-Program/Industr...
First and foremost, if you use any services online that have two-factor authentication, be sure it is not SMS-based. Use an app like Google Authenticator or Authy for this purpose instead.
It really disappointing that in 2024, this is the "right" guidance to give, but we still know there's a whole lot of really important stuff that still uses SMS for 2-factor authentication.
Half the time, even if a service supports autheticator app 2FA and not just sms, all it takes is just clicking “use another method” on the 2FA page, and it defaults to sms-based 2FA anyway. And it would still require a phone number when registering, so there is no way to avoid that fallback anyway. Borderline useless.
The services require a phone number not because it adds security, but because it is a monetary challenge for scammers. If a service allows for multiple 2FA types it usually demands SMS for the initial setup, but once that is done you can remove your phone number to force it to switch to TOTP or a token. It's generally a good idea to not have your phone number stored in a zillion websites anyway, every copy is just another vulnerability for hackers to exploit when they knock over that service.
That’s totally fine, i am not against services requiring phone numbers during registration. I am just against those services allowing sms to be used as an easy 2FA fallback when an app-based 2FA is enabled. Because doing so makes app-based 2FA kinda useless.
I agree with your points, it just feels insanely rate to see a service utilizing phone number requirement for registration the proper way (i.e., the way you describe).
That’s totally fine, i am not against services requiring phone numbers during registration.
I am completely opposed to services having any PII (Personal Identifiable Information) beyond an email address because the dumbass services keep my PII and then lose it when they get hacked.
If I can go collect a million dollars from a company that loses my PII, I'd let them collect it. SInce I can't, my best option is to refuse.
If you want to verify, take a credit card number. At least I can cancel and change that when some dumbass get hacked and loses it.
It's generally a good idea to not have your phone number stored in a zillion websites anyway, every copy is just another vulnerability for hackers to exploit when they knock over that service.
Are you relatively confident that these sites actually delete removed phone numbers?
All I'm confident about is that they certainly won't delete them if you leave it as a 2FA option.
Google Authenticator makes it very unclear to average users how you back up or transfer stuff to other devices. Sites that support Google Auth are gonna have to deal with lots of locked-out users trying to recover access, which can negatively impact security.
If anything hopes to replace SMS, it needs to be as user-friendly as SMS.
Google auth is not the only authenticator that supports TOTP. Any time a site tells you to use google authenticator you should be using a better service like 1password, bitwarden, lastpass, etc... to scan the QR code and store the TOTP code.
I'm flabbergasted every time I switch jobs and some jamook in IT or Security says we have to sue google authenticator and that other authenticators aren't allowed. Then there are constant lockout events generating tickets for those teams when people delete the app or get new phones.
Yeah, it needs to be clear to users that they can use other things, especially some built-in option. Currently it's not.
Many services will happily remove the authenticator from your account if you email them and say you lost it. The whole thing is a joke.
It syncs everything to the cloud by default these days: https://arstechnica.com/security/2023/09/how-google-authenti...
Why should someone outsource one more important identity thing to Google?
Google Authenticator is client side.
It's not the best 2FA app though; it makes it unreasonably hard to transfer codes.
It's the opposite these days – they sync your HMAC secrets to your Google account now unless you opt out: https://security.googleblog.com/2023/04/google-authenticator...
It doesn't have to be Google Auth, it can be any 2FA app (1password, Bitwarden, Authy, Microsoft Auth), whatever. It's just a safer way to do 2FA than SMS.
Google Auth is just one of the earlier popular apps, so it's a common example. It kinda sucks though, cuz if you lose your phone you have to reset all your 2FAs.
Every freaking time I get a new phone I forget the step of porting my authenticator keys. Wow, is it ever a drag trying to set them up again. Often, you need to do zoom calls to verify your identity. Takes days. This is the type of thing that will push almost everyone towards SMS. Also, it's easy for users and developers, and no one needs to learn anything. Solves these issues and we are good to go.
AI is probably going to end Zoom auth calls. They'll almost become so trivial to fake as to be useless.
You didn't write down your rescue keys like almost every website tells you to do when setting up totp?
It's actually unbelievable how often SMS OTP is used, when it's public knowledge that it just replaces one attack vector with a worse attack vector... Cracking a password or breaking into an encrypted database is 10x harder than getting a sim swap.
My bank recently added the feature of removing SMS as an 2FA option - requiring TOTP. Now if they'd only add webauthn, but TOTP is pretty secure against phishing with a browser-integrated password manager (no autofill results in suspicion).
What bank is this and are they available nationwide?
Yes. Why are banks with TOTP so rare?!
I have no idea, and I despise it. USAA and eTrade both have TOTP, exclusively with the shitty, non-backup-able Symantec VIP app. Break your phone? You're boned! Symantec VIP on those sites don't provide 2FA verification (the thing where the phone asks to confirm the number on the client-side) and it doesn't provide push notifications.
It's literally a worse version of regular TOTP. And they're in the minority even having 2FA!
This works for Charles Schwab too!
First Tech CU. Their physical locations are PNW only, but that hasn't stopped me from continuing to use them electronically on the east coast. They are also part of the CU alliance, so access to alliance branches and ATMs is possible (I've never had the need to test this).
My bank finally added 2FA today actually. It is, of course, SMS or Email only because banks the worst online security for reasons I'll never understand.
It's not really "replacing" though. Prior to SMS OTP it would just be the password. Having password + SMS OTP is strictly better, regardless of how shitty SMS OTP might be.
Having password + SMS OTP is strictly better, regardless of how shitty SMS OTP might be.
Unfortunately one can claim to "forgot my password" and use SMS OTP to reset it. Now it becomes a single factor authentication with a compromised phone.
Password + SMS OTP is strictly worse than a password. At least you cannot SIM swap your password.
Many sites do allow logging in with just an SMS OTP, no password required (even if you’ve set a password for the account). If it absolutely must be used (it shouldn’t), then SMS OTP should be a second factor, not the only factor.
But once you manage it, you've got a lot of compromised accounts at the same time.
Everything based on username + password alone today should be replaced by passkeys. The problems they don't solve are 2FA and account recovery.
Cracking a good password - which a large percentage of people don’t have or will readily input in any phishing web form without a second thought.
Time-constrained 2FA codes can be broken with sim swaps or targeted phishing which are less widespread than a wide-net spam-based phishing campaign.
Now don’t get me wrong I hate SMS 2FA with a passion but still :)
It’s easy, it’s free for the customer, and with feature’s like iPhone’s “code autofill”, it’s the easiest UX. Swim swapping happens to such a small number of people that it’s not worth the effort for anyone involved. I hate it myself, but such is the reality.
Oh no! Who could have known that designating utility companies as the guardians of authentication and identification/KYC would have any downsides?
While simultaneously degrading the value of employment to any of these conglomerates.
This is the same reason you want well paid politicians and FBI staff.
Well paid politicians do everything to get reelected rather than doing everything to increase general welfare.
Also as others have commented, even well paid people do shady things. TFA isn't an endorsement of higher wages, it's a denouncement of our terrible collective security and authentication protocols.
Well paid politicians do everything to get reelected rather than doing everything to increase general welfare.
Yes. Parent comment is literally completely backwards - we've seen from Wall Street that paying people extremely well leads to corruption.
High pay has the opposite effect. Things that work include oversight, transparency, audit logs, removal of human processes, active anti-corruption investigation, and the like.
What you're observing is the climbing the latter effect of absent regulation. Social economics has already identified that people only care about relativistic wealth so a business industry surrounded by greed will of course, produce more greed.
Slap some actual consequences and you'll see better results.
Sure, but please let the takeaway here not be "the employees of Con Edison, PG&E, National Grid etc. need to be paid and vetted like bank tellers, then it'll all be good".
The intrinsic overlap of incentives and strengths between utility providers and identity verification organizations (whether private or public) is minimal, and I suspect extrinsically forcing them into that role can't end well either.
Good thing there are no corrupt politicians and FBI agents.
I'll throw out an idea that seems simple to me...
An *opt-in* option to require that lines on your account can not be moved to a new SIM unless the current SIM is offline as far as the cell grid is concerned.
This could even be made into something that customer service could be blocked from overriding.
If someone steals your phone, they try to get it into airplane mode as fast as possible to avoid activation locks. If you drop your phone in the ocean or off the side of a cliff, it's probably not going to remain working for long. If you're concerned about losing it somewhere where it'd remain active but you'd never find it, then don't opt in to this.
There is an opt-in SIM protection available. You can lock the SIM card and can't move the line until it is unlocked.
Taking the device offline requires you to either have control of or destroy the current phone, while that SIM protection sounded like something a customer service rep could be tricked into working around.
Send a message to the SIM card saying “do you want to move”
If you don’t respond then it takes 48 hours to move.
If you say “yes” then it moves
If you say “no” then whoever asked for the move has some questions to answer
T-Mobile already does exactly this for eSIM transfers, though the waiting period is 10 minutes, not 48 hours.
Yes, or even require a challenge sent to the current line with a grace period, and you get to choose your own grace period up front. In this way, someone can't jack your line while they know you're on a flight.
So, I lose my phone (maybe it's sitting on the side of the road somewhere) and need a new line. Since I can't reply to it my line will transfer after 8 (?) hours of no response to the challenge.
Yet, most banks in the US force the use of SMS 2FA without offering TOTP as an option. Truly incompetent institutions we've created.
SMS 2FA is one thing. Bad, but ineffective. SMS-based account recovery is far worse. Every time a major website asks me for a phone number "in case you lose access to your email account" I freak out internally before ensuring I never enter it.
Right. The SMS 2FA risk is overstated IMO - at worst it makes it as insecure as password-only, and at best it creates a roadblock for attackers that can be significant for locked SIMs.
But SMS account recovery is definitely opening the door to attack.
I think the popularity of phone numbers is not because it’s a good auth factor but because it is a little more work to Sybil flood with generated identities, compared to say email. So it’s not for our security exactly, but more for the company’s anti-abuse systems, and maybe the marketing department that loves hoarding phone numbers. That it works as a second factor is just a “happy” coincidence.
Which in turn annoys me to no end given that phone numbers are regional. Having no access to banks when moving, let alone traveling, to an area with no cell service or a different country, is infuriating. It’s like “what’s your mother’s maiden name” all over again.
My bank took away the ability to do 2FA via email and is phone-only now. At least with the typical Gmail/equivalent account you have the option of making that less vulnerable to social engineering and outright bribes.
Yet other institutions do single TOTP with SMS backup instead of TOTP with a 2nd TOTP backup.
The former is as bad as SMS.
“Inside job” SIM swap attacks are not necessarily new; a close friend’s T-Mobile phone got hit this way in March 2020.
The news here is the intersection of a data breach with SIM swapping: criminals are using the employee phone numbers from a recent T-Mobile breach data dump to text tons of employees at once, offering $300 per swap.
Previously, criminals would develop the inside agent either through personal connections or by applying and getting hired themselves. With the breached data, they can automate and scale.
I wonder why people risk their jobs for $300.
exit strategy?
this has been going on regarding crypto since early 2018 afik.
As others have suggested, the trick is put out fake honeypot offers, to strike at the weak point of the scheme, which is that lack of trust and anonymity run both ways.
In other words, the "old way" isn't just about cultivating an insider agent, but also about establishing that the insider can trust the requestor.
There's a very simple solution which is to centralize the process. Banks learned this decades ago. It's why your teller can't do anything that an ATM machine can't do anymore.
What do you mean? Sometimes when I forget my ATM card, I go to the teller, who can help me after checking my photo ID and maybe some security questions.
Right, but they still can't do anything you wouldn't be able to achieve over the phone with the centralized support line. Maybe verifying your identity for a cash withdrawal, but that still requires knowing the same secrets you'd need to just replace the card. The branch employee has no more access to your account than you do.
But isn't that kinda the crux of it? If I can withdraw cash by presenting a photo ID instead of using my 2FA online, it is both more convenient for me as an end-user and also less secure (opens the account up to social engineering, fake IDs, etc.).
Similarly, some 2FA implementations allow human support agents to manually reset the 2FA, sometimes making that the weakest link.
The ruthless alternative is "If you lose your 2FA, you lose your entire account and there's nothing we can do about it". I've rarely seen that implemented in normal apps.
Yeah, I was thinking at the very least changing SIM assignment, given the huge target this is for bad guys, should require confirmation by at least 2 unrelated employees.
Where did this private information come from?
Still, the biggest issue here is how this person (or multiple people) obtained the employee phone numbers. We’re not sure yet which employees are impacted, but based on comments online it seems at least a few third-party employees are affected, and we’ve independently confirmed current corporate employees have also received the message.
Sadly, the idea that phone numbers of people are private should be considered laughable at this point. There is LinkedIn, and even if you're not directly connected to someone it would be easy to correlate publicly available LinkedIn data to phone number data.
Also, note that TMobile explicitly provides a "SIM Protection" feature, https://www.t-mobile.com/support/plans-features/sim-protecti.... Why this isn't enabled for everyone by default I don't know.
The website does not make it clear - what does SIM protection do? Does it put a waiting period on changes? Requires a website login first?
What happens if I legitimately need a new SIM?
I had to deal with this recently. Basically, they put a hold on the account. The request is forwarded to another internal department for verification. Once verification is complete and the team determines the request is not fraudulent (asking for "verification pin" or "account password"). Then the request is forwarded to the appropriate tech team for further processing.
SMS and calling was blocked during that entire time (~24-36 hrs) since the backend teams are likely operating in offshore timezones.
Doesn’t that mean the PIN and password are communicated in clear text?
I'm curious how that feature works on the backend. If the premise is employees abusing internal access to fiddle account data, and the feature can be toggled on an account page, can't the insider abuse a password reset flow, toggle the setting off, then proceed as normal? I'm assuming that there's some "customer walks into store and needs to reset their password" functionality employees can access. Maybe a mandatory waiting period?
The easiest solution would be a two employee requirement with a 3rd remote in corporate office. In smaller stores at least one remote. Using a camera for live video that was installed and inspected by corporate.
...and uh, make sure they're paid far above minimum wage.
Reasonably well paid people are susceptible to bribes, too.
Yeah but if you're not resorting to just hiring anyone off the street who can talk sales, you get less morons applying in the first place. Less morons, less people who might be willing to treat that "stand in a mall and upsell people" job like they'd do flipping burgers and snotting into the mayonaise, or who need some "side hustle" cash just to make rent.
Pay peanuts and everyone and their dog will apply, pay appropriately and you'll get higher quality applications that you can afford to actually vet.
Look at it like a probabilistic scenario.
Minimum wage, as demonstrated by the pandemic, is nowhere the level of pay.
Of course everyone can be corrupted, but the probability diminishs greatly with just basic care.
SMS based OTP has been known to be unreliable way to authenticate someone because exactly this type of social engineering hacks.
All software providers and the industry should ban SMS based OTPs as a standard practice. Either leapfrogging to a Passkey implementation or just time based OTPs.
What software provider or industry group is in a position to enact a ban on an MFA strategy?
the US government.
Maybe organizations in charge of cybersecurity compliance frameworks? We'd see a lot of companies drop SMS 2FA pretty quickly if it became a requirement to maintain their SOC compliance.
I don't think we need a complete sweeping ban to get it to largely fall out of use, just a critical mass to drop it so it's no longer defensible as an industry standard
after years with no issues, my bank stopped supporting my google voice number and said I have to use regular SMS as it's more secure
I lost my phone a few weeks back and was astonished that I was able to go into T Mobile and get my number switched to my new phone without showing any ID
That’s horrifying!
I had the ability to swap numbers for 3 carriers as a minimum wage paid Radio Shack employee.
It was just a web form with a few boxes to fill out based on customer provided info followed by enter.
Even when ID is checked, a decent fake ID is like $50 these days, and grants access to wealthy bank accounts.
At the time we were heavily incentivized to speed run anything that did not generate a commission so checking ID carefully if at all was not high on our list of priorities.
Americans like to believe they live in a high trust society. That must be why things like this are even possible. It brings convenience (and I guess profit, as time is money) but the trust required is very high.
Did you have a pin on your account?
One would hope it’s not possible to swap unless that is entered, no matter how corrupt the employee.
To everyone pushing for a different 2FA method - what if I lose the 2FA device? Would it mean I won't be able to get into my bank account anymore? If not, then the method I could use to get my account back in that case could be the method that will be attacked..
If employees can be bribed, that's the problem.. there must be a human element somewhere, otherwise we'd have to be permanently locked out if we lose all 2FA devices
What if you lose (access to) your phone number? If your bank doesn't have a plan for that, I'd strongly consider switching banks.
If they do, you'd just use that.
I would wonder what the bank's plan for that is.
If your bank can be "talked out of" requiring the second factor, then what good is 2FA? Hopefully they would at least require actual identification.
It's why you write down the recovery keys when setting up 2FA.
I know everybody says how bad SMS 2FA is, and how we should replace it with the next cool thing $BIGCORP invented (thus requiring you to have an account with them, which only defers the problem).
But couldn't we pressure the telecoms to improve it?
I have an idea that would make SIM swaps way harder to execute. Namely a website that wants to authenticate you should be able query the telecom for some kind of SIM card ID. This would happen before sending a 2FA code.
With such a feature it would be easy to store the SIM card ID in a database when enrolling the phone number. Later when the user tries to authenticate and the ID does not match what saved before, the account is locked out. For enterprise accounts you would need to explain yourself to IT and for personal accounts a fallback 2FA would have to be used. Alternatively the authentication would be delayed for a few days to give the legitimate owner of the SIM card time to react.
Another thing that could be added on top of this is to send a SMS to the old "inactive" SIM, alerting the original owner of the attack.
EDIT: To add to this, here are some advantages of SMS 2FA over time based OTP or passkeys:
1. My grandma can use it with her dumb phone and poor digital skills. 2. Your SIM card will most likely survive if your phone is destroyed due to water or physical damage. (Sadly not true for eSIM) 3. You can dictate an SMS/OTP code over the phone, or forward it to somebody you trust. 4. Banks can append a short description of what you are currently authorizing. It can tip you off in case your computer is infected with malware, or you are victim to one of those TeamViewer scams.
In your scheme, how do I transfer money from my bank after my phone is stolen and I need to get a new phone without access to the original sim? Or access my email?
If that’s just impossible, how do I fix the issue? A “fallback 2FA” what is that exactly?
Probably one time use recovery codes you are supposed to print and keep in a safe place. In case of a bank this could also mean a trip to the nearest branch for ID verification.
The same issue you mentioned applies to other 2FA methods. Your TOTP codes and passkeys also live on your phone, Yubikeys can be stolen too.
I think this is conceptually wrong from a layering perspective because youre punching through the abstraction and making it leaky on purpose. This just moves the problem down one layer in the stack - there will be legitimate new use cases for “sim card ID spoofing” and then we’re back to square one. Also from a usability standpoint “getting a new phone” is precisely the wrong time to lock users out of their accounts
A perfect analogy would be trying to implement security with mac addresses but applied to internet. It just makes a mess of an abstraction layer and then you have to rebuild it because those abstractions were useful (mac address spoofing has legitimate uses because mac addresses were used for security and then people realized they needed to be able to transparently swap things out)
This isn’t just an sim/T-Mobile issue
Most customer service representatives are on very low incomes (especially in other countries) and it’s not hard to find one who will take actions for a (western) small amount of money. CSRs often have powerful capabilities and access to sensitive information. With poor access controls.
Solve the SMS/MFA issue and they’ll attack the next thing in line
Yeah, but ideally the next thing in line is much more secure than a financially vulnerable, low wage worker.
Afaik SMS 2FA is the easiest to compromise of all the methods. At least with, say, email, you need a password and potentially a different 2FA first.
Most customer service representatives are on very low incomes (especially in other countries) and it’s not hard to find one who will take actions for a (western) small amount of money. CSRs often have powerful capabilities and access to sensitive information. With poor access controls.
Another reason to implement my proposal of a law requiring all customer service serving US customers to be located in the US, UK, Ireland, Canada, Australia, or New Zealand.
Who would be stupid enough to commit a federal crime for $300? Doing this will leave a clear paper trail to the respective employee (I hope, if not that'd be disastrous) and the crime itself has a high likelihood of being reported.
Am I missing something?
Who would be stupid enough to commit a federal crime for $300?
Probably hundreds, if not thousands, of low level employees that work for carriers in retail positions.
I think a lot of people are forgetting that most of this customer service is being outsourced to other countries.
I work in crypto and see Sim swaps happen all the time, mostly for Twitter account takeovers of famous people where they then post phishing links and steal their followers coins. T-Mobile is easily the biggest offender for this, most people reporting they use it, so this has been going on for a long time.
The other big problem with Twitter security is you can have your account taken over even if you use non-sms 2FA! If you have your phone number on your account it can be used for recovery completely bypassing 2FA. They've had this security flaw for years and still haven't fixed it.
A lot of sites have this security flaw, turning SMS 2FA into 1FA: all you need is the phone number. Although allowing it even if you use non-sms 2FA is even worse, 100% defeating the purposes of using an alternate form of 2FA.
Almost everybody supporting 2FA has this security flaw today.
The number of sites that actually let me never provide a phone number, or at least not have it be a recovery method, is tiny.
Even things like a simple time lock (e.g. SMS-OTP "2"FA recovery only being possible after 24 hours, combined with sending a blast of "careful, your account is about to be recovered by somebody that might not be you" and a way to stop that for the legitimate accountholder, would go a long way.
The article is vague. Is this "sim-swapping" physically replacing the SIM card in the customer's phone? Or entering the wrong IMSI into some T-Mobile database to change the association between IMSI and customer?
Sim swapping is typically "put their phone number on this sim card I control" the point being to bypass any SMS based 2 factor auth / alerts.
In a typical SIM swapping attack, the attacker will contact the Cellular Carrier (either in-person at a retail store, or by phone/online support), impersonating the victim and claim that they've lost their phone (including SIM) and that they need a new SIM for their account.
Carriers should have procedures in place to ensure that the identity of someone who presents themselves with this situation is verified, but it can often be bypassed.
In the case of the article, corrupt employees of the carrier are being bribed to bypass the ID and security checks that should take place in the above situation.
In other attacks, there are social engineering ways of bypassing the ID checks - such as claiming to be the victim of a robbery where both the phone and wallet were taken - so they don't have any ID, credit cards, or phone to prove who they are and that getting a new SIM would really help them out.
SIM swap attacks are the reason I do not use SMS 2FA. Everything has been switched to use software or hardware based MFA. Opting for "magic link" sign in where necessary. E-mail protected by one or more non-SMS MFA.
The only services that I use with SMS 2FA are honeypot accounts.
So you didn't have any trouble finding financial institutions which allow software or hardware based MFA?
Any reports of Verizon employees getting approached like this?
I've heard of them off and on in the past, typically a Verizon employee requires a significantly higher payoff ($2000-3000) to get a SIM swap across, so they're generally a lot more expensive all around.
https://old.reddit.com/r/verizon/comments/1bnnsbc/kick_out_t...
Common to see people get approached on communities like carrier subreddits if they post that they work at a store and be dangled offers like that.
Humans remain the biggest vulnerability in cyber security.
"cyber security" is a misnomer. "HCI security" is more accurate.
Not even joking: there is probably a market for starting a mobile provider company that actually requires a DNA sample to change. The DNA could be collected from multiple sources simultaneously (blood, saliva, and randomly chosen fingernails) and run through a hash so that the provider never stores the DNA string itself. Some level of innovation may be required here, I know DNA itself isn't exactly a UUID, but I'm certain it could be done. VIPs would pay for this service and you could offer limited insurance for hackage.
Edit to add: there was an episode of "Forensic Files" where a suspect injected someone else's blood sample (at great personal risk) to evade a DNA test for a sexual assault charge. So just acknowledging that DNA methods can be attacked too. Hence the necessity of multiple random samples.
or a eyeball scan like that sam altman worldcoin thing.
Surely we are close to the point a fully self-service cell account is possible via secure portal? Choose to eliminate human customer service, expose portal to user with appropriate MFA access controls etc.
I guess what I'm asking for is a cellphone plan with no human customer service, similar to how there is basically no one I can call if I have a problem with a gmail account. Remove the source and the temptation of this attack in one go.
I appreciate not every customer would like or want this, but could be offered to more security conscious users as an option. It's not unheard of to get a discount for pre-paying or enabling auto-payments on cell plans around the world, perhaps you could even get a few bucks off a month for choosing to not have option to call a contact center too.
There's a service called 3Num where you can get a number controlled by a private key. No one else has access to your number/account. Only supports SMS messages currently though, it's not a full phone service.
Don't new iPhones not even have physical SIM trays? And T-Mobile also lets you lock your number so it can't be ported out.
That doesn't mean an employee can't activate your line on a pSIM and hand it over to a threat actor.
T-Mobile has a SIM lock feature that you can enable to block at least most employees from being able to swap your SIM. You can enable it in the account management app or website.
I was able to verify that it worked because an employee in a store literally could not transfer my SIM with it enabled. Their iPad app just gave an error of "customer has SIM lock enabled".
Interestingly the T-Mobile employee had never even heard of this feature, which suggests that basically no one uses it.
You can find the settings under My account > Profile > Privacy and Notification.
This has been going on for 5+ years, and there is an entire community behind this.
Typically, teenagers ranging from 14 - 19 will select targets, or “targs” to conduct a “Sim Swap” on.
Desired targets are often individuals with “rare” or “OG” handles on social media platforms, as they’re worth a lot of money. Or, individuals with large crypto wallets (Think: Coinbase, Binance, Etc)
Darknet Diaries has a couple episodes about this. Two I remember are:
* The Pizza Problem
* Tennessee
There has got to be some sort of two-man rule (https://en.wikipedia.org/wiki/Two-man_rule) integrated into the system that can't be bypassed by the people with authority to make changes to accounts. Otherwise any insider / careless spear-phishing victim will make the changes they want.
Sometimes, services may have SMS as the only option for two-factor. If this service is a bank or a crypto wallet, consider switching, because that isn’t great.
Most banks I've interacted with fit in this category, except for online only banks. If you need a bank with a local presence, switching might not be an option.
When you have $15/hr employees who can enable a $100,000 scam this is bound to happen.
I need to find someone who can do this so I can get back into my Google account. I have the email, password and recovery email, but not the phone number.
Even in the black market of SIM swaps, that is a lowball offer.
It's a good thing that this is finally becoming common. Hopefully it will put an end to SMS as 2nd factor and the registration by phone number epidemic.
I just have a visceral reaction every time I see "SMS" anywhere. It's a garbage human verification method (hello boxes of SIM cards available in [certain markets] for spare change), it's a garbage 2fa mechanism (especially when its the only one). It's a garbage platform through and through. I don't care if I burn karma here, it's the worst technology that I'm forced to use on a regular basis. And I hate seeing it defended and used in new places.
s/garbage/[stronger words]/g
I mean, it's not quite as cheap, but even now I can provision fungible, resellable eSIMs, non-wholesale, for less than $5. Throw a little HS + acceptxmr, sit in front of Airalo/holaSIM/etc, or just figure out who their upstreams are. It's all a complete and utter farce.
So looks like FCC is implementing some new rules to protect against SIM swapping and that's taking effect on July 8, 2024. Though from the press release, I'm not quite sure if that'll protect the customer from a carrier employee being the bad actor.
https://www.fcc.gov/consumer-governmental-affairs/fcc-announ...
This isn’t limited to T-Mobile employees, I work for a T-Mobile MVNO and received the offer
Never say publicly who your bank or broker is! Anyone can pay off a tmobile employee and empty your bank account.
I was initially pleased when I discovered T-Mobile itself supported using TOTP apps like Google Auth and then flabbergasted when I found you could not disable SMS 2FA even after enabling alternatives.
Amazon working on behalf of individual interests and/or the government to strategically target individuals? Sounds about right.
Yeah this has been a thing since 2012ish and became more popular around 2016/17. Brian Krebs has documented this for the past 8 years. No new news here.
2FA is broken.
If I want to get a new cell phone number, I am absolutely fucked on everything. This isn't sustainable.
T-mobile could do many things (not sure it’s legal to pretend you want to pay for simswaps, but that’s beside the point), but first we need to establish why they would care.
I haven’t seen much evidence in the past they would.
They don't care. Source: got swapped on TMo, front-line CSR fixed it but no one else at the business cared; would not even refund my final bill. Solution: move to Google Fi. It has a word-of-mouth reputation for being resistant to this, which I believe if nothing else because Google has almost no human support to bribe/phish.
Google Voice too. No human tech support. It's kind of weird how having no human to talk to can be a good thing in these high security matters. No social engineering attack surface.
Imagine making a mean comment on YouTube and losing access to your bank account (everything runs on SMS 2FA)
No human to talk to, no appeals process. Don't trust Google, they are indifferent.
That’s a real reason I don’t comment on YouTube or risk using any other Google services except Gmail and Voice.
God forbid I chargeback a purchase on Google Pay (or whatever their PayPal is this year) and trip some anti-fraud system that locks me out of my 20 year old email account. We all know their support is either automated or nonexistent, so it’s not worth the risk.
And you effectively can't even run your own system, as has been discussed here many times.
But there‘s many providers that you pay actual money to (Like Fastmail) and if something goes wrong you, as a customer and not a potential ad target, are their top priority and you can call a human on the phone.
Exactly, vote with your dollars. Email is important and worth paying a few bucks a month for solid service.
Oddly enough, the EU isn’t racing to bust down the door of these “gatekeepers” and require third-party interoperability with this socially-critical service.
Pretty much just an apple thing as far as I can see.
switch to Fastmail or literally anything else :)
It's crossed my mind, but would require more effort than not commenting on YouTube or using Google Cash
Today it's commenting, tomorrow it might be watching a few bad videos
My class read a science fiction story in CS about a guy getting executed on death row for a late library book in a comedy of errors where a series of automated systems glitch out and a detached bureaucracy is slow to react. Or something like that.
I feel like it should be required reading to protect against "automate all the things" hubris.
Do you remember what it was called?
I had a fuzzy memory of this story from years back, and recently stumbled across it recently on Wikipedia: https://en.wikipedia.org/wiki/Computers_Don't_Argue
Sounds somewhat reminiscent of the Terry Gilliam film Brazil. Basically a fly dies and gets caught in a teletype machine, causing the name on an arrest warrant to be misprinted. This snowballs into all sorts of darkly humorous and depressing hijinks.
Literally a bug in the system.
Basically a modernized version of the premise of "The Trial" by Franz Kafka. An unknown authority charges the character with a unstated crime and bureaucracy chugs along on errors and assumptions.
I think this is one of the reasons that Google Plus failed. It's like if North Korea set up a social network. Nobody would post cause post the wrong thing and get executed.
If you see what people post with their real name on newspaper comments, Instagram or Facebook it‘s clear that people don‘t care, or don‘t think that far ahead.
Google Plus failed for many reasons but I doubt that one was a big factor.
You can have multiple Google accounts. Just make sure you use app-based 2FA on each so you don't get locked out.
I've just realized that, even though I've used Google Voice as my primary phone number since before it was Google Voice -- for about 18 years now -- I have never really had a problem with it[0], and I've also never paid a dime for it[1].
It seems like a well-oiled machine.
0: Well, some places don't like using GV for 2FA (and demand a "real" cell phone number), and some other places don't think it can do short-code messages at all, but those aren't issues that anyone at GV could ever solve even if those people did exist.
1: Yeah, sure. I'm the product. Blah blah.
GV numbers are in some database as being VOIP. If there was some there that could do something, they could get the numbers out of that database.
Do these databases see through number portability, or are they just verifying that the area code + prefix is assigned to a traditional telco?
Because you can port a landline to Google Voice for $20, and, in my experience, random Internet "phone number lookup" sites still show it as a landline years later.
The number gets classified differently in the "official" phone number database when you port it to a new carrier, including Google Voice. I used to have my US number in GV but ran into a lot of the 2FA issues as as well as trying to use it overseas extensively. Eventually, Google will figure it out to the point where it is no longer tenable to try and keep working around it. I caved and bought a $5/mo eSIM plan from Tello. They don't seem to care that I'm not in the US 10 or 11 months out of the year. I can use wifi calling to send/receive texts for 2FA for free, and iOS even supports using the data of one SIM/eSIM as the "wifi" for a different phone line also present on the device. So even if I'm out, I hop into settings, turn on the second line, it uses my EU data plan to fetch new messages via "wifi calling" and then I get my 2FA code or whatever. Takes about 30 seconds in total.
Is it the most convenient thing ever? No. I have an older iPhone because I'm a cheap bastard so I turn off the other line when I'm not using it, otherwise it will constantly look for a compatible roaming signal which it will never find because I have not authorized any international charges on that account (battery drain).
CNAM is the database you're looking for, maybe LIDB too. Once you port the number the CNAM should change.
Many services won't even text 2FA codes to voip numbers, google voice included.
Some may call, most not even that.
Its more of a recent thing, but I am a little worried about how common it is becoming. I've used my GV number since atleast 2007 for everything.
My bank accounts at banks I like have never complained about my Google Voice number and still don't. My bank account at Bank of America had some security check I needed to complete at some point and my Google Voice number that had been in their system for a decade I was told was not eligible anymore and I needed to actually use my real phone number.
I could almost put up with it if it was for things that need to be secure, but my 7-11 rewards account rejected my phone number at the gas pump a few years ago and Target rewards also started blocking my GV number.
Sometimes, it's like neither loyalty nor consistency nor history actually mean anything.
"I have cheerfully been using your service in this exact same way for seventeen years."
"FUCK YOU! GET OUT!"
I've still got my .10 Grand Central introductory credit.
I use Google voice as my main number on my Pixel, but also on a burner phone to harass overly aggressive recruiters. When I set up Google voice in the burner it made me load it with credit but surprisingly all the calls and texts I've made with it are free.
Things are pretty stable because Google Voice has barely changed in the past decade, but when things do go wrong there's no one around to look into it.
There was a time many years ago when Google Voice would intermittently fail to ring or even forward calls to another number when I tried that, and then give no indication that a call was ever made to your number that you missed (I verified it by asking when people I knew called me and said I never got back to them), which is pretty bad when you're expecting to receive important calls sometimes. This went on for months. I received bare minimum support which didn't even come close to helping the issue even though my issue was voted to the top of the support boards because many other people were having the same issue at the time. I'm glad you personally haven't had an issue but you should be prepared to have one at some point and get essentially no help.
what if you lose access to google voice yourself?
There is usually a way to get into your own account. It’s just harder than fibbing to a customer support agent in a chat box.
The downside of course is if you do run into a problem, you have nor recourse.
Still seen swaps with Google Fi. Efani is a much better option if you actually want protection. I am a cyber lawyer and that’s our recommendation to any clients who care. I can’t recall if Efani is throttled on AT&T or Verizon as MVNO, but one isn’t. Easy to ask them.
Their website says it's $99/month. That seems a bit steep to me considering all they're providing over a regular provider that charges $29/month is that they do a bit more verification when you claim that you lost your sim. It's not even clear whether they protect against a port-out attack, which is probably worth worrying about as well.
Presumably Efani accomplishes that additional protection by maintaining a human support staff they put more resources into training than the average carrier. That's expensive, especially when you consider that it's a relatively niche service (so small user base to amortize that cost over) and presumably only used by people that really care about sim swaps, likely because they are frequently targeted for sim swaps, and thus the training needs to really work. They also have no other lines of business like device sales/financing that could help cover those human operational costs.
That, plus the fact that it's a premium service that is mostly only useful to higher net worth / higher income people, makes it seem reasonable that it would be quite expensive relative to a regular provider.
According to the BLS "Computer User Support Specialists" get paid $30 on average[1]. Whatever training they give to staff to resist sim-swap attacks, I can't imagine they can't be more complicated than the certifications that "Computer User Support Specialists" have to get through, so I think it's reasonable to model their support costs at $30/hr per person. With the premium they're charging over a budget MVNO they can afford two support people per customer. How many fraudulent sim swap attacks could the worst client possibly attract? Is it really that hard to train someone to deny sim swaps until they go through 11 steps of verification like their website says?
[1] https://www.bls.gov/oes/current/oes_nat.htm
I mean yeah that's the more reasonable answer. It's a luxury product and priced accordingly.
T-Mobile blocks my Google Voice calls. They have to run inside a VPN.
I've mentioned this a few times and don't feel like restating it but if you're curious about my "i was locked out of every single Google service for "fraud" that I didn't commit, don't know what they were talking about, and never got a single response even after sending them my drivers license multiple times to prove my identity" story it's somewhere in my comment history.
It's probably a tiny chance it happens to many people but it's something to consider. I had nobody to talk to. No store to go to. I lost cell service for a week until I migrated everything off of google.
Just something to be wary of.
edit: I tried to dig it up it's about a year old and .. oof yeah i'm not going through pages and pages of paginated yn comments. Moral of the story is what I said above
https://news.ycombinator.com/item?id=36336256
This one seems to fit. Happy I've never had reason to write one like it.
lol That's it. Thanks, you're persistent!
Lazier than you think! You almost nerdsniped me into seeing how fast I could whip up a crawler but then I checked the search and found out it can find comments and use a custom date range.
https://hn.algolia.com/?dateEnd=1700092800&dateRange=custom&...
deletes entire account
This is less traumatizing than when I found irclogs of me from 10-14 thankfully.
Doesn't Google Fi use T-Mobile's network as an MVNO? Are they insulated from this kind of thing still?
Same goes for Mint mobile. They are/were an MVNO now owned by T-Mobile. I have no reason to go into a store since the service just works and I never do much but confirm auto-pay is working. Looking at the site now, it's been T-mobilized with stuff like carrier-locked phones but otherwise I've seen no meaningful changes.
My main problem with google fi is that I also use gmail heavily, and if the algorithm decides to cut me off one day for some reason, I don't want to lose access to my primary phone number and primary email address at the same time.
What were they after?
I'm pretty sure T-mobile could legally do that to their own employees. Corporate security teams are always sending fake phishing email to test their employees' gullibility and send them off to Re-education Camp.
Phishing emails don’t usually ask people to do something illegal, though.
what law would the company or the employee be breaking?
The initial claim was that employees were doing something illegal. You can not send employees an email to instruct them to do something illegal.
Yeah, I'm sure a well paid attorney could probably come up with some legal theory that "makes it OK" to attempt to entice an employee into committing a crime for the purpose of rooting out employees who would commit a crime in exchange for money.
A well paid attorney worth their salt will likely tell you that you don't want to test that theory with a court and the various employment watchdogs.
Engaging in such a plan and through happenstance and human fallibility ending up actually creating harm to an actual customer could potentially expose you to a tort claim.
We call it concentration camp here. Because of all the thinking.
I don't see a big difference between this, and sending fake phishing emails to employees to see if they bite, which is a fairly common practice.
In this case though, it doesn't necessarily have to be T-mobile that does it. It could be local law enforcement, and they could potentially trade immunity for information on real bribers.
Clicking on fishing link is not illegal. Therefore, it is ok for corporate to sent fake fishing emails. This would be instructing employees to do something illegal.
Likewise, CEO can not instruct the accountant to steal money from company account as a test.
You could solve this by simply sending out a memo not to respond to such offers or risk termination.
It shouldn’t just be termination, it should be jail time. It’s no better than selling a gun to a person you know intends to use it to commit a crime.
Just so we’re clear: getting shot is quite a bit worse than having your phone number stolen.
A person getting a gun is not the same as someone getting shot.
Well yeah, a person getting their SIM swapped is not the same as someone getting scammed.
Until it is.
Guns have legitimate uses sim swapping does not.
Sure... except the thread you're in started with:
Though I guess you could be making the case that crime is a legitimate use of guns?
Many people--rich or poor--would rather get shot and survive than lose all their wealth.
We talking a grazing, or a colostomy bag and a wheel chair?
I wouldn't, but I think a lot of people would.
Well that could really depend.
If your phone number being stolen causes your savings to get drained for long enough that you run into problems making important payments like rent, taxes, car payments; That can pretty quickly spiral into even worse situations. In a world/country where many people have too few savings to go even a month without being paid, losing even that can get extremely dangerous. Not to mention the stress of such a situation alone will probably take quite a bit of your life expectancy off.
While I absolutely understand the point you're making....
At least in the United States, we also live in a society where the financial ramifications of getting shot could lead to equally bad financial outcomes (whether directly or indirectly).
It's actually significantly better.
T-Mobile should make a few loud examples out of those proven to be doing this. Deterrent is the best medicine. Of course they don't want this kind of attention so they'll do as little as possible.
Or, crazy idea, we do not give minimum wage paid retail sales reps the ability to control access to the online accounts of hundreds of millions of people.
Reps for T-Mobile are not making minimum wage. Almost nobody in the US earns minimum wage at this point, it's less than 1/2 of 1% of labor.
You can make $15/hr as an entry-level cashier - your first job, zero job history - at CVS and Walgreens, with tolerable health/dental/eye insurance.
And if you're not entirely braindead you can trivially become a pharmacy intern (then tech) and start at $18-$20, with benefits. They'll pay for your licensing. You can make $18-$22 to start as a telemetry or video tech, with zero experience. Hospitals are filled with people sitting in rooms watching video monitors making sure patients don't fall over or hurt themselves, it pays 3x the minimum wage and requires zero experience.
If you're making $7.50 /hr at this point, you're either living somewhere very barren (almost zero economic opportunities), or it's your own fault.
Sounds like a great gig! How do the pharmacy techs at Walgreens enjoy working there?
I think you may have missed the point.
Even so, retail sales jobs are often heavily commission adjusted which makes this not so cut and dry.
Sell sell sell, or you are well below the poverty line and quickly replaced by someone more willing to cut corners on the activities that are not profitable like carefully checking ID.
Almost nobody makes federal minimum wage.
It's gotta be at 2%+ making state minimum wage though.
CA for example has a minimum wage somewhere north of $15, and like 10% of the population makes minimum wage or less. That right there pulls the number for the whole country up to at least 1% making minimum wage, because CA is >10% of the population. (Extreme example, since CA also has the highest real poverty rate in the US (SPM, not the hilariously undercounting OPM)).
Red teams do this sort of things all the time. How about you don't accept bribes? Arguably that's a bigger dick move.
audit log tied to the one who authorizes the swap along with guaranteed criminal penalties would be a stronger disincentive I believe.
Is it? It'd be a good way to catch people doing something that's seriously damaging to others for personal gain.
I don't think I have much sympathy if you lose your job for doing something this damaging and probably illegal.
How is knowingly doing sim swapping not already a dick move?
Honestly what the OP suggested is simply a sting operation.
Your reaction to it is ... more scary.
A telling reply.
SIM swapping? No comment. Trying to catch SIM swappers? Suddenly you have feelings about it!
Wow, genius, just tell people not to break laws, why didn't they think of that...
Or pay people enough so they don't get tempted to begin with.
Lol Martha Stewart has $400m and she got done for $230k worth of insider trading.
And Matt Levine every now and then talks about a guy making a few million a year insider insider trading a few thousand and settling.
Bechtolsheim too
That is exactly who I was thinking of but I couldn't remember the name. $16 b and he was fingered for $400k hahaha.
Wasn't it because she lied about it?
The point is that she was already rich. High pay doesn’t stop people from doing crimes.
Billionaires have literally committed financial crimes for more money. Pay has very little to do with it.
Billionairism. Addiction to the accrual of wealth and the power wealth affords. They should be in asylums not boardrooms.
There's plenty of room for them in the Fletcher Memorial Home.
Such a weird song, yet surprisingly memorable.
“And give them a home / a little place of their own…”
What is the dollar value of getting access to a phone number belonging to a celebrity or a billionaire? I don't know the exact amount, but it is 100% more than what T-Mobile can feasibly pay all of its employees. Do you think security guards protecting the federal reserve's gold vault get paid more than the value of the gold in that vault?
They can
1. require two employees PLUS an agent on the phone to do it.
2. call the desired number and speak to whoever answers and ask if they're aware the number will be ported
3. have a 24-hour period to try to reach someone at that number before the swap occurs.
4. Offer a very large bounty ($10,000 or more) for providing evidence that a co-worker is taking bribes
Buried at the bottom of the article is a link to
T-Mobile’s New SIM Protection https://tmo.report/2022/12/t-mobiles-new-sim-protection-is-n...
and it of course doesn't show up in my tmobile account. Though mine is prepaid.
fwiw this series of steps worked for me
I believe there are telecommunications regulations in olved that prevent them from erecting barriers during the sim swap process. This might be one of the mains reasons it's such a juicy vector.
You may be right! They might not be able to do a "24 hour cooling off" period. Even sending text messages to that number once an hour for a day saying "TEXT STOP TO STOP SIM TRANSFER OR CALL 611" would stop a lot of these.
I'll have to google a bit and see if they are restricted.