Hackers Are Hijacking Phone Numbers and Breaking into Email, Bank Accounts (forbes.com/sites/laurashin)
650 points by CarolineW on June 11, 2017 | 362 comments



This happened to me.

1. I believe it began with the hacker getting my DOB/SSN.
2. The hacker called the wireless provider and forwarded all calls and texts to a burn phone. Eventually, the hacker ported my wireless number to another provider/number (not sure which), and the phone registered to my provider did not work anymore. The landline phone was also forwarding calls to another number.*
3. The hacker gained access to my email (as that email was also within the telco's site). At the beginning, the hacker did not reset the password. After I changed the email's password, the hacker was still gaining access to our emails and eventually reset the email password, blocking my access. (The reason was that all the texts and calls were being forwarded to his/her burn phone, so he/she could reset the password at any time.)
5. Requested 2FA from the bank.
6. Gained access to the bank account.

This was over the course of 3 months. It was a nightmare to resolve and paranoia still remained. The hacker later went on to open several bank accounts. Fortunately, this was discovered early. The entire situation was communicated to the FBI, local police, and bank institutions, but I do not think anyone cared.

*I saw two numbers that were being used within my wireless account site to forward the calls.


> The entire situation was communicated to the FBI, local police, and bank institutions, but I do not think anyone cared.

Why would they care? It happens dozens of times a day, and the criminals are out of their jurisdiction.

If only the police, FBI, politicians, etc. could go after the banks and telcos to improve their security. But no... they see it as their job to destroy security, in order to make you "safe".


Did you file a report with the FBI? I was once scammed on eBay for a laptop worth $1200 around the year 2002. The local police did not get involved, so I went to the FBI website and filed a report. I thought nothing was going to happen. They eventually caught the guy and I got my payments in installments (restitution) over several years.


They won't go after an attacker if there's not a high amount of damage, like $250K or more. FBI guys are swamped with people calling, and there's just not enough agent time to go around. Same for bank fraud. Ever wonder how people get away with popping someone's bank account, transferring to another local account, and walking off with the cash? For a couple grand, no one's gonna spend the time and effort to track you down.

Liability for data breaches limited to companies over X size would be a good idea though.


Maybe we should increase the number of agents investigating this stuff, then? Fraud affects many more people than terrorism, but nobody gives the "there's just not enough agents" excuse for that.

Also, only investigating fraud when there's lots of money involved means we're only helping rich people, who need the least help. Losing less money doesn't mean less impact on someone's life if that's all they have.


Because people are more terrified of a random bomb hitting a random place once in a while than of their accounts getting hacked and then finding themselves in big trouble?


It takes a lot of work by the military-media-industrial complex to keep people that terrified about such a stupid ginned-up threat.


And yet then you see things like this [1], where the 4 year old case of a very minor eBay scammer is personally prosecuted by a state Attorney General. I guess it depends on who has time to kill. These two guys are looking at decades in prison for a scam that looks to have netted about $3K.

[1] http://ag.nv.gov/News/PR/2017/Attorney_General_Laxalt_Announ...


Why do you think he personally prosecuted it? His name's on the complaint, but it's on all the complaints referenced in their press releases. The press release says the case "was investigated and is being prosecuted by the Attorney General’s Fraud Unit".


Which is interesting because it should be the other way around. If you have $250k stolen, it is bad, but you are probably wealthy enough that you won't get into deep trouble or stress.

If your whole account is $2k it might be a different world for you, and you might be relying on it to pay rent or medical expenses, which is more serious than an investor not having access to his $250k.

Not meaning it is fine to steal $250k from wealthy people but that poor ones being affected (at $2k) is more urgent from a humanitarian perspective.


>> If you have $250k stolen, it is bad, but you are probably wealthy enough that you won't get into deep trouble or stress.

Or it might be your entire life's savings and if you can't get it back you kill yourself from the stress of losing 40+ years of work. It's very dangerous to make assumptions about other people's money.


Do you usually have your life savings in a checking account and not in an IRA account? Shouldn't that raise more red flags for the bank?

I'm not saying that investigating the $250k is not important; but just not more urgent than the $2k theft.


I have all my life savings in a checking account. So in my case if I got hacked and my money from that account stolen I would be in big trouble and have suicidal thoughts very likely.

>>I'm not saying that investigating the $250k is not important; but just not more urgent than the $2k theft.

Absolutely not. Ignore the case when this 250k was your entire life savings (30-40 years of saving remainder of your salary every month and slowly building savings for retirement).

It could be mortgage money which you are about to buy a house with or it could be company money for payroll. Suddenly employees of a small business don't get paid. Those employees of course have to pay mortgage/rent/medical bills and suddenly paycheck they counted on doesn't come. This could affect many people in very negative ways.

I think $250k stolen should definitely get a priority to be investigated by agents over $2k stolen as it is more likely it will mess up lives of many people in a bad way.


Interesting. When two crimes both take similar effort to commit, and similar effort to investigate, I'm not sure if the higher dollar amount should be de facto prioritized.

I am going away from SMS based 2FA where I can. For services where it is used, anyone have opinions on using 2FA via a SMS to VOIP number with a provider who has better account security/authentication tools than most telcos (e.g. google, etc)?


The argument for giving more priority to higher amounts is that since criminals are stealing the money, they can commit more crime with more money (in simple terms, you can buy more drugs/guns with 250k than with 2k).


"I'm not sure if the higher dollar amount should be de facto prioritized."

Why not? Higher net worth equates to higher taxes paid - the 250k victim has been paying the investigators a more substantial sum, and should receive a more substantial response from them. "Size matters" sums it up to me.


That's not how modern Western societies work. Plutocracy has been tried, and found to be devastating for society, human dignity, and the human condition in general, not to talk about the rampant corruption it invites.


> "That's not how modern Western societies work."

Are you sure? Maybe you believe they shouldn't work that way, but do you believe they truly are blind to the net worth of the offended party?


No, they are not. But ideally the advantage the 'richer' party has in influencing the investigators/judiciary to put forth more effort on their behalf is not written policy; it is corruption/cronyism. Should we create policy that prioritizes investigating the theft of a $100,000 automobile with more resources and severity than the theft of a $20,000 one, simply because the value is larger, or weight the effort based on the tax contribution of the victim? I would say absolutely not.


I guess the theft of a more expensive car should be investigated with higher priority because selling it gives criminals more money to work with and leads to more severe crime. A group that can steal and sell a Lamborghini likely runs a much larger and more organized operation than a group which steals and sells old cheap cars.

This is all guessing though, I'd love to see more data on it.


This assumes a linear margin on units of stolen cars to value. Smaller ticket items are easier to fence specifically because they are common. It's hard to sell the Mona Lisa. It's easy to sell a mass-produced TV. Cops would spot a stolen Lamborghini as soon as the APB comes in. Not so much for a Toyota Camry.


Yeah, and that's why I said that a group that can actually steal and sell a Lamborghini successfully should be investigated with more resources, since you are more likely to find a well organised criminal organisation behind it; if they can shift Lamborghinis they can probably shift drugs and guns too.


I remember reading somewhere the top car make/model stolen was the Honda Civic.


No doubt. High resale + common item = higher portion of thefts, I would expect.


We disagree then, I think they absolutely should prioritize that because of the tax contribution of the victim. If I pay someone $1000 for a job, and you pay the same person $100 for an opposing job - you should lose. That's only my capitalist opinion, but I don't think it's an unpopular one.


Probably disagree on some aspects, and I may not have chosen the best example, or clarified my position enough. In a situation where two parties are voluntarily engaging in competition (for a job applicant), the party who offers more value usually does win, and I think that's appropriate. And I support allocating resources to fight crime based upon the effect of the crime's proceeds in supporting or leading to further crime. In mandatory participation systems like public civil services I am for at least a baseline allocation of resources not directly correlated to the financial input of the particular recipient.


I was using Google Voice for this for a while, but if you are worried that someone may have access to your computer / email, then they may effectively have access to your Google Voice as well. voice.google.com


Taking money out of an IRA into your checking account is usually two clicks with my bank. I'd get a warning about losing interest if I take the money out, but I can do it anyway and the money is available instantly. For all intents and purposes it might just as well be in a checking account, and it certainly won't make any difference to an attacker who got into my account.

>>I'm not saying that investigating the $250k is not important; but just not more urgent than the $2k theft.

I'd argue that it's a lot more urgent. What if you were paying for a house tomorrow, and the money is gone, so you lose the house? Or you are a small company that has to pay its tax bill for the year, but the money is gone? Or you have to pay for an expensive operation that won't go forward otherwise?

2k is not as important, in the sense that if you are really short of 2k, then there is a plethora of options to come up with 2k on short notice (some astonishingly bad, like payday loans, but there are options), while if you are out of 250k and need 250k then most likely you are absolutely screwed.

Again, to repeat my final point - don't make assumptions about people's money.


> Why would they care?

Because it is their job.


>criminals are out of their jurisdiction

We are in dire need of specific cyber security public divisions that people can go to. The FBI, I believe, will have many problems to deal with, and as far as I know there isn't any cyber-police division capable at the city/state level.

At least nothing capable of handling incidents like the one mentioned above. The debate of whose job it is can get hairy. Especially with a future where the internet is becoming more pervasive, there can be more damage.


The FBI claims jurisdiction over crimes committed by foreign nationals against Americans. It's just hard to investigate and arrest individuals who aren't on US soil, but not absolutely impossible. They arrested a Russian ID thief a while back, but they had to lure him out of Russia to do so, as the Russian authorities didn't cooperate.


I don't mean to sound flippant but they don't care. It is their 'job', but they don't care.


There is a direct correlation between security and fraud-related interest/insurance in regards to the cost of use and exposure to fraud.

They aren't out to "destroy" your security; it's a liability threshold calculation. At the end of the day, secure yourself in life; this includes choosing banks that are more stringent based on your needs and what you want to pay.


The real answer is to not use SMS as a 2FA. That was never ever a good idea.


What is better? Authenticator apps/hardware devices?


Most Dutch banks (except for ING, which does still use SMS) use hardware devices that use the chip on your debit card to authenticate. You unlock the chip with your PIN, enter the challenge code supplied by the banking website for the transaction, and the device shows you a one time code you enter in the banking website. This is a decade old technology that works rather well.


Same in Ireland. In France I've also seen a combination of SMS and pre-shared secret (SMS asking for a code from a grid printed in a small card you can store in your wallet).


Authenticators are fine but u2f keys are better because they protect against phishing.
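The chip-card reader described a few comments up and the phishing resistance credited to U2F here rest on the same idea: the one-time response is a keyed function of context the attacker cannot control, either the transaction details the user confirms on the device, or the origin the browser (not the web page) reports to the key. The following is an added illustration, not a Dutch bank's EMV-CAP protocol and not the U2F specification; it uses HMAC-SHA256 as a stand-in for the card's key and the token's signature, and `DEVICE_SECRET`, the account names and the `bank.example` origins are constructed values.

```python
"""Context-bound challenge-response, modelled with HMAC-SHA256.

Added illustration, not any bank's or U2F's real protocol: it shows why a
response that covers the transaction details (chip-card readers) or the
origin (U2F) cannot be reused for a different transaction or a different site.
"""
import hashlib
import hmac
import secrets

DIGITS = 8
# Constructed per-device secret for the example. A card reader derives its key
# from the debit card chip after PIN entry; a U2F key holds a per-site key pair.
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def issue_challenge() -> str:
    """Server side: a fresh random challenge, never reused."""
    return secrets.token_hex(8)


def _response(secret: bytes, *fields: str) -> str:
    """Numeric response = truncated HMAC over length-prefixed fields.

    Length prefixes stop ("10", "00") and ("1", "000") from producing the same
    MAC input. Truncation follows HOTP (RFC 4226): 4 bytes at an offset taken
    from the low nibble of the last digest byte.
    """
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for field in fields:
        data = field.encode()
        mac.update(len(data).to_bytes(2, "big"))
        mac.update(data)
    digest = mac.digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


# --- Case 1: transaction-bound response (chip-card reader) -------------------

def token_transaction_response(secret: bytes, challenge: str, payee: str, amount: str) -> str:
    """Token side: the user reads payee and amount on the token's own display and confirms."""
    return _response(secret, "txn", challenge, payee, amount)


def bank_verify_transaction(secret: bytes, challenge: str, payee: str, amount: str, response: str) -> bool:
    """Bank side: recompute over the transaction it is about to execute."""
    expected = token_transaction_response(secret, challenge, payee, amount)
    return hmac.compare_digest(expected, response)


# --- Case 2: origin-bound response (U2F-style) -------------------------------

def token_origin_response(secret: bytes, challenge: str, origin: str) -> str:
    """Token side: the browser, not the page, supplies the origin it is talking to."""
    return _response(secret, "origin", challenge, origin)


def site_verify_origin(secret: bytes, challenge: str, expected_origin: str, response: str) -> bool:
    """Relying party: accepts only a response computed for its own origin."""
    expected = token_origin_response(secret, challenge, expected_origin)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Walk through both cases: a tampered payee and a relayed (phished) challenge."""
    chal = issue_challenge()
    # User confirms a payment to ACCT-A; malware in the browser swaps the payee to ACCT-B.
    resp = token_transaction_response(DEVICE_SECRET, chal, "ACCT-A", "100.00")
    honest = bank_verify_transaction(DEVICE_SECRET, chal, "ACCT-A", "100.00", resp)
    tampered = bank_verify_transaction(DEVICE_SECRET, chal, "ACCT-B", "100.00", resp)

    # A look-alike site relays the bank's challenge; the browser reports the
    # look-alike origin to the token, so the response is bound to the wrong site.
    chal2 = issue_challenge()
    legit = token_origin_response(DEVICE_SECRET, chal2, "https://bank.example")
    relayed = token_origin_response(DEVICE_SECRET, chal2, "https://bank-login.example")
    return {
        "honest_txn_accepted": honest,
        "tampered_txn_accepted": tampered,
        "legit_login_accepted": site_verify_origin(DEVICE_SECRET, chal2, "https://bank.example", legit),
        "relayed_login_accepted": site_verify_origin(DEVICE_SECRET, chal2, "https://bank.example", relayed),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the two "accepted" flags for the honest cases are True while the tampered transaction and the relayed login are False. The design point is that the verifier recomputes the response from what it is about to do (execute this payment, log in this origin), so an attacker who intercepts a valid code has nothing that fits any other action.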


Not to mention you lose your Authenticator if you upgrade/lose/break your phone, but U2F keys are (practically) forever.


    adb backup com.google.android.apps.authenticator2
all the codes are stored in the sqlite3 database which you can open with standard command line tools.

there are also more user friendly backup apps such as helium, but adb works quite nicely.


Last I checked, adb backup doesn't backup the secrets. Has that changed?


I don't know but I've been using this technique for a year or two now with great success. The Google authenticator just stores its secrets in the salute db every app gets.


Autocorrect kicked in there... sqlite* (it is absurdly difficult to put an asterisk at the end of a message on HN. it seems to require a trailing whitespace[1] for it to show up, however the input is trimmed, so...)

[1] https://news.ycombinator.com/formatdoc


Have you tried a restore on a factory-reset device?


I have not, but I have extracted the backup with https://sourceforge.net/projects/adbextractor/ and inspected the contents, visually confirming the secrets are there. Even if a restore doesn't work, I can re-enter them manually from the information in the sqlite database. However I fully expect a restore to work.


That's exactly why I copy and save every 2FA QR code in my KeePass database, along with backup codes. Phone changed? No worries, install Google Auth, rescan those QRs, and voila, your 2FA system is back up and running!! :)


Most 2FA services that allow authenticators offer recovery codes. I keep the recovery code saved in my password manager, and if I ever lost my phone I use that to log into the site and then get a new QR code.


Yes, that's also a way, but why not save the QR code the first time you see it, instead of losing it, resetting with a recovery code, and then again getting a new one? Recovery codes are fine, and should be kept safe and such, but the original QR code can also be saved and screenshotted. That way, phone lost? Open the database, load the QR code, scan it on the new phone.
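Both the sqlite database pulled out via `adb backup` (discussed above) and the saved QR code hold the same thing: the base32 seed from which every future code is derived, in the documented `otpauth://` Key URI format. The script below is an added example, not any commenter's code and not Google Authenticator's; it parses such a URI and regenerates the code exactly as a freshly restored phone would, using the RFC 4226/6238 algorithms. `SAMPLE_URI` is constructed, and its secret value is the well-known example from the Key URI format documentation, not a real account. The practical consequence for the KeePass approach: the stored QR is equivalent to the seed, so the database entry needs the same protection as the password it sits next to.

```python
"""What a saved authenticator QR code actually contains, and why it is the seed.

Added illustration (not the page's or Google Authenticator's code): the QR
encodes an otpauth:// URI carrying the base32 seed; anyone holding that URI
can derive every future code, so it needs the same protection as a password.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the Key URI format. The secret is the documentation's
# own example value, not a real account's seed.
SAMPLE_URI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"


def parse_otpauth(uri: str) -> dict:
    """Extract label, issuer, seed bytes and parameters from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret_b32 = params["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)  # QR codes usually omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamically truncated."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def code_from_uri(uri: str, at=None) -> str:
    """Regenerate the current code purely from the saved URI, as a restored phone would."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    parsed = parse_otpauth(SAMPLE_URI)
    print(parsed["label"], parsed["issuer"], len(parsed["secret"]), "byte seed")
    print("current code:", code_from_uri(SAMPLE_URI))
```

With the RFC 6238 test seed (the ASCII string `12345678901234567890`) the function reproduces the published vectors, e.g. `287082` at Unix time 59 with 6 digits; that is the same check a practitioner can use to confirm a restored seed before trusting it.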


Authy allows multiple devices (and encrypted backups) - that ensures fairly good security (if good password is chosen) and availability, doesn't it?


What is a good u2f key you'd recommend?


I have used Yubico's U2F key since shortly after they came out (Nov 2014). They are very robust and relatively cheap. Moreover, in contrast to some cheaper keys, they require physical confirmation by a finger press.


Feitian NFC-compatible is nice because you can set up your Google Account on an Android phone with it: https://www.amazon.com/gp/aw/d/B01M1R5LRD/

If you're into cryptocurrency, the Trezor will also act as a U2F device.


"What is better? Authenticator apps/hardware devices?"

Mobile signature (SIM-based)(0) is the most secure method as far as I've seen in banks. Citing wiki: "supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital signature enabled SIM card is the most secure method today against the man in the middle attack."

0. https://en.wikipedia.org/wiki/Mobile_signature


Which banks should you choose? How do you decide?


The ACH model is fundamentally insecure: anyone who knows your account number can pull money from it, and the protocol makes no allowance for the bank to check with you first. I don't think choice of bank matters very much.

You can manage your risk somewhat by:

1) Using credit and not debit cards for day to day spending.

2) Maintaining your long term wealth in separate accounts at separate institutions and not linking them directly to anything except your checking account. This minimizes what can be stolen if your checking account is compromised, and makes it less likely that your savings can be stolen directly (account number is used in fewer places).

3) Turning on all the alerting and notification settings you can find, so that you'll hear about unauthorized activity immediately.


I read somewhere that companies that do a lot of ACH payments use different accounts for receiving and sending payments. The receiving account is locked so that it can't send and the sending account is supposed to stay secret. I don't know if that actually works in practice, though.


If you give someone a paper check you are giving them your account number in plain text. I don't see how they can make that "secret."


ACH transfers, not paper checks.


Yeah but for 90%+ of transactions, if you are being paid by a company, you can almost always request a paper check instead of an ACH transfer (sometimes with a fee). In that case they either have yet another account for check writing (which won't be "secret") or they give away their "secret" ACH account.


I'm not proposing this as the solution to fix the extremely outdated ACH/check system, just relaying what I read about what some companies do.


Why do they keep that system? In most of Europe you have a "normal" banking system where you can give everyone your account number and the worst thing they can do is put some money there.

In US it seems #freemarket is putting externalities (security) on the customer.


ACH is a service of the Federal Reserve, actually.

It also provides wire transfers, which are a little more secure because they're push only, but also less secure because they're instantaneous and irreversible. All banks charge at least ~$15 per transaction and they're really only used for high value, time sensitive deals.


Jeremy Clarkson made a similar argument and even published his bank details. Then this happened: http://news.bbc.co.uk/1/hi/7174760.stm


For SEPA (Single European Payment Area) direct debits, you have 8 weeks to get a full and immediate refund. I'd assume that holds for the UK as well.

Many companies (and individuals) in Europe publish their account numbers on their letter head and website, it really isn't a big deal.

Anything else seems security by obscurity.


For SEPA-DD, 8 weeks is for a no-questions-asked refund; in general, for non-authorised payments you have 13 months to request a refund, but if it's 8+ weeks they can verify the lack of a direct debit mandate beforehand. It seems to be the policy of most banks that they'll refund immediately anyway and let the merchant handle the problems.


So what? Someone set up a direct debit, he can just cancel it and get the money back. Of course it will take a bit (a few seconds with online banking nowadays) but you wouldn't lose any money. There's no way someone can get money from a UK bank account by just knowing the account number, assuming that you check your account regularly.


Not sure about UK but in Poland direct debit is something you need to manually enable and pay small fee for it.

And even if you enable it someone needs to forge your signature under direct debit order to allow someone to charge you.

So still no.


überweisung isn't really that secure.

I had somebody buying products on Amazon using my company's IBAN numbers. Amazon were super frustrating to deal with. They kept asking for my amazon account details and I kept explaining that the company doesn't have an amazon account. They didn't know how to proceed ! But in the end they did reverse the charge.

My girlfriend had somebody buying groceries using her numbers. They just write numbers in and signed the sheet of paper at the store. The store refused to take responsibility for doing this without ID-ing the person. The police were more understanding.


> it seems #freemarket is putting externalities (security) on the customer.

More like corporatist government regulations are putting the burden on the customer.


My CEO went to a local large bank and demanded as a condition of his business with them that they have an out-of-band communication (a phone call or SMS or whatever) with him before any outbound wire transaction can be attempted. They rejected his condition because they interpreted it as both (1) added liability due to all of the customers that could potentially claim they should have been similarly protected and (2) too much effort/cost/resources/whatever.

I don't deny that there are _corporatist government regulations_ (which largely prevent the best qualified engineers/entrepreneurs from wanting to tackle the consumer fintech problems), but banks are dragging their feet and the #freemarket hasn't developed a viable alternative yet.


The business model of all fintech is to ensure straight-through processing for as close to 100% of transactions as possible; if you have slightly more manual processing than competitors, then you can't be competitive price-wise.

A requirement "out-of-band communication [..] before any outbound wire transaction can be attempted" easily turns the processing cost (not price) from $0.02 to $20+ per transaction, a thousandfold increase, and that's assuming that this'd be offered as standard product and not a special case for a single customer.

If it's not made as a standard product, then it's really painful: it would mean that either the whole staff & systems would have to be trained for that customer's needs (not likely unless you're bringing 10+% of the whole bank's revenue) or the customer wouldn't be able to use any standard banking channels ever, not the normal branches, not the normal online services, not the normal call centres, only directly through your private bankers.


I never experienced this directly, but when Chip'n'Pin first came out, wasn't it the case that some European banks held customers responsible when it got hacked? The theory was apparently that it was "impossible" to hack Chip'n'Pin so something must have been the customer's fault...


Isn't it still impossible? You can only hack it if you can guess the PIN or in cases where the victim wrote it on the card. The latter happens quite often and this is where banks sometimes refuse to pay.

If you keep your PIN secret it's a very secure system (unless the attacker is very lucky).



No, this is a case where hard to change regulations are preventing progress.


I would refine that question: does anybody know of a competent rater that evaluates and rates banks based on security?


Security always sucks. The differentiation is response. That usually means a small regional bank or midsize credit union.

If you have enough dollars, a private bank type thing works too.


> 1. I believe it began with the hacker getting DOB/SSN

We [the US] dramatically over-rely on SSN. At least one upside to ubiquitous biometrics will be that we can start layering more authentication measures in an effective and consumer friendly way.


Relying on it is not the problem. Treating it (or "date of birth" or "mother's maiden name") as a secret for use in authentication is a big problem. These things are not secret, and having me say mine does not prove that you're talking to me.


In my (shared) office, everyone knew each other's last 4 SSN digits, because whenever on the phone to some random customer service rep, we had to give them to "authenticate".


> Relying on it is not the problem. Treating it (or "date of birth" or "mother's maiden name") as a secret for use in authentication is a big problem.

I honestly don't see how you didn't just restate what I said with different language, while simultaneously saying you disagree with me.

Either way, I agree, and don't really think this is worth a cyber-argument so not sure if I should even be responding. Oh well.


It would be just fine to rely on SSN as an identifier, even to a much larger scale as USA does now, if only it would be clearly assumed that this number isn't secret.


It seems this was a popular hack at one time. I hope this no longer happens. Anyway it's great that you were able to "shake it off", so to speak.


Yeah, Identity theft is one of those crimes where the authorities don't really care. It can be quite lucrative for the folks carrying it out since there are no consequences.

The police are so overwhelmed and typically it is out of jurisdiction so their options are 0 to none to prosecute.

The only way to guard against it is to keep your footprint small and give as little info as required.


> Yeah, Identity theft is one of those crimes where the authorities don't really care.

There is no such thing as "identity theft". You can't steal who someone is, that's bullshit. It's rather some party not making sure it's actually you they are talking to, and then claiming that you are responsible for it anyway because they fell for someone else's scam.


Unfortunately, it doesn't work that way. The Uniform Commercial Code (in the US) has provisions about what constitutes accepting an instrument of payment taken in good faith, and that indemnifies a business. Maybe those laws should not exist and insurance should be the mechanism to cover loss stemming from fraud, but it doesn't work that way.


And piracy is an act of robbery on the high seas.

When the name sticks, there's usually nothing we can do. Sad but true.


The problem with the phrase "identity theft" is that it puts the onus of security onto the consumer to secure their personal details instead of onto the bank/telcos/etc to secure their systems.

We should call it what it is: fraud. Whether that's bank fraud, computer fraud or wire fraud, banks should be responsible for compensating individuals for the losses incurred. One way to encourage this change is a change in the language we use surrounding these crimes.


> The problem with the phrase "identity theft" is that it puts the onus of security onto the consumer to secure their personal details instead of onto the bank/telcos/etc to secure their systems.

And it's really even worse than that, as you are assigned blame for something that the party blaming you is itself forcing you to do. Like, they won't open an account for you unless you tell them your SSN, but then they blame you if you don't keep your SSN secret.

It's reasonable to some degree to expect that you keep your password secret. It's a different thing altogether to take information that is unavoidably known to lots of parties, or in many cases even outright essentially public info (like, stuff you can just buy as a database) as proof of identity, and then insist that you are legally responsible for a contract or whatever they made with someone who knew your DOB or something.

It's really not much different than just throwing darts at a phone book, and then pretending that the fact they hit your name proves that you now have a contract with them ... no, it doesn't, and it's your fucking problem if you think it does.


That example doesn't use word games to shift the loss to an uninvolved and innocent party.


So, how much money did you lose if any?


A few months ago I took 3 of my 4 kids to a birthday party at a minigolf course. I played some holes with my youngest I had taken with me, and then left the two older ones at the birthday party with the understanding that their mother would pick them up (as we had discussed earlier)

After leaving the party with my youngest, I went to the grocery store, and then on home. When I got home my wife was gone, which I expected since she was picking up the older kids from the party.

Throughout this afternoon I had not been checking my phone in an attempt to be a bit less connected on the weekends.

About half an hour later my wife comes home totally freaked out and frazzled.

Apparently after I had left, someone went into a T-Mobile store and somehow convinced the associate that my number was theirs. I had received a couple of texts from T-Mobile with a pin number where the store associate had attempted to do something, but I was not aware of them until later.

Once this person had my number, they called my bank, reset my online password, and transferred all of our money from various accounts into one of my checking accounts. The bank then put a hold on everything (thank god).

My wife happened to have been paying bills online while this was happening, and saw it all go down. Her first thought was to call me, then when I didn't answer to call the mom throwing the birthday party.

Birthday party mom told my wife I had left, so my wife assumed that myself and our 3 year old were being mugged or something. The police were involved and she spent a good amount of time freaking out trying to find me.

All in all I had a pretty good afternoon :P

For real tho, it was a freaking mess. Took weeks to get our accounts safe, and we try to avoid using phone numbers for 2fa now.


>someone went into a T-Mobile store and somehow convinced the associate that my number was theirs.

I had to regain access to an employee's phone a few months ago. T-mobile gave me account control after providing them a phone number that phone had dialed "recently". I am disappointed, but not shocked.


In Singapore they give us a physical token. We have to enter the 2FA code we receive into it to receive a third code to enter into the website. Well, I guess it's 3FA. It is a bit of a hassle but better safe than sorry.


Yea, my wife uses a physical token generator now, and I use the app which is bound to my phone. Someone would have to physically have my phone (and unlock it) in order to access my bank now.


Are you sure your bank wouldn't allow someone to disable it over the phone like they allowed someone to change your password? People lose cell phones just as they forget passwords, so there is surely a way for customer support to deal with it.


Banks over here only reset those tokens with instructions sent to your known address. You can only change that address with a working token or showing government issued ID (which everyone around here has and is also required to open an account in the first place). At worst you need to send a copy by mail but going to a branch or post office or a video chat are more common.


Banks can always ask you to go into a branch for more important things like that. They do that in the UK. If you're not in the country, you can write a letter on paper and have the local police or lawyer confirm your identity. I've done that before. It's a nightmare but it eventually works.


In such cases the bank would offer to send new tokens by physical mail to the registered address or receive them in a branch with proper ID.

I recall a case where an important customer was stuck abroad with everything stolen; they were sent replacement tokens and cards to be received at the embassy, which could properly ID them.


Why can a bank have such a robust procedure for replacing tokens, and be trusted to follow it, but not have a similarly robust procedure for handling password resets?


They definitely can, but some of them don't, especially in the USA, for various reasons.

I mean, any bank with proper procedures doesn't really have the concept of "online password" that's sufficient to do anything and makes 2FA mandatory; I believe in EU now it would be forbidden for a bank to have simply a username-password authentication.


I think it's worth noting that while physical token is needed for adding new payees and changing transaction limits, it is not necessary for online purchases, which only requires sms verification (at least for DBS).

I think it's a fine approach balancing security and convenience.


Seriously, I don't understand why physical tokens are not the norm and standardized on all devices, still. It isn't a new concept at all.


"Apparently after I had left, someone went into a T-Mobile store and somehow convinced the associate that my number was theirs."

How can that happen? When I visit my cell provider's store, nobody is going to talk about any account details until you have provided a government issued ID to prove that you are the account holder. Sure, it's not a 100% bulletproof method, but if somebody went to great lengths to counterfeit my ID, my phone number is the least of my worries. I assume this happened in the USA, so is an ID check so unpopular there, or is it easily circumvented somehow?


Yes, ID check is easily circumvented. People are the weakest link. The store reps are not government officials or police officers, nor do they scan IDs. They may be convinced not to check your ID, to accept an ID that isn't your driver's license, or anything else.

The point is that using SMS as 2FA places much of your security in the hands of underpaid cell phone store workers.


"The store reps are not government officials or police officers, nor do they scan ids."

Neither are they here (in the EU), but nobody is going to talk to you unless you provide an ID anyway. Asking for ID doesn't seem too hard, even for non-trained personnel. You don't have to be a detective to match the name/code on the ID with the name/code on the account.


Having access to potentially thousands of dollars from cleaning out victims' accounts is an incentive to go and obtain a fake ID. Do the store clerks scan and verify that the ID is genuine somehow (check against a database, look at the photo), or do they just look at it in passing and give it back?


From an EU perspective, obtaining a fake ID isn't that likely - counterfeiting anything certainly is possible, but it's hard and expensive (harder than counterfeiting money), risky (being caught with a fake means jail time, it's a more severe crime than theft and there's no "take-backsies" if they don't like the ID) so fraud with fake IDs is extremely rare.

It may happen with certain large scale scams involving organized crime, but not for small amounts; it simply doesn't show up in practice. What does happen is use of real IDs that are stolen (or bought from homeless people), but most places that have some risks have access to registries where they can verify if the ID has been reported as stolen.


Sure, but the excuse is then, "I had everything stolen! My phone, my wallet, etc. I just need to get my phone back so I can pay my rent and get an Uber to the DMV to get my new license." Then if the clerk says, "Sorry can't help you until you have an ID," you freak out and start yelling and the manager comes over and says, "I'm so sorry sir, let's get this worked out," and does whatever you ask him to.


Not happening in the EU - since in such a case the company not verifying the ID tends to become liable for the losses, all companies have policies that prohibit such managers from doing so; they would be risking their own money (and job) by giving you stuff without proper authorisation.

I mean, as soon as word got out that some company allows that, they'd be exploited for free stuff in large amounts; all of the obvious loopholes have been tried and plugged in the last couple of decades. The USA has these problems only because they treat it as "stolen identity" instead of "someone defrauded a company with a fake ID", and don't have proper universal IDs and try to make do with a mishmash of driver licences, names, addresses, SSNs, etc.


> someone went into a T-Mobile store and somehow convinced the associate that my number was theirs.

The fact that the T-Mobile employees can get hold of your mobile phone number is disturbing and a red flag for using your phone number for sensitive stuff (such as money). You should always assume malice from unknown actors.


I don't know where OP is from, but over here (Poland) you need two forms of ID (passport/national ID/driving licence) if you want the T-Mobile clerk to do anything for you in-store. I got quite annoyed once because I needed a new SIM card for my company phone, but despite having two forms of ID confirming that I am the company owner, they also wanted to see the incorporation papers saying so.


I think the point of the grandparent is that the T-Mobile clerk has the power to register a new SIM card for your account. That makes them an extremely weak link (easy to blackmail, corrupt, etc.).


Yes. If the compensation (reward) from the theft is big enough, there will always be a guy who will do it.


Without meaning to pick on T-Mobile, the stories I'm hearing here, including yours, lead me to believe that T-Mobile is liable for damages. As in, they didn't take reasonable precautions to safeguard your account, and you suffered financial damages as a result.

I am generally of the philosophy that you should trust no one to do the right thing, but these cases seem to be overlooking the obvious that the phone companies are fucking up on security.


Large companies like cell providers have concentrated benefits and their customers have diffuse costs. They force a large contract on you (because they have an oligopoly and you have only ~4 or fewer realistic choices) and that contract almost always contains a "no class action" and a "forced arbitration" clause. While those clauses exist, we are at the mercy of cell providers. Potentially very large customers (large companies and governments) might be able to demand changes in the contract, but it's unlikely to automatically filter down to the individual consumer.

I'm starting to worry about similar weak process security on the part of the IRS and Social Security. You can theoretically opt out of using a cell phone, but it's far harder to opt out of government programs that are forced on you with the threat of state force.


So, I've read the article a couple of times. It's pretty long. For those of you looking to get the most bang for your buck, I think the following advice is golden:

1. Do NOT secure your sensitive accounts (facebook, primary email, bank accounts, twitter, etc) with your telco phone #. Telco Phone number is NOT secure!

"Create a brand new Gmail email account. Do not connect it to any of your existing email accounts. (When signing up for a new Gmail, you don’t need to enter a phone number or current email, although there are fields for you to do so. Leave them blank.) Once you’ve created the new island-unto-itself email address, create a new Google Voice number." Use this Google Voice # to secure your primary accounts, and don't have your telco # listed in any of those accounts.

But, make sure your New Gmail account is super secure, with a security key, as mentioned in the article.

2. Check the password recovery methods for all your sensitive accounts and make sure the answers aren't duplicated from any other site. Actually, it's best to remove them, if you can.

If any security experts want to chime in, please do.


"Once you’ve created the new island-unto-itself email address, create a new Google Voice number." Use this Google Voice # to secure your primary accounts, and don't have your telco # listed in any of those accounts."

The problem with this otherwise good idea is that google will not allow you to keep this account as an island.

Eventually you will get the "we've noticed something suspicious about your account" dialog which requires entering some other, unrelated phone number. You're locked out until you do so.

The suspicious behavior is, of course, signing up without a live phone number.

Ironically, they will accept any number you input with no verification that it is related to the account in any way. They just want to see a live, carrier number input.

(This has been my experience from within the US)


What an interesting way of increasing phone number data conversion rates.


Twitter does that too. At some point I created another account without specifying a phone number, posted a tweet from there and next thing you know they are flagging it for suspicious activity and asking for my phone number to unlock the account.


> When signing up for a new Gmail, you don’t need to enter a phone number

This is not true in general. It probably depends at least on the country you try to sign up from, and probably on other factors.


Gmail didn't mandate phone number the last time I created dummy account (~1 month ago). I don't have phone number linked even with my primary account.


I don't doubt that. In my experience sometimes a phone number is required and sometimes not. When it prompted for a phone I didn't find a way to work around that.


I find that when I create a dummy account from a clean browser (no cookies) with a VPN, a phone number is required. I wouldn't be surprised if they do some internal risk/dodginess assessment based on several factors.


Can you then remove it after the fact? I was able to remove the phone number from my account without it complaining.


They do sometimes, though, depending on how "risky" they deem you based on secret criteria. I've never been able to bypass their phone number requirements.


Or use a Google Voice number to setup 2FA on the same account. That way you can only ever login if you have a device on your person already logged in. If somehow you're away from technology long enough that all your devices are locked, use a printed backup code to unlock one.


Use Google Authenticator or any other time-based token app. Print out the private key, store in a safe. Also print out extra codes and also put in a safe.


But, if you use Google Voice number on your other Gmail account, they say it's not recommended because you can get locked out of both.

I think you can use Google Voice number on everything other than your main Gmail account.

So, to be extra safe, after you've set up your 2FA for gmail, make sure to change your recovery phone # to something other than your main telco or google voice number.


Same account. You can use the Google Voice number to 2FA its associated gmail account. A printed backup key will protect you from getting permanently locked out. But nobody will be able to login without physical access to your device or printed key.

This is how 2FA was meant to work. It should always require a physical device only you have access to. Otherwise it's just using 1FA two times.


Somewhere on YouTube somebody got locked out of his Google account while streaming live because of a setup similar to your suggestion, Google 2FA codes to Google Voice, and the look on his face when he realised it was hilarious. Not sure, but maybe he sorted it out somehow.


It seems Google Voice is US only, and a bit abandoned. From the UK, the website throws various errors, and searching for "Google Voice" in Apple's App Store just shows spam apps.


Not abandoned - in the past year Google has been pushing updates, including a new website and mobile apps (finally)!


Yes, it's nice to see signs of life. I, like many people, have been afraid it would go the way of Google Reader.

Too bad they really dumbed down the interface - it's not possible to delete messages from the new site.


Same for NL. I keep hearing it getting mentioned, but the website is completely nonfunctional and makes little sense.


While SMS for 2fa is _a_ problem, it's not _this_ problem. Using SMS for _account recovery_ circumvents 2fa and circumvents strong passwords.


Last year when I upgraded my phone I was amused — but mostly horrified — by how easily one could get a SIM card for my own phone number with less than a modicum of information on me.

As I needed to upgrade my Micro SIM to a Nano SIM, I went to one of my provider's shops and asked for a Nano SIM for phone number X. I was then asked to verbally confirm my name and address — and that's it. No ID card confirmation, no nothing. "Here you go sir, your new SIM card will be active within a few minutes. Can I help you with anything else?". What. the.


Last week I walked into a T-Mobile store and asked for a new SIM card to replace one I lost. I gave them the phone number and apparently an invalid pin (the sales rep verified that I gave him the wrong PIN). I asked if I should do something else to verify it was my account and nothing. They didn't ask for name, ID, or anything else, and they didn't charge me for the SIM card. I went home and popped it in and my account had clearly been transferred -- I didn't have to do any other activation steps or anything.

Great customer service experience, but horrible security.


Your story reminds me of when I ordered a $200 video card from Staples ship to store. I went to the cashier and told them they should have a video card I ordered. They asked for my name and gave it to me (inside the shipping box so they didn't even know the contents). It's not as bad as getting your phone number stolen but it opened my eyes how easy it would be to "steal" a package.


The problem with all these stories is that there is a physical interaction. Maybe there is a video or whatever, but for some reason people easily let their guard down when a transaction is conducted in person.


That physical interaction is important. It means there's a human being in your country committing a crime on video. That same person could just pick up a product off the shelf and walk out with it too. Either way, they're putting themselves at risk of arrest.

When it's online, there's almost no risk because they're probably in Russia and leave no physical evidence.


Never mind the video, you know for a fact they are carrying a tracking device.


Recently my dad entered his SIM PIN incorrectly three times and it locked him out. Turns out his mobile operator has an IVR service which hands out the PUK to any phone number you enter! No authentication whatsoever, just the phone number. How common is this?


Exact same thing happened to me. Upgraded my phone, needed to switch over to a nano SIM, walked into T-Mobile and chatted up the sales clerk and then walked out with my new nano SIM without showing ID. I was dumbfounded that it was so easy.


NIST has already been discouraging the use of SMS for 2FA[0], but that apparently won't stop the subset of incompetent IPSec consultants who still recommend SMS based 2FA.

[0] www.slate.com/blogs/future_tense/2016/07/26/nist_proposes_moving_away_from_sms_based_two_factor_authentication.html


It doesn't stop incompetent dataroom operators either from forcing their users to give them their phone numbers for 2fa purposes.

And there is absolute gold in those datarooms if you know where to look.

Recent offender:

"iDeals proposes to protect your account with 2 factor authentication. It means that each time when you will be accessing the project/ changing your password/ accessing the protected versions of documents in the data room - an sms code will be sent to your cell phone. "

This after me pointing out that SMS for 2fa is not a good idea.


There’s a far worse example:

PayPal only supports SMS based 2FA, or, if you dig through their old website with archive.org, you can find a way to use one of their proprietary 2FA devices.

Support for TOTP? HOTP? Nope.


Those proprietary 2FA devices are just TOTP with a weird provisioning system.

You can use a tool such as https://github.com/dlenski/python-vipaccess to use google authenticator/freeotp etc. to access paypal.

That said... I believe you still need a mobile number enrolled to enable a token.
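To make concrete what "just TOTP with a weird provisioning system" means, and what the "print out the private key" advice earlier in the thread actually refers to, here is an added example (not code from the thread, PayPal, Symantec or Google) implementing HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, plus the base32 export and otpauth URI that authenticator apps consume. The demo secret is the RFC test key, used here only so the output is checkable; the function and constant names are this example's own.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with base32 export of the shared secret.

Added example, not code from the thread or from any vendor named in it.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# RFC 4226 / RFC 6238 SHA-1 test secret (constructed for the example).
# A real enrollment would use secrets.token_bytes(20) or the key from the QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP whose counter is floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret, code, at=None, window=1, step=30, digits=6, algo=hashlib.sha1):
    """Accept the code for the current step and +/- `window` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    if at is None:
        at = time.time()
    return any(
        hmac.compare_digest(totp(secret, at + d * step, step, digits, algo), code)
        for d in range(-window, window + 1)
    )


def export_secret(secret):
    """Unpadded base32 form of the key: the string you print and lock in a safe,
    and the value carried in an otpauth URI."""
    return base64.b32encode(secret).decode().rstrip("=")


def import_secret(b32):
    """Inverse of export_secret; tolerates spaces, lowercase and missing padding."""
    b32 = b32.replace(" ", "").strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def otpauth_uri(secret, account, issuer, digits=6, step=30):
    """Provisioning URI understood by Google Authenticator, FreeOTP and friends."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": export_secret(secret), "issuer": issuer,
        "algorithm": "SHA1", "digits": digits, "period": step,
    })
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    print("backup key :", export_secret(DEMO_SECRET))
    print("enroll URI :", otpauth_uri(DEMO_SECRET, "alice@example.com", "ExampleBank"))
    print("code now   :", totp(DEMO_SECRET))
```

The whole "proprietary token" is the 20-byte key plus agreement on step, digits and hash; anything that can be provisioned into a VIP app can be fed into any RFC 6238 client once the secret is extracted, which is what the python-vipaccess tool above does. Note that the printed base32 key is equivalent to the token itself, so it belongs in the safe, not in a mailbox.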


The direct URL is https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security... , it's no longer accessible from their new web interface.


Wow, that actually works. I had to go through many ancient web interfaces, but it works.


Sadly you can easily and trivially bypass the VIP token by providing a credit card number or a few other identifying details. It's worse than the SMS loophole. And another reason why I'm trying to delete my Paypal account. ;-)


Thanks! I didn't realize that was possible either. I just switched my paypal account to use google authenticator instead of sms, which besides being more secure, is much more convenient since I don't get cell reception in most of my apartment and have to put my phone near a window to get the sms.


> PayPal only supports SMS based 2FA

You can still use Symantec’s VIP (Validation & ID Protection) authenticator app instead of SMS. I just set it up a few moments ago following these instructions:

https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-...

then deactivated the former SMS-based Security Key.


Paypal also couldn't walk you through a 2FA payment for eBay on mobile. At all. You had to use a desktop. This was about a year or two ago. One would think that a payment company would have better security, especially given they're owned by eBay.


They aren't owned by eBay anymore. They were spun off into an independent company in 2015.


I've sometimes been instructed to login with 2fa code+password joined in the single field. It's rarely worked.


I think that your average dataroom holds stuff with value well in excess of what the average paypal account holds.


The PayPal account itself might not hold much, but most people have their bank account directly linked to PayPal, without any limits.

In my case, PayPal could take every cent from my account before I’d even get a message. And that’s why 2FA is so important.


There are also measures that can be taken when using SMS based MFA, via services that check if the SMS is forwarded to a burner phone, or do a SIM check with the phone. In addition the SMS based MFA services should be leveraging fraud score and number deactivation checks for the target numbers to catch the most obvious fraud scenarios.

Not sure a lot of the companies providing these services actually do that though. And all-in-all, non-SMS based MFA is going to be better anyway.


so why do well-respected companies like Google and Stripe do it?


Because their target markets contain both people who'll gladly spend 50 quid on the latest account security dongle, as well as people who have a Pentium 4 desktop and a 50 quid feature phone. The latter get much more secure when, apart from a password, probably on a post-it stuck next to the screen, they are inconvenienced into also typing in a few digits from an SMS.


You are 100% correct. But I'm genuinely curious why institutions such as banks/telcos couldn't spare the resources to offer both SMS 2FA and more secure options for those who do care. I can't imagine it's a matter of technical resources as it wouldn't take much. Is it institutional inertia? technical debt?


Security model of banks is completely different from everything else. They will only consider 2FA if the total calculated cost /to them/ becomes significant if they don't.


...and if they were to offer a more advanced 2FA option, it'd possibly only appeal to a niche of users that wouldn't significantly change (improve) their calculated cost?


That's why they probably wouldn't roll out to a voluntary subset on regular accounts.

Tbf, I've had a handful of accounts in a few different countries. I've had proper 2FA in most of them (the one I started with around 2005 uses printed one-use codes), SMS codes in one and no 2FA in one.


They also (most likely) include many other, even network packet level, checks in addition to primary and secondary authentication. It's not as simple as it looks to the honest end user.


Is 2fa with SMS safer or less safe than no 2fa at all?


REAL 2fa with SMS is marginally safer (but not much more so), since it requires password and SMS to do anything.

The problem is that nearly every single 2fa setup out there does something radically stupid such as use your 2fa method for password reset, or a combination of 2fa + email. This is horribly, horribly broken and worse than "no 2fa at all." All it takes is a SIM clone to steal your phone #, which you use to reset the email, and then email + phone/SMS can be used to reset nearly every single credential under the sun. The only exceptions are those that use proper 2FA such as one-time password apps -- but not Authy which just syncs your OTP/2fa credentials to the cloud and happily transfers to the cloned device :(


Could you elaborate on why Authy is not safe? In my setup,

1) after adding the devices I wanted to add, I've disabled multi-device (which keeps the existing devices, but prohibits adding new devices),

2) for new devices, it requires a backup password (once) to decrypt the credentials retrieved from the cloud, and

3) IIRC, it requires authorisation from one of the trusted devices to add a further device.

All in all, it seems much better (in terms of the security/availability trade-off) than Google Authenticator. But I've read opinions similar to yours a few times, and I wonder where they come from, whether they've been reasonable in the past, and whether they still are.


How well do you trust the customer service rep at Authy against social engineering? Especially when someone has control over your email, phone, and potentially many other accounts already.


Good question!

1) I trust them ever so slightly more than your average off-shored telco rep.

2) AFAIK, they do not hold the credentials in unencrypted form, they're only decrypted on the device with the backup password.


It's certainly safer than only using a password if you use the same password on lots of sites, since the odds of any password database being hacked are higher than the odds of your phone being targeted.


Thanks. This thread was giving me the impression that adding 2fa with SMS to a system would make it more vulnerable somehow.


It does if the provider uses the phone number to reset the password.


...in which case it becomes an "alternative factor" instead of a "second factor".
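The "alternative factor" point made just above, and the SIM-clone chain described a few comments earlier (steal the number, reset the e-mail password by SMS, then reset everything else with e-mail plus SMS), can be checked mechanically. The following is an added example, not code from the thread or any provider: it models account-recovery rules as "credential X is granted if the attacker holds all of these prerequisites" and enumerates the smallest sets of directly obtainable channels that reach the bank login. The policies, credential names and channel list are constructed for the illustration.

```python
"""Minimal account-takeover sets under a recovery policy.

Added example, not from the thread or from any provider.  A policy maps a
credential to the alternative ways of obtaining it; each alternative is a set
of prerequisites that must ALL be held.  Credentials without a rule can only
be obtained directly (phished password, SIM swap, ...).
"""
from itertools import combinations

# Constructed policy modelled on the scenario in the thread: the e-mail
# password can be reset with an SMS code alone, and the bank password reset
# needs a link to that e-mail plus an SMS code.
SMS_RESET_POLICY = {
    "login:email": [{"pw:email", "sms"}],      # password + SMS code
    "pw:email":    [{"sms"}],                   # reset via SMS alone
    "login:bank":  [{"pw:bank", "sms"}],
    "pw:bank":     [{"login:email", "sms"}],    # reset link + SMS code
}

# Same services, except the e-mail password can only be reset with an offline
# recovery code the attacker is assumed not to have: no online reset rule.
HARDENED_POLICY = {
    "login:email": [{"pw:email", "sms"}],
    "login:bank":  [{"pw:bank", "sms"}],
    "pw:bank":     [{"login:email", "sms"}],
}

# Channels an attacker might obtain directly (assumed, for the example).
CHANNELS = ("sms", "pw:email", "pw:bank")


def closure(held, policy):
    """Everything derivable from `held` under `policy` (least fixed point)."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for cred, alternatives in policy.items():
            if cred not in have and any(alt <= have for alt in alternatives):
                have.add(cred)
                changed = True
    return have


def minimal_takeover_sets(policy, target, channels=CHANNELS):
    """Smallest channel sets that yield `target`; supersets of a smaller
    winning set are skipped.  Exponential in len(channels), fine for a
    handful of factors."""
    winners = []
    for k in range(1, len(channels) + 1):
        for combo in combinations(channels, k):
            combo = frozenset(combo)
            if any(w <= combo for w in winners):
                continue
            if target in closure(combo, policy):
                winners.append(combo)
    return sorted(winners, key=lambda s: (len(s), sorted(s)))


def factors_required(policy, target, channels=CHANNELS):
    """Size of the cheapest takeover.  1 means some channel is an
    *alternative* factor; 2 or more means it is a genuine second factor."""
    sets = minimal_takeover_sets(policy, target, channels)
    return min(len(s) for s in sets) if sets else None


if __name__ == "__main__":
    for name, policy in (("sms-reset", SMS_RESET_POLICY), ("hardened", HARDENED_POLICY)):
        paths = [sorted(s) for s in minimal_takeover_sets(policy, "login:bank")]
        print(f"{name:10} login:bank reachable with {paths}")
```

With the SMS-reset rule present the only minimal set is {sms}: the phone number alone is sufficient, and the password and the "second" factor are never both needed. Removing that one reset rule makes every path two channels wide again. Auditing a real deployment this way means writing down every reset and recovery rule, not just the login prompt, which is exactly where SMS usually sneaks back in.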


More importantly, a lot of web framework templates using 2FA with an SMS provider will still be around. Of particular note is ASP.NET's template, which is very easy to get up and running with 2FA with SMS/Email.


Wouldn't SMS 2FA have a higher adoption rate among non-technical users, hence making it more suitable for certain types of systems?


Can anyone recommend a US based bank (or a bank that accepts US customers) that 1) has either a 2FA token for phone e.g. with Google Authenticator, a hardware token, or some kind of other token based factor; and 2) has strong security when calling? I generally don't need a physical presence.

My current two banks don't have direct 2FA enabled. As far as I remember, the questions available to one of my banks (credit union) are simple enough that you could probably find out by doing a public info search somewhere, and the other bank (Chase) has SMS 2fa, but outside of that it's just public database questions (I know this because I had my card number stolen recently, I currently don't have access to my phone as I'm out of the country, and they asked me a few different questions from a public database, like if I had ever lived at ABC Dr., do you know this person, and what is the full name, etc.). I'd much rather be able to give the banks some kind of information that they are required to verify before they can access my account, like a verbal passphrase, but I don't think that's possible (as in, I wouldn't be able to access my account over the phone without the passphrase).


There are a handful of smaller banks or credit unions listed as accepting proper 2FA here. [0] I have no experience with any of them.

[0]https://twofactorauth.org/#banking


Although the list is a bit misleading. German banks are all listed without 2FA whereas in reality they all use some form of a TAN (transaction number). Not as safe as a hardware token but if you keep it safe, it's as secure as a hardware token.

And most Sparkasse branches will use actual hardware tokens. So the reality is not as bad as the list suggests.


The problem seems to be that no German bank I know of supports 2FA for login purposes, which is what that list tracks[0] (although they don't state that clearly – it took me a few minutes to track that down).

But listing "Sparkasse" as one German bank is misleading, as there are 400 independent banks sharing that brand with different policies. They use at least a few different backends for their online system, although there seems to have been some consolidation in recent years.

[0]: https://github.com/2factorauth/twofactorauth/blob/master/CON...


I know that USAA offers TOTP 2FA. Not sure about calling though.


Sadly, USAA is only open to military service members and their kids. That would be my choice if I could use it.


Not true. They offer insurance only to military families. Banking is open to anyone. EDIT: This is no longer true as of 2013.


You USED to be correct. I'm not military and I have a USAA bank account. For a couple/few years they opened accounts to civilians, but then reversed that decision about a year or so ago. Now bank accounts are only offered to military again.


Are you sure? At the link listed below, it seems that it's only available for military.

https://www.usaa.com/join/start/?productId=bank-checking-cla...


You are right and I was wrong. They changed the rules in 2013: https://communities.usaa.com/t5/Other/USAA-Changes-Membershi...

They've grandfathered in existing members who wouldn't qualify today.


Yes, but it's this janky Symantec-only implementation. AFAIK I'm unable to use a generic TOTP authenticator like Duo or GA.



Is that for Chase, or J.P. Morgan? My understanding is that Chase doesn't offer a 2FA besides SMS and when I go into my account settings I don't see anything that lets me enable 2FA.


Same.


Regarding your security questions: you don't have to put the real answers in. Instead I often create 30 char passwords for those fields.


They don't advertise this, but Schwab offers 2FA with either a hardware token that they will ship you OR a 2FA token on your phone using https://m.vip.symantec.com/ . You have to call them up, but their customer service is pretty good.


It's insane how much easier it is to transfer a phone number than a domain name.

I also find it odd that Facebook and other sites will let you sign up solely with a phone number. There are prepaid cell phone providers that recycle phone numbers, etc. It just seems so stupid to rely on a phone number for authentication alone, but for two factor I'm okay with it since you still need to know the password. Twitter has a developer product where you can be texted a code to login using only a phone number, which to me just seems wrong to do.

It'd be nice if, when trying to port a number, change important info, etc., they had to actually call you or text you first to confirm. But one of the problems is people will lose their phones and need a new SIM or phone... For that I think I'd have a requirement to actually visit the store - but that doesn't work too well with prepaid phone providers without physical stores, selling via other stores like Walmart, Target, etc. Maybe in that case, without nearby stores, partner with your retailers to verify ID or fax an ID in.


"There's prepaid cell phone providers that recycle phone numbers, etc. "

This isn't limited to prepaid phone companies or even cell phones. This practice has gone on for years. (I worked at GTE/Verizon around the time of the merger.) My understanding is that the bigger issue is that it is fairly easy to run out of phone numbers if we never repeat. If I remember correctly, most hold the number unused for 3-6 months, and fewer folks change now since they can port numbers to a new company at times, if the company that owns the number allows for it. (Yes, the phone company at least used to own the number.)


I can't speak for whether or not Facebook is doing it, but the carrier of the number is usually a determining factor on whether or not an arbitrary line is allowed for registration.


I wish we could kill phone numbers once and for all. It's insecure, device-dependent, carrier-dependent, country-dependent, subject to snooping and censorship, and all of these are recipes for disaster as an authentication scheme, especially in the event that a device gets stolen. Phone calls and text messages should emphatically NEVER be used to verify anything.

Conversation with one of my banks the other day:

Them: Can we please verify a code sent to your phone number?

Me: Umm, sure, although that won't verify anything. Use something else to verify that it's me.

Them: Can you please verify your phone number?

Me: Umm, I don't know what phone number I used with you? Try XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, and XXX-XXX-XXXX? They all belong to me depending on where I am.

Them: Can we use XXX-XXX-XXXX? Do you have this phone with you right now so we can we send a text message with a verification code?

Me: Send your insecure SMS to any of my numbers. They all go to my e-mail inbox. [I don't need to have my "phone" with me -- my "phones" are virtual.]


Is it really necessary or helpful to be rude to the poor CSR who is just trying to do their job?

They didn't make this policy, and I'm sure they think it's just as stupid as you do.


This isn't a literal transcript of the conversation, more like what was going on in my head vs. what they said ;) Of course I was nice to them in explaining that I have a ton of virtual phone numbers and really don't know which one I used, etc.


I would not think a CSR would actually know that the phone is not a secure channel. I bet they are taught it is.


It is still more secure than not using a second factor at all. Stealing a phone number is more work than not having to do it.


While conversation is probably not a good example of anything, I agree with the main statement: phone numbers must die. They are insecure, unremarkable remnants of an outdated system.


Well in many countries you are required to show and submit ID to the provider that ties you to a particular sim/number. While I see this more as a control mechanic than a security measure, it does give some reason as to why organisations tie identity to a phone number. I must assume that the USA does not do this?


I owned a hosted PBX company from 2007-2011 and was amazed with how antiquated the port request system truly is.

The problem is that the phone company owns your phone number and you just get access as part of a service. Unlike a domain name where you own it.

If we change the law we'd bring more accountability.


To be fair, you really don't own a domain. You still rely on the TLD honoring your purchase and not hand it over to someone else in the same way you rely on the phone company to treat your number as yours.


Some domain registrars are so completely incompetent (ie Dotster), I'm disappointed they're still in business. Literally clueless "customer support" staff that either don't auth (experienced that personally), or refuse to follow the written rules to everyone's detriment.

Recent example:

https://issues.apache.org/jira/browse/INFRA-13657

Note - Don't use Dotster (specifically) for your domains. If you're using them now, switch away. Saying that because if you experience any trouble with your domains, you'll be wanting to contact competent staff who can fix problems. Dotster's can't. :(


At least you have a legal path:

https://www.google.com/amp/s/www.forbes.com/sites/theyec/201...

Not exactly an easy thing to do with a phone number.


In the same way that you rely on a county deed office to own your land. The only difference is the amount of legal precedent in place and physical occupancy, neither of which can be solved with the wave of a hand.


This needs to change as well. We need to do away with the concept of a select few TLDs; indeed we need to scrap paid-for subdomains/domains in general.


"was amazed with how antiquated the port request system truly is"

Absolutely. In the UK, I could easily port someone's (or many someones') landline number and slap a trunk on it. Sadly though, I would also end up paying the bill for it. However, it's much easier to simply fake your outbound CLID to show the call centre you are the mark.

I have no numbers for this but I'll bet that CLID is used by banks etc as part of the security checks for your identity.


In this case it's better for us all to move away from centralized numbers, not simply regulate them better.

There are many better and more secure options for communicating these days.


So 2FA reset via SMS is bad, which I agree with, but what are the alternatives to prevent a meltdown when your 2FA device dies?

I have had two phones die on me that were my 2FA device, plus OS upgrades, so I have gone through resetting 10-20 2FA accounts a few times. Though with upgrades I usually foresaw that and downgraded my 2FA beforehand.

All I wish for is that resetting 2FA would be a very, very slow step-by-step process, spammingly broadcast to all emails, SMS, postal addresses etc. associated with the account. But I know that for cost-cutting customer service departments that won't happen.


Most major providers like GitHub, Google etc allow you to create "recovery" codes - so you can do a one-off login without 2FA using the code.

I've started getting a recovery code for each of my major accounts, printing it out, then literally putting it in a safe.


I use the 2FA code generator in cloud-synced 1Password. That endures all software upgrades, unlike Google Authenticator or Authy.


If all this information is in 1Password then I guess you are back down to one factor - your 1Password master password. Which may be ok with you. Just pointing it out.


If you use an Android phone that's rooted, you can use Titanium Backup to copy your Google Authenticator app data between devices. It's up to you to copy that data somewhere else, but it is a very low level alternative to storing everything in 1Password or similar.


Even without rooting, just do this the next time you register for 2FA: save that QR image, or screenshot it, and/or save that 16+ character string somewhere safe, the same place you save passwords. Phone died/changed/lost? Install Google Auth, rescan that QR/screenshot.


TIL. Thank you.


2FA systems have a code that serves as the seed for the token. If you keep this code you can set up 2FA on a new device any time you want without having to reset it. Just be careful securing the code.


I've had this happen with Microsoft/Office365. Lost access, couldn't get the recovery email. They sent emails and made me wait a day or two before resetting things.


Not answering security questions truthfully is tricky.

Yes, it's a problem that security questions turn hacking into a simple public records search.

BUT most terms of service have a line like 'you warrant that you've been entirely truthful with us' or something. If you give the wrong security question to your bank, they potentially have grounds to freeze your money or screw you later.

Why isn't the answer 'consumers have the power -- punish services that don't support FIDO by not using them'?

At best this article is saying 'don't connect anything to anything'.


I once called a service where I had used a randomly generated string for the security questions.

After they asked the question I said "oh it's a giant random string of crap, hold on..." The person replied "yeah that's good enough" and started the next step before I even had a chance to find the actual string!


This. I've had the exact same experience with support accepting "a long string of random crap" as an answer. Now I recommend that people use diceware to generate their security answers with actually readable words.

(https://www.rempe.us/diceware/#eff)


No need for diceware - use lines of poetry. They're made for people to memorize and use strange connections between words. Plus they often have odd punctuation.


I answer mandatory security questions with things like these:

  “This account must never be unlocked over phone, chat, or email.”

  “Never reveal any information about this account (such as address or CC numbers) via support channels”

  “The person you are discussing with is a hacker trying to illegally access this account”

I expect to never, ever have to use the security questions myself.

Sometimes, I enter random phrases.

Never anything that would actually be true.


...and then some dumbass IT configuration administrator decides that nobody needs to have more than 10 characters to type in their aunt's cousin's roommate's name. This is, of course, the secret question they use, so why would anyone else use something different?


Do you have a recovery scenario in case you'd actually need those?

I was almost there once. The authenticator device had died, and to my horror the primary backup was corrupt as well. I had a secondary backup (and even an off-site tertiary one, although it's somewhat dated), so I was able to recover... But I also had the idea that I won't ever have to use recovery processes, and even though I hadn't, after the incident my certainty is not so iron-clad.


I wish I could elect to have my recovery option be painful. I'll use a yubikey and backup codes. If I lose both of those, mail me something to confirm my identity, all the while notifying me on all other channels (email, sms, phone) that an account reset is happening. I am okay waiting a few weeks for access to my account if I manage to lose my primary and backup access methods.


No, I don't.

My recovery scenario is either to socially engineer the support channel myself, or start over with a fresh account.


This seems pretty easy to beat within a few calls; eventually an agent will give away what's up with the questions and then it's only a matter of "uhh, it's just me rambling something about hackers trying to access my account".


> Sometimes, I enter random phrases.

Yeah, I just use a passphrase generator in keepass.


I never use real answers. I've had a bank teller ask "your mother had a number I get maiden name?"

"Wait, you actually use real answers instead of passwords for security questions?"


I don't use real answers either because I'm paranoid about this stuff, but it always causes trouble when I have to interact with an institution.

Examples:

- I lost my health insurance for 6 months because I couldn't dig up my 'secret answer' in time to activate COBRA.

- My credit card expired while I was traveling and I couldn't reactivate it because I didn't know what answer I had given to 'mother's maiden name'. (In the end I convinced them I didn't need a secret answer to verify my identity, which in its own way is even worse).

- Some company had a form that stripped numbers from the secret answer and mine had numbers in it (hilarity ensues).

Instead of working around institutional nonsense, we should fire bad companies and hire / start good ones.


I always, always store my bogus answers in 1Password. One of many reasons I love the tool.

Most security questions are either trivial for someone else to figure out with a little research or I don't know what my real answer would be. Name of my first pet? Well, I had several that could meet that definition, and I definitely don't remember the name of the first one.


It's actually dangerous.

Consider what would happen if you're accidentally exposed to malware that steals data from password managers (by introspecting process memory after the data was already decrypted).

Better keep those eggs in the different baskets (Update: Point was, I think 1Password doesn't have multiple databases, does it?)


I would expect greater risk if I spread that information around more. Is it really better if only 1/3rd of my passwords are stolen, at least relative to the 3x risk I face by using multiple sources?


I'm not sure I get the idea.

My idea is to have two password databases. One is the usual, for the passwords. Another is infrequently opened and is used for the recovery codes and insecurity questions.

I don't see how a secondary normally-closed password vault would degrade security. It's still encrypted, and safe. On the contrary, it should increase security a little, for the above-mentioned local malware scenario. The price paid is that because the database is rarely used, it could get corrupted without the user noticing, or the access details could be forgotten.

Or am I missing something important? Why the 3x risk?


Sorry, I elided some of the scenario details.

1/3rd / 3x was based on the idea of splitting my passwords across 3 databases. Let's take your idea instead.

My concern was that if there is a risk of compromise, by using two different software solutions you've doubled the odds that a vulnerability will expose your data. (I once consulted for a company that had two data centers for high availability, but they had split their production services across the data centers, effectively doubling the odds of an outage instead of reducing their exposure.)

If instead you use the same software and two different data stores, I can see a benefit in having a store that you rarely open, but I'm not sure it outweighs the extra work, at least for me. If someone grabs my password store, having the security questions and answers protected would only help for a few accounts (admittedly, my bank being an important one) and the protection would only last as long as it took an attacker to social engineer their way past it.

I admit, now that you've raised the issue I'm going to at least think about moving my bank q&a info, but I doubt I'll go to the trouble; I suspect I'd either end up forgetting how to get to the credentials or leaving them somewhere someone could get at them.


I always fill in security questions with ascii85- or base64-encoded data from /dev/random, as much as the field allows. Then I throw the random string away.

This will bite me when I lose a password, and also when the web site uses security questions for anything other than password recovery. The latter almost bit me once on Adobe's forum website, when right after creating an account I wanted to change my initial password to something more secure. Luckily, I hadn't closed the window with the data yet, so I could still recover, and saved the random strings in the notes field of my password manager.


I always answer security questions with a known grammatical transformation of the question's sentence structure. That way, as long as they use the same parts of speech in the question to prompt me, I'll never forget an answer or have it guessed by an attacker.


I am old enough to remember how everything used to make sense (as little as 5-7 years ago). Today, "don't connect anything to anything" sounds like the last line of defense against the horde of Progress-worshiping geeky retards.


This recently happened to a friend of mine. It was devastating. As mentioned, U2F is very scarcely supported today.

The best way he came up with to secure services that insist on using SMS for 2FA (or credential reset) was to register the number of a pre-paid phone for those services.

Inconvenient? YES. But a pre-paid phone number cannot be ported by a negligent (or willfully criminal!) operator.


It's still very trivial to tell a customer rep that you lost your SIM card and have the rep send all new communication to the phone number to a separate SIM card in a pre-paid phone.


If you only use this pre-paid phone for authentication, then the fraudster has to discover that phone number before they launch their attack. For additional security, you can rotate this pre-paid phone number every few months, and only use it for authentication to online services.


What settings exactly do I have to change to get GMail to never unlock my account by SMS alone?

I have enabled proper 2FA on my Google account with U2F, but I haven't disabled everything else yet because I only have one token, and I still need something like TOTP for stuff that uses Google accounts, but doesn't support U2F.

As a closely related remark, I wish U2F would just get popular enough; it's pretty convenient, isn't vulnerable to the kind of attack SMS-based 2FA is, and protects against phishing. But almost nobody outside Google supports it, and OS/application support is rather incomplete or requires additional setup.


Something that is infuriating is that when you have 2FA enabled on Google, they insist that you add a backup phone number that a bot calls to give you a verification code, in case, you know, you lost your second factor. Which is nice and all, but now, you're back to having a second factor that is about as vulnerable as SMS.


You can remove the phone after you add another factor (ex: TOTP device).


The Tech Solidarity guide at https://techsolidarity.org/resources/security_key_gmail.htm has detailed instructions on how to set up 2FA with U2F and then remove SMS 2FA. (I've been holding off because I use Firefox - hopefully U2F will get more support soon!)


U2F is ludicrously hard to implement. Adding TOTP 2FA to an existing webapp will take a competent developer a few hours, using only a 10-line code snippet and the standard library. Adding U2F means learning a ton of complicated concepts and either using a giant, poorly documented library provided by Yubico or writing a bunch of tricky crypto code from scratch. :(


I disagree; U2F is relatively easy to implement once you understand it. I've contributed to several open source implementations and eventually wrote one of my own.


I asked the same at https://security.stackexchange.com/questions/151675/how-to-s...

Basically, the safest is: add Google Auth via the app to your account, then remove all the phone numbers from Google. If any phone number is linked to your account, no matter what your account recovery options are, Google will always give you the option to "recover" it by SMS.


Go to: https://myaccount.google.com/signinoptions/two-step-verifica...

And remove SMS from the listing. I currently have 3 2FA mechanisms listed: Security-Key/Yubikey (default), Authenticator App (set on two devices), and Backup codes which I downloaded (and at some point will print and place in a safe deposit box).

Losing access to my two gmail accounts would be a complete nightmare, more so than my bank/brokerage accounts. Some brokerages like TD Ameritrade do not even offer 2FA. In my case, paranoia mode for email accounts is completely warranted.

I really wish U2F becomes the standard across all web services. It seems insane that, in some scenarios, the only barrier against financial ruin is the gullibility of your cell-phone provider's customer service rep.


I might be wrong (tried long ago), but maybe it is that even if you don't list SMS as your backup code delivery option, clicking "forgot password" (needs only your username), then going to Other Options and choosing to get identified by providing a phone number (Google shows "type your number ******-1234"), and hijacking its SMS, can provide access to your account.


Also, Google only supports U2F in Chrome – even if you have an addon to support it in Firefox, Google won’t support it (because they activate it based on Useragent, not on actually available functionality)


I don't have a phone number in any of my Google accounts, just Google Authenticator for 2-step verification.

I don't recall ever having a problem with this setup. Are there services that require a Google account to sign in, but don't work if you don't have a phone number?


Go to "account recovery" option and remove the phone number listed there.


Would this attack be neutralized by a mandatory waiting period of a few weeks for number porting? I recently ported my number to another operator (in a European country), I had to wait for a month and received at least two warning SMS.


It would but the average user would be pissed if they went into a retail store and were told that they had to wait weeks to use their new phone. They might decide to abort the purchase.


I didn't think about that, because all phones here have a removable SIM card.


Meh, I'd just report your phone as stolen and get the IMEI blocked. You won't get the warning SMS and might not even get a new phone in time to figure out what's going on.


2FA (including U2F and whatever else) has one big problem that this article fails to mention. And when 2FA is suggested, this really should be said explicitly.

Users aren't warned enough about the fact that everything fails, and they will have to go through 2FA deactivation/account recovery process sooner or later. They must be really reminded to DO BACK UP the recovery code(s). With "back up" as in "keep not just somewhere, but where you can actually find it, when you'll need it". (But not in your password manager)

This is true for SMS 2FA as well, but completely losing the number (as long as one's a paying customer) must be significantly less common than losing a device.


This is what somehow doesn't get mentioned as much as security. It's a tradeoff between not getting hacked, not getting locked out by accident, and convenience. If you get locked out of Gmail, you're up the creek. Google won't help. It's just gone forever.

Having 2 factors increases the chance that you'll lock yourself out. If you've got two, then you really need 4:

1) Password

2) 2FA

3) Backup codes for when you lose the 2FA device/number

4) Phone number or email address for password recovery when you forget your password. Not the same number as in 2, of course.


So true! We have thousands of employees at our company using GitHub.com, and every week someone loses access to their account permanently. Why? They never bothered to store the original recovery codes for the account.


Many phone companies will allow you to (a) add an annotation to your account to declare the number you are using should never be ported to another company, and (b) add a password to the account that you will have to provide to customer service representatives when making changes. This helps to minimize the chance that an attacker can use social engineering to redirect your number to a system under his or her control. If these are not options for your phone company, find a better phone company.

Even given that, since it relies upon human choice and behavior, and does nothing versus attackers with assets within the phone company, it seems a bad idea to have 2FA via SMS.


5 or 6 years ago, my phone number got ported by someone else without my knowing. My phone suddenly didn't work anymore. I called AT&T right away to ask what was going on and they said someone had "taken over billing" from my account and AT&T transferred the number over. WTF? I was adamant about getting the number back since that's the number I give out to people. They wouldn't budge, saying it was out of their hands. Finally they said they could place the number into the free pool for re-allocation, which would freeze it for 3 months before it could be used again. I was concerned it could be used as a vector against my bank accounts. It was a nightmare.


So basically as long as a hacker wouldn't mind paying your phone bill for a month they could easily take over billing of it, then clean your accounts out, then cancel the number.

This is another one of those messy human areas where computer systems are either too strict or not strict enough.


I highly suggest having at least 2 phone numbers, one that is your main number that you use and give out. The others are kept private and never for calls or texts, but only for 2FA.


I did this with T-Mobile when they had "get 3 lines and get the 4th free". I use the 4th free line as my 2FA. The 2FA line is an old Android phone that is always plugged in and on in my basement. I have a little script on the phone that reports any SMS messages to a db running on my home server (RPi), and I access it from within my network (or via VPN).


Great. Now that we've succeeded in compiling a list of personal sad stories to one-up one another, why not discuss how we could encourage the banks / phone companies to make this situation impossible.

1) Ban SMS as a second factor for high risk targets like banks.

2) Telecom companies should require social security number or uniquely identifying information to provide account access.

3) ???


> 1) Ban SMS as a second factor for high risk targets like banks.

As others have pointed out, if it were just a second factor they would also need your password. SMS is being used for full account recovery, so as a single factor.

> 2) Telecom companies should require social security number

This is exactly what we should not be doing. I would like it to be harder to steal my identity than getting a 9-digit number, which can never be rotated, and which I am required to provide in plaintext to many different people in many different situations (renting an apartment, opening a credit card, etc.).

To make matters even worse, up to the first 5 digits of an SSN can be easily guessed if you know the person's age and birthplace, and the last 4 digits are used even more haphazardly than the entire number is (e.g. sometimes the last 4 are displayed in plaintext on a website while the first 5 are starred out).


Some kind of cryptographic challenge-response system might be a good solution but I don't know how to get your average computer user and customer support rep to use a system like that. All the ones I can think of are designed for computers to talk to each other so they aren't very user friendly. Is there something like Kerberos but for humans?


As I have commented elsewhere for this article, there are other countries which require and record ID for every phone number and sim. I see this as more of a control issue (from the Government perspective) since it won't be used by customer service staff for security.


Someone should write a comprehensive guide on how to protect your accounts while preventing yourself from being locked out of said accounts.

Seems like some combination of the following:

* using Google Voice for all account recovery situations that require a phone number

* Calling your cell phone provider to have a note that states do not allow for number porting

* Use hardware 2fa tokens. Have two setup, one as a backup in case you lose one.

* Keep a copy of your recovery codes somewhere accessible

* Probably have a safety deposit box with your backup 2fa token and recovery codes stored.

* Primary email provider should use a hardware token and not have sms recovery

* Use unique passwords everywhere and use a password manager


Security, while we all say it is super important, will never be important until the people doing the customer service actually care. When my identity was stolen 20 years ago it was a nightmare involving writing letters to a postbox and getting form letters in return... going to the police, the banks, and the utilities and being treated like an idiot because I filled out a rental application that someone used to get credit cards is a nightmare that still follows me to this day. It's as if all forms of customer service need to go through a third party.


"It's as if all forms of customer service needs to go through a third party."

...and therein lies opportunity for the tech-preneurs.


A few months back I lost my phone, so I went to my operator with my passport to get a new SIM with my old number (in Thailand). She said the SIM wasn't actually in my name but my ex-girlfriend's, and I told her I remembered I took the SIM with her ID as I didn't carry my passport with me, so I guessed there was nothing I could do.

She just replied, "well, we could change the SIM to your name", didn't even check with the original owner, and 5 minutes later I was on my way with a new SIM.


A couple of years ago I got a new phone which used a mini SIM instead of the micro SIM that my older phone used. So I went to an AT&T store to get it, and the rep asked for my name and my phone number and 5 minutes later came back with a new SIM saying it'll activate by noon the next day.

There was no authentication at all. Literally anyone could have walked in, given my name and phone number, and gained access to my phone. I stopped using my phone for 2FA since then.


Companies are calling it "two factor authentication", which it is not. Please, HN, don't promote SMS 'authentication' at your jobs. TOTP is easy to implement and not difficult for users to understand.


This kind of attack could lead to total disasters in China, where the standard is to log in and register solely with a phone number using a confirmation text.

In China your phone number is pretty much as valuable as all your password combined, all services are solely linked to it.

Even though phone companies ask for ID before issuing a SIM card, I'm pretty sure a tiny bribe is enough to get past most store clerks.


ID isn't just for security, it's so the police can track you. So they'll be putting pressure on phone companies to do it thoroughly. They take a copy of my passport when I get a SIM card. You're probably not going to bribe them into leaving documentation missing from your file. They could easily be caught by their boss at any time in the future.


Or do what I do every time I visit China: just buy a SIM from some dude's cart by the side of the road. He doesn't care who you are.


A few weeks ago I was vacationing in Big Bend National Park, which is in a remote corner of Texas. When trying to pay for our breakfast, my credit card was declined.

On the phone with them, they said the card had been flagged as being used in fraud because we were off in the middle of nowhere, away from our normal spending patterns. The ONLY way to reactivate the card is for the CC company to SMS text us with a code, which we have to read back to them. The thing is, the very reason they flagged us - that we were way off in the middle of nowhere - also meant that we had no cell phone service, and couldn't receive the SMS. And given the vast size of Big Bend (getting out of the park from the hotel is a 45 minute drive), it was questionable if I'd be able to drive to a location with cell service if I couldn't fill my gas tank first.

The hotel manager overheard me arguing on the payphone with the credit card company, and he drew me a map of some pockets of cell service within the park, so in the end I was able to get it taken care of.

One ironic part of this was that the card is in my wife's name. When they wouldn't listen to her, she gave them verbal authorization to talk to me in her stead. They were willing to believe her identity for this, but not for the re-activation of the card, which doesn't make sense.

I also asked their CSR why they flagged the card. They said that I should always notify them if I'm going away. I asked them what the criteria are for that, since this was an in-state trip (I live in Austin, and Big Bend is also in Texas). The CSR said that's odd, and he doesn't know why that would happen.

So good for them that they watch for fraud, but the failure mode for their heuristic is the most catastrophic possible. If the very reason they flag me also prevents me from fixing the problem, then it's a rather badly-designed system.


This used to happen to me all the time with Lloyds "Worldwide Service". When I would travel, I would tell them ahead of time where and when, and inevitably the first time I used my card in another country it was declined and I'd need to call in to card security and clear it. Mind you this would cost a couple quid due to the overseas use of my phone. These weren't exotic locations either, it would happen in NYC.

Then one time it happened to me when I was exhausted after a very long flight, trying to check into a hotel. I got on the phone with them, sternly told them the history of events and the situation, and demanded to be compensated for the time and hassle, otherwise I would switch banks. I pointed out their bank was misnamed "Worldwide Service". They put £100 in my account, and the problem seemed to go away after that point (I still needed to inform them ahead of time, but that did the trick).


This is a big reason I carry multiple credit cards and multiple debit cards with multiple banks. I'm paranoid about getting locked out of my funds while travelling. It wouldn't help if my wallet was stolen, but there is still redundancy there.


Does this hack work on Google accounts? I just tried the "forgot password" feature there and as far as I can tell there's no way to actually complete a password reset with only a compromised phone number.


The issue I have with 2FA without sms is that I need to also take care of recovery codes. Basically, it's like erasing all the benefits of going digital, since now I have to store (and take care of) paper copies of recovery codes.

If I use a 2FA app like the Google one and lose my phone, I need to have the codes ready. If I were to use my phone number, I kind of don't need that since I just get a new sim and a new phone. But at the same time that is not safe now.

So what is the solution here? I liked the idea of something like DUO but not enough places use it.


> If I use a 2FA app like the Google one and lose my phone, I need to have the codes ready.

It is a trade off. You either want difficult access if you lose your phone (via printouts) - or you want quick access (via SMS).

I don't think you can realistically have it both ways.

Having a "slow" method to retrieve a major access to your accounts seems to be the safest method, especially when you are likely to rarely use your phone.

You could also give a copy of the printouts to a family member or close friend, who you could ring if you were remote.


I guess you are right. It's not like I am using those codes all the time, so the inconvenience is tolerable.


You could try Authy. The restore is not immediate but it keeps track of the services you have set up for 2FA. Trusting a huge honeypot like that with your auth is up for debate.


Years ago, when SMS 2FA first became a thing, I remember people familiar with telecom stuff pointing out SS7 vulnerabilities and porting/SIM takeover issues. People shouted them down and claimed that they were being too paranoid and exaggerating the risk, or that most people aren't attractive-enough targets for someone to dedicate so much effort for hacking their accounts (and that SMS 2FA was thus good enough for most people).


If I want to change my number to a new SIM, my telco requires me to log in and fill in a form. If I forgot my password, they email it to me.

They don't have any offices open to the public, nor any hotline, and are really the cheapest alternative where I live, but it seems that their attempts to save money have resulted in them ending up with a more secure infrastructure than some notorious ones from very advanced countries.


You should also make sure providers like Google don't fall back to less secure account recovery methods. I blogged about this here, after I realized that I was still vulnerable even while using real 2FA:

https://ericrafaloff.com/google-account-security-and-number-...


Regarding the $8k of bitcoin stolen (https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoi...), that's what you get for storing your coin in Coinbase or someone else's service. If you're not in control of your keys, you don't own the coins. This uncomfortable truth has a way of occasionally poking out, like that story.


What's funny is... my Bank does not allow me to use any special characters and for the investor accounts numerical only. They do not have 2FA either.

CIBC Canada

Addendum: also, several of my purchases were flagged as hacked purchases by them and I had to call them three times so far this year. All purchases from the same Amazon account, same IP too. So I do not think they have a good services team.


Take a modified attackers point of view.

Could you convince a cell phone store rep that you are who you say you are without your drivers license?

Or, for a million bucks, could you make a cell phone store rep think you were someone else?

The answer is why SMS 2fa isn't such a great idea. Because your security checkpoint is owned by a (underpaid) store representative.


Seems pretty silly putting any form of security apparatus into a technology which could possibly have been engineered from the ground up to be SIGINT-enabled. It's as if GSM was deliberately designed by the intelligence community to be available for eavesdropping. They built the protocol with just enough good security that Johnny can't intercept his wife's calls to check for cheating, but with enough bad security that intelligence services (and sophisticated criminals) can play Mallory[0].

[0]: https://en.wikipedia.org/wiki/Alice_and_Bob#Cast_of_characte...


Anyone here happen to know how hard it is to steal a Twilio number as compared to a number issued by eg T-Mobile or Verizon? Is the only way to do so, by accessing the Twilio account that controls the number (whether directly or by API)?


Has anyone tried suing a Telco that's given away access to their phone account?


"If you follow several of the steps I outline in this story (unless you go with Google Voice), you’ll end up with at least three email addresses: your current primary one, one just for your mobile carrier, and one that you use for other sensitive accounts such as online banking or Facebook or Dropbox."

Why not just have all sites that require SMS 2FA (there are a lot, including telcos) be directed to a personal Google Voice number? And also remove any SMS 2FA from this Google account and your personal one? Wouldn't that solve the issue they are suggesting? Why do you need a third account?


I read a blog where someone got hacked through a SIM card clone, and they went into the details of how easy it was to do. This prompted me to enable 2FA on everything I could, but the funny thing is, a lot of the backup options for 2FA are -- you guessed it -- your cell phone number. Some of them don't even allow you not to use your cell phone as a backup. I think GitHub and Slack are like this, but I may be wrong, it has been a while since I turned them on.


The most important thing is: DON'T use your telco phone number in any of your sensitive accounts. Replace that phone number with a secure phone number: the article recommends using Google Voice, since this can't be compromised in the same way that a telco phone # can be.


With GitHub the SMS backup option is just a secondary choice, not required.

A YubiKey or similar device, or just storing the recovery codes + using an app, is the best route in that one.


I am surprised no one here mentioned mooltipass https://www.themooltipass.com/


It's another gadget to carry around, and if you lose it or forget it somewhere, you're SOL. Better have a KeePass2 database on your phone synced to a cloud storage. Even if the cloud account is compromised, without the KeePass password, your credentials should be safe. If you need, you can open the database using a webapp in any browser.


Remember this the next time you may tend to agree with governments' push for backdoors. If they get their way even Google Authenticator won't be safe, just as SMS isn't anymore for 2FA, all because the surveillance agencies preferred to keep the SS7 vulnerability and others like it so they can exploit it (outside of the "rule of law", as otherwise they wouldn't need it).


But...if a public that doesn't understand the nature of backdoors is fearful of the consequences of backdoors being cracked, it's a short step to turn attempts to crack the backdoor into something terrifying, in which case an attempt to crack the backdoor becomes a justification for its existence.

Yes, I'm cynical on this matter.


For 2FA I like how Microsoft does it. You have an app on your phone. When they need to authorize you, they push to the app and it automatically pops up with approve and decline buttons. You verify the code is the same on the phone and screen and hit approve. It's an easier workflow than having to open Google Authenticator, find the code, and enter it.


Google is starting to do this as well. You get a push notification instead of entering the code.


I'm SHOCKED this wasn't a thing earlier. Spoofing a phone number is insanely easy. When I was in High School we figured out how to do it and used to prank call people from other peoples numbers. Eventually, we realized that if you call someone's cell from their own number it takes you directly into the voicemail admin menu. Fun times.


That's a bit different than receiving text messages aimed at a different number.


This sort of attack has been happening for over 5 months in crypto.

Kraken published a highly useful blog post on it. Do give it a read. http://blog.kraken.com/post/153209105847/security-advisory-m...


I've noticed a number of people using https://jmp.chat/ to get a second number for 2FA. It supports most of the short codes companies use for 2FA, but it doesn't require you have a Google account (or even an existing phone number).


These attacks have been going on for at least a decade in South Africa. The fact that it's still going on, and if the coverage is to be believed, spreading globally, is a pretty shocking indictment of the industry.

I wonder what other scams are being incubated in lesser-known parts of the world, that are waiting to be unleashed.


Articles like this ramp up my paranoia, especially since I got a phone call from the UK three days ago. Nobody on the other end. Hung up after saying hello three times. Never heard back since. It has me worried, especially since I just came back from my holidays (not in the UK).


It seems a simple solution would be for the phone company to send a confirmation SMS or automated voice call to confirm number porting or any other major action. Is there a reason they don't do this? It seems like a good balance between convenience and security.


There was this recent case showing how not to do this feature. https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoi...


Worth reposting Kraken's mobile phone security advisory:

http://blog.kraken.com/post/153209105847/security-advisory-m...


Where I live you need a copy of your passport to port a number, and in addition the new SIM can only be sent to your government-registered address. I think that would be quite hard to game.

Even so, hackers can still use SS7 to hijack phone numbers.


SS7 is harder to obtain, and a lot of good operators now have protections for hijacking via SS7.


Take a look at the article by Cody Brown regarding his coinbase account being drained of ETH and BTC due to the same fundamental problem: way too easy to steal someone's phone number.


Too many Forbes articles. They're months behind on this story and have an aggressive anti-adblock so I'd rather not see stories from them.


Wouldn't the easiest solution be to use a landline and use the call options for 2FA? Physical access to my home is root access.


What is this land line thing you speak of?


To sum up: what's the simplest solution to at least reduce risk? Is it to get a second phone number just for banking?


What is a good way to make these attacks more difficult? Would something like Yubikey work if it had more adoption?


Wow! What's the easiest way to stop this kind of attack? Stop all two-factor authentication?


Does anyone know if Project Fi provides any extra layers of security? I haven't seen anything


If anything the ability to get texts via the web makes it worse.


How so?

By which I mean... I think that doesn't make any sense but please elaborate.


With helpful picture of a "hacker" so you can recognize one.


Or just ask them all to implement decentralized SecureLogin.


"Locksmiths Are Breaking into Bank Safes"


Old article ?


isn't it old article ?


Test


This has been the vector for Twitter hacks for many years.

Get the 2nd factor


Get the 2nd factor... that's NOT sms.


SMS as a second factor is fine. As bad as it is it can't reduce your security compared to just a password.

SMS as an account recovery mechanism is the problem.


SMS is the 2nd factor. Actually it's worse than just a 2nd factor because a compromised phone number can usually be used for password recovery


You are confusing two different things.

The problem is one factor account recovery, because it means you have one factor auth.


[flagged]


This is what I thought as well.


[flagged]


Did you read the article? The victims who've had their phone number stolen weren't the ones that fell prey to social engineering - it's the customer service people at the phone provider who are persuaded to do a port of the phone number.

Unless you operate your own phone carrier, it would be hard to avoid this attack.


It would be about as hard as it is to prevent DNS zone hijacking. That is, not very hard.


How, exactly, would you prevent someone in a call center on the other side of the world from being convinced to port your number away?

Outgoing port "blocks" are nothing more than a note in your file - what's to say that the attacker couldn't just make up a story? "I know I called a while back and asked you to prevent porting, but I really want to switch to X carrier to get their exclusive new handset. Can you remove the block request? My mother's maiden name is..."

Pretending like you could prevent this sort of attack is laughable, which is why it's so dangerous.


As I said, like the DNS system: you lock the number, only allowing porting upon presentation of a secret that only you know. Default state is: locked.
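What a "locked by default, unlock only with a secret" port-out check could look like on the carrier side, written as an added illustration rather than anything from the thread or from any real carrier's systems. The record layout, the PIN hashing parameters and the attempt limit are assumptions; the point it makes is that the only accepted unlock credential is a secret the subscriber enrolled, compared in constant time, with knowledge-based answers (mother's maiden name and the like) never consulted and a failure counter that escalates to out-of-band verification instead of letting a rep keep guessing on a caller's behalf.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed policy values, not taken from any carrier.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5


@dataclass
class SubscriberRecord:
    """Hypothetical carrier-side record for one phone number."""
    number: str
    port_locked: bool = True          # default state: locked
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pin_hash: bytes = b""             # empty until the subscriber enrols a secret
    failed_attempts: int = 0


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored secret is not a plaintext note in the file."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enrol_port_secret(record: SubscriberRecord, pin: str) -> None:
    """Subscriber sets (or rotates) the port-out secret; this also relocks the number."""
    record.salt = os.urandom(16)
    record.pin_hash = _hash_pin(pin, record.salt)
    record.failed_attempts = 0
    record.port_locked = True


def request_port_out(record: SubscriberRecord, presented_pin: str) -> tuple[bool, str]:
    """Decide a port-out request. Returns (approved, reason).

    Nothing a caller *knows about the subscriber* (DOB, SSN, maiden name) is
    consulted here: the only thing that unlocks the number is the enrolled secret.
    """
    if not record.pin_hash:
        return False, "denied: no port-out secret enrolled; port stays locked"
    if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False, "denied: attempt limit reached; escalate to out-of-band verification"
    # Constant-time comparison of the derived hashes.
    if not hmac.compare_digest(_hash_pin(presented_pin, record.salt), record.pin_hash):
        record.failed_attempts += 1
        return False, "denied: port-out secret did not match"
    record.failed_attempts = 0
    record.port_locked = False        # unlocked for this one port; re-enrolment relocks
    return True, "approved"


if __name__ == "__main__":
    # Constructed walk-through with a placeholder number and a made-up secret.
    rec = SubscriberRecord(number="+1-555-0100")
    print(request_port_out(rec, "0000"))          # locked: nothing enrolled yet
    enrol_port_secret(rec, "4821-9930")
    print(request_port_out(rec, "0000"))          # wrong secret, counted
    print(request_port_out(rec, "4821-9930"))     # correct secret, approved
```

The failure counter matters as much as the hash: without it, the "note in your file" objection above still applies, because a persuasive caller can simply keep trying.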


Would you please stop posting unsubstantive comments and rants to HN? We're trying for higher quality here.


I don't agree with his post. However it was clearly a reasonable position and not "unsubstantive comments and rants" as you are claiming. That is not a reasonable claim at all. Your post is unwarranted and is highly abusive. Just stop. Bullying valid minority viewpoints is not cool and does not contribute to the quality of polite rational debate and discussion.


No, you totally, utterly fail to understand the interaction here and it is you that should stop. If you want to second guess the moderation here you're on very thin ice, this is a pretty clear cut case of someone purposefully ignoring the meat of an article to stir the pot.

Note that the victims here are not party to the exchange, contrary to what is claimed in that comment; it is the call center employees of the phone company that are being social engineered into making an unauthorized change to a subscriber's record.

If you want to limit the use of the words 'social engineering' to the cases where the victims are the ones being social engineered you're ignoring about 3 decades worth of use of the term to apply to any situation where through clever exchanges an elevated level of access was achieved to some resource or other, and those exchanges do not have to be directly with the victim.

Typical example: call the secretary from the 'IT department' to gain access to the system of the boss.


The comment in question was in poor taste by mocking victims of hacks for being stupid, and the premise of it was wrong anyway (not understanding that it's the telco customer service at fault more than the people who got hacked).

That's about as unsubstantive/low quality as comments go, and really doesn't qualify as "polite rational debate and discussion". It makes sense for a mod to step in and say something.


I must disagree with this. Monsieur Lerie clearly and specifically objects to the use of the term "social engineering". This does in fact deal with situations where naïve persons can be fooled by con artists. This is a problem in the field. A problem we are all aware of.

Denying that it is a problem is counterproductive. Denial does not address the core issues, of exploits that utilize and depend upon the naïveté of the mark.

I do not agree with him that a solution is to prevent the technologically naïve from having access to phones. Nonetheless, this is still an issue that must be addressed. Security schemes intended to protect the general market of customers must not rely upon the customer's sophistication in defense against social engineering scams. Many customers, quite reasonably, are technically naïve in some aspect or another. It is completely improper as a security protocol for mass market products to rely upon customers having enlightened opsec.


The part you are missing is that the mark is not the one being socially engineered. The attacker is getting a completely random telco to hijack the mark's phone number by socially engineering the telco. There is nothing 'the mark' can do to prevent this.


If a bad actor gets your data in a breach, the article posits that the only person that has to fall victim to any level of social engineering is the customer service rep of your cell provider or some other service you use.

So while you might be above Nigerian princes, free cruises, and the like - do you have the same faith in the as-cheap-as-possible customer service rep from your provider?

That's what the article is getting at.


The problem is that you can socially engineer the Telecom service desk. It's not that hard. I did it when I pretended to be my dad (at his request) to switch his phone plan.


Two factor authentication is nothing more than a massive vulnerability. We've seen people somehow change our listed contact numbers through unknown exploits, then hijack ownership of properties using the new number to prove they are us. This wouldn't be possible if not for 2nd factor authorization schemes.


Only for 2-factor schemes that rely on your phone number. Those are horribly insecure, there's a reason NIST and pretty much all security experts recommend against using them.

SMS authentication was created as a cheap hack to get around needing SecurID tokens, and should have been abandoned when TOTP (Google Authenticator and the like) became possible.


SecurID tokens do TOTP just fine.


True, I mean the OATH standard / RFC 6238 style TOTP, which runs on generic hardware (a smartphone or PC).
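For readers who have not looked at what an authenticator app actually computes, here is the RFC 6238 TOTP construction (HOTP from RFC 4226 with the counter replaced by a time step) as an added example, written for this thread and not taken from any commenter or from Google Authenticator's code. It uses only the standard library; the key, time values and expected codes in the `__main__` block are the published test vectors from the two RFCs, and the `window` parameter of `verify_totp` is my own choice for tolerating small clock drift. Nothing here involves a phone number, which is the whole point of the comparison with SMS above.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits, algorithm)


def verify_totp(key: bytes, presented: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, algorithm=hashlib.sha1) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock drift).

    Each candidate is compared in constant time; the caller is still expected
    to rate-limit and to reject a code that has already been used for this step.
    """
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(key, t, step, digits, algorithm), presented):
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """Authenticator enrolment strings (otpauth:// URIs) carry the key as base32."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                      # restore stripped padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 SHA-1 test key (ASCII "12345678901234567890").
    rfc_key = b"12345678901234567890"
    for counter, expected in enumerate(["755224", "287082", "359152", "969429"]):
        assert hotp(rfc_key, counter) == expected
    assert totp(rfc_key, 59, digits=8) == "94287082"          # RFC 6238 Appendix B
    assert totp(rfc_key, 1111111109, digits=8) == "07081804"
    # Live code for a constructed base32 secret, as an app would show it.
    demo_key = secret_from_base32("JBSWY3DPEHPK3PXP")
    print("current code:", totp(demo_key, int(time.time())))
```

Note that the server side holds the same raw key, so a TOTP secret database is a credential store and needs the same care as a password hash table (it cannot be hashed, because the server must compute the code too).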


I agree with you completely that those are totally insecure. However, 2nd factor as a dictionary vernacular term has become synonymous in the press with a telephone number and some sort of texting scheme. Before this there was little incentive to hijack phone numbers. No longer is that the case.

Having a phone number is not secure in any way, proves nothing, and offloading security onto a totally insecure system such as the possession of phone numbers was a massive cop out and completely irresponsible.

Maybe as you say there are 2nd factor schemes that don't use phone numbers but it hardly matters since the term 2nd factor has unfortunately come to mean phone numbers in the vernacular.


> 2nd factor as a dictionary vernacular term has become synonymous in the press with a telephone number and some sort of texting scheme

I don't think that's true. Both my banks issue hardware tokens for challenge-response type authentication; these are widely in use and understood to be 2FA, and the same goes for many other services.

It's a typical case of all cows are animals but not all animals are cows. I've yet to see the press categorically making that kind of mistake for 2FA; though I'm sure there will be some offenders, on the whole people - and the press - seem to know the difference. And it's up to us to correct these things where and when we see them, so if you do spot an article that incorrectly labels SMS as the one true 2FA then you should mail the author or the editor to get them to correct the record, pointing out that they are perpetrating a fallacy that could cause their readers to be at risk.

This is not as far as I can see a lost battle - yet.


The biggest issue today is password reuse, and 2FA does help mitigate the liabilities of that. Is it perfect? No. Does it introduce more attack surface? Yes. But for the average user, it almost certainly increases their opsec.


Not just that, it's a bad solution to the problem it's attempting to solve. (What if your password manager gets compromised?) To have that problem, someone must both have your password manager database and the master password and/or keys to unlock it. Since you need your password manager on your phone, the assumption that having your phone somehow provides an additional factor over having your password manager is just plain wrong from the beginning. 2FA as implemented isn't even a second factor.

And, as others have mentioned, it increases the likelihood of getting locked out of your accounts (if you don't have your phone with you or the battery died or whatever). Which encourages service providers to make account recovery easier (it needs to be easier if people are more likely to get locked out.) And making account recovery easier makes it easier for other people to 'recover' your account.

3rd-party authentication (other people vouching that you are who you say you are) might be better, but would have its own problems.

In the end, the real solution to the problem of 'what if your password manager gets compromised?' is to minimize that possibility by _not_ having it online, having really strong master password and/or keys, and avoiding malware. 2FA doesn't help with that at all. It just adds its own problems.


SMS/phone number are a security nightmare as 2nd factor. Using a key via an authenticator app as the 2nd factor is really good.



