This is exactly the kind of thing that needs to start happening to actually motivate the companies to stop allowing this BS. Good luck!
Also, don't have your life savings in crypto, but if you must, then please for the love of everything holy don't put it someplace where a SIM swap attack is enough to get it out. Irreversible transactions are kind of the whole point of it, so you need to be much more careful with crypto credentials than, say, your bank password or credit card.
@ChaseSupport
Hey Chase, when will offline TOTP be added for a more secure login?
Thank you for reaching out! What we have is the multi-factor authentication on all online accounts. You can visit https://tinyurl.com/y7r2fztd for more info on how we protect and secure your information. ^AA
I'm still looking at how to best communicate with my bank too, to get actual answers. :D Not this cookie cutter kind of support.
No matter how precisely I describe the problem, I get copy paste or poorly thought out response. That's why I like smaller businesses, where there's still a connection between doers and support people, or where the doers are the support people.
I've been suffering from the same frustration, and have been thinking about switching to a smaller bank. There are apparently more than 7,000 FDIC insured institutions out there.
It's rather sad that Canadian banks still view SMS as the best way forward. They'll text you, they'll email you, they'll validate over the phone... all of which are really this same problem.
I'm waiting for the days our banks will accept multiple 2FA solutions.
Tell me about it. The whole thing makes me cringe. Frequently I wonder if the goal is just to have enough insurance, such that when people and their money are separated, life is fine.
The banks already know what happens when you issue every customer a 2FA token, because they issue you a bank card. You have to verify the customer is who they say they are before giving them the token, and have processes for dealing with a lost or stolen token.
No matter how careful you are, the service(bank, SNS and everything) you're using aren't. If you hand over them a phone number and they think phone number alone can identity you, you're done for.
The only solution is not using the phone. The phone reached it's limit. It's not trustworthy communication method.
> Irreversible transactions are kind of the whole point of it
Just as a sidenote, the problem isn't that the transactions are irreversible, they're also irreversible for banks. You never reverse the actual transaction, you just create another transaction in the opposite direction. Sometimes banks accidentally sent money to the wrong (foreign) bank and kissed them goodbye. The other bank had no obligation to send it back and if the 2 don't have a relationship and don't plan on having one it's free money for the recipient.
The difference with crypto is that you're basically dealing with "untrustworthy" parties since there's no central trustworthy authority over the whole network. The advantage is that nobody can control the network. The disadvantage is that you have no leverage over the receiving party.
It's like a private individual ad-hoc lending money to a friend vs. lending money to a total stranger. There's probably no legal obligation to return it but friends most likely will.
From the perspective of the bank customer, in the US, bank transactions are reversible, by fiat. It does not matter to the customer whether the bank is out money or not. All that matters is that you are made whole in the case of a fraudulent transaction.
Exactly. Cryptocurrency, in my view, are meant to be intermediary currency. Keeping a lot of it is just too risky.
Tech nerds seem to like cryptocurrencies because it's a cool and fancy gadget, but the reality is that normal banks are more secure. If your money gets stolen, banks can trace it, cancel transactions, and there are insurances in place to recover your money. Governments are involved in bank security.
Currencies are not trivial things. Only libertarians and anti-government, anti-federal-reserve people will actually prefer cryptocurrencies to their own risk.
I get that the AT&T employee is guilty, but the victim was asking for it.
He's got good evidence. The SIM-swappers have actually been convicted. ATT says it's "an industry" problem, but it's 100% their problem. They are doing nothing to stop employees from robbing their customers.
Of course the victim could probably have protected his "life savings" better, but that's not the point.
AT&T's going to say "you don't own that phone number--it's ours--and we never said it was intended for verifying your identity. Take it up with whoever stole your number and your--wait, someone stole your cryptocurrency? You realize banks are insured against mistakes like this and bitcoin wallets aren't, right?"
Well, most companies, AT&T including, do not have truly irreversible actions. If someone steals your account this way, with enough complaining you will likely get it back, mostly, eventually. Same thing with traditional banking.
This breaks down for internet giants which provide free services which can still be very valuable, like gmail, and that’s why they are moving away from it.
The amazing thing is with Wells Fargo that if you have a RSA SecurID 2FA FOB for access to your bank accounts, and you have a phone number configured for the account, you can use EITHER the 2FA RSA one-time pin, OR SMS verification to log into your bank account web page.
Which almost furthers the point that this is bad, isn’t this an acknowledgement by them that SMS 2FA is less secure? If it’s less secure and you have SecurID, why can’t I disable SMS?
There is support cost for disabling sms. While you may be technically inclined to be comfortable with disabling sms, they have to balance the cost of hacking vs support cost for all users.
Had this happen to me last week. Thankfully they only tried to get into a few e-mail accounts, which I was quick enough to get into, kill their session, and recover them before any real damage was done. AT&T of course claimed it was impossible for that to happen, despite a different phone showing up in my account, a bunch of unexplained SMS messages I never received, and two calls accessing my voicemail that I didn't make.
Currently working on finishing moving passwords from a Google account to my password manager and resetting them all, as well as replacing anything that uses an SMS 2FA with a time based authenticator or other alternative where possible. Planning on getting a FIDO key to use where I can. Also setting up a Voice number on an account that's used for nothing else besides 2FA in the instances where there is no better form of authentication.
One thing I've noticed lately is that Google Voice numbers are working with fewer and fewer companies. For example, I don't think that they work with Wells Fargo or Chase. Wells Fargo said flat out that the phone number can't be validated.
I've been using Voip.ms to pretty reasonable success. They support most SMS short codes, and everything else I've needed it for has worked as a voice call.
There are thousands of AT&T and Verizon accounts for sale online with PIN, SSN, DoB, email address, email password, etc. Some of them are paired with known bank account login information, credit report, etc. They're less than 300 USD.. Once you have the phone and information you can either use fake ID + SSN + phone to use established credit line at a retailer or if you have banking information perform a wire transfer. It's rampant.
As of a year or two ago when I worked at a authorized att dealer, manager logins can access any account without a pin and any employee can access prepaid accounts without a pin.
Edit:for whatever its worth att does keep a record of what employees accessed an account and when, and notes when managers bypass the pin, so doing this an an employee seems really stupid to me.
Interesting, I figured since they claimed that wasn't possible that they didn't keep records. I'll have to go bug them again to see if they can investigate it further. I'm not sure if this was an instance of targeted social engineering or an employee, though I would assume the former is more likely.
I'm not sure what customer service policy is about telling customers but in store at least we definetely had a notes section of every account with breakdowns of what internal usernames accessed the accounts and when. The fraud dept I assume would be the ones to look at who the employees were from the usernames but we didn't handle that kind of stuff at the authorized retailer stores so no advice to give you unfortunately :/
Are things like this usually targeted, I.e. the hackers know enough about you to know who you are and you probably know their names or at least know someone they know? How do hackers even pick their targets?
The main e-mail they targeted was included in several breaches, specifically of note the CafePress and Yahoo breaches, but various others as well. I would wager they just compiled data from each until they found something that worked.
Even more scary with the Yahoo account in particular, I have it set up as an app-based authentication, so I get a popup on my phone if someone tries to log in. However, when they (I assume) clicked the "I don't have access to this, send an SMS instead" message, that notification immediately disappeared, so I didn't even have time to hit the "don't allow" button before it was no longer an option.
Google at least seems to have this right, in that when they attempted to do the same with those, the notification was still there. I also received a separate "request to reset account password" which stated it would take like 15 days to occur, and I was given the option to cancel it.
Regardless, I think I'm going to try to go hardware key with an TOTP app backup for 2FA going forward, wherever possible.
I wish him the best of luck but considering AT&T was a party in the big Supreme Court decision setting the precedent, I predict this falls down the dark hole of mandatory, binding arbitration about twelve minutes after the first hearing on a motion to dismiss and compel arbitration.
We’ve collectively given up our rights to sue in many instances (including when signing up for HN-backed services run by people who should know better).
Unilaterally is not an accurate description. Your link has exactly one relevant sentence:
>Roughly two-thirds of consumers contesting credit card fraud, fees or costly loans received no monetary awards in arbitration, according to The Times’s data.
Note that
1. This excludes non monetary awards
2. The categories are cherry picked and they give us no data on arbitrations overall
And even under those conditions they show a third of consumers win something, which is hardly a unilateral loss. And of course it's impossible to know how many of those cases were frivolous, and they didn't bother to compare to small claims court and see how consumers fare there.
Anyway it's not relevant to this case, because he's not suing for one of those categories, plus he presumably has a lawyer (lots of arbitrations are done without lawyers and I'd bet that they have lower success rates).
For 2015, it shows the majority of cases settle, about 3k out of 5k. Out of the remaining, more than half get some kind of award. But reporting this data goes against the NYTimes narrative so they cherry picked.
https://levelplayingfield.io/
For 2015, it shows the majority of cases settle, about 3k out of 5k. Out of the remaining, more than half get some kind of award.
I'd imagine there's virtually no cases of consumers and businesses voluntarily using arbitration when there was no contractual agreement. Both sides need to agree to use arbitration.
I can dig through the data in a bit: they have the info under "source of authority", which will say whether it was in the contract or agreed upon later.
This is exactly why I’m only faithful to FIDO U2F keys. Got a couple and ensure they’re safe. No one’s hacking my accounts unless they crack both my passwords and rob me physically... which at this point doesn’t seem like it’s going to happen.
“Hello thanks for calling. I understand you want to reset your password. To verify it’s really you may I have your cryptographically impregnable super token? Oh it’s lost, I see, how about can you verify your billing zip? Splendid you’re all reset.”
Suppose we take Coinbase (I don't use it, but I've heard SIM swapping is done regularly with Coinbase):
Suppose you lose all your physical keys: I don't think you can social engineer hack Coinbase (pretty sure most companies won't allow people to just give away your password/send a reset email to some other email).
Or suppose you get them to send me an email to reset my password. But my email also has FIDO u2f! And I know as a fact you can't social hack my email provider.
You would expect that if you restore the full backup of your iOS device to a new one, because you lost it for instance, that on the new device you could open the Authenticator app and see the same keys as you had on your old device. That is not the case though.
Under the hood Google Authenticator uses keys to generate the codes you see on screen and these keys are not backed up.
It’s a difficult decision of course. If you back them up in iCloud Apple and people who hack your Apple account have access. If you don’t the keys are lost if the device breaks or is lost and you need a workaround.
No, I know because that’s what I do and I had this fail on me when I migrated to a new phone. I switched to a different app that does backup keys when you use an encrypted iTunes backup.
Edit: oh you wanted to restore on the same device. Well that might work but it doesn’t help when migrating or if your phone is not available.
I think he's saying that the private keys to his crypto never leave physical hardware. There is no phone number to call if he loses them, but on the other hand what you are describing is impossible.
The joke is a thief will get ahold a live person and still be easily able to social engineer account access, despite best efforts to lock it down with technology.
Keep two or three, put one in a bank or a safe at home. That should be enough redundancy for most people. As long as you can still get in to revoke/enroll stuff you should be okay.
It’s not so much a problem as it is a balance of security, redundancy, and effort. You decide where you want to be on that balance of considerations.
> When FOX 11 reached out to AT&T for comment on the SIM swap lawsuits against them, the company responded “This is an industry problem,” and referred us to the CTIA for more information.
I’ve mostly disabled 2fa via phone where alternatives exist. Unfortunately some services (such as twitter) require you to verify a number (you can sign up, but you’ll quickly be account-locked without providing a number)
I’m still wondering why I can’t use Touch ID to do U2F...
Phone number is not something you own, it's just a record on someone else's computer system. It's really weird that it passes as "something you own" part of multi-factor auth for so many serious companies.
To me this is more about the lack of internal controls and auditing of those controls at ATT. I know someone who is a supervisor fairly high up with them and I suspect has abused that power to spy on an ex, but she assures me "he can't because of the internal flags"... I figure there are a multitude of ways around that. Events like this don't give me confidence that I am wrong.
Yes. It won't allow the number take over, but you will end up with 1+ new iPhones in hand for the attacker. You can swap the number at any point afterward easier than just setting up a new phone at the store with a suspecting employee.
I am not condoning or justifying criminal behaviour but I have to wonder why on earth he would have his life savings in cryptocurrency, protected only by SMS 2FA, if he knew someone else this had happened to?
I guess you can call most cryptocurrencies volatile but some like BTC and ETH have so much marketcap that it's getting a bit better. Some people truly believe in crypto (and even institutions are... they store in Bakkt) and I guess you have to respect that (pretty sure they understand the risk as well).
I don't want to argue, but it's up 15% since last year (if you bought/sold right you could've also make 400% since last year. I don't personally have anything in crypto, but am watching enthusiastically from the sidelines (and given it's down 23% in the last month is one reason why).
At the end of the day you have to look at it from a bigger picture. Since the next halfing is happening in a year, prices will most likely go up (speculation).
Employees are able to override the pin entering requirement. There is absolutely nothing you can do to stop this from happening if you happen to get targeted. (Speaking from experience)
It’s better than nothing that AT&T finally allows pins at all, but one thing that’s insane about it is every time you log in on the web there’s a checkbox to never ask for your pin again. It’s exactly where you’d expect a checkbox for something like “remember me”, except it opens up a huge security hole in your account if you accidentally check it.
Pins obviously have other issues that make no sense, like the incredibly low complexity allowed that would never be acceptable for a password. But even aside from that I guess AT&T also want everyone to turn their pin off? I hope they do lose a lawsuit and actually have to start giving a shit about pin swapping and make things more secure by default.
Exactly. I have a pin on my account after identity thieves opened a bunch of AT&T and Verizon accounts under my name (thanks Equifax!). Since this happened I’ve been in the AT&T stores when I bought an unlocked phone on two occasions. The employees at the store weren’t able to do a thing until I spoke with a special call center on the phone and did verifications.
One time there was something wrong on their end and no one could do anything until the system to verify my pin was back up.
Also, don't have your life savings in crypto, but if you must, then please for the love of everything holy don't put it someplace where a SIM swap attack is enough to get it out. Irreversible transactions are kind of the whole point of it, so you need to be much more careful with crypto credentials than, say, your bank password or credit card.