CapitalOne is even worse -they locked me out of their app today and asked to send an SMS code - and they let you pick which number to send it to on the spot. Good one fellas. What is the point of having Touch ID and their dumb Swift ID stuff set up if they keep doing dumb stuff like this.
Google does this too when you sign in from "unknown" locations, if you don't have 2FA configured. I think the purpose is to slow down bots. If you try reusing the same number in quick succession on different accounts, Google won't let you.
I'm so glad I'm out of the family tech support "business"; if only firing real customers were so easy...
This really bugs me. I have throwaway Google accounts that I don't want to add my phone number to, so I can only access them from the location I created them.
Enabling 2FA should stop this from happening. Adding TOTP as your 2nd factor would require adding a recovery number, but maybe you can remove it after. I have accounts that has TOTP 2FA w/o recovery number, but perhaps they were grandfathered in.
Alternatively, use a physical token as the 2nd factor, then no recovery number is required.
You can't create a Google account without a phone number (at least last I tried), however once you enable a 2FA method other then SMS you can then delete the phone number. To their credit the phone numbers I gave to Google when setting up my accounts have never shown up in any of the usual law enforcement or skip trace databases so I'm less apprehensive about opening new accounts with them.
T-Mobile sells me out once a year - I don't even give them my real name, they must get it from my credit card or something. This year I used a fake name "authorized user" card, still waiting to see if that keeps my latest number out of the databases or not, around nine months to go.
Wow there's a lock to unpack here. How are you accessing law enforcement or skip trace databases to check?! And what do you mean by T-Mobile selling you out -- where did they give out your info? (They let you get a line without your real name?!)
You can request a copy of your info from those databases from Transunion, LexisNexis, etc. and they'll send it to you. however since they are not used in credit decisions they are not governed by the FCRA and you can not dispute or amend anything. Every phone number I've ever had is in those databases, as well as every address I've ever lived at - plus a few dozen variations that are typos or incomplete which I guess says something about my handwriting, every paycheck I've received over the past twenty-some years is in there, both regular payments and bonus, with taxes broken out and everything (a lot of businesses outsource employment verification to a Transunion subsidiary called The Work Number and in return they get all that information). There is my list of "known associates" which is pretty much all of my family living and dead since the 80s, all of my wife's family, a couple former roommates and their families. Apparently I own a sporting goods store in Austin, Tx (thats false, but can't dispute or amend). Every legal action I've been a party to is there. Every car I've ever driven is in there. I think most people would be shocked if they knew how much data these companies keep. I became aware when a police officer called me about some tenants at a rental property on a phone number I'd never given to anyone. I think the Transunion TXLop database is where I finally found the number. Since then its been my hobby to see how long I can keep my phone numbers out of that database.
I think he means that the hijackers call into T-Mobile customer support who then allow his number to be ported to their sim.
My T-Mobile number was simjacked last year, though afterwards once I reclaimed my number they let me set up a "secret word" that the person calling in has to give them and I haven't had any problems since.
I've asked that my number be unable to be changed to a different sim over the phone. So to change it I need to go into a physical store and present proper ID
Just tested this, I was able to create an account without a phone number. I think it doesn't require a phone number if Botguard is highly confident you aren't a bot. (it does recommend adding a phone number for 2FA though) Also, I created the account through ChromeOS settings, which perhaps is a signal that I'm not a bot?
For me, it shows a short list of phone number endings, and you have to pick the right one. It's far from perfect, but it doesn't just let me enter any number I want.
Correct. I spoke with their digital team recently and got the low-down. Your full name and the phone number you type in is compared (not sure what entity does this comparison) with the telco billing records that also obviously have your name and number paired. In my case I only have a business cell phone which was problematic to use with my personal Capital One account for step-up auth.
It's disgusting to think about the record sharing, and I doubt it even protects against SIM swapping (or does it?).
Is there a US bank (national, not a local credit union) that allows you to use TOTP, U2F and backup codes as your sole 2FA sources? Heck, the US Government lets you do it now (https://login.gov), you think that BofA would...
Looking at that link, pretty much none of the major US banks (Bank of America, US Bank, Wells Fargo, PNC, Chase, etc.) seem to support software 2FA token solutions (e.g., Google Authenticator, Authy, etc.). Not gonna lie, this is abysmal.
My understanding from the situation has been that banks don't care because in a checking/savings account, it's your money getting stolen, not theirs.
For credit cards with awful security, they don't care because the money they get from making it easy to sign up and use their services is far, far greater than the costs of dealing with fraud.
How accurate is this hypothesis of mine? It really can't be an education thing because I'm sure these companies have great engineers working there, both at the lower ranks and (at least sometimes) in upper management.
The vendors foot the bill for credit card fraud, and end up paying transaction fees both ways. I used to work for a company whose website was found by some entity in the stolen credit card ecosystem to be convenient for making small purchases to validate stolen cards. The bank / credit card processor was in a much better place to make fraud decisions, and yet somehow all of the risk was on us and the credit card processors actually made better profits due to the fraud. Incentives are badly aligned.
In most cases checking/savings account hijacking would have little or no loss to the customer (usually there is a time frame the loss has to be reported by and there may be a low minimum fee of $50 or so).
There would be no raw financial loss at the end of the day, but there sure is a lot of time loss involved for both parties. It gotta cost not a non-zero amount of money to deal with all those issues, while with a proper 2FA all those costs would be pretty much cut to zero.
Robinhood impressed me by supporting both strong passwords AND 2FA with Google Auth. They haven't rolled out cash management accounts yet but I think they will my financial center once they do.
I think Fidelity does allow this, but I haven't bothered with it since I use a password manager.
Fidelity has a brokerage account, free checks, free ATM withdrawals via debit card, maybe also your 401k, free money wires, automatic investment etc.
The only thing they don't have are branches where you can deposit cash, but that's really never necessary - in an extreme case you can open another bank account, deposit cash, transfer to fidelity and immediately close it.
I'm not sure why anyone uses a bank other than Fidelity.
Fidelity does it through either SMS or Symantec’s Validation and ID Protection (VIP) Access app. I called and asked if they support another app and they said they don't. Why they couldn't use another (read: non-Symantec) 2FA is beyond me.
I just went and checked because I was excited to set this up. Navy Federal has email, SMS and OTP through their app. USAA has email, SMS and OTP through their app or Symantec VIP. I wish either one would allow the use of U2F or TOTP.
Honestly, what is a good US bank that has a great web/mobile experience, a large financial offering (checking, credit, savings, investment, etc...), great customer support, a good presence internationally, reasonable and no hidden fees.. wait there is none.
I don't think it's fair to assume weaknesses from 6 years ago still persist.
* I just tried to login with the first 8 characters of my password and it was not successful.
* Also this password is autogenerated and contains plenty of special characters.
* Their 2FA system no longer depends on the concatenation of password + token.
Also this reminds me of another HN discussion[1], which basically boiled down to the question of "Do you really think the only thing the bank does to log people on is to check the username and password?" I certainly hope not.
Robinhood for checking/direct deposit/ATM access and small DIY investments, Wealthfront for retirement accounts and savings/emergency fund, Apple Card for payments. Beautiful interfaces, non-SMS 2FA on all, fantastic customer service. I do this and I can’t think of anything else I’d need. The only fee I pay here is Wealthfront’s 0.25% management fee, but I don’t mind since it’s such a great service.
Robinhood is a brokerage but they deposit uninvested balance into normal banks so they are FDIC insured and pay interest, and you get a physical MasterCard debit card. Used to be 1.8% but the coronavirus happened and now it's 0.3% :(
They use normal TOTP for 2FA so it'll work with whatever authentication software you use.
However they follow the modern tech trend of not having live tech support; you have to email them for support. But I've heard response times have gotten better recently.
I moved most of my money into RH for the interest, but still maintain Chase checking and credit card accounts. For sonething as important as banking, there's no substitute to having tons of physical locations with humans. For example I recently went to the bank to deposit tax refunds, which were not 'normal' checks. I don't think you can even deposit normal checks into RH. And I trust Chase's fraud protection systems more than RH.
It's the same bank that doesn't send you spam emails which make you used to receiving unsolicited communication from your bank. These emails make it easier to sneak in phishing emails. That's why I use that bank.
Correcting myself in case anyone reads this: that seems to have been true in the past but they are moving investing to charles schwab and victory capital (separate companies). So long-term I wish I knew if that is nearly as good as not in the ways that matter for this discussion.
My account was abused because of SIM swap. It was banned. I explained them that I did not do it. They won't budge.
We need to enforce tech companies to have proper customer support. We need to make a regulation that enables users to appeal or sue tech companies decision about their account. No more 'fix through hacker news submission or reply' please.
Paypal is less of a tech company and more of a finance company.
This kind of behavior is caused by rules that put the cost of fraud on the payment processor rather than the customer, even though the payment processor's primary tools to prevent it basically involve locking the customer's account based on vague suspicion and hearsay.
When someone has stolen your identity, there isn't really anything you can tell someone to prove you're you. Having your password or SSN or access to your email or the answers to your security questions tell them nothing. The perpetrator could have those things. Your account may have been created by the perpetrator to begin with and the person whose name is on it has never even used their service. How are they supposed to tell? Even if you're you, the perpetrator may still have access to whatever method was used to access your account to begin with and if they turned it back on there would be more fraud (which causes the payment processor to lose money instead of you). So your account is locked forever and you can pound sand.
The alternative to people getting locked out of their accounts is having accounts without reversible transactions. You don't want this for your brokerage account, but you do want it for the account you're using to buy things with petty cash. Because then the account never has more than $1000 in it to begin with, which limits your losses to that amount, but then the payment processor doesn't have any incentive to ban your account because the losses are yours. If you're careless and reuse passwords, you might lose the $1000, but you don't get banned forever from making financial transactions. Then you learn your lesson and do better next time.
That would also result in lower transaction fees, because most of the transaction fees go to paying the cost of fraud protection. And it would reintroduce the incentive to prevent fraud to the people best situated to do that (stop reusing passwords, people), so there would also be less fraud, which is better for everybody.
PayPal is the worst - a couple days ago they disabled my password (including both 2FAs) and sent me an e-mail asking me to reset it. The only way to reset it is via SMS which I don’t do. I’m locked out of my account now and also support now since the only way to contact them is by logging in. I’m hoping Synchrony has an in with them because I have balances on PayPal MasterCard and PayPal line of credit that can only be accessed by logging in.
It's really the same problem. As soon as they suspect your account could be compromised, they can't trust your authentication methods anymore and the risk calculation favors losing your business over reactivating your account and then having fraud losses on it. It's a math problem, not a customer service problem.
Granted it's obviously bullshit if they try to keep the money when your account had a positive balance.
What I love is when they refuse to help you except by talking on the phone. As-if somehow my speaking to someone who has never met me and is completely unfamiliar with my voice is more secure then when I log in to their "secure message portal" and leave a message. Too bad there is no Tony for security theater. ;)
Plenty of countries already do, but at least judging from reading about America on HN its much more difficult to do anything like that in America because of distrust in government. You even vote without ID which is extremely weird for the rest of the world.
> You even vote without ID which is extremely weird for the rest of the world.
The system they use actually works pretty well. They have a list of registered voters and when you vote they cross your name off the list. You have no way of knowing who has already voted, so if you give someone else's name you risk their name already being crossed off, and then you may be in for some questioning.
If you want to do something that would actually impact the election results (i.e. vote thousands of times and not just twice) then you would also have to come back in over and over using different names, which creates the obvious potential for the poll workers to recognize you. Avoiding that would require some kind of large conspiracy so that each person doesn't reappear enough times to be recognized or use the same names as one another, which then makes it much more likely that you're caught because one of your co-conspirators turns you in.
So the risk of getting caught is pretty high even without ID, especially if you're doing it with enough scale to really matter. Meanwhile the penalty is typically something like a year in prison per offense, which is a pretty high price to pay for one extra vote.
Here are several reasons why we should never do that.
The first reason is that those IDs would then become massive theft targets. Because they're uniform, it provides economies of scale for criminals to figure out how to extract the private key from the ID, then pickpocket IDs and extract the private keys from them (or worse, figure out how to do it from across the room when it's in your pocket) and then we're back to square one.
Associating public keys with names, which is in general completely unnecessary (the key itself is the identity), also becomes a separate centralized single point of failure. Anyone who compromised that system could associate their own public keys with your name, and the more centralized the system is the more powerful the likely attacks against it would be because compromising it then has a higher payout.
A large centralized system like that is also inherently slow to change, which would result in a catastrophic failure if a vulnerability was ever discovered in the cryptosystem it uses or its implementation, because not only would every system relying on that system become simultaneously vulnerable, they would all have to be updated, which for a large bureaucratic system could take months or years. In the meantime you're forced to choose between continuing to operate the vulnerable system and being subject to an unlimited amount fraud, or shutting it down and having systems across the country offline for a lengthy period of time while everyone reimplements their interfaces with it.
A universal public key is also itself a huge privacy vulnerability. We already have this problem with social security numbers, which were never intended to be used outside of social security but have already entered use as a means to correlate surveillance data about a person. But social security numbers at least are considered sensitive data because they're used as shared secrets. A public key authenticates by use of the associated private key, so knowing the public key doesn't impair its security properties which would almost certainly lead to relaxed security requirements for their disclosure, and thereby further enable problematic public and private mass surveillance by using the public key as a universal database index.
The far better solution is to use public key cryptography, but have a separate keypair for each relationship. So you have a bank card and it has your private key associated with your bank account, which allows you to authenticate to your bank. Your employee ID allows you to authenticate to your employer. But then nobody can steal money from your bank account with your employee ID or break into your office with your bank card. And a general compromise of the security used by the DMV doesn't allow criminals to break into power plants and airports and banks and police stations, because they're not all using the same system. This vastly reduces the scope of compromise.
> figure out how to extract the private key from the ID,
I never said the private key would be embedded inside the ID. In fact, I would think a paper copy at home would be most appropriate.
> Associating public keys with names
DMV, Passports, Banks, RealID already get our fingerprints. In fact, these could be SALT to the private key kept separate.
I hear your argument about centralization, but that genie is already out of the bottle. Making it better is a good idea, no? Also, if any vulnerability occurs, I can go back to DMV and register a new PP pair.
Still, I do like your idea of having PP pairs beyond just centralized entities.. start using them everywhere you have an account.
> I never said the private key would be embedded inside the ID. In fact, I would think a paper copy at home would be most appropriate.
As soon as such a thing existed, people would want to start using it for everything, and nobody is going to want to do cryptography with pen and paper. It would end up in a card or device people would carry on their person so they could use it and then it would be a huge theft target.
> DMV, Passports, Banks, RealID already get our fingerprints.
It's the same problem, you'd have a central database mapping public keys to fingerprints and then it's a single point of failure/compromise. The attacker could get your fingerprints from the DMV, associate their public key with them and then start impersonating you using two factor authentication because they have your fingerprints and the corresponding private key to the public key the DMV has on record for you.
Let each entity maintain the mapping themselves. Your employer has a computer that says the ID badge with public key 1234 is yours. You don't need the DMV to do anything there, and then nobody can cross-correlate anything and if anybody breaks it they only compromise one system.
> I hear your argument about centralization, but that genie is already out of the bottle. Making it better is a good idea, no?
Getting rid of it is a better idea. Or start by making the centralized system worse and more restrictive so people use it for fewer things and replace existing uses with decentralized alternatives, and then get rid of it.
> Also, if any vulnerability occurs, I can go back to DMV and register a new PP pair.
They stole all your money, broke into your company and stole the trade secrets, filed separate fraudulent claims against your home, life, car and medical insurance policies, took out a second mortgage on your house, sold the title to your car and gained access to your computer where they found some information they're now using to blackmail you.
You can go to the DMV and change your public key, but that's closing the barn door after the horse has bolted. Better that only one of those things happen than all of them, no?
We just need a law stating that if a website cross certain number of active users(registered) in a country they should have physical customer care offices. When they reach 10m,they should have it in every district(just like phone service centers). Its nice to think about this although these companies are rich and can lobby against these kind of laws.
Every district? I think you underestimate how big a country like the United States is, and how few 10 million users are for web sites. Facebook has one of the highest revenue per user at $7 a year... so 10 million users would get them about $70 million in revenue a year.. take a phone company like Verizon... they have 2300 stores in the US.... if our hypothetical web company opened up 2300 stores, they would only have $30k per store... and that is just revenue, not taking into account any other expenses.
If they had zero other expenses and just ran the offices, they wouldn’t even be able to hire one worker for each store....
I'm not entirely sure that not allowing them to just close your account, never talk to you again, and walk away with your money is "high customer support standards".
Their suggestion is a bit far reaching, but their point is that eventually the user count of a service reaches a point where due to network effects individuals aren't able to effectively shop around
Agreed completely. I think it's quite easy to imagine that a virtual version of this law could be enacted to require that they actually deal with these situations in a timely manner.
> The easiest way to make it impossible for SIM swappers to take over your accounts after they hijack your number is to unlink your phone number with those accounts, and use a VoIP number—such as Google Voice, Skype, or another—instead.
They don't mention that some carriers offer the ability to secure your account against unauthorized transfers, but it's opt-in. Here's how you can do it on Verizon:
The problem with using a VOIP number is that most app and websites won't let you use anything but a regular carrier number for verification -- they specifically restrict VOIP numbers from use. I presume this is to prevent spammers or just regular users from creating multiple accounts, but I think they're mistaken as it's trivial to buy a temporary "real" carrier number on the internet if you're fine using a somewhat-shady site.
I've been the person at the app banning voip numbers. The problem is there are some services that make it very easy to obtain a voip number at no cost to the user; if they don't have effective protections against bulk registration, spammers abuse them to get thousands of numbers and then use those numbers to abuse the service I was at.
Forcing spammers to have a non-voip number raises their costs, sometimes significantly, reducing their ROI and their interest in spamming our users.
We tried to make exceptions where we could, but it does suck for real people using voip numbers for whatever reasons.
Unless you're doing a dip of the number against proprietary telecom data sets, you have no idea if the number is a "VOIP" number, due to North American number porting laws, you can take any number that was a "Verizon landline" or whatever and move it to a VOIP provider that can overlay SMS capabilities on it.
Even if you dip and see that it belongs to a VOIP provider, it's a completely legit use case for some to own their phone number through Bandwidth, Twilio, Telnyx, Messagebird, whatever.
There are DBs that can get you that info. Some even tell you when the number was ported which is useful to catch mobile number takeovers. Things have moved beyond NPA/NXX lookups.
Of course, that’s what I was referring to. The consumer still has to subscribe to those data sets, keep them updated, and understand which lesser-known company names are “legit” telecom providers (as many large providers are non-household names and have VOIP offerings) vs whatever kind of VOIP provider he feels he needs to protect against.
My point being that if he’s doing it right, he’s probably spending more time and money than it’s worth, and if he’s not, he’s banning legit users for the crime of not having a big-4 provider.
How can an arbitrary number be used to abuse your service? At least for SMS "2FA" you only need to be able to send a message to an number associated with an existing account.
As long as you aren't using SMS as your rate limiting step to aquire an account then then it doesn't matter if someone has 1 phone number or 1000 numbers. In the case that SMS verification is the rate limiting step, why not switch to an open captcha or similir system?
They're also mistaken in their filtering oftentimes.
I have a smaller lesser known telephone operator friendly to a more advanced users, and my SIM-bound mobile phone number is rejected by big services like Google.
Not that I care anymore, I'll certainly not go to great lengths to use services which start their onboarding by blocking my number and forcing me to use big telco's services or some shady website.
They also don't mention that Venmo (and presumably PayPal also) won't actually let you sign up with a Google Voice number. They check to make sure it's an actual cell phone.
You can (or at least used to be able to) sign up for PayPal with an email address. Or at least I'm fairly sure, since PayPal keeps prompting me to put in a mobile phone number, and so far I've always been able to exit out of that dialogue without entering anything.
Venmo, on the other hand, I will never use because of this "feature".
I created a Venmo account this week because it was the easiest way to get out two payments to friends who I can't see face to face at the moment. The next day Paypal added my new Venmo phone number to my Paypal account that previously didn't have a phone associated. Good times.
Yep, we had a PIN in place before and it did no good, because the transfer is initiated from outside of Verizon - and for some reason Verizon just allows it (without the enhanced security). We were told that Verizon's enhanced security requires actually having to provide photo ID in person at a corporate Verizon store to allow a number to be transferred out.
PIN does not block customer service's ability to do something that affects the account. It prevents an automated system from being able to affect customer's account without the PIN.
A CS agent can continue without a customer providing a PIN. It is the case for AT&T, T-Mobile and Sprint. I do not have a personal experience with Verizon but someone I know who works selling phones at a major retailer says that all PINs are just flags that pop up a message on screen.
At the native company stores for AT&T a customer must authorize everything with a PIN in addition to the ID.
I tried using a Twilio number with my bank. I found out that any service that uses SMS shortcodes for their SMS '2FA' won't work as this kind of service. SMS shortcuts are a value addon that carriers provide that is only suppose to work with real numbers.
It's possible that services more centered around VOIP vs an automation plateform might work. It's also possible that using a foreign VOIP number might work but that also might also cause issue if you try using it with a US bank.
And I'd rather not have some half baked solution using Google Voice.
If anyone knows how to get an shortcode enable number (not a short code number but rather a number that can recieve SMS from shortcodes) on Twilio or similar platform, it would be very easy to set up an SMS 2 EMAIL gateway. Perhaps if a number is ported to Twilio it will retain shortcode capabilities?
Besides finding a solution to the above problem, I suppose I could just get a GSM usb modem & SIM card for this purpose.
>If anyone knows how to get an shortcode enable number (not a short code number but rather a number that can recieve SMS from shortcodes) on Twilio or similar platform
you can use jmp.chat, which is a SMS to XMPP service.
What's "half baked" about Google Voice for this purpose? Verification code shows up in email and hangups client, select and paste into snake oil annoyance. This has worked everywhere I have tried it (number originally ported from Sprint).
Plus the more people that give out Google numbers, the harder it will be for banks to push back on this.
I tried Burner, Twilio, Textra and voip.ms. None of them played well with SMS 2FA services. Voip.ms was the best for reachability but its time to deliver for SMS messages was pretty bad.
OK but I'm very suspicious about their ability to do that properly. I want a solution that cannot be socially engineered around, which I fear is the case here.
Same here, but disturbingly some sites are making it a requirement.
The Match Group dating sites like Plenty of Fish and OkCupid recently made it a hard requirement to setup a 2FA phone number, even for existing accounts.
It's a super annoying trajectory, and I imagine potentially dangerous if one considers the dating sites and victims of abusive relationships attempting to get out. Making physical access to the phone all one needs to gain access to a dating profile is a clear regression from unsaved passwords.
Without any form of national ID it's a really hard problem to solve. As someone who runs my own login system, I require phone numbers to prevent botting. Obviously you can make a bot through Twilio etc, but it becomes economically nonviable to mount attacks through bot registration, which is my goal.
What are you doing to combat the risks of attacks like SIM-swapping?
Personally I find using phone numbers for this purpose as a cop-out, and like you said it's just a Twilio account away from being defeated. Like captchas it's only a matter of time before that is the baseline capability for bots and you're in no better place than before, except now your users have worsened security.
IMHO the true business incentive for requiring numbers is just getting identity-coupled phone numbers which add significant value to their collection of PII.
Agreed. Especially if it's unclear whether or not that's used for any kind of magical and probably broken account recovery process. I have to click through the Paypal "give me your phone number" question every time I log in... It sucks.
While SIM swapping is certainly a concern, this article makes it sound like it's universally bad to rely on phones as a form of authorization. What are the alternatives? I'd argue that email is far riskier; it's more commonly compromised, easier to compromise, and less visible when compromised. Ideally, users employ more secure 2FA methods like TOTP apps or dongles, but it's like pulling teeth to get anyone to adopt those. Relying on SMS in addition to email is better than relying on either one in isolation. I don't think I agree that Google Voice numbers are necessarily harder to hijack, because to do that they just need access to your Google login (typically your email credentials).
There are risks all around, but this article doesn't offer any good solution that customers are likely to adopt in meaningful numbers. Maybe PayPal and other companies should require people to use secure 2FA, but they'd lose too much business.
U2F can't spread fast enough. For about a year or so it's been good enough that almost all U2F keys Just Work on all major browsers / platforms without installation or tweaks. That's huge, and it's actually a relatively recent state of affairs. I believe Firefox defaulted it to enabled ~1 year ago.
The next big hurdles are getting support from e.g. banks, getting keys into peoples' hands, and getting people familiar with them. Those efforts are underway in the corporate world and I am optimistic that they will cross-pollinate well into personal security. HN-ers are well positioned to help with all of these steps.
People already accept that they should lock their front doors and their cars with keys. Most people already lug a keychain around. I don't think it will be steady-state problematic to convince people to secure their bank accounts and email with keys. Example: my parents. I expected it to be difficult to convince them that they should use a U2F key to secure their gmail. It wasn't. Their response was more along the lines "of course we should use keys, why weren't we doing this before?" They don't know anything about crypto, but they get the metaphor, and since it gives them a clear path to action, they are willing to engage with it. The answer to why we weren't doing it before is that the previous implementations were a PITA in a way that U2F isn't (TOTP was slow and fiddly, ISO7816 required non-portable setup), but now that we have U2F, I think people will be more willing than many here expect.
If we can channel the fear of SIM swaps into U2F adoption, I think it actually stands a chance.
I think the ultimate problem here is that the average person has no hardened mechanism for authentication. Using the infrastructure we have today, a combination of passwords and OTPs is better than other consumer-accessible alternatives.
Ultimately we need some mechanism for trusting and administering identity that is low friction and which can be used by 99.9% of users. The government offering a `login with apple id` like service would make sense. Then they could qualify various security chips, like the T2 or a YubiKey for use with the service. As an added benefit, we could stop using stupid things like SSNs, tax ids, and drivers license id numbers to prove identity.
Eventually we could do interesting things like abstracting mailing addresses. Instead of mailing a package to my street address, send it instead to "me", and then I can authorize USPS, UPS, FedEx, or whoever requests it to look up my real address when they are sorting and delivering mail. When I move, I just update the _one_ database with my new address and I am done.
There are some obvious concerns with the government acting as a clearing house for identity. Perhaps the better option would be for private companies to be able to implement some sort of standard API, and limit the government's involvement to auditing these services.
TOTP apps are fine, if they're properly implemented (either completely on-device, or properly encrypted before stored in cloud). Services should properly implement account restoration codes if access to TOTP secret is lost. SMS should never be used for 2FA, ever.
There are some apps that if my TOTP secret is lost, as horrifyingly annoying as it would be, I'd much rather need to take the time to get a registered public notary to stamp that they saw me in person, and checked my ID or other such documents, before the account recovery process can begin.
The "old ways" are usefully slow, have protections built around them for centuries of our culture, and I'd rather the annoying administrative headache and "slow" over the quick abuse of account recovery systems for theft and fraud.
Email might get compromised more often, but that's usually due to some kind of user error. The problem with these sim swapping attacks is that the only way as a user to guard against this is not to give the company your phone number. This often means that you can't do 2FA.
It is annoying that some of these companies refuse to allow me to use a Twilio number when they insist on using SMS as 2FA. If they are going to insist on the weakest possible form of 2FA and INSIST that I use a number which is subject to SIM hijacking, how are they not liable through negligence?
This is because these companies use APIs to establish trust for numbers which do so using a combination of proprietary telco data, machine learning models, and reports from customers. voip numbers like twilio and google voice are a surprisingly large source of fraud, so often the recommendation returned is to block based on how risk adverse the company is.
This method is highly effective at reducing fraud at the cost of penalizing a minority of legitimate users who actually do have to use Google voice / etc.
It should be noted though that factors like why is this number being looked up are considered too, ie: OTP is less risky than say account creation at a bank.
Can't Google Voice numbers be outside the US? I've read of foreigners trying to take over Google Voice numbers so they can use them like they are in US.
This was (is?) also possible with Lyft. When I was interning in the US, my visa sponsor sent me a SIM card that they clearly reused several times a year. Opening the Lyft app with this SIM automatically logged me in to the attached account. I didn’t noticed this and took a 70$ trip from SF to SV. Next morning I realized it wasn’t my account and credit card details. Wrote to Lyft support but never heard back. It wasn’t even possible to log out of this account and create a new one.
Is there a recommended defense against a SIM Swap attack at the carrier level? Do carriers offer some form of two factor? I suppose the weakest link is the in store associate who just can't be bothered to verify identities.
Yes, you can add additional security onto your account - at least with Verizon. I highly encourage everyone to do so. Once enabled, you will need to present photo ID at a corporate Verizon store to allow your phone # to be transferred to a new carrier.
My wife got SIM jacked just a few weeks ago and we got extremely lucky that it didn't turn into a bigger problem. They did get a hold of her Venmo account, but fortunately it's not actually linked to our bank account (Venmo restricts the # of users that can link to a single bank account).
This doesn’t work because many SIM swaps are now done with stolen corporate credentials or bribed retail employees. They login to the corporate portal and check the box that says “I verified the customer’s ID” and proceed with the sim swap.
This only protects you from the old way where a scammer tries to convince well intentioned phone support or retail employees.
Thanks for the tip! I'm glad to see they've implemented this. Though I'm still very frustrated about how long it took for them to do anything about this problem.
(I'm a googler, opinions are my own. I don't work on Fi.).
Google Fi provides sim swap attack protection. To bind a Google Fi # to a phone, you need to be able to log into your Google account on that phone (from the Fi app). There is no other way to bind a Fi number to a phone (customer service doesn't even have the power to do this).
This means that whatever 2FA you have setup on your Google account is the same protection you get against sim swap attacks.
That is good to hear, but I am more worried about google suspending my account and ignoring all appeals for automated reasons.
To be fair, this has not happened to me yet (with gmail) or anyone I personally know, but it remains a concern for me due to the high impact such an event could have on my life.
Is there any bulletproof way that a non-US citizen could get their account reinstated or at least recover associated accounts?
Even for US citizen's, there isn't a full-proof way to deal with account recovery. I'd say your account getting locked for incorrect reasons is pretty rare.
I think one important thing to know is that account-suspension stories you read on the internet aren't always legitimate cases. While, yes, getting publicity about an account lock can get it a second look, bad actors know this as well. Those who have done "bad" things will use this same approach to try to get their accounts unlocked. Google won't publicly comment on any individual case, so you are getting a one-sided story about why an account was locked, so be skeptical when you are reading them.
One of my relatives suffered three SIM swap attacks over about six months. I asked our carrier after the first two times what we could do to prevent it from occurring again. The answer each time boiled down to "nothing." After the third time, my relative got a new phone number.
I'd love to be able to opt in to having to provide a photo id at a physical location in order to complete the SIM swap.
Or maybe the carrier can try to call or text the number for some sort of confirmation process. In our case, we never even got a warning that the swap was going to occur. We found out after my relative's email account was compromised.
This issue alone is enough to make me want to switch carriers, but AFAIK, all of them do not provide robust protection measures for this issue. I've considered Google Fi, but it might have poor coverage where some of my relatives are.
Just looked it up, T-Mobile has a NOPORT account level security protection. It requires that a valid ID is presented in store to port your number to another carrier or swap SIMs.
Even if there is, there are still so many different carriers in the world. I doubt all of them are going to implement safeguards against this, which means that accounts will be at risk as long as websites rely on these phone numbers.
Please stop supporting sms for 2FA. It's not better than nothing, it's worse than nothing. Given the extent of technology workers on hacker news please work to remove this antipattern from your products.
The problem is that the SMS is being used not to implement 2FA, but 1/2FA where you can get into the account with just one of the two factors, rather than requiring both.
2FA should never be SMS based. I've deprecated SMS for all communications and block all SMS messages to my phone.
I use a virtual number for all such services that demand an idiotic SMS verification code. I won't state which one I use here, but there are several services you can choose from that provide virtual numbers.
Oddly enough, today I finally had to give my mobile number to paypal - apparently due to incoming EU PSD2 regulations. I was also automatically signed up to paypal "one touch", where my device is now able to make transactions with no need for a password. Another thing I have to turn off.
PayPal is legitmately the biggest piece of crap flying around the internet. I'm amazed they are still a thing, given the sheer number of stories we all hear about "PayPal stole my 10k and wouldn't give it back for months" and then, this.
It's been such a relief to stay in SE asia for sometime where PayPal isn't associated with all kinds of online shopping. I can actually order online AND be given the choice to either pay online OR in person in cash.
