Lots of comments here along the lines of "SMS 2FA is bad", but hell, if the phone companies had an appropriate level of liability here (which should be a shit ton), this should be impossible.
And it's not just about 2FA, most of humanity expects that if someone else texts them, those texts will go to their phone and only their phone unless they've given explicit verifiable consent.
I mean, in this case all the hacker did was fill out a form and say pretty please. I hope phone companies that allow this get sued.
This would also be impossible if services stopped demanding your phone number to make an account.
This is a growing trend in consumer services, and it's a privacy nightmare.
Imagine if they demanded your SSN to sign up? A phone number is no different or less sensitive a unique identifier, perhaps even more so these days.
There are widespread reports of delivery businesses selling their phone number databases (with associated credit card suffixes, delivery addresses, order history, etc.) to large advertising companies for data mining.
Providing your direct cell number to an app is basically like providing your home address and a bunch of other sensitive data. Don't do it, or make a burner gmail account to get a disposable Google Voice number for each account that you must have that demands a phone number. Then, that number isn't reused and an attacker that obtains your mobile number can't attack your login method for other apps.
Reusing phone numbers is about as bad as reusing passwords.
> Imagine if they demanded your SSN to sign up? A phone number is no different or less sensitive a unique identifier, perhaps even more so these days.
I have extremely bad news for you. US Social Security Numbers are not in fact unique, and the fact they're "sensitive" is a terrible joke because it's pretty easy to discover the SSN for an individual based on public information, especially older people because SSNs weren't even randomised at issuance until relatively recently.
Any system that depends on keeping public facts secret is horribly broken, yes that also includes "verifying" credit cards based on a bunch of digits that are written right on the card itself.
I work on such a system. I have the same sentiment as you, but the reality is that every entity along the way, including federal, state, county, city, and sub-city level governments, all treat SSN as a unique identifier and accept no substitutes. The one and only way to get away from this is to pass massive legislation and have the federal government provide better IDs to the public, something most people don't actually want. It will never happen unless a massive amount of people get defrauded overnight. Like 10-40% of the country, and literally in a short enough period of time to create a news shitstorm. This cannot be changed by your software system being different, and if it is, it will already start at a disadvantage for not being compatible with everything around it.
I'm aware, I'm a hacker (in the evening news definition of the term as well as the TMRC one). I was referring to the fact that most USians would not sign up for a whatever b2c service that demanded their SSN, but wouldn't hesitate to provide their phone number.
> Imagine if they demanded your SSN to sign up? A phone number is no different or less sensitive a unique identifier, perhaps even more so these days.
The goal is for the service to have a unique identifier, and phone numbers happen to be a really good one to prevent spam also since it outsources verification of human entity to the phone companies.
> since it outsources verification of human entity to the phone companies.
That's not the reason phone numbers are used. They are used because they are something you have, in addition to something you know like an SSN or password. This is two-factor authentication.
The US has plenty of centralized identity systems, including the Real ID one, a backdoor federal ID system that is required to board all commercial flights in that country.
But what is an appropriate level of liability here? Phone companies never signed up to be the guardians of our digital lives, and the tech industry at large has just built a castle on shaky foundations.
And there are obvious trade-offs here: if we make number portability harder, it means you're somewhat hostage to your phone provider.
No, this is exactly what they signed up for. When I sign a contract with my phone company to give me access to their network I expect that they will not just give it to someone else instead under my name.
Phone companies are guardians of our accounts with them. They absolutely bear responsibility if poor security or loopholes allow someone to gain any sort of access to our accounts. Security and convenience are often a trade-off. Clearly service providers are not properly judging where that balance should be.
> Phone companies never signed up to be the guardians of our digital lives
The parent comment addressed this point. This is not just about 2FA. SMS users expect their communications are private, except (debatably) from the courts with a warrant.
When cell phones first became big, probably 10-15 years ago at least, there was a website for the area I lived in at the time (southern Illinois) that would list texts, and people could vote on the funniest ones. There were some really private messages that would hit the top (obviously phone numbers weren't displayed). So it used to be that people had the assumption that texts were public, because for some carriers they basically were.
If I understand correctly, the initial telephone systems were run by manual operators at a physical switchboard, who could listen in to anything that was said on any line. Many people also had party lines, where someone (in another house or apartment) could pick up their phone and listen to your conversations.
So, no, not much of an expectation of privacy - at least, there shouldn't have been.
I'm under the assumption that wiretapping to create evidence is illegal, but wiretapping to get a warrant probably happens all the time. (AKA Judge and Police officer listen to illegally captured audio - Judge approves official warrant to make future recordings legal)