
That isn't 2FA. That is a single factor recovery process. SIM-swapping only defeats SMS-based 2FA if the attacker also has your password, which is difficult to accomplish if you are using good passwords that are unique.



I had to remove this detail from my original post as it was too long:

Boost Mobile is negligent and not following industry standards. Their whole security model is based on a 4-digit PIN. At first I thought somebody had a script working its way up through all the combinations at the login screen, but I no longer feel that is the case. The fact that at least nine of us had this same issue within days makes me think there is a widespread issue here.


I don't have a source to hand, but I've heard from other post-mortems that in SIM-jacking attacks the carrier has been socially engineered into not bothering with the PIN; ongoing court cases re: negligence are perhaps ongoing.


If they're able to issue a new SIM card without the system requiring them to enter the PIN first, then it's a very terribly designed system.


They have to be able to issue a new SIM card without a PIN in the case of a lost phone, though. In that case they should probably check government identification, of course, and not be available remotely.


I thought you needed the PIN if you wanted that, too? As in, if you lose your phone and don't have the PIN set up with your carrier, you've lost your number and can't restore it.


That would mean eventually there would be no phone numbers left for anyone.


No, that would mean they would eventually disconnect the service on that line for non-payment and give that number to a new subscriber.


The "industry standard" is that SIM-swapping is not difficult. Arvind Narayanan's group at Princeton demonstrated this pretty convincingly. This isn't unique to Boost.


Does Coinbase really allow account recovery with just an SMS? It seems to me like the attacker must have had more than just control over your SMS number.


Yeah the attacker now also has email control.


Maybe it would make it more clear that this was not a 2FA attack.

It might be confusing, but that was an account recovery attack.

For account recovery there is no "password", as the thieves just made their own password while holding your phone number.

So a phone number as a password recovery option is not secure without any additional checks. Not 2FA, because with this attack there was no second factor.


Remember that there's also the traditional way of pulling this off, which is to pay someone at the phone company to do things in their support system for them.


With just a SIM swap, isn't it possible for an attacker to reset the password on your main email account (e.g. gmail) via the phone, then from there reset the password on your money account through the stolen email?
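The chaining question above (SIM swap, then email reset, then the money account) is the kind of thing that is easiest to see as a reachability problem over recovery links. The block below is an added illustration, not code from any commenter or from Coinbase, Boost or Gmail; the account names, the recovery alternatives and the "hardened" variant are constructed assumptions chosen to mirror the thread, not any provider's real policy. It takes each account's list of alternative unlock conditions and computes which accounts fall, in order, once an attacker starts with only a ported SIM.

```python
"""Attack-path reachability over account recovery links (added example).

Model: each account maps to a list of alternatives; an alternative is a tuple
of capabilities the attacker must hold at the same time. The account falls as
soon as ANY ONE alternative is fully held. Account and capability names are
constructed for illustration and do not describe any real provider's policy.
"""

# Constructed scenario matching the thread: SMS-only recovery on the mailbox,
# and an exchange that lets a password be reset from the mailbox alone.
WEAK_PATHS = {
    "carrier_number": [("sim_swap",)],                   # number follows the SIM
    "email":          [("carrier_number",)],             # SMS-only password reset
    "exchange":       [("password", "carrier_number"),   # normal login with SMS 2FA
                       ("email",)],                      # recovery: reset from mailbox
    "bank":           [("password", "email")],           # needs a real second secret
}

# Same accounts, but recovery on the mailbox also needs an offline backup code,
# and exchange recovery needs identity verification (constructed assumption).
HARDENED_PATHS = {
    "carrier_number": [("sim_swap",)],
    "email":          [("carrier_number", "backup_code")],
    "exchange":       [("password", "carrier_number"),
                       ("email", "id_verification")],
    "bank":           [("password", "email")],
}


def takeover_chain(paths, starting_capabilities):
    """Return {account: alternative that unlocked it} in the order accounts fall.

    Runs to a fixed point: every account that is not yet held is re-checked
    after each new capture, so multi-hop chains (SIM -> email -> exchange) are
    found without the caller spelling out the order.
    """
    held = set(starting_capabilities)
    chain = {}
    progress = True
    while progress:
        progress = False
        for account, alternatives in paths.items():
            if account in held:
                continue
            for alt in alternatives:
                if all(req in held for req in alt):
                    held.add(account)
                    chain[account] = alt
                    progress = True
                    break  # first satisfied alternative is enough
    return chain


if __name__ == "__main__":
    for label, paths in (("weak", WEAK_PATHS), ("hardened", HARDENED_PATHS)):
        print(label, "-> attacker with only a SIM swap takes:",
              list(takeover_chain(paths, {"sim_swap"})))
```

Under the weak model the attacker who starts with nothing but the ported number ends up with the mailbox and the exchange account without ever learning a password, which is the point made earlier in the thread: the SMS path is acting as a single factor, not a second one. The bank survives only because its alternative still requires a secret the attacker never obtains. Under the hardened model the same attacker gets no further than the phone number itself.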





