The FCC says new rules will curb SIM swapping. I’m pessimistic

Frodo Douchebaggins

Ars Tribunus Angusticlavius
7,725
Subscriptor
Nothing will change if the carriers are choosing the method. If you must use a phone number for SMS 2FA use a VOIP service like Google Voice since that's ironically easier to control and secure.

Really what we need is for companies (banks are the worst offenders IMO) to stop using SMS based 2fa in the first place, because while it's better than nothing, it's about the worst 2fa there is.
 
Upvote
117 (120 / -3)

Frodo Douchebaggins

Ars Tribunus Angusticlavius
7,725
Subscriptor
The real problem is that banks seem to be ones that use SMS almost exclusively. I have accounts at maybe a half dozen banks and I don't think a single one offers anything other than SMS 2FA.
Banks are consistently the goddamned worst about supporting good security practices.

They're also the ones most likely to block pasting into auth fields, which basically cockblocks using password managers and good, unique passwords. I fired my previous credit union over that one and made it very clear why, on the off chance they cared.
 
Upvote
180 (180 / 0)

Nilt

Ars Legatus Legionis
19,413
Subscriptor
The real problem is that banks seem to be ones that use SMS almost exclusively. I have accounts at maybe a half dozen banks and I don't think a single one offers anything other than SMS 2FA.
It's absolutely insane to me that my cell provider, T-Mobile, has support for a proper authenticator app while my bank does not.

Moreover, I have hundreds of IT consulting clients. While I don't see them all every single year, since their needs vary greatly, and while I don't assist all of them with banking stuff, I've had about half of them have enough trouble with their online banking to pay me to assist them over the years. I have yet to see a standard consumer bank that properly supports 2FA. It's asinine.
 
Upvote
73 (73 / 0)

starglider

Ars Scholae Palatinae
655
Subscriptor++
Banks are consistently the goddamned worst about supporting good security practices.

They're also the ones most likely to block pasting into auth fields, which basically cockblocks using password managers and good, unique passwords. I fired my previous credit union over that one and made it very clear why, on the off chance they cared.
I’ve had “dom.clipboard.events” disabled in FF for years, almost entirely because stupid banks do this with every field, including ones like wire and ACH instructions that are SAFER to paste from databases. Bank IT seems to think that inconvenience == security. It’s a really bizarre take, but it seems industry-wide.
 
Upvote
112 (112 / 0)

Hausdorff

Smack-Fu Master, in training
3
Subscriptor
They're also the ones most likely to block pasting into auth fields, which basically cockblocks using password managers and good, unique passwords.
StopTheMadness can bypass a lot of these blocks on Apple platforms. It is a paid solution though.

I never understood what the logic behind this blocking is. My county's real estate tax portal also blocks you from pasting in your bank account number. WHY???!! I sent them an email asking how this made sense, and the response was that they use a 3rd party payment plugin and don't have control over the code. Fair enough, but which moron thought that was a good idea?
 
Upvote
75 (75 / 0)

valkyriebiker

Ars Scholae Palatinae
1,373
Subscriptor
Nothing will change if the carriers are choosing the method. If you must use a phone number for SMS 2FA use a VOIP service like Google Voice since that's ironically easier to control and secure.

Really what we need is for companies (banks are the worst offenders IMO) to stop using SMS based 2fa in the first place, because while it's better than nothing, it's about the worst 2fa there is.
I insist it's decidedly not better than nothing. By hijacking the mobile number, a password reset becomes a cinch. But without SMS, that vulnerable attack vector doesn't work. I'd rather have my strong, unique password not be resettable via easy-to-compromise SMS 2FA. At least my carrier, Verizon Wireless, offers the PIN feature.

Give me TOTP at least. All my other 2FA-enabled accounts offer TOTP except my stupid bank even after much carping to their security team. But banks don't want to use TOTP because too many muggles can't safely manage the secrets and not lose them through stupidity or ignorance.
 
Upvote
41 (42 / -1)

Eurynom0s

Ars Tribunus Angusticlavius
7,060
Subscriptor++
Nothing will change if the carriers are choosing the method. If you must use a phone number for SMS 2FA use a VOIP service like Google Voice since that's ironically easier to control and secure.

Really what we need is for companies (banks are the worst offenders IMO) to stop using SMS based 2fa in the first place, because while it's better than nothing, it's about the worst 2fa there is.

I use Google Voice for SMS 2FA whenever I can, but a lot of companies will specifically not let you use a Google Voice number, saying it has to be a "real" phone number. More rarely, it'll take the Google Voice number but then the text messages just don't send/arrive until you switch to a "real" number.
 
Upvote
54 (54 / 0)

Eurynom0s

Ars Tribunus Angusticlavius
7,060
Subscriptor++
“We always ask them for their address and mother’s unmarried name. We believe this meets the standard for ‘secure authentication.’”

Even better is how the US federal government is the worst offender on using SSN alone to authenticate people. You constantly have to tell it to people if you deal with the DOD. While still maintaining the pretense that it's a secret number that you shouldn't tell people.
 
Upvote
39 (41 / -2)

DarthSlack

Ars Tribunus Angusticlavius
17,296
Subscriptor++
Even better is how the US federal government is the worst offender on using SSN alone to authenticate people. You constantly have to tell it to people if you deal with the DOD. While still maintaining the pretense that it's a secret number that you shouldn't tell people.

Then DoD is an outlier, I deal with the US Gov regularly and the only time my SSN has been asked for is for a security clearance. Cripes, for the websites we build we have to jump through a few million hoops if we want to ask people for their SSN.
 
Upvote
36 (36 / 0)

Frodo Douchebaggins

Ars Tribunus Angusticlavius
7,725
Subscriptor
Even better is how the US federal government is the worst offender on using SSN alone to authenticate people. You constantly have to tell it to people if you deal with the DOD. While still maintaining the pretense that it's a secret number that you shouldn't tell people.
I read once that the SSN was specifically never supposed to be used for any sort of personal identification outside of the social security system itself.

I could be accidentally spreading bullshit but it wouldn't surprise me if true.
 
Upvote
66 (67 / -1)

Frodo Douchebaggins

Ars Tribunus Angusticlavius
7,725
Subscriptor
I insist it's decidedly not better than nothing. By hijacking the mobile number, a password reset becomes a cinch. But without SMS, that vulnerable attack vector doesn't work. I'd rather have my strong, unique password not be resettable via easy-to-compromise SMS 2FA.

Valid point.


Give me TOTP at least. All my other 2FA-enabled accounts offer TOTP except my stupid bank even after much carping to their security team. But banks don't want to use TOTP because too many muggles can't safely manage the secrets and not lose them through stupidity or ignorance.

Yup. The most important day to day thing people need to protect has the worst protection.
 
Upvote
15 (15 / 0)

Sirambrose

Wise, Aged Ars Veteran
193
Subscriptor++
If the victim's SIM card is still in a phone that's turned on, wouldn't the carrier see that and refuse to transfer it?
Or the carrier could send a text message, app notification, or email asking for confirmation of the transfer. The confirmation could be bypassed if the phone was reported as lost through Apple or Google’s phone tracker service.
 
Upvote
3 (5 / -2)

Frodo Douchebaggins

Ars Tribunus Angusticlavius
7,725
Subscriptor
I use Google Voice for SMS 2FA whenever I can, but a lot of companies will specifically not let you use a Google Voice number, saying it has to be a "real" phone number. More rarely, it'll take the Google Voice number but then the text messages just don't send/arrive until you switch to a "real" number.
Yeah, I've seen that before but it's luckily been with companies that aren't majorly dangerous if there's a compromise. If my banks required my carrier number, I'd switch banks.
 
Upvote
4 (4 / 0)
The real problem is that banks seem to be ones that use SMS almost exclusively. I have accounts at maybe a half dozen banks and I don't think a single one offers anything other than SMS 2FA.
Small banks or big ones? That's crazy. All the banks I have accounts at (not twenty lol, we don't even have twenty different banks in the whole country!) offer some sort of OTP smartphone app, "secured" by a PIN or biometrics or both.

Sure, it's still not ideal, but at least you can opt out of the SMS "MFA" altogether, only allowing auth via the OTP app. Won't help against targeted phishing via impersonating links and such if you don't follow basic security of not clicking any bank links, but at least it works against a SIM swap.

[edit: hit the post button without finishing the post and some typos]
 
Upvote
9 (9 / 0)
The painful part is usually arguing with the retention team to get the port out code, but anyone that does these scams would be good at that.
The procedure for telcos here is outlined by law, and requires them to give you an OTP porting number on request. Which they won't without a national ID (which they did scan for the valid checksum last time I did that, but that obviously won't work without national IDs), or at least a passphrase told to the helpline or a valid login into the web app.

Some of which can still be circumvented, of course, but at least makes it a bit harder than just bullshitting and social engineering some overworked L1 tech support person on the line. They might still steal login credentials by MITM or phishing with false website links, though, and get your OTP porting number that way, but at least it removes the easiest way of doing so.

EDIT: And from my experience of porting a number or two here, the telcos also send you a text that "you" asked for the porting OTP and that your number will be ported per "your" request, so even if totally phished without any of your knowledge, you'd still get a warning on your phone before it stopped working altogether.
 
Upvote
6 (8 / -2)

PieDad

Smack-Fu Master, in training
33
If the victim's SIM card is still in a phone that's turned on, wouldn't the carrier see that and refuse to transfer it?
Part of the problem is that the employee that transfers the number to a new sim is in on it a lot of the time. Which is so incredibly shocking given their low pay and easy access to powerful administrative tools…/s
 
Upvote
22 (23 / -1)

Eurynom0s

Ars Tribunus Angusticlavius
7,060
Subscriptor++
I read once that the SSN was specifically never supposed to be used for any sort of personal identification outside of the social security system itself.

I could be accidentally spreading bullshit but it wouldn't surprise me if true.

What I recall is they specifically had to promise it wouldn't be used as an ID number to get the legislation passed. And when it was new people would get their SSN tattooed on their arm so they couldn't forget it.
 
Upvote
13 (13 / 0)

Frodo Douchebaggins

Ars Tribunus Angusticlavius
7,725
Subscriptor
What I recall is they specifically had to promise it wouldn't be used as an ID number to get the legislation passed. And when it was new people would get their SSN tattooed on their arm so they couldn't forget it.

Fortunately there are no negative historical connotations for ID numbers tattooed on arms.
 
Upvote
28 (31 / -3)

Frodo Douchebaggins

Ars Tribunus Angusticlavius
7,725
Subscriptor
SMS allows multiple devices and no issues when you get a new phone. I have yet to get an Authenticator to work on multiple devices and I dread getting a new phone.

Any competently built TOTP generator can run on multiple devices as long as you use the same seed.

I use 1password's built in generator and it works delightfully for machine accounts that are shared by multiple people at work, and across all devices.
 
Upvote
28 (28 / 0)

Eurynom0s

Ars Tribunus Angusticlavius
7,060
Subscriptor++
Fortunately there are no negative historical connotations for ID numbers tattooed on arms.

It was before the Holocaust. 🤷‍♂️

It just shows that the number was very much not considered secret, but really important to remember so you could get your benefits.
 
Upvote
19 (20 / -1)

Frodo Douchebaggins

Ars Tribunus Angusticlavius
7,725
Subscriptor
It was before the Holocaust. 🤷‍♂️

It just shows that the number was very much not considered secret, but really important to remember so you could get your benefits.
Huh, I'll be damned. For some reason I had it in my head that the social security program as we know it was a 50s thing but you're right.
 
Upvote
10 (11 / -1)

Lord Evermore

Ars Scholae Palatinae
613
Subscriptor++
Even better is how the US federal government is the worst offender on using SSN alone to authenticate people. You constantly have to tell it to people if you deal with the DOD. While still maintaining the pretense that it's a secret number that you shouldn't tell people.

And even better, it's actually illegal for a government agency to require the use of an SSN as an identifier for anything except Social Security services (it's in the name!), except in particular circumstances (like systems that are still in place that required it before 1975, when the law went into effect). But they never give you any other option on forms or tell you that you have that option, except, ironically, the IRS which can assign a different individual tax ID. And private companies are free to refuse to provide service if you won't give them that number along with other details that would let them impersonate you easily, which is bullshit.
 
Upvote
15 (15 / 0)

Lord Evermore

Ars Scholae Palatinae
613
Subscriptor++
Mint Mobile seems to have a solution to this. You have to wait on hold (phone or online chat) for two hours to get your transfer PIN to change providers. But then it's just the last 4 digits of your phone number (at least in my case).

Boost Mobile was a little less time, but they required that they call me back on my number to give more assurance that it was actually me.

Verizon made it accessible after logging into their portal, which seems most secure, if they were to require OTP.

A transfer PIN that can only be accessed by the app or portal, with OTP to even log in, seems most secure, particularly if Android/iOS began requiring a passcode for all devices so even a stolen one couldn't be used (although MFA apps generally require a code/password or biometric anyway). I'm of the strong opinion that at the root of it all should be a password or at least a PIN that is only in the user's head. That's the only true authentication AND authorization.
 
Upvote
9 (10 / -1)