Listen to a SIM-Jacking, Account-Stealing Ransom

(motherboard.vice.com)

167 points | by petethomas 62 days ago

10 comments

  • themagician 62 days ago

    This is something that really worries me. I use token based 2FA when I can but the reality is that I have like 50 accounts with 2FA and I forget which ones have SMS as a backup. I'm sure there's an account in there somewhere that's at risk. I have AT&T and use the extra security PIN code, but I know it's not 100% guaranteed. The other day I got a robocall asking for my PIN and last four of my social. I didn't do it, but just knowing my number was on that list worried me. I called AT&T and asked them to put a note in my account that said not to allow my phone number to be transferred to another SIM. They said they did it, but again I don't know how effective that is.

    I understand why they make it possible to move a number to a new SIM, but I really wish you had an option to force a notification and delay the transfer for a number of days. Even a three day delay would be enough. You'd put in the request and they'd send a notification via SMS/call and email, and then the transfer wouldn't happen for 72 hours.

    I would gladly deal with the potential inconvenience of not having access to my phone for a few days if it meant that it would make it harder to transfer my number to a different SIM. I don't think this should be mandatory, but I'd like the option.

    It's just WAY too easy to call a cell provider and have them transfer your number to a new SIM and all the security measures that they use are easily defeated. Once you have someone's social security number you can spend 99¢ on a public records dump and get enough information to convince just about any customer service person to do whatever you want.

    • phire 61 days ago

      I talked to my cell phone provider and asked them if there was anything they could do to prevent transferring of my number.

      They said the best they could do was to add a note to my file to check ID in store before transferring.

      This is better than nothing, but relies on the CS representative actually seeing the note on my file. Even then, there might be ways around it.

      And more importantly, it does nothing to stop someone asking another provider to port my number to them. Apparently inter-provider ports are all automated and there is nothing anyone could do to stop it.

      • narrator 61 days ago

        Running it through google voice will make it subject to your google 2fa.

        • davchana 61 days ago

          Could you please elaborate about the Google thing you mentioned? I am interested in making my AT&T SIM more secure.

          • zimbatm 61 days ago

            It replaces the SMS 2FA with a Google prompt app on the phone for Gmail verification.

            So it doesn't make the SIM more secure, but if the SIM gets hacked it doesn't allow the attacker to gain access to Gmail.

            • narrator 61 days ago

              Also if your public SMS reset number is in google voice, a hacker can't port it off of Google easily because you need to log into your google account to port it, which requires 2fa. They have to figure out your real number, but you never give that out to anyone or you just use google hangouts SMS instead of forwarding text messages to your insecure phone.

        • im3w1l 61 days ago

          > Apparently inter-provider ports are all automated and there is nothing anyone could do to stop it.

          "Phone number" is truly the most dysfunctional social network.

        • snuxoll 62 days ago

          T-Mobile has put in place some protections to prevent unauthorized transfers of your account to new SIM cards; I just had to deal with them last night, actually. Swapping SIM cards for a line must either be done in-store where your photo ID can be verified, or over the phone but only after confirmation of an OTP sent to account managers via SMS.

          I know T-Mobile actually had some issues with this in the past, so even though I miss the convenience of going to t-mobile.com/sim to swap a card out I feel it's a much better solution security-wise.

          • notyourday 62 days ago

            The lack of security of cell phone providers is absolutely infuriating considering the sheer number of people who are paid $20/h that have the ability to see and manipulate records at the likes of AT&T, Sprint, TMO and VZ, not to mention those who work for resellers like BestBuy that are authorized to make activation and porting related changes.

            It reminds me of MJR confidently stating that the maximum cost of gaining access to any secure network is min:

            1) A yearly salary of the lowest paid employee who has access (i.e. someone's secretary)

            2) A price of a Desert Eagle

            • wikibob 61 days ago

              Ah just FYI the pay is around $10-$11 an hour.

            • eksemplar 61 days ago

              In my country you can’t transfer your sim or number without signing the transaction with our national two-factor digital identity that is provided by the government.

              You also need to supply your secret social security number in a safe validation form.

              So to me it’s much safer than a token auth that I’ll accidentally wipe whenever I buy a new phone. At least Authy allows SMS restore.

              • Liquix 62 days ago

                There definitely needs to be more stringent protocols in place for transferring numbers, but I have to disagree with the 72-hour delay idea - it may hamstring those who are porting numbers for legitimate reasons.

                For example, I lost my phone on a Thursday a couple months ago and desperately needed it for work the following week. Ordered a replacement phone as well as SIM with express shipping. Received both over the weekend, called the provider to port from the lost SIM to the new one, and was able to work on Monday.

                Having an unavoidable X-hour long delay before the port went through would've been awful. I'm sure there's another way to accomplish the same goal - perhaps requiring more info than just account number / PIN / password, implementing physical ID verification, etc.

                • cj 62 days ago

                  > Having an unavoidable X-hour long delay before the port went through would've been awful

                  What if that "unavoidable X-hour long delay" prevented your 2-FA codes from being compromised during a targeted attack?

                  To be fair, very few people are individually targeted in these types of attacks (statistically).

                  It would be great to have a 72-hour delay on transfer if it were on an opt-in basis.

                  (Side note: has anyone tried to disable web access to text messages on a Verizon line?)

                  • themagician 62 days ago

                    That's why I said it should be optional. A lot of people wouldn't want this. Some would. I definitely would.

                    For me the potential delay in the event of a lost/stolen/upgraded device is well worth it when the flip side is the potential nightmare resulting from the damage done if the person gets into an important account.

                    It seems to me like requiring some secondary form of authentication can always be bypassed at the discretion of the agent helping you because there will always be a possibility that the customer lost/can't remember the secondary key or ID.

                    Although, now that I think about it… UPS does something interesting to verify your account. They ask you to input a unique set of numbers that appear on your last invoice to link your account and verify your ID. Not foolproof by any means, but it's enforced for every authentication by design. Definitely more secure than the current PIN.

                • exabrial 62 days ago

                  Dear everyone at Apple, Facebook, Google, etc. Please stop and remove the ability to use texting as 2FA. The mobile telecom industry is not hardened.

                  • mikeash 62 days ago

                    2FA over SMS is fine. It’s not the most secure thing, but it’s an improvement over just having a password.

                    The problem is when people forget the “2” part and allow SMS to be a substitute for having the password. That should never be done.

                    The related problem is that, as a user, it’s hard to tell when some service wants your number for proper 2FA, or when they want it as a separate authentication mechanism they just happen to call “2FA.”

                    • ilikepi 62 days ago

                      > ...it’s hard to tell when some service wants your number for proper 2FA, or when they want it as a separate authentication mechanism they just happen to call “2FA.”

                      ...or when they want it to be able to call or text you with other BS entirely. I hesitate to give my cell number to any company. I have a separate number (formerly a landline, now strictly a voicemail box) that I use specifically for companies.

                      I gave my cell number to a new dentist recently, thinking "medical office, probably important they be able to reach me." That turned out to be a mistake. They subscribed me to an automated appointment confirmation service, and they also send me a text (from a different number than the confirmation service) after I finish a visit to solicit reviews. This is exactly why I hate giving it out.

                      • hnaccy 62 days ago

                        Just today Google prevented me from logging in with the correct password and asked for a phone number as additional verification. Any phone number.

                        The account has no associated number so it's not a verification at all!

                        • cataflam 62 days ago

                          That's not for your benefit, that's for them to verify you're a human / not a spammer / collect information (at least that seems like the most reasonable explanation to me).

                        • floatboth 62 days ago

                          The "best" part is password recovery — where SMS is typically the "second factor" to a completely insecure "secure question"

                          • Terr_ 62 days ago

                            It frustrates me how almost every company's "secure question" system is utterly retarded and recklessly dangerous.

                            1. They draw from fixed unimaginative pools of often-overlapping questions, so that a breach in one company compromises you on multiple others.

                            2. Unlike a password, the actual secret question is often plaintext.

                            If I had to design a replacement... The user would always be allowed to define custom questions, all questions could be assigned multiple synonymous correct answers (e.g. "Dr. Smith", "Doctor Smith"), and they all go through a one-way hash with salt.
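An added example (not from the thread) of the replacement Terr_ sketches: user-defined question text, several accepted answers per question, each stored as a salted one-way hash and compared in constant time. The answer normalisation step and the PBKDF2 work factor are my own assumptions, not part of the comment's design.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed work factor; tune for the server, not taken from the thread.
PBKDF2_ITERATIONS = 200_000


def normalize(answer: str) -> str:
    """Canonicalise an answer so trivial variations (case, punctuation,
    whitespace) still match. This is an addition to the comment's design;
    true synonyms ("Dr. Smith" vs "Doctor Smith") are still handled by
    storing several accepted answers rather than by guessing."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation: "Dr." -> "dr"
    return " ".join(text.split())         # collapse runs of whitespace


@dataclass
class HashedAnswer:
    salt: bytes     # per-answer random salt
    digest: bytes   # PBKDF2-HMAC-SHA256 of the normalised answer


@dataclass
class SecurityQuestion:
    question: str                                   # user-chosen text, not secret
    answers: List[HashedAnswer] = field(default_factory=list)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> HashedAnswer:
    """Salted one-way hash of a normalised answer. A fresh salt is drawn
    unless one is supplied for verification against a stored record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return HashedAnswer(salt, digest)


def create_question(question: str, accepted_answers: List[str]) -> SecurityQuestion:
    """Register a custom question with one or more synonymous correct answers.
    Only the hashes are retained; the plaintext answers are never stored."""
    if not question.strip():
        raise ValueError("question text must not be empty")
    if not accepted_answers or any(not normalize(a) for a in accepted_answers):
        raise ValueError("at least one non-empty accepted answer is required")
    return SecurityQuestion(question, [hash_answer(a) for a in accepted_answers])


def verify_answer(q: SecurityQuestion, candidate: str) -> bool:
    """Check a candidate against every stored answer. Every stored hash is
    evaluated (no early return) and each comparison is constant-time, so the
    response time does not reveal which stored answer, if any, matched."""
    matched = False
    for stored in q.answers:
        attempt = hash_answer(candidate, stored.salt).digest
        matched |= hmac.compare_digest(attempt, stored.digest)
    return matched


if __name__ == "__main__":
    # Constructed sample: the synonym pair from the comment above.
    q = create_question("Who was my first doctor?", ["Dr. Smith", "Doctor Smith"])
    print(verify_answer(q, "doctor smith"), verify_answer(q, "Dr. Jones"))
```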

                            • palunon 62 days ago

                              You have no obligation to answer the secure questions truthfully, or not to write a long random string of text... Starting with "Do not accept the answer if I can't spell this exactly" in case a human gets involved...

                              • jandrese 61 days ago

                                Of course you'll be SOL if you legitimately lose your password and the answers to those questions.

                                • psergeant 61 days ago

                                  Sounds like a good reason to use a password manager and good backups to store them?

                            • z3t4 62 days ago

                              If you register your phone number, your password basically becomes useless, as someone can remotely (from another country even) steal your phone number and then reset your password.

                              • mulmen 62 days ago

                                That would be one factor, no?

                                • z3t4 61 days ago

                                  I mean if SMS is not just used as a second factor, but also used for password reset/override, it basically becomes one factor. So yes.

                            • chris_mc 62 days ago

                              Google has a new account setting called Advanced Protection. All it accepts is two hardware U2F keys (primary and backup) and your password. It supposedly makes your Google account pretty hardened. The only issue is that you can only use Chrome with U2F keys right now because Firefox U2F isn't fully baked yet.

                              I'm using it with the Titan keys (they're not my favorite, but work) and it works pretty well. I can't do as much 3rd party stuff, but I only keep my Google account (right now) for my old email address that's already forwarded to my new email address, Google Music, and Google Pay, so that doesn't affect me much. If you use a lot of 3rd party apps or get your mail via IMAP and the like, it's going to be more difficult.

                              A weird thing is that Google doesn't seem to allow for U2F key use without Advanced Protection turned on, which is puzzling to me.

                              • cmg 61 days ago

                                For what it's worth, I use a U2F key regularly with Firefox. Just enable the security.webauth.u2f flag under about:config. I realize that's not a good solution for everyone, but if you're just looking to do it for yourself it works.

                                • chris_mc 61 days ago

                                  You know, I figured out what the problem was and it works now. I had set up FF Sync on a PC that didn't have U2F turned on yet.

                                • crazysim 62 days ago

                                  Weird, I have U2F keys in my non-Advanced Protection account.

                                  • chris_mc 61 days ago

                                    Maybe I was looking in the wrong place, good to know, thanks.

                                • walrus01 61 days ago

                                  > The mobile telecom industry is not hardened.

                                  The PSTN and phone system telecom industry in general is not hardened. The more you see the underpinnings of it, as I have, the more it looks like a bunch of 30-year-old bullshit held together with the technological equivalent of duct tape and twine.

                                  SS7 needs to be burnt to the ground, the ashes stomped around on a bit, and shoveled into a dustbin.

                                  • toomuchtodo 61 days ago

                                    > The more you see the underpinnings of it, as I have, the more it looks like a bunch of 30-year-old bullshit held together with the technological equivalent of duct tape and twine.

                                    This happens to every system eventually if it lives long enough.

                                    • walrus01 61 days ago

                                      My biggest takeaway from it is that many things standardized before a certain era are based entirely on two concepts of operations:

                                      a) only a certain elite group of people or companies will be able to use it (in this case, PSTN operators)

                                      b) total trust between all parties using it, so there's no need for provably-hardened cryptography.

                                      Both of which are now laughable in a modern network security threat environment.

                                      In this case SS7 was just never designed with the concept that malicious third parties might get access to it, or that it would not be operated by RBOCs (regional bell operating companies), or the international equivalent thereof (national run telcos such as British Telecom, Telecom Italia, etc).

                                  • clydesdale 62 days ago

                                    You know pre-paid burner phones are a reasonable option to harden security at your own pace, right?

                                    No one is forcing you to use the same number for everything. And don't complain that it's just too expensive and unrealistic to maintain more than one phone number, because that is simply untrue.

                                    Yes, I am aware of NIST's guidelines, regarding SMS as a layer of multi-factor authentication [0]. Those guidelines are for large organizations that dictate user behavior in a top-down hierarchy. Individual security profiles are much more flexible, and don't require the same degree of adherence to recommended practices.

                                    [0] https://pages.nist.gov/800-63-3/sp800-63b.html

                                    • sgwae 62 days ago

                                      Seems like a pretty wasteful solution if everyone maintains a secondary burner phone for login. But it works for the short term, though I would worry about fees and inactivity cancellations.

                                    • devwastaken 62 days ago

                                      Or, allow it, and inform them there's a safer method called Google Authenticator. Authenticators make your logins dependent upon 3rd party software, and are only as secure as that single source of failure is.

                                      • shittyadmin 62 days ago

                                        There are many 2FA apps compatible with the TOTP and HOTP standards, and they rarely, if ever, require an update.

                                        Absolutely minimal 3rd party involvement, I'd say less than most web browsers these days as there really isn't a significant attack surface for the apps.

                                      • joewee 62 days ago

                                        Many of these services, I believe Google is one, still require a mobile phone as a fallback option.

                                        • nobodyshere 62 days ago

                                          Google requires at least 2 ways of 2fa protection. You can enable a third one and disable the phone completely.

                                          • seppin 62 days ago

                                            Paypal, an actual bank, still only allows SMS 2fa. It's stupid.

                                            • Avamander 62 days ago

                                              Wrong. TOTP is supported, although hidden.

                                              • jdeibele 62 days ago

                                                https://www.paypal-community.com/t5/Tips-from-Moderators/Pay...

                                                It uses Verisign's VIP app instead of Google Authenticator (or Authy or whatever).

                                                • Avamander 61 days ago

                                                  You can use any TOTP app.

                                                • seppin 55 days ago

                                                  It's not hidden, it's de facto disabled for 99% of users. Fix this, Paypal.

                                                  • npunt 62 days ago

                                                    According to some threads I've read it doesn't work in all circumstances.

                                                    Personally I wouldn't risk it since it could mean risking getting locked out of your account.

                                                    • Avamander 61 days ago

                                                      I've been using it for a few years now and I haven't encountered a place where I couldn't use it. It might force you to enter the TOTP code at the end of your password though, but it works.

                                            • sschueller 62 days ago

                                              I think it depends on the mobile provider and country.

                                              Most of these attacks are social engineering.

                                              • wcoenen 62 days ago

                                                For paypal, texting is even the only 2FA option for non-US citizens. Baffling.

                                                • awakeasleep 62 days ago

                                                  You can use a symantec hardware token.

                                                  Paypal’s ceo is head of symantec’s board. Paypal must use symantec software wherever it is available, and their mfa is no exception.

                                                  This is still baffling as you say though, because symantecs mfa system does allow for other mechanisms.

                                                  • Avamander 62 days ago

                                                    Paypal's Symantec HW token can be replaced with a TOTP app.

                                                    • wcoenen 59 days ago

                                                      I can't. It only seems to be available for US citizens.

                                                • baybal2 62 days ago

                                                  One does not even need to bribe or defraud telecom employees, the biggest gaping hole is the fact that roaming requests are insecure, and SMSes are plaintexted.

                                                  On "certain Russian forums" the talk is that this was how British MPs were deprived of their email mailboxes in 2016. Somebody dug up their IMSIs from leaks and public DBs, and sent roaming requests through Megafon, Russia's biggest telco.

                                                  • droopybuns 62 days ago

                                                    I doubt that was necessary. Many of the telcos use atrocious PIN security for voicemails, and they fail to prevent spoofed calls to their voicemail servers. Makes for a bad combination.

                                                    SS7 hacking to achieve that end would be a higher barrier to entry and more likely to get caught.

                                                    • gammateam 62 days ago

                                                      > One does not even need to bribe or defraud telecom employees

                                                      wow, no proof of stake required, rating 1/5

                                                    • ghop02 62 days ago

                                                      2FA security aside, it really is remarkable how Jared was able to talk the hacker down. We seem to really undervalue those sorts of social skills. Jared's one conversation could have saved hundreds of thousands of dollars (for himself and others).

                                                      • notyourday 62 days ago

                                                        When a social engineer I meets a social engineer II the better social engineer gets the upper hand. In this case it was not the hacker.

                                                      • slivanes 62 days ago

                                                        I remember reading somewhere that Google Voice numbers cannot be ported - and are useful in having them set as your 2FA for email accounts etc. Is that still correct?

                                                        • Rjevski 62 days ago

                                                          For UK numbers I can also recommend these guys: https://www.aa.net.uk/telecoms.html

                                                          Their technical support is actual tech support, with tech guys that won't take any bullshit, especially if you have 2FA (TOTP-based) on your account.

                                                          The numbers are not recognised as VoIP and will work with every single service (I have yet to find one that will fail). I believe they are partnered with a local carrier that does some magic (call forwarding to some internal number?) so from the outside they look just like any other mobile number from that carrier.

                                                          (no affiliation besides being a satisfied customer for years)

                                                          • plantain 62 days ago

                                                            Except their text messages only appear to be processed every half hour or so... which makes it useless for 2FA most of the time (the only reason I went with them).

                                                            • Rjevski 62 days ago

                                                              Strange - I get their texts immediately.

                                                              Which numbers are you using? 07 ones or 020?

                                                              • plantain 61 days ago

                                                                07. Forwarded to email.

                                                          • majormajor 62 days ago

                                                            I ported one out last year, I had to make it portable from inside my Google Voice account (a quite poorly documented pain, actually), but that's still a much higher bar than your average cell carrier.

                                                            • ironcan 62 days ago

                                                              And since there is no google customer service, nobody can social engineer it out of you!

                                                              • cj 62 days ago

                                                                Google Voice is on track to be a core service in Gsuite, which has pretty impressive phone support in my experience.

                                                                • toast0 61 days ago

                                                                  I interacted with Google support (when it was called Google apps) for two things, the first one was I wanted to disable links in Gmail -- the support people couldn't understand what I wanted for about 30 minutes, then couldn't understand why I wanted it, then said it couldn't be done.

                                                                  I don't remember what the second one was, but it ended with the support person agreeing it was a problem, but suggesting I post to product forum.

                                                                  If that's amazing support, I'd rather rely on the normal channels: writing an angry blog post and posting it to HN, or suckering your smart friends into interviewing at Google and bribing them to fix your problems once they get there.

                                                              • markovbot 62 days ago

                                                                did you try to port it without marking it as portable in Google Voice? I would be interested to see if that flag actually matters.

                                                                • techsupporter 62 days ago

                                                                  I tried to port out in early 2017 without unlocking the number at GV and the receiving provider said the sending provider had rejected the port request.

                                                              • lotsofpulp 62 days ago

                                                                Bank of America does not or is not able to send 2FA SMS to Google Voice numbers.

                                                                • deanmoriarty 62 days ago

                                                                  That's not true, I have both my Bank Of America and Merrill Edge accounts protected with 2FA using my Google Voice number, and it's been working fine for at least a couple years (when I switched to that method), I use both of them weekly receiving their authentication text via GV and never had a problem.

                                                                  • lotsofpulp 62 days ago

                                                                    Interesting, I tried years ago and it didn't work, maybe it has changed. Good thing is BoA also emails 2FA codes, so don't need SMS anyway.

                                                                • gammateam 62 days ago

                                                                  I ported my Google Voice number to T-Mobile about 6 years ago, replacing my main number.

                                                                  Great decision, as I got to reset my social graph: no services would try to auto-connect me with everyone from high school and college that had data-dumped their contacts.

                                                                  10/10

                                                                  • deanmoriarty 62 days ago

                                                                    Is it worth it though? Now you can't fully rely on your phone number for 2FA; T-Mobile is one of the providers notoriously known for transferring numbers without asking for too much information.

                                                                    My daily number, not connected to any 2FA (for which I use Google Voice), is a T-Mobile one, and a couple years ago I bought a nano SIM to replace a larger SIM, and the call center operator transferred the number without me having to answer almost anything overly personal. I think they just asked for a PIN, which I'd obviously forgotten, and with some mild additional information it was reset right there. It was truly shocking; the old SIM just got disconnected from the network instantly.

                                                                    For 2FA via text, Google Voice is IMHO the only choice, by far.

                                                                    And for social graph implications, on your google account you can choose to not be discoverable to other people via your phone number, and that includes the Google Voice number since it's explicitly listed there (of course I assume it doesn't work the other way around, which seems to be the thing you are bothered by, I'm usually worried about being discovered by others than being shown a list of people I might know).

                                                                  • wlesieutre 62 days ago

                                                                    I've ported one back out, you have to sign into your account and allow it.

                                                                  • mherdeg 62 days ago

                                                                    The "OG account" stuff is fascinating. (See e.g. https://waypoint.vice.com/en_us/article/43ebpd/the-long-weir... for screenshots of the forum, or https://medium.com/@N/how-i-lost-my-50-000-twitter-username-... .)

                                                                    Also fascinating is that the only functional support channel is "write a blog post and hope a lot of people upvote it on a news aggregator".

                                                                    Two really interesting trends there.

                                                                    • 61 days ago

                                                                      [deleted]

                                                                    • jameslk 62 days ago

                                                                      This marketing entrepreneur talks down a ransom seeker with a heart-warming story AND manages to record it? Sounds a little too good to be true.

                                                                      • FeteCommuniste 62 days ago

                                                                        The accent of the "scammer" in the call is definitely not German.

                                                                        • socialist_coder 62 days ago

                                                                          Germany has a ton of immigrants, they don't all speak with German accents.

                                                                      • Exuma 61 days ago

                                                                        Can someone please point out what is the solution to bypass all these headaches? Can I get a separate phone account that is under a business entity or something (not a personal name)? Would that work?

                                                                        • walrus01 61 days ago

                                                                          For anyone who wants to know how easy it is to social engineer big-4 mobile phone carrier customer service people... I highly recommend reading Mitnick's "The Art of Deception" book on social engineering in general.

                                                                          • aviv 62 days ago

                                                                            Taking over the SMS functionality of any phone number in the US is trivial and can be done in 2 minutes. The phone will continue to operate as normal and the victim will likely take a while to notice anything is wrong. Never ever use SMS to secure anything.

                                                                            • yborg 62 days ago

                                                                              >can be done in 2 minutes

                                                                              Citation needed. Extra credit for WikiHow step by step with badly drawn art.

                                                                              • noselasd 62 days ago

                                                                                Trivial if you have access to an SS7 network that has a direct access or a roaming agreement with the network of the victim, and the proper tools to do that. But you will not manage to do it within 2 minutes if you have.

                                                                                • aviv 61 days ago

                                                                                  You are thinking about it from the wrong angle. Even less than 2 minutes.