This is something that really worries me. I use token based 2FA when I can but the reality is that I have like 50 accounts with 2FA and I forget which ones have SMS as a backup. I'm sure there's an account in there somewhere that's at risk. I have AT&T and use the extra security PIN code, but I know it's not 100% guaranteed. The other day I got a robocall asking for my PIN and last four of my social. I didn't do it, but just knowing my number was on that list worried me. I called AT&T and asked them to put a note in my account that said not to allow my phone number to be transferred to another SIM. They said they did it, but again I don't know how effective that is.
I understand why they make it possible to move a number to a new SIM, but I really wish you had an option to force a notification and delay the transfer for a number of days. Even a three day delay would be enough. You'd put in the request and they'd send a notification via SMS/call and email, and then the transfer wouldn't happen for 72 hours.
I would gladly deal with the potential inconvenience of not having access to my phone for a few days if it meant that it would make it harder to transfer my number to a different SIM. I don't think this should be mandatory, but I'd like the option.
It's just WAY too easy to call a cell provider and have them transfer your number to a new SIM and all the security measures that they use are easily defeated. Once you have someone's social security number you can spend 99¢ on a public records dump and get enough information to convince just about any customer service person to do whatever you want.
I talked to my cell phone provider and asked them if there was anything they could do to prevent transferring of my number.
They said the best they could do was to add a note to my file to check ID in store before transferring.
This is better than nothing, but relies on the CS representative actually seeing the note on my file. Even then, there might be ways around it.
And more importantly, it does nothing to stop someone asking another provider to port my number to them. Apparently inter-provider ports are all automated and there is nothing anyone could do to stop it.
Also if your public SMS reset number is in google voice, a hacker can't port it off of Google easily because you need to log into your google account to port it, which requires 2fa. They have to figure out your real number, but you never give that out to anyone or you just use google hangouts SMS instead of forwarding text messages to your insecure phone.
T-Mobile has put in place some protections to prevent unauthorized transfers of your account to new SIM cards, I just had to deal with them last night - actually. Swapping SIM cards for a line must either be done in-store where your photo ID can be verified, or over the phone but only after confirmation of an OTP sent to account managers via SMS.
I know T-Mobile actually had some issues with this in the past, so even though I miss the convenience of going to t-mobile.com/sim to swap a card out I feel it's a much better solution security-wise.
The lack of security of cell phone providers is absolutely infuriating considering the sheer number of people who are paid $20/h that have the ability to see and manipulate records at the likes of AT&T, Sprint, TMO and VZ, not to mention those who work for resellers like BestBuy that are authorized to make activation and porting related changes.
It reminds me of MJR confidently stating that the maximum cost of gaining access to any secure network is min:
1) A yearly salary of the lowest paid employee who has access (i.e. someone's secretary)
There definitely needs to be more stringent protocols in place for transferring numbers, but I have to disagree with the 72-hour delay idea - it may hamstring those who are porting numbers for legitimate reasons.
For example, I lost my phone on a Thursday a couple months ago and desperately needed it for work the following week. Ordered a replacement phone as well as SIM with express shipping. Received both over the weekend, called the provider to port from the lost SIM to the new one, and was able to work on Monday.
Having an unavoidable X-hour long delay before the port went through would've been awful. I'm sure there's another way to accomplish the same goal - perhaps requiring more info than just account number / PIN / password, implementing physical ID verification, etc.
That's why I said it should be optional. A lot of people wouldn't want this. Some would. I definitely would.
For me the potential delay in the event of a lost/stolen/upgraded device is well worth it when the flip side is the potential nightmare resulting from the damage done if the person gets into an important account.
It seems to me like requiring some secondary form of authentication can always be bypassed at the discretion of the agent helping you because there will always be a possibility that the customer lost/can't remember the secondary key or ID.
Although, now that I think about it… UPS does something interesting to verify your account. They ask you to input a unique set of numbers that appear on your last invoice to link your account and verify your ID. Not foolproof by any means, but it's enforced for every authentication by design. Definitely more secure than the current PIN.
2FA over SMS is fine. It’s not the most secure thing, but it’s an improvement over just having a password.
The problem is when people forget the “2” part and allow SMS to be a substitute for having the password. That should never be done.
The related problem is that, as a user, it’s hard to tell when some service wants your number for proper 2FA, or when they want it as a separate authentication mechanism they just happen to call “2FA.”
> ...it’s hard to tell when some service wants your number for proper 2FA, or when they want it as a separate authentication mechanism they just happen to call “2FA.”
...or when they want it to be able to call or text you with other BS entirely. I hesitate to give my cell number to any company. I have a separate number (formerly a landline, now strictly a voicemail box) that I use specifically for companies.
I gave my cell number to a new dentist recently, thinking "medical office, probably important they be able to reach me." That turned out to be a mistake. They subscribed me to an automated appointment confirmation service, and they also send me a text (from a different number than the confirmation service) after I finish a visit to solicit reviews. This is exactly why I hate giving it out.
It frustrates me how almost every company's "secure question" system is utterly retarded and recklessly dangerous.
1. They draw from fixed unimaginative pools of often-overlapping questions, so that a breach in one company compromises you on multiple others.
2. Unlike a password, the actual secret question is often plaintext.
If I had to design a replacement... The user would always be allowed to define custom questions, all questions could be assigned multiple synonymous correct answers (e.g. "Dr. Smith", "Doctor Smith"), and they all go through a one-way hash with salt.
You have no obligation to answer the secure questions truthfully, or not to write a long random string of text... Starting with "Do not accept the answer if I can't spell this exactly" in case a human gets involved...
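One way to implement the scheme the comment above sketches (user-defined question text, several accepted synonymous answers, each stored only as a salted one-way hash), as an added Python example that is not the commenter's code; the `SecurityQuestion` class, the scrypt parameters and the case/whitespace normalization are assumptions of this example:

```python
import hashlib
import hmac
import os
import unicodedata


def normalize(answer):
    """Canonicalize an answer so trivial variations still match.

    Unicode compatibility normalization, case folding and whitespace
    collapsing only; punctuation is left alone, so "Dr. Smith" and
    "Doctor Smith" stay distinct and must be listed as separate synonyms.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer, salt=b""):
    """Return (salt, digest) for one accepted answer using salted scrypt."""
    salt = salt or os.urandom(16)  # fresh random salt unless verifying
    digest = hashlib.scrypt(normalize(answer).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


class SecurityQuestion:
    """A custom question with one or more accepted answers.

    The question text is kept as given (it has to be shown to the user);
    the answers themselves are never stored, only salted scrypt digests.
    """

    def __init__(self, question, accepted_answers):
        if not accepted_answers:
            raise ValueError("at least one accepted answer is required")
        self.question = question
        # one independent random salt per synonym
        self._digests = [hash_answer(a) for a in accepted_answers]

    def verify(self, candidate):
        ok = False
        for salt, digest in self._digests:
            _, cand = hash_answer(candidate, salt)
            # constant-time compare, and keep looping over all synonyms
            # so timing does not reveal which one matched
            ok |= hmac.compare_digest(cand, digest)
        return ok


if __name__ == "__main__":
    # constructed sample: an orthodontist named Smith, two accepted spellings
    q = SecurityQuestion("Who was my first orthodontist?",
                         ["Dr. Smith", "Doctor Smith"])
    print(q.verify("doctor  SMITH"), q.verify("Smith"))
```

A long random string works as an answer exactly like a real one, since only its digest is kept.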
Google has a new account setting called Advanced Protection. All it accepts is two hardware U2F keys (primary and backup) and your password. It supposedly makes your Google account pretty hardened. The only issue is that you can only use Chrome with U2F keys right now because Firefox U2F isn't fully baked yet.
I'm using it with the Titan keys (they're not my favorite, but work) and it works pretty well. I can't do as much 3rd party stuff, but I only keep my Google account (right now) for my old email address that's already forwarded to my new email address, Google Music, and Google Pay, so that doesn't affect me much. If you use a lot of 3rd party apps or get your mail via IMAP and the like, it's going to be more difficult.
A weird thing is that Google doesn't seem to allow for U2F key use without Advanced Protection turned on, which is puzzling to me.
For what it's worth, I use a U2F key regularly with Firefox. Just enable the security.webauth.u2f flag under about:config. I realize that's not a good solution for everyone, but if you're just looking to do it for yourself it works.
The PSTN and phone system telecom industry in general is not hardened. The more you see the underpinnings of it, as I have, the more it looks like a bunch of 30-year-old bullshit held together with the technological equivalent of duct tape and twine.
SS7 needs to be burnt to the ground, the ashes stomped around on a bit, and shoveled into a dustbin.
My biggest takeaway from it is that many things standardized before a certain era are based entirely on two concepts of operations:
a) only a certain elite group of people or companies will be able to use it (in this case, PSTN operators)
b) total trust between all parties using it, so there's no need for provably-hardened cryptography.
both of which are now laughable in a modern network security threat environment.
In this case SS7 was just never designed with the concept that malicious third parties might get access to it, or that it would not be operated by RBOCs (regional bell operating companies), or the international equivalent thereof (national run telcos such as British Telecom, Telecom Italia, etc).
You know pre-paid burner phones are a reasonable option to harden security at your own pace, right?
No one is forcing you to use the same number for everything. And don't complain that it's just too expensive and unrealistic to maintain more than one phone number, because that is simply untrue.
Yes, I am aware of NIST's guidelines regarding SMS as a layer of multi-factor authentication. Those guidelines are for large organizations that dictate user behavior in a top-down hierarchy. Individual security profiles are much more flexible, and don't require the same degree of adherence to recommended practices.
Or, allow it, and inform them there's a safer method called Google Authenticator. Authenticators make your logins dependent upon 3rd party software, and are only as secure as that single source of failure is.
It always bugged me how Google Authenticator doesn't back up accounts "by design." I know it's more secure, but damn it's a major hassle if you use it for a lot of things and you need to get a new phone.
One does not even need to bribe or defraud telecom employees; the biggest gaping hole is the fact that roaming requests are insecure, and SMSes are in plaintext.
On "certain Russian forums" the talk is that this was how British MPs were deprived of their email mailboxes in 2016. Somebody dug up their IMSIs from leaks and public DBs, and sent roaming requests through Megafon, Russia's biggest telco.
2FA security aside, it really is remarkable how Jared was able to talk the hacker down. We seem to really undervalue those sorts of social skills. Jared's one conversation could have saved hundreds of thousands of dollars (for himself and others).
Their technical support is actual tech support, with tech guys that won't take any bullshit, especially if you have 2FA (TOTP-based) on your account.
The numbers are not recognised as VoIP and will work with every single service (I have yet to find one that will fail). I believe they are partnered with a local carrier that does some magic (call forwarding to some internal number?) so from the outside they look just like any other mobile number from that carrier.
(no affiliation besides being a satisfied customer for years)
I interacted with Google support (when it was called Google apps) for two things, the first one was I wanted to disable links in Gmail -- the support people couldn't understand what I wanted for about 30 minutes, then couldn't understand why I wanted it, then said it couldn't be done.
I don't remember what the second one was, but it ended with the support person agreeing it was a problem, but suggesting I post to product forum.
If that's amazing support, I'd rather rely on the normal channels: writing an angry blog post and posting it to HN, or suckering your smart friends into interviewing at Google and bribing them to fix your problems once they get there.
That's not true. I have both my Bank Of America and Merrill Edge accounts protected with 2FA using my Google Voice number, and it's been working fine for at least a couple years (when I switched to that method). I use both of them weekly, receiving their authentication text via GV, and have never had a problem.
Is it worth it though? Now you can't fully rely on your phone number for 2FA; T-Mobile is one of the providers notoriously known for transferring numbers without asking for too much information.
My daily number, not connected to any 2FA (for which I use Google Voice), is a T-Mobile one, and a couple years ago I bought a nano SIM to replace a larger SIM, and the call center operator transferred the number without me having to answer almost anything overly personal. I think they just asked for a PIN which I'd obviously forgotten, and with some mild additional information it was reset right there. It was truly shocking, the old SIM just got disconnected from the network instantly.
For 2FA via text, Google Voice is IMHO the only choice, by far.
And for social graph implications, on your google account you can choose to not be discoverable to other people via your phone number, and that includes the Google Voice number since it's explicitly listed there (of course I assume it doesn't work the other way around, which seems to be the thing you are bothered by, I'm usually worried about being discovered by others than being shown a list of people I might know).
For anyone who wants to know how easy it is to social engineer big-4 mobile phone carrier customer service people... I highly recommend reading Mitnick's "art of deception" book on social engineering in general.
Taking over the SMS functionality of any phone number in the US is trivial and can be done in 2 minutes. The phone will continue to operate as normal and the victim will likely take a while to notice anything is wrong. Never ever use SMS to secure anything.
Trivial if you have access to an SS7 network that has a direct access or a roaming agreement with the network of the victim, and the proper tools to do that. But you will not manage to do it within 2 minutes if you have.