Hackers Are Hijacking Phone Numbers and Breaking into Email, Bank Accounts

650 points| CarolineW | 8 years ago |forbes.com | reply

362 comments

[+] TaylorSwift|8 years ago|reply
This happened to me.

1. I believe it began with the hacker getting my DOB/SSN. 2. Called wireless provider, and the hacker forwarded all calls and texts to a burner phone. Eventually, the hacker ported my wireless phone to another provider/number (not sure which), and the phone registered to my provider did not work anymore. The landline phone was also forwarding calls to another number.* 3. Hacker gained access to email (as that email was also within the telco's site). At the beginning, the hacker did not reset the password. After I changed the email's password, the hacker was still gaining access to our emails and he/she eventually reset the email, blocking my access. (The reason was that all the texts and calls were forwarding to his/her burner phone, so he/she could reset the pass anytime.) 5. Requested 2FA from bank. 6. Gained access to bank account.

This was over the course of 3 months. It was a nightmare to resolve and paranoia still remains. The hacker later went on to open several bank accounts. Fortunately, this was discovered early. The entire situation was communicated to the FBI, local police, and bank institutions, but I do not think anyone cared.

*I saw two numbers that were being used within my wireless account site to forward the calls.

[+] adekok|8 years ago|reply
> The entire situation was communicated to the FBI, local police, and bank institutions, but I do not think anyone cared.

Why would they care? It happens dozens of times a day, and the criminals are out of their jurisdiction.

If only the police, FBI, politicians, etc. could go after the banks and telcos to improve their security. But no... they see it as their job to destroy security, in order to make you "safe".

[+] doktrin|8 years ago|reply
> 1. I believe it began with the hacker getting DOB/SSN

We [the US] dramatically over-rely on SSN. At least one upside to ubiquitous biometrics will be that we can start layering more authentication measures in an effective and consumer friendly way.

[+] lordvon|8 years ago|reply
It seems this was a popular hack at one time. I hope this no longer happens. Anyway it's great that you were able to "shake it off", so to speak.
[+] hourislate|8 years ago|reply
Yeah, identity theft is one of those crimes where the authorities don't really care. It can be quite lucrative for the folks carrying it out since there are no consequences.

The police are so overwhelmed and typically it is out of jurisdiction so their options are 0 to none to prosecute.

The only way to guard against it is to keep your footprint small and give as little info as required.

[+] chrisper|8 years ago|reply
So, how much money did you lose if any?
[+] 49531|8 years ago|reply
A few months ago I took 3 of my 4 kids to a birthday party at a minigolf course. I played some holes with my youngest, whom I had taken with me, and then left the two older ones at the birthday party with the understanding that their mother would pick them up (as we had discussed earlier).

After leaving the party with my youngest, I went to the grocery store, and then on home. When I got home my wife was gone, which I expected since she was picking up the older kids from the party.

Throughout this afternoon I had not been checking my phone in an attempt to be a bit less connected on the weekends.

About half an hour later my wife comes home totally freaked out and frazzled.

Apparently after I had left, someone went into a T-Mobile store and somehow convinced the associate that my number was theirs. I had received a couple of texts from T-Mobile with a PIN where the store associate had attempted to do something, but I was not aware of them until later.

Once this person had my number, they called my bank, reset my online password, and transferred all of our money from various accounts into one of my checking accounts. The bank then put a hold on everything (thank god).

My wife happened to have been paying bills online while this was happening, and saw it all go down. Her first thought was to call me, then when I didn't answer to call the mom throwing the birthday party.

Birthday party mom told my wife I had left, so my wife assumed that I and our 3-year-old were being mugged or something. The police were involved and she spent a good amount of time freaking out trying to find me.

All in all I had a pretty good afternoon :P

For real tho, it was a freaking mess. Took weeks to get our accounts safe, and we try to avoid using phone numbers for 2FA now.

[+] raisedbyninjas|8 years ago|reply
>someone went into a T-Mobile store and somehow convinced the associate that my number was theirs.

I had to regain access to an employee's phone a few months ago. T-Mobile gave me account control after I provided them a phone number that phone had dialed "recently". I am disappointed, but not shocked.

[+] xbmcuser|8 years ago|reply
In Singapore they give us a physical token. We have to enter the 2FA code we receive into it to receive a third code to enter into the website. Well, I guess it's 3FA. It is a bit of a hassle but better safe than sorry.

[+] kbart|8 years ago|reply
"Apparently after I had left, someone went into a T-Mobile store and somehow convinced the associate that my number was theirs."

How can that happen? When I visit my cell provider's store, nobody is going to talk about any account details until you have provided a government-issued ID to prove that you are the account holder. Sure, it's not a 100% bulletproof method, but if somebody went to great lengths to counterfeit my ID, my phone number is the least of my worries. I assume this happened in the USA, so is an ID check so unpopular there, or is it easily circumvented somehow?

[+] csomar|8 years ago|reply
> someone went into a T-Mobile store and somehow convinced the associate that my number was theirs.

The fact that the T-Mobile employees can get hold of your mobile phone number is disturbing and a red flag for using your phone number for sensitive stuff (such as money). You should always assume malice from unknown actors.

[+] dhfhduk|8 years ago|reply
Without meaning to pick on T-Mobile, the stories I'm hearing here, including yours, lead me to believe that T-Mobile is liable for damages. As in, they didn't take reasonable precautions to safeguard your account, and you suffered financial damages as a result.

I am generally of the philosophy that you should trust no one to do the right thing, but these cases seem to be overlooking the obvious that the phone companies are fucking up on security.

[+] pascalxus|8 years ago|reply
So, I've read the article a couple of times; it's pretty long. For those of you looking to get the most bang for your buck, I think the following advice is golden:

1. Do NOT secure your sensitive accounts (facebook, primary email, bank accounts, twitter, etc) with your telco phone #. Telco Phone number is NOT secure!

"Create a brand new Gmail email account. Do not connect it to any of your existing email accounts. (When signing up for a new Gmail, you don’t need to enter a phone number or current email, although there are fields for you to do so. Leave them blank.) Once you’ve created the new island-unto-itself email address, create a new Google Voice number." Use this Google Voice # to secure your primary accounts, and don't have your telco # listed in any of those accounts.

But, make sure your New Gmail account is super secure, with a security key, as mentioned in the article.

2. Check the password recovery methods for all your sensitive accounts and make sure the answers aren't duplicated from any other site. Actually, it's best to remove them, if you can.

If any security experts want to chime in, please do.

[+] ghouse|8 years ago|reply
While SMS for 2FA is _a_ problem, it's not _this_ problem. Using SMS for _account recovery_ circumvents 2FA and circumvents strong passwords.

[+] devuo|8 years ago|reply
Last year when I upgraded my phone I was amused — but mostly horrified — by how easily one could get a SIM card for my own phone number with less than a modicum of information on me.

As I needed to upgrade my Micro SIM to a Nano SIM, I went to one of my provider's shops and asked for a Nano SIM for phone number X. I was then asked to verbally confirm my name and address, and that's it. No ID card confirmation, no nothing. "Here you go sir, your new SIM card will be active within a few minutes. Can I help you with anything else?" What. The.

[+] noobermin|8 years ago|reply
NIST has already been discouraging the use of SMS for 2FA[0], but that apparently won't stop the subset of incompetent IPSec consultants who still recommend SMS-based 2FA.

[0] www.slate.com/blogs/future_tense/2016/07/26/nist_proposes_moving_away_from_sms_based_two_factor_authentication.html

[+] yladiz|8 years ago|reply
Can anyone recommend a US based bank (or a bank that accepts US customers) that 1) has either a 2FA token for phone e.g. with Google Authenticator, a hardware token, or some kind of other token based factor; and 2) has strong security when calling? I generally don't need a physical presence.

My current two banks don't have direct 2FA enabled. As far as I remember, the questions available to one of my banks (credit union) are simple enough that you could probably find out the answers by doing a public info search somewhere, and the other bank (Chase) has SMS 2FA, but outside of that it's just public database questions (I know this because I had my card number stolen recently, I currently don't have access to my phone as I'm out of the country, and they asked me a few different questions from a public database, like whether I had ever lived at ABC Dr., do you know this person, and what is their full name, etc.). I'd much rather be able to give the banks some kind of information that they are required to verify before they can access my account, like a verbal passphrase, but I don't think that's possible (as in, I wouldn't be able to access my account over the phone without the passphrase).

[+] Keverw|8 years ago|reply
It's insane how much easier it is to transfer a phone number than a domain name.

I also find it odd that Facebook and other sites will let you sign up solely with a phone number. There are prepaid cell phone providers that recycle phone numbers, etc. It just seems so stupid to rely on a phone number for authentication alone, but as a second factor I'm okay with it, since you still need to know the password. Twitter has a developer product where you can be texted a code to log in using only a phone number, which to me just seems wrong to do.

It'd be nice if, when someone tries to port a number, change important info, etc., they had to actually call you or text you first to confirm. But one of the problems is people will lose their phones and need a new SIM or phone... For that I think I'd require actually visiting the store, but that doesn't work too well with prepaid phone providers without physical stores, who sell via other stores like Walmart, Target, etc. Maybe in that case, without nearby stores, partner with your retailers to verify ID or fax an ID in.

[+] dheera|8 years ago|reply
I wish we could kill phone numbers once and for all. They're insecure, device-dependent, carrier-dependent, country-dependent, subject to snooping and censorship, and all of these are recipes for disaster in an authentication scheme, especially in the event that a device gets stolen. Phone calls and text messages should emphatically NEVER be used to verify anything.

Conversation with one of my banks the other day:

Them: Can we please verify a code sent to your phone number?

Me: Umm, sure, although that won't verify anything. Use something else to verify that it's me.

Them: Can you please verify your phone number?

Me: Umm, I don't know what phone number I used with you? Try XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, and XXX-XXX-XXXX? They all belong to me depending on where I am.

Them: Can we use XXX-XXX-XXXX? Do you have this phone with you right now so we can send a text message with a verification code?

Me: Send your insecure SMS to any of my numbers. They all go to my e-mail inbox. [I don't need to have my "phone" with me -- my "phones" are virtual.]

[+] blhack|8 years ago|reply
Is it really necessary or helpful to be rude to the poor CSR who is just trying to do their job?

They didn't make this policy, and I'm sure they think it's just as stupid as you do.

[+] lostmsu|8 years ago|reply
While the conversation is probably not a good example of anything, I agree with the main statement: phone numbers must die. They are insecure, unremarkable remnants of an outdated system.

[+] godzillabrennus|8 years ago|reply
I owned a hosted PBX company from 2007-2011 and was amazed at how antiquated the port request system truly is.

The problem is that the phone company owns your phone number and you just get access as part of a service. Unlike a domain name where you own it.

If we change the law we'd bring more accountability.

[+] Klathmon|8 years ago|reply
To be fair, you really don't own a domain. You still rely on the TLD honoring your purchase and not handing it over to someone else, in the same way you rely on the phone company to treat your number as yours.

[+] gerdesj|8 years ago|reply
"was amazed with how antiquated the port request system truly is"

Absolutely. In the UK, I could easily port someone's, or many someones', landline number and slap a trunk on it. Sadly though I would also end up paying the bill for it. However, it's much easier to simply fake your outbound CLID to show the call centre you are the mark.

I have no numbers for this but I'll bet that CLID is used by banks etc as part of the security checks for your identity.

[+] matt_wulfeck|8 years ago|reply
In this case it's better for us all to move away from centralized numbers, not simply regulate them better.

There are many better and more secure options for communicating these days.

[+] flurdy|8 years ago|reply
So 2FA reset via SMS is bad, which I agree with, but what are the alternatives to prevent a meltdown when your 2FA device dies?

I have had two phones die on me that were my 2FA device, plus OS upgrades, so I have gone through resetting 10-20 2FA accounts a few times. Though with upgrades I usually foresaw that and downgraded my 2FA beforehand.

All I wish for is that resetting 2FA would be a very, very slow step-by-step process, spammingly broadcast to all emails, SMS numbers, postal addresses, etc. associated with the account. But I know that for cost-cutting customer service departments that won't happen.

[+] laurencei|8 years ago|reply
Most major providers like GitHub, Google etc allow you to create "recovery" codes - so you can do a one-off login without 2FA using the code.

I've started getting a recovery code for each of my major accounts, printing it out, then literally putting it in a safe.
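Added example (not code from any commenter or provider): a minimal server-side model of the one-time recovery codes described above. The codes are generated with a CSPRNG, only salted hashes are stored, comparison is constant-time, and each code is removed on first successful use so a leaked or re-submitted code cannot be replayed. The class and function names are my own assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Alphabet without visually ambiguous characters (0/O, 1/l/I), so a code
# printed and kept in a safe can be typed back in reliably.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_codes(n=10, length=10):
    """Return n fresh recovery codes drawn from a CSPRNG (hypothetical helper)."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length)) for _ in range(n)]


def _hash_code(code, salt):
    """Normalise (strip dashes, lower-case) and hash a code with a per-user salt."""
    normalised = code.replace("-", "").strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


class RecoveryCodeStore:
    """Holds hashed recovery codes for one account; plaintext is never stored."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._hashes = []

    def issue(self, n=10):
        """Replace any existing codes and return the new plaintext codes exactly once."""
        codes = generate_codes(n)
        self._hashes = [_hash_code(c, self._salt) for c in codes]
        return codes  # shown to the user now; the server keeps only the hashes

    def remaining(self):
        return len(self._hashes)

    def redeem(self, candidate):
        """Consume a code. Returns True once per valid code, False otherwise."""
        h = _hash_code(candidate, self._salt)
        match = None
        # Compare against every stored hash (no early exit) so timing does not
        # reveal which position, if any, matched.
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(stored, h):
                match = i
        if match is None:
            return False
        del self._hashes[match]  # single use: the code is gone after this
        return True


if __name__ == "__main__":
    store = RecoveryCodeStore()
    printed = store.issue(8)
    print("codes to print and lock away:", printed)
    print("first use:", store.redeem(printed[0]))
    print("replay:", store.redeem(printed[0]))
```

The PBKDF2 work factor is there because recovery codes are short, fixed-alphabet secrets and a stolen hash table should not be cheap to brute-force; a dedicated password hash such as Argon2 would be the usual production choice.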

[+] prebrov|8 years ago|reply
I use 2FA code generator in cloud-synced 1Password. That endures all software upgrades, unlike Google Authenticator or Authy.
[+] josu|8 years ago|reply
2FA systems have a code that serves as the seed for the token. If you keep this code you can set up 2FA on a new device any time you want without having to reset it. Just be careful securing the code.
[+] MichaelGG|8 years ago|reply
I've had this happen with Microsoft/Office365. Lost access, couldn't get the recovery email. They sent emails and made me wait a day or two before resetting things.
[+] awinter-py|8 years ago|reply
Not answering security questions truthfully is tricky.

Yes, it's a problem that security questions turn hacking into a simple public records search.

BUT most terms of service have a line like 'you warrant that you've been entirely truthful with us' or something. If you give the wrong security question to your bank, they potentially have grounds to freeze your money or screw you later.

Why isn't the answer 'consumers have the power -- punish services that don't support FIDO by not using them'.

At best this article is saying 'don't connect anything to anything'.

[+] willow9886|8 years ago|reply
This recently happened to a friend of mine. It was devastating. As mentioned, U2F is very scarcely supported today.

The best way he came up with to secure services that insist on using SMS for 2FA (or credential reset) was to register the number of a pre-paid phone for those services.

Inconvenient? YES. But a pre-paid phone number cannot be ported by a negligent (or willfully criminal!) operator.

[+] FT_intern|8 years ago|reply
It's still very trivial to tell a customer rep that you lost your SIM card and have the rep send all new communication to the phone number to a separate SIM card in a pre-paid phone.

[+] fabian2k|8 years ago|reply
What settings exactly do I have to change to get Gmail to never unlock my account by SMS alone?

I have enabled proper 2FA on my Google account with U2F, but I haven't disabled everything else yet because I only have one token, and I still need something like TOTP for stuff that uses Google accounts, but doesn't support U2F.

As a closely related remark, I wish U2F would just get popular enough, it's pretty convenient, isn't vulnerable against the kind of attack SMS-based 2FA is, and protects against phishing. But almost nobody outside Google supports it, and OS/Application support is rather incomplete or requires additional setup.

[+] glandium|8 years ago|reply
Something that is infuriating is that when you have 2FA enabled on Google, they insist that you add a backup phone number that a bot calls to give you a verification code, in case, you know, you lost your second factor. Which is nice and all, but now, you're back to having a second factor that is about as vulnerable as SMS.
[+] aftbit|8 years ago|reply
U2F is ludicrously hard to implement. Adding TOTP 2FA to an existing webapp will take a competent developer a few hours, using only a 10-line code snippet and the standard library. Adding U2F means learning a ton of complicated concepts and either using a giant, poorly documented library provided by Yubico or writing a bunch of tricky crypto code from scratch. :(
[+] davchana|8 years ago|reply
I asked the same at https://security.stackexchange.com/questions/151675/how-to-s...

Basically, the safest is, add Google Auth via App to your account, then remove all the phone numbers from Google. If any phone number is linked to your account, no matter what your account recovery options are, Google will always give you option to "recover" it by SMS.

[+] aleph_naught|8 years ago|reply
Go to: https://myaccount.google.com/signinoptions/two-step-verifica...

And remove SMS from the listing. I currently have 3 2FA mechanisms listed: Security-Key/Yubikey (default), Authenticator App (set on two devices), and Backup codes which I downloaded (and at some point will print and place in a safe deposit box).

Losing access to my two gmail accounts would be a complete nightmare---more so than my bank/brokerage accounts. Some brokerages like TD Ameritrade do not even offer 2FA. In my case, paranoia mode for email accounts is completely warranted.

I really wish U2F becomes the standard across all web services. It seems insane that, in some scenarios, the only barrier against financial ruin is the gullibility of your cell-phone provider's customer service rep.

[+] kuschku|8 years ago|reply
Also, Google only supports U2F in Chrome. Even if you have an addon to support it in Firefox, Google won't support it (because they activate it based on User-Agent, not on actually available functionality).

[+] metafunctor|8 years ago|reply
I don't have a phone number in any of my Google accounts, just Google Authenticator for 2-step verification.

I don't recall ever having a problem with this setup. Are there services that require a Google account to sign in, but don't work if you don't have a phone number?

[+] occamrazor|8 years ago|reply
Would this attack be neutralized by a mandatory waiting period of a few weeks for number porting? I recently ported my number to another operator (in a European country), I had to wait for a month and received at least two warning SMS.
[+] drdaeman|8 years ago|reply
2FA (including U2F and whatever else) has one big problem that this article fails to mention. And when 2FA is suggested, this really should be said explicitly.

Users aren't warned enough about the fact that everything fails, and they will have to go through 2FA deactivation/account recovery process sooner or later. They must be really reminded to DO BACK UP the recovery code(s). With "back up" as in "keep not just somewhere, but where you can actually find it, when you'll need it". (But not in your password manager)

This is true for SMS 2FA as well, but completely losing the number (as long as one's a paying customer) must be significantly less common than losing a device.

[+] exratione|8 years ago|reply
Many phone companies will allow you to (a) add an annotation to your account to declare the number you are using should never be ported to another company, and (b) add a password to the account that you will have to provide to customer service representatives when making changes. This helps to minimize the chance that an attacker can use social engineering to redirect your number to a system under his or her control. If these are not options for your phone company, find a better phone company.

Even given that, since it relies upon human choice and behavior, and does nothing versus attackers with assets within the phone company, it seems a bad idea to have 2FA via SMS.

[+] ww520|8 years ago|reply
5 or 6 years ago, my phone number got ported by someone else without my knowing. My phone suddenly didn't work anymore. I called AT&T right away to ask what was going on and they said someone had "taken over billing" for my account and AT&T transferred the number over. WTF? I was adamant about getting the number back since that's the number I give out to people. They wouldn't budge, saying it was out of their hands. Finally they said they could place the number into the free pool for re-allocation, which would freeze it for 3 months before it could be used again. I was concerned it could be used as a vector against my bank accounts. It was a nightmare.

[+] mathrawka|8 years ago|reply
I highly suggest having at least 2 phone numbers, one that is your main number that you use and give out. The others are kept private and never for calls or texts, but only for 2FA.
[+] tbrock|8 years ago|reply
Great. Now that we've succeeded in compiling a list of personal sad stories to one-up one another, why not discuss how we could encourage the banks / phone companies to make this situation impossible?

1) Ban SMS as a second factor for high risk targets like banks.

2) Telecom companies should require social security number or uniquely identifying information to provide account access.

3) ???

[+] dcosson|8 years ago|reply
> 1) Ban SMS as a second factor for high risk targets like banks.

As others have pointed out, if it were just a second factor they would also need your password. SMS is being used for full account recovery, so as a single factor.

> 2) Telecom companies should require social security number

This is exactly what we should not be doing. I would like it to be harder to steal my identity than getting a 9-digit number, which can never be rotated, and which I am required to provide in plaintext to many different people in many different situations (renting an apartment, opening a credit card, etc.).

To make matters even worse, up to the first 5 digits of an SSN can be easily guessed if you know the person's age and birthplace, and the last 4 digits are used even more haphazardly than the entire number is (e.g. sometimes the last 4 are displayed in plaintext on a website while the first 5 are starred out).

[+] bumblebeard|8 years ago|reply
Some kind of cryptographic challenge-response system might be a good solution but I don't know how to get your average computer user and customer support rep to use a system like that. All the ones I can think of are designed for computers to talk to each other so they aren't very user friendly. Is there something like Kerberos but for humans?
[+] daemin|8 years ago|reply
As I have commented elsewhere for this article, there are other countries which require and record ID for every phone number and sim. I see this as more of a control issue (from the Government perspective) since it won't be used by customer service staff for security.