T-Mobile has a new feature where you have a [edit:] 6-12 digit PIN associated with the account, and it's used in the store or when porting a number. When activating the PIN (which requires calling them), they used an SMS text message to verify me. I asked if people can change the PIN like I just did; he said that they'd always be sent a text message.
I hope that's true, because if so that'd mean a hacker would need my phone.
I think that guards against the attack whereby someone steals your number by porting it to another provider. Assuming what T-Mobile is saying is true.
I also use Google Authenticator, but that terrifies me since someone could steal my phone or I could lose it, and I'd have to find (and I'd better re-create NOW) printouts of all the words to recover / move Google Authenticator access tokens.
IIRC all that pin does is slow things down. Legally they can't prevent you from porting your number, and if you can verify your identity another way they will ignore the pin.
There just isn't any way around it: phone numbers are just not secure.
Why can mobile providers still be so easily social engineered to this day? Seems like calling them and activating a new SIM (i.e. stealing a number) is still quite easy.
Because there will always be people like my mom who can't remember their account PIN but get super pissed when on the phone, ask to speak to a manager, etc.
Defending against social engineering attacks is HARD, because the only real mitigations against them could also result in locking out the real owner of the account.
In Russia, unlike Europe, one has to provide an ID to reissue a SIM card, but criminals often have accomplices inside a provider who can do it without any documents.
Google Authenticator, the one-time password (OTP) app made by Google, stores data locally on the device. To my knowledge it has no link with your phone number.
mancerayder|8 years ago
Klathmon|8 years ago
acct1771|8 years ago
zinxq|8 years ago
chatmasta|8 years ago
mannykannot|8 years ago
codedokode|8 years ago
relik|8 years ago
Klathmon|8 years ago
It's a blessing and a curse, but with a bit of work (like backing up all codes at creation time) it's a non-issue for me that I actually appreciate.
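Added example, not from any commenter in this thread: a minimal RFC 6238 TOTP computation showing what the comments about Google Authenticator storing its data locally and about backing up the codes at creation time amount to. The code is derived only from the shared secret and the clock, so a copy of the enrolment secret is a complete backup and the phone number plays no part. The secret below is the public RFC 6238 test-vector key, not a real account.

```python
import base64
import hashlib
import hmac
import struct

# Public RFC 6238 test-vector key (ASCII "12345678901234567890" in base32);
# constructed for this example, not tied to any real account.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated.

    Inputs are only the shared secret and the clock; no SIM or phone number is
    involved, which is why the secret (QR code / base32 string) is the backup.
    """
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew.

    Uses a constant-time comparison so the check does not leak the expected code.
    """
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, unix_time + k * 30), candidate):
            return True
    return False


def restored_backup_matches(secret_b32: str, unix_time: int) -> bool:
    """Simulate 'backing up at creation time': the backup is the secret itself,
    so a new device holding that copy produces exactly the same code."""
    backup_copy = secret_b32
    return totp(backup_copy, unix_time) == totp(secret_b32, unix_time)
```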
martind81|8 years ago
joeblow9999|8 years ago