I see these problems from a different angle than the usual commentators. I continue to ask myself: Why is mobile used for important things, e.g., banking, payments, etc.?
A great example is authenticating a person's identity via possession of a SIM card, i.e., their mobile number. If one can switch SIM cards, then one can switch identities. This flexibility is not a flaw in mobile communications; the ease-of-use is what makes mobile so useful. However, it is silly to pretend mobile is as safe as landline for all uses. Mobile may be altogether more useful than landline -- few could argue otherwise -- and at the same time it can be entirely inappropriate for use in important things like banking. This concept seems non-existent. Instead the prevailing thinking is all-or-nothing.
In addition to "convenience", mobile has introduced a new class of problems when used for important things like banking and payments. These problems either do not exist or exist at a much lower scale with respect to landline. Who owns landline service? Crooks?
From where I stand, the risks of using mobile for important transactions outweigh the benefits. Unfortunately, I also see that "convenience" continues to prevail over common sense. I am willing to sacrifice convenience for peace of mind. Meanwhile banks and others push harder and harder for customers to use mobile, including as a means of verifying identity.
Businesses only care about fraud losses they have to pay. SIMs only exist because cellphone companies wanted to cut off free riders. The efficiency gain from online transactions versus teller-assisted ones far exceeds fraud losses. Passwords remain the default authenticator, which are often Password1, Linkedin2009, 123456. Password reset questions are added to minimize tech support costs or just check an audit box. SMS is the band-aid over guessable passwords. Not everyone has a smartphone. If businesses don't want to pay for password reset calls, they certainly aren't going to issue customer smartcards or open retail locations where they check two forms of ID.
In the developing world, this is often the only link people have to the Internet at large. I worked in a company with primarily Nigerians, and one of the biggest developments in recent years is payment systems built over mobile networks.
Since most other countries don't bundle the phone with a contract and SIM-lock them, SIM-swapping is a very reasonable way to pay-as-you-go while hopping between mobile networks and regions.
>However it is silly to pretend mobile is as safe as landline for all uses
What's the alternative for people lacking wired infrastructure? It's not desktop systems, it's not landlines, and they can't rely on the government to solve these problems for them.
As a personal hacking project in my spare time, I switched from T-Mobile to Anveo and an Asterisk setup. I can send and receive SMS on my server and can make WiFi calls on my phone. SMS gets sent to my email as well. This costs maybe $45 USD a year. I've thought about documenting my setup but I don't know if there is any interest.
Some responses:
It's reliable enough to pay my credit card bills over the phone using public bus WiFi.
SMS is trickier as I only know enough programming to write a script in bash to send SMS. I can't send pictures or videos, so I try to convince friends to use Signal instead.
911 works with no SIM card, as required by federal law.
I do have working SMS to email however, so viewing SMS is a piece of cake :)
I use Anveo for my "land" line and Google Voice for my cell. Instead of Asterisk, I use an Obi. The Obi also connects to my GV number so my home office can make/receive calls to either number.
I have an Anveo call flow[1] that implements a white/grey/black list setup that works great. There were a couple really persistent callers that I had to block the entire NPA NXX which is harder for the caller to spoof. I get almost no robocalls.
1. https://ibb.co/bBs2RsJ
Yes! I've wanted to decouple SMS from the phone I carry, be able to respond to SMS via other devices. Right now the best option I have is to convince as many people I can to start using Signal.
I am rarely in the same country very long and use https://www.aa.net.uk/ in the UK for a UK 07 number that can retrieve SMS and that I can use a VOIP phone with. As far as I'm aware they're the only service in the UK allowing this with 07 numbers.
I definitely have an interest in hearing more about how you achieved this for such a low cost. My own SMS/VoIP setup costs about $50 a month. I still gladly pay it for the control it offers, but would love to pay less but not lose reliability.
I use voip.ms in a similar capacity but with a much simpler/adequate setup. My problem is that certain senders (banks, credit card companies, etc.) are unable to text the number in question. Is Anveo better in this regard?
It's hard not to get really depressed when you think about all the political institutions that were set up to protect consumers and have since been hijacked by the corporations to protect them from the consumers.
Maybe you won't be so depressed when you realize that some of the quotes in that article by Gigi Sohn ("complete and total abdication of oversight") are prima facie hyperbole, and thus we can dismiss them as politically motivated. How can I say it's hyperbole? The rest of the article tells us that there are lawsuits, prosecutions, and FCC investigations. That doesn't sound like a complete and total abdication of oversight. Is the problem serious? Yes. Is it ongoing? Yes. Is there regulatory capture? Yes. But is nothing being done about it? No.
It's inevitable unless regulators and consumer activists maintain the upper hand (in which case businesses will complain about a business unfriendly environment).
Badly behaved businesses reap concentrated benefit while imposing diffuse losses on others. It's kind of like how a factory worker in a declining city notices the harm of a layoff much more than the benefit of TVs costing 25% less.
Curiously enough, an edition of the Encyclopedia Galactica that had the good fortune to fall through a time warp from a thousand years in the future defined the telecommunications executives of America as "a bunch of mindless jerks who were the first against the wall when the revolution came."
AT&T's response to this sounds pretty bad. They're not going to prevent SIM swaps but they're going to let banks (not Google, not cryptocurrency exchanges) discover that you got swapped after the fact.
Eventually, this could make legitimate SIM swaps unusable. The point of SIM swaps was to retain a phone number when swapping carriers or SIM chips. If a number becomes untrusted after a SIM swap, you may be better off getting a new number.
Should be more than that, data leaks are everywhere, and anything worth more than the fee for a phone line should have its own number.
I wonder if the government wants people to be as paranoid as the people running the government, or they’re just ignorant. Most of these protocols were developed during the Cold War, not after.
this happens to people that store their cryptocurrency on services with sms-based 2fa.
any service that uses sms-based 2fa without any other option like client side generated one time passcodes (otp) should be sued for negligence at this point. the otp should be the default choice.
people are currently masquerading incompetence as an indictment of cryptocurrencies as a concept. this is allowing negligent, incompetent businesses to get a free pass, because the people that should be in charge of protecting consumers are thinking the cryptocurrency itself is insecure or "got hacked" which so far isn't what is happening.
(with regard to storing cryptocurrency on someone else's server, yeah those users are being negligent too.)
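To make the contrast concrete, here is an added example (not from the thread or any product) of the client-side OTP the comment prefers: RFC 6238 TOTP, derived from a shared secret and the clock, so no carrier, SIM or SMS route is involved in producing or delivering it. The secret is the RFC test vector; the drift window and base32 helper are this example's assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, candidate, at=None, step=30, digits=6, drift=1):
    """Accept the code for the current step and +/- `drift` neighbouring steps.

    Every window is evaluated and compared in constant time so the check's
    timing does not reveal which window (if any) matched.
    """
    at = int(time.time()) if at is None else at
    base = at // step
    ok = False
    for c in range(base - drift, base + drift + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), candidate)
    return ok


def secret_from_base32(b32):
    """Authenticator apps exchange the shared secret as base32 (otpauth:// URIs)."""
    padded = b32.strip().upper() + "=" * (-len(b32.strip()) % 8)
    return base64.b32decode(padded)


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890")
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))   # 287082 (RFC 6238 SHA-1 vector 94287082, 6-digit form)
```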
Are any providers offering an opt-in SIM freeze of sorts with some kind of enhanced authentication in order to unfreeze? Wouldn't such a feature/service easily prevent the SIM-swap risk? I don't know how easy this is to prevent regarding the infrastructure (do networks detect a SIM-swap via change in host IMEI?). I understand the article describes a rogue employee but it seems to me that an added layer for such a service could easily prevent unauthorized access.
I didn't know AT&T was just selling real time data in defiance of the FCC rules and I'm quite inclined to just terminate my service after holding an account for nearly 20 years with them over it.
blankcheque | 6 years ago
In fact, most of my payments these days are with Apple Pay. My interactions with my bank and the stock market are all through my phone.
My bank protects me from fraud. It's really not that big of a deal - especially not to a point where using a landline makes any sense.
wvenable | 6 years ago
Except an ever-growing share of the population doesn't have a landline -- only mobile.
gruez | 6 years ago
$3/month gets you a US/Canada phone number that you can make/receive voice calls using SIP, and send/receive SMS using XMPP.
maximente | 6 years ago
- SIM swap to obtain SMS/telephone capability
- hijack email, if known + non-2FA or known SMS/telephone 2FA
- using gathered intel from email (e.g. monthly statements), call up banks/financial accounts (many of which are non-2FA or SMS/telephone 2FA)
- password reset/etc. any accounts without 2FA or with SMS/telephone 2FA
- social engineer way into bank/financial accounts
- drain and profit
i've seriously considered tying up financial stuff to an undisclosed phone number on its own account.
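One defender-side use of the after-the-fact SIM-change signal discussed earlier in the thread, as an added example that is not from the thread: correlate a carrier's SIM-change notices with a bank's own authentication log and flag SMS-OTP-backed resets and logins that closely follow a SIM change, which is the first two steps of the chain above seen from the bank's side. The feed and log formats, phone numbers, users and the 48-hour window are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample data: a carrier "SIM changed" notice feed and a bank's
# authentication log. Both formats are invented for this example.
SIM_CHANGE_FEED = """\
2019-01-05T09:12:00 msisdn=+15551230001 event=sim_change
2019-01-06T10:40:00 msisdn=+15551230002 event=sim_change
"""
AUTH_LOG = """\
2019-01-05T09:30:00 user=alice phone=+15551230001 event=password_reset channel=sms_otp
2019-01-05T09:35:00 user=alice phone=+15551230001 event=login channel=sms_otp
2019-01-06T11:00:00 user=bob phone=+15551230002 event=login channel=totp
2019-01-05T12:00:00 user=carol phone=+15551230003 event=password_reset channel=sms_otp
2019-01-20T09:00:00 user=alice phone=+15551230001 event=login channel=sms_otp
"""


def parse(text):
    """Turn 'ISO-timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def sms_events_after_sim_change(feed, log, window=timedelta(hours=48)):
    """Return (user, event, event_ts, sim_change_ts) for every SMS-OTP event on a
    number whose SIM was changed within `window` before the event."""
    changes = {}
    for rec in parse(feed):
        if rec["event"] == "sim_change":
            changes.setdefault(rec["msisdn"], []).append(rec["ts"])
    alerts = []
    for rec in parse(log):
        if rec.get("channel") != "sms_otp":
            continue    # TOTP or hardware factors are not delivered over the swapped SIM
        for changed_at in changes.get(rec["phone"], []):
            if timedelta(0) <= rec["ts"] - changed_at <= window:
                alerts.append((rec["user"], rec["event"],
                               rec["ts"].isoformat(), changed_at.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in sms_events_after_sim_change(SIM_CHANGE_FEED, AUTH_LOG):
        print("ALERT", *alert)
```

In the sample, only alice's two SMS-OTP events 18 and 23 minutes after her SIM change are flagged; bob's TOTP login after his SIM change and alice's login two weeks later are not.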
KirinDave | 6 years ago
That's beyond unacceptable.
iflywithbook | 6 years ago
Love the combination of investigation and cybersecurity.