
SMS is not 2FA-secure

867 points| sergeant3 | 6 years ago |issms2fasecure.com

371 comments

[+] tptacek|6 years ago|reply
This is great; it's a Princeton research project from Arvind Narayanan's (@random_walker) group, in which their team made 10 attempts to SIM-swap each of 5 different carriers, including T-Mobile, AT&T, and Verizon (all three of which were, weirdly, less secure in some ways than the 2 MVNOs they tested).

Most notably: AT&T and Verizon both use call logs to authenticate SIM swaps from people who don't know the account PIN; requestors are asked to list recently made outbound calls, or in some cases inbound calls. A targeted attacker can trick a customer into making a known call (or, obviously, can simply call the customer to make inbound call records), and then authenticate with them.

AT&T uses billing statement data as a factor. But the research team was able to "spoof" billing statement data by purchasing prepaid refill cards and applying them to a target's account.

The report also identified a bunch of online services for which SMS was used not just as a second factor but, through account recovery, as a sole factor, meaning you're substantially worse off with SMS authentication than you are without it at those services. The reality is probably worse than the report highlights, since a lot of account recovery processes are informal and ad-hoc, and can be socially engineered into relying on SMS.

[+] theonething|6 years ago|reply
> account recovery, as a sole factor, meaning you're substantially worse off with SMS authentication than you are without it at those services

But if in those cases you disable SMS auth, then you can't recover your account right? That might be considered worse off in some cases.

[+] cortesoft|6 years ago|reply
So how SHOULD this problem be solved? How should account recovery work?
[+] Pxtl|6 years ago|reply
Seems straightforward, all these phone companies have endless kiosks and offices. Legislate that a phone number can only be transferred by making a confirmation call to the old phone or in-person with a salesperson who is checking ID.
[+] xenospn|6 years ago|reply
I wish Apple added iMessage as a service to make 2FA more secure.
[+] rckoepke|6 years ago|reply
My understanding is that you don't even need to do a SIM swap, because the SS7 signaling system is insecure. SIM Swap is likely the easiest way as wage-slave employees are quite pliable to bribes[0]. But if you want to be even more anonymous, you can apparently re-route texts remotely [1].

0: https://www.nbcbayarea.com/news/local/mans-1m-life-savings-s...

1: https://www.kaspersky.com/blog/ss7-hacked/25529/

I thought both these vectors were already common knowledge to HN readers.

[+] 0xff00ffee|6 years ago|reply
> I thought both these vectors were already common knowledge to HN readers.

One person can't know everything... that's why I come here. Thanks for the info!

[+] Uptrenda|6 years ago|reply
Yep, the security problems with the mobile system are ghastly.

- Stingrays...

- Operator app pushes to SIM cards...

- Secret GSM processors and software internals

- Voice / text / data "ciphering"

- Protocol-level "emergency" tracking features

- Silent SMS (sounds like it's from a bad cop show, but it turns out it's actually a real thing.) "They do not show up on a display, nor trigger any acoustical signal when received. Their primary purpose was to deliver special services of the network operator to any cell phone." -- sounds like it has a completely legit use...

The list goes on. It's enough to make anyone want to get the tin foil out. But at least in this case there's a simple and clear recommendation: --not to use 2-factor auth by SIM--.

[+] incompatible|6 years ago|reply
The SIM Swap would seem to be a bit more accessible to the average fraudster. Hacking SS7 apparently requires setting up a "hub" and obtaining a carrier license from a lax country. That is, until we get to the bit about "illicit merchants offering ‘Connection-as-a-Service’ to such hubs."

https://www.kaspersky.com/blog/hacking-cellular-networks/106...

[+] SlowRobotAhead|6 years ago|reply
>SS7 signaling system is insecure

If people knew how telecom (and the internet) was held together with bubblegum and duct tape...

Multiple proposed fixes and replacements to SS7, to the best of my knowledge none of them are going anywhere. And even if it was pushed hard, it has to be a global thing.

[+] yellow_lead|6 years ago|reply
I am pretty sure this is how they got Bezos' texts. All you need to do is register a CLEC and then you can get your official hookup to SS7. My experience isn't with messaging but I'd imagine if you bid* to deliver messages to a certain area much lower than other carriers, you can target people.

* Bidding doesn't happen in real time, but you can tell carriers your "rates" so to speak.

[+] bubblethink|6 years ago|reply
In the future, the term SIM Swap will likely be replaced with something like "SIM identity theft" so that banks and telecoms are not liable. Then we can all buy SIM identity protection.
[+] RavlaAlvar|6 years ago|reply
Does that mean an authoritarian government can read the location and sms of a number from foreign country without any cooperation from the carrier?

Scary thought

[+] Andrew_nenakhov|6 years ago|reply
Not in Russia. Numerous examples exist where a victim's number was linked to an attacker's SIM card to obtain a 2FA code, then linked back to the victim's SIM so he does not notice anything.

This has been done by government-linked parties, who are able to coerce providers to do it, mostly targeting prominent political opposition members. It has also happened without government involvement, done by provider personnel with sufficient access and some entrepreneurial attitude.

The rule of thumb to protect against it:

- do not use SMS 2FA

- if you do, use a foreign SIP number with SMS capabilities

- if you HAVE to use a local SIM, use a SIM that belongs to someone else and no one knows you use it

[+] jetzzz|6 years ago|reply
Just google for "форум пробив" and you will find black market for accessing any kind of information, including SMS, phone location, etc and associated services for hacking accounts (VK, Gmail, etc). You don't need to be a government, it is open for everyone.
[+] saalweachter|6 years ago|reply
It's also important to know your threat model. Namely, random attacks versus targeted attacks.

Shitty 2fa will still deter people who get a list of a hundred million emails/usernames and passwords and try them on banks, Twitter etc from putting in the extra work to break into your account specifically.

If you expect targeted attacks - from governments, because you oppose them, from determined criminals, because you have a lot of nice stuff to steal, or from people around you, because you know too many assholes - maybe it might as well not exist, but for most people, most of the time, any 2fa is better than none.

[+] laurentdc|6 years ago|reply
> if you do, use a foreign SIP number with SMS capabilities

Any good providers? I've tried Twilio SMS forwarding, but different services (e.g. Steam) reject it for 2FA since they're pretty much considered throwaway numbers; I suppose there's some sort of blacklist.

[+] alkonaut|6 years ago|reply
I want my things protected by a human with a process to unlock/reset/.. given some kind of proof of identity.

Because with 99.99% certainty the person that needs to unlock the account is me, and not an attacker.

Even with a dozen backup yubikeys and spare codes written down I’d still be much more likely to lock myself out than be attacked.

If it’s one thing I have learned the hard way it’s that the most dangerous person in the equation is myself. I won’t trust myself with any kind of security.

[+] pwg|6 years ago|reply
> I want my things protected by a human with a process to unlock/reset/.. given some kind of proof of identity.

Anytime you have a human in the loop you have the risk of human failings. I.e., that human forgets to follow critical step X in the protocol. Or that human falls for the attackers emotional sob story and takes pity on the attacker and lets the attacker unlock your account. Or that particular human is amenable to bribery to obtain the outcome the attacker wants.

In fact, many sim swaps have been reported to have occurred because of "human at cell phone store did not follow protocol" or "human at cell phone store was taking bribes".

So having a human in the loop is not an absolute solution to solving the problem.

[+] ossguy|6 years ago|reply
That's how https://jmp.chat/ works, and you can make your phone number as arbitrarily secure as you want with JMP.

Any port-out requests are handled manually - you are contacted by a human to ensure that you made the request. You can ask them to put a verification code on file for you to confirm when this happens if you're concerned about the security of your XMPP account (which itself could use whatever kind of authentication scheme you like).

[+] kortex|6 years ago|reply
Yup, I have the same misgivings. I hate getting locked out, but at the same time, I'm pretty paranoid and want secure passwords, don't leave copies of them around.

So I've been working on a backup plan. Current incarnation is to use a simple Go cli tool with Shamir's secret sharing algo to break a password into N/M shards. The user can then do whatever they please with the shards, give some to their family, friends, attorney, make a pirate map, get an rfid chip, anything you want.

[+] microtonal|6 years ago|reply
> Even with a dozen backup yubikeys and spare codes written down I’d still be much more likely to lock myself out than be attacked.

I am not sure this is true. Most people regularly get phishing e-mails and apparently fall for it.

SMS and TOTP (due to the window of time the TOTP code is valid) only provide limited protection against active phishing attacks, since a phishing site can 'proxy' the SMS/TOTP code along with the password.

I think I would prefer losing access to an account (since I make backups of critical stuff anyway) than my account getting compromised, which could lead to identity theft/fraud, etc.

[+] NKosmatos|6 years ago|reply
Worth noting that this is just for US and for prepaid SIMs, from their paper “We examined the types of authentication mechanisms in place for such requests at 5 U.S. prepaid carriers - AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless”.

It doesn’t mean that for the rest of the world SMS 2FA is completely secure, it’s just a lot more difficult (or impractical/impossible) to do a SIM swap so easily. As mentioned in another comment below, SS7 vulnerabilities are another attack vector, globally available and without requiring a SIM swap.

[+] kick|6 years ago|reply
I thought this was going to be one of the otherwise-plaintext black and white web pages with <h1>NO.</> centered in the middle, but interestingly it's actual research, and a nice read (even if nothing new) at that.
[+] theonething|6 years ago|reply
The answer is no, but is it more secure than no 2FA?

Of course there are much better 2FA options, but for the general public, they are probably too complicated to use.

Everyone understands SMS.

[+] Kalium|6 years ago|reply
Have you seen the prompt system, as used by Google, Microsoft, Okta, et al.?

In my strictly personal opinion, responding to a notification that asks if a login attempt is you is clear enough that people need minimal training to make use of it. This might just be me, though.

In my career, I've definitely seen people actively choose SMS over other factors on offer. It was easier for them, and in many cases shouldn't have been offered. Your point about SMS being better than nothing is wise and true and insightful, but it's perhaps not always the question as faced in practice.

[+] rocqua|6 years ago|reply
I think at some point Google used SMS 2FA as a sole factor in account recovery. So there, you really were worse off with SMS 2FA enabled.
[+] KingMachiavelli|6 years ago|reply
Well if that's the case they could still offer true MFA. Make at least SMS 2FA mandatory but offer OTP/token based MFA.

Obviously banks are a place with a lot of low-value targets and a few very high-value targets, but the cost to implement MFA is the same so they might as well do it.

[+] minimaxir|6 years ago|reply
Awareness may make providers more willing to switch to a better 2FA, such as TOTP.
[+] hocuspocus|6 years ago|reply
In Switzerland, we have Mobile ID: https://www.mobileid.ch/en

It uses the SIM to implement a challenge-response mechanism where a PIN is prompted by your phone. While not perfect, it's vastly better than using SMS, without being less convenient.

I don't know if other places leverage the fact that SIMs are smart cards which are perfectly able to perform this kind of stuff given the proper infrastructure.

[+] sairamkunala|6 years ago|reply
In India,

if you get a SIM replaced after providing proofs of identity, residence and biometrics, it gets activated after a few hours.

The kicker is that it won't get SMSes for 24 hours after the SIM is activated.

In the US, won't it be cheaper as well as secure to get a virtual phone number from Twilio for purposes of two factor authentication? (In India, there is no service at the rate what Twilio offers, but there are some which charge around $30-$40/month for virtual phone numbers with incoming SMSes)

[+] chirau|6 years ago|reply
How does this work?
[+] MrStonedOne|6 years ago|reply
Protip: security is not black and white

The word "secure" is not binary.

sms as a 2fa is secure.

Just not as secure as an Authy TOTP account

...which is not as secure as an unclonable TOTP system

...which is not as secure as a hardware token based otp system

...which is not as secure as a hardware token that also requires you enter a pin and a fingerprint to activate it and only communicates using hard coded encrypted messages with the legit service that issued it.

[+] offmycloud|6 years ago|reply
To defeat the Authy account recovery process, you need to perform an active SMS attack (SIM swap, etc) and then prevent the target from seeing the recovery warning emails for 24 hours. Therefore, Authy customers should only tell trusted people that they are going on a weekend off-the-grid camping trip.
[+] RcouF1uZ4gsC|6 years ago|reply
The big benefit of SMS for the website is that it outsources the problem of lost 2FA tokens. What happens if the user loses a yubikey. Or changes phones and did not back up their TOTP. With SMS authentication, even if the user loses a phone, they can go down to the local cell phone store and get a new phone on their number and be back in business without the website having to get involved.
[+] 0xff00ffee|6 years ago|reply
> What happens if the user loses a yubikey.

Always buy two. ;-)

Joking aside, I've moved almost every 2FA to hard token, soft-token, or google voice. But the root of trust is still LastPass & Google. I don't see an easy way out of dependency other than power of attorney. Even worse: I worry what happens to my protected assets as I age and possibly face memory loss.

[+] awinter-py|6 years ago|reply
github & gitlab require you to register a TOTP authenticator app before you can enable U2F (presumably to avoid manual resets, although they don't say)

google's enhanced protection requires you to have 2 distinct yubikeys to sign up

[+] thephyber|6 years ago|reply
Double-edged sword.

Your website is outsourcing security to any company which can service a cell phone account, which may be better than your website security or worse.

[+] willvarfar|6 years ago|reply
I know that google branded “titan” yubikeys come in pairs. One is for keeping in a safe place for recovery.
[+] danellis|6 years ago|reply
The title is mangled, because someone misparsed the question.

The question is "Is SMS 2FA secure?", not "Is SMS 2FA-secure?" There is no such property as 2FA-secure.

Title should read: "SMS 2FA is not secure".

[+] esolyt|6 years ago|reply
I agree. "SMS is not 2FA-secure" implies SMS is not suitable for 2FA at all. In reality, SMS 2FA is still very valuable to most people, even though it's not secure enough.
[+] frenchyatwork|6 years ago|reply
But how else are you supposed to encourage users to give you their phone numbers so you can track them better?
[+] lmilcin|6 years ago|reply
Just use a token like yubikey. I have a small fleet and am very happy with the decision.

The only problem is there are very few services that get it right. Get it right means support multiple tokens and allow to truly disable any other means of logging in or recovering the password.

Most services seem bent on allowing many ways of logging in without giving a choice. For example, they will advertise they use 2FA tokens, but then if you can't produce one they will still allow you to log in with SMS or mail (i.e. password recovery by mail). Facebook will not even let you set up tokens without having SMS set up as a factor and the phone number verified.

I hope developers will slowly get more aware and there will be better tooling (and Stack Exchange answers to ctrl+c ctrl+v...) to do it correctly.

[+] skunkworker|6 years ago|reply
And yet my bank (Chase) only supports email and SMS 2FA with no option for OTP/TOTP. Is this just an institution dragging its feet, or are there regulatory reasons why they won't allow more secure authentication?
[+] professorTuring|6 years ago|reply
Is SMS 2FA Secure? No, I agree.

Is SMS 2FA enough for most of the people today? Yes

Is SMS a cost-benefit solution for most uses? Yes

[+] ahaseeb|6 years ago|reply
DontPort.Com - I built this to fix this. I've been a victim of this 4 times and was very frustrated. Unfortunately SIM swap is only one way to get your 2FA, but the risks are much higher, which I am working to solve one by one.
[+] rvz|6 years ago|reply
You know what's funny? LinkedIn is supposed to be a 'professional' social network (Microsoft owned) and a friend of mine was asked to add a phone number 'For security purposes'. I knew this was suspiciously involving 2FA SMS + a bonus of spam callers and I told him to press "Not Now". Whilst the world is moving to U2F and time-sensitive codes, a security system using SMS 2FA is now equivalent to a single PC running Windows XP in a bank.

But it's not just LinkedIn. It's a huge list of major companies, including some FAANG ones too. Oh dear.

[+] solatic|6 years ago|reply
All of this happens because we've outsourced digital identity to the telecom companies. Telecom companies are not competent at establishing identity. It's not their job. There is only one entity that is the real root provider of identity and that is the government.

We are never going to get the benefits of digital identity until the government wakes up and brings its services into the digital age.

[+] baybal2|6 years ago|reply
No, it isn't at all. Moreover, sim swap is not necessary at all.

Anybody with direct access to SS7 can send a fake roaming request for your sim card.

[+] Havoc|6 years ago|reply
Definitely not. In my home country the banks use SMS 2FA.

It's a complete shitshow. Occasionally syndicates manage to get both sides of 2FA lined up (insiders) and clean out someone's account.

Then the bank says not my problem - you didn't keep your password safe. And the cell provider says not my problem - not intended as security mechanism. Leaving the customer poor and sht out of luck.