top | item 29582014

krebsonsecurity | 4 years ago

That's nice to hear. So the SIM swappers have to double their bribes.

I think the best solution is to cut the mobile providers out of the equation altogether. I've long advised removing your phone number from anything you can, or at least substituting a voip service that can't be social engineered over the phone. Some services don't let you use voip services for multi-factor or signup, so your mileage may vary.

Also, it's important where possible to use types of multi-factor that don't rely on your phone number. The tricky part is, so many sites will let you reset your password if you can receive a link via SMS at the phone number on file for the account. Which means anyone who SIM-swaps you then can reset the passwords on those accounts that allow SMS resets (which is a lot, still).

DarylZero|4 years ago

You must have to pay more than double to bribe two people simultaneously -- since each one then has to rely on an extra person to cover up the corruption.

menage|4 years ago

One of the advantages of using Google Fi as your phone provider on a Google phone: there's no SIM, and you have to log in to the phone on your Google account in order to transfer phone/SMS service there. So an attacker can't use an SMS hijack to steal 2FA codes unless they've already compromised your Google account (which is hopefully a higher bar than convincing some random phone shop employee).

e40|4 years ago

I have an iPhone with Google Fi and I have a SIM. The entire family does and they also have them.

However, the point of needing to login to your Google account is well taken. And I have 2FA on that.

ndesaulniers|4 years ago

One thing I don't understand about the suggestion to remove my phone number from 2FA is that 1FA seems worse. I'd prefer something like Google authenticator, but none of my banks offer that. Did I misunderstand the suggestion? Is there something else I should do?

chinathrow|4 years ago

> but none of my banks offer that. Did I misunderstand the suggestion? Is there something else I should do?

Yes there is: change your bank. If your bank is still using SMS based 2FA, get the hell out of there. If you really need to keep that account for reason X, move out all your assets to another bank and keep enough funds to fund X there.

PeterisP|4 years ago

The problem is that often adding the phone number just says "2FA" but in reality becomes another single authentication factor (e.g. in the credential reset workflow) - and, given the risk of SIM swap, it may be weaker than proper 1FA, e.g. a good password.

walrus01|4 years ago

> or at least substituting a voip service that can't be social engineered over the phone

Unfortunately it's also very easy for somebody to submit falsified port documentation to port away your VoIP number to their own carrier.

In many cases even easier than doing a SIM swap, since the old-school way to do a port is to literally print out one page of a bill with your name on it (anybody could edit this via "inspect element" on a legit bill of their own and swap in your name), print it, sign it in ink, scan it, and send it to the carrier requesting the port-in.

Jerrrry|4 years ago

>That's nice to hear. So the SIM swappers have to double their bribes.

Most SIM-swappers are retiring with their ill-gotten crypto, but the ones remaining are at the "bribing prosecutors" level now.

With crypto skyrocketing and the pitfalls of SMS becoming more apparent, I fully expect the jump to amateurs purchasing and leveraging state-level 0days against unwitting wallet holders.

The gap between profit and cost is getting larger, and more crypto-millionaires are going to get their Teamviewer 0dayed.

ghaff|4 years ago

One of the few things I miss about giving up my landline a couple years ago is that I pretty much have to give out my cell phone number for anything that needs a valid phone number. (yes, I could use Google Voice or some sort of VOIP number but that starts making things complicated.) I used to be very selective at giving out my cell number.

Maursault|4 years ago

> yes, I could use Google Voice or some sort of VOIP number but that starts making things complicated.

You should soldier through it. Google Voice is a decent free service domestically, unless paranoid. I use it in the reverse manner as I expect you would intend (if you'd intend to generate many virtual throw away numbers to forward back to your phone until the forwarding is manually severed). My actual phone number has changed many times over the years, but my GV number stays the same. Eventually, I got rid of my phone altogether. That was January 2014. But jobs will often require I carry the on-call cell (which I almost never need to use and just for work). Boy I sure miss those cell phone bills every month, not. I just realized GV has saved me at least $10K since I cancelled my cell contract.

mhb|4 years ago

What about a second cell phone? Depending on whether ~20/month is worth it.

dbancajas|4 years ago

> one number on file for the account. Which means anyone who SIM-swaps you then can reset the passwords on those accounts that allow SMS resets (which is a lot, still).

Why not use a special phone number for 2FA? How do hackers know your phone number?

PeterisP|4 years ago

If you use a special separate phone number for 2FA in multiple places, then it likely has both been exposed in some data breach, and also been sold for marketing/tracking purposes; attackers can get access to both these types of sources.

rp1|4 years ago

Hackers can easily get anyone’s phone number. Just Google <name> phone number. There are so many data brokers out there happy to sell this information.