This is great; it's a Princeton research project from Arvind Narayanan's (@random_walker) group, in which their team made 10 attempts to SIM-swap each of 5 different carriers, including T-Mobile, AT&T, and Verizon (all three of which were, weirdly, less secure in some ways than the 2 MVNOs they tested).
Most notably: AT&T and Verizon both use call logs to authenticate SIM swaps from people who don't know the account PIN; requestors are asked to list recently made outbound calls, or in some cases inbound calls. A targeted attacker can trick a customer into making a known call (or, obviously, can simply call the customer to make inbound call records), and then authenticate with them.
AT&T uses billing statement data as a factor. But the research team was able to "spoof" billing statement data by purchasing prepaid refill cards and applying them to a target's account.
The report also identified a bunch of online services for which SMS was used not just as a second factor but, through account recovery, as a sole factor, meaning you're substantially worse off with SMS authentication than you are without it at those services. The reality is probably worse than the report highlights, since a lot of account recovery processes are informal and ad-hoc, and can be socially engineered into relying on SMS.
What worries me isn’t that I might not be able to recover my account if it uses some other form of authentication, it’s that I might not be able to recover my account because it requires authentication from a phone number I lose access to.
This just happened with my AWS account. Changed phones and forgot to update the number. Didn’t realize it until it was too late. Their recovery process without the phone is incredibly onerous (as it should be) and way too much hassle for me to go through for a small personal account. I just deactivated the credit card that was getting billed and let the account get cancelled. That was a hassle, but not nearly as much as getting back into the account.
Walk into a store and provide a government ID and the original SIM card. If customer doesn’t have the sim/phone, send a recovery code to the billing address on file in lieu of the SIM card.
> Walk into a store and provide a government ID and the original SIM card.
This is how it works in Poland since September 2019, after some recent SIM-swap attacks. You can swap SIM or get a replacement if stolen only at store showing government ID. It is free of charge with Orange and not always free with T-mobile.
But this has some downsides in real life.
1) I had to walk my 88 yo Mom to the store to swap SIM card.
2) Every clerk at every shop can do that so for a determined criminal it is possible to bribe or threaten one.
3) Virtual operators (MVNOs) usually do not have physical locations and there is a dozen of them.
The problem is that the ID is still checked by the clerk. They could be bribed or tricked by a fake ID.
A recovery code snail-mailed/e-mailed to the account holder when they first open the account is the correct way to go, and if they can't provide it they need to go through a lengthy process where many factors are used to authenticate them (verify their physical address, verify their ID, ask to confirm last call records, billing details, etc).
The clerk has to use some kind of online system to connect the new sim to the customers phone number. The system would obviously require the clerk to authenticate himself and could require him to enter the passport number or other document ID he checked to verify the customers identity.
If later it turns out this was a sim swapping attack you can verify if the clerk entered a valid document ID. He can’t do that without having been presented a proper document, so you can tell if he checked.
Its just convenience over security. Lot of things can be done but then the extra burden that companies have to go through. Think about that people don't use app based authentication because it's inconvenient even though it matters to them. How can you expect carriers to do it
I wasn't sure how would you solve the problem of verifying the ID card without showing the previously recorded number to the clerk. But simply requiring to every time just punch in the ID (and maybe scan the whole card to check the photo later) could work - if the system only returns a big OK or BAD signal.
Currently here, in Hungary, the clerks just photocopy the IDs though. And there was a big scandal a few years ago (in connection to the ISIL/ISIS attacks in EU) about some groups obtaining hundreds of thousands of SIMs for just a few names.
On your second point, a determined criminal could always deploy rubber-hose cryptanalysis on a 2-factor authentication scheme, but it's still a significant improvement.
If you make the carrier liable for damages in case of fraud, there would be process to mitigate the risk from one bad actor. Like the bank requires a manager approval for certain high risk transactions like international wires.
Too long of a moon shot. Generally the T&C are limited to actual loss, like you lost your internet for 2 days so they'll reimburse you for 2 days of bill but not if you lost a business deal. Similarly in case of airline if you missed your game. they're not responsible for the game tickets
Before you go abroad you could notify your bank. Then in period you declared you are abroad they should lower expectation from "in person and ID" to phone call and other means of verification. After that period you are automatically back to normal security.
That is for example how my debit card works. If I want to use it abroad I have to turn that feature on for whatever time I am abroad.
In Europe you have a telephone PIN codes, you have number generators on the app. There are lots of ways to authenticate yourself. IN Europe you no longer need to tell them whether you're abroad or not; I guess the ML algo's that monitor for fraud are so much better than before that this isn't needed.
Losing a bank card isn't as critical as losing a phone # so companies have to act quickly. Think about it - Can you live without your bank card for few days vs living without your #
I think we just need to be prepared for these sorts of things. Travel with cash, your debit card, and one or two credit cards. If you can afford it, have a backup SIM (Twilio sells SIM cards for about $3 and the cost to keep them activated is $1/mo, and nothing more if you don't use it [0]). Use a Twilio or Google Voice number that you don't use for anything else for 2FA or account recovery for services that require a phone number (some providers reject these numbers, but many will accept them).
[0] Full disclosure: I work at Twilio and built the first version of the wireless product, so I'm a bit biased.
Cool. What store? Do all services that provide accounts need physical stores now? How do you ensure the store endpoints are trustworthy, and actually checking said IDs and SIMs?
Use backup verification codes and a recovery email address.
Also, remember the date when you created your Google account. The best way to find that date may be to look at the first email you received in the account.
What you can do with email is move the problem to your most secure account or to an account that you know how to recover under essentially all circumstances.
As I mentioned before that it's just convenience. SMS based authentication is flawed and is also prone to SS7 Attacks but people just do it because it's simple. Nothing in the world is hack proof
Yes, like my mobile service is provided by a German supermarket chain that has outsourced the operation to somebody else, who run it as a virtual network over somebody else's cell network. The nearest of these supermarkets is hundreds of kilometres away, and the checkout operators are unlikely to be of much help.
Problem with a government photo ID, There's no way to verify its authentic besides a visual inspection. I consider them as secure as SMS 2FA. For $200 and someone could get passable ID with your name on it.
That's the key problem that US needs to solve - the businesses don't really have a solid gov't ID system to fall back on. In most of Europe (UK seems to be more like USA as far as I understand) passing on a counterfeit ID to a mobile shop is harder (and more rare) than paying with counterfeit money, the IDs can be checked, employees are required to verify online if that ID has been reported lost or stolen, etc.
I mean, in Europe if criminals want to get a bunch of stuff on credit from some place with a disposable identity, they generally recruit poor/homeless people with real IDs, because that is simpler/cheaper/safer than trying to do it with counterfeit IDs.
SMS hijacking, just as the core identity theft issue is so much rare elsewhere - it demonstrates that it's a solvable issue if the USA wanted to solve it. (in some sense the discussion on identity theft reminds me of https://www.theonion.com/no-way-to-prevent-this-says-only-na...) However, the straightforward way to do that would require a proper single centralized (i.e. federal) gov't ID issued to almost all people, which seems to be anathema in USA.
>In most of Europe (UK seems to be more like USA as far as I understand) passing on a counterfeit ID to a mobile shop is harder (and more rare) than paying with counterfeit money, the IDs can be checked, employees are required to verify online if that ID has been reported lost or stolen, etc.
Can you detail which "most" of Europe you are talking about?
In Italy, while obviously you have to produce an ID card, there is no way that it can be checked online by "an employer", only Police (and Carabinieri) can do those checks, and of course ony for Italian issued ID's, moreover in some other businesses besides SIM card selling where the ID is needed (as an example hotels, AirBnB's and similar, car or tools renting, etc.) the actual employee never had a formal, official training to recognize forged ID's so everything is demanded to the single employee common sense and experience/knowledge (often zero or next to zero).
Particularly with "foreign" or "uncommon" pieces of ID's even if Italian (besides the "normal" ID cards and passports there are a number of other documents that have ID value) it is extremely difficult to understand if it is forged.
In UK AFAIK there is no national ID card, so you are limited to passport and/or (if valid for the scope) the driver license.
Plus Italy's national ID is laughably insecure. It's a laminated piece of paper. I remember when I was growing up I had an Italian friend in the UK who went out to a bar for her actual 18th birthday. When they asked for ID, she showed it to them and they kicked us out because they thought it was fake. It was not.
No, it isn't (anymore), not everywhere, but in spots.
For the record - for a period it was laminated, and then it was forbidden to laminate it (as forgeries were somewhat simpler with the laminated one, though I don't know the details).
Old ID card (paper, large, duration - theorical - 5 years, then extended to 10 years, practically indestructible, i.e. they actually lasted the 5 or 10 years):
New ID card (electronic, credit card size, with chip[1], duration - theorical - 10 years, usually illegible after 2 or 3 years in a wallet unless you use a protective cover):
And whether you get the one or the other may depend on the city (comune) as most will use all the empty paper documents they have in storage before starting issuing the new electronic format.
[1] for which noone or nearly noone has a reader BTW, the whole stuff is somehow experimental, even now that we have an app (Android only):
You can get a federal ID. It's called a passport card. It costs $65.
The US also has the REAL ID[0] standard that requires IDs to meet minimum standards in order to be accepted by the federal government.
If carriers just required a REAL ID compliant ID in order to get a new SIM, and actually checked it via the chip or magnetic strip, I think we'd be good.
You can get a federal ID. It's called a passport card. It costs $65.
Which is usually a really crappy idea when you want to save a few bucks compared to a real passport.
They're umpteen stories of heartbreak and hurt, by people not being allowed to board an international flight, or a cruise which stops at destinations not covered by a passport card.
They're also those that thought it's a great idea to get them for their kids.
With the same consequence. A passport card does not allow you to fly internationally. Not even to Mexico or Canada.
I'm not saying use it for international travel, I'm saying use it as an ID? Literally any American citizen can get an ID card for $65 that is accepted everywhere someone asks you for ID.
If we started taking things a bit more seriously, we could also get that fee down by subsidizing it.
I have a counterpoint from my experience in France.
A few years back I have lost my phone and went to get a new SIM. The attendant in the shop only had a quick look over my ID card. He didn't scan it nor did he enter the ID number in the computer to check anything. I think he only verified that the name was the same as the one on file and the photo looked like me.
The same happens at the post office when you go to collect a parcel / registered mail.
On the other hand, in almost every bar I've been, staff would do a quick check with a pen on every 50 € note they would get, and those notes are fairly common (two cocktails in a random bar in Paris can often cost more than 20 €). I don't know how effective that is in actually detecting counterfeit bills, but there's clearly more effort that what the other clerk did.
The pen contains a chemical that interacts with the paper that's always used to make these bank notes. Specifically it blackens the starch found in wood pulp, and the paper in your laser printer, photocopier, etcetera uses wood pulp because that's cheap. Bank notes use a higher quality paper and so they aren't turned black.
This forces crooks to use more expensive and traceable high quality papers for their counterfeit notes or they'll get rejected in stores and bars.
Having IDs that actually look up to anything at all is a relatively modern idea. When I was born if you suspected a passport in my country of being bogus it'd probably take a bunch of clerks several hours of physically looking through filing cabinets to check.
And where we build systems that can check often people don't. The UK government built a system which lets a driver prove to the government who they are and then get a token value back which they can give to anyone - that token can be exchanged for viewing the government records for that driver. So e.g. hire firms could insist on this token to see you're not disqualified and actually have the entitlements your physical driving license says you have.
They don't. Some of them will let you give them this token reluctantly but all prefer you give them a print out, which obviously you could just fake.
I'm in retail in the UK at the moment. For doing credit, the main way we use is by drivers license. I plug the details into a form at the till and check the face. It does an online check with the DVLA.
I’m not in the US, but the only ID card without a chip that I can think of here is a European driving license, which is just a plastic credit-card-sized thing that is often used as informal verification eg to collect a parcel.
$200 and greater risk of getting caught -- that's still a step forward. Right now it only takes sitting at home spending a few cents to call customer service and social engineering them.
This is not true everywhere. There are Aadhar cards in India where you can confirm your identity with biometrics at any store using government-provided equipment that many stores have.
Does the bar code act as a key to lookup a record in a central database, or does it just encode "I am 21, trust me" without any cryptographic signature?
Unless it's the former it's as good as a standard paper ID as far as forgeries go. If anything, having it machine-readable decreases security as it means the person inspecting it spends less time looking at it and just scans it in a machine.
A sim transfer/ account recovery process should come
with a transition period of multiple days during which SMSs with warnings are sent to the original sim card.
On top of that, one could think of:
A passphrase to authenticate a number transfer to another sim.
I've implemented something like this at Dontport. There are few work arounds but again security isn't something that's on top of traditional carrier because it's a problem with a small set of people
Apps like Google authenticator, or more conveniently, a Google voice number. The Google voice solution works well since it can't be Sim swapped, and can be accessed via email (admittedly, a potential downside).
Well first of all using a password manager should be the last resort recovery strategy. Unlike device based 2FA a password manager allows you to make an unlimited number of backups.
After that 2FA should always be device specific. If you want to do 2FA with your phone then the 2FA challenge should not get sent via an identifier like a phone number that may change owners. Instead you should download a 2FA app that generates a private/public key pair where the public key is linked to your account. That way the only thing you need to do is wipe your phone remotely if it gets lost.
What about setting up two mobile phone numbers for recipients of the recovery code: 123 sent to phone #1 and 456 sent to phone #2? (Phone #1 is yours and phone #2 is your elected trusted partner’s)
Doesn't have to be SO. It can be a trusted friend who knows in advance that you may voice call them in a password recovery scenario (voice calls not via text).
Edit: regarding the "lack of availability" at the point of wanting to reset the password: the urgency of resetting passwords should be considered a lesser inconvenience than the risk of having lost control of your account through insecure 2FA.
(I am simply supporting my original brain storming thought through ... I am not married to this idea in any way or form. Just a thought.)
Seems straightforward, all these phone companies have endless kiosks and offices. Legislate that a phone number can only be transferred by making a confirmation call to the old phone or in-person with a salesperson who is checking ID.
In Europe, neither of these is viable without a complete overhaul.
- There are online-only providers. E.g. Giffgaff in the UK, Mobile Vikings in Belgium, etc.
- Many European countries offer prepaid SIMs that aren't tied to ID. Instead, you can just buy them in the supermarket the same way like you would a gift voucher.
On the contrary, in most European countries, due to anti terror regulations, you now need an ID to buy a SIM card or if you've bought one before this new law came into place you have to send a picture of your ID to the Telecom operator or your sim card gets deactivated.
Not saying I like this or that this is good way forward but it's a reality that contradicts your assumption.
This will do nothing to deter malicious SIM swaps. Someone who's happy to take over your number and then steal your money is also happy to present a fake ID and pretend to be you.
What kind of ID is it? A proper barcoded photo ID that corresponds to a government database? Because with that you can verify that the ID picture matches the one in the government database.
I don't live in Europe, but with Orange, I had to upload a photo of my EU passport (they didn't accept a non-EU passport to extend the lifespan of the SIM card).
Offtopic: those laws seem kind of silly if you can still get a valid SIM for 10 days without any ID. Seems more to be about surveillance than about anti-terrorism.
Assuming that ID gets logged in a database accessible to customer service people, it seems like a database check for IDs and IMEIs would be workable as a way to confirm "sorry, we can't port that number to your new SIM card, the ID card registered to its IMEI doesn't match your old phone number's ID card". You could still do it over the phone, then, since an ID was logged against your sim card when you bought it.
After using TOTP like Google Authenticator since around 2013, I now think the friction needed is just too great. Especially for banks which log you out after 15 minutes or so of idleness. Google doesn't do that.
Not to mention Google Authenticator deliberately prevents these stored tokens to be backed up and transferred to a different device, which makes upgrading devices troublesome.
I wish everyone would start using Yubikeys. WebAuthn is now widely supported by browsers.
Why not use an open TOTP app like AndOTP. I use it all the time for sites that claim to require Google Authenticator, it works, and its easy to backup the secrets as plain text or encrypted with a password. I keep it current on my primary phone and a cheap offline backup, in addition to backing up the encrypted secrets file.
I use Authy on iPhone and Mac. I am looking for an OSS replacement but would not want to setup everything from scratch after I change device reinstall the app like Google Authenticator.
I've wanted to get off Google Authenticator for awhile now, mostly because of the backup-restore problem, also a general trend of limiting my involvement with the company.
Bitwarden does a decent job of storing and syncing TOTP codes. Make sure you always use a long password with Bitwarden though, to avoid a known and unpatched issue with their password-based key derivation.
People recommend Authy. As far as I can tell they rely on cloud sync/backup like any other app in that space.
Isn’t google authenticator not using this on purpose? Central account and sync is googles thing and yet they deem it too insecure. Completely understandable
So how can using a central service that adds yet another attack vector be of value?
What I would love to have is a paper export.
Every time you add a new account to google authenticator you can print it as QR code for later reimport.
Yes many services already provide this for you via recovery codes but having it on a per service basis directly from authenticator is probably much easier to use and not less secure
That sounds good but put them in Authy. That lets you have multiple devices whereas Google limits you to one device.
It's great that people use can use one app for both factors but it seems less secure than two apps.
For example, use Authy for TOTP and LastPass for long passwords. That's two things that have to be compromised. And both of them allow you to have multiple devices (for example iPhone and iPad).
Its great functionality but it reduces your security. Say someone somehow figures out your 1Password password and security key - if you store your OTPs in Authy, your passwords are useless (well, less useful anyway). If you store your OTPs in 1Password, they have the keys to the kingdom.
This is technically true, but the most likely scenarios that result in the discovery of your secret key (128bits of entropy) + master password (?? additional bits) involve things like a device compromise. If your machine is compromised, you’re probably already exposed to things like session cookie stealing. At that point your attack surface is already blown wide open.
The biggest thing 2FA protects against is credential stuffing. If you’re using a password manager and have high entropy site-unique passwords, the additional entropy by TOTP is mostly moot anyway.
Passwords - protect against unauthorized access of my service accounts, and 1Password - can be compromised via logging or breaches or just plain peeping
Secret key - acts as 2FA for my 1Password and thus protects my master password from unauthorized use - can be compromised if someone steals the physical paper on which it's stored
TOTP - protect against unauthorized use of my service accounts - can be compromised if someone compromises my mobile phone or phone number. Highly unlikely someone would spend that kind of effort and €€€ on me though
All in all its a pretty nicely tiered system. If someone gets my master password, they still need the secret key. If a burglar steals my secret key, they don't have my master password. If someone somehow compromises both of those, they still don't have access to my TOTPs and thus can't login into any of my 'cricital' accounts (basically e-mail, hosting providers, finance, etc. etc.)
Now imagine you have an malicious spouse or housemate or whatever: they could easily learn your master password by peeping over your shoulder, piecing it together bit by bit (ha). They have a lot of opportunity to search for your secret key as well. If you put your TOTPs on 1Password, you're boned. But if you have them in an authenticator app, even having access to your password manager means jack because they can't login without your TOTPs.
I know one of the big faux pas is to talk about your security but most of this stuff can be deducted pretty easily so I don't feel too exposed.
Wow that’s awesome! I had no idea 1Password had this functionality so thanks for sharing. I just had a rough time after upgrading my phone dealing with Google Authenticator since I hadn’t realized my Auth info would not migrate along with the rest of my data...
> Not to mention Google Authenticator deliberately prevents these stored tokens to be backed up and transferred to a different device, which makes upgrading devices troublesome.
It doesn't offer export in the app UI. It's not doing anything to prevent you from backing up the tokens yourself; they're stored in the clear in the sqlite database for the app.
>Not to mention Google Authenticator deliberately prevents these stored tokens to be backed up and transferred to a different device, which makes upgrading devices troublesome.
If that were possible then you would face the same problems that reused SMS numbers suffer from.
That is not true. Banks in the EU seem to vary a lot, as the definition of “strong” is not defined (plus many banks have not introduced it yet). Biometric is definitely not required. I use hw tokens but at least one of my banks is trying to move to weaker auth.
I didn't say biometric is required, I said it's normal to have 2fa with friction, an hardware token is just as much friction as TOTP or biometric.
I am surprised your bank is moving to a weaker auth, what does that mean?
I have 3 bank accounts in 2 countries and they all switched to biometric because it's just a simpler experience then the hardware token or "mobile token" they used before.
What absolutely confuses me is.. aren't TOTP authenticators like the cheapest 2FA option to begin with?? No need to have some fancy SMS Enterprise account with a Telecom or pay okta or duo or entrust a bunch of money. It's FREE, all you have to do is implement the server side which is very straightforward.
A cost of implementing TOTP is ID verification at the time the user needs replacement credentials, eg when they lose the phone that had their TOTP secret. With SMS, this cost is offset to the mobile carrier, though as discussed here, carriers have their own vulnerabilities.
A further cost is that they usually require the user to install and set up an app, contrary to SMS.
OTP using an app has a very low adoption rate. You'll be surprised that even on crypto exchange 90% of the users don't have access to any kind of 2FA let alone Apps. Only less than .1% of the users have an app installed. It's not convenient
I wonder how that looks like for bank apps? Banks could (and I’m sure they have) offer their own TOTP client, perhaps a bit more integrated. I’m sure that would be easier and offer a better experience than downing some random. "Google Authenticator" app.
Yes, that works well. My bank has integrated this functionality this functionality into their mobile app, allowing one to use it to login on a computer. When large amounts are to be transferred, the bank-supplied 2FA device is still needed though (which can be annoying, but seems sensible).
This scheme also works really well with payments from your computer. Just use the bank app to scan a qr-code on checkout, verify the payment details on your phone, touch a button, and you're done.
I'd guess that a majority of the bank's clients are using this method. This is in the Netherlands, by the way.
> aren't TOTP authenticators like the cheapest 2FA option to begin with??
They are precisely equivalent to asking for two passwords on login instead of one password. "Something you know" and "something else you know". So pretty much, yeah. SMS may not be especially secure, but it is at least an actual second factor.
My banking app requires a pin (or fingerprint) to read data, and a password to make transactions.
The website requires a temporary code, generated by a card reader and my card. It works like a 2FA code, as I need to _have_ my card and to _know_ its pin.
My brain isn't working right now... Can you tell me why something like google authenticator could not be executed as a website? Does it have to be an app?
Just wondering if there could be an easier non installed version that was always available.
But how do you protect access to the website - with a username and password? Or do people now need to remember another code like "JBSWY3DPEHPK3PXP" to set up the authenticator everytime they visit?
Mobile apps were one way to solve this although the hardware U2F tokens like Yubikey provide another authentication factor in a usable way (and more secure than TOTP because you can't be phished to enter them on the wrong site).
That's right, in fact if people remember that secret then it's not a "second factor" it's just another part of their password. A "factor" in the context of authentication means one of the various ways that can be used to verify someone's identity: "something you know" (password), "something you have" (non-duplicatable object, eg a SIM card or OTP token containing a secret that cannot be easily guessed or extracted), or "something you are" (biometrics).
> in fact if people remember that secret then it's not a "second factor" it's just another part of their password.
This is more generous than it should be. Your TOTP secret is just another part of your password regardless of whether you personally remember it or not; what matters is that, if I would like to be you, I only need to know the secret.
TOTP has a secret which is basically the seed of the calculation. The security basically comes from that secret being only on the phone you have and not being copyable. Moving it to the server removes that proximity. At least thats how i see it, but you could do it very easily server side if you wanted with equivalent security loss.
Having the secret only exist on a single phone is the most secure, but keeping a backup of the secret for recovery if you lose the phone only lowers security a negligible amount if you are careful about it.
If it is an account you set up from home, probably the simplest thing to do is print the setup page before you scan the QR code for the secret. Even better, print the page, and then scan that QR code from the printout. Then store the printout where you keep other important papers (e.g., mine would go in my fire proof safe).
Another possibility is to scan the code on two devices. I scan on both my iPhone and my iPad. Nearly all realistic scenarios that involve me losing both of those at near the same time also involve me dying.
People chasing perfect security by only putting their TOTP codes in one place seems like perfect being the enemy of good. Back up you codes people! Put them in an encrypted file and back that file up in a bunch of places.
Encrypting a file is a bit arcane, but not difficult:
Do you have one encrypted file with all the codes, or do you have one file per code?
I prefer one file per code. When I get a new code, I make a directory named after the account the code is for, save a screenshot of the QR code in there, save a text file with the text version of of the code and any one-time recovery codes the site provided. I then make a .zip for .tgz from that directory, encrypt that, and save a copy in the cloud and locally. The local copy is in a location that is included in offsite backups.
If you use one file per code, I'd recommend using a public key system for the encryption. That way you don't have to enter any secrets to encrypt a new code. You only enter anything secret when decrypting.
This has a few advantages.
1. Less chance of accidentally exposing the key.
2. If like most people you use the same key for all the files, no chance of unknowingly mistyping the key resulting in a file that you cannot decrypt later.
3. If you need to recover a code, you only need to decrypt that code.
If as you suggest you wrap this in shell scripts, you can address #2 there. Have a reference file encrypted with your symmetric key. For encryption, the script can ask for your key and verify it was typed correctly by using it to decrypt the reference file.
Also worth considering is using an encrypted disk image. I believe that all major desktop operating systems provide reasonably easy ways to create, mount, and dismount such volumes. Whether you use one file per code or all codes in one file, the file or files can live on an encrypted volume that you only mount when you are saving a new code or recovering an old code.
The advantage of that is that there is no need to use any arcane commands or install any extra software.
Having a simple encrypted file means you can stuff it on an online backup though. The point is to have the keys stashed in several places so the loss of any one or two devices doesn't lock you out of your life.
I prefer keeping it as simple as possible since the consequences of screwing it up are a whole lot of hassle and possibly being locked out of some accounts forever. One downside is when you add or change a code you have to update all of your backups. A second script that syncs all of the backup files is also helpful to have.
I could see Apple offering 2FA as a core feature, at least on iOS.
In fact, Apple should redesign Keychain into a user friendly, 1Password-lite product with 2FA built-in (1Password offers this too) or as a separate app that works with Keychain.
iCloud Keychain is already a better-than-1Password 1Password-lite and 2FA itself for your Apple id is built into iOS and macOS. I think the limiting thing there is desktop Safari - you don't really notice the full integration unless you're using Safari on macOS as well.
Yes, super annoying. Now I can no longer get into my Apple Developer account without walking to my development mac I use to run xcode builds (for a react native app), since for some bizarre reason the only 2FA they support is their own which requires Apple hardware.
It's bad enough their development toolchain requires you to buy their hardware, now to log into their websites you also have to buy their expensive hardware.
It depends. If your iMessage account is tied to an Apple ID used on multiple devices with 2FA enabled then the code is sent to one of those other devices to validate the login on the new device. So if you are fully in the Apple ecosystem and have 2FA enabled then I believe it would be secure. I know I get alerts on my other devices any time I have had to re-add my phone number to an Apple ID. It tells me my phone number is now being used on another device. So at the very least you would probably be notified.
iMessage is only tied to an Apple ID for the e-mail part (where they can send iMessage to your e-mail). The phone number part is independent of that and you can take it over provided you prove ownership of the phone number (by inserting the SIM into an iPhone, it'll send an invisible SMS to Apple and back and that then activates iMessage on that number on that new device).
I think there’s an SMS sent without any visual indication and without asking for explicit permission (or I missed it if there was a tiny text warning). I noticed it when I saw an SMS, in my bill, sent to a Singapore number which, as an international SMS, was changeable (SMS is mostly free here).
My understanding is that you don't even need to do a SIM swap, because the SS7 signaling system is insecure. SIM Swap is likely the easiest way as wage-slave employees are quite pliable to bribes[0]. But if you want to be even more anonymous, you can apparently re-route texts remotely [1].
Yep, the security problems with the mobile system are ghastly.
- Stingrays...
- Operator app pushes to SIM cards...
- Secret GSM processors and software internals
- Voice / text / data "ciphering"
- Protocol-level "emergency" tracking features
- Silent SMS (sounds like its from a bad cop show but its actually a real thing it turns out.) "They do not show up on a display, nor trigger any acoustical signal when received. Their primary purpose was to deliver special services of the network operator to any cell phone." -- sounds like it has a completely legit use...
The list goes on. It's enough to make anyone want to get the tin foil out. But at least in this case there's a simple and clear recommendation: --not to use 2-factor auth by SIM--.
The original purpose of silent SMS was to send voicemail or missed call notifications to handsets, which would trigger an icon to be displayed on the device. Sending a regular SMS would be annoying as the user would have to delete it - after you've listened to your voicemail, another silent SMS can be sent to turn off the notification. Also originally SMS was stored in the SIM itself which had limited memory, so it would be not be very convenient if you didn't receive a voicemail message as your SIM was full. Remember this is a 28 year old feature of GSM.
The tracking argument seems somewhat mute, maybe when this first came to light 10 years ago it wasn't the case, but nowadays I would be very surprised if operators do not keep detailed logs of all the IMEI (unique identifier for a given device) and IMSI (same, but for the SIM) that connect to their towers.
The SIM Swap would seem to be a bit more accessible to the average fraudster. Hacking SS7 apparently requires setting up a "hub" and obtaining a carrier license from a lax country. That is, until we get to the bit about "illicit merchants offering ‘Connection-as-a-Service’ to such hubs."
Carrier license sounds much more involved than what it is. It's not uncommon to sell full SS7 access to companies that are not operators in the regular sense.
If people knew how telcom (and the internet) was held together with bubblegun and duct tape...
Multiple proposed fixes and replacements to SS7, to the best of my knowledge none of them are going anywhere. And even if it was pushed hard, it has to be a global thing.
More than that it's the amount of work and cost. Average consumer doesn't care about it so why fix something that's not broken. People won't pay more for it
I am pretty sure this is how they got Bezos' texts. All you need to do is register a CLEC and then you can get your official hookup to SS7. My experience isn't with messaging but I'd imagine if you bid* to deliver messages to a certain area much lower than other carriers, you can target people.
* Bidding doesn't happen in real time, but you can tell carriers your "rates" so to speak.
In the future, the term SIM Swap will likely be replaced with something like "SIM identity theft" so that banks and telecoms are not liable. Then we can all buy SIM identity protection.
Not in Russia. Numerous examples exist when victim's number was linked to attacker's sim card to obtain 2FA code, then linked back to victim's sim so he does not notice anything.
This happened both by government-linked parties, where they are able to coerce providers to do it, mostly targeting prominent political opposition members. It also happened without government involvement, done by provider's personnel with sufficient access and some entrepreneur attitude.
The rule of thumb to protect against it:
- do not use SMS 2FA
- if you do, use a foreign SIP number with SMS capabilities
- if you HAVE to use local sim, use SIM that belongs to someone else and noone knows you use it
Just google for "форум пробив" and you will find black market for accessing any kind of information, including SMS, phone location, etc and associated services for hacking accounts (VK, Gmail, etc). You don't need to be a government, it is open for everyone.
That type of service can allow the attackers to access SMS contents, but not from swapping numbers back and forth between SIM cards. And without it, the victim will know he is being attacked.
It's also important to know your threat model. Namely, random attacks versus targeted attacks.
Shitty 2fa will still deter people who get a list of a hundred million emails/usernames and passwords and try them on banks, Twitter etc from putting in the extra work to break into your account specifically.
If you expect targeted attacks - from governments, because you oppose them, from determined criminals, because you have a lot of nice stuff to steal, or from people around you, because you know too many assholes - maybe it might as well not exist, but for most people, most of the time, any 2fa is better than none.
> if you do, use a foreign SIP number with SMS capabilities
Any good providers? I've tried Twilio SMS forwarding, but different services (e.g. Steam) reject it for 2FA since they're pretty much considered throwaway numbers, I suppose there's some sort of blacklist
For UK numbers lookup Andrews & Arnold. They have mobile numbers from a national carrier's numbers block so no way for them to be flagged as VoIP. They work fine with both calls & SMS.
I've had a lot of luck with Voip.ms as a provider for short-codes. Their wiki states that they cannot guarantee they work (which I take no surprise in), but I don't recall having one fail since they rolled it out. I've used it for Signal, Whatsapp, and more that I'm sure I've forgotten. Even better, SMS is forwarded to email - available from my desktop or phone.
I want my things protected by a human with a process to unlock/reset/.. given some kind of proof of identity.
Because with 99.99% certainty the person that needs to unlock the account is me, and not an attacker.
Even with a dozen backup yubikeys and spare codes written down I’d still be much more likely to lock myself out than be attacked.
If it’s one thing I have learned the hard way it’s that the most dangerous person in the equation is myself. I won’t trust myself with any kind of security.
> I want my things protected by a human with a process to unlock/reset/.. given some kind of proof of identity.
Anytime you have a human in the loop you have the risk of human failings. I.e., that human forgets to follow critical step X in the protocol. Or that human falls for the attackers emotional sob story and takes pity on the attacker and lets the attacker unlock your account. Or that particular human is amenable to bribery to obtain the outcome the attacker wants.
In fact, many sim swaps have been reported to have occurred because of "human at cell phone store did not follow protocol" or "human at cell phone store was taking bribes".
So having a human in the loop is not an absolute solution to solving the problem.
> Anytime you have a human in the loop you have the risk of human failings. I.e., that human forgets to follow critical step X in the protocol
This is exactly my point. If the risk of an attack is X, the risk of me being that person who fails or forgets a critical step of the protocol (backup yubikey, whatever) is a hundred times higher. So this system of “flawed humans interacting” to me looks like the lesser evil.
I don’t want my things protected by foolproof protocols. I‘m the fool you see.
Bingo. This is why crypto currency won't take off without more humane tech being inserted into the process. People aren't robots. We want many many ways to un-screw ourselves when we inevitably screw ourselves.
That's why I'm bullish on things like Shamir's Secret Sharing and other social recovery tools.
That's how https://jmp.chat/ works, and you can make your phone number as arbitrarily secure as you want with JMP.
Any port-out requests are handled manually - you are contacted by a human to ensure that you made the request. You can ask them to put a verification code on file for you to confirm when this happens if you're concerned about the security of your XMPP account (which itself could use whatever kind of authentication scheme you like).
In practice it seems to work fine with the banks I've tried. There may be one or two that don't accept numbers whose type is listed as "voip", but they are in the minority.
There is also work being done to update the type field of JMP numbers so they appear as "mobile" instead.
Note this is a pretty recent movement in banking security, several months or so. E.g. Wells Fargo did work previous autumn, not anymore. More can be googled.
Type field is interesting. Not sure this can pass the radars for too long though.
Yup, I have the same misgivings. I hate getting locked out, but at the same time, I'm pretty paranoid and want secure passwords, don't leave copies of them around.
So I've been working on a backup plan. Current incarnation is to use a simple Go cli tool with Shamir's secret sharing algo to break a password into N/M shards. The user can then do whatever they please with the shards, give some to their family, friends, attorney, make a pirate map, get an rfid chip, anything you want.
Even with a dozen backup yubikeys and spare codes written down I’d still be much more likely to lock myself out than be attacked.
I am not sure this is true. Most people regularly get phishing e-mails and apparently fall for it.
SMS and TOTP (due to the window of time the TOTP code is valid) only provide limited protection against active phishing attacks, since phishing site can 'proxy' the the SMS/TOTP code besides the password.
I think I would prefer losing access to an account (since I make backups of critical stuff anyway) than my account getting compromised, which could lead to identity theft/fraud, etc.
My ideal solution for an ultimate reset/unlock solution would be to show up and have my DNA sampled. Impossible for me to lose the reset key there, and with appropriate DNA extraction procedures, it is nearly impossible to spoof.
I think requiring you to be physically present and having a human take the sample in a prescribed manner serves as an effective 'password' - unless it's a live sample, the DNA is useless.
I think there's a misunderstanding of what is possible with DNA[0]. We take DNA from dead stuff all the time.
I will agree with "you have to be physically present" is good enough password. This is Yubikey, which works fantastic. The problem with DNA is when it is compromised - you can't throw it away/change it without exorbant effort (bone marrow transplant? and then you're simply taking on someone else's identity? is that identity theft?).
I think people are misunderstanding what is being suggested here. The idea is that, for example, to unlock your bank account, you have to go to the bank where trusted bank employees will extract your DNA and have it sequenced, resulting in you being given access again. Others cannot spoof being you in this scenario because they cannot implant your DNA in themselves.
Carriers have already demonstrated their complete across the board failure to have appropriate security procedures. Your DNA isn't hard to find, you leave it literally everywhere you go.
And do you really want mobile carriers creating a DNA database of their every customer? The same companies that already sell your location data to bounty hunters?
This is where countries like India are going with Biometric Auth plus 2FA (though the implementation has issues). The government provides a public API for sending fingerprint or Iris scan data plus SMS 2FA to authenticate identity with a cost.
Worth noting that this is just for US and for prepaid SIMs, from their paper
“We examined the types of authentication mechanisms in
place for such requests at 5 U.S. prepaid carriers—–AT&T,
T-Mobile, Tracfone, US Mobile, and Verizon Wireless”.
It doesn’t mean that for the rest of the world SMS 2FA is completely secure, it’s just a lot more difficult (or impractical/impossible) to do a SIM swap so easily.
As mentioned in another comment below, SS7 vulnerabilities are another attack vector, globally available and without requiring a SIM swap.
These 5 carriers were studied, but where's the evidence that any other carrier is any better (or that you're any better off as a post paid customer of AT&T, T-Mobile or Verizon)?
MetroPCS (prepaid MVNO now something like a subsidiary of TMo) required the 8-digit PIN on the account in order to change IMEIs. A bot would take down all the info, then if/when it was to a phone you'd never used on their network before, you got put on hold to wait to talk to a human and provide your PIN and new IMEI all over again. Then you'd hang up, power off, and move your SIM. But that was ~18 months ago, before it became "Metro by T-Mobile", so I don't know.
I thought this was going to be one of the otherwise-plaintext black and white web pages with <h1>NO.</> centered in the middle, but interestingly it's actual research, and a nice read (even if nothing new) at that.
If it's nothing new then why do people keep saying it's better to have SMS 2FA then to not have it. The research says "websites should eliminate SMS based MFA altogether".
Have you seen the prompt system, as used by Google, Micosoft, Okta, et al.?
In my strictly personal opinion, responding to a notification that asks if a login attempt is you is clear enough that people need minimal training to make use of it. This might just be me, though.
In my career, I've definitely seen people actively choose SMS over other factors on offer. It was easier for them, and in many cases shouldn't have been offered. Your point about SMS being better than nothing is wise and true and insightful, but it's perhaps not always the question as faced in practice.
They (and similar corporate 2FA solutions like PingID and similar systems used by banks) basically assume uninterrupted access to the internet which is generally a poor assumption. It often breaks down when you're traveling either due to network or roaming issues just when you desperately need access.
In all these situations, I've found companies which offer a back up SMS option very valuable since it usually gets delivered.
I'm pretty sure the Microsoft authenticator has a backup TOTP token you can have it display if you have issues receiving the notification. It is quite a user friendly auth scheme, at least I've never had to resort to any kind of SMS backed auth.
In my opinion, that sounds like precisely the sort of system that should not offer an SMS fallback unless the goal is to create a false sense of security in the user. But YMMV, I don't generally need to access my online banking applications when I don't have useful internet access.
I tend to use TOTP for systems where I'm concerned about offline usage. But again, YMMV.
Yeah, and my local walmart has a section where there is no network coverage; I was browsing the store and wanted to check something on my bank app; it prompted me for SMS code, which I didn't receive because of no network; & I would not have received the Google prompt if I needed one for the same reason.
It's been my experience that it's often reasonably clear to users that they did perform a login themselves in the past few seconds. Adding an approximate location and a short verification token to the prompt generally helps.
Your experience and standards of clarity may be different from mine, obviously.
This is really a criticism that Google called their system 2FA but actually was using it as a sole factor. That's bad security and bad naming. Had they actually used it as a second factor, then you would have seen a security benefit.
Well if that's the case they could still offer true MFA. Make at least SMS 2FA mandatory but offer OTP/token based MFA.
Obviously banks are a place with a lot of low-value targets and a few very high-value targets, but the cost to implement MFA is the same so they might as well do it.
Because they want your phone number. They are more and more used to link to identities, as people tend to keep (and port) their phone number
Hint: if a store ask for a phone number to get a discount, try the local areacode then 634 5789. This is from an old song, and many people seem to have created "anonymous" account with it!
It uses the SIM to implement a challenge-response mechanism where a PIN is prompted by your phone.
While not perfect, it's vastly better than using SMS, without being less convenient.
I don't know if other places leverage the fact that SIMs are smart cards which are perfectly able to perform this kind of stuff given the proper infrastructure.
if you get a SIM replaced after providing proofs of identity, residence and biometrics, it would get activated after few hours.
The kicker is that it wont get SMSes for 24 hours after the SIM is activated.
In the US, won't it be cheaper as well as secure to get a virtual phone number from Twilio for purposes of two factor authentication? (In India, there is no service at the rate what Twilio offers, but there are some which charge around $30-$40/month for virtual phone numbers with incoming SMSes)
Airtel also makes you to accept that SIM Swap request on old sim if you are not coming in person to a store with ID documents; most of which is Adhaar number verification.
Presumably there's an applet in the SIM card that holds a key pair and allows you to sign stuff by providing the SIM PIN. You interact with it via STK which is an old standard allowing SIMs to tell the phone to draw rudimentary UIs and ask the user for input.
I'm not aware of the details, but I imagine something very similar to EMV payments.
The only difference is that you need to register your SIM with the service beforehand, using a reasonably secure process. Banks make you use their own MFA before you can enable Mobile ID (and no, it's never over SMS).
...which is not as secure as a unclonable totp system
...which is not as secure as a hardware token based otp system
...which is not as secure as a hardware token that also requires you enter a pin and a fingerprint to activate it and only communicates using hard coded encrypted messages with the legit service that issued it.
To defeat the Authy account recovery process, you need to perform an active SMS attack (SIM swap, etc) and then prevent the target from seeing the recovery warning emails for 24 hours. Therefore, Authy customers should only tell trusted people that they are going on a weekend off-the-grid camping trip.
The big benefit of SMS for the website is that it outsources the problem of lost 2FA tokens. What happens if the user loses a yubikey. Or changes phones and did not back up their TOTP. With SMS authentication, even if the user loses a phone, they can go down to the local cell phone store and get a new phone on their number and be back in business without the website having to get involved.
Joking aside, I've moved almost every 2FA to hard token, soft-token, or google voice. But the root of trust is still LastPass & Google. I don't see an easy way out of dependency other than power of attorney. Even worse: I worry what happens to my protected assets as I age and possibly face memory loss.
Bad idea: google will disable your google voice after some time of not logging in.
I got bitten in a bad way!
Hopefully twilio will start creating "recognized" numbers someday, as my twilio number is unusable for TOTP. There seems to be a blacklist of all twilio voip numbers.
I read an article here some time ago that banks take no responsibility if they lose/destroy the contents of their boxes as someone learnt the hard way with precious family possessions.
github & gitlab require you to register a TOTP authenticator app before you can enable U2F (presumably to avoid manual resets, although they don't say)
google's enhanced protection requires you to have 2 distinct yubikeys to sign up
I agree. "SMS is not 2FA-secure" implies SMS is not suitable for 2FA at all. In reality, SMS 2FA is still very valuable to most people, even though it's not secure enough.
Just use a token like yubikey. I have a small fleet and am very happy with the decision.
The only problem is there are very few services that get it right. Get it right means support multiple tokens and allow to truly disable any other means of logging in or recovering the password.
Most services seem bent on allowing many ways of logging in without giving a choice. For example, they will advertise they use 2fa tokens but then if you can't produce one they will still allow you to log in with SMS or mail (ie. password recovery by mail). Facebook will not even let you set up tokens without having SMS set up as a factor and the phone number verified.
I hope slowly developers will get more aware and they will be better tooling (and stack exchange answers to ctrl+c ctrl+v...) to do it correctly.
True, and this is the reason I instead direct friends to options such as Authy or Aegis which allow the use of more than one device.
Unfortunately my bank (ANZ) and my government's online platform (myGov) in AU both have dedicated OTP apps which only allow single-device installations. When I lived overseas, my bank in Germany also had their own dedicated OTP app but they allowed installation on a backup device as well. Much better.
Only if they neglected to offer backup codes (which anyone who does TOTP should).
Otherwise, you can just grab a few backup codes out of your fireproof safe and register your new totp code, or go to the bank and get them out of your bank vault.
Sure, the fireproof safe costs as much as a few yubikeys, but if you go the yubikey route you both need the yubikeys and a fireproof safe and bank vault for your spare yubikeys too.
Don't use text file. Use regular piece of paper, put it in tamper-evident envelope and keep register with events regarding envelopes.
When you take something from envelope, note the date, the why, the number of envelope you opened and the number of envelope you then put the piece of paper in. Every time you open envelope check with the register that the numbers agree.
And yet my bank (Chase) only supports email and sms 2fa with no option for OTP/TOTP. Is this just a institution dragging their feet or are there more regulatory reasons why they won't allow more secure authentication?
At least they offer codes via email. I can (and do) secure access to my email account and domain registration with a very long password and a Yubikey. That’s “good enough” for my purposes.
Absolutely, a state-level opponent could get up to some shenanigans though I would argue that a state has much easier methods to go cracking into my Visa card. My threat model doesn’t include nation states targeting me specifically because, simply, if one comes after me I am screwed anyway.
As for email being unencrypted, I think most of it now is encrypted during transit (thanks to the Big Two providers knocking points off a spam score if a message does come via TLS) and even if it weren’t the password is also not known so the second factor is not useful. For example, I just tried to log in to chase.com and the code they emailed me at 1752 MST is 067315.
If I’ve been phished so hard that posting this is useful, again I’m screwed.
For anyone who wants a US bank with TOTP, schwab works! I was pleasantly surprised to discover this. It uses some symantec stuff (as did paypal earlier), but it's TOTP underneath and can be used with any TOTP app.
Port a number to GV, it will work, but you are at risk of losing it if you don't log in often enough. I lost an important number that way (along with my grand fathered free google apps account for my domain)
In a previous company, one of the employees enabled 2FA for their staff account (it was mandatory), stored the backup codes on his phone (presumably as a photo) and it fall in the ocean the next day.
With large enough numbers, you'll see everything, but you don't even need large numbers to get people whose lives are made more difficult by technology.
Yes, that is exactly what I want. Life should be much more difficult without the TOTP and backup codes, so much that it takes a great deal of resources to get around it, if at all possible. Maybe even providing heavy documentation such as a Facetime call with various proof so that fraudulent actors are sufficiently deterred.
Dude. If somebody wants into your account specifically, they’ll get into it. 2FA, specifically SMS based 2FA, is really about the provider getting mass compromised because people recycle their password across all their sites.
It great for keeping people using scripted attacks against a huge list of accounts. It isn’t really to keep people specifically after your account out.
If somebody wants your shit and specifically your shit.... they’ll get it...
> If somebody wants your shit and specifically your shit.... they’ll get it...
How? I don't think Brian Krebs has been hacked, even though he's extremely targeted by hackers (his site is literally the benchmark for performing DDOS attacks on).
In a previous job I implemented a recovery page with a long random key (also posted as a QR code) that you could print out and use as an emergency password reset if ever required. You'd scan the QR code and it would take you to a page where you could set a new password directly.
This, coupled with a "I know what I'm doing, never let support reset my password" option that disabled changing the user's password for anyone without direct write access to the production database was pretty good for security, I feel.
There is a reason for that, most average Joes just can't handle the technology. You can change OTP-SMS in Banks for TOTP, but it involves more complexity and probably it will be more prone to user errors.
Configuring the seed, remembering an extra password to use the OTP... For me it's not that hard, but probably my mom will need some help in order to remember all the steps...
DontPort.Com - I built this to fix this. I've been a victim of this 4 times and was too much frustrated. Unfortunately Sim swap is only one way to get your 2FA but the risks are much higher which I am working to solve one by one
You know what's funny? LinkedIn is supposed to be a 'professional' social network (Microsoft owned) and a friend of mine was asked to add a phone number 'For security purposes'. I knew this was suspiciously involving 2FA SMS + a bonus of spam callers and I told him to press "Not Now". Whilst the world is moving to U2F and time-sensitive codes, a security system using SMS 2FA is now equivalent to a single PC running Windows XP in a bank.
But its not just LinkedIn. Its a huge list of major companies including some FAANG ones too. Oh dear.
Not true. Not true by far. That's an over statement. 2FA is only one of two factors, you need the the password, you need the mobile number and you need to obtain a duplicate or being close to your victim.
You should be worried if you are a POI or you are being targeted personally. And if it is so, SIM Swapping it's just one option and if it doesn't work there are other methods (breaking in, stealing yubikeys, mobiles...)
LinkedIn is absolute scum in that regard. They pestered me for my number for ages until eventually they finally implemented TOTP 2FA which I then enabled.
They still ask for a phone number when applying to jobs through their platform. I always put zeros or random digits in the field and put the real one in the resume.
All of this happens because we've outsourced digital identity to the telecom companies. Telecom companies are not competent at establishing identity. It's not their job. There is only one entity that is the real root provider of identity and that is the government.
We are never going to get the benefits of digital identity until the government wakes up and brings its services into the digital age.
Definitely not. In my home country the banks use SMS 2FA.
It's a complete shitshow. Occasionally syndicates manage to get both sides of 2FA lined up (insiders) and clean out someone's account.
Then the bank says not my problem - you didn't keep your password safe. And the cell provider says not my problem - not intended as security mechanism. Leaving the customer poor and sht out of luck.
Want to point to the Google blog article about the effectiveness of different 2FA techniques. SMS is between 76% targeted -100% autoamted bot effective.
I don't really trust Authy being used as much as I think anyone else would. For the sites that I have used it with, an Authy account, or just the app is not required. Therefore codes are just sent over plain SMS.
Consider this scenario. Twitch now enforces the use of all accounts that want to stream all require the use of 2FA, after the whole artifact fiasco. Anyone over the age of 13 is able to do this. I don't expect everyone at this age to have a phone number, and I assume these people would rely on their parents phone to pass this.
As authy is completely optional, people may choose to not require another app for their account, in effort of just quickly jumping through another hoop blocking them from going live, or the device owner not wanting to have an app installed.
It just feels weird knowing that this can be a point of failure for a service that solely relies on a single 2FA method that could from an attack like this down to the individual and how they operate.
Touch ID and other biometrics are enforced locally.
The device is first enrolled, the website gives the device a secret value which the device can put in its secure element. When needing to authenticate again the device checks biometrics locally and if correct then the secure element releases the secret value which is then either passed onto the website or used as part of a challenge-response authentication.
This means if you lose or reset your device you can't get back in despite having the right biometrics.
Yes, that's a security feature. It's also true for Google Authenticator, by design. You cannot officially back up/share codes because of the potential vulnerabilities that a backup would open up.
Yubikey has the same problem you describe. If your key stops working, you'd also be locked out. Yubikeys can spontaneously stop working in my experience.
To mitigate this, sites like login.gov allow you to add multiple devices, so you can have it on e.g. your laptop and your phone, and yubikeys if you'd like. I generally do all three for important sites (or multiple Yubikey when touchID is not offered).
Anyway, my point is that offering TouchID makes a more secure 2FA very, very convenient for the average person. I'm just surprised more developers haven't offered it even though it's been in Chrome for a couple years.
Using a few old Google accounts, I experimented with Google’s account recovery options and discovered that if a Google account does not have a backup phone number associated with it, Google requires you to have access to the recovery email account OR know the security questions in order to take over an account. However, if a backup phone number is on the account, Google allows you to type in a code from an SMS to the device in lieu of any other information.
This relies on carrier cooperation. Given they are the ones that caused this shit-show in the first place I wouldn't trust them to make it right. An insider capable of SIM-swaps would also be able to override this mechanism.
The sad part about all of this is the complexity of the new solutions. Webauthn is strong but fiendishly complex. How did we get here?
Websites used weak hashes (md5 and sha1... efficient to compute and attack) to store passwords and allowed users to set short, weak passwords (12345, letmein).
Long passwords randomly generated by password managers and stored as strong hashes (Argon2id) by websites are secure, not guessable and even difficult/expensive to attack offline when the database is dumped.
This approach is simple and easily understood by everyone involved (users and site admins) and would be suitable for the security of 99% of websites. Leaving 'Account Recovery' as the only remaining challenge.
This research doesn't seem complete; particularly the use of a phone number for authentication, that isn't SMS.
Facebook Messenger uses a phone number either tied to your Facebook Account, or identified as the phone number on your mobile device, to immediately log you into a Messenger account, with zero authentication. They literally ask you "Is this your account?" and you just click "Yes" and you are in that account. Even if it's not yours.
If you use prepaid phone numbers, or link one to your account, you can often get into Facebook Messenger accounts that aren't yours.
The odd thing about SMS 2FA is the amount of critical services that rely on it as the only method of extra protection.
You want your: bank, utility provider, entity-that-has-lots-of-personal-data-on-you to offer other secure options.
This might be a costing issue though. When your customers number in the millions, your call center is probably handling thousands of "im locked out" issues per day and these need to be handled in x-minutes. Other security options might cause the time meant to handle these scenarios to increase and SMS is generally 'simple' compared to them.
The only good solution at this point is to legislate cell carriers to make SMS more secure. Everyone perceives it as secure, everything uses it for auth, and it aught to be secure for its own sake.
In Turkey if you change your SIM card your bank is notified and you cannot login to your bank account. You have to re-validate yourself with a long phone call and re-create a new password.
Word of warning if you know somebody who uses Bank of America: their customer support has a mechanism to push you a 2nd factor code over SMS and then they actually ask you for the code over the phone. The text message looks 99% identical to the 2nd factor code you get when normally logging in to your bank account.
Support does this to 'verify your identity' and authorize doing arbitrary things like even moving $100,000 out of your bank account.
Ran Bar-Zik, from Israel, created a technique to hack most voice 2FA by using a weak voicemail password. It was largely used in 2019 to hack Brazilian politicians, including state ministers. The hacked telegram messages were passed to Glenn Greenwald, linked to Assange.
It would be nice if the carriers allowed you to specify you wanted to restrict SIM swapping. When I lost my 3 SIM to get the number transferred to a new one I went to a 3 store with my passport. I'd be fine with that being the only method they'd allow.
The amount of knowledge one needs to port a phone number is unbelievably little, and peoples very nature to be helpful works against us. Up until maybe just very recently you needed the account number of the phone number and the last four of a social security number... sometimes, just the account number. Also, the last four of one's social security number is perhaps the shittiest way to authenticate _ANYTHING_. For many years, a lot of sites online would show you the last four of an account holder's SSN (and some places still probably do) if you have an email address, correct name, and phone number or physical address.
Getting the account number would likely be even easier thanks to helpful store reps... Just go in and make up an excuse why you need it or forgot it, it's like "social engineering 101" because it seems so benign to most people. You already know the name, address, and phone number-- you just "forgot" your id at home... Or one could just listen to them call each-other write down their info and then call another store.
With those two things in hand, the phone number is pretty much the attacker's, and getting it back would take more than enough time for extensive amounts of damage... ESPECIALLY if that is the only line on the account (or they took all the lines)... I'd guess a bare minimum with near immediate recognition of the real problem (your number heisted) and police involvement, probably a minimum of ~12 hours.
So, if phone numbers are so bad why are they ever used? IMHO, that's because they aren't to provide security, they're to provide easy tracking between your virtual life and your physical one. You're only securing the businesses data pipeline, not your personal data.
If you want 2FA (and everyone should) use Google Authenticator or a Yubikey... or whatever I'm not trying to shill brands just ideas that work.
Unrelated -- I love how the domain name is literally the average Google query for when this becomes breaking news. Clever to make your domain name a literal Google query if you want to spread an idea...
Now I only need to find out on which ones of my 200+ accounts this feature is enabled… Honestly, it would be easier for me if the EU just made it illegal, forcing services to disable it for me.
Why? It's not "secure" but it's more secure than nothing.
The paper mentions some websites that claim to use SMS 2FA, but actually use SMS as a single factor for password resey. While that's really bad I think the solution is to fix those broken implementations not to stop using SMS 2FA everywhere in favor of using nothing.
This is my conclusion too. A payg that you recharge with cash, so it is unliked to your name in the telecom operator databases is the best protection against rogue employees.
What's with all the redacted entries? Without some context, I assume that these are companies that threatened some sort of legal action if their name was published?
They say there are 361 sites pulled from TwoFactorAuth.org's list of sites, and they were able to access 145 of them.
In describing the set they initially drew from, it seems like they've described the 17 redacted sites simply by describing their complementary set (the 128 sites that are secure).
I wish more websites (and other application protocols) would support client-side certificates in addition to the username and password for authentication.
Where were these five providers based? Was it just in the US? I wonder if the controls are more stringent; my suspicion would be that they are in Europe.
Not sure why you're getting downvoted, I hadn't heard of this before and found it quite amusing as well as somewhat relevant to the topic, although a blanket statement providing not much value.
My vote would just be not to vote (neutral). There is certainly more (in)appropriate stuff to downvote.
People always focus on SIM swaps and signal security, but neither of those apply to Google voice numbers. So in the context of Google voice, is there still any reason to not use SMS 2FA?
I don't know, all I know is I can't receive BoA 2FA SMS on my Google Voice number. This is what BoA says:
>You are consenting to be contacted at the phone number selected for the purpose of receiving an authorization code. If you selected text message, Wireless and text message fees may apply from your carrier.
Supported carriers include: Alltel, AT&T, Cellular One, T-Mobile, Virgin Mobile, U.S Cellular and Verizon Wireless.
Although I just remembered this person on Hacker News replied to me 1+ year ago that their Google Voice number does work with BoA 2FA SMS, so maybe it's just my specific GV phone number?
When my gf lived in Malaysia, she added her phone number to FB and forgot about it. Years later, after having moved back to Vietnam, the number was recycled and someone was able to use that number to gain access to her FB account and reset the password.
Getting access back to her account took a bunch of steps, including adding her current number.
The interface for FB really makes it seem like you might lose access to your account if you don't provide them with your number. Even better is that FB exposes a small list of your friends (and the total count) of everyone who has given them their phone number.
The article says "We found 17 websites on which user accounts can be compromised based on a SIM swap alone", that seems like a pretty clear indication that it can be worse than nothing.
I happen to think the benefits of SMS 2FA, even when working as intended, are negligible. It seems like a bad idea to waste the finite amount of developer good will we have asking services to implement it.
Literally the only attack that SMS 2FA has any impact on is credential stuffing, and even then it's debatable. Credential stuffing is using the credentials stolen from one service to compromise another. If you don't reuse passwords, then you don't need SMS 2FA.
If you do reuse passwords - then it seems impossible you're not also vulnerable to phishing. After all, you're already willing to hand over your credentials to anyone who asks. SMS 2FA is not a solution to phishing, as the tokens themselves can be phished.
If you can compromise the account, based on a SIM swap alone, then that site has 1FA (The phone number).
2FA requires you to have 2 factors at the same time.
e.g. When I log onto amazon from a new browser with valid username+password it additionally requires me to confirm via my phone number.
1or1FA (e.g. reset your password via SMS if you forget your password) is just increasing the attack area on 1FA (would be more secure without it).
Problem it's trying to solve, is that it's conventionally unacceptable to lock people out of their accounts.
Did we ever seriously doubt that? 2FA is just a made-up reason to have your phone number anyway, all the services that require that don't really want anything other than that.
HN seems to be getting a lot of these submissions lately where the question asked in the title is the same as the domain name. Sometimes the content of the page doesn't even answer the question.
Feels like some kind of spammy PageRank manipulation going on. I'm happy to be wrong about this, but I wanted to see if anyone else has noticed. Maybe I'm just smoking crack waffles again.
Most notably: AT&T and Verizon both use call logs to authenticate SIM swaps from people who don't know the account PIN; requestors are asked to list recently made outbound calls, or in some cases inbound calls. A targeted attacker can trick a customer into making a known call (or, obviously, can simply call the customer to make inbound call records), and then authenticate with them.
AT&T uses billing statement data as a factor. But the research team was able to "spoof" billing statement data by purchasing prepaid refill cards and applying them to a target's account.
The report also identified a bunch of online services for which SMS was used not just as a second factor but, through account recovery, as a sole factor, meaning you're substantially worse off with SMS authentication than you are without it at those services. The reality is probably worse than the report highlights, since a lot of account recovery processes are informal and ad-hoc, and can be socially engineered into relying on SMS.