I work as a sales rep in-store for a telco. From a security perspective, it's ridiculous.<p>We use computer monitors which customers face from the same angle as us. I'm sure someone thought it would make the retail scenario more inclusive, but security-wise it's a mess. I can't verify account details without pulling up those same details for the customer to see. So I ask people for their details, click the button, and cross my fingers that they're right. If they're wrong, what then? They might legitimately not have known whose name it was under. It might be under their dad, mom, partner or business's name. Doesn't matter, the system has absolutely no design affordances to allow multiple people various levels of security privilege in accessing and altering accounts which are used by more than one person.<p>Furthermore, we have no organisational clarity about access privileges. Everyone makes up their own standards. Some people in the company are very strict, and won't do a SIM swap without photo ID or full ID over the phone. Some people will do one if the customer quotes the same last name and could theoretically be the account-holder's child. But does it matter when any customer can easily find out name, DOB and address from coming in store, then call up and get the SIM changed over the phone? We do have account PINs but very few people set them. And you could find it out in store if you were sharp-eyed.<p>There's a constant tension between providing a good customer experience and protecting security and privacy. But our commission is based partly on customer experience feedback scores - and if you're the one asshole who tries to follow all the rules (or follow what you decide should be the rules, because there aren't any haha) then you're gonna a) get bad feedback and b) alienate and make life difficult for the majority of ambiguous security events, which I'm sure are 95-99% trustworthy people.<p>Anyone relying on two-factor auth with a phone number who uses my company is vulnerable. Simple as that. It would take a determined attacker a day to get control of your number. All you'd notice was that your SIM stopped working. It would all be too late by the time you'd gotten a new one re-activated - and you're still vulnerable.<p>I'm not sure what telcos are like in other countries but I doubt much better.
Disable SMS for 2-step and SMS for password resets and use a 2-step mobile app.<p><a href="https://support.google.com/accounts/answer/1066447" rel="nofollow">https://support.google.com/accounts/answer/1066447</a>
What strikes me most in these stories is how you always have to find some higher-ranking company employee through personal connections in order to get a tiny possibility to take your account back.<p>These companies build on their users but, when their users need them, they betray them.
This just happened to me. The same timeframe, the same vector of attack, but a different target. They wanted my Twitter handle. Fortunately it was an old handle that Twitter had locked down and was not transferable. The hacker succeeded in making me lose my handle for a few days, but some friends came to my aid and I was able to get resolution through Twitter support.<p>My telecom company was helpful at first, but then we began to see circle-the-wagons behavior from them. We were at least able to get the call forwarding off of the account, but they would not tell us any details about what had happened on the account.<p>Until your story (and even now) I'm not exactly sure if my hacker had been able to forward the text messages or simply routed the phone call to his phone and using Google's password reset process was able to get a robo call to accomplish the same thing.<p>All of this is seriously making me consider creating my own 2FA service, only slightly better.<p>One quick recommendation I would add would be to put a passcode on your account with your mobile provider. Just call them and say "I'd like to add a passcode to my account", so you can at least add one extra layer of security there.
This article is conflating two things:<p>- two factor login (you need password + sms text)<p>- account recovery (using only a phone) THIS IS DUMB.<p>I only use an alternate email for recovery (my wife and I cross). Thus, each recovery account is still 2FA secured.<p>There's already been a story floating around about a young kid charging his dad's credit card because of the phone recovery option (he had the android phone in this case). This is NOT the same as 2FA auth.
There's a balance between keeping others out and preventing yourself being locked out. Every time you add another factor, you also have to add another recovery option in case you lose that factor:<p>1) Password(A)<p>:| Hacker must break A<p>:| Losing A locks you out<p>2) Password(A) + SMS recovery(B)<p>:( Hacker must break A or B<p>:) Losing A and B locks you out<p>3) Password(A) + SMS(B) 2FA<p>:) Hacker must break A and B<p>:( Losing A or B locks you out<p>4) Password(A) + SMS(B) 2FA + SMS password recovery(B)<p>:| Hacker must break B<p>:| Losing B locks you out<p>5) Password(A) + SMS(B) 2FA + SMS password recovery(B) + Code sheet(C)<p>:( Hacker must break B or (A and C)<p>:) Losing B and (A or C) locks you out<p>6) Password(A) + SMS(B) 2FA + Code sheet(C) + 3rd channel password recovery(D)<p>:) Hacker must break (A and (B or C)) or (D and (B or C))<p>:) Losing (A and D) or (B and C) locks you out<p>Only the 6th option is unambiguously better than a single password. I guess using a friend's phone for password recovery and your own for 2FA would achieve that.
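The six schemes in the comment above can be checked mechanically. This added example (not from the thread) transcribes each scheme's break and lockout conditions as boolean predicates over the factors A, B, C, D and brute-forces the smallest attacker set and the smallest loss set for each; reading "unambiguously better" as "strictly more factors needed on both axes" is this example's assumption.

```python
"""Brute-force check of the six login/recovery schemes in the parent comment.

Factors: A = password, B = SMS/phone, C = printed code sheet, D = third channel.
For each scheme, the break predicate says whether an attacker holding exactly the
factors in a set gets in, and the lockout predicate whether a user who has lost
exactly those factors can no longer get in. We search every subset of factors for
the smallest one that breaks the scheme and the smallest one that locks the user out.
"""
from itertools import combinations

FACTORS = "ABCD"

# (name, attacker-break predicate, user-lockout predicate), transcribed from the comment
SCHEMES = [
    ("1 password",                   lambda h: "A" in h, lambda l: "A" in l),
    ("2 password + SMS recovery",    lambda h: "A" in h or "B" in h, lambda l: "A" in l and "B" in l),
    ("3 password + SMS 2FA",         lambda h: "A" in h and "B" in h, lambda l: "A" in l or "B" in l),
    ("4 2FA + SMS recovery",         lambda h: "B" in h, lambda l: "B" in l),
    ("5 2FA + SMS recovery + sheet", lambda h: "B" in h or ("A" in h and "C" in h),
                                     lambda l: "B" in l and ("A" in l or "C" in l)),
    ("6 2FA + sheet + 3rd channel",  lambda h: ("A" in h or "D" in h) and ("B" in h or "C" in h),
                                     lambda l: ("A" in l and "D" in l) or ("B" in l and "C" in l)),
]

def min_set_size(predicate):
    """Smallest number of factors for which predicate is true (brute force over all 2^4 subsets)."""
    for k in range(len(FACTORS) + 1):
        if any(predicate(set(c)) for c in combinations(FACTORS, k)):
            return k
    return None

def evaluate():
    """Map scheme name -> (min factors an attacker must hold, min factors whose loss locks you out)."""
    return {name: (min_set_size(broken), min_set_size(locked)) for name, broken, locked in SCHEMES}

def unambiguously_better_than_single_password(results):
    """Schemes that need strictly more attacker factors AND strictly more lost factors than scheme 1.
    This reading of 'unambiguously better' is an assumption of this example, not the comment's words."""
    base_break, base_lock = results["1 password"]
    return [n for n, (b, l) in results.items() if b > base_break and l > base_lock]

if __name__ == "__main__":
    res = evaluate()
    for name, (b, l) in res.items():
        print(f"{name:30s} attacker needs {b} factor(s); locked out after losing {l}")
    print("Strictly better on both axes:", unambiguously_better_than_single_password(res))
```

Any other recovery design can be dropped into SCHEMES as a pair of predicates to get the same two numbers.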
"and every so often, I would get authorization code texts for the Gmail account that was tied to my Instagram handle"<p>As far as I know these authorization texts are only sent when your Gmail username and password have been entered correctly. This would indicate that the attacker knew your long random password. Keylogger? From there they only need your 2fa to access your account.
Well, I heard from a friend of mine that in Argentina the cellphone provider can access your info.<p>The case was this one. He was cheating on his girlfriend; a friend of hers accessed my friend's text message log, saw the evidence, and told the gf about it. Apparently, but I never confirmed this, the friend (the one who read the messages) worked at my friend's cellphone provider.<p>Since then I know I can't trust my cellphone ever again, but I was always suspicious that this could be possible.
This is why I always recommend against using SMS-based 2-factor. Without even doing any serious research, it seemed pretty obvious to me from day one that <i>at the very least</i> someone like NSA/FBI could forge your number somehow with or without the carrier's help, but there's also the potential for other attackers to do it, too.<p>Call forwarding didn't even cross my mind, but it just goes to show how ridiculously broken SMS-based two-factor authentication really is then, and even worse than I thought.<p>Ideally what I'd want is an NFC ring or a smart band/watch that can use FIDO's U2F or a similar protocol that works through NFC, to do 2-step verification for me.
This is a good reminder that your phone may not be as secure as you think. In many countries governments are able to get access or ask for this type of change to be made by the national telcos.<p>The reactions you can take at the moment are to use a mobile app (or preferably a security key!) rather than SMS backup, and if you're feeling especially uncharitable to your phone company, change the backup number Google makes you enter to a Google Voice number rather than that of your actual phone - creating a circular situation where it can't really be used as a method for account recovery / hijacking.
This article brings up a question about protecting email addresses that I'm hoping a HN reader can answer.<p>I have a unique email address for PayPal--different from my normal email address--that I want to keep secret. The problem is that every time I make a purchase, the merchant gets this email address (in addition to the normal email address I gave to the merchant). I know that merchants get it because I get junk mail at my secret PayPal address from merchants I did business with.<p>Is there no way to make a PayPal payment without PayPal handing my email address over to the merchant?<p>As a related question, why do I have to trust the merchant to redirect me to PayPal's website to make the payment? There are many ways I can get fooled into entering my PayPal password directly into merchant's website (for example, the merchant opens the PayPal site in a frame or pop-up, so you can't verify that it's really PayPal). Isn't there a way I can open my <i>own</i> browser window, login to PayPal, and give some sort of invoice number to PayPal to direct payment to the merchant?
This is why "2FA" is supposed to actually be two factors. If you're using a phone number for 2FA, then authentication still boils down to the same thing: Something you know.
Interesting, so adding 2FA actually decreased security... Well shit. Interesting case that shows just how unpredictable such things can be.<p>As far as I understand, though, 2FA increased the attack surface in this case. A web interface itself still remains impenetrable, doesn't it (know your hard-to-guess password and you should be fine)? Mobile provider was the weakest link and any system is as secure as its weakest link.
1. Email account with 2FA<p>2. Email randomized password stored in PasswordDatabase<p>3. PasswordDatabase is stored in CloudDrive<p>4. CloudDrive randomized password stored in PasswordDatabase<p>5. CloudDrive with 2FA<p>6. PasswordDatabase secured by weak password<p>7. 2FA codes from 2FApp<p>8. PasswordDatabase, CloudDrive, Email only available together on devices with a human-friendly password. Those 3 and the 2FApp are all on the phone, secured by human-friendly password, on me always.<p>(How do I make 8 mathematically stronger?)
<a href="https://news.ycombinator.com/item?id=8255807" rel="nofollow">https://news.ycombinator.com/item?id=8255807</a><p>SMS is not two factor authentication, and should never be part of an authentication system.
This is precisely why I thought Digits was such a terrible idea (check my comment history, it's there.) SMS is so incredibly insecure that anyone relying on it should not consider themselves security savvy. SMS TFA is lipstick on a pig. Cellphones are so cheap these days, they should all come with a TFA app pre-installed. I'm also not too keen on websites making it so easy to change your username. The story of @N on Twitter comes to mind. Is anyone working on Digits without the SMS part?
This leaves so many open questions. Foremost: How did they guess his Gmail password? Is there a way to access Gmail without knowing the password? I.e. by sending a password reset per SMS?
At least now, more people will accurately describe it as two-step verification rather than two-factor authentication.<p>They are entirely different. If SMS OTPs were actually 2FA, the hacker would have needed to steal the phone too.<p>The difference between two-step verification & two-factor authentication: <a href="https://ramblingrant.co.uk/the-difference-between-two-factor-and-two-step-authentication/" rel="nofollow">https://ramblingrant.co.uk/the-difference-between-two-factor...</a>
This sounds like an argument for adding hardware multi-factor auth in Google. It's not a panacea, but a good starting point that can't be easily spoofed or hijacked.
So is the takeaway that we should all disable SMS-based options for receiving 2FA codes, because it weakens your 2FA to the level of your (non-2FA) cell phone account?<p>I think when I enabled iCloud 2FA it included 2 channels for communication with my phone: one as a named iOS device (where the OS handles receiving and displaying codes), and another as just its phone number. Is that for SMS? Why would they even do that?
Wild... you know, using Google Voice for a number of years, I switched to using MVNO operators for my cell phone a few years back... Now, I'm glad they don't allow call forwarding on those accounts.<p>Though it seems like a lot of work, it's hard to imagine going through this... with a similar mindset.
A bit late to the party but here's a good story about this: <a href="http://williamedwardscoder.tumblr.com/post/24949768311/i-know-someone-whose-2-factor-phone-authentication-was" rel="nofollow">http://williamedwardscoder.tumblr.com/post/24949768311/i-kno...</a>
Yet one more reason we shouldn't be letting telcos provide our phone numbers. They are painfully inadequate when it comes to security. And our mobile numbers are now probably the most important identifiers we have, due in no small part to the proliferation of SMS 2FA.
Incredible, the lack of barriers in place for adding a forwarding number to a cellphone account. Maybe the attackers got the last 4 of his CC from a hacked set? Or maybe the same for his social. And from there they were able to authenticate with the telco rep.
Voicemail, then call forwarding; I wonder what is next. People often ignore many of the service settings and leave them as is (me as well), which potentially creates chances for intruders.
His recovery email address attached to the account must've also been hacked if he had two-factor on, as google always starts the recovery process from that email.
This story sounds like déjà vu: <a href="https://news.ycombinator.com/item?id=7141532" rel="nofollow">https://news.ycombinator.com/item?id=7141532</a>