I used to work at BestBuy Mobile about 3 years ago. The level of access I had as a retail employee making $9 an hour was incredible.
Verizon accounts are by default secured only by the last 4 digits of the account holder's SSN, with an optional 5-character alphanumeric password. AT&T was worse, as there was no default verification required; it was only presented as a recommended validation to me. I could type in any AT&T phone number and click the "Skip Verification" button. Many employees get in the habit of doing this by default to save time, and that makes the problem worse, as they ignore the large "VERIFY CUSTOMER" text.
Don't remember the password? No problem. It was not uncommon for me to make a quick call to my account manager for whatever carrier and simply ask them for the last 4 digits of the social or the password. I'm not sure if they just trusted me, or if this was normal practice. But I could get into anybody's account, for the 3 major carriers, with little to no verification.
That's not even mentioning being able to search through BestBuy's entire customer database.
Porting of numbers is an obvious vector for this kind of attack, but it's also worth noting that swapping the ICCID on the line (the SIM card number) is a much more efficient solution, as it doesn't require the attacker to set up new cell phone service anywhere. Carriers are starting to catch on to this though, as more of these attacks happen to high-profile users.
You don't need to have your number ported for this to work, Signalling System 7 (SS7) hacks can redirect SMS messages.[0] For the truly paranoid (or high value targets) SMS is not secure.
And if anyone were still undecided about SMS 2-factor security, attackers can simply call your provider and forward all messages to a 2nd number, possibly without you being notified of the change. The susceptibility probably varies across providers.
Yeah, it's a big flaw in the setup. The instructions I linked have users add it temporarily, to unlock the rest of the options, and remove it afterwards.
The problem isn't that Google knows your phone number but that they will use it (or more precisely the attacker will use it after redirecting your texts) for account recovery which you can prevent by removing the number.
Yes, and Facebook and Dropbox have enabled Yubikey/U2F support in the same way. It's stupid and it gives you a false sense of security (because you're using hardware tokens, which you'd expect to be more secure).
Even though you can remove SMS as a 2FA, it looks like Google still asks for an email and phone for "Account recovery options". Probably should remove that as well?
Yes, you should. They demand phones because normal users who aren't being guided through the setup would be likely to lock themselves out of their account without it, but if you know what you're doing you can eliminate the phone dependency.
Or create an email account. It's impossible to sign up to any web email service (to be able to send email, not just receive it) if you don't have a phone.
I needed an untraceable email to send from for reasons I won't go into but couldn't create one.
If you're poor but need a webmail account you need a phone. You can't even put in a fake number, since you need to reply to the approval link setup email. Gmail, Outlook, Yahoo, every one I tried, all require a phone.
They may allow you to do that. If you are on an IP that they deem not trustworthy enough, like if you are on a dynamic IP or come from the wrong country, they'll refuse to create the account without some phone verification (to hinder spammers).
I don't get it. Asking for civility in a public forum is not a bad thing (HN does it sometimes), and certainly not a factor you should be taking into account when evaluating security devices.
The article states that Google Authenticator is more secure than Authy? As someone who has been using GA for a long time but thinking about moving to Authy - what is the rationale behind this assessment? Is it because Authy stores your 2FA sites in the cloud?
I was going to use that as a plus, as I have now had to switch phones twice, and re-setting up my GA 2FA sites on the new phone was a major PITA - I thought Authy would make that easier, but now I guess that feature could be an attack vector too?
Because Authy is SMS-based it's subject to phone number hijacking. If someone manages to convince your mobile carrier to enable your number on their SIM then you just lost all your 2FA protection. There are also ways to hack the SMS system so that you don't even need to have your phone number ported to fall victim.
SS7, which is used to route calls and SMS, can be spoofed. Any person with access to a cell tower (hop over a fence, break the padlock, plug your laptop in) or access to the telecom backbone (hack a telecom provider, buy a link) can hijack any number.
Wait, is the Authy App SMS based as well? I thought it just used a clock sync to generate the keys like GA does? I could be totally wrong as I haven't set it up, but that's what I gathered from reading their site and downloading their app?
I thought the main difference was that the 2FA service details were saved in the cloud so you could sync up to multiple mobile devices using the Authy app?
Authy backs up the 2FA secrets to the cloud to enable "multi-device support". To restore the backup it's usually a matter of verifying your phone number via SMS. See how this turned bad?
I'd recommend disabling multi-device support, which is enabled by default, or adding a backup/restore passphrase to make it more difficult to add new devices without also cracking the passphrase.
Sorry, but I think some comments below contain incorrect or partial info.
Authy can be used just as an SMS-based 2FA, and this is as insecure as Google SMS. Note that this is still more secure than you (or me) implementing your own code via SMS, because they do intelligence on the phone numbers, especially on critical operations like changing phone/merging accounts.
Then there's Authy app with the TOTP code, similar to Google Authenticator. From a security perspective it is true that having Authy on multiple devices slightly decreases your security, as an attacker could steal any device and bypass your 2fa.
I'm not convinced when people say that they can turn off Authy with just a phone verification (i.e. stealing the phone number), vs you can't on Google Authenticator. The fact that you have Google Authenticator, maybe even as a default, doesn't mean you don't have SMS too as an option, so the same attack can happen on Google.
Also, note that for many critical operations, in Authy and Google, you receive a notification. In particular, if you have many devices connected, you'll receive multiple notifications with a higher probability of catching the issue in time.
It would be nice to see explicit examples of the attacks mentioned. If you have someone's password and phone number, you have a lot, and you can probably fool Google, Facebook, or any big service as you can fool Authy.
let's also remember that 2fa is the 2nd factor. Your first factor, the password, should be strong as well.
People say "Google Authenticator" because they feel silly saying "TOTP", which is a term that no normal user knows. But you can substitute any TOTP application for Google's (Duo's is a popular alternative, and there's no phone number link in the Duo onboarding process).
Facebook calls these "code generator applications" and maybe that term will catch on.
I'm not sure you're following. You don't have to register with Google or with Duo to use their TOTP applications. Google Authenticator installed on your phone doesn't ask for your Google account or your phone number; it just sits there waiting for you to show it a bar code for a TOTP site. Same with Duo.
Used that way --- the default way --- you can't bypass it with SMS.
Responses were like GA is better because there's no SMS.
This is true if you look at GA vs Authy mobile apps.
This is false, if you look at the consumer services where you enabled 2fa (Google, Facebook, Twitter, Instagram, Coinbase, Twitch...). They all require SMS to setup 2fa, and let you use SMS to bypass GA.
You cannot bypass GA with an SMS (the TOTP); you can bypass the service 2FA, because for availability reasons they must provide you more than a single 2FA method.
I would still say it's not recommended to back up those keys in the cloud, and I hope LastPass at least has the common sense not to keep those keys on the same server as the LastPass passwords. However, a middle ground may be backing up the keys before you change/reset your phone, and then disabling the feature (I'm not sure if they actually wipe or reset those keys every time you disable the backup feature, though, but I hope they do that).
The way I try to sort out this phone-change re-authorisation of auth codes is that I save the QR code each time I opt into some two-factor service. That way I just need to save that QR code with the service name in a KeePass database, and I can scan it on any new phone to keep using Google Authenticator.
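Two points in the thread are easy to make concrete in code: that a TOTP app such as Google Authenticator needs nothing but the shared secret and the clock (no phone number is involved anywhere in the computation), and that the QR code a service shows at enrollment is just an otpauth:// URI carrying that secret, so saving the QR code is saving the secret. The following is an added example written for this page, not code from any commenter, from Google Authenticator or from Authy. The sample URI and its label are constructed; its base32 secret decodes to the RFC 6238 test-vector key "12345678901234567890", so the codes it produces can be checked against the RFC tables.

```python
"""TOTP (RFC 6238) from an otpauth:// provisioning URI, with no phone number anywhere.

Added example for this thread, not code from any of the commenters or from
Google Authenticator/Authy. SAMPLE_URI is constructed; its secret is the
RFC 6238 test-vector key ("12345678901234567890").
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: this is the kind of payload an enrollment QR code encodes.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Return label, raw secret bytes, digits, period and algorithm from an otpauth://totp URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parts.query)
    secret_b32 = params["secret"][0].upper().replace(" ", "")
    # Unpadded base32 is common in QR payloads; restore padding before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32, casefold=True),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def verify_totp(secret, submitted, unix_time, digits=6, period=30, algorithm="SHA1", window=1):
    """Server-side check against the current step and +/- `window` neighbouring steps.

    The window tolerates clock skew between phone and server (the 'clock sync' the
    thread refers to); every extra step also widens an attacker's guessing budget,
    so keep it small. compare_digest avoids leaking the code through timing.
    """
    counter = int(unix_time) // period
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), submitted):
            return True
    return False


def code_from_uri(uri, unix_time):
    """What the authenticator app does: parse the enrolled URI, show the current code."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    import time
    enrolled = parse_otpauth(SAMPLE_URI)
    print(enrolled["label"], "->", code_from_uri(SAMPLE_URI, time.time()))
```

Nothing in this computation identifies the phone, so an attacker who ports or SIM-swaps the number gains nothing against the TOTP factor itself; what they gain is whatever the service lets a phone number do elsewhere (SMS fallback, account recovery, a cloud backup restore gated by SMS), which is exactly the distinction drawn in the comments above.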
This is a bit of a tangent, but Authy allows recovery of an account without access to either the original device or the original phone number. Does anyone know what actually happens when you go through this flow?
It says they may perform "additional security checks" in the help but what are they? The wooliness of this makes me very nervous. (I don't use Authy fwiw)
I don't think he did learn his lesson... I thought everyone knew by now: your account security is only as strong as its weakest link.
Account recovery and 2-factor auth is always that weak link. If you don't want to get hacked in this unsophisticated way just because someone is targeting you, then just remember your password the old-fashioned way and close all the other doors. Even post-it notes are more secure because they are not remotely exploitable.
Learned this lesson the hard way: enabled 2FA for a certain major service, which in turn opened me up to an exploit that didn't affect those not using 2FA. So in enabling 2FA I weakened my account security and opened a new attack vector. At best, if everything is implemented properly, you're still now only as secure as your telecom's customer service security practices.
To hack coinbase 2FA, you need access to both the phone and the email account.
So if one can obtain the phone number (which can often be found publicly) and through social engineering have the carrier route the number to a new device, just from the phone alone one can break into Gmail and thus also Coinbase.
It is not 2FA... more like 0-factor authentication, because all you need is a phone number and the ability to impersonate the account holder.
This is the exact reason I removed all of my phone numbers from my Google account. No matter what recovery options you choose, if Google has a phone number connected to the account, it will always offer to send an SMS to let you regain access. Downside: Google bothers me every time with a notification on the MyAccount page that my phone number is missing. But worth it.
I just got off a DM with TMo support. They officially don't have a way for you to block this. Sucks, considering they are the best of the worst. Every TMo customer is in danger of having their identity stolen.
I haven't heard of a 'do not port' instruction, but you can call T-Mobile and add an additional password that will be required before customer service will service your account.
Apparently, the following Verizon SMS text[1] Cody Brown got was genuine:
>Free VZQ Msg: You're on the phone with Verizon and just authenticated with an alternative method. Not you? Please call us at 800-922-0204 immediately.
And one of CB's followup recommendations is:
>Make urgent text alerts actionable through SMS. If I received the original alert and was able to text a reply stopping it, or even delaying it, this entire hack would have stopped in its tracks. Instead I was told to ‘immediately’ call a number for Verizon that no one was there to answer.
It seems inevitable that the Verizon SMS alert as a bonafide safety check would embolden social engineers to use that very same method to trick people into calling their own 800-555-2222. Then, a fake Verizon customer service agent "phishes" for even more sensitive identification data by asking official-sounding questions in the guise of "verifying the account".
The tone of that Verizon SMS is panic-inducing and it's very easy for people to not realize they need to verify that the 800-922-0204 is actually a legitimate Verizon phone#. Even if non-techies take the extra step of googling "800-922-0204", they may get conflicting information and get confused on whether it's safe to call back: e.g. http://stopthecap.com/2015/10/05/got-a-call-from-1-800-922-0...
EDIT ADD: I think it's very challenging to come up with a generalized decision tree for non-techies (e.g. your 75-year old grandmother) to follow such that they know they are "really really REALLY talking to Verizon".
If the techie grandson thinks he can simplify the decision matrix by instructing his grandmother to simply get hold of him when she receives such an alert, then in the 15-plus minutes it takes the grandson to research the legitimacy of the SMS, the grandmother's life savings in the bank account are drained. In that scenario, the alert was legitimate. The extra delay introduced by the grandson made the situation worse.
In substituting in-person transactions that require biometric verification (e.g. thumbprint at the bank counter) with non-physical "information verifying other information over information channels to unlock access", it creates new vectors of social engineering attacks. It's a very hard safety problem to solve for the mass population.
Fortunately, the banks are on Grandma's side on this one. Unlike Bitcoin, banks will not let someone who obtains a few credentials simply transfer an arbitrary amount of money to anywhere in the world in seconds. Banks seem to have many layers of checking for potentially suspicious activity, and ways to reverse transactions that are later proven to be fraudulent.
Bitcoin has some interesting properties, but holding bitcoins directly is definitely not right for anyone who can't be trusted to keep their critical credentials secure no matter what.
"Banks seem to have many layers of checking for potentially suspicious activity,..."
I don't think so. I had this kind of incident and nobody from the bank noticed it (60 euro paid overnight at 3:35 AM from central Europe to a fake company somewhere in a tax paradise, summer 2014). When I asked why and how it was possible, they replied with a formal letter about how sorry they are. Nothing more.
I was in touch with the Visa guys and they confirmed the payment as fraud and returned my money to me.
Around 10 years ago I was in a national bank. We had a small project for entrance gateway automation. The control unit was a strange DIY solution.
Banks aren't as secure as we think. At least in my country.
I worked for a big oil company and even their infrastructure and solutions are far from ideal. So I don't have false expectations about security.
I'm talking about bank transfers, not debit cards. Try and transfer $50k to another account and see how many steps you have to go through, presuming it's an individual account and not a business. And then see how long it takes to actually go through, and how many times they call you to make sure you are really trying to do that before it goes through.
IMO, the real lesson to learn for that is that your phone number will never be really secure, so don't use possession of it for any hard verification if you have any other options.
>"Call your cell phone provider and put a “do not port under any circumstances” hold on your phone number.
Is "porting" the same as call forwarding (which I assume would also forward SMS) ? Or is porting a means to upgrading to a new phone or changing carriers while keeping your phone number ? The latter isn't something I want to disable.
I think it means configuring a new SIM on a new phone controlled by the thief with Cody Brown's Verizon cell phone number. This would allow the thief to receive SMS authentication texts from Coinbase.
Mobile phone carriers are permitting phone numbers to be ported to a new phone held by a thief with nothing more than a billing address. The idea behind adding that "don't port under any circumstance" message is to force an in-store visit with some type of legal identification before a phone number is ported to a new device.
If you don't use SMS to secure your bank account, then maybe this advice is overkill. But if you are using a service that holds a large part of your assets and can only 2FA with SMS, then you really ought to make taking over your mobile phone number as hard as possible.
I did wonder why I got an email from Coinbase yesterday:
"We strongly recommend you update your second-factor verification to Google Authenticator. Authy and SMS are vulnerable to phone porting attacks. [...] as of July 31, 2017, we will be requiring that all customers with significant balances use an Authenticator app as their second-factor verification."
Every time these hit the news, the exchanges harden their defenses. That's good for holders of Bitcoin, but I wonder if usability for small transactions is hurt.
I asked someone with no prior Bitcoin experience to test a checkout process with Bitpay[1], and the 3rd[2] time they had to pull out their phone they were really frustrated at all the steps. Plus, doing that many on-chain transactions is going to add a 30% overhead to a common purchase.
Am I wrong to advise users interested in single <$100 transactions to skip all the apps and use their exchange's wallet? I hear a lot of people recommending that everyone operate their own wallet. But since this page is in Bitpay's checkout funnel the wallet must be very important.
2. 2fa makes people think they're safe, when they're often not. (ss7 is weak thus sms, etc)
3. There's not really a "secure" email account. The admin can read your mail. There's not really a "secure" phone number. The admin can use your number.
4. This seems ok, if your phone isn't pwned.
5. If you don't hold the keys, you don't own the coins. DO YOUR OWN COLD STORAGE.
This is precisely why I removed my phone as a 2fa option. I scan the authenticator on two devices (one primary, one backup) and simply use the google push app for all logins.
What do you mean by "google push app"? Are you referring to Google Authenticator? The reason I ask is that I also removed 2FA SMS from my account and instead use the Google app whether to authorize the login or not.
A useful tool for cybercrooks would be a 'do not fuck with' list, of people who are in or connected to the security community and are likely to create more blowback than normal. Fred should be on it, and Brian Krebs [0]
I went through the online chat; after much back and forth the only things they offer are (to a regular user like myself, don't know about business accounts):
2- a passcode you set up online, a 4-8 digit number, in addition to your number, that is required for both online and in-person interactions with ATT support
1- "we will inform you before we transfer your number"
Recently, using Windows 10, I observed that the screen flashed every 5 minutes or so, using Firefox without JavaScript, and the same happened in Edge. I used two antiviruses, Defender and Kaspersky; a full scan doesn't find anything bad, but I think my computer is being controlled. Last time I used my computer for transferring money a strange message appeared: "The platform is initiating". I aborted the operation and I am no longer using this computer for accessing my bank account. I think that my router and my computer could be compromised, so now I only use my mobile phone and avoid using wireless, since that could introduce new trojans while updating the phone. I could try to find out if there is a MITM attack, redirection of URLs in the IP tables, and so on, but I am lazy, and if my computer is compromised I think that the hackers can evade detection and restore any backdoor. Can you give me any advice about how to proceed?
Perhaps there should be a service able to reboot your computer remotely and scan any hardware device, bios configuration, iptables, init programs and much more, applying machine learning or other tools to detect hidden agents waiting to attack.
Not to start an OS war, but there might be serious reasons to do banking with another OS.
+ How easy is it to see all the processes running on your machine?
+ Is it easy for you to limit the permissions of your browser?
+ Is it easy to monitor weird network activity?
+ Do you have some idea about the security standards of the software you use? This does not say that it needs to be open source, there might be other ways.
+ Do you have the right setup to receive security updates?
+ Do you restrict yourself to non-mainstream software to reduce the chance to be a target?
+ Do you consider read-only media at the time you do your banking?
There is a lot you can do without opening up your computer to a remote scan.
Completely off topic, I saw your 150-day-old link: Why does unsupervised deep learning work? (arxiv.org). I wonder if you have more links; it seems interesting. Also the Diaconis article you link to is one of my preferred ones. I wonder if group theory can help to illustrate why deep learning works.
I will take your advice and use another OS and computer for banking, but the problem is that perhaps the router is pwned and so there is no secure wire to operate over.
For the readers here, your comment added no value to the article in question. Your comment was all about your suspicion of being hacked that read pretty tinfoil hat - "my screen blinks so I think someone hacked my computer and router but I cannot find any hard evidence that that is the case."
Fred Wilson's post discussed how he was hacked, how he knew he was hacked, and what actions should be taken to avoid being hacked.
Thanks for your comment. As someone using computers for more than 30 years I can tell when my screen is being monitored (I think a snapshot is being taken every 5 minutes or so). Anyway, I don't have a formal proof and I see that my comment can be read as a tinfoil-hat guy's.