Hacker News
SMS phishing is way too easy (bejarano.io)
637 points by ricardbejarano on June 24, 2022 | 294 comments



Bottom line up front: When sending tokens via SMS, you must include a "do not share this token with anyone besides X.com" text. Otherwise account takeovers become trivial.

The article's attack is relatively benign - the user simply goes to a website. Sure they may end up putting info in that website, but probably not. Plus existing systems for malicious website filtering can kick in to prevent this.

The more concerning attack is the social engineering one where a third party says something like "let me 'verify' your identity, I'll send you a number tell me what it is" then triggers an identity verification request on the domain (this can be done either manually or part of a sign up flow for some honeypot service). Now the target needs only relay 6 digits to someone they already "trust" and are in a conversation with, versus in the article's example they needed to put their full account info into an unknown website.


There are valid use cases to ignore the text message security advice. When I set up an account with my bank, I got an SMS security code that I had to read out to my banker to proceed with the account. The SMS did say not to share the code with anyone, I knew he was signing into the bank's system, and I deduced that the system bankers use must be the same system normal users use, so this made sense to me. But an unsophisticated user would not know this, and would become too trusting of the helpful stranger asking for the SMS code despite the message text.

There are institutions out there that are training your users to ignore your security advice.


This sort of thing is so frustrating to me.

They phish users with horribly made emails with no formatting, then they send the same sort of emails for legitimate things. They give security advice and then break their own security advice.

Unless you’re a government (or contractor) your threat model isn’t some side channel timing attack on your CPU, it's users complacent with security created by you. Legitimate emails should look legitimate the first time, security advice applies always and everywhere. It’s not that hard.


I did exactly this with Fidelity's customer service, and I was impressed to see that the text message I received did NOT say "don't share this with anyone", like their normal login messages do. Instead, it said "give this code to the customer service representative". I was so pleasantly surprised I actually had to commend them on it.


Even better would be: ask your rep what his or her favorite animal is. If he or she answers giraffe, then share this code. Otherwise hang up and dial the number on the back of your card.


If the warning not to share is not worded carefully enough then a second message could be sent by an attacker before or after instructing the user to disregard the warning.


Hello, this is Fidelity customer service, and to confirm this, we will send a text message with a code to the phone number you registered with us. For security, please confirm you are our customer by responding with the code.

Narrator: No, it was not Fidelity, but a scammer who needed the code to drain the customer's Fidelity account.


The attacker doesn't control that message. If they did, they would already know the code and wouldn't need you to give it to them.


How will the scammer initiate the SMS? Considering online and customer care messages are different enough.


The same happened to me. Every time it happens, I end up hanging up and calling again to ensure I have the right number.

It’s a horrible system. They’re shooting themselves in the foot on security.

In my experience, it was also a bank that used this practice.

Thank goodness it’s not a big deal to gain access to someone’s bank account. /s


We are training a large group of users to automatically click "agree" on a random box that appears on the bottom of the page (GDPR). Absurd.


> We are training a large group of users to automatically click "agree" on a random box that appears on the bottom of the page (sites violating GDPR). Absurd.

FTFY.


https://www.bejarano.io/sms-phishing/

HN discussion (8 days ago): https://news.ycombinator.com/item?id=31862994

I think a lot of people on this thread are forgetting just how easy it is to spoof SMS.

  - SMS has a field called sender ID, which is set by the sender, requires no identity verification, and can be any arbitrary short string.
  - This allows anyone to send messages to any number, identifying themselves as whoever they want to impersonate.
  - And since there’s no sender phone number in the message, your phone can’t tell real and fake messages apart.
  - And so it groups them into the same conversation


I’ve noticed multiple companies abuse this system by having customer support verify your identity with an SMS code that also includes the “don’t share this with anyone” snippet.

Even my former bank did this. Companies can include the warning all they want, but they’re already teaching consumers to ignore it and break the rules.


> When sending tokens via SMS, you must include a "do not share this token with anyone besides X.com" text.

There’s a standard format for doing that: https://github.com/wicg/sms-one-time-codes
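To make the linked format concrete, here is an added example (not code from the thread, the WICG explainer, or any browser vendor) that parses an SMS in the origin-bound one-time-code layout, where the last line reads `@host #code` with an optional ` @embedded-host`, and releases the code only to the page whose host matches. The sample messages are constructed; the host character set, the absence of ports, and the rule for embedded frames are simplifying assumptions of this example rather than the specification's exact grammar.

```python
"""Parse and origin-check an SMS one-time code in the origin-bound format.

The message ends with a line of the form "@host #code", optionally followed by
" @embedded-host" for a code that is meant for an iframe.  A client autofills
the code only on the page whose host matches, so a message bound to a
look-alike host is never offered on the real site.
"""
import re
from typing import NamedTuple, Optional


class OriginBoundCode(NamedTuple):
    host: str
    code: str
    embedded_host: Optional[str]


# Last-line grammar: "@host #code" plus an optional " @host".  ASCII hostnames
# without ports and a code with no whitespace, '#' or '@' are assumptions here.
_LAST_LINE = re.compile(
    r"^@(?P<host>[A-Za-z0-9.-]+) #(?P<code>[^\s@#]+)(?: @(?P<embedded>[A-Za-z0-9.-]+))?$"
)


def parse_origin_bound_code(message: str) -> Optional[OriginBoundCode]:
    """Return the parsed binding line, or None if the message is not in the format."""
    lines = message.replace("\r\n", "\n").rstrip("\n").split("\n")
    match = _LAST_LINE.match(lines[-1].strip())
    if not match:
        return None
    embedded = match["embedded"]
    return OriginBoundCode(
        host=match["host"].lower(),
        code=match["code"],
        embedded_host=embedded.lower() if embedded else None,
    )


def code_for_origin(message: str, top_level_host: str,
                    frame_host: Optional[str] = None) -> Optional[str]:
    """The check an autofill implementation makes before offering the code.

    The code is released only when the message's host equals the host of the
    page asking for it; a message bound to an embedded host is released only
    to a frame with that host inside a matching top-level page (assumed rule).
    """
    parsed = parse_origin_bound_code(message)
    if parsed is None:
        return None  # legacy message without a binding line: never autofill
    if parsed.host != top_level_host.lower():
        return None  # bound to some other site, e.g. a look-alike domain
    if frame_host is not None:
        if parsed.embedded_host != frame_host.lower():
            return None
    elif parsed.embedded_host is not None:
        return None  # bound to a frame, but a top-level page is asking
    return parsed.code


# Constructed sample messages.
LEGIT = "Your Example code is 123456.\n\n@example.com #123456"
LOOKALIKE = "Your Example code is 123456.\n\n@examp1e.com #123456"
LEGACY = "Your Example code is 123456. Do not share it with anyone."
EMBEDDED = "Your Example code is 654321.\n\n@example.com #654321 @auth.example.net"

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("lookalike", LOOKALIKE), ("legacy", LEGACY)]:
        print(f"{name:10s} -> offered on example.com: {code_for_origin(msg, 'example.com')!r}")
    print(f"embedded   -> offered to auth.example.net frame: "
          f"{code_for_origin(EMBEDDED, 'example.com', 'auth.example.net')!r}")
```

The binding is to the page host, not to the SMS sender ID, which is why it still helps when the sender ID is spoofed: a phishing site on another host never gets the code autofilled, and a user who is used to autofill has a cue that something is off when it does not happen.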


Android supports "verified SMS" wherein the sender proves their identity to Google, tells Google the hashes of messages they send, and Google can tell recipients if the message hash is legit or not: https://developers.google.com/business-communications/verifi...



Note that for short messages, hashes are unlikely to effectively conceal the content. English text has about 1 bit of information per character, and auto-sent messages are going to contain even less information. Not that google is likely to have a particular interest in that one-time code you receive via SMS, but it could almost surely brute-force the hash in a fraction of a second if it did.


I figured it was unlikely google would make such a mistake, so I looked at the docs. They use public key cryptography to generate a private shared secret that is hashed alongside the message. This prevents the brute force hash attack.

https://developers.google.com/business-communications/verifi...


Awesome! Thanks for looking this up, instead of just speculating.

Btw, in some sense this is exactly the same stuff you'd have to do to make committing to a single-bit work. Or encrypting a short message, in a way that's not easy to crack.


I read this as hashing the content for verification, not hashing for concealment.


The easier it is to brute force an sms message hash, the less sensitive the information is. Generally.


6-digit numerical codes are pretty easy to brute-force, and some of the most sensitive things transported over SMS.
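The brute-force point made in the last few comments, and the fix described above (a secret shared between sender and verifier mixed into the hash), as an added example that is not code from the thread or from Google's Verified SMS implementation. The template, the code and the key are constructed, and an HMAC under a random key stands in for whatever key-exchange-derived secret a real scheme uses (an assumption of this example).

```python
"""Why a plain hash of a short SMS hides nothing, and why a keyed hash does.

A 6-digit code has 10^6 possibilities (~20 bits).  If the message template
is known, anyone holding SHA-256(message) can enumerate every code in well
under a second.  The same message under HMAC-SHA256 with a secret key still
lets the legitimate verifier check integrity, but an attacker without the
key learns nothing from the digest.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed template; the only unknown to an attacker is the 6-digit code.
TEMPLATE = "Your Example code is {code}. Do not share it with anyone."
CODE_SPACE = 1_000_000


def unkeyed_digest(message: str) -> str:
    """Plain SHA-256: commits to the content but does not conceal low-entropy content."""
    return hashlib.sha256(message.encode()).hexdigest()


def keyed_digest(message: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret known only to sender and verifier."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def verify_keyed(message: str, key: bytes, expected_hex: str) -> bool:
    """Verifier side: constant-time comparison of the recomputed HMAC."""
    return hmac.compare_digest(keyed_digest(message, key), expected_hex)


def brute_force_code(target_hex: str, template: str = TEMPLATE) -> Optional[str]:
    """Attacker's view: knows the template, tries every 6-digit code against the digest."""
    for n in range(CODE_SPACE):
        code = f"{n:06d}"
        if unkeyed_digest(template.format(code=code)) == target_hex:
            return code
    return None


def demo() -> dict:
    """Run both constructions on one constructed message and report what each side learns."""
    code = "004242"  # constructed code for the walk-through
    message = TEMPLATE.format(code=code)
    key = secrets.token_bytes(32)  # stand-in for a key-exchange-derived shared secret
    plain = unkeyed_digest(message)
    keyed = keyed_digest(message, key)
    return {
        # Plain hash: the attacker recovers the code from the digest alone.
        "recovered_from_plain": brute_force_code(plain),
        # Keyed hash: the same 10^6 guesses never match without the key.
        "recovered_from_keyed": brute_force_code(keyed),
        # The legitimate verifier still authenticates the exact message...
        "keyed_verifies": verify_keyed(message, key, keyed),
        # ...and rejects a message whose code was altered in transit.
        "tampered_verifies": verify_keyed(TEMPLATE.format(code="004243"), key, keyed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The keyed construction is what makes a hash-based verification service viable for short, predictable messages: the hash still pins the message content for the recipient, while the party that stores the digests cannot walk the code space to read the content.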


Maybe implement a two-way verification, for example:

In the app/website: "You will receive an SMS with two 6-digit numbers, one to certify that we sent it to you and another to type below. Our chosen number is 887-987, type the other one"

In the SMS: "Two-way verification. Check if it's us with number 887-987 and confirm with number 543-621"


If you're going to do that, please make the two codes more different. e.g. Make one alphas and the other numeric, or give them different lengths, so it's stupidly obvious which one the user should type in.


IBM ISAM (enterprise access manager) was doing this 5+ years ago. The prompt for one time code will look like this [1]:

1234-_______, and email/sms will have two numbers 1234-554566.

Don't think they explained the reason for the first part in the message though. Just highlighted it in a different color.

[1] https://philipnyecom.files.wordpress.com/2017/02/otp.jpg


I think one common way to "bypass" 2FA is to have the carrier send you (the attacker) a second SIM card. If I'm not misremembering, the text message is then delivered to both cards, the original holder and the attacker. So sending two numbers would not defend against this type of 2FA bypass.


You are right, a duplicate SIM will stop the two-number method described from adding any protection.

But it will still protect against the fake messages like the ones being discussed here, and if someone has a duplicate SIM you are buggered in a number of other ways too.

Though this method, and several others that are effectively the same, only offers any protection if the user has the ware-with-all to bother verifying the other number. Unfortunately that means that in many cases it won't help at all because many would not be aware of the other number and expect to find it when the fake messages come in - unless the user knows to expect and require it the fact a fake message doesn't have it makes no difference.


> ware-with-all

The word you're looking for is "wherewithal", I believe.


Werewithal (or werwithal) forthcoming dictionary definition: transformational withal, typically during a full moon, though it regularly manifests in Hacker News posts, causes not yet fully determined. The withals can be complex.


If that happens though you are screwed no matter what they do. The above does sound like a big improvement though and is sort of like what Google does when you turn on advanced protection and it occasionally will ask you to match the number on your computer screen to the one on your phone


Unfortunately I don't think that will work because the attacker is in the middle. They can request the verification number, then forward it to the victim.

It sounds like we want identity verification, which while solved for computers, is much harder for humans.


This could work - similar to what happens in some bluetooth pairing flows. But you could still send a text message with a phishing link under the same Sender ID and fool someone into opening it. You'd really need to know that the specific sender would never a) send you a link, or b) send you anything without the "two-way verification" flow you suggested. I don't think any of those options are realistic at a certain scale.


Maybe I'm missing something, but why would this work? Isn't it just 12 digits going to one phone number instead of 6? (also thinking about this is bringing me back to SYN-ACK from the old days)


The user chooses the second 6 numbers. For dumb users this won't add any security, but for smart users this rings alarm bells.

I like it, at least, for now. It's better than the current situation.


Banning sending URLs via SMS is a terrible idea, there are too many valid use cases.

Potentially disabling URLs from alphanumeric senders is a good idea, but it’s also very easy to get virtual numbers for sending SMS spam.

I think a good balance would be making URLs not clickable for any number that is not in your contacts which also makes it difficult to copy and paste for an average user.

The onus is then on providers to make sure anyone they may send links to saves the number as a contact and that they always use the same number, and have that number on their website.

So when you register for delivery notifications a message goes out saying you should save the contact number. If all Fedex notifications come from the same number the user only needs to do this once.


Anyone can send using fedex’s sender id and your phone will put it right in that saved contacts conversation. Both SMS and phone calls need to be upgraded to use secure identity protocols.


Yeah I never realized that a sender could spoof the number in a way that would make my phone insert it into an existing conversation. I had assumed (foolishly, it would seem!) that getting a message in a thread means it is from the same sender as the previous messages.

I guess this is one reason Apple has verified iMessages when you talk to them. The background is a different color, I think, to signify their verified status.


Blue means it was sent via iMessage, green means it's an SMS. If my wife sends me an SMS, it will be green. The colour doesn't signify verification.


He's talking about verified messages from Apple themselves. They have a grey background and a checkmark next to the sender name.


Oh I see. I don't think I've noticed one of those - are they used in the UK?


I've only seen them when you contact Apple support via chat. Like for warranty service on AppleCare.


They can only do it if they have access to an SMS service that lets them arbitrarily set the sender ID which they can’t do if they’re just connecting via a retail gateway without first authorising the number.


The problem is text messages are being abused for purposes they were never intended. I don’t need people sending me links in text messages. If I wanted that I would use some internet messenger


So what you’re saying is that if you’re communicating with someone over txt because you have an iPhone and they have an android and you want to send them a link then you’d rather ask them whether or not they have the same OTT messenger as you, then tell them you will send a link to them using that, then send the link, rather than simply sending the link to them in the existing thread?


No what I’m saying has nothing to do with Android vs iPhone vs blackberry or any other phone. I can get a link on Skype or signal or anything. I don’t need clickable links in my SMS messages on any phone. Thanks


Isn't iMessage just another OTT? (So I'm not sure what significance Apple vs non-Apple has here?)

Honestly, SMS today just exists as a legacy, because of status quo. Just like 'normal' phone calls.

Of course, both are still quite important in the real world.


SMS is the only interoperable messaging standard. If you send a message from iMessage to someone with Android it goes via SMS.


Well, it's inter-operable between mobile phones. But not between arbitrary devices in general. E-Mail is probably the closest to that ideal?

> If you send a message from iMessage to someone with Android it goes via SMS.

Interesting. I think there are some Android messaging apps that also fall back to SMS, but it's not a behaviour I would find particularly useful.


Well, emails are ubiquitous, send me your email via SMS, click, paste, send.


Oh yeah that’s heaps easier than sending a link in a txt!


Another possible solution: Government enacts a law that telecom companies MUST ensure that SenderID is valid for the company that sends the SMS.


Telecoms lobby against this because they generate big revenues servicing SMS spammers whom end-users aren't able to effectively block since the ID is trivially spoofed.


Furthermore, SMS competes with Whatsapp.

I don't use WhatsApp, so with people who do not have Telegram I use SMS. The more annoying and connoted with spam SMS is, the more pushy people become with insisting on WhatsApp. Luckily I'm often in a position to absolutely resist, but I can see how others, such as job hunters or Tinder hookups, would be pressured into installing the spyware.

This is not being done by Facebook/WhatsApp themselves, but keeping SMS annoying is certainly in Facebook's interest.


WhatsApp has the hella spam problems


Hmm... for all 10 digit US numbers the telcos introduced 10DLC registrations last year that require you to register and verify your business in order to send any meaningful amount of SMS traffic. You have to provide details like a DUNS number, an EIN, and addresses that match those registrations. https://support.bandwidth.com/hc/en-us/articles/150000242224...

They haven't gotten to blocking messages that don't register but have raised the fees and fines for folks who don't register and they're able to track down.


Ding ding ding!

It’s profitable on multiple levels to allow this, so corporations ensure the political class doesn’t enact legislation for consumers.


I wouldn't be surprised if telecoms themselves were the ones coordinating some SMS scam operations. This may sound tinfoilish, but we're talking about the same telecoms that were once caught red-handed tricking people into calling back foreign numbers...


I have a VOIP business account, and I can set any caller ID I want (including on SMS). And this is validated at the carrier level.

The main use case for this is redirection: when I get a call from A to my office O, it will also call my mobile phone M, but it is my PBX at O that starts the call, so normally I would have O as caller on my phone, but I want A, so my PBX must be able to set the caller ID to A. I cannot use redirection at the carrier level, because a number might redirect to multiple mobile phones at the same time, or record the call, or use any feature that is provided by a PBX.

I guess this is a very common use case and it makes it trivial to spoof caller ID.


"I have a VOIP business account, and I can set any caller ID I want (including on SMS). And this is validated at the carrier level."

There is an easy fix to this and I believe Twilio does this ...

You allow senders to announce CID for any number they have validated with your service (in this case, Twilio) ... so you prove to Twilio that you control that number and then they let you set that number as CID.

Seems like a very simple and elegant solution ... and allows for the use-cases that you are alluding to.


Yea but that would require that the government actually regulate something, which they haven't done since what, the 70s?


Well they just regulated women's bodies today...


Oh no you see, that was deregulation!

Now the states get the choice to regulate women's bodies

Ugh

But yea, trigger laws enacted have now regulated women's bodies in something like 15-20 States or something? It's disgusting


Super interesting. I've been getting increasingly intense phishing stuff related to citi bank credentials (my account was hacked verify my credentials on shady citi site) as well as AT&T bill being paid (collect my prize for paying my bill).

They haven't managed to hijack an actual sender though, and their domain names still look slightly shady because they're things like citi01.

The AT&T one is html wrapped so I can't even click the link without seeing what it is (and don't want to because maybe there is some exploit that launches an app that does something? Am I too paranoid?)


Not too paranoid. Don't click anything.


If you did not initially request it, don’t jump on it


Many scammers with AT&T now connect you to real AT&T tech support but just listen in.


Don't click on the link itself from any device that has personal data, but I wonder if there's any exploits/cybersecurity fellow out here who'd like to check the link to see what it has.


I have two phone numbers. One is for 2-way authentication, the other I give out freely on any website that requires a phone number (and to all my friends).

It's basically the same setup I use with emails.

Not entirely sure if it's safer that way. But so far I get SMS spam only on the "burner" number.


It's so fucking annoying. I was wondering if there exists some kind of service that I can install a browser plugin with and all it does is provide me a number to receive bullshit sms codes on, then I can quickly copy and paste without having to use a phone


"I was wondering if there exists some kind of service that I can install a browser plugin with and all it does is provide me a number to receive bullshit sms codes on ..."

What you actually want is a "2F Mule":

https://kozubik.com/items/2famule/


That just shifts the trust to another company. There used to be a desktop app that did this with Twilio, which is more trustworthy, but I don't remember what it was called or if it's still around.


Use Google Voice as your 2nd number.


A lot of 2FA SMS will refuse to send to VOIP providers.

Since moving a mobile number to twilio and setting up forward scripts, I can get SMS, including short code sms, but the 2FA sms do not get delivered.

Twilio support said it is blocked from the sender side due to the provider being Voip. As hard as it is to believe, I think they're telling the truth.


I don't think Google voice (or privacy.com which I think also has this service) offer outside the US/in EU :(


Whenever I searched for anything similar it was not available in the EU. I think the EU has no regulation on access to phone numbers. About the only thing that got regulated is emergency calls on 112. E.g. Germany has national regulation that non-residents need a special area code, which is not widely used and expensive to call to. Would not be surprised if it had also connectivity problems from various providers. But each country is completely different, so I wouldn't expect that anyone builds reasonable services based on phone numbers.


Funny how friends, life, and everything other than 2-way auth is on the "burner" :)


This is how I do it. My SIM is my “private” number and my public number is virtual.

Anyone in Australia who wants to do this without carrying 2 phones can check out my product BenkoPhone

http://www.benkophone.com


It's even worse when you think of how phone companies often recycle dead phone numbers. I remember in Brazil you would often hear of people accidentally stealing someone else's account in apps where login == phone number due to this. It's an awful verification system all over.


My contract nowhere states that I own or have any right to the number they gave me.

Even though I never saw that happen, nothing is stopping them from just giving my number to someone else.

It's so stupid to depend on something like this


I changed phone numbers with Verizon to make use of a phone deal (wouldn’t let me apply it to an existing line) and they had reassigned my number within 60 days of switching it off.


This is why I have a password on my Telegram account.


This is another reason why using password managers is good. I let it auto fill, so if I got redirected to a bad domain, it wouldn't autofill, and I'd double-check the domain.


Was very annoying when protonmail.com became mail.proton.me


very annoying?


Edit the hostname in the saved login on your browser or password manager

Time taken: 20s

Annoyance saved: very


>> Companies should stop sending URLs over SMS.

Doesn't make any sense. Companies can stop sending, but that doesn't prevent scammers from sending it. If anything, Apple or Google can run an in-device ML model to understand if a link is scammy/phishy vs genuine. They do it all the time on your browser.


> Doesn't make any sense. Companies can stop sending, but that doesn't prevent scammers from sending it.

It makes a lot of sense. Just like "we will never ask for this code over the phone", it becomes a rule "we will never send a URL in an SMS", and people learn not to click any of them.


My bank repeats in every message that they will never send me a URL in an email. It's taken a bit but they have conditioned me to be suspicious.

Similarly, when I get a call I now ask them how I can call back. I don't think this is outlandish if companies are consistent with this.


And yet almost every bank requires it for 2FA and only a precious few offer TOTP or some other reasonable and secure form of 2FA.


FWIW, I have 4 "banking" accounts, 3 of which are major American banks and one is a local credit union. The latter is the ONLY one to offer 2FA via TOTP while the major banks only allow SMS or email 2FA.


I'm still a little salty about Blizzard handing out free TOTP fobs at conventions and implementing an iOS app to do it, years or even a decade before financial institutions offered anything.

It's a fucking game, protecting against gold farmers. How about protecting my non-virtual gold?


I mean, they could do that because, with few hard legal obligations to you, their own internal assessment that implementing TOTP has a good chance of cutting support load and probably won't cause too many problems is Good Enough to move forward with it.

Banks have to price in the risk that, if something does go wrong, they could have regulators on their back. And uh, have poor incentive structure wrt being perfectly allowed to do everything by the book and slipping responsibility if the book is just wrong.


Videogames are oddly the most secure of all.

I don't know why (maybe criminals are more likely to go for your WoW account assuming the legal consequences are less) but I would advise all companies to examine how Blizzard, Valve, and others handle account security.


I work for Twitch and previously worked in AAA games. People are often surprised, even coming from Amazon or Banking, how much Gamers try to 'hack' things. Gamers are used to trying to find edges in the system. Gamers are pretty tech savvy. I've had several people ignore my advice that we would be looking at a whole nother level of people trying to game the system when working with gamers.


"add number two to your backlog if you work on iOS or Android" I would...but as an iOS and Android developer, how do I know if it's a non-verified sender ID? The reason browsers can warn on these things is because of public key infrastructure, but that doesn't exist for SMS phone numbers. Am I missing something?


I believe the author means if you work at Apple or Google. So working ON iOS or Android, rather than working ON [top of] iOS or Android.


Correct.


No, you're not missing anything. The author of the article just suffers from a naive and simplistic misunderstanding of the SMPP protocol and the mobile grid.


Hello, author here.

What I ask is for iOS and Android to have the "this message was not verified" warning, as shown in the last screenshot, whenever the sender ID is displayed without any form of verification (such as, the aforementioned country-specific sender ID registries).

If browsers show "not secure" unless verified by SSL, apps should show "not verified" unless verified _somehow_.

The "how" may or may not be possible at this moment, but in any case, warn by default.

Is that naive?


Yes. The _somehow_ is unfathomably more complex for SMS than it is for certificates. These two ecosystems don't even begin to compare the slightest, whether from technical perspective or from regulatory perspective. Warning by default would be completely pointless until there's a way to also achieve the opposite; a verification and "approval". It would just do more harm, and it would upend a tremendous number of legitimate businesses and use cases.


in the same vein, email providers need to stop unverified email senders setting their own identifiers. if it's not from an email I've interacted with before, show me the email address itself and nothing else.

there's really no good reason for the automatic contactification of email addresses. if I want someone's emails to be marked as being from John Smith, I will do that myself. if amazon or x known company is sending me an email, I do not care, identify the sender as the email address it was sent from.


I really don't want a phone number any more, I don't need one for any friends or family contact. Really the only reason is for 2fa which is ironic as it seems the weakest link.


I don't even want a (smart)phone anymore. The lack of control you have over your user experience, especially on Apple devices, is horrendous. you can't even really jailbreak apple devices anymore. on your PC you can reprogram anything, navigate around or fully prevent most malicious time-wasting practices (infinite feeds, reels, adverts) that you're near enough at the mercy of on a phone. the way I see it, smartphones are made for idiots

Ideally I'd carry round a phone-sized PC running Linux with mobile capabilities, but as it is I settle for my laptop and a brick phone. I appreciate that android would be better - and is in fact a computer running linux the size of a phone, but it's not really the same.


Can't agree more! For 2FA there are much better options, like TOTPs which are more secure against phishing and account takeover (because they don't allow outside parties to trigger a verification request on your device). Let's see how the Bluetooth-based web auth proposal turns out to be implemented by big tech.


Request for proposal: SPF, DMARC, DKIM authenticity authentication but for SMS


Very sad to see the United States as “No” and “No” listed next to the protections page linked


My understanding is that US carriers don't support Sender ID at all, so having the caller ID/sender ID spoofed is not common (and maybe not possible?) on major US carriers.

Whenever I get phishing SMS they always come from a random 10-digit phone number so it's pretty clear they're scams. Reputable companies send these types of messages with short-codes, which are 5- or 6-digit numbers that are very expensive and require thorough vetting by the carriers.


They're not _that_ expensive (usually $500-$1k/mo) and I wouldn't really characterize the vetting as "thorough".

Don't get me wrong, carriers have been making strides to lower the amount of spam that's sent through the air (A2P requirements, toll-free number verification requirements, etc), but a determined scammer can still exploit SMS/MMS pretty easily.


I've provisioned several shortcodes. There's a 12-week approval process (every carrier has to independently review & approve) and if you get flagged/reported for spam they will come after you for it. IMO this makes it prohibitively difficult & time-consuming for a bad actor to use effectively.


I think the processes are getting better each day, but it was only a couple of years ago that you could share a shortcode. My main point is that even with all of the safeguards it's still a ridiculously easy system to exploit.

Most people will trust a toll-free number just as much as a shortcode, and since tons of legitimate companies use toll-free numbers for messaging it just blurs the line of what a "reputable" number looks like.

Even SendGrid, which is owned by Twilio, uses toll-free numbers for their 2FA messages instead of shortcodes.


It also makes it difficult and time-consuming for a good actor to use effectively.

As far as I could tell (although I retired in 2019, so might be out of date), you can't use one short code through multiple aggregators, so if you want the benefits of multiple routes, you've got to have multiple shortcodes or live with sending from regular phone numbers.


Regarding caller ID, stir/shaken is being used in some situations and I know AT&T supports it within their own network (call history will have a checkmark to indicate it was verified).


> Whenever I get phishing SMS they always come from a random 10-digit phone number so it's pretty clear they're scams

Sadly, Novant Health (a hospital system) uses a regular 10-digit number for their patient portal 2FA. When I was in college, accessing sensitive info like your SSN and W2s in Banner also had 2FA via a 10-digit number. (This was an entirely separate system from the login 2FA provider, Duo, which uses shortcodes in addition to U2F tokens and their app.)



Meanwhile countries like Congo, Bangladesh, Cambodia, etc. have Yes | Yes. We need some of that third world SMS protections.


I mean, we're protected from SMS from spoofed alphanumeric sender ids. What more do you want?

Probably no nation has protection from spoofed numeric sender ids, but based on the sms phishing attempts I get, that's not a big deal. Apparently people will tap on links from their bank from any number anyway.


Phones were here way before 2FA and Internet. The technology is poorly designed for modern attack vectors but it's so widespread it's crazy. Every single person out there has a phone number - one of the primary reasons it is still offered as a 2FA option.

Not to mention how widespread the coverage is. There are many places around the world where you have cell connectivity but no Internet.

In short, you can't get rid of it short of throwing away the SIM. Is it possible to have SMS v2 that's safer like we went from 2G to 5G?


> Is it possible to have SMS v2 that's safer like we went from 2G to 5G?

No, because https://xkcd.com/927/

The world is filled with strongly authenticated messaging solutions. There's an excellent one available from literally every major tech company. Technology is not the problem here.


Securing SMS sender ID may prevent you trusting a URL from a text, but that's not enough. We can't prevent people from ever clicking on a phony URL, so we need to ensure even if you hit a phishing page that you can't have credentials stolen. SMS and TOTP can't do this, even with if they are secured, because phishing pages can forward the credential.

The only solid way to prevent phishing is non-forwardable credentials, ie FIDO/U2F. We need to make this easier and more ubiquitous.
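To make the "forwardable vs. non-forwardable" distinction in the comment above concrete, here is an added example (not code from any commenter or from the article) that simulates both flows. It assumes a constructed RFC 6238 test secret for the TOTP side and, on the FIDO side, stands in an HMAC for the real ECDSA signature over authenticator data and client data; the names `totp_relay_accepted`, `fido_relay_accepted`, `RP_ORIGIN` and the lookalike origin are hypothetical. The point it shows is that the real site can only check *what* the TOTP code is, never *where* it was typed, whereas a WebAuthn assertion carries the origin the browser actually observed, so a code relayed through a page on another origin fails verification.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test vector secret, not a real credential.
TOTP_SECRET = b"12345678901234567890"


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_site_verifies(code: str, t: int) -> bool:
    """The real site can only compare digits; it has no knowledge of where the user typed them."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))


def totp_relay_accepted(t: int) -> bool:
    """Model of the comment's scenario: a page on the wrong origin collects the code
    and forwards it unchanged. Because nothing in a TOTP code is bound to an origin,
    the real site accepts it."""
    code_read_from_authenticator = totp(TOTP_SECRET, t)  # user copies it into the wrong page
    return totp_site_verifies(code_read_from_authenticator, t)


# --- Origin-bound (FIDO/WebAuthn-style) credential -------------------------------
# Hypothetical stand-in: a symmetric key replaces the authenticator's private key so the
# example runs offline; the binding logic (origin is inside the signed client data) is the
# same as in WebAuthn, where clientDataJSON carries the origin the browser observed.
AUTH_KEY = b"constructed-demo-authenticator-key"
RP_ORIGIN = "https://example.com"          # the relying party's registered origin
CHALLENGE = b"constructed-16-byte-challenge!!"


def _client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps(
        {"challenge": base64.b64encode(challenge).decode(), "origin": origin},
        sort_keys=True,
    ).encode()


def browser_and_authenticator_sign(challenge: bytes, page_origin: str) -> dict:
    """The browser, not the page, fills in the origin it is actually showing."""
    client_data = _client_data(challenge, page_origin)
    signature = hmac.new(AUTH_KEY, client_data, hashlib.sha256).digest()
    return {"client_data": client_data, "signature": signature}


def fido_site_verifies(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying party checks origin and challenge inside the signed data, then the signature."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN:
        return False
    if data.get("challenge") != base64.b64encode(expected_challenge).decode():
        return False
    expected_sig = hmac.new(AUTH_KEY, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def fido_legit_accepted() -> bool:
    """User is on the genuine origin: assertion verifies."""
    assertion = browser_and_authenticator_sign(CHALLENGE, RP_ORIGIN)
    return fido_site_verifies(assertion, CHALLENGE)


def fido_relay_accepted(lookalike_origin: str = "https://examp1e.com") -> bool:
    """Same relay as above, but the browser records the lookalike origin in the signed
    client data, so forwarding the assertion to the real site fails."""
    assertion = browser_and_authenticator_sign(CHALLENGE, lookalike_origin)
    return fido_site_verifies(assertion, CHALLENGE)


if __name__ == "__main__":
    print("TOTP relayed through another origin accepted:", totp_relay_accepted(1_000_000))
    print("FIDO assertion from genuine origin accepted:  ", fido_legit_accepted())
    print("FIDO assertion relayed from lookalike origin: ", fido_relay_accepted())
```

The `totp` function follows RFC 6238 exactly, so it reproduces the published test vectors (for example the 8-digit SHA-1 value at T=59), which is a convenient way to check the implementation before trusting anything built on it. The two `*_relay_accepted` functions are the comparison the comment is making: the first returns True because the code is the whole credential, the second returns False because the origin is part of what gets signed.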


Huh. I received a text message a couple of weeks ago, informing me the "gift" that I had "bought" had been delivered to the "location agreed upon" by me, and to please visit this really suspicious looking URL for details.

The Internet, for better or worse, has taught me a healthy amount of skepticism, plus I definitely had not bought any gifts (how is it a gift if I buy it myself?). But I can see how it is easy to fall for these scams if you aren't used to looking for them.


Halfway through reading this article I got a SMS from a New York City number saying:

    Your package delivery details are incorrect and we cannot deliver.  https://usppagestrport.com/2vlv
Obvious phishing attack, but you know some people are going to fall for it.


Many years ago, an IT security person I was talking to referred to humans as "the one security-critical component that cannot be updated". It's a bit cynical, but not entirely incorrect.


I got a phone number with a prepaid cash card and got someone else's previous mobile phone number. I get Snapchat 2FA codes which are not mine. Don't trust SMS for 2FA.


I wish we would just stop using phone numbers as the primary user identifier and SMS as the primary communication channel, period.

The amount of cruft involved in SMS delivery is unbelievable, and phone numbers are neither particularly stable, nor particularly well protected against takeovers.


As someone who’s moving overseas shortly, changing/removing your number is a nightmare. It really is the primary UID. So many things use it for 2FA. In a lot of cases you HAVE to list a phone number. I ported my number to Google Voice as a decent alternative, but you kinda have to know what you’re doing ahead of time. My gf who moved first did not and deeply regrets it.


It's also not a long-term solution. At some point, your ported number will be updated and flagged as a "voip number" since it's now associated with Google Voice. At that point, you'll start having issues as many services don't like it when people use a number they can acquire for free in a couple minutes as the UID.


Doesn’t work that way for Canadian numbers. Only original issuer is public info. Porting info is on a need-to-know basis (ie: telecoms need to terminate calls; but that’s it).

This can work against you of course, so a good strategy is to get a burner phone and port that number to your VoIP provider.


SMS gateways know the destination provider too, and I believe this is how blocking VoIP numbers is implemented in practice.


Before I retired (2019), I was getting emails from our telecom providers that Canadian regulators were mandating that they not share porting information with customers (us), although it was generally available before, and was still available in other countries of interest (mostly US), for a fee.


Shouldn't it be the same for the US and Canada? Both are administered by NANPA. Last time I looked into this (early 2020), you generally couldn't get porting info for US numbers, though original issuer was public and easily accessible.


Since US and Can have number portability, it’s managed by a Number Portability Administrator. That’s Neustar in Canada:

https://www.npac.com/canadian-number-portability/the-npac-ne...


Great to know, so far I’ve been able to still receive SMS 2FA messages but it’s only been a couple of days since porting.


I've used a google voice number as my primary number for quite a while, and it's actually pretty rare to have issues with it. I'd say that much less than 1/10 of services require me to use my cell's actual number.


Google Voice needs to be linked to a valid +1 land or mobile number to function long term. My Google Voice number lasted for almost exactly 6 months after the US cell number it was linked to was disconnected (moved overseas for a while). Its classification as a valid mobile lasted a bit less long and now I cannot use it to send/receive SMS at all (voice mail works but it will not ring through and I can no longer use it to call). Before that many banks etc stopped sending SMS 2FA messages through (as they are supposed to, according to the latest NIST guidelines). Thankfully (?) the same banks seem ok to do voice 2FA to my overseas number. Sadly they still do not support better MFA authenticators.

Would love to know how to maintain a US SMS presence without sketchy products obviously aimed at spammers.


I've been using jmp.chat and have been pretty happy with them. But I haven't tried using them as 2fa provider, they may be blocked by places that block common voip providers.


Discord is a big offender


Burner phone numbers in the US seem to be of a particular range of numbers and can also be flagged. I used to use pay as you go burners for random tasks in the past and noticed they gave me trouble when trying to use them to get verification codes sometimes.


I'm not sure what you mean when you say "burner phone". I know for a fact that you can get a regular prepaid plan from T-Mobile and pay for it cash, no IDs; that fits the "burner phone" requirements for me. Do you mean that every prepaid plan uses that range of numbers?


Prepaid plan vs post-paid, probably not, but some discount prepaid providers are probably considered “less trust-worthy”, or less profitable when evaluating VoIP numbers.


I went abroad from Canada for two years, tried to park two numbers to Virgin on cheap prepaid (still paying 5-10$ just to hold a number). Well they fucked up credit card payments on both accounts, closed them after a couple of months and stole our numbers. So aggravating to go through the trouble of parking the numbers, paying perhaps 300$ and then the aggravation of trying unsuccessfully to get those numbers back, and the aggravation of trying to figure out which services use those numbers for 2FA.

Canadian telcos are basically a scam (and Virgin is now my top hated one, assholes).

2FA using phone numbers is idiotic.


For sure, the second factor is supposed to be "something you own" and phone numbers are not that.


Should have ported to VoIP.ms or similar.


That's interesting, although my ISP seemed to know I was calling from a VoIP number (my "land line", as it were). She even knew my secondary number was a VoIP number.

I think in the end she put one of the numbers down in the application after a little persuasion.


For whatever it's worth, that's not permanent. My current number was originally a GV number and used to get flagged as a voip number. But I ported it out to a mobile carrier a year ago (which Google makes you pay for) and haven't had an issue since.


What I’ve seen is services will verify the number at sign up then never again.


I ported my number from Google Voice to Google Fi and lost all the SMS messages sent/received while using the number with Voice.

Mentioned this to a friend who works at Google on their messaging products. His take: "Yup. It's a mess"


I did the same switch and can still access all my old SMS's and voicemails at voice.google.com


The dark side of the mobile number portability that we all wanted. I wonder what would have happened in the alternate universe where a lot of people would presumably have been changing mobile numbers with at least some frequency.

I also have to wonder how Google Voice has survived Google's ax all these years.


For Google Workspace accounts, it's a paid service (I believe $10 or $20 per number and month). The personal version is presumably a loss leader.


> I also have to wonder how Google Voice has survived Google's ax all these years.

The infinite surveillance capacity of a monitored voice line?

Millennia of training data for AI speech synthesis and recognition?


Probably because execs use it.


I’ve lost access to a phone number on Google Voice. After my parents died, I ported their landline to Google Voice. This number was in my family for more than 50 years.

After porting a second number into Google Voice (and involving Google Fi) I lost access to the first. A 50+ year old phone number that everyone important to me already had memorized.

If you call the number now, it’s answered by a Google voice subscriber message. So I know the number is still with Google. I just can’t access it anymore.


After ~15 years with it, starting back in the GrandCentral days, I recently moved from Google Voice to voip.ms, on my path to degoogling. The new service is paid, in a competitive domain, and so needs and has excellent customer service, and a much improved set of features. I'm happy to be the customer instead of the product.


Are you me? Exact same story. How are you making/receiving calls and texts now?


Kinda sounds like you are him. Is this forum better or worse with your product placement tricks?


Top tier conspiracy detective work there Sherlock! Just surprised someone has the identical experience as me and curious what solutions they're using in the interest of sharing and learning together. Who would have thought?


Why don't you just contact Google customer service?

I'll be here all week.


Really? Have you ever tried that?


Wait until you move to your new country and discover that you need a local bank account to get a local phone number, but you need a local phone number to open a bank account.


Yes Ireland has this too. It's frustrating. They don't have a population registry so proof of address is a 'utility bill'. But to sign up for utilities you need a bank account which requires proof of address. Well you get it.

Also relying on something from a commercial entity that's so easy to fake is weird.


It's sometimes the case in the US as well. When I got my RealID driver's license I had to show some sort of utility bill as a proof of address--which, as you say, could be pretty easily faked.


I recently did this and had two utility bills. But two isn't accepted so I was given an affidavit form where I wrote down that I was who I claimed to be.


Lol if you're going to take the user's word for it, why even bother asking for proof :)


It was pretty ridiculous. I already had a passport, other state DL, SSN, and birth certificate. The points for proof of residence are the dumbest part of RealID.


Someone I knew had some rigamarole to get their kid his first license because he didn't have any utility bills or whatever to prove his address. :-/

There's this weird thing that de facto you need state residency and a permanent address to live "normally," have government ID, etc. but there's not AFAIK any actual specific legal requirement to have same.


Note that many services do not permit Google Voice numbers!

Instagram and Facebook will quickly disable your account and demand a real phone number. I recently had a delivery app inform me at signup that it's not even a real phone number (it happily slurped up the submitted Voice number and later sent me ads about pizza anyway)


I tried something similar when I went overseas. In my case, I tried to use Twilio and even got everything setup to forward correctly to the number I got in whatever country I was in at the time.

But that doesn’t work for 2FA. I ended up locked out of my online banking accounts for my whole trip and it was a huge headache. My recommendation would be to port your number over to Google Fi and then just use that in whatever country you’re going to. It’s a bit more expensive that local cell service in many countries, but there’s nothing like having your phone just work wherever you go.


I ended up porting my (Canadian) number to a cheap pre-paid MVNO service that was $100/yr for unlimited talk/text and no data (within Canada), but seemingly allows me to roam forever and receive SMS for free. Cheapest option I could find in Canada, besides maybe some VOIP providers.


I think this goes to the fact that we need a new sort of UID. Something thought through very carefully rather than something that comes to be. There's a sort of hidden infrastructure, hidden legacy, hidden stability that's been built around phone numbers and email. For instance, "valid Google email address" is a proxy for "a real person with X likelihood". Same goes for SSN + demonstrated knowledge of your last few residences, etc etc. It's a mess.

Start from first principles, what do we really need to know about a person? What could we build? On the other hand, maybe if it's too good it'll be bad for privacy, and escaping into the shadows, should that become necessary for someone.


This is a problem some people are trying to solve with blockchain technology.

I'm not necessarily saying this is a good idea. It's just an interesting potential solution.


The question I think I'm getting at is about who you are and why that matters in a given case. Blockchains are good for keeping identities intact once established, which is different though maybe it'll help overall.


https://support.google.com/voice/answer/1065667?hl=en#zippy=...

I've paid the $20 Google charges to make a number "permanent" once for myself and a couple of times for organizations.

For myself, it's a highly secure phone number. I still only use a phone number when I absolutely have to, like with Twitter, preferring to use a hardware key or Authy.

For organizations, it's like an answering machine. My kids' soccer club had a cell phone that was supposed to be answered by the VP when parents or coaches had messages. It was much easier to port the number into Google Voice, put it into Do Not Disturb mode permanently, and have the transcriptions forwarded to the VP on the extremely rare occasions that there were any.


I kept my old number and switched it to a provider that offered a yearly prepaid plan with an eSIM. $20 a year and I can keep my old number and switch to it as an active sim to receive a 2FA whenever necessary. I agree to always using 2FA via TOTP however.


To add, I've experienced a few too many services that seem to block Google Voice numbers for 2fa purposes (although, maybe they're blocking based on area code and there wouldn't be a problem if I ported my existing number to GV).


This is pretty common, unfortunately (and a major factor in choosing a service provider for me when there are multiple options).


This. A bunch of Canadian government interactions also use SMS as 2FA and I live abroad for months every year. At least most tech companies let you switch to an authenticator app...


But you still get SMS when roaming?


Canadian roaming rates are so utterly shit the SIM card comes out the second I'm on the plane. It's like $15 per day to roam in the EU. Not per month, per day, let that sink in... I can get a plan in Europe for 30€ month that puts my Canadian plan ($90/month) to shame...

I'm not paying $450/month to roam...


> Canadian roaming rates are so utterly shit the SIM card comes out the second I'm on the plane. It's like $15 per day to roam in the EU. Not per month, per day, let that sink in... I can get a plan in Europe for 30€ month that puts my Canadian plan ($90/month) to shame...

That's cheap. My Austrian provider charges 1 Euro per 100 KB when roaming in Canada (no - that's not a typo). So for 10 GB that's a cheap 100k Euros.


Ok, I see. That's nuts. I've been to Canada with my EU SIM but apart from each SMS costing a few cents instead of being free, it didn't cost me much to keep using 2FA.

I currently have a plan for 22€ that gives me unlimited everything in my country (maybe there is a cap on minutes but I don't call much) including unlimited data + 10GB data in the EU.

I remember that in Canada I was paying through the nose for some basic pathetic plan though.


Not very reliably, usually.


I removed all mobile based 2FA from all my sites that rely on it and strictly use TOTP and U2F. Now I only subscribe to services that provide this kind of authentication. There are a few sites that I still use that rely on SMS 2-factor but it's a short list now. Most of my sites that have TOTP and U2F support have the option of using SMS auth but do not require it.


What's exactly the problem? Is this something US specific? I've been living in different countries for years and always kept my original number in addition to getting a local number as well. Never had any trouble with 2FA.


There are many problems with this approach (I'm using it currently as well, out of necessity, not choice):

- SMS delivery is not always very reliable when roaming.

- Prepaid SIMs usually expire after a while of not topping them up.

- Good luck losing one of these SIMs and getting a replacement abroad. (eSIMs make this both better and worse.)


Ok, fair enough with the third point.

Never had a missed SMS while roaming and I don't use prepaid as my primary number. Have had the same number for 20 years now.


I will face the same soon.

Is there a guide or something to help you with that?

I know it is just a simple task, but it is a really long chain of stuff to do to prevent yourself from ending up on the other side of your services.


I lost my SIM shortly after I moved and never got a replacement. I advocate against phone numbers since then :)

My best advice is to find alternatives and don't depend on anything that depends on a phone number. Things can ALWAYS turn wrong.


It’s probably trivial for the average HN reader, the key is to do it before you move. Otherwise it can be difficult since Google Voice is not available in most countries. (Will need a VPN). FYI iMessage is really wonky now that I’ve removed my phone number.

Should be obvious but you will lose your phone service, so you want to time it close to when you are leaving.


The hardware solution is either to have two phones, or one phone with two sim cards (which are common in Europe, for example).


And most things block Google Voice.


We don't really, here in Europe. WhatsApp is the main communication method. I think SMS is still so popular in the US because it's a fallback for iMessage. But here the levels of iPhone users are much lower.

So for me 2fa is pretty much the only thing I still use SMS for. Which makes a suspicious sms stand out a lot more.

I wish we'd stop using it for 2fa though because it was never meant to be hardened for this.


Heavy SMS usage predates iMessage in the US. But iMessage was presumably a big contributor to making unlimited SMS messages the norm on most phone plans. In any case, there was just never a big incentive in the US to use anything other than iMessage when available and fall back to SMS otherwise. And without that incentive "no one" (who isn't texting people overseas) bothers to use different apps.


Oh this is true here too. SMS usage was huge pre-WhatsApp.

What happened was that the networks were capitalising on that. SMS was historically quite expensive so it became a big cash cow. SMS bits must have been made of gold because they were hundreds of times more expensive than other bits.

WhatsApp completely killed SMS usage here however. Leading to some carriers wanting to charge extra for WhatsApp usage to recuperate some of the 'lost' revenue. This sparked a big discussion about net neutrality which was then enshrined in EU law, so the discussion was finished. By this time, SMS became practically free but it was too late.


Interesting. It looks like WhatsApp predated iMessage in the US but it never really took off. Maybe US text bundles were more consumer-friendly in the US? Though I don't really remember it that way. (I didn't do a lot of texting though and mostly expensed the handful of work-related texting I did do; friends didn't really text at that time.)


> We don't really, here in Europe. WhatsApp is the main communication method.

This is only partially true. There are also countries like France where WhatsApp only has a market share of about 22%. Switzerland is very split too, I personally know more people using Signal or Telegram than 'still using' WhatsApp.


Oh really? I have many colleagues in France and they're all on WA. What else do they use? Is there a local app? I know France loves their local things :)


The French government adopted Matrix for all their internal and inter-ministerial communications, to avoid dependence on foreign corporate products. https://archive.fosdem.org/2019/schedule/event/matrix_french...

Most people I know use WhatsApp (I refuse, and since I run Lineage OS without Google services I simply tell people my phone doesn't support it), Signal, or Telegram.


I've just googled that. Statistica and co show a number of 22% for France in WhatsApp usage.

Reality is if you ask someone 'do you have whatsapp' or just message them, a lot more than 22% will have WhatsApp in a way or another I guess. But it's not what they choose if someone asks which app they prefer.

Just as nearly everyone I know has telegram but I highly doubt it's their main way of communicating for most.


The main issue with WhatsApp is that you're locked to a single provider and their service (unlike SMS which works across different carriers), as well as their privacy practices. In a way this is similar to people moving away from email to proprietary messaging systems instead - while you gain security and functionality benefits, you lose in terms of choice and compatibility. Sadly alternatives haven't really gained traction.


I agree, I don't like whatsapp. Though I do like it more than SMS.

One of the things I like about it is group messaging. The seamless images/files, the encryption...

And I don't think most mainstream users feel this as a lock-in. After all, whatever phone they can buy they can install WhatsApp on it (and soon even import their history!).

Personally I prefer Matrix. Not a fan of Signal either due to the ban on 3rd party apps.


Yeah I personally use Matrix myself, I run a selfhosted instance for internal family use. They're the only people actually willing to use it - everyone else is on WhatsApp and similar services.


> We don't really, here in Europe.

At least Germany and Austria heavily rely on SMS-OTP for all kinds of services, banking and otherwise. I've never received an OTP via WhatsApp.

Austria even has an eIDAS-compatible e-signature scheme based on SMS-OTP that allows people to create a legally binding PDF signature using SMS-OTP and a static password...


Yes like I said for such services, yes. Here in Spain it's used sometimes too. Though once a month would be the maximum I'd receive one.


I use SMS because it's been the default messaging solution on every non-iphone I've ever owned. My first few phones were all "dumb" phones so SMS was the only option. On my android phones I've always just used the built-in messaging app which is typically SMS and switches to MMS when doing group texts or sending pictures. I've never had a need to install any 3rd party apps for messaging.


I'm seeing more services using email for 2FA nowadays.

SMS is actually easier, with email I have to go into the outlook app.


Bunch of humbug. I was once away in Europe (many years ago) and everyone used Whatsapp. But now, here in Europe (the same place that I came from), no one uses it (or at least no one tells me about it).

I was of course in a different country in Europe. Since it’s a mini-continent and all that.


Don't you need a phone number for WhatsApp though?


E-mail seems to be the solution. It's out of band; authentication/authorization are required; there are standards to flag an invalid origin; it filters spam. It's not encrypted, but neither is SMS. Most of today's dumb phones can check e-mail, so it's almost ubiquitous. The only way it doesn't work is for rural users who have no data but do have GSM/SMS.


I agree, but unfortunately some regulatory bodies like the EBA have specifically labeled it "not a factor for 2FA purposes"...

Ironically, my email inbox is much better protected than my SIM/phone number.


We should lobby them to change the rules, as a second e-mail account would literally be a second factor. Then it's up to the user to hook it up to their phone.


Email based authentication is lame. If a hacker gets access to your email, then they automatically have access to your 2FA. Lame.


So if a hacker gets access to your second factor, they have access to your second factor?


And if they get access to my phone number they get access to my texts and phone calls. That's why neither should ever be the only authentication factor (nor a single-factor recovery method for that matter).

That said, my phone number is significantly easier to take over than my email address and mailbox.


Most (but not all) free email providers now seem to require SMS verification to sign up for them these days.


True, but at least you need an SMS-capable number only once (to sign up), and not every time you are trying to authenticate to some "secure" website.


Companies use it as a cheap and easy way to combat spam without any engineering on their end. It's purely out of financial interest, nothing more. The mobile apps which require a phone number to use are doing this because if they only required email to sign up they'd have people sniffing their API and very quickly overwhelming it with fake accounts, and the cat and mouse game begins.

By forcing the users to validate with a phone number, they're essentially pushing their spam problems upstream and out of their hands. More sophisticated actors know it's possible to automate SMS verification, but it does stop a lot of spam at the door.


There's no reason that a service's "proof of personhood"/anti-bot mechanism has to be the same as that used for OTP delivery, though.

Google does this very well: They require a phone number for spam account creation prevention – once. After that, I can delete the phone number from my account and use a FIDO key, TOTP or any other 2FA method.


Let's also not forget how unreliable SMS is too. I got locked out of an Apple account because I wasn't receiving codes.


The problem here I think is that these sorts of failures are bursty, and account protection algorithms are typically not capable of tracking behaviors over time, because that would be expensive.


I haven't been able to use Uber for the last four years because I never receive its verification texts.

Uber's screw-up has given Lyft a few thousand dollars.


Exactly. I deprecated SMS 12 years ago in favor of e-mail. E-mail supports encryption, >140 characters, attachments, alphanumeric IDs, and works across country borders and SIM cards. There is literally zero reason to use SMS.


Most companies use that because, along with credit card numbers, it's an excellent way to track people's opinions and whereabouts.


> I wish we would just stop using phone numbers as the primary user identifier and SMS as the primary communication channel

Come up with a good alternative and make yourself a billionaire.

Difficulty: Good alternative.


Sure, if you find something as interoperable, free, simple and mobile, go for it.


email?


Not as mobile: you need internet and a smartphone. I still have a friend with a dumb phone. I'm sometimes in zones without internet but my mum calls me and asks me to give her some confirmation code I receive.

Not as simple: stuff arrives in the spam folder. Some providers just reject your valid mail (my main email TLD is exotic, it causes lots of trouble). People receive so much junk they lose your message in 1000s of unread mails or are afraid of checking them.

Not as interoperable: there are new kids that just don't have email set up on their phone. They check it once a month at home on the computer. Email is for old people (although text is getting there too).

Plus email is almost as easy to spoof and intercept, so the gain would be minimal.


Sometimes I'm traveling and don't want to pay exorbitant roaming fees. Or sometimes I'm in a building or basement without phone service.

I'm sure there are a few people without email on their phones but I don't think the number is dramatically different than those without SMS right now. If I have cell signal I have email, but I can have email without SMS access.


> If I have cell signal I have email, but I can have email without SMS access.

In populated areas of the US, maybe.

In the French country side, definitely not.


If you don't have internet, you arguably don't need to receive OTPs either (since these are usually used to log in to some online service or confirm a transaction in one), no?


Of course I do.

E.g.: last week, my brother wanted to try one of my service accounts on his iPad (we set it up only on his computer). He tried to connect with my password, but any new device requires 2FA. So he called me, and I gave it to him.

Now, in this particular example, I was at home, so I had access to internet.

But I'm often traveling to places where I don't.

In fact, I lived in Mali for 2 years where this has been a big trouble for all administrative stuff. Nowadays, I would assume a lot of Malian people have phone numbers, but no emails, anyway.

But without going that far, the French countryside has plenty of places where you get text but not internet. And being in a car or train is often enough for that.

I don't think SMS is a good 2FA. I have 3 YubiKeys at home.

But I believe any geek should first spend a month working in a call center before making a comment about 2FA.

There is a looooong tail of things going wrong, and there is a reason corporations chose SMS: they tried all the rest, and it was worse.

Now things are getting better with in-app 2FA notifications, but of course it assumes you have a smartphone.


> Not as mobile: you need internet and a smartphone.

> I'm sometimes in zones without internet but my mum call me and ask me to give her some confirmation code I receive.

We're talking about multifactor authentication here. Where/how are you authenticating without internet access?

> Email is for old people

I guess that makes me old. Does that disqualify me from using multifactor authentication?

> Not as simple: stuff arrive in the spam folder. Some providers just reject your valid mail (my main email tld is exotic, it causes lots of troubles).

All of this happens to me with SMS much more often than it does with email.

> Plus email is almost as easy to spoof and intercept,

Agreed on spoofing, but that's not a problem for OTP authentication. Completely disagree on interception – I believe SMS is much easier to intercept, on average.


The remedy for this lies with Apple and Google to compete over. They’re naturally incentivized in various ways. Mozilla too but Mozilla can’t seem to figure out what to do until it’s passed by, even when the opportunity is still there. Imagine paying it forward to not have calls and text and voicemails related to your expiring warranty, reliable messages, etc. I don’t think even slack can touch this. Otherwise they would have already. Allow me to point out the planet has been networked for over 100 years and this is the best our lawmakers and tech companies can muster. It’s as though everyone has lost sight of doing something practical (for money).


Caller ID is the same. Some trunks come with the ability to set any number you like, without any verification. You just provide the number you like in a SIP INVITE message header, and that's it.


Didn't know that, jeez.

Imagine what that could look like with voice AI getting better and better.


The more I read about phones and texting, the more I realize that they were never intended to be used as security verification.

It just was not one of the design goals. My understanding of caller ID is that anyone can put anything there; it was made decades ago to serve as a convenience, not to verify.

Likewise with the sender id in SMS.

It's a good lesson on how protocols are hijacked. Someone thought it was a good idea to send text messages. Another person decided to leverage it for security. Et voilà, we have a security apparatus that isn't very secure.


> it [caller id] was made decades ago to serve as convenience

It was made decades ago as a profit center when the telephone network was a monopoly company operating an isolated network.

Because only the monopoly phone company operated and had access to the isolated telephone network, there was no need for any authentication or verification because all caller ID data came from "themselves" and they were not going to start trying to scam themselves.

It (caller id) was a profit center because when it first rolled out it cost somewhere in the range of $20 to $30 per month. The phone company was already tracking which number called which other number for billing purposes, and they found a way to monetize that tracking by allowing the call receiver a tiny sliver of visibility into their billing tracking data, all for a nice sum per month. It rolled out circa 1985 or so and factoring for inflation that $20/month fee at the time was the equivalent today of paying $54.33/month. All for data that was effectively free to the phone company because they were already tracking it for long distance billing purposes and/or for local toll purposes if one was on a "local toll plan" instead of an "unlimited" plan.


Clickable links also enabled people to lose control of their WhatsApp accounts. The message was legit but the request was not. If they had sent a code, the attacker would have had to convince people to give it to them. With the link, a lot of users assumed they needed to click to keep using WhatsApp. Not sure what Facebook was thinking, but it was a pretty bad move.


Stop using SMS for 2FA.

Not familiar with SMS Sender ID Verification, but after quick Google, I was unable to find any signs that it counters SMS spoofing.

SMS as a 2FA channel is broken. There are so many vulnerabilities that it just makes no sense to use; for example: corrupt telco employees, SS7, sim card cloning, sim swap, spoofing, governments, etc.

Beyond that, if you’re located or traveling internationally, it’s a nightmare to deal with.

NIST has not recommended SMS based 2FA since 2016:

https://www.schneier.com/blog/archives/2016/08/nist_is_no_lo...


SMS has a unique advantage that no other channel has: no user onboarding needed. Got a SIM? Got SMS.

I send lots of 2FA SMS for a number of banks here in Europe and they, because of the costs after PSD2 [1] went live, want users to use their app for getting notifications as 2FA. They have launched several communication campaigns over the last 2-3 years, but only 30% of users have migrated from SMS to in-app notifications, mostly because they won't even install their app.

Then, we have use cases where users don't have a regular relationship with your business (e.g. e-signing for consumer goods financing on the spot). In this case, I would say that SMS is the only channel you have to serve these users.

For better or worse, I do not see SMS disappearing anytime soon.

[1] https://ec.europa.eu/info/law/payment-services-psd-2-directi...


Don't have a SIM? Get fucked.

There are people who don't have a cell phone because they see it as a distraction engine that will gobble up their life. Digital addictive drugs. But it's almost impossible to maintain this stance in modern life. Have you seen the trend of restaurants that no longer print menus? Instead there is a QR code that opens up their website to get the menu. Every service now wanting SMS verification adds to their problems.


It's not only about having a SIM but also having one 'they' like. I am with a small provider here in Switzerland (that is a daughter company of the biggest provider) and things like Twitter, Twitch, .. don't even support that number for whatever reason.

I personally only use throwaway rental numbers on the web, basically giving me the worst security possible for any kind of account that falls back to SMS for security.


I know people who have tried to save money or tried to avoid giving money to unethical companies by only having a virtual phone number. Turns out that virtual SMS numbers are treated like radioactive Ebola by most services.


It's a lot more complex than that actually. With Signalwire for example you can rent Canadian (and US) numbers at 0.2/m that work well with surprisingly many services, but not all. In a similar fashion you always find the right company to use/abuse any service that asks for a number. You won't get around the internet with a single cheap VOIP number though. Plus there are providers with more or less perfect SIMs but they are expensive.

There are also services that are specialized in providing the right number for a one-time fee. This usually works well, but more often than not destroys future account security (they will all give numbers out again, regardless of what they claim).

I could literally write a book about my life without a 'real' phone number.


I would buy and read that book, even though I know a lot of it will be out of date by the time it was ready for sale.


Things like my bank refusing to work with me over the phone because the person literally did not believe I could have a number starting with 666. That's timeless :)


We actually scrape like 30 sites offering virtual numbers to block them all. Our customers don't like seeing their SMS appearing in random sites.


That doesn't sound really effective at all. So you only go after the 'free online SMS numbers' so every number behind a minimal pay wall still works?


They should stop being so nosy and looking over the user's shoulder, then.


I have asked for a paper menu in these cases and almost all restaurants have been happy to oblige. One time the restaurant let me use their iPad to see the menu.

I wouldn’t count on this, but I’m trying to give a business money. Most are happy to satisfy reasonable requests.


I was at a food court recently where one of the restaurants didn't have a menu. Just a QR. I asked, and there's no paper version available. I asked what they do for blind people and got a blank stare.

So I went to the restaurant next door. If you can't even bother to scribble a menu on a chalkboard, you're not a real business.


> I asked what they do for blind people and got a blank stare.

Probably talk to them? I'm not sure where you're going with this because a paper menu isn't going to help with blindness.


Let me introduce you to the wonderful world of Braille: https://en.wikipedia.org/wiki/Braille


Does your average mildly competent restaurant have braille menus to begin with...?


>Instead there is a QR code that opens up their website to get the menu.

This is a trend here in Brazil. And do they send you to a lightweight, mobile-optimized web page? No way in hell, you can be pretty damn sure they will send you to a 20MB PDF that was designed for printing.

It's mind boggling how insane this is.


> Don't have a SIM? Get fucked.

Well yes, doesn't literally everything need a phone number to work these days? Can't open a bank account, can't get paid, can't pay bills, can't exist.


Skype


Make a guess how fast one can SIM swap you if you are a good target. Phone calls and SMS should not be used for any such communication, period.

2FA is ideally user generated to begin with, and not the other way around.

This is more to check the box and state to the court you tried your best.

P.S. Example: We had serious issues when people gave Google their phone numbers and the corporate accounts got hijacked.


> but only 30% of users have migrated from SMS to in-app notifications, mostly because they won't even install their app.

You say 'even' but it's hard to make sure apps aren't able to track me at all, and I while I trust my bank to keep my money safe I don't trust their app to be tracker-free.


That may be so, but the alternative approach is something like Google/KeePass/whatever Authenticator, which has the issue of not being bound to your number (unlike SMSs), so if your phone gets destroyed you can't simply get a new phone and SIM from the operator and continue as usual; you're completely fucked instead.


Depending on the authenticator used, you are absolutely not fucked. It even works while waiting for your new phone / SIM (had this happen to me on a Saturday night in France. Nothing's open Sundays).

There's Authy that does backups and you can even run it on a computer (even Linux!). 1Password can store OTPs, too, and is also backed up. There are probably a bunch of others and I'd expect KeePass to be able to do backups.

Plus, you're usually able to get the OTP seed which you can store on your own. This usually shows up as "can't scan this code?" or similar when registering.

I'm now traveling overseas, and have a local SIM in my phone. I have an older iPhone, so no dual-SIM for me. If I had to receive an SMS I guess it would still be better than my older Galaxy S5 which required a reboot, but it'd still be a pain to have to switch SIMs.

If I lost my phone but still had my laptop, I'd be A-OK with my current OTP setup. Except for a few sites which don't allow me to have anything else besides an SMS, but luckily they're not critical.


Well some do it properly I suppose, but on the other hand Google Auth has 100M users and no ways to back up. All of those people are royally screwed if anything happens.


I have been one of those people. There must have been a lot of them, because "export" is now an option which dumps all or selected keys into a giant non-standard(?) QR code that can be imported into another instance. Mine are now on two devices.


>no ways to back up

Not true. That QR code you scanned to add the key to your app? Well, that was your key. You could have saved it somewhere else secure that does allow exporting.


Which all people of course do. Or is it more like 0%?


Ironically the only sites that force me to use SMS for 2FA are banks.


They're worse than that. I had pattern lock on my phone and it stopped working one day. After a factory reset all authenticator apps lose your credentials.


You are only in trouble if you didn't keep a copy of your private keys backed up.

Unfortunately many of these apps treat the private keys like the app owns them, which is where people run into trouble. Some will even back up to the app provider's cloud service, which is just asking for them to be stolen.


> if you didn't keep a copy of your private keys backed up

Most people don't. The average person doesn't even know that's a thing since like 1 in 100 services prompts you to even do that.


On Android, if you use AndOTP, the app allows you to easily back up all your OTP secrets to an exportable file, with optional password encryption. Trivial to then import into another phone.


Google won't even allow you to enable app-based 2FA until you've signed up for SMS-based 2FA.

Unless you go back into the 2FA interface after the fact, there's no indication that app-based is even an option for Google accounts.


That's not 100% true... the one alternative is to first enable U2F hardware-based 2FA (which can be emulated on a PC using softu2f), then you can enable regular app-based TOTP codes.


Can you provide reading links for SS7 and co please. I really don’t understand why it’s so insecure.


As far as I am aware there is no reasonable way for carriers to verify sender IDs or to communicate a verified status with an SMS message. So you would end up labelling all messages as not verified, which might provide some clarity for a short time until it just becomes noise that gets ignored.


Voice calls have the same issue. Most leased lines and VoIP providers let you set your own P-Asserted-Identity header which can be used to spoof caller ID to anything you want.


This has been a problem for banks in Viet Nam for a year.

They fake the bank's messages and send a link with the same UI as the bank's. Many people got hacked.

I got a few messages like this. The only thing I could do was inform my (non-tech) friend to avoid these things.


The first SMS from github is origin bound, it cannot be used for phishing: https://wicg.github.io/sms-one-time-codes/


Origin-bound codes & Web OTP codes [1] are interesting initiatives, but platform adoption has been poor. For example, it still isn't possible to use Web OTP in Chrome on MacOS from a Chrome Web app on iOS. The communication isn't there yet.

And for what it's worth - origin bound OTP codes aren't _strongly_ bound - there isn't anything physically stopping someone from typing that short 6 digit code into a phishing site. Compare with a Magic Link token - you're much less likely to take `https://example.com?token=some-long-uuid` and manually enter that code somewhere else.

[1]: https://wicg.github.io/web-otp/
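The origin-bound format discussed in these two comments puts `@host #code` on the message's last line so that an autofill implementation releases the code only to the matching site. The parser below is an added example (not code from the WICG draft or from any commenter); the sample messages, hosts and codes are constructed placeholders, and the lookalike case shows the caveat above: the binding protects the autofill path, not a user who types the digits by hand.

```python
"""Parser and autofill gate for origin-bound one-time code SMS messages.

Added example, not code from the WICG draft or from this thread.  The
sample messages below are constructed; hosts and codes are placeholders.
"""
import re
from typing import Optional, Tuple

# Last line of a conforming message: "@<host> #<code>", optionally followed
# by a second "@<host>" naming an additional (embedded) origin.  Hosts are
# limited to DNS-safe characters so a stray "@" elsewhere never matches.
_LAST_LINE = re.compile(
    r"^@(?P<host>[A-Za-z0-9.-]+) #(?P<code>[^\s@#]+)"
    r"(?: @(?P<embedded>[A-Za-z0-9.-]+))?$"
)


def parse_origin_bound_code(message: str) -> Optional[Tuple[str, str]]:
    """Return (host, code) if the message carries an origin-bound code,
    else None.  Only the final line is consulted, as the format requires;
    the human-readable text above it is deliberately ignored."""
    lines = message.rstrip("\r\n").split("\n")
    match = _LAST_LINE.match(lines[-1].rstrip("\r"))
    if not match:
        return None
    return match.group("host").lower(), match.group("code")


def code_for_origin(message: str, expected_host: str) -> Optional[str]:
    """Autofill policy: release the code only when the bound host equals
    the host the user is actually on.  A lookalike host yields None, so
    the code never reaches a phishing page through autofill.  A message
    without the binding line is treated as opaque and not autofilled."""
    parsed = parse_origin_bound_code(message)
    if parsed is None:
        return None
    host, code = parsed
    return code if host == expected_host.lower() else None


# Constructed sample messages (not real SMS traffic).
GOOD = "Your example.com verification code is 123456.\n\n@example.com #123456"
LOOKALIKE = "Your example.com verification code is 123456.\n\n@examp1e.com #123456"
LEGACY = "Your verification code is 123456. Do not share it with anyone."

if __name__ == "__main__":
    print(code_for_origin(GOOD, "example.com"))       # 123456
    print(code_for_origin(LOOKALIKE, "example.com"))  # None
    print(code_for_origin(LEGACY, "example.com"))     # None
```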


SMS really just needs to die, and we'll all be better off.


Where does it say how the actual phishing message itself is easy to send? I see no explanation there. How does one send a message with a different SenderID?


Author here. Thanks for reading.

I didn't want to explain that in the article because I don't think it adds value.

I suggest you read up on the SMS protocol; basically anyone on the network who is able to inject arbitrary packets into it can.

If you don't even want to buy equipment or even code, take a look at AWS SNS or (I believe) Twilio too.


Neither SNS nor Twilio support arbitrary Sender IDs for US destinations, that's why I was asking... I wasn't aware that anyone actually allowed this anymore. Companies that used to allow sending fake messages without authorization, like Sakari and Beetexting, no longer do. CTIA even made a statement that "no carrier has been able to replicate" this kind of attack, according to a VICE article.


Phone numbers and email: the primary identifiers that were never meant to be used as such.

No idea what a good alternative is though. Preferably something federated.


Are you familiar with https://identity.foundation/ ? It's a group of companies and developers working on decentralizing identity.


My OnePlus phone automatically detects the spam and moves it to the trash. I am sure there is an easy way to identify it.


Could build your own protocol on top of SMS. Double opt-in, encrypted and signed. See for example MMS.


Same issue since caller ID. Force the ANI as the BTN.


A lot of people in this thread are saying SMS is bad for 2FA. It's not. Just because you can spoof the sender field doesn't mean you can spoof being a receiver. Only the valid number will ever receive the 2FA code.


SMS is bad for 2FA not because it can be spoofed, but because of SIM-swapping attacks that let the attacker trivially take your 2FA codes from you, gaining access to your protected accounts while you're locked out. NIST recommended against using SMS for this reason in summer 2016.


But who can read the messages that go to the valid number? How can unwanted people gain that access?


How do the examples in the article cause any problem? You only get sent a code when you request it. And you type it into a website that you are familiar with.


What about the FedEx one? I cannot count the number of times I’ve seen companies or even government offices using complicated and scammy-like URL names.

It’s difficult to know if URLs are legit or not. HTTPS used to be a good enough indication of legit URLs, but not anymore.

You could also think on googling the company. But those ads that look like real search results are well known to include scam websites!

I'm a developer and I find it difficult to distinguish some URLs. Now imagine how difficult it can be for grandpa or really any person out there that doesn't know about these kinds of scams.


Not everyone is that smart.


That's why I never used 2FA via SMS: it's crap.



