I am with Boost Mobile. On Sunday night I received a text message that my PIN was changed. Within minutes I confirmed this to be true on my PC. I used the Boost application on my phone to change the PIN and received a confirmation text.
A few minutes later I received a text message welcoming me to Metro PCS.
A few minutes later I received emails to my business email that my account security information was deleted from my personal email account. They used SMS authentication to my mobile number, which they now controlled, to gain access.
A few minutes later I received an email that there was an account recovery attempt on my coinbase.com account.
It took less than 30 minutes for these events to transpire.
I've spent about 15 hours trying to get my phone number and my email address back to my control.
I've accumulated a list of eight other people in the Boost Mobile Reddit.com forum where the exact same thing happened to them.
I filed a police report and filed a report with the FCC. I received a response from the FCC that they have started the inquiry and contacted Boost.
I finally did get my cell phone number ported back to Boost. I have not gained control of my Microsoft email address.
I didn’t realize I could only have messages of 2,000 characters. So I will wrap this up.
When account settings were changed, Coinbase gave me a link to lock my account, Microsoft gave me a link to log in to my account, which I no longer have control of.
Unlike competitors, which allow PINs from 6 to 15 characters and for accounts to be administratively locked, Boost offers none of these options. The last Boost operator suggested I pick a more secure PIN.
I am calculating my losses and documenting all interactions.
The very things that make SMS a uniquely good second factor make it an awful only factor. Use of SMS for account recovery should in general (or at least for important accounts) have a delay (order of days) that allows the real user to intervene.
Even in a situation where the attacker would have needed the password too, consider how much more vulnerable you are now that they have a significant piece of your auth - could they leverage that to social engineer an account recovery?
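The recovery delay suggested above (hold an SMS-initiated recovery for a period on the order of days and let the real owner cancel it from an existing contact channel) can be sketched as follows. This is an added illustration, not code from the thread or from any of the providers named in it; the three-day hold period, the `RecoveryService` class, the in-memory notification list standing in for an outbound email queue, and the scenario in `simulate()` are all assumptions made here.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

# Assumed hold period; the comment above only says "order of days".
HOLD_PERIOD = timedelta(days=3)


@dataclass
class RecoveryRequest:
    account_id: str
    requested_at: datetime
    # Delivered only to the account's EXISTING verified contacts, never to the
    # party that initiated recovery over the (possibly hijacked) phone number.
    cancel_token: str
    new_credential_hash: str
    applied: bool = False

    def effective_at(self) -> datetime:
        return self.requested_at + HOLD_PERIOD


class RecoveryService:
    """Holds SMS-initiated recovery requests for HOLD_PERIOD before applying them."""

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock
        self._pending: Dict[str, RecoveryRequest] = {}
        # Stand-in for an outbound email/push queue: (channel, message) pairs.
        self.notifications: List[Tuple[str, str]] = []

    def request_recovery(self, account_id: str, new_credential_hash: str,
                         existing_contacts: List[str]) -> RecoveryRequest:
        req = RecoveryRequest(account_id, self._clock(),
                              secrets.token_urlsafe(24), new_credential_hash)
        # A newer request replaces the old one and restarts the hold period.
        self._pending[account_id] = req
        for channel in existing_contacts:
            self.notifications.append((channel,
                f"Recovery requested for {account_id}; it takes effect at "
                f"{req.effective_at().isoformat()}. Not you? Cancel with token "
                f"{req.cancel_token}"))
        return req

    def cancel(self, account_id: str, token: str) -> bool:
        """Cancel a pending request; the token must match in constant time."""
        req = self._pending.get(account_id)
        if req is None or not secrets.compare_digest(req.cancel_token, token):
            return False
        del self._pending[account_id]
        return True

    def apply_due(self) -> List[str]:
        """Apply requests whose hold period has elapsed; returns the account ids changed."""
        now = self._clock()
        applied = []
        for account_id, req in list(self._pending.items()):
            if now >= req.effective_at():
                req.applied = True          # real code would write the new credential here
                applied.append(account_id)
                del self._pending[account_id]
        return applied


def simulate(owner_cancels: bool) -> dict:
    """Constructed scenario: someone controlling the SMS number starts recovery at t0."""
    t0 = datetime(2021, 1, 1, tzinfo=timezone.utc)
    now = [t0]                                   # injectable clock for the simulation
    svc = RecoveryService(lambda: now[0])
    req = svc.request_recovery("victim", "hash-of-new-password",
                               ["email:victim@example.test"])   # constructed contact
    applied_immediately = svc.apply_due()        # nothing changes inside the hold period
    wrong_token_rejected = not svc.cancel("victim", "bogus-token")
    # The owner reads the notice on their still-working email and uses the real token.
    cancelled = svc.cancel("victim", req.cancel_token) if owner_cancels else False
    now[0] = t0 + HOLD_PERIOD + timedelta(minutes=1)
    applied_after_hold = svc.apply_due()
    return {"applied_immediately": applied_immediately,
            "wrong_token_rejected": wrong_token_rejected,
            "cancelled": cancelled,
            "applied_after_hold": applied_after_hold}


if __name__ == "__main__":
    print("owner cancels:", simulate(owner_cancels=True))
    print("owner never notices:", simulate(owner_cancels=False))
```

The design point is that the notice and the cancel token go to channels the account already trusts (the old email, an already-signed-in device), so control of the phone number alone is not enough to finish recovery before the owner has had a chance to object.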
Phone numbers are terrible at conveying identity, unfortunately, so bringing them into the "who are you" heuristic is kinda just a net loss.
Yeah, and it requires me to use a U2F token, which I can lose, etc. You have to balance security and usability, and SMS as a second factor seems like a perfectly reasonable balance.
It is possible that if we spent more time as a community encouraging the use of password managers that the net improvement in security posture would be greater, but this does remain a nontrivial benefit of SMS.
U2F and 2FA came to life just because people are bad at making passwords and remembering them.
Making non-technical people use a password manager that generates passwords for each site is still hard.
Making non-technical people use SMS as a second factor is easy.
Making non-technical people use tokens is still hard.
There is a lot of value in having SMS 2FA still; yes, you can phish it or you can hijack the number. But that is an argument like: "there is no point in having any security at all because if you install malware on your computer you will get hacked".
Yes, SMS alone is not going to save you, but people have phones and understand that they type the code that comes via SMS to the phone number they provided when registering. The barrier to entry for it is so trivial that I think it still has value.
The barrier to entry to take over someone's phone is not high, but a random kid on the street is not going to do that, just like the random kid that can find your email + de-hashed password from database dumps.
If you have someone who is motivated to get you then probably given enough time they will get you anyway.
So take into account what that SMS 2FA prevents and what issues it is solving. Don't just throw it away.
Not only that, but you can remove the username too: WebAuthn supports a "usernameless" mode where you press "login", touch your authenticator and you're in.
U2F is only an authentication tool, not a security/encryption one.
If you have your smartphone/browser/pc pwned, you are even more screwed than with offline key table/token.
For something truly security critical, you need security against MITM on your own device, which only leaves smartcards as an option.
The one thing I distinctly remember was two of my GMail accounts starting the recovery process. Thankfully, that process apparently gives either 14 or 30 days to stop the recovery and secure my own account. Had I not been connected, that may have been my only saving grace, as I was able to secure those accounts and subsequently use them to recover other compromised accounts.
The larger lesson for me was to always use TOTP tokens where possible over SMS, and to completely disable SMS recovery for accounts that didn't have a delay on SMS-only recovery.
Now is SMS the best second factor? Of course not and a proper U2F token will be a lot more secure in many cases but for most people SMS should be perfectly suitable. All this of course requires the auth provider to be somewhat competent and not use SMS as an only factor in any circumstances.
Where it's used as a second factor, this still has an impact which is, if an attacker can get the password (and there's been enough breaches and keystroke logging for that to be common) they can then grab the number to get full control of the account.
TOTP or hardware tokens don't generally suffer from the same problem.
If you see it as "don't bother, they can just steal your SMS number" instead of "that's slightly better, at least now they can't get in without stealing my number" then you're not thinking about this reasonably.
It's inane to neglect to use SMS where it's the only second factor available. The exception is when a service allows you to use SMS alone for password resets, which isn't MFA; it's 1FA with a weaker factor than a password.
What would you think if someone took you for a joyride in a classic car and said "shoulder belts would be so much better than these lap-only belts, so don't bother buckling up!"
For those reasons, even as a second factor it's a terrible one. SMS is just not a good method of authentication at all and has no place in a login form.
At its best, SMS is only useful as a read-only notification system for non-sensitive purposes.
SMS 2FA was vaguely reasonable before TOTP applications and smartphones capable of running them were widely available. That's no longer the case.
But how many hardware tokens or TOTP tokens are users willing to deal with? I currently have eight for various clients and systems at work. If each online account required a TOTP token or a custom hardware token it would be a confusing mess of tokens.
I don't know if there's a safe and easy way of reusing the same token across sites. Until then SMS really is the only "solution".
You can phish SMS exactly the same way you can phish TOTP, I'd say :)
I deprecated SMS 10 years ago and the only way I receive SMS codes is via an online interface that requires password access.
For most people, SMS fails miserably when you need to change your SIM card or fly to another country, or work out of a place with no cell reception but has wired or wi-fi internet access. That's a big part of the reason why I deprecated it in favor of e-mail, which works flawlessly anywhere in the world you have an internet connection.
I only support U2F or TOTP based 2FA and it's up to providers to get with the beat if they want me to use real 2FA.
To move my phone number (consent or not) between any phone companies requires an SMS, my National ID, and verification of my ID, and personal details in the government database.
SMS by itself is not secure.
I hate it that Twitter forces you to enter a mobile phone number even when you set up an authenticator code generator as 2FA.
Oftentimes the weakest link in most of these services is the account recovery part.
When we set up the self service account recovery in saas pass password manager and authenticator we added all of these customizable options to mitigate against potential SIM Swap attacks.
No, SMS shouldn't be a single factor, period. It doesn't prove much, and is insecure, as the current post shows.
One option I’ve heard might be different is to not use your mobile SMS on accounts, but to get a VoIP based SMS number. It might leave things at the mercy of a different system but the footprint might be different.
It's a little mind boggling though. Securing money with a $15/mo phone plan. It's an extremely ghetto phone service. If anyone's to blame, it's Boost Mobile. Cricket Wireless. Pay for a major carrier plan.
I moved countries and I am now locked out of my bank account abroad since they verify logins via OTP over SMS.
But I feel your pain. It is a very frustrating situation to be in.
I sometimes wonder why Google has kept it running for so long, when they’re so keen to kill off boring, under-performing products.
I suggest a bank which doesn't suck, such as bunq.
I moved from Ireland to the US and kept my Irish number active - the cost was a €5 topup every 6 months.
Going in reverse is much harder - a lot of the budget phone providers in the US don't have any roaming offering. Best I can tell, you really need to have an account with a real provider, and that realistically looks like $20/mo (Google Fi), 20x more expensive than the reverse.
Let's not blame the victim here.
It is a mistake to ask consumers to protect, backup, and secure their digital lives themselves. Consumers don't have the time or skills to keep up with the hackers. If Apple, Google, ATT, Verizon etc. cannot provide digital security, this is an opportunity for someone else to step in. My personal suggestion is this is a ripe opportunity for someone like the US Post Office or Department of Motor Vehicles. Consumers would go to the US Post Office or DMV and purchase a Yubi key from them. The additional value they add is they can verify the identity of the consumer who is purchasing the Yubi key and replace the key if it is lost/stolen. Similar to how they process driver licenses or passports. This service is optional and would actually cost money. I would gladly pay a monthly fee for this peace of mind.
Uh... what does (in)secure mean to you?
It is 100% insecure, and has been exploited for nearly a decade.
1. Anybody with access to the raw SS7 network can basically click a finger and have your traffic rerouted
2. GSM interception gear is widely available
The person who invented "SMS verification" was a round idiot
Pay some $ for the key, renew it every 2 years for a fee, pay for a replacement if needed.
No one wants another monthly fee, taxes should keep the infra up like any other license.
It's usable for almost all government agencies or official stuff online here, but I haven't seen anyone use it for third party auth as it costs roughly 10 cents per login for the service using it.
In Norway, Sparebank1 is pushing an app to get one-time codes now. I wonder if we'll see more of these in the future?
I use the Microsoft authenticator to get access to my Microsoft work account.
I bet if everyone starts making their own apps for one-time codes EU will demand a single app to do all of this.
This sounds like it might be a so-called “flash” SMS. https://en.wikipedia.org/wiki/SMS#Flash_SMS
If there is not a self-service recovery option for me losing my phone, I won't use it.
---
FWIW I keep a copy on my desktop and on my phone (Keepass) and sync them every few weeks. I try not to add new passwords to my phone copy in order to keep things simple, but Keepass can do diffs and merges.
"But if your safe is owned, then all your accounts are owned!" Yes, that's the balance I take. If someone is able to get my safe and use my bio auth on the phone OR otherwise crack it, I'm screwed.
> The additional value they add, is they can verify the identity of the consumers who is purchasing the Yubi key and replace the key if it is lost/stolen.
This is exactly how digital signatures work in my country. A government institution vouches for digital certificate companies which verify and certify people's identities. It can be used to file taxes and lawsuits, for example. To most people this is just yet another layer of bureaucracy.
Boost Mobile is negligent and not following industry standards. Their whole security model is based on a 4-digit PIN. At first I thought somebody had a script working its way up through all the combinations at the login screen, but I no longer feel that is the case. The fact that at least nine of us had this same issue within days makes me think there is a widespread issue here.
It might be confusing, but that was an account recovery attack.
For account recovery there is no "password", as the thieves just made their own password while having your phone number.
So a phone number as a password recovery option is not secure without any additional checks. Not 2FA, because with this attack there was no second factor.
(OP, you are calculating your losses, but didn't specify what those losses were. Did the thief get your crypto?)
My account is locked, and I am pretty sure my funds are still there. It will be a significant loss, but not devastating as this was my non-primary investment account.
I still don’t know the full extent of my losses.
So far, my losses are primarily loss of billable time. I am not a litigious person, but I am also going to educate myself as to what ‘pain-and-suffering’ means. Both my personal and business bank accounts are ok. I now understand why banks do not use email addresses as the login id. The thief would not (easily) be able to align my email address with my bank login id.
Once through this, I plan to disassociate any portion of my login id from my name.
You haven't even tried to regain access to it? Instead of spending time on HN you might want to reach out to Coinbase.
This is an important point and one I've been thinking about for years. There's so much discussion about using password managers and good password practices and 2FA but almost no discussion on how using a single identifier to log into all these various services is in itself a huge security vulnerability. If we had different login usernames for each service, gaining access to people's accounts would be that much more difficult.
Email should be reserved for communications and not double as a means for authentication.
What happens if a legitimate customer's phone gets lost and they quickly transfer the number and reset their accounts?
I think they should do a video call verification.
SMS is very bad as a 2FA, in that someone can fairly easily social-engineer your phone company to send them a new SIM card for your account, and once it's in their phone, all your SMS messages go to them. They now have control of your "protected" account (and yeah, they have to get your password as well, but if you're a big enough target, it's worth it).
This is why getting rid of SMS entirely as a 2FA is seen as an improvement in security.
If they do require it, then I believe the consensus is that 2FA via SMS is a very bad choice. And since Google Authenticator (and other such apps) are free to download and use, it's not really a burden.
Experts know this (because it's obvious) but large companies like Google continue to insist on using it either because they like the data collection or because they're just covering their asses.
This is especially popular within Fintech.
Wise (formerly Transferwise) recently started requiring 2FA for signing in - SMS is the one and only option. Revolut requires it for acknowledging transactions and changing/viewing debit card info.
That legacy banks do this is expected, but I'm really concerned about this trend among newer global and big actors who otherwise present themselves as modern.
I strongly urge other users here to reach out to customer support of these companies and request them to supplement this with some other more secure means of 2FA, such as TOTP (hey, we gotta take what we can get), U2F, or Webauthn.
So, I would say quite the opposite to unstoppable.
For extra convenience, PSD2 also mandated a logout after 5 minutes of inactivity.
Some of the ideas behind PSD2 are great, but the outcome is about as good as the cookie directive.
Despite that, despite still having access to the email the account is on, I cannot recover the Microsoft account. Despite Microsoft notifying me that the account is still, years later to this day, being abused, I cannot use any form of recovery. I cannot access the account with help from support or even after visiting a brick-and-mortar store.
It's one big reason that I've long since refused to purchase anything more from Microsoft and have ditched Windows.
Good luck recovering your stuff.
This happened to me. I was briefly a contractor at MSFT and was able to escalate the issue -- after a few years, these accounts get automatically deleted. It's likely that your account is completely wiped and no longer exists.
If that's the case then why do I get emails notifying me that unusual sign-in activity is occurring? And, why am I unable to create a new account with the same email?
Protonmail is the best because it does not require a backup email or SMS, just the username and password, with 2FA being optional (but you must have the password), which is how it should be. So many people have gotten hacked through phones and/or recovery emails.
The irony is that my security is now worse. At least my password was randomly generated.
I'm not sure what there is to do about this, other than educating as broadly as we can and hope that engineers advocate in their own organizations to change this.
Open a case with customer service and represent it for what it is; a security hole that prevents you from using the service.
You also used to be unable to set up a U2F/FIDO 2FA without first setting up SMS 2FA (but you could delete the phone number from the account later). Not sure if that's still the case.
https://finance.yahoo.com/news/coinbase-hacked-accounts-get-...
So this indeed seems to be how Coinbase handles it.
The threat model is increasing for personal use as solely SMS based account recovery is becoming more widespread. The increase in crypto usage is another accelerant.
Good luck solving this unfortunate incident.
Please don't use cheap providers like Boost. I have done an audit and I found Sprint to be superior; however, they got merged with T-Mobile now. Sprint was the best provider that prevented most hijacks.
https://help.coinbase.com/en/coinbase/privacy-and-security/d...
Does anybody have any workarounds to this should it start happening to a few people?
For Vodafone India, in addition to traditional info (date of birth, passport number, address), they actually asked me to give the number of someone whom I've called with this SIM, then they called that person and asked them to verify my identity. I found this to be quite secure.
But maybe the procedure is different for foreigners (at least the SIM creation procedure is different).
I agree that SMS 2FA is not secure and a terrible idea. I've moved countries and my old mobile number has been given out to someone else. I don't even know what accounts I have might be tied to that phone number and I don't have any way to find out.
I have had friends message that person without knowing it as well. He could easily impersonate me on WhatsApp and fish for my personal info from those contacts.
Luckily, he seems to be a decent person but I not only have to trust this stranger to be honest, but also need to trust that the number stops at him or goes to another honest person if he drops it.
Phone numbers are not identity, and using them for verification of this sort is a horrible idea.
The barrier is higher than random automated port scans but the value of being able to get access to financial accounts is high enough to justify the investment.
I use authenticator apps wherever I can. Where I can’t, I use a completely private number for 2FA (I run a virtual number product that is like Google Voice for Australians to do so: http://www.benkophone.com)
* SMS authentication is not the same thing as 2FA, but people think that it is.
* SMS account recovery is convenient for the bad guys.
* The fact you got a welcome text from Metro PCS. If that was sent to your Boost device, someone from TMobile (they operate the networks that both Boost and Metro ride on) needs to take a look as that should not have been able to happen.
* In order to port a number you have to know the account security question's answer. Boost does have this. Was this bypassed?
It was a bit complex, but I eventually got Keepass to generate the TOTP codes which so far are pretty awesome.
I think it's a shame most banks (at least here in the UK) implemented 2 factor auth with sms only just to comply with "strong" auth regulations.
Authy on your phone or multiple U2F tokens are definitely better than SMS.
I wish computer manufacturers started including tokens with computers, so that at least people would start using them.
Bank says not my problem if your password got compromised. Cellphone provider says not my problem - SMS was never advertised/intended as secure.
So the user just has to deal with their bank account being drained.
The amount of 'splaining going on in this discussion helps illustrate the trouble. If SMS 2FA were actually fit for purpose it would not require so many internet defenders.
[0] https://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.htm...
Interesting, yet an attacker would have to spend some amount of money per attempt. Unless they are targeting high value individuals this does not seem a likely threat for the average person.
Other methods exist, such as SIM-jacking [2]. I wish the article included a list of phones that might be vulnerable to this attack. Are iPhones vulnerable?
And yet, while "free" this still requires a massive automated net to be deployed in order to gain some information and then socially engineer your way into gaining access to sites and services that might be of value.
I guess my question is: How common are these attacks? What's the scale of the activity? I have never heard of anyone in my immediate and even extended circles having any such issues. OK, I have indoctrinated most of my family into not clicking links in SMS messages and most of my extended circles are technically savvy. What does this look like in the general population?
[0] https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-1... [1] https://news.ycombinator.com/item?id=26468892 [2] https://medium.com/auedbaki/how-hackers-hack-phone-using-sms...
At the end, they acknowledged it was fraud. Additionally, they added guards on the account with an additional passcode and wording stating that a person must confirm with me specifically before anything like transferring services is done again.
It did however blow my mind that something like that could happen and if someone intended on getting access to my accounts, the situation could have been much worse.
Even if it's only a second factor today, what really prevents the company from allowing password resets one day? Nothing; I likely would not even notice it until it is too late.
I can own an email address, but I can never own a phone number. Nearly all contracts clearly state, in different wordings, that the number is not actually yours, and nothing prevents anyone from reclaiming the number and giving it to someone else.
It's stupid. And annoying.
SMS 2FA is okay, but SMS recovery is not okay and high risk.
It's also ideal to have obscure email addresses used for, say, Coinbase, so that the data dump they likely have, containing your email-to-phone-number mapping, points them to an email address not linked to Coinbase.
Payment is not done over SMS but separately through cash or Venmo, so it seems like the worst that could happen is a delivery gets nefariously ordered for someone who didn’t want it.
You get another number and you should be safe from sim swap attacks.
The problem is how to effectively store the secrets for recovery.
SMS 2FA is not for you.
They say it's for you (for your security or your protection or your ease of use or whatever) but that is a lie.
In cases where SMS 2FA is forced, to the exclusion of all other proofing mechanisms, it is generally because the provider has a brutally difficult spam/scam problem that is complicated to solve.
So, instead of solving their spam/scam problem, they just throw some sand in the gears (of their users) and very loosely attempt to piggyback on the physical phone / physical SIM / physical ID confluence that constitutes a "normal user".
This is, of course, a very leaky mapping and anyone determined can, of course, work right around this. But it does seem to lessen their (again, brutally difficult) spam/scam problem.
The most ironic deployment of this (desperate) technique is Twilio whose own numbers cannot be used for SMS 2FA auth[1] and yet they require a true, mobile (non-VOIP) number to use their own service.
[1] Twilio numbers are not mobile numbers. Most SMS 2FA is sent from "short codes" and short codes cannot SMS non-mobile ("voip") numbers.