undefined | Better HN

0 pointsrsync4y ago0 comments

That is what a “2FA mule” is for.

I have two - both on MVNOs, not in my name, and sitting in my office doing nothing but relaying sms to email:

https://news.ycombinator.com/item?id=28251107

0 comments

2 comments · 1 top-level

buran774y ago· 1 in thread

If you need it one time for registration while staying anonymous using a burner SIM will work just fine. This way you anonimously create the account and then keep your location hidden using Tor. Authorities may even know who you are but will be unable to locate you.

But the mule only gives you some extra functionality, resilience, and is like having an email address just for spam or a home VPN endpoint. It gives you very little in terms of anonimity, which is why you'd go to Tor anyway. It's still in your proximity even if it's not in your name so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule. And you forward to your own mail server which again does little to hide anything. That's a long traceable chain that can be compromised or at least broken (to force you out) at every link.

This is great to make sure companies don't sell your phone number or use it to create some social graph, and to access your accounts independent of your normal phone. But if you're looking to hide your identity or location from your service provider and the authorities then it's barely a speedbump.

rsyncOP4y ago

Let me explain both my threat model and my use-case.

My threat model is not state level actors or law enforcement. My threat model is simply individuals working at providers I use that get curious and go hunting for my traffic. So, for instance, someone that works at my ISP or for my cellular provider or (github/twilio/twitter).

I don't want these private actors to see my name or my phone number. However, VOIP numbers are typically blocked by providers for purposes of authentication and security because they need you to "burn" an actual SIM card number just to incur costs on you. This is their blunt response to a rather difficult spam/scam problem that would just explode if no costs were involved.

...

My use-case is that I don't want to carry around three phones everywhere I go and eSIMs don't work for these functions (again, their numbers are often discriminated against). I also don't want a single SIM card to correlate across multiple providers - that is why I have three (one personal SIM (not in my name) and two "mule" SIMs).

...

"It's still in your proximity even if it's not in your name so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule."

No, they are rarely in my proximity. In fact, at this moment they are 12000 miles away from me. I keep them at my office and might move them to a datacenter ... but only if I can convert them from a phone form factor to a rpi-with-cellular-hat form factor ... or maybe ssh into the phone ?

Well, remember - their interactions with these 2FA Mules are SMS only - there is no IP/network connection made here. So the providers, at least, don't have an IP address to look up. Also, in case it is not obvious, I fully control my entire mail and dns infrastructure - as in, I own the machines and rent the racks.

j / k navigate · click thread line to collapse