The bottom line is you're still stuck on T-Mobile's infrastructure, which is a mishmash of old Oracle databases and insecure defaults, and has a history of being breached.
Heck, up until the last year or two you could go to TracFone or any of their subsidiaries' websites to refill/top up, type in a phone number on AT&T, Verizon or T-Mobile and get the IMEI and SIM number of the line, then use that to authenticate yourself as the end user with T-Mobile. The other details like name, address, birth date and such are publicly available in state voter rolls for the vast majority of account holders.
US carriers need to provide fraud prevention APIs for free that indicate whether a phone number has changed SIM card or IMEI # in the last week, and they also need to provide free access to their LRN databases so you can see if the carrier of a phone number has changed (e.g., a port-out attack).
As is, some banks have implemented the LRN query check already to deregister you from Zelle and phone number authentication when you call or text them for banking, but this significant cost burden due to phone provider insecurity should be borne by the industry creating the security problem.
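
Added example, not part of the original comment: a sketch of the bank-side check described above, which compares a line's current LRN and recent SIM/IMEI changes against what was recorded at enrollment before trusting phone-number authentication. The `LineSnapshot` lookup result, the action names, the policy and all sample values are assumptions constructed for illustration, and any LRN change is treated as a possible port-out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

WINDOW = timedelta(days=7)  # "in the last week", as in the comment above

@dataclass
class Enrollment:            # what the bank stored when phone auth was set up
    lrn: str                 # routing number (LRN) serving the line at that time
    enrolled_at: datetime

@dataclass
class LineSnapshot:          # hypothetical carrier lookup result (assumed shape)
    lrn: str
    sim_changed_at: Optional[datetime] = None
    imei_changed_at: Optional[datetime] = None

def assess(enr: Enrollment, cur: Optional[LineSnapshot],
           now: datetime) -> Tuple[str, List[str]]:
    """Return (action, findings); the action policy is an assumption."""
    if cur is None:                       # lookup failed: do not fail open
        return "step_up", ["lookup_unavailable"]
    findings = []
    if cur.lrn != enr.lrn:                # number now routes elsewhere (port-out)
        findings.append("lrn_changed")
    for name, ts in (("sim_changed", cur.sim_changed_at),
                     ("imei_changed", cur.imei_changed_at)):
        # Ignore changes that predate enrollment: the customer enrolled
        # with that SIM/handset already in place.
        if ts and ts > enr.enrolled_at and now - ts <= WINDOW:
            findings.append(name)
    if "lrn_changed" in findings or "sim_changed" in findings:
        return "deregister", findings     # drop phone-number auth, re-verify
    if findings:
        return "step_up", findings        # new handset alone: ask for more proof
    return "allow", findings

if __name__ == "__main__":
    now = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)   # constructed data
    enr = Enrollment("2065550100", datetime(2023, 1, 1, tzinfo=timezone.utc))
    swapped = LineSnapshot("2065550100", sim_changed_at=now - timedelta(days=2))
    ported = LineSnapshot("4255550199")
    for snap in (LineSnapshot("2065550100"), swapped, ported, None):
        print(assess(enr, snap, now))
```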