Slashdot Mirror
Two-Factor Authentication Fail: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency (nytimes.com)
Reader Cludge shares an NYT report: Hackers have discovered that one of the most central elements of online security -- the mobile phone number -- is also one of the easiest to steal. In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim's phone number to a device under the control of the hackers. Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup -- as services like Google, Twitter and Facebook suggest. "My iPad restarted, my phone restarted and my computer restarted, and that's when I got the cold sweat and was like, 'O.K., this is really serious,'" said Chris Burniske, a virtual currency investor who lost control of his phone number late last year. A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission's own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658. But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr. Burniske. Within minutes of getting control of Mr. Burniske's phone, his attackers had changed the password on his virtual currency wallet and drained the contents -- some $150,000 at today's values. Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist (bold mine)
Why include this fella, really?
That is out of 1,000 victims or so...?
Why use SMS at all? It's best to use time based codes with an app like Google Authenticator. It's an open standard so other apps are available and it works with many services.
The only disadvantage is that you can't easily move it to another phone with the Google app, you basically have to generate new codes for all the services that use it.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
While I was out having dinner, Verizon called me three times to verify if I'd lost my phone. Each time I said no, the second time I was asked if I wanted to add a passcode and lock the account. I did. (It was Verizon, I checked later and they had the logs of all three calls to me, but I'm not sure if callers can spoof the Verizon internal caller ID)
Later that evening, I found myself locked out of my email accounts. I could see it happening in real time, but couldn't stop it. I called Verizon by landline and was told that they'd activated my spare iPhone after I dropped my phone in a pool. NO! I might have said a number of harsh words to them.
In the meantime, American Express had called my cell and emailed me to confirm a dodgy transaction, and the folks who had my phone number and email confirmed the transaction. By the time I called Amex, it was too late (although I ended up with no liability)
I tried to file a complaint with the local PD and was told "I don't have time for this" by the receptionist.
I see no part of the two factor scheme that failed. The title is misleading, at best.
This was password recovery/reset that was exploited, not the two factor auth. In fact, this sort of issue is PRECISELY why two factor should be used, because one of the factors may be compromised, and the account would still be secure. The auth still was secure, but the attackers exploited the weak password reset security - weakest link and all that.
I know that some sites only allow phone-based (i.e., SMS and.or voice) verification. But most of the big ones support things like U2F and TOTP. Why not use those instead?.
I always recommend TOTP to people since you can save the secret and store it in a safe or some other secure location if, for example, you ever lose your phone. Then you can simply load up the authenticator app (pick your favorite) and reload the secret. In fact, I can't think of a major on-line service that offers 2FA or MFA that doesn't offer TOTP support. Of course, there is also U2F and if you want to be really secure you can get something like a YubiKey and not even store the secrets directly on your device. With a phone/tablet that supports NFC you can just have the YubiKey close by or you could plug it into the USB port on your computer if that happens to be more convenient.
The point is that the pain threshold for SMS-based 2FA/MFA is the same as the pain threshold for a TOTP/U2F solution and the TOTP/U2F solution is demonstrably more secure.
Security experts have been warning about this and saying that two channel authentication (like text messages or emailing codes) is not true two factor authentication. For two factor authentication, it has to be tied directly to a device and the device cannot be changed without a enrollment process (for example, with Google Authenticator, where you see the code once and cannot retrieve it again). In this way, you either have to use a phishing mechanism to get the code or have physical access to the device. Getting access to the users phone number or email address does not allow you to get the code with two factor authentication because it is truly something you have (your device).
This seems like a bit of a problem with the method of two factor authentication. One factor should only ever possibly be in one place, on your phone in your hand. This works well with RSA tokens as the only way to use them is to be able to see the display. Not saying I have a solution but it doesn't seem right to be able to use the two factor authentication without the phone in your hand.
I have T-Mobile and have my account set to *require* in store identification to move phone number.
I tested it and so far they've not let me move my phone number away to my spare phone, replying only that "I'm sorry sir but your account is very specific that you must go into our store and provide proper identification and pin before you can move your number. I would be happy to provide you a temporary number until you can get to a retail location."
So, they could still rack up charges on my account with a temp number I suppose, but at least can't redirect my actual number.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
This is just the way security goes. Things get increasingly fragile when we're talking about targeted attacks. Most people still don't need to worry about this in generalized attacks seeking for massive ammounts of data, but for targeted attacks social engineering always seems to find a way to work around security schemes.
To the point, there is no failure on two factor here. There's a failure on mobile networks' security checks for highly sensitive operations like transfering a number to another device. It's taken lightly when it shouldn't.
But people have been talking about cases like these for a while now, recommending that instead of using SMS, you'd better use apps like Google Authenticator and whatnot, inside a locked down phone.
SMS is also vulnerable to interception, so there's also that. Apps like Google Authenticator are vulnerable only when someone gets hold of your phone unlocked, which SMS also is. But if someone hijacks your phone number alone and puts it into another device, they cannot replicate authenticator apps. It's tied to the device.