HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Maryland woman loses $17K in SIM card swap scam despite 2FA(wjla.com)

14 points·by mooreds·vor 2 Jahren·19 comments
wjla.com
Maryland woman loses $17K in SIM card swap scam despite 2FA

https://wjla.com/features/i-team/scams-verizon-bank-of-america-two-factor-step-authentication-cell-phone-sim-card-swap-criminals-crime-hackers-money-iphone-5g-service

19 comments

travisporter·vor 2 Jahren
"Here are some tips to help you avoid being a victim of a sim card swap: Use authenticator apps, hardware tokens, or your fingerprint or face scans"

I'm sorry but which bank uses non-SMS 2FA in the US?? I've been waiting for nearly a decade
therealcamino·vor 2 Jahren
One possibility: with an ETrade account you can get a Morgan Stanley checking account, and ETrade lets you use the Symantec VIP app as an authenticator.
rvz·vor 2 Jahren
2FA authentication via SMS is the most insecure option to ever exist. It is 2024 and it is still unbelievable that this dreadful option is still used waiting for users to lose their money.

Who still thinks continuing to use SMS 2FA in a banking website / app is a good idea? (Hint: It isn't)
phyphy·vor 2 Jahren
Can anyone explain why SIM swapping works? Do telecom companies in US allow you to buy a new SIM without a government issued ID?
valdiorn·vor 2 Jahren
You pay one of the minimum wage support staff working for the telephone company a hundred bucks to do it.

That's literally it. Inside man.
FireBeyond·vor 2 Jahren
A lot of times, there's suspected, or known, inside actors who enable the process.
gumby·vor 2 Jahren
“Despite 2FA” is the wrong way for the article to describe it. The sim swap was specifically done to get around text-message-based 2FA.

Everybody should lock their SIMs. But the real problem is the reliance on SMS “authentication”
mooreds·vor 2 Jahren
Well, she thought she'd set up 2FA and she was told she'd set up 2FA.
gumby·vor 2 Jahren
Yes, I didn't mean to criticize the victim so thank you for pointing that out!

She did everything she was told to do and so unsurprising is shocked at what happened.

The tragedy is that nobody is calling out the vacuity of using a text message as an authenticator. Hell, even the MIT alumni association does this and they should definitely know better!

It's going to take someone serious, like the FTC, to force a change in this lazy and dangerously ineffective approach. But TBH I fear that the alternatives that might work for the bulk of the population (who, after all, have other things to do with their lives than become computer security experts) will just move do a different, and equally dangerous point in the option space. Its not like most people can manage a password manager, much less its dynamic key features.

For example choosing a very large third party (like "log in with google"/Apple/Facebook and so on) just allows a different kind of attack to lock you out of everything, likely with no recourse.
mooreds·vor 2 Jahren
Good points.

I'm struggling to come up with a better second factor for "normal people".

* Email: good if it is different than your login identifier and not tied to something ephemeral like work or school. But how many folks have two email accounts they regularly check.

* Passkeys: tied to a single device, so you need multiple devices. Or you can trust a bigco to sync private keys (!) across devices.

* Social sign-on: has the issues you point out, primarily that it is a single point of failure and the company providing the service doesn't do customer support (typically).

* Paper mail: latency is too high.

* Phone call: subject to same SIM card issues as SMS.

* Questions about identity, such as mother's maiden name: hard to find ones that are secure/private but can be accessed at scale only by "good" actors.

TOTP: hard to get normal folks to adopt.

What am I missing? Am I reluctantly forced to conclude that SMS is better than, or at least on par with, the alternatives?
phyphy·vor 2 Jahren
> TOTP

Cannot count the number of times I have fomatted my phone and had to beg support teams for access to my accounts. I like to use custom ROMs and I cannot afford another phone just for TOTPs. I hate TOTPs. so much.
gumby·vor 2 Jahren
My password manager mamages the TOPS keys along with the other protected data.
mooreds·vor 2 Jahren
Which, frankly, would scare me. Unless you know how it is implemented under the hood, you have combined factors.
j_not_j·vor 2 Jahren
There are three more I have to use:

4x4 matrix: you are challenged with letter/number for row/column and must respond with the matrix entry. Not much better than totp; try to find it on your phone.

photo array: given an array of challenge photographs, select the one you know is your secret photo.

not-so-secret Q&A: what is your mother's maiden name? Name of your first car? Your second wife's third brother's cousin's name?
mooreds·vor 2 Jahren
Thanks for sharing these. Is the 4x4 matrix a shared secret you get at registration?

I've definitely seen photo array as an additional factor in a 3 factor setup, never as the second factor.
mooreds·vor 2 Jahren
Asked on a slack and someone mentioned push notifications, which is a good option if your company has an application that someone would want to download. Not always possible for consumer apps (no thanks Chipotle, I don't want your app) but for some cases like banks it makes sense.
egberts1·vor 2 Jahren
TOTP is a great concept, except for trying to obtain the hash algorithm and secret key associated with the QR-based registration so that one can equally sync it across multiple devices/laptops/cellphones/desktop-PCs.
justinclift·vor 2 Jahren
> The tragedy is that nobody is calling out the vacuity of using a text message as an authenticator.

In Australia the federal government requires 2FA using SMS in order to sign in to government services.

Yep, it's as brain damaged as that sounds.

And yep, the exact same government is trying to centralise even more data and hook it up into this system.

They literally do not listen to anyone, and just do whatever the hell they want. :(
jwsteigerwalt·vor 2 Jahren
Use hardware tokens!!!!