Maryland woman loses $17K in SIM card swap scam despite 2FA(wjla.com)
wjla.com
Maryland woman loses $17K in SIM card swap scam despite 2FA
https://wjla.com/features/i-team/scams-verizon-bank-of-america-two-factor-step-authentication-cell-phone-sim-card-swap-criminals-crime-hackers-money-iphone-5g-service
19 comments
One possibility: with an ETrade account you can get a Morgan Stanley checking account, and ETrade lets you use the Symantec VIP app as an authenticator.
2FA authentication via SMS is the most insecure option to ever exist. It is 2024 and it is still unbelievable that this dreadful option is still used waiting for users to lose their money.
Who still thinks continuing to use SMS 2FA in a banking website / app is a good idea? (Hint: It isn't)
Who still thinks continuing to use SMS 2FA in a banking website / app is a good idea? (Hint: It isn't)
Can anyone explain why SIM swapping works? Do telecom companies in US allow you to buy a new SIM without a government issued ID?
You pay one of the minimum wage support staff working for the telephone company a hundred bucks to do it.
That's literally it. Inside man.
That's literally it. Inside man.
A lot of times, there's suspected, or known, inside actors who enable the process.
“Despite 2FA” is the wrong way for the article to describe it. The sim swap was specifically done to get around text-message-based 2FA.
Everybody should lock their SIMs. But the real problem is the reliance on SMS “authentication”
Everybody should lock their SIMs. But the real problem is the reliance on SMS “authentication”
Well, she thought she'd set up 2FA and she was told she'd set up 2FA.
Yes, I didn't mean to criticize the victim so thank you for pointing that out!
She did everything she was told to do and so unsurprising is shocked at what happened.
The tragedy is that nobody is calling out the vacuity of using a text message as an authenticator. Hell, even the MIT alumni association does this and they should definitely know better!
It's going to take someone serious, like the FTC, to force a change in this lazy and dangerously ineffective approach. But TBH I fear that the alternatives that might work for the bulk of the population (who, after all, have other things to do with their lives than become computer security experts) will just move do a different, and equally dangerous point in the option space. Its not like most people can manage a password manager, much less its dynamic key features.
For example choosing a very large third party (like "log in with google"/Apple/Facebook and so on) just allows a different kind of attack to lock you out of everything, likely with no recourse.
She did everything she was told to do and so unsurprising is shocked at what happened.
The tragedy is that nobody is calling out the vacuity of using a text message as an authenticator. Hell, even the MIT alumni association does this and they should definitely know better!
It's going to take someone serious, like the FTC, to force a change in this lazy and dangerously ineffective approach. But TBH I fear that the alternatives that might work for the bulk of the population (who, after all, have other things to do with their lives than become computer security experts) will just move do a different, and equally dangerous point in the option space. Its not like most people can manage a password manager, much less its dynamic key features.
For example choosing a very large third party (like "log in with google"/Apple/Facebook and so on) just allows a different kind of attack to lock you out of everything, likely with no recourse.
Good points.
I'm struggling to come up with a better second factor for "normal people".
* Email: good if it is different than your login identifier and not tied to something ephemeral like work or school. But how many folks have two email accounts they regularly check.
* Passkeys: tied to a single device, so you need multiple devices. Or you can trust a bigco to sync private keys (!) across devices.
* Social sign-on: has the issues you point out, primarily that it is a single point of failure and the company providing the service doesn't do customer support (typically).
* Paper mail: latency is too high.
* Phone call: subject to same SIM card issues as SMS.
* Questions about identity, such as mother's maiden name: hard to find ones that are secure/private but can be accessed at scale only by "good" actors.
TOTP: hard to get normal folks to adopt.
What am I missing? Am I reluctantly forced to conclude that SMS is better than, or at least on par with, the alternatives?
I'm struggling to come up with a better second factor for "normal people".
* Email: good if it is different than your login identifier and not tied to something ephemeral like work or school. But how many folks have two email accounts they regularly check.
* Passkeys: tied to a single device, so you need multiple devices. Or you can trust a bigco to sync private keys (!) across devices.
* Social sign-on: has the issues you point out, primarily that it is a single point of failure and the company providing the service doesn't do customer support (typically).
* Paper mail: latency is too high.
* Phone call: subject to same SIM card issues as SMS.
* Questions about identity, such as mother's maiden name: hard to find ones that are secure/private but can be accessed at scale only by "good" actors.
TOTP: hard to get normal folks to adopt.
What am I missing? Am I reluctantly forced to conclude that SMS is better than, or at least on par with, the alternatives?
> TOTP
Cannot count the number of times I have fomatted my phone and had to beg support teams for access to my accounts. I like to use custom ROMs and I cannot afford another phone just for TOTPs. I hate TOTPs. so much.
Cannot count the number of times I have fomatted my phone and had to beg support teams for access to my accounts. I like to use custom ROMs and I cannot afford another phone just for TOTPs. I hate TOTPs. so much.
There are three more I have to use:
4x4 matrix: you are challenged with letter/number for row/column and must respond with the matrix entry. Not much better than totp; try to find it on your phone.
photo array: given an array of challenge photographs, select the one you know is your secret photo.
not-so-secret Q&A: what is your mother's maiden name? Name of your first car? Your second wife's third brother's cousin's name?
4x4 matrix: you are challenged with letter/number for row/column and must respond with the matrix entry. Not much better than totp; try to find it on your phone.
photo array: given an array of challenge photographs, select the one you know is your secret photo.
not-so-secret Q&A: what is your mother's maiden name? Name of your first car? Your second wife's third brother's cousin's name?
Thanks for sharing these. Is the 4x4 matrix a shared secret you get at registration?
I've definitely seen photo array as an additional factor in a 3 factor setup, never as the second factor.
I've definitely seen photo array as an additional factor in a 3 factor setup, never as the second factor.
Asked on a slack and someone mentioned push notifications, which is a good option if your company has an application that someone would want to download. Not always possible for consumer apps (no thanks Chipotle, I don't want your app) but for some cases like banks it makes sense.
TOTP is a great concept, except for trying to obtain the hash algorithm and secret key associated with the QR-based registration so that one can equally sync it across multiple devices/laptops/cellphones/desktop-PCs.
> The tragedy is that nobody is calling out the vacuity of using a text message as an authenticator.
In Australia the federal government requires 2FA using SMS in order to sign in to government services.
Yep, it's as brain damaged as that sounds.
And yep, the exact same government is trying to centralise even more data and hook it up into this system.
They literally do not listen to anyone, and just do whatever the hell they want. :(
In Australia the federal government requires 2FA using SMS in order to sign in to government services.
Yep, it's as brain damaged as that sounds.
And yep, the exact same government is trying to centralise even more data and hook it up into this system.
They literally do not listen to anyone, and just do whatever the hell they want. :(
Use hardware tokens!!!!
I'm sorry but which bank uses non-SMS 2FA in the US?? I've been waiting for nearly a decade