Your phone, SMS, telcos, and your security/identity

ahofer · Mar 20, 2023

I read this with some fear, some recognition:

My $340k Hack

On Monday, April 4, 2022, a hacker stole $340,000 worth of crypto from my 401k’s Kraken account. Below is a post-mortem in that, hopefully...

falkenblog.blogspot.com

It’s just too easy for a mobile telco employee to port a number to a new SIM. I also resent how banks and other important on-line vendors insist on taking you back to SMS (even after you 2FA with something better). SMS is not a good way to manage security, and just undoes what I had hoped to achieve with real 2FA systems. Everyone’s savings are at risk to this sort of hack. In this case it was crypto, but this could just as easily have gone to a bank, and you’d have only their pattern AI holding the activity, which usually results in…a text message.

Be careful out there. If anyone has a way they think gets around this without becoming a cyber-monk, I’m all ears.

UPDATE: My son, a true cyber-monk, “the attack surface on telcos is just incredible”

MaxwellsEq · Mar 20, 2023

If you are using a device as your 2FA responder, or the destination for text-based authentication, don't install banking apps or do banking on it in a web-browser, to maximise the separation.

ahofer · Mar 20, 2023

MaxwellsEq said:
If you are using a device as your 2FA responder, or the destination for text-based authentication, don't install banking apps or do banking on it in a web-browser, to maximise the separation.

It seems to me that wouldn't have helped. The bank would allow you to recover your account based on a text message to your phone. Anyone with the ability to receive your texts could execute in your bank account by any means.

In the scenario in the OP, they didn't have his *phone*, they stole his *phone number*.

antcollinet · Mar 20, 2023

Have I just learned that google password manager USES YOUR RESETTABLE GOOGLE ACCOUNT PASSWORD TO DECRYPT YOUR PASSWORDS?

That is *incredibly* stupid - and a good reason for NO-ONE to use google password manager.

ahofer · Mar 20, 2023

Everyone should use proper 2FA on their financial accounts and their primary email. What's annoying about this story is how the stupid telco and company policies effectively defeat this common sense technique.

One independent password manager was already hacked. True, the passwords were encrypted, but if the companies are going to give away your identity, that doesn't matter. All you need is the phone number and the roadmap they already have. Changing your password, moving to another password manager, makes no difference.

ahofer · Mar 20, 2023

tonycollinet said:
Have I just learned that google password manager USES YOUR GOOGLE ACCOUNT PASSWORD TO DECRYPT YOUR PASSWORDS?

That is *incredibly* stupid - and a good reason for NO-ONE to use google password manager.

Lastpass, Dashlane, and Onepass all do this as well. Although in that case, it isn't your email password - unless you set them the same.

antcollinet · Mar 20, 2023

ahofer said:
Lastpass, Dashlane, and Onepass all do this as well. Although in that case, it isn't your email password - unless you set them the same.

The difference - there is no password recovery reset mechanism. (At least on last pass (which I no longer use), and bitwarden (which I do) ).

My password is known only to me. If I forget it/lose it, then I lose all my passwords also. There is no recovery possible. My passwords are only ever decrypted locally on my machine - only the encrypted form is transmitted/held over the net. So no matter what info of mine is stolen, my passwords cannot be decrypted excapt via brute force which currently will take centuries. Unless someone develops a mind hack.

ahofer · Mar 20, 2023

tonycollinet said:
The difference - there is no password recovery reset mechanism. (At least on last pass (which I no longer use), and bitwarden (which I do) ).

My password is known only to me. If I forget it/lose it, then I lose all my passwords also. There is no recovery possible. My passwords are only ever decrypted locally on my machine - only the encrypted form is transmetted/held over the net. So no matter what info of mine is stolen, my passwords cannot be decrypted excapt via brute force which currently will take centuries. Unless someone develops a mind hack.

True, but if they steal your phone number, they don't need to decrypt anything. They just get on your bank website and say they've lost the password, the bank sends an SMS to verify and...now they can just change it. It helps if they've already gained access to your email, but may not be necessary depending on bank policy. This is what I mean by company policies defeating our security measures for us.

Incidentally, 1pass encrypts the entire vault as a blob, so if their server is hacked, the hackers don't even get the roadmap to where you bank, etc. 1Pass also stores part of your key locally on your device (which is copied by QR code from one device to another, never on their server).

antcollinet · Mar 20, 2023

ahofer said:
True, but if they steal your phone number, they don't need to decrypt anything. They just get on your bank website and say they've lost the password, the bank sends an SMS to verify and...now they can just change it. It helps if they've already gained access to your email, but may not be necessary depending on bank policy. This is what I mean by company policies defeating our security measures for us.

Incidentally, 1pass encrypts the entire vault as a blob, so if their server is hacked, the hackers don't even get the roadmap to where you bank, etc. 1Pass also stores part of your key locally on your device (which is copied by QR code from one device to another, never on their server).

My bank doesn't use SMS verification either.

ahofer · Mar 20, 2023

tonycollinet said:
My bank doesn't use SMS verification either.

Which one is that? I know that Citi, First Republic, and BofA all use it.

antcollinet · Mar 20, 2023

ahofer said:
Which one is that? I know that Citi, First Republic, and BofA all use it.

A UK Bank. I'm not going to name it in public. But I think most are more switched on over here. Security is via a biometrically enabled app locked to the phone (not the number), and if I lock myself out of that I have to phone up, give my phone based security info, and they use voice biometrics also. If that fails they resort to snail mail.

ahofer · Mar 20, 2023

tonycollinet said:
A UK Bank. I'm not going to name it in public. But I think most are more switched on over here. Security is via a biometrically enabled app locked to the phone (not the number), and if I lock myself out of that I have to phone up, give my phone based security info, and they use voice biometrics also. If that fails they resort to snail mail.

Ah!. Well I suspect the telco rules may be different outside the US as well.

Your phone, SMS, telcos, and your security/identity

ahofer

Master Contributor

My $340k Hack

MaxwellsEq

Major Contributor

ahofer

Master Contributor

antcollinet

Master Contributor

ahofer

Master Contributor

ahofer

Master Contributor

antcollinet

Master Contributor

ahofer

Master Contributor

antcollinet

Master Contributor

ahofer

Master Contributor

antcollinet

Master Contributor

ahofer

Master Contributor