[HN Gopher] PayPal and Venmo are still letting SIM swappers hija...
       ___________________________________________________________________
        
       PayPal and Venmo are still letting SIM swappers hijack accounts
        
       Author : danso
       Score  : 158 points
       Date   : 2020-04-06 14:34 UTC (8 hours ago)
        
 (HTM) web link (www.vice.com)
        
       | mikece wrote:
       | It is annoying that some of these companies refuse to allow me to
       | use a Twilio number when they insist on using SMS as 2FA. If they
       | are going to insist on the weakest possible form of 2FA and
       | INSIST that I use a number which is subject to SIM hijacking, how
       | are they not liable through negligence?
        
       | dheera wrote:
       | 2FA should never be SMS based. I've deprecated SMS for all
       | communications and block all SMS messages to my phone.
       | 
       | I use a virtual number for all such services that demand an
       | idiotic SMS verification code. I won't state which one I use
       | here, but there are several services you can choose from that
       | provide virtual numbers.
        
       | tpmx wrote:
       | There should be a well-known website with a neat domain name that
       | lists well-known companies that allow this to continue to happen.
        
       | maallooc wrote:
       | My account was abused because of a SIM swap. It was banned. I
       | explained to them that I did not do it. They won't budge.
       | 
       | We need to require tech companies to have proper customer
       | support. We need to make a regulation that enables users to
       | appeal or sue over tech companies' decisions about their
       | accounts. No more 'fix through hacker news submission or reply'
       | please.
        
         | toomuchtodo wrote:
         | The term you're looking for is an "Ombudsman".
         | 
         | https://en.wikipedia.org/wiki/Ombudsman
        
           | TheChaplain wrote:
           | It's a great idea as long as they have teeth to make shady
           | businesses fear them.
        
         | eqtn wrote:
         | We just need a law stating that if a website crosses a certain
         | number of active (registered) users in a country, they should
         | have physical customer care offices. When they reach 10m, they
         | should have one in every district (just like phone service
         | centers). It's nice to think about this, although these
         | companies are rich and can lobby against these kinds of laws.
        
           | valuearb wrote:
           | Yep, because more laws solve every problem without unintended
           | side effects!
           | 
           | Or, just hear me out, you could stop using services that
           | don't meet your high customer support standards?
        
             | __s wrote:
             | Their suggestion is a bit far reaching, but their point is
             | that eventually the user count of a service reaches a point
             | where due to network effects individuals aren't able to
             | effectively shop around
        
               | adjkant wrote:
               | Agreed completely. I think it's quite easy to imagine
               | that a virtual version of this law could be enacted to
               | require that they actually deal with these situations in
               | a timely manner.
        
             | Eldt wrote:
             | So what, keep trying different services and getting burned
             | until... eventually... you don't get burned?
        
               | stronglikedan wrote:
               | > and getting burned until... eventually...
               | 
               |  _you have nothing left to burn_
        
             | RHSeeger wrote:
             | I'm not entirely sure that not allowing them to just close
             | your account, never talk to you again, and walk away with
             | your money is "high customer support standards".
        
           | cortesoft wrote:
           | Every district? I think you underestimate how big a country
           | like the United States is, and how few 10 million users are
           | for web sites. Facebook has one of the highest revenue per
           | user at $7 a year... so 10 million users would get them about
           | $70 million in revenue a year.. take a phone company like
           | Verizon... they have 2300 stores in the US.... if our
           | hypothetical web company opened up 2300 stores, they would
           | only have $30k per store... and that is just revenue, not
           | taking into account any other expenses.
           | 
           | If they had zero other expenses and just ran the offices,
           | they wouldn't even be able to hire one worker for each
           | store....
        
         | AnthonyMouse wrote:
         | Paypal is less of a tech company and more of a finance company.
         | 
         | This kind of behavior is caused by rules that put the cost of
         | fraud on the payment processor rather than the customer, even
         | though the payment processor's primary tools to prevent it
         | basically involve locking the customer's account based on vague
         | suspicion and hearsay.
         | 
         | When someone has stolen your identity, there isn't really
         | anything you can tell someone to prove you're you. Having your
         | password or SSN or access to your email or the answers to your
         | security questions tell them nothing. The perpetrator could
         | have those things. Your account may have been created by the
         | perpetrator to begin with and the person whose name is on it
         | has never even used their service. How are they supposed to
         | tell? Even if you're you, the perpetrator may still have access
         | to whatever method was used to access your account to begin
         | with and if they turned it back on there would be more fraud
         | (which causes the payment processor to lose money instead of
         | you). So your account is locked forever and you can pound sand.
         | 
         | The alternative to people getting locked out of their accounts
         | is having accounts without reversible transactions. You don't
         | want this for your brokerage account, but you do want it for
         | the account you're using to buy things with petty cash. Because
         | then the account never has more than $1000 in it to begin with,
         | which limits your losses to that amount, but then the payment
         | processor doesn't have any incentive to ban your account
         | because the losses are yours. If you're careless and reuse
         | passwords, you might lose the $1000, but you don't get banned
         | forever from making financial transactions. Then you learn your
         | lesson and do better next time.
         | 
         | That would also result in lower transaction fees, because most
         | of the transaction fees go to paying the cost of fraud
         | protection. And it would reintroduce the incentive to prevent
         | fraud to the people best situated to do that ( _stop reusing
         | passwords, people_ ), so there would also be less fraud, which
         | is better for everybody.
        
           | zxcvbn4038 wrote:
           | PayPal is the worst - a couple days ago they disabled my
           | password (including both 2FAs) and sent me an e-mail asking
           | me to reset it. The only way to reset it is via SMS which I
           | don't do. I'm locked out of my account now and also support
           | now since the only way to contact them is by logging in. I'm
           | hoping Synchrony has an in with them because I have balances
           | on PayPal MasterCard and PayPal line of credit that can only
           | be accessed by logging in.
        
             | dangus wrote:
             | 1-888-221-1161
        
             | AnthonyMouse wrote:
             | It's really the same problem. As soon as they suspect your
             | account could be compromised, they can't trust your
             | authentication methods anymore and the risk calculation
             | favors losing your business over reactivating your account
             | and then having fraud losses on it. It's a math problem,
             | not a customer service problem.
             | 
             | Granted it's obviously bullshit if they try to keep the
             | money when your account had a positive balance.
        
           | mycall wrote:
           | This is why I think we should have public keys we choose on
           | our government IDs. Then we can prove who we are.
        
             | 9HZZRfNlpR wrote:
             | Plenty of countries already do, but at least judging from
             | reading about America on HN it's much more difficult to do
             | anything like that in America because of distrust in
             | government. You even vote without ID, which is extremely
             | weird for the rest of the world.
        
       | tpmx wrote:
       | > Paypal
       | 
       | So my instinctual habit of adding and then deleting my credit
       | card details whenever I need to do a Paypal payment was correct,
       | after all...
        
       | caymanjim wrote:
       | While SIM swapping is certainly a concern, this article makes it
       | sound like it's universally bad to rely on phones as a form of
       | authorization. What are the alternatives? I'd argue that email is
       | far riskier; it's more commonly compromised, easier to
       | compromise, and less visible when compromised. Ideally, users
       | employ more secure 2FA methods like TOTP apps or dongles, but
       | it's like pulling teeth to get anyone to adopt those. Relying on
       | SMS in addition to email is better than relying on either one in
       | isolation. I don't think I agree that Google Voice numbers are
       | necessarily harder to hijack, because to do that they just need
       | access to your Google login (typically your email credentials).
       | 
       | There are risks all around, but this article doesn't offer any
       | good solution that customers are likely to adopt in meaningful
       | numbers. Maybe PayPal and other companies should require people
       | to use secure 2FA, but they'd lose too much business.
        
         | valuearb wrote:
         | Authentication apps.
        
         | jjoonathan wrote:
         | U2F can't spread fast enough. For about a year or so it's been
         | good enough that almost all U2F keys Just Work on all major
         | browsers / platforms without installation or tweaks. That's
         | huge, and it's actually a relatively recent state of affairs. I
         | believe Firefox defaulted it to enabled ~1 year ago.
         | 
         | The next big hurdles are getting support from e.g. banks,
         | getting keys into people's hands, and getting people familiar
         | with them. Those efforts are underway in the corporate world
         | and I am optimistic that they will cross-pollinate well into
         | personal security. HN-ers are well positioned to help with all
         | of these steps.
         | 
         | People already accept that they should lock their front doors
         | and their cars with keys. Most people already lug a keychain
         | around. I don't think it will be steady-state problematic to
         | convince people to secure their bank accounts and email with
         | keys. Example: my parents. I expected it to be difficult to
         | convince them that they should use a U2F key to secure their
         | gmail. It wasn't. Their response was more along the lines "of
         | course we should use keys, why weren't we doing this before?"
         | They don't know anything about crypto, but they get the
         | metaphor, and since it gives them a clear path to action, they
         | are willing to engage with it. The answer to why we weren't
         | doing it before is that the previous implementations were a
         | PITA in a way that U2F isn't (TOTP was slow and fiddly, ISO7816
         | required non-portable setup), but now that we have U2F, I think
         | people will be more willing than many here expect.
         | 
         | If we can channel the fear of SIM swaps into U2F adoption, I
         | think it actually stands a chance.
        
         | rabuse wrote:
         | TOTP apps are fine, if they're properly implemented (either
         | completely on-device, or properly encrypted before being stored
         | in the cloud). Services should properly implement account
         | restoration codes in case access to the TOTP secret is lost.
         | SMS should never be used for 2FA, ever.
        
           | WorldMaker wrote:
           | There are some apps that if my TOTP secret is lost, as
           | horrifyingly annoying as it would be, I'd much rather need to
           | take the time to get a registered public notary to stamp that
           | they saw me in person, and checked my ID or other such
           | documents, before the account recovery process can begin.
           | 
           | The "old ways" are usefully slow, have protections built
           | around them for centuries of our culture, and I'd rather the
           | annoying administrative headache and "slow" over the quick
           | abuse of account recovery systems for theft and fraud.
        
         | Mirioron wrote:
         | Email might get compromised more often, but that's usually due
         | to some kind of user error. The problem with these sim swapping
         | attacks is that the only way as a user to guard against this is
         | not to give the company your phone number. This often means
         | that you can't do 2FA.
        
         | Skunkleton wrote:
         | I think the ultimate problem here is that the average person
         | has no hardened mechanism for authentication. Using the
         | infrastructure we have today, a combination of passwords and
         | OTPs is better than other consumer-accessible alternatives.
         | 
         | Ultimately we need some mechanism for trusting and
         | administering identity that is low friction and which can be
         | used by 99.9% of users. The government offering a `login with
         | apple id` like service would make sense. Then they could
         | qualify various security chips, like the T2 or a YubiKey for
         | use with the service. As an added benefit, we could stop using
         | stupid things like SSNs, tax ids, and drivers license id
         | numbers to prove identity.
         | 
         | Eventually we could do interesting things like abstracting
         | mailing addresses. Instead of mailing a package to my street
         | address, send it instead to "me", and then I can authorize
         | USPS, UPS, FedEx, or whoever requests it to look up my real
         | address when they are sorting and delivering mail. When I move,
         | I just update the _one_ database with my new address and I am
         | done.
         | 
         | There are some obvious concerns with the government acting as a
         | clearing house for identity. Perhaps the better option would be
         | for private companies to be able to implement some sort of
         | standard API, and limit the government's involvement to
         | auditing these services.
        
       | ppf wrote:
       | Oddly enough, today I finally had to give my mobile number to
       | paypal - apparently due to incoming EU PSD2 regulations. I was
       | also automatically signed up to paypal "one touch", where my
       | device is now able to make transactions with no need for a
       | password. Another thing I have to turn off.
        
       | zxcvbn4038 wrote:
       | CapitalOne is even worse - they locked me out of their app today
       | and asked to send an SMS code - and they let you pick which
       | number to send it to on the spot. Good one, fellas. What is the
       | point of having Touch ID and their dumb Swift ID stuff set up if
       | they keep doing dumb stuff like this?
        
         | RJIb8RBYxzAMX9u wrote:
         | Google does this too when you sign in from "unknown" locations,
         | if you don't have 2FA configured. I think the purpose is to
         | slow down bots. If you try reusing the same number in quick
         | succession on different accounts, Google won't let you.
         | 
         | I'm so glad I'm out of the family tech support "business"; if
         | only firing real customers were so easy...
        
           | GordonS wrote:
           | For me, it shows a short list of phone number endings, and
           | you have to pick the right one. It's far from perfect, but it
           | doesn't just let me enter any number I want.
        
           | ladberg wrote:
           | This really bugs me. I have throwaway Google accounts that I
           | don't want to add my phone number to, so I can only access
           | them from the location I created them.
        
             | markdown wrote:
             | How do you even create a Google account without a phone
             | number?
        
               | ladberg wrote:
               | I made the account a while ago and it let me. I guess
               | they don't let you anymore, though.
        
             | RJIb8RBYxzAMX9u wrote:
             | Enabling 2FA should stop this from happening. Adding TOTP
             | as your 2nd factor would require adding a recovery number,
             | but maybe you can remove it after. I have accounts that have
             | TOTP 2FA w/o a recovery number, but perhaps they were
             | grandfathered in.
             | 
             | Alternatively, use a physical token as the 2nd factor, then
             | no recovery number is required.
        
         | ThePowerOfFuet wrote:
         | Why haven't you gotten the hell out then?
        
           | csomar wrote:
           | Honestly, what is a good US bank that has a great web/mobile
           | experience, a large financial offering (checking, credit,
           | savings, investment, etc...), great customer support, a good
           | presence internationally, reasonable and no hidden fees..
           | wait there is none.
        
             | choward wrote:
             | It's the same bank that doesn't send you spam emails which
             | make you used to receiving unsolicited communication from
             | your bank. These emails make it easier to sneak in phishing
             | emails. That's why I use that bank.
        
             | zachberger wrote:
             | Schwab? I've been using them for about 2 years and have no
             | complaints now.
        
               | mcny wrote:
               | previously, on hn:
               | https://news.ycombinator.com/item?id=8783790
               | https://archive.fo/xPtn5
        
             | jedberg wrote:
             | They all fit that description. If you're rich.
             | 
             | Put a few hundred thousand in the bank and you'll get all
             | that stuff for free!
        
             | enjo wrote:
             | USAA fits that bill for me.
        
               | SkyMarshal wrote:
               | Isn't USAA restricted to military or spouse/child of
               | military?
        
           | jedieaston wrote:
           | Is there a US bank (national, not a local credit union) that
           | allows you to use TOTP, U2F and backup codes as your sole 2FA
           | sources? Heck, the US Government lets you do it now
           | (https://login.gov), you think that BofA would...
        
             | pixel16 wrote:
             | Both USAA and Navy Fed allow this, as well as Schwab.
        
             | nitrogen wrote:
             | I believe SoFi allows TOTP (full disclosure: I used to work
             | there but not on 2fa)
        
             | toomuchtodo wrote:
             | https://twofactorauth.org/#banking
        
               | filoleg wrote:
               | > https://twofactorauth.org/#banking
               | 
               | Looking at that link, pretty much none of the major US
               | banks (Bank of America, US Bank, Wells Fargo, PNC, Chase,
               | etc.) seem to support software 2FA token solutions (e.g.,
               | Google Authenticator, Authy, etc.). Not gonna lie, this
               | is abysmal.
        
             | dpifke wrote:
             | radiusbank.com does.
        
             | fossuser wrote:
             | I think Fidelity does allow this, but I haven't bothered
             | with it since I use a password manager.
             | 
             | Fidelity has a brokerage account, free checks, free ATM
             | withdrawals via debit card, maybe also your 401k, free
             | money wires, automatic investment etc.
             | 
             | The only thing they don't have are branches where you can
             | deposit cash, but that's really never necessary - in an
             | extreme case you can open another bank account, deposit
             | cash, transfer to fidelity and immediately close it.
             | 
             | I'm not sure why anyone uses a bank other than Fidelity.
        
               | imajoo wrote:
               | Fidelity does it through either SMS or Symantec's
               | Validation and ID Protection (VIP) Access app. I called
               | and asked if they support another app and they said they
               | don't. Why they couldn't use another (read: non-Symantec)
               | 2FA is beyond me.
        
               | fossuser wrote:
               | Ah that's lame, I saw the 2FA app support and assumed it
               | would be any app.
        
       | dabernathy89 wrote:
       | This is the recommended solution:
       | 
       | > The easiest way to make it impossible for SIM swappers to take
       | over your accounts after they hijack your number is to unlink
       | your phone number with those accounts, and use a VoIP number--
       | such as Google Voice, Skype, or another--instead.
       | 
       | They don't mention that some carriers offer the ability to secure
       | your account against unauthorized transfers, but it's opt-in.
       | Here's how you can do it on Verizon:
       | 
       | https://twitter.com/ramsey/status/1235227940054585344
        
         | ping_pong wrote:
         | Thank you! I didn't know this existed, it puts my mind at ease
         | for now.
        
         | Nextgrid wrote:
         | I've heard stories where an account PIN or other "enhanced
         | security" was still bypassed during fraudulent SIM swaps.
         | 
         | Presumably, the PIN is supposed to be verified by the tech
         | support advisor, who can get social-engineered or bribed.
         | 
         | Maybe the solution is to actually have _real_ technical support
         | that is tech-savvy and paid a good wage instead of the monkeys
         | we currently have?
        
           | dabernathy89 wrote:
           | Yep, we had a PIN in place before and it did no good, because
           | the transfer is initiated from outside of Verizon - and for
           | some reason Verizon just allows it (without the enhanced
           | security). We were told that Verizon's enhanced security
           | requires actually having to provide photo ID in person at a
           | corporate Verizon store to allow a number to be transferred
           | out.
        
         | markovbot wrote:
         | They also don't mention that Venmo (and presumably PayPal also)
         | won't actually let you sign up with a Google Voice number. They
         | check to make sure it's an actual cell phone.
        
           | eslaught wrote:
           | You can (or at least used to be able to) sign up for PayPal
           | with an email address. Or at least I'm fairly sure, since
           | PayPal keeps prompting me to put in a mobile phone number,
           | and so far I've always been able to exit out of that dialogue
           | without entering anything.
           | 
           | Venmo, on the other hand, I will never use because of this
           | "feature".
        
             | brewdad wrote:
             | I created a Venmo account this week because it was the
             | easiest way to get out two payments to friends who I can't
             | see face to face at the moment. The next day Paypal added
             | my new Venmo phone number to my Paypal account that
             | previously didn't have a phone associated. Good times.
        
         | KingMachiavelli wrote:
         | I tried using a Twilio number with my bank. I found out that
         | any service that uses SMS shortcodes for their SMS '2FA' won't
         | work with this kind of service. SMS shortcodes are a value
         | add-on that carriers provide that is only supposed to work with
         | real numbers.
         | 
         | It's possible that services more centered around VOIP vs an
         | automation platform might work. It's also possible that using
         | a foreign VOIP number might work, but that might also cause
         | issues if you try using it with a US bank.
         | 
         | And I'd rather not have some half-baked solution using Google
         | Voice.
         | 
         | If anyone knows how to get a shortcode-enabled number ( _not_ a
         | short code number but rather a number that can receive SMS
         | _from_ shortcodes) on Twilio or a similar platform, it would be
         | very easy to set up an SMS 2 EMAIL gateway. Perhaps if a number
         | is ported to Twilio it will retain shortcode capabilities?
         | 
         | Besides finding a solution to the above problem, I suppose I
         | could just get a GSM USB modem & SIM card for this purpose.
        
           | yitzif wrote:
           | Hi, I've actually used BurnerApp to get a number that you pay
           | monthly for. Something along the lines of $5 for every 90
           | days I believe.
        
           | [deleted]
        
           | gruez wrote:
           | >If anyone knows how to get a shortcode-enabled number (not a
           | short code number but rather a number that can receive SMS
           | from shortcodes) on Twilio or a similar platform
           | 
           | You can use jmp.chat, which is an SMS-to-XMPP service.
        
         | [deleted]
        
         | stormdennis wrote:
         | I used Google authenticator for 2fa for PayPal. I don't recall
         | if PayPal have my mobile number. If they do am I vulnerable?
        
         | karlding wrote:
         | According to this post [0] on /r/verizon, it's not available to
         | Prepaid and Business accounts.
         | 
         | [0]
         | https://old.reddit.com/r/verizon/comments/eve25m/comment/fkq...
        
         | hasham11 wrote:
         | The problem with using a VOIP number is that most apps and
         | websites won't let you use anything but a regular carrier
         | number for verification -- they specifically restrict VOIP
         | numbers from use. I presume this is to prevent spammers or just
         | regular users from creating multiple accounts, but I think
         | they're mistaken as it's trivial to buy a temporary "real"
         | carrier number on the internet if you're fine using a somewhat-
         | shady site.
        
           | toast0 wrote:
           | I've been the person at the app banning voip numbers. The
           | problem is there are some services that make it very easy to
           | obtain a voip number at no cost to the user; if they don't
           | have effective protections against bulk registration,
           | spammers abuse them to get thousands of numbers and then use
           | those numbers to abuse the service I was at.
           | 
           | Forcing spammers to have a non-voip number raises their
           | costs, sometimes significantly, reducing their ROI and their
           | interest in spamming our users.
           | 
           | We tried to make exceptions where we could, but it does suck
           | for real people using voip numbers for whatever reasons.
        
             | skrtskrt wrote:
             | Unless you're doing a dip of the number against proprietary
             | telecom data sets, you have no idea if the number is a
             | "VOIP" number. Due to North American number porting laws,
             | you can take any number that was a "Verizon landline" or
             | whatever and move it to a VOIP provider that can overlay
             | SMS capabilities on it. Even if you dip and see that it
             | belongs to a VOIP provider, it's a completely legit use
             | case for some to own their phone number through Bandwidth,
             | Twilio, Telnyx, Messagebird, whatever.
        
               | adrr wrote:
               | There are DBs that can get you that info. Some even tell
               | you when the number was ported which is useful to catch
               | mobile number takeovers. Things have moved beyond NPA/NXX
               | lookups.
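
Added example (not code from anyone in the thread): one way a service could act on the port-date and line-type lookups adrr describes, in Python against a constructed lookup table; the NumberIntel record, the carrier names, the sample numbers and the thresholds are assumptions. It also follows skrtskrt's caveat above, so a VoIP line at a known provider is allowed and an unrecognised one only triggers a stronger factor rather than a ban.

```python
"""Step-up logic for SMS second factors driven by number-porting lookups.

Added example, not from the thread. The NumberIntel record, the carrier names
and the SAMPLE_FEED numbers are constructed stand-ins for a commercial
number-intelligence feed; the policy thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class LineType(Enum):
    MOBILE = "mobile"
    LANDLINE = "landline"
    VOIP = "voip"
    UNKNOWN = "unknown"


class Decision(Enum):
    ALLOW_SMS = "allow_sms"  # an SMS code is acceptable as the second factor
    STEP_UP = "step_up"      # demand a stronger factor (TOTP, U2F, recovery code)
    REVIEW = "review"        # hold account changes until a human has looked


@dataclass(frozen=True)
class NumberIntel:
    """Hypothetical shape of one lookup result (constructed for this example)."""
    e164: str
    line_type: LineType
    carrier: str
    last_port_date: Optional[date]  # None: never ported, or not known


# Constructed sample feed; numbers and carriers are placeholders.
SAMPLE_FEED: Dict[str, NumberIntel] = {
    "+15555550100": NumberIntel("+15555550100", LineType.MOBILE, "BigCarrier", None),
    "+15555550101": NumberIntel("+15555550101", LineType.MOBILE, "BigCarrier", date(2020, 4, 3)),
    "+15555550102": NumberIntel("+15555550102", LineType.VOIP, "Twilio", date(2018, 6, 1)),
    "+15555550103": NumberIntel("+15555550103", LineType.VOIP, "FreeVoipCo", date(2020, 4, 5)),
}
SAMPLE_TODAY = date(2020, 4, 6)      # constructed "now"
SAMPLE_BOUND_ON = date(2020, 1, 15)  # constructed date the number was attached to the account


def evaluate_sms_factor(intel: NumberIntel, bound_on: date, today: date,
                        recent_port_days: int = 30,
                        known_voip_carriers: FrozenSet[str] = frozenset()
                        ) -> Tuple[Decision, List[str]]:
    """Decide whether an SMS code may serve as the second factor for this number.

    bound_on is the date the user attached the number to the account. A port
    after that date means the number may have changed hands since (the
    takeover signal discussed in the thread) and goes to review. A port inside
    the recent window, an unrecognised VoIP provider or an unknown line type
    only steps up to a stronger factor: a VoIP number at a known provider is a
    legitimate setup, so it is never banned outright here.
    """
    reasons: List[str] = []
    ported_after_binding = False
    if intel.last_port_date is not None:
        if intel.last_port_date > bound_on:
            ported_after_binding = True
            reasons.append("ported after the number was bound to the account")
        elif (today - intel.last_port_date).days <= recent_port_days:
            reasons.append("ported within the recent-port window")
    if intel.line_type is LineType.VOIP and intel.carrier not in known_voip_carriers:
        reasons.append("VoIP line at a provider not on the allow-list")
    elif intel.line_type is LineType.UNKNOWN:
        reasons.append("line type could not be determined")

    if ported_after_binding:
        return Decision.REVIEW, reasons
    if reasons:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW_SMS, reasons


def check_account_number(e164: str, bound_on: date, today: date,
                         feed: Dict[str, NumberIntel] = SAMPLE_FEED,
                         **policy) -> Tuple[Decision, List[str]]:
    """Look the number up in the feed; a miss is treated as an unknown line type."""
    intel = feed.get(e164) or NumberIntel(e164, LineType.UNKNOWN, "unknown", None)
    return evaluate_sms_factor(intel, bound_on, today, **policy)


def run_sample() -> Dict[str, Decision]:
    """Evaluate every sample number with Twilio on the VoIP allow-list."""
    return {n: check_account_number(n, SAMPLE_BOUND_ON, SAMPLE_TODAY,
                                    known_voip_carriers=frozenset({"Twilio"}))[0]
            for n in SAMPLE_FEED}


if __name__ == "__main__":
    for number, decision in run_sample().items():
        print(number, decision.value)
```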
        
               | skrtskrt wrote:
               | Of course, that's what I was referring to. The consumer
               | still has to subscribe to those data sets, keep them
               | updated, and understand which lesser-known company names
               | are "legit" telecom providers (as many large providers
               | are non-household names _and_ have VOIP offerings) vs
               | whatever kind of VOIP provider he feels he needs to
               | protect against.
               | 
               | My point being that if he's doing it right, he's probably
               | spending more time and money than it's worth, and if he's
               | not, he's banning legit users for the crime of not having
               | a big-4 provider.
        
               | stqism wrote:
               | There are companies that will sell you the ability to
               | look up this information and/or determine if you should
               | trust this number.
        
             | KingMachiavelli wrote:
             | How can an arbitrary number be used to abuse your service?
             | At least for SMS "2FA" you only need to be able to send a
             | message to a number associated with an existing account.
             | 
             | As long as you aren't using SMS as your rate-limiting step
             | to acquire an account, then it doesn't matter if someone
             | has 1 phone number or 1000 numbers. In the case that SMS
             | verification is the rate-limiting step, why not switch to
             | an open captcha or similar system?
        
           | megous wrote:
           | They're also mistaken in their filtering oftentimes.
           | 
           | I have a smaller, lesser-known telephone operator friendly to
           | more advanced users, and my SIM-bound mobile phone number is
           | rejected by big services like Google.
           | 
           | Not that I care anymore, I'll certainly not go to great
           | lengths to use services which start their onboarding by
           | blocking my number and forcing me to use big telco's services
           | or some shady website.
        
       | dang wrote:
       | The article this is pointing to was discussed here:
       | https://news.ycombinator.com/item?id=22687927
       | 
       | and the study here: https://news.ycombinator.com/item?id=22016212
        
       | Raphaellll wrote:
       | This was (is?) also possible with Lyft. When I was interning in
       | the US, my visa sponsor sent me a SIM card that they clearly
       | reused several times a year. Opening the Lyft app with this SIM
       | automatically logged me in to the attached account. I didn't
       | notice this and took a $70 trip from SF to SV. Next morning I
       | realized it wasn't my account and credit card details. Wrote to
       | Lyft support but never heard back. It wasn't even possible to log
       | out of this account and create a new one.
        
         | jedberg wrote:
         | Lyft probably decided it was cheaper to eat the $70 than admit
         | this attack vector exists.
        
       | latchkey wrote:
       | To be clear, Paypal owns Venmo.
        
       | wronglebowski wrote:
       | Is there a recommended defense against a SIM Swap attack at the
       | carrier level? Do carriers offer some form of two factor? I
       | suppose the weakest link is the in store associate who just can't
       | be bothered to verify identities.
        
         | kube-system wrote:
         | Some carriers have security questions they are supposed to ask
         | before making changes to an account. Not sure how well these
         | actually work in practice.
        
         | imglorp wrote:
         | There should be an explicit lock like there is for credit
         | agencies.
        
         | littldevl wrote:
         | Verizon Wireless allows you to block ports and SIM swaps. Open
         | App --> Account --> Account Settings --> Security --> Number
         | Lock.
        
         | Jimpulse wrote:
         | Just looked it up, T-Mobile has a NOPORT account level security
         | protection. It requires that a valid ID is presented in store
         | to port your number to another carrier or swap SIMs.
        
         | dabernathy89 wrote:
         | Yes, you can add additional security onto your account - at
         | least with Verizon. I highly encourage everyone to do so. Once
         | enabled, you will need to present photo ID at a corporate
         | Verizon store to allow your phone # to be transferred to a new
         | carrier.
         | 
         | Instructions:
         | https://twitter.com/ramsey/status/1235227940054585344
         | 
         | My wife got SIM jacked just a few weeks ago and we got
         | extremely lucky that it didn't turn into a bigger problem. They
         | did get a hold of her Venmo account, but fortunately it's not
         | actually linked to our bank account (Venmo restricts the # of
         | users that can link to a single bank account).
        
           | dguo wrote:
           | Thanks for the tip! I'm glad to see they've implemented this.
           | Though I'm still very frustrated about how long it took for
           | them to do anything about this problem.
        
           | [deleted]
        
         | kyrra wrote:
         | (I'm a googler, opinions are my own. I don't work on Fi.)
         | 
         | Google Fi provides sim swap attack protection. To bind a Google
         | Fi # to a phone, you need to be able to log into your Google
         | account on that phone (from the Fi app). There is no other way
         | to bind a Fi number to a phone (customer service doesn't even
         | have the power to do this).
         | 
         | This means that whatever 2FA you have setup on your Google
         | account is the same protection you get against sim swap
         | attacks.
        
           | johndough wrote:
           | That is good to hear, but I am more worried about google
           | suspending my account and ignoring all appeals for automated
           | reasons.
           | 
           | To be fair, this has not happened to me yet (with gmail) or
           | anyone I personally know, but it remains a concern for me due
           | to the high impact such an event could have on my life.
           | 
           | Is there any bulletproof way that a non-US citizen could get
           | their account reinstated or at least recover associated
           | accounts?
        
             | kyrra wrote:
             | (I'm a googler, opinions are my own)
             | 
             | Even for US citizens, there isn't a foolproof way to deal
             | with account recovery. I'd say your account getting locked
             | for incorrect reasons is pretty rare.
             | 
             | I think one important thing to know is that account-
             | suspension stories you read on the internet aren't always
             | legitimate cases. While, yes, getting publicity about an
             | account lock can get it a second look, bad actors know this
             | as well. Those who have done "bad" things will use this
             | same approach to try to get their accounts unlocked. Google
             | won't publicly comment on any individual case, so you are
             | getting a one-sided story about why an account was locked,
             | so be skeptical when you are reading them.
        
         | Mirioron wrote:
         | Even if there is, there are still so many different carriers in
         | the world. I doubt all of them are going to implement
         | safeguards against this, which means that accounts will be at
         | risk as long as websites rely on these phone numbers.
        
         | dguo wrote:
         | One of my relatives suffered three SIM swap attacks over about
         | six months. I asked our carrier after the first two times what
         | we could do to prevent it from occurring again. The answer each
         | time boiled down to "nothing." After the third time, my
         | relative got a new phone number.
         | 
         | I'd love to be able to opt in to having to provide a photo ID
         | at a physical location in order to complete the SIM swap.
         | 
         | Or maybe the carrier can try to call or text the number for
         | some sort of confirmation process. In our case, we never even
         | got a warning that the swap was going to occur. We found out
         | after my relative's email account was compromised.
         | 
         | This issue alone is enough to make me want to switch carriers,
         | but AFAIK, all of them do not provide robust protection
         | measures for this issue. I've considered Google Fi, but it
         | might have poor coverage where some of my relatives are.
        
       | Finnucane wrote:
       | I try to avoid having my phone linked to accounts as much as I
       | can. When the web sites say, "add your phone" I say "no."
        
         | NullPrefix wrote:
         | IIRC, gmail says no too and you are left without an email
         | address.
        
           | Finnucane wrote:
           | No, _you_ are left without an email address. I don't use
           | gmail.
        
         | dividuum wrote:
         | Agreed. Especially if it's unclear whether or not that's used
         | for any kind of magical and probably broken account recovery
         | process. I have to click through the Paypal "give me your phone
         | number" question every time I log in... It sucks.
        
         | pengaru wrote:
         | Same here, but disturbingly some sites are making it a
         | requirement.
         | 
         | The Match Group dating sites like Plenty of Fish and OkCupid
         | recently made it a hard requirement to set up a 2FA phone
         | number, even for existing accounts.
         | 
         | It's a super annoying trajectory, and I imagine potentially
         | dangerous if one considers the dating sites and victims of
         | abusive relationships attempting to get out. Making physical
         | access to the phone all one needs to gain access to a dating
         | profile is a clear regression from unsaved passwords.
        
           | nexuist wrote:
           | Without any form of national ID it's a really hard problem to
           | solve. As someone who runs my own login system, I require
           | phone numbers to prevent botting. Obviously you can make a
           | bot through Twilio etc, but it becomes economically nonviable
           | to mount attacks through bot registration, which is my goal.
        
             | pengaru wrote:
             | What are you doing to combat the risks of attacks like SIM-
             | swapping?
             | 
             | Personally I find using phone numbers for this purpose as a
             | cop-out, and like you said it's just a Twilio account away
             | from being defeated. Like captchas it's only a matter of
             | time before that is the baseline capability for bots and
             | you're in no better place than before, except now your
             | users have worsened security.
             | 
             | IMHO the true business incentive for requiring numbers is
             | just getting identity-coupled phone numbers which add
             | significant value to their collection of PII.
        
       | [deleted]
        
       | choward wrote:
       | Why isn't there more of an emphasis on the phone companies?
       | They're the ones literally giving your phone number to someone
       | else.
        
       | kome wrote:
       | Can we please stop using cellphones and smartphones for anything
       | serious please?
        
       | jlebar wrote:
       | PayPal / Venmo also don't have support for proper security keys.
       | :(
        
         | fuzzy2 wrote:
         | PayPal supports Symantec tokens though? They even sold hardware
         | tokens in the past.
        
       ___________________________________________________________________
       (page generated 2020-04-06 23:00 UTC)