[HN Gopher] SMS phishing is way too easy
___________________________________________________________________
SMS phishing is way too easy
Author : ricardbejarano
Score : 384 points
Date : 2022-06-24 14:52 UTC (8 hours ago)
(HTM) web link (www.bejarano.io)
(TXT) w3m dump (www.bejarano.io)
| sgoto wrote:
| The first SMS from github is origin bound, it cannot be used for
| phishing: https://wicg.github.io/sms-one-time-codes/
| maxwellg wrote:
| Origin-bound codes & Web OTP codes [1] are interesting
| initiatives, but platform adoption has been poor. For example,
| it still isn't possible to use Web OTP in Chrome on MacOS from
| a Chrome Web app on iOS. The communication isn't there yet.
|
| And for what it's worth - origin bound OTP codes aren't
| _strongly_ bound - there isn't anything physically stopping
| someone from typing that short 6 digit code into a phishing
| site. Compare with a Magic Link token - you're much less likely
| to take `https://example.com?token=some-long-uuid` and manually
| enter that code somewhere else.
|
| [1]: https://wicg.github.io/web-otp/
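The binding mechanism the two comments above refer to is a plain-text convention: the last line of the SMS names the origin and the code. As an added example (not code from the thread or from the WICG draft), this is a parser for that line plus the origin check an autofill-style client would make before offering the code to a page. It models the machine-side check only; as the comment notes, nothing stops a person from reading the digits and typing them elsewhere. Sample messages are constructed, and example.com stands in for whatever site actually sent the code.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the binding line as described in the WICG draft linked above:
# the LAST line of the SMS is "@<host> #<code>", optionally followed by
# " @<embedded-host>" when the code is meant for a page embedded in a frame.
BINDING_LINE = re.compile(
    r"^@(?P<host>[A-Za-z0-9.-]+) #(?P<code>[A-Za-z0-9]+)"
    r"(?: @(?P<embedded>[A-Za-z0-9.-]+))?$"
)


@dataclass
class BoundCode:
    host: str
    code: str
    embedded_host: Optional[str] = None


def parse_bound_code(sms: str) -> Optional[BoundCode]:
    """Return the binding if the message's last line is well-formed, else None.
    Only the last line is consulted; anything earlier in the body is ignored."""
    lines = sms.rstrip().splitlines()
    if not lines:
        return None
    m = BINDING_LINE.match(lines[-1].strip())
    if m is None:
        return None
    embedded = m["embedded"].lower() if m["embedded"] else None
    return BoundCode(m["host"].lower(), m["code"], embedded)


def code_for_page(sms: str, page_host: str, frame_host: Optional[str] = None) -> Optional[str]:
    """Model of the client-side check: hand the code to a page only when the
    page's host equals the host named in the message (and, for an embedded
    page, the embedded host as well). A message bound to example.com is
    therefore never offered to a look-alike host, and a message that names
    some other host is never offered to example.com."""
    bound = parse_bound_code(sms)
    if bound is None or bound.host != page_host.lower():
        return None
    if bound.embedded_host is not None:
        if frame_host is None or frame_host.lower() != bound.embedded_host:
            return None
    elif frame_host is not None:
        # The message names no embedded host, so it must not be filled into a frame.
        return None
    return bound.code


if __name__ == "__main__":
    # Constructed sample message, not a real one.
    sample = "Your example.com verification code is 123456.\n\n@example.com #123456"
    print(code_for_page(sample, "example.com"))            # 123456
    print(code_for_page(sample, "example.com.evil.test"))  # None
```

The comparison is on the full host, never a suffix match, which is the whole point: a host that merely contains "example.com" is a different origin.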
| silvestrov wrote:
| Another possible solution: Government enacts a law that telecom
| companies MUST ensure that SenderID is valid for the company that
| sends the SMS.
| feet wrote:
| Yea but that would require that the government actually
| regulate something which they haven't done since what, the
| 70s?
| onelesd wrote:
| Telecoms lobby against this because they generate big revenues
| servicing SMS spammers whom end-users aren't able to
| effectively block since the ID is trivially spoofed.
| newsclues wrote:
| Ding ding ding!
|
| It's profitable on multiple levels to allow this, so
| corporations ensure the political class doesn't enact
| legislation for consumers.
| ruff wrote:
| Hmm... for all 10 digit US numbers the telcos introduced
| 10DLC registrations last year that require you to register and
| verify your business in order to send any meaningful amount
| of SMS traffic. You have to provide details like a DUNS
| number, an EIN, and addresses that match those registrations.
| https://support.bandwidth.com/hc/en-
| us/articles/150000242224...
|
| They haven't gotten to blocking messages that don't register
| but have raised the fees and fines for folks who don't
| register and they're able to track down.
| remix2000 wrote:
| I wouldn't be surprised if telecoms themselves were the ones
| coordinating some SMS scam operations. This may sound
| tinfoilish, but we're talking about the same telecoms that
| were once caught red-handed tricking people into calling back
| foreign numbers...
| dotancohen wrote:
| Furthermore, SMS competes with Whatsapp.
|
| I don't use WhatsApp, so with people who do not have Telegram
| I use SMS. The more annoying and connoted with spam SMS is,
| the more pushy people become with insisting on WhatsApp.
| Luckily I'm often in a position to absolutely resist, but I
| can see how others, such as job hunters or Tinder hookups,
| would be pressured into installing the spyware.
|
| This is not being done by Facebook/WhatsApp themselves, but
| keeping SMS annoying is certainly in Facebook's interest.
| kome wrote:
| That's why I never used 2FA using SMS: they are crap.
| 0xbeefeed wrote:
| A lot of people in this thread saying SMS is bad for 2FA. It's
| not. Just because you can spoof the sender field doesn't
| mean you can spoof being a receiver. Only the valid number will
| ever receive the 2FA code.
| conductr wrote:
| But who can read the messages that go to the valid number? How
| can unwanted people gain that access?
| jkepler wrote:
| SMS is bad for 2FA not because it can be spoofed, but because
| of SIM-swapping attacks that let the attacker trivially take
| your 2FA codes from you---gaining access to your protected
| accounts while you're locked out. NIST recommended against
| using SMS for this reason in summer 2016.
| smitop wrote:
| Android supports "verified SMS" wherein the sender proves their
| identity to Google, tells Google the hashes of messages they
| send, and Google can tell recipients if the message hash is legit
| or not: https://developers.google.com/business-
| communications/verifi...
| [deleted]
| baxtr wrote:
| I have two phone numbers. One is for 2-way authentication, the
| other I give out freely on any website that requires a phone
| number (and to all my friends).
|
| It's basically the same setup I use with emails.
|
| Not entirely sure if it's safer that way. But so far I get SMS
| spam only on the "burner" number.
| semitones wrote:
| Funny how friends, life, and everything other than 2-way auth
| is on the "burner" :)
| jimmywetnips wrote:
| It's so fucking annoying. I was wondering if there exists some
| kind of service that I can install a browser plugin with and
| all it does is provide me a number to receive bullshit sms
| codes on, then I can quickly copy and paste without
| having to use a phone
| franga2000 wrote:
| That just shifts the trust to another company. There used to
| be a desktop app that did this with Twilio, which is more
| trustworthy, but I don't remember what it was called or if
| it's still around.
| amenghra wrote:
| Use Google Voice as your 2nd number.
| O__________O wrote:
| Stop using SMS for 2FA.
|
| Not familiar with SMS Sender ID Verification, but after quick
| Google, I was unable to find any signs that it counters SMS
| spoofing.
|
| SMS as a 2FA channel is broken. There are so many vulnerabilities
| that it just makes no sense to use; for example: corrupt telco
| employees, SS7, sim card cloning, sim swap, spoofing,
| governments, etc.
|
| Beyond that, if you're located or traveling internationally, it's
| a nightmare to deal with.
|
| NIST has not recommended SMS based 2FA since 2016:
|
| https://www.schneier.com/blog/archives/2016/08/nist_is_no_lo...
| mfbx9da4 wrote:
| Can you provide reading links for SS7 and co please. I really
| don't understand why it's so insecure.
| fasteo wrote:
| SMS has a unique advantage that no other channel has: no user
| onboarding needed. Got a SIM? Got SMS.
|
| I send lots of 2FA SMS for a number of banks here in Europe and
| they - because of the costs after PSD2[1] went live - want
| users to use their app for getting notifications as 2FA. They
| have launched several communication campaigns over the last 2-3
| years, but only 30% of users have migrated from SMS to in-app
| notifications, mostly because they won't even install their
| app.
|
| Then, we have use cases where users don't have a regular
| relation with your business (e.g. e-sign for consumer goods
| financing on spot). In this case, I would say that SMS is the
| only channel you have to serve these users.
|
| For better or worse, I do not see SMS disappearing anytime
| soon.
|
| [1] https://ec.europa.eu/info/law/payment-services-
| psd-2-directi...
| jandrese wrote:
| Don't have a SIM? Get fucked.
|
| There are people who don't have a cell phone because they see
| it as a distraction engine that will gobble up their life.
| Digital addictive drugs. But it's almost impossible to
| maintain this stance in modern life. Have you seen the trend
| of restaurants that no longer print menus? Instead there is a
| QR code that opens up their website to get the menu. Every
| service now wanting SMS verification adds to their problems.
| moffkalast wrote:
| > Don't have a SIM? Get fucked.
|
| Well yes, doesn't literally everything need a phone number
| to work these days? Can't open a bank account, can't get
| paid, can't pay bills, can't exist.
| dijonman2 wrote:
| I have asked for a paper menu in these cases and almost all
| restaurants have been happy to oblige. One time the
| restaurant let me use their iPad to see the menu.
|
| I wouldn't count on this, but I'm trying to give a business
| money. Most are happy to satisfy reasonable requests.
| reaperducer wrote:
| I was at a food court recently where one of the
| restaurants didn't have a menu. Just a QR. I asked, and
| there's no paper version available. I asked what they do
| for blind people and got a blank stare.
|
| So I went to the restaurant next door. If you can't even
| bother to scribble a menu on a chalkboard, you're not a
| real business.
| Dylan16807 wrote:
| > I asked what they do for blind people and got a blank
| stare.
|
| Probably talk to them? I'm not sure where you're going
| with this because a paper menu isn't going to help with
| blindness.
| herbst wrote:
| It's not only about having a SIM but also having one 'they'
| like. I am with a small provider here in Switzerland (that
| is the daughter of the biggest provider) and things like
| Twitter, Twitch, .. don't even support that number for
| whatever reason.
|
| I personally only use throwaway rental numbers on the web,
| basically giving me the worst security possible for any
| kind of account that falls back to SMS for security.
| jandrese wrote:
| I know people who have tried to save money or tried to
| avoid giving money to unethical companies by only having
| a virtual phone number. Turns out that virtual SMS
| numbers are treated like radioactive Ebola by most
| services.
| herbst wrote:
| It's a lot more complex than that actually. With
| Signalwire for example you can rent Canadian (and US)
| numbers at 0.2/m that work well with surprisingly many
| services, but not all. In a similar fashion you always
| find the right company to use/abuse any service that asks
| for a number. You won't get around the internet with a
| single cheap VOIP number though. Plus there are providers
| with more or less perfect SIMs but they are expensive.
|
| There are also services that are specialized on providing
| the right number for a one time fee. This usually works
| well, but more often than not destroys future account
| security (they all will give numbers out again, no matter
| what they claim).
|
| I could literally write a book about my life without a
| 'real' phone number.
| jandrese wrote:
| I would buy and read that book, even though I know a lot
| of it will be out of date by the time it was ready for
| sale.
| fasteo wrote:
| We actually scrape like 30 sites offering virtual numbers
| to block them all. Our customers don't like seeing their
| SMS appearing in random sites.
| Dylan16807 wrote:
| They should stop being so nosy and looking over the
| user's shoulder, then.
| toomanydoubts wrote:
| >Instead there is a QR code that opens up their website to
| get the menu.
|
| This is a trend here in Brazil. And do they send you to a
| lightweight, mobile-optimized web page? No way in hell, you
| can be pretty damn sure they will send you to a 20MB PDF
| that was designed for printing.
|
| It's mind boggling how insane this is.
| npc12345 wrote:
| Skype
| Dylan16807 wrote:
| > but only 30% of users have migrated from SMS to in-app
| notifications, mostly because they won't even install their
| app.
|
| You say 'even' but it's hard to make sure apps aren't able to
| track me at all, and while I trust my bank to keep my money
| safe I don't trust their app to be tracker-free.
| eftychis wrote:
| Make a guess how fast one can SIM swap you if you are a good
| target. Phone calls and SMS should not be used for any such
| communication period.
|
| 2FA is ideally user generated to begin with, and not the
| other way around.
|
| This is more to check the box and state to the court you
| tried your best.
|
| P.S. Example: We had serious issues when people gave Google
| their phone numbers and the corporate accounts got hijacked.
| pilgrimfff wrote:
| Google won't even allow you to enable app-based 2FA until
| you've signed up for SMS-based 2FA.
|
| Unless you go back into the 2FA interface after the fact,
| there's no indication that app-based is even an option for
| Google accounts.
| ranger_danger wrote:
| That's not 100% true... the one alternative is to first
| enable U2F hardware-based 2FA (which can be emulated on a PC
| using softu2f), then you can enable regular app-based TOTP
| codes.
| moffkalast wrote:
| That may be so, but the alternative approach is something like
| Google/KeePass/whatever Authenticator, which has the issue of
| not being bound to your number (unlike SMSs) so if your phone
| gets destroyed you can't simply get a new phone and sim from
| the operator and continue as usual, you're completely fucked
| instead.
| jandrese wrote:
| You are only in trouble if you didn't keep a copy of your
| private keys backed up.
|
| Unfortunately many of these apps treat the private keys like
| the app owns it which is where people run into trouble. Some
| will even back up to the app provider's cloud service which
| is just asking for it to be stolen.
| moffkalast wrote:
| > if you didn't keep a copy of your private keys backed up
|
| Most people don't. The average person doesn't even know
| that's a thing since like 1 in 100 services prompts you to
| even do that.
| kevin_thibedeau wrote:
| They're worse than that. I had pattern lock on my phone and
| it stopped working one day. After a factory reset all
| authenticator apps lose your credentials.
| jkepler wrote:
| On Android, if you use AndOTP, the app allows you to easily
| back up all your OTP secrets to an exportable file, with
| optional password encryption. Trivial to then import into
| another phone.
| vladvasiliu wrote:
| Depending on the authenticator used, you are absolutely not
| fucked. It even works while waiting for your new phone / sim
| (had this happen to me on a Saturday night in France.
| Nothing's open Sundays).
|
| There's Authy that does backups and you can even run it on a
| computer (even Linux!). 1Password can store OTPs, too, and is
| also backed up. There are probably a bunch of others and I'd
| expect KeePass to be able to do backups.
|
| Plus, you're usually able to get the OTP seed which you can
| store on your own. This usually shows up as "can't scan this
| code?" or similar when registering.
|
| I'm now traveling overseas, and have a local SIM in my phone.
| I have an older iPhone, so no dual-SIM for me. If I had to
| receive an SMS I guess it would still be better than my older
| Galaxy S5 which required a reboot, but it'd still be a pain
| to have to switch SIMs.
|
| If I lost my Phone but still had my laptop, I'd be AOK with
| my current OTP setup. Except for a few sites which don't
| allow me to have anything else besides an SMS, but luckily
| they're not critical.
| ranger_danger wrote:
| Ironically the only sites that force me to use SMS for 2FA
| are banks.
| moffkalast wrote:
| Well some do it properly I suppose, but on the other hand
| Google Auth has 100M users and no ways to back up. All of
| those people are royally screwed if anything happens.
| ranger_danger wrote:
| >no ways to back up
|
| not true. that QR code you scanned to add the key to your
| app? well, that was your key. you could have saved it
| somewhere else secure that does allow exporting.
| moffkalast wrote:
| Which all people of course do. Or is it more like 0%?
| amichal wrote:
| I have been one of those people. There must have been a
| lot of them because "export" is now an option which dumps
| all or selected keys and a giant (non-standard?) QR code
| that can be imported into another instance. Mine are now
| on two devices.
| kwhitefoot wrote:
| How do the examples in the article cause any problem? You only
| get sent a code when you request it. And you type it into a
| website that you are familiar with.
| elboru wrote:
| What about the FedEx one? I cannot count the number of times
| I've seen companies or even government offices using
| complicated and scammy-like URL names.
|
| It's difficult to know if URLs are legit or not. HTTPS used to
| be a good enough indication of legit URLs, but not anymore.
|
| You could also think of googling the company. But those ads
| that look like real search results are well known to include
| scam websites!
|
| I'm a developer and I find it difficult to distinguish some
| URLs. Now imagine how difficult it can be for grandpa or really
| any person out there that doesn't know about these kinds of
| scams.
| ranger_danger wrote:
| Not everyone is that smart.
| orliesaurus wrote:
| Request for proposal: SPF, DMARC, DKIM authenticity
| authentication but for SMS
| megous wrote:
| Caller ID is the same. Some trunks come with ability to set any
| number you like, without any verification. You just provide the
| number you like in a SIP INVITE message header, and that's it.
| ricardbejarano wrote:
| Didn't know that, jeez.
|
| Imagine what that could look like with voice AI getting better
| and better.
| bricemo wrote:
| Very sad to see the United States as "No" and "No" listed next to
| the protections page linked
| njovin wrote:
| My understanding is that US carriers don't support Sender ID at
| all, so having the caller ID/sender ID spoofed is not common
| (and maybe not possible?) on major US carriers.
|
| Whenever I get phishing SMS they always come from a random
| 10-digit phone number so it's pretty clear they're scams.
| Reputable companies send these types of messages with short
| codes, which are 5- or 6-digit numbers that are very expensive
| and require thorough vetting by the carriers.
| saltminer wrote:
| > Whenever I get phishing SMS they always come from a random
| 10-digit phone number so it's pretty clear they're scams
|
| Sadly, Novant Health (a hospital system) uses a regular
| 10-digit number for their patient portal 2FA. When I was in
| college, accessing sensitive info like your SSN and W2s in
| Banner also had 2FA via a 10-digit number. (This was an
| entirely separate system from the login 2FA provider, Duo,
| which uses shortcodes in addition to U2F tokens and their
| app.)
| kazz wrote:
| They're not _that_ expensive (usually $500-$1k/mo) and I
| wouldn't really characterize the vetting as "thorough".
|
| Don't get me wrong, carriers have been making strides to
| lower the amount of spam that's sent through the air (A2P
| requirements, toll-free number verification requirements,
| etc), but a determined scammer can still exploit SMS/MMS
| pretty easily.
| njovin wrote:
| I've provisioned several shortcodes. There's a 12-week
| approval process (every carrier has to independently review
| & approve) and if you get flagged/reported for spam they
| _will_ come after you for it. IMO this makes it
| prohibitively difficult & time-consuming for a bad actor
| to use effectively.
| toast0 wrote:
| It also makes it difficult and time-consuming for a good
| actor to use effectively.
|
| As far as I could tell (although I retired in 2019, so
| might be out of date), you can't use one short code
| through multiple aggregators, so if you want the benefits
| of multiple routes, you've got to have multiple
| shortcodes or live with sending from regular phone
| numbers.
| kazz wrote:
| I think the processes are getting better each day, but it
| was only a couple of years ago that you could share a
| shortcode. My main point is that even with all of the
| safeguards it's still a ridiculously easy system to
| exploit.
|
| Most people will trust a toll-free number just as much as
| a shortcode, and since tons of legitimate companies use
| toll-free numbers for messaging it just blurs the line of
| what a "reputable" number looks like.
|
| Even SendGrid, which is owned by Twilio, uses toll-free
| numbers for their 2FA messages instead of shortcodes.
| judge2020 wrote:
| Regarding caller ID, STIR/SHAKEN is being used in some
| situations and I know AT&T supports it within their own
| network (call history will have a checkmark to indicate it
| was verified).
| ASalazarMX wrote:
| Meanwhile countries like Congo, Bangladesh, Cambodia, etc. have
| Yes | Yes. We need some of that third world SMS protection.
| toast0 wrote:
| I mean, we're protected from SMS from spoofed alphanumeric
| sender ids. What more do you want?
|
| Probably no nation has protection from spoofed numeric sender
| ids, but based on the sms phishing attempts I get, that's not
| a big deal. Apparently people will tap on links from their
| bank from any number anyway.
| O__________O wrote:
| Link you're referring to is:
|
| https://support.sms.to/support/solutions/articles/4300056265...
| danschumann wrote:
| This is another reason why using password managers is good. I let
| it auto fill, so if I got redirected to a bad domain, it wouldn't
| autofill, and I'd double-check the domain.
| aero-glide2 wrote:
| Was very annoying when protonmail.com became mail.proton.me
| remram wrote:
| _very_ annoying?
| acd wrote:
| I got a phone number prepaid cash card, got someone else's previous
| mobile phone number. Got a Snapchat 2FA code which is not mine.
| Don't trust SMS for 2FA.
| grantla wrote:
| SMS really just needs to die, and we'll all be better off.
| krylon wrote:
| Huh. I received a text message a couple of weeks ago, informing
| me the "gift" that I had "bought" had been delivered to the
| "location agreed upon" by me, and to please visit this really
| suspicious looking URL for details.
|
| The Internet, for better or worse, has taught me a healthy amount
| of skepticism, plus I definitely had not bought any gifts (how is
| it a gift if I buy it myself?). But I can see how it is easy to
| fall for these scams if you aren't used to looking for them.
| jandrese wrote:
| Halfway through reading this article I got a SMS from a New
| York City number saying: "Your package delivery details are
| incorrect and we cannot deliver. https://usppagestrport.com/2vlv"
|
| Obvious phishing attack, but you know some people are going to
| fall for it.
| krylon wrote:
| Many years ago, an IT security person I was talking to
| referred to humans as "the one security-critical component
| that cannot be updated". It's a bit cynical, but not entirely
| incorrect.
| Gunax wrote:
| The more I read about phones and texting, the more I realize that
| they were never intended to be used as security verification.
|
| It just was not one of the design goals. My understanding of
| caller id is that anyone can put anything there--it was made
| decades ago to serve as convenience--not to verify.
|
| Likewise with the sender id in SMS.
|
| It's a good lesson on how protocols are hijacked. Someone thought
| it was a good idea to send text messages. Another person decided
| to leverage it for security. Et voila, we have a security
| apparatus that isn't very secure.
| longrod wrote:
| Phones were here way before 2FA and Internet. The technology is
| poorly designed for modern attack vectors but it's so widespread
| it's crazy. Every single person out there has a phone number -
| one of the primary reasons it is still offered as a 2FA option.
|
| Not to mention how widespread the coverage is. There are many
| places around the world where you have cell connectivity but no
| Internet.
|
| In short, you can't get rid of it short of throwing away the SIM.
| Is it possible to have SMS v2 that's safer like we went from 2G
| to 5G?
| cwoolfe wrote:
| "add number two to your backlog if you work on iOS or Android" I
| would...but as an iOS and Android developer, how do I know if
| it's a non-verified sender ID? The reason browsers can warn on
| these things is because of public key infrastructure, but that
| doesn't exist for SMS phone numbers. Am I missing something?
| daneel_w wrote:
| No, you're not missing anything. The author of the article just
| suffers from a naive and simplistic misunderstanding of the
| SMPP protocol and the mobile grid.
| bckygldstn wrote:
| I believe the author means if you work at Apple or Google. So
| working ON iOS or Android, rather than working ON [top of] iOS
| or Android.
| mikece wrote:
| And yet almost every bank requires it for 2FA and only a precious
| few offer TOTP or some other reasonable and secure form of 2FA.
| sha256sum wrote:
| FWIW, I have 4 "banking" accounts, 3 of which are major
| American banks and one is a local credit union. The latter is
| the ONLY one to offer 2FA via TOTP while the major banks only
| allow SMS or email 2FA.
| hinkley wrote:
| I'm still a little salty about Blizzard handing out free TOTP
| fobs at conventions and implementing an iOS app to do it,
| years or even a decade before financial institutions offered
| anything.
|
| It's a fucking game, protecting against gold farmers. How
| about protecting my non-virtual gold?
| Gunax wrote:
| Videogames are oddly the most secure of all.
|
| I don't know why (maybe criminals are more likely to go for
| your WoW account assuming the legal consequences are less) but
| I would advise all companies to examine how Blizzard, Valve,
| and others handle account security.
| z3t4 wrote:
| Could build your own protocol on top of SMS. Double opt-in,
| encrypted and signed. See for example MMS.
| smokey_circles wrote:
| Phone numbers and email: the primary identifiers that were never
| meant to be used as such.
|
| No idea what a good alternative is though. Preferably something
| federated though
| jkepler wrote:
| Are you familiar with https://identity.foundation/ ? It's a
| group of companies and developers working on decentralizing
| identity.
| turrini wrote:
| Maybe implement a two-way verification, for example:
|
| In the app/website: "You will receive an SMS with two 6-digit
| numbers, one to certify that we sent it to you and another to
| type below. Our chosen number is 887-987, type the other one"
|
| In the SMS: "Two-way verification. Check if it's us with number
| 887-987 and confirm with number 543-621"
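As an added example (my own code, not the commenter's and not any bank's or vendor's), here is the server side of the two-number flow described above: the page shows the "display" code, the SMS carries both codes, and only the second one is accepted back. The SMS gateway is stood in for by an in-memory outbox, and the phone number in the usage call is constructed. Note that this proves to the user which SMS is genuine; it does nothing about where the user then types the second code, which is the limitation raised in the replies.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Challenge:
    display_code: str      # shown on the page so the user can recognise our SMS
    confirm_code: str      # sent only by SMS; the user types it back
    expires_at: float
    attempts_left: int = 3


def six_digits() -> str:
    # Cryptographically random, zero-padded six-digit code (secrets, not random).
    return f"{secrets.randbelow(1_000_000):06d}"


class TwoWayVerifier:
    """Server side of the proposed two-number verification (constructed design).
    Messages are appended to `outbox` instead of being sent to a gateway."""

    def __init__(self, ttl_seconds: int = 300, now: Callable[[], float] = time.time):
        self._pending: Dict[str, Challenge] = {}
        self._ttl = ttl_seconds
        self._now = now
        self.outbox: List[Tuple[str, str]] = []  # (phone, text) pairs "sent"

    def start(self, session_id: str, phone: str) -> str:
        """Create the challenge, 'send' the SMS, return the display code for the page."""
        display = six_digits()
        confirm = six_digits()
        while confirm == display:          # keep the two halves distinct
            confirm = six_digits()
        ch = Challenge(display, confirm, self._now() + self._ttl)
        self._pending[session_id] = ch    # replaces any earlier challenge
        self.outbox.append((phone,
            "Two-way verification. Check if it's us with number "
            f"{ch.display_code} and confirm with number {ch.confirm_code}"))
        return ch.display_code

    def confirm(self, session_id: str, typed: str) -> bool:
        """Accept the confirm code once, within the TTL and attempt budget.
        The display code is deliberately NOT accepted: it was shown on the
        page, so anyone looking at the page already knows it."""
        ch = self._pending.get(session_id)
        if ch is None:
            return False
        if self._now() > ch.expires_at:
            del self._pending[session_id]
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.confirm_code.encode(), typed.strip().encode())
        if ok or ch.attempts_left <= 0:
            del self._pending[session_id]  # single use; lock out after too many tries
        return ok


if __name__ == "__main__":
    v = TwoWayVerifier()
    shown = v.start("session-1", "+15550100")   # constructed phone number
    print("page shows:", shown)
    print("SMS text:  ", v.outbox[-1][1])
```

The constant-time comparison and the attempt counter are the two details worth copying even into a plain one-code flow: six digits is a small space, and an unlimited-attempt endpoint is the usual way such codes get brute-forced.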
| Gunax wrote:
| Unfortunately I don't think that will work because the attacker
| is in the middle. They can request the verification number,
| then forward it to the victim.
|
| It sounds like we want identity verification, which while
| solved for computers, is much harder for humans.
| woobar wrote:
| IBM ISAM (enterprise access manager) was doing this 5+ years
| ago. The prompt for one time code will look like this [1]:
|
| 1234-_______, and email/sms will have two numbers 1234-554566.
|
| Don't think they explained the reason for the first part in the
| message though. Just highlighted it in a different color.
|
| [1] https://philipnyecom.files.wordpress.com/2017/02/otp.jpg
| alexcosan wrote:
| This could work - similar to what happens in some Bluetooth
| pairing flows. But you could still send a text message with a
| phishing link under the same Sender ID and fool someone into
| opening it. You'd really need to know that the specific sender
| would never a) send you a link, or b) send you anything without
| the "two-way verification" flow you suggested. I don't think
| any of those options are realistic at a certain scale.
| remuskaos wrote:
| I think one common way to "bypass" 2FA is to have the carrier
| send you (the attacker) a second SIM card. If I'm not
| misremembering, the text message is then delivered to both
| cards, the original holder and the attacker. So sending two
| numbers would not defend against this type of 2FA bypass.
| Melatonic wrote:
| If that happens though you are screwed no matter what they
| do. The above does sound like a big improvement though and is
| sort of like what Google does when you turn on advanced
| protection and it occasionally will ask you to match the
| number on your computer screen to the one on your phone
| dspillett wrote:
| You are right, a duplicate SIM will stop the two-number
| method described from adding any protection.
|
| But it will still protect against the fake messages like the
| ones being discussed here, and if someone has a duplicate SIM
| you are buggered in a number of other ways too.
|
| Though this method, and several others that are effectively
| the same, only offers any protection if the user has the
| wherewithal to bother verifying the other number.
| Unfortunately that means that in many cases it won't help at
| all because many would not be aware of the other number and
| expect to find it when the fake messages come in - unless the
| user knows to expect and require it, the fact a fake message
| doesn't have it makes no difference.
| 37 wrote:
| Maybe I'm missing something, but why would this work? Isn't it
| just 12 digits going to one phone number instead of 6? (also
| thinking about this is bringing me back to SYN-ACK from the old
| days)
| degenerate wrote:
| The user chooses the second 6 numbers. For dumb users this
| won't add any security, but for smart users this rings alarm
| bells.
|
| I like it, at least, for now. It's better than the current
| situation.
| tuyenhx wrote:
| This has been a problem for banks in Vietnam for a year.
|
| They faked the bank's messages and sent a link with the same UI as
| the bank. Many people got hacked.
|
| I got a few messages like this. The only thing I could do was
| inform my friends (non-tech) to avoid these things.
| rr888 wrote:
| I really don't want a phone number any more, I don't need one for
| any friends or family contact. Really the only reason is for 2FA
| which is ironic as it seems the weakest link.
| permo-w wrote:
| I don't even want a (smart)phone anymore. The lack of control
| you have over your user experience, especially on Apple
| devices, is horrendous. You can't even really jailbreak Apple
| devices anymore. On your PC you can reprogram anything,
| navigate around or fully prevent most malicious time-wasting
| practices (infinite feeds, reels, adverts) that you're near
| enough at the mercy of on a phone. The way I see it,
| smartphones are made for idiots
|
| Ideally I'd carry round a phone-sized PC running Linux with
| mobile capabilities, but as it is I settle for my laptop and a
| brick phone. I appreciate that Android would be better - and is
| in fact a computer running Linux the size of a phone, but it's
| not really the same.
| rockbruno wrote:
| It's even worse when you think of how phone companies often
| recycle dead phone numbers. I remember in Brazil you would often
| hear of people accidentally stealing someone else's account in
| apps where login == phone number due to this. It's an awful
| verification system all over.
| herbst wrote:
| My contract does state nowhere that I own or have any right to
| the number they gave me.
|
| Even though I never saw that happen, nothing is stopping them
| from just giving my number to someone else.
|
| It's so stupid to depend on something like this
| kayodelycaon wrote:
| This is why I have a password on my Telegram account.
| theginger wrote:
| As far as I am aware there is no reasonable way for carriers to
| verify sender IDs or to communicate a verified status with an SMS
| message. So you would end up labelling all messages as not
| verified, which might provide some clarity for a short time until
| it just becomes noise that gets ignored.
| ranger_danger wrote:
| Voice calls have the same issue. Most leased lines and VoIP
| providers let you set your own P-Asserted-Identity header which
| can be used to spoof caller ID to anything you want.
| jakear wrote:
| Bottom line up front: When sending tokens via SMS, you _must_
| include a "do not share this token with anyone besides X.com"
| text. Otherwise account takeovers become trivial.
|
| The article's attack is relatively benign - the user simply goes
| to a website. Sure they _may_ end up putting info in that
| website, but probably not. Plus existing systems for malicious
| website filtering can kick in to prevent this.
|
| The more concerning attack is the social engineering one where a
| third party says something like "let me 'verify' your identity,
| I'll send you a number tell me what it is" then triggers an
| identity verification request on the domain (this can be done
| either manually or part of a sign up flow for some honeypot
| service). Now the target needs only relay 6 digits to someone
| they already "trust" and are in a conversation with, versus in
| the article's example they needed to put their full account info
| into an unknown website.
| advisedwang wrote:
| Securing SMS sender ID may prevent you trusting a URL from a
| text, but that's not enough. We can't prevent people from _ever_
| clicking on a phony URL, so we need to ensure even if you hit a
| phishing page that you can't have credentials stolen. SMS and
| TOTP can't do this, even if they are secured, because
| phishing pages can forward the credential.
|
| The only solid way to prevent phishing is non-forwardable
| credentials, ie FIDO/U2F. We need to make this easier and more
| ubiquitous.
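Added example, not from the thread or from any project named in it: a Go model of why a FIDO/WebAuthn assertion cannot be relayed through a phishing page the way an SMS or TOTP code can. The browser writes the origin it is really on into clientDataJSON and the authenticator signs over its hash, so the relying party rejects an assertion made on another origin; the origins, challenge and authenticator data are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData models the clientDataJSON a browser builds for a WebAuthn
// assertion. The browser fills in Origin from the page it is really
// showing; script on that page cannot choose it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party gets back from the browser.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash || flags || counter in real WebAuthn
	Sig            []byte
}

// Authenticator stands in for a FIDO key holding one credential key pair.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedMessage is the byte string a WebAuthn authenticator signs:
// authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte(nil), authData...), h[:]...)
}

// Sign plays browser plus authenticator. browserOrigin is the origin the
// user's browser is actually on, i.e. the phishing site's origin when the
// user was lured there. AuthData is a constructed placeholder.
func (a *Authenticator) Sign(browserOrigin, challenge string) (Assertion, error) {
	cdj, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	authData := sha256.Sum256([]byte("constructed-authenticator-data"))
	digest := sha256.Sum256(signedMessage(authData[:], cdj))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cdj, AuthData: authData[:], Sig: sig}, nil
}

// VerifyAssertion is the relying party's side. A relayed assertion fails
// the origin check, and rewriting the origin in transit breaks the
// signature, so the credential cannot be forwarded the way a code can.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected clientData type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (replay or wrong session)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was made on %q", cd.Origin)
	}
	digest := sha256.Sum256(signedMessage(as.AuthData, as.ClientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Sig) {
		return errors.New("signature does not cover this clientDataJSON")
	}
	return nil
}

// VerifyCode is the SMS/TOTP comparison: the server only learns the digits,
// never which page the user typed them into, so a relayed code verifies.
func VerifyCode(expected, submitted string) bool { return expected == submitted }

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	const rp, challenge = "https://bank.example", "n0nce-constructed"
	direct, _ := auth.Sign(rp, challenge)
	relayed, _ := auth.Sign("https://bank-example.evil", challenge)
	fmt.Println("direct login: ", VerifyAssertion(auth.PublicKey(), rp, challenge, direct))
	fmt.Println("relayed login:", VerifyAssertion(auth.PublicKey(), rp, challenge, relayed))
	fmt.Println("relayed code: ", VerifyCode("482913", "482913"))
}
```

Real WebAuthn also checks the RP ID hash in authenticator data, and the browser will not even invoke a credential for a different RP ID; the origin check shown here is the part that makes the assertion non-forwardable.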
| projektfu wrote:
| Clickable links also enabled people to lose control of their
| WhatsApp accounts. The message was legit but the request was not.
| If they had sent a code, the attacker would have to convince
| people to give it to them. With the link, a lot of users assumed
| they needed to click to keep using Whatsapp. Not sure what
| Facebook was thinking but it was a pretty bad move.
| lxgr wrote:
| I wish we would just stop using phone numbers as the primary user
| identifier and SMS as the primary communication channel, period.
|
| The amount of cruft involved in SMS delivery is unbelievable, and
| phone numbers are neither particularly stable, nor particularly
| well protected against takeovers.
| GekkePrutser wrote:
| We don't really, here in Europe. WhatsApp is the main
| communication method.. I think SMS is still so popular in the
| US because it's a fallback for iMessage. But here the levels of
| iPhone users are much lower.
|
| So for me 2fa is pretty much the only thing I still use SMS
| for. Which makes a suspicious sms stand out a lot more.
|
| I wish we'd stop using it for 2fa though because it was never
| meant to be hardened for this.
| herbst wrote:
| > We don't really, here in Europe. WhatsApp is the main
| communication method.
|
| This is only partially true. There are also countries like
| France where WhatsApp only has a market share of about 22%.
| Switzerland is very split too, I personally know more people
| using Signal or Telegram than 'still using' WhatsApp.
| GekkePrutser wrote:
| Oh really? I have many colleagues in France and they're all
| on WA. What else do they use? Is there a local app? I know
| France loves their local things :)
| jkepler wrote:
| The French government adopted Matrix for all their
| internal and inter-ministerial communications, to avoid
| dependence on foreign corporate products.
| https://archive.fosdem.org/2019/schedule/event/matrix_french...
|
| Most people I know use WhatsApp (I refuse, and since I
| run Lineage OS without Google services I simply tell
| people my phone doesn't support it), Signal, or Telegram.
| avgcorrection wrote:
| Bunch of humbug. I was once away in Europe (many years ago)
| and everyone used Whatsapp. But now, here in Europe (the same
| place that I came from), no one uses it (or at least no one
| tells me about it).
|
| I was of course in a different country in Europe. Since it's
| a mini-continent and all that.
| MomoXenosaga wrote:
| I'm seeing more services using email for 2FA nowadays.
|
| SMS is actually easier, with email I have to go into the
| outlook app.
| lxgr wrote:
| > We don't really, here in Europe.
|
| At least Germany and Austria heavily rely on SMS-OTP for all
| kinds of services, banking and otherwise. I've never received
| an OTP via WhatsApp.
|
| Austria even has an eIDAS-compatible e-signature scheme based
| on SMS-OTP that allows people to create a legally binding PDF
| signature using SMS-OTP and a static password...
| GekkePrutser wrote:
| Yes like I said for such services, yes. Here in Spain it's
| used sometimes too. Though once a month would be the
| maximum I'd receive one.
| rr888 wrote:
| Don't you need a phone number for WhatsApp though?
| digitallyfree wrote:
| The main issue with WhatsApp you're locked to a single
| provider and their service (unless SMS which works across
| different carriers), as well as their privacy practices. In a
| way this is similar to people moving away from email to
| proprietary messaging systems instead - while you gain
| security and functionality benefits, you lose in terms of
| choice and compatibility. Sadly alternatives haven't really
| gained traction.
| GekkePrutser wrote:
| I agree, I don't _like_ WhatsApp. Though I do like it more
| than SMS.
|
| One of the things I like about it is group messaging. The
| seamless images/files, the encryption...
|
| And I don't think most mainstream users feel this as a
| lockin. After all whatever phone they can buy they can
| install WhatsApp on it (and soon even import their
| history!).
|
| Personally I prefer Matrix. Not a fan of Signal either due
| to the ban on 3rd party apps.
| digitallyfree wrote:
| Yeah I personally use Matrix myself, I run a selfhosted
| instance for internal family use. They're the only people
| actually willing to use it - everyone else is on WhatsApp
| and similar services.
| ghaff wrote:
| Heavy SMS usage predates iMessage in the US. But iMessage was
| presumably a big contributor to making unlimited SMS messages
| the norm on most phone plans. In any case, there was just
| never a big incentive in the US to use anything other than
| iMessage when available and fall back to SMS otherwise. And
| without that incentive "no one" (who isn't texting people
| overseas) bothers to use different apps.
| GekkePrutser wrote:
| Oh this is true here too. SMS usage was huge pre-WhatsApp.
|
| What happened was that the networks were capitalising on
| that. SMS was historically quite expensive so it became a
| big cash cow. SMS bits must have been made of gold because
| they were hundreds of times more expensive than other bits.
|
| WhatsApp completely killed SMS usage here however. Leading
| to some carriers wanting to charge extra for WhatsApp usage
| to recuperate some of the 'lost' revenue. This sparked a
| big discussion about net neutrality which was then
| enshrined in EU law, so the discussion was finished. By
| this time, SMS became practically free but it was too late.
| ghaff wrote:
| Interesting. It looks like WhatsApp predated iMessage in
| the US but it never really took off. Maybe US text
| bundles were more consumer-friendly in the US? Though I
| don't really remember it that way. (I didn't do a lot of
| texting though and mostly expensed the handful of work-
| related texting I did do; friends didn't really text at
| that time.)
| BiteCode_dev wrote:
| Sure, if you find something as interoperable, free, simple and
| mobile, go for it.
| kevincox wrote:
| email?
| BiteCode_dev wrote:
| Not as mobile: you need internet and a smartphone. I still
| have a friend with a dumb phone. I'm sometimes in zones
| without internet but my mum calls me and asks me to give her
| some confirmation code I receive.
|
| Not as simple: stuff arrives in the spam folder. Some
| providers just reject your valid mail (my main email tld is
| exotic, it causes lots of trouble). People receive so much
| junk they lose your message in 1000s of unread mails or are
| afraid of checking them.
|
| Not as interoperable: there are new kids that just don't
| have email set up on their phone. They check it once a
| month at home on the computer. Email is for old people
| (although text is getting there too).
|
| Plus email is almost as easy to spoof and intercept, so the
| gain would be minimal.
| kevincox wrote:
| Sometimes I'm traveling and don't want to pay exorbitant
| roaming fees. Or sometimes I'm in a building or basement
| without phone service.
|
| I'm sure there are a few people without email on their
| phones but I don't think the number is dramatically
| different than those without SMS right now. If I have
| cell signal I have email, but I can have email without
| SMS access.
| BiteCode_dev wrote:
| > If I have cell signal I have email, but I can have
| email without SMS access.
|
| In the US populated area, maybe.
|
| In the French country side, definitely not.
| lxgr wrote:
| If you don't have internet, you arguably don't need to
| receive OTPs either (since these are usually used to log
| in to some online service or confirm a transaction in
| one), no?
| BiteCode_dev wrote:
| Of course I do.
|
| E.g.: last week, my brother wanted to try one of my
| service accounts on his iPad (we set it up only on his
| computer). He tried to connect with my password, but any
| new device requires a 2FA. So he called me, and I gave it
| to him.
|
| Now, in this particular example, I was at home, so I had
| access to internet.
|
| But I'm often traveling to places where I don't.
|
| In fact, I lived in Mali for 2 years where this has been a
| big trouble for all administrative stuff. Nowadays, I
| would assume a lot of Malian people have phone numbers,
| but no emails, anyway.
|
| But without going that far, the French countryside has
| plenty of places where you get text but not internet. And
| being in a car or train is often enough for that.
|
| I don't think SMS is a good 2FA. I have 3 YubiKeys at
| home.
|
| But I believe any geek should first spend a month working
| in a call center before making a comment about 2FA.
|
| There is a looooong tail of things going wrong, and
| there is a reason corporations chose SMS: they tried all
| the rest, and it was worse.
|
| Now things are getting better with in-app 2FA
| notifications, but of course it assumes you have a
| smartphone.
| lxgr wrote:
| > Not as mobile: you need internet and a smartphone.
|
| > I'm sometimes in zones without internet but my mum call
| me and ask me to give her some confirmation code I
| receive.
|
| We're talking about multifactor authentication here.
| Where/how are you authenticating without internet access?
|
| > Email is for old people
|
| I guess that makes me old. Does that disqualify me from
| using multifactor authentication?
|
| > Not as simple: stuff arrive in the spam folder. Some
| providers just reject your valid mail (my main email tld
| is exotic, it causes lots of troubles).
|
| All of this happens to me with SMS much more often than
| it does with email.
|
| > Plus email is almost as easy to spoof and intercept,
|
| Agreed on spoofing, but that's not a problem for OTP
| authentication. Complete disagree on interception - I
| believe SMS is much easier to intercept, on average.
| byteflip wrote:
| As someone who's moving overseas shortly, changing/removing
| your number is a nightmare. It really is the primary UID. So
| many things use it for 2FA. In a lot of cases you HAVE to list
| a phone number. I ported my number to Google Voice as a decent
| alternative, but you kinda have to know what you're doing ahead
| of time. My gf who moved first did not and deeply regrets it.
| j_calvert wrote:
| I ported my number from Google Voice to Google Fi and lost
| all the SMS messages sent/received while using the number
| with Voice.
|
| Mentioned this to a friend who works at Google on their
| messaging products. His take: "Yup. It's a mess"
| el_nahual wrote:
| I did the same switch and can still access all my old SMS's
| and voicemails at voice.google.com
| javajosh wrote:
| The hardware solution is either to have two phones, or one
| phone with two sim cards (which are common in Europe, for
| example).
| curun1r wrote:
| I tried something similar when I went overseas. In my case, I
| tried to use Twilio and even got everything setup to forward
| correctly to the number I got in whatever country I was in at
| the time.
|
| But that doesn't work for 2FA. I ended up locked out of my
| online banking accounts for my whole trip and it was a huge
| headache. My recommendation would be to port your number over
| to Google Fi and then just use that in whatever country
| you're going to. It's a bit more expensive than local cell
| service in many countries, but there's nothing like having
| your phone just work wherever you go.
| ankaAr wrote:
| I will face the same soon.
|
| Is there a guide or something to help you with that?
|
| I know that it is just a simple task, but it is a really long
| chain of stuff to do to prevent yourself from being locked out
| of your services.
| byteflip wrote:
| It's probably trivial for the average HN reader, the key is
| to do it before you move. Otherwise it can be difficult
| since Google Voice is not available in most countries.
| (Will need a VPN). FYI iMessage is really wonky since I've
| removed my phone number.
|
| Should be obvious but you will lose your phone service, so
| you want to time it close to when you are leaving.
| herbst wrote:
| I lost my SIM shortly after I moved and never got a
| replacement. I advocate against phone numbers since then :)
|
| My best advice is to find alternatives and don't depend on
| anything that depends on a phone number. Things can ALWAYS
| turn wrong.
| Mikeb85 wrote:
| This. A bunch of Canadian government interactions also use
| SMS as 2FA and I live abroad for months every year. At least
| most tech companies let you switch to an authenticator app...
| ihateolives wrote:
| But you still get SMS when roaming?
| lxgr wrote:
| Not very reliably, usually.
| Mikeb85 wrote:
| Canadian roaming rates are so utterly shit the SIM card
| comes out the second I'm on the plane. It's like $15 per
| day to roam in the EU. Not per month, per day, let that
| sink in... I can get a plan in Europe for 30EUR month
| that puts my Canadian plan ($90/month) to shame...
|
| I'm not paying $450/month to roam...
| gst wrote:
| > Canadian roaming rates are so utterly shit the SIM card
| comes out the second I'm on the plane. It's like $15 per
| day to roam in the EU. Not per month, per day, let that
| sink in... I can get a plan in Europe for 30EUR month
| that puts my Canadian plan ($90/month) to shame...
|
| That's cheap. My Austrian provider charges 1 Euro per 100
| KB when roaming in Canada (no - that's not a typo). So
| for 10 GB that's a cheap 100k Euros.
| pkulak wrote:
| And most things block Google Voice.
| iLoveOncall wrote:
| Wait until you move to your new country and discover that you
| need a local bank account to get a local phone number, but
| you need a local phone number to open a bank account.
| GekkePrutser wrote:
| Yes Ireland has this too. It's frustrating. They don't have
| a population registry so proof of address is a 'utility
| bill'. But to sign up for utilities you need a bank account
| which requires proof of address. Well you get it.
|
| Also relying on something from a commercial entity that's
| so easy to fake is weird.
| ghaff wrote:
| It's sometimes the case in the US as well. When I got my
| RealID driver's license I had to show some sort of
| utility bill as a proof of address--which, as you say,
| could be pretty easily faked.
| kevin_thibedeau wrote:
| I recently did this and had two utility bills. But _two_
| isn't accepted so I was given an affidavit form where I
| wrote down that I was who I claimed to be.
| GekkePrutser wrote:
| Lol if you're going to take the user's word for it, why
| even bother asking for proof :)
| gorbypark wrote:
| I ended up porting my (Canadian) number to a cheap pre-paid
| MVNO service that was $100/yr for unlimited talk/text and no
| data (within Canada), but seemingly allows me to roam forever
| and receive SMS for free. Cheapest option I could find in
| Canada, besides maybe some VoIP providers.
| judge2020 wrote:
| To add, I've experienced a few too many services that seem to
| block Google Voice numbers for 2fa purposes (although, maybe
| they're blocking based on area code and there wouldn't be a
| problem if I ported my existing number to GV).
| lxgr wrote:
| This is pretty common, unfortunately (and a major factor in
| choosing a service provider for me when there are multiple
| options).
| CamelRocketFish wrote:
| I kept my old number and switched it to a provider that
| offered a yearly prepaid plan with an eSIM. $20 a year and I
| can keep my old number and switch to it as an active sim to
| receive a 2FA whenever necessary. I agree with always using 2FA
| via TOTP however.
| TheCraiggers wrote:
| It's also not a long-term solution. At some point, your
| ported number will be updated and flagged as a "voip number"
| since it's now associated to Google Voice. At that point,
| you'll start having issues as many services don't like it
| when people use a number they can acquire for free in a
| couple minutes as the UID.
| refurb wrote:
| What I've seen is services will verify the number at sign
| up then never again.
| bityard wrote:
| For whatever it's worth, that's not permanent. My current
| number was originally a GV number and used to get flagged
| as a voip number. But I ported it out to a mobile carrier a
| year ago (which Google makes you pay for) and haven't had
| an issue since.
| Scoundreller wrote:
| Doesn't work that way for Canadian numbers. Only original
| issuer is public info. Porting info is on a need-to-know
| basis (ie: telecoms need to terminate calls; but that's
| it).
|
| This can work against you of course, so a good strategy is
| to get a burner phone and port that number to your VoIP
| provider.
| byteflip wrote:
| Great to know, so far I've been able to still receive SMS
| 2FA messages but it's only been a couple of days since
| porting.
| dvngnt_ wrote:
| discord is a big offender
| delecti wrote:
| I've used a google voice number as my primary number for
| quite a while, and it's actually pretty rare to have
| issues with it. I'd say that much less than 1/10 of
| services require me to use my cell's actual number.
| amichal wrote:
| Google Voice needs to be linked to a valid +1 land or
| mobile number to function long term. My Google Voice
| number lasted for almost exactly 6 months after the US
| cell number it was linked to was disconnected (moved
| overseas for a while). Its classification as a valid
| mobile lasted a bit less long and now I can not use it to
| send/receive SMS at all (voice mail works but it will not
| ring through and I can no longer use it to call). Before
| that many banks etc stopped sending SMS 2FA messages
| through (as they are supposed to according to the latest NIST
| guidelines). Thankfully (?) the same banks seem ok to do
| voice 2FA to my overseas number. Sadly they still do not
| support better MFA authenticators.
|
| Would love to know how to maintain a US SMS presence
| without sketchy, obviously-for-spammers products.
| kernelbugs wrote:
| I've been using jmp.chat and have been pretty happy with
| them. But I haven't tried using them as 2fa provider,
| they may be blocked by places that block common voip
| providers.
| ant6n wrote:
| I went abroad from Canada for two years, tried to park
| two numbers to Virgin on cheap prepaid (still paying
| 5-10$ just to hold a number). Well they fucked up credit
| card payments on both accounts, closed them after a
| couple of months and stole our numbers. So aggravating to
| go through the trouble of parking the numbers, paying
| perhaps 300$ and then the aggravation of trying
| unsuccessfully to get those numbers back, and the
| aggravation of trying to figure out which services use
| those numbers for 2FA.
|
| Canadian telcos are basically a scam (and Virgin is now
| my top hated one, assholes).
|
| 2FA using phone numbers is idiotic.
| remram wrote:
| For sure, the second factor is supposed to be "something
| you own" and phone numbers are not that.
| Scoundreller wrote:
| Should have ported to VoIP.ms or similar.
| julianlam wrote:
| That's interesting, although my ISP seemed to know I was
| calling from a VoIP number (my "land line", as it were).
| She even knew my secondary number was a VoIP number.
|
| I think in the end she put one of the numbers down in the
| application after a little persuasion.
| giaour wrote:
| Shouldn't it be the same for the US and Canada? Both are
| administered by NANPA. Last time I looked into this
| (early 2020), you generally couldn't get porting info for
| US numbers, though original issuer was public and easily
| accessible.
| Scoundreller wrote:
| Since US and Can have number portability, it's managed by
| a Number Portability Administrator. That's Neustar in
| Canada:
|
| https://www.npac.com/canadian-number-portability/the-npac-ne...
| namecheapTA wrote:
| Burner phone numbers in the US seem to be of a particular
| range of numbers and can also be flagged. I used to use
| pay as you go burners for random tasks in the past and
| noticed they gave me trouble when trying to use them to
| get verification codes sometimes.
| remram wrote:
| I'm not sure what you mean when you say "burner phone". I
| know for a fact that you can get a regular prepaid plan
| from T-Mobile and pay for it cash, no IDs; that fits the
| "burner phone" requirements for me. Do you mean that
| every prepaid plan uses that range of numbers?
| Scoundreller wrote:
| Prepaid plan vs post-paid, probably not, but some
| discount prepaid providers are probably considered "less
| trustworthy", or less profitable, when evaluating VoIP
| numbers.
| lxgr wrote:
| SMS gateways know the destination provider too, and I
| believe this is how blocking VoIP numbers is implemented
| in practice.
| toast0 wrote:
| Before I retired (2019), I was getting emails from our
| telecom providers that Canadian regulators were mandating
| that they not share porting information with customers
| (us), although it was generally available before, and was
| still available in other countries of interest (mostly
| US), for a fee.
| orblivion wrote:
| I think this goes to the fact that we need a new sort of UID.
| Something thought through very carefully rather than
| something that comes to be. There's a sort of hidden
| infrastructure, hidden legacy, hidden stability that's been
| built around phone numbers and email. For instance, "valid
| Google email address" is a proxy for "a real person with X
| likelihood". Same goes for SSN + demonstrated knowledge of
| your last few residences, etc etc. It's a mess.
|
| Start from first principles, what do we really need to know
| about a person? What could we build? On the other hand, maybe
| if it's _too_ good it'll be bad for privacy, and escaping
| into the shadows, should that become necessary for someone.
| aarreedd wrote:
| This is a problem some people are trying to solve with
| blockchain technology.
|
| I'm not necessarily saying this is a good idea. It's just
| an interesting potential solution.
| orblivion wrote:
| The question I think I'm getting at is about who you are
| and why that matters in a given case. Blockchains are
| good for keeping identities intact once established,
| which is different though maybe it'll help overall.
| trinsic2 wrote:
| I removed all mobile based 2FA from all my sites that rely on
| it and strictly use TOTP and U2F. Now I only subscribe to
| services that provide this kind of authentication. There are
| a few sites that I still use that rely on SMS 2-factor but it's
| a short list now. Most of my sites that have TOTP and U2F
| support have the option of using SMS auth but do not
| require it.
| ihateolives wrote:
| What's exactly the problem? Is this something US specific?
| I've been living in different countries for years and always
| kept my original number in addition to getting local number
| as well. Never had any trouble with 2fa.
| lxgr wrote:
| There are many problems with this approach (I'm using it
| currently as well, out of necessity, not choice):
|
| - SMS delivery is not always very reliable when roaming.
|
| - Prepaid SIMs usually expire after a while of not topping
| them up.
|
| - Good luck losing one of these SIMs and getting a
| replacement abroad. (eSIMs make this both better and
| worse.)
| jdeibele wrote:
| https://support.google.com/voice/answer/1065667?hl=en#zippy=...
|
| I've paid the $20 Google charges to make a number "permanent"
| once for myself and a couple of times for organizations.
|
| For myself, it's a highly secure phone number. I still only
| use a phone number when I absolutely have to, like with
| Twitter, preferring to use a hardware key or Authy.
|
| For organizations, it's like an answering machine. My kids'
| soccer club had a cell phone that was supposed to be answered
| by the VP when parents or coaches had messages. It was much
| easier to port the number into Google Voice, put it into Do
| Not Disturb mode permanently, and have the transcriptions
| forwarded to the VP on the extremely rare occasions that
| there were any.
| lelandfe wrote:
| Note that many services do not permit Google Voice numbers!
|
| Instagram and Facebook will quickly disable your account and
| demand a real phone number. I recently had a delivery app
| inform me at signup that it's not _even a real phone number_
| (it happily slurped up the submitted Voice number and later
| sent me ads about pizza anyway).
| ghaff wrote:
| The dark side of the mobile number portability that we all
| wanted. I wonder what would have happened in the alternate
| universe where a lot of people would presumably have been
| changing mobile numbers with at least some frequency.
|
| I also have to wonder how Google Voice has survived Google's
| ax all these years.
| lxgr wrote:
| For Google Workspace accounts, it's a paid service (I
| believe $10 or $20 per number and month). The personal
| version is presumably a loss leader.
| dasil003 wrote:
| Probably because execs use it.
| TedDoesntTalk wrote:
| I've lost access to a phone number on Google Voice. After
| my parents died, I ported their landline to Google Voice.
| This number was in my family for more than 50 years.
|
| After porting a second number into Google Voice (and
| involving Google Fi) I lost access to the first. A 50+
| year old phone number that everyone important to me
| already had memorized.
|
| If you call the number now, it's answered by a Google
| voice subscriber message. So I know the number is still
| with Google. I just can't access it anymore.
| hirundo wrote:
| After ~15 years with it, starting back in the
| GrandCentral days, I recently moved from Google Voice to
| voip.ms, on my path to degoogling. The new service is
| paid, in a competitive domain, and so needs and has
| excellent customer service, and a much improved set of
| features. I'm happy to be the customer instead of the
| product.
| asdfqwertzxcv wrote:
| Are you me? Exact same story. How are you
| making/receiving calls and texts now?
| JacobThreeThree wrote:
| Why don't you just contact Google customer service?
|
| I'll be here all week.
| krallja wrote:
| > I also have to wonder how Google Voice has survived
| Google's ax all these years.
|
| The infinite surveillance capacity of a monitored voice
| line?
|
| Millennia of training data for AI speech synthesis and
| recognition?
| honkdaddy wrote:
| Companies use it as a cheap and easy way to combat spam without
| any engineering on their end. It's purely out of financial
| interest, nothing more. The mobile apps which require a phone
| number to use are doing this because if they only required
| email to sign up they'd have people sniffing their API and very
| quickly overwhelming it with fake accounts, and the cat and
| mouse game begins.
|
| By forcing the users to validate with a phone number, they're
| essentially pushing their spam problems upstream and out of
| their hands. More sophisticated actors know it's possible to
| automate SMS verification, but it does stop a lot of spam at
| the door.
| lxgr wrote:
| There's no reason that a service's "proof of
| personhood"/anti-bot mechanism has to be the same as that
| used for OTP delivery, though.
|
| Google does this very well: They require a phone number for
| spam account creation prevention - once. After that, I can
| delete the phone number from my account and use a FIDO key,
| TOTP or any other 2FA method.
| sdflhasjd wrote:
| Let's also not forget how unreliable SMS is too. I got locked
| out of an Apple account because I wasn't receiving codes.
| hinkley wrote:
| The problem here I think is that these sorts of failures are
| bursty, and account protection algorithms are typically not
| capable of tracking behaviors over time, because that would
| be expensive.
| reaperducer wrote:
| I haven't been able to use Uber for the last four years
| because I never receive its verification texts.
|
| Uber's screw-up has given Lyft a few thousand dollars.
| reaperducer wrote:
| _I wish we would just stop using phone numbers as the primary
| user identifier and SMS as the primary communication channel_
|
| Come up with a good alternative and make yourself a
| billionaire.
|
| Difficulty: _Good_ alternative.
| dheera wrote:
| Exactly. I deprecated SMS 12 years ago in favor of e-mail.
| E-mail supports encryption, >140 characters, attachments,
| alphanumeric IDs, and works across country borders and SIM
| cards. There is literally zero reason to use SMS.
| 0xbadcafebee wrote:
| E-mail seems to be the solution. It's out of band;
| authentication/authorization are required; there are standards to
| flag an invalid origin; filters spam. It's not encrypted, but
| neither is SMS. Most of today's dumb phones can check e-mail,
| so it's almost ubiquitous. The only way it doesn't work is for
| rural users who have no data but do have GSM/SMS.
| lxgr wrote:
| I agree, but unfortunately some regulatory bodies like the
| EBA have specifically labeled it "not a factor for 2FA
| purposes"...
|
| Ironically, my email inbox is much better protected than my
| SIM/phone number.
| 0xbadcafebee wrote:
| We should lobby them to change the rules, as a second
| e-mail account would literally be a second factor. Then
| it's up to the user to hook it up to their phone.
| devoutsalsa wrote:
| Email based authentication is lame. If a hacker gets access
| to your email, then they automatically have access to your
| 2FA. Lame.
| lxgr wrote:
| And if they get access to my phone number they get access
| to my texts and phone calls. That's why neither should
| ever be the only authentication factor (nor a single-
| factor recovery method for that matter).
|
| That said, my phone number is significantly easier to
| take over than my email address and mailbox.
| pkulak wrote:
| So if a hacker gets access to your second factor, they
| have access to your second factor?
| ridgered4 wrote:
| Most (but not all) free email providers now seem to require
| SMS verification to sign up for them these days.
| lxgr wrote:
| True, but at least you need an SMS-capable number only once
| (to sign up), and not every time you are trying to
| authenticate to some "secure" website.
| ta988 wrote:
| Most companies use that because, along with credit card numbers,
| it's an excellent way to track people's opinions and whereabouts.
| ranger_danger wrote:
| Where does it say how the actual phishing message itself is easy
| to send? I see no explanation there. How does one send a message
| with a different SenderID?
| permo-w wrote:
| In the same vein, email providers need to stop unverified email
| senders setting their own identifiers. If it's not from an email
| I've interacted with before, show me the email address itself and
| nothing else.
|
| There's really no good reason for the automatic contactification
| of email addresses. If I want someone's emails to be marked as
| being from John Smith, I will do that myself. If Amazon or x
| known company is sending me an email, I do not care, identify the
| sender as the email address it was sent from.
| blobbers wrote:
| Super interesting. I've been getting increasingly intense
| phishing stuff related to citi bank credentials (my account was
| hacked verify my credentials on shady citi site) as well as AT&T
| bill being paid (collect my prize for paying my bill).
|
| They haven't managed to hijack an actual sender though, and their
| domain names still look slightly shady because they're things
| like citi01.
|
| The AT&T one is html wrapped so I can't even click the link
| without seeing what it is (and don't want to because maybe there
| is some exploit that launches an app that does something? Am I
| too paranoid?)
| chrismarlow9 wrote:
| Not too paranoid. Don't click anything.
___________________________________________________________________
(page generated 2022-06-24 23:00 UTC)