https://arstechnica.com/security/202...m-pessimistic/
To comply, it may mean a slowdown in the process of moving between devices and/or porting out. It would not surprise me if this leads to across-the-board pairing of IMEIs to SIMs to prevent a SIM being removed from a password-locked device and placed in a different one to receive 2FA codes.
Working in cell phone retail for close to 20 years, I have never seen a clear case of a stranger stealing someone's account or any sort of bank or financial fraud related to such a takeover, but I regularly have angry customers in the store upset that someone (nearly always a family member, ex-BF, ex-GF, ex-spouse, etc.) was able to take over a phone line they believed belonged to them since they were the 'primary' account holder.
Somehow the really clever ones were able to bypass the old rules and take over the account when millions were at stake, when crypto accounts were hacked for the 2FA codes.
Unfortunately, what would be more effective tends to also be what would be most inconvenient.
Most effective would be a mandatory delay (of days, not minutes or hours) to give the account holder time to take action after being informed of the number being moved, and a requirement to call into the old carrier and request release before the number moves to the new carrier.
Such a delay mechanism would likely also mean the end of switcher-related device promotions, at least on the prepaid side of things.
Whoever, many years ago, decided that 2FA security should be tied to a phone number should apologize to society.
And whatever companies ONLY have text-based 2FA should be ashamed of themselves.
The FCC should come out and declare that text-based 2FA will stop in 2 years. Only TOTP, hardware keys, or email-based 2FA. That would put an end to SIM swaps and bring us into the 21st Century.
Ugh... So Metro's process of pairing the SIM with the device could expand like a cancer everywhere else which will undoubtedly bring the same headaches as well as device change fees, restrictive whitelists like AT&T's, and other massively anti-consumer nonsense back into the fold. Yeah, I can see carriers going crazy for the chance to get regulatory permission to be their old selves...
https://www.techdirt.com/2023/11/22/...jacking-fraud/
Article with another take on the issue.
Seems to me the ultimate solution would be for the FCC to mandate a 'break up' or separation of calling/texting into over-the-top apps (similar to Google Voice, TextNow, etc., except with all the QoS benefits of VoLTE/VoNR), separate from the service tied to the SIM card, which would become a data-only service.
Number porting would then become totally a thing of the past, and a SIM swap would not also include a phone number.
With less 'tie-in' associated with the number, it would likely also make cellular service far more competitive and result in many benefits for consumers.
Security would be on par with that of email; it might not be perfect, but I have not heard the same concerns as around phone service, despite email being a primary way to authenticate 2FA.
On the other hand, I am pretty sure the carriers would not like the idea and would fight back.
As many here know, that's exactly how I've used my GV # (that I've had since 2009) since 2017, when I started using data only SIMs. Yes, there are some challenges with the occasional 2FA, but fortunately, all of my primary banks allow 2FA to my GV #.
Interestingly, there are many articles from a few years ago explicitly recommending a GV # specifically for use for 2FA, if not for calling purposes. That was before more institutions started blocking GV for 2FA.
I have lots of 2FA that was set up years ago to use my GV number, and all still work; the same institutions, though, will mostly no longer allow a GV # for new signups or as number updates.
In most situations it's the initial registration of the number that gets rejected, not the sending of the codes themselves once set up.
It would be a shame to lose that ability (2FA to GV), though I can see it being a security risk...
Since GV is also completely usable via a PC or other web browser, you can literally trigger a 2FA challenge and satisfy it all with the same device (like an iPad or PC) without any phone involved. I do that sometimes when I'm too lazy to go grab my phone or it's charging somewhere else.
No one seems to consider that a problem for email-based 2FA.
With most carriers a SIM can be pulled out of a phone (assuming the phone has security to begin with), placed in another phone, and used to receive 2FA to the number. Even if not, a skilled hacker would just clone the IMEI from the source device.
Computers don't have an 'email card' or a 'GV card' that could be pulled out and placed in an unlocked laptop to receive messages. With proper security on the hard drive such as BitLocker, it's not in any way easy to get into that computer without wiping it clean.
Also, very often on a phone you do not even need to type the 2FA code into the app; it's literally all automatic.
I consider a password-protected website more secure than a SIM card any day.
It is the FI's policies and the screening service they use that determines whether or not a given VoIP number will work or not in the FI's system.
Sometimes you cannot even use it as a profile contact number when that is separate from your 2FA number.
I have a TextNow number that works with FIs that blackball my gV numbers; it's a bit of a roll of the dice.
Out of my many dozens of FIs, now only a few care about VoIP at all for 2FA.
My main point here is, this is not something gV itself can affect.
And also, the topic being discussed in the past few posts really has nothing to do with that in the OP.
I use my GV number for lots of 2FA purposes with services that will no longer accept such numbers for new registrations; since I set it up years ago, it still works though.
Although a couple of banks literally removed my GV number from my account and will not even allow it to be registered as a contact number. The reps at the bank have no idea why, just that it 'does not stick': I can log in, update it as my primary contact number, save, log out, log back in, and it's not there.
If you get a rep with a clue, and posit the idea that "I guess your system is rejecting VoIP numbers now", you may get an acknowledgement.
Or they may be suppressing that topic under their "no tipping off potential fraudsters" policies.
Also note, how a given number reports its type under different database cleaning / blackballing services does change, over time.
Same with trying to use commercial letterbox forwarding services as your legal domicile / residence address, similar to Real ID requirements.
The only constant is, YMMV
The root cause of the problem is a 2FA based on phone number. All banks, financial providers, healthcare providers, government bodies, social media sites etc. must be forbidden to force users to use 2FA based solely on phone number.
If 2FA is enabled by a specific service, the service MUST provide at least these three options, in any combination selectable by the user (only one option, two, or three):
- email address
- TOTP (like Google Authenticator, Aegis etc.)
- SMS to cell phone
Otherwise we get what T-Mobile does: you can enable TOTP but can't disable SMS.
Actually, 2FA based solely on SMS to a phone number reduces the security of an account rather than increasing it.