Google Fi seemingly affected by latest T-Mobile data breach(9to5google.com) |
> Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.
[1]: https://old.reddit.com/r/GoogleFi/comments/10pjtie/google_fi...
Good reminder that SMS 2fa fucking sucks and so do the institutions that insist on it, especially those that offer other forms of 2fa but treat SMS as a fallback (why why why why why).
People will lose their 2FA. It's a fact of life. Lost keys with your yubikey. Broken phone without a backup of your totp. Etc.
After that, how do you prove that someone owns their account?
Send a photocopy of your passport? No way to edit a picture, right?
Answer some security questions, which you certainly forgot the answer to. And people are likely using the same questions with the same answer on many sites.
Tell them tough luck?
The problem is there isn't a good answer for the most common failure mode. SMS 2FA isn't perfect, but it is accessible to nearly everyone and delegates ownership proof to the telephone company.
Surely from their logs they know if these calls/texts happened?
If, during that period, no calls/SMSs occurred, then there has been no breach - the attacker was close to their target, but walked away with nothing.
If messages/calls were made, the user really needs to know who they were to/from to make any informed decisions. And Google has those logs.
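The check the comment above describes, as an added example that is not part of the original thread: filter a call/SMS record to the SIM-transfer window from the notice (January 1, 2023, 1 hour 48 minutes) and report what was sent or received and with whom. The record lines, the 10:00 UTC start time and the phone numbers are constructed; the notice gives only the date and duration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample record (not real data): "timestamp,kind,direction,counterparty"
SAMPLE_CDR = """\
2023-01-01T09:55:00Z,sms,in,+15550001111
2023-01-01T10:03:12Z,sms,in,+15550002222
2023-01-01T10:04:40Z,call,out,+15550003333
2023-01-01T11:41:05Z,sms,out,+15550004444
2023-01-01T12:30:00Z,call,in,+15550005555
"""

# Window from the notice: Jan 1, 2023, 1h48m. Start time is an assumption.
TRANSFER_START = datetime(2023, 1, 1, 10, 0, tzinfo=timezone.utc)
TRANSFER_DURATION = timedelta(hours=1, minutes=48)

@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str          # "call" or "sms"
    direction: str     # "in" or "out"
    counterparty: str  # the other party's number

def parse_cdr(text: str) -> list[Event]:
    """Parse the simple CSV record into Event objects (timestamps are UTC)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, direction, party = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, kind, direction, party))
    return events

def activity_during_transfer(events, start, duration):
    """Keep only events that fall inside the SIM-transfer window [start, start+duration]."""
    end = start + duration
    return [e for e in events if start <= e.when <= end]

def summarize(events):
    """Count events by kind/direction and list counterparties, so the user can
    see which numbers (e.g. OTP senders) reached the attacker-held SIM."""
    counts = {}
    for e in events:
        key = f"{e.kind}/{e.direction}"
        counts[key] = counts.get(key, 0) + 1
    return {"breached": bool(events), "counts": counts,
            "counterparties": sorted({e.counterparty for e in events})}
```

An empty result for the window means the transfer produced no traffic; any inbound SMS in the window is worth checking against the accounts that use that number for verification codes.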
> limited data including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status.
> It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.
I mean, that's almost the minimum amount of data T-Mobile has to have to provide the service to Google Fi customers, and nothing else. The actual customer data is probably stored at Google, and is perfectly safe. The chances of someone being able to use the leaked data in a nefarious way seem practically nil.
> system is used for Google Fi customer support purposes and contains limited data including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status.
> It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.
Also, they only report the breaches they actually know about. From my understanding of T-Mobile, they probably only find a breach when someone completely stumbles into it. For every one they discover I bet there’s 10 they don’t, hah
I buy my SIM cards anonymously. I never use cellular near my house and only use it for data over a VPN. So it would not affect me if all of their data was breached.
T-Mobile detected the breach January 5 and shut it down “within a day”
But
It started approximately November 25th, so the attackers were there for at least a month and a half, pulling 37,000,000 records before anyone noticed.
Are you sure? In the previous T-Mo breach Ting claimed the opposite.
https://help.ting.com/hc/en-us/community/posts/4405384603291...
> the kind of Ting Mobile customer data at issue in this data breach is not stored on T-Mobile servers. Ting Mobile holds its own customer database on our own servers. The kind of data T-Mobile does have access to are things that are network-specific, like your phone number, SIM card number, usage data, and IMEI.
> T-Mobile does not have access to the Ting Mobile database of names, email addresses, credit card information, etc. Your information is protected and secure from what the hackers claim to have collected.
Unless you run this yourself, I don't understand why you or anyone else thinks that adds to their data integrity. VPNs can be, have been, and are the subject of break-ins, and have their own agenda and/or government oversight.
People think that VPNs are this magical black box that makes you secure and private, because the YouTube ads told everyone so. The reality is that you are just adding an extra point of trust or potential failure. The needle has barely moved.
All while making performance, in particular latency, worse.
What's the methodology for doing this successfully?
Use virtual card from service such as privacy.com to add funds.
Never make calls or SMS with the SIM card number. Instead use VoIP such as jmp.chat or voip.ms.
Which for all intents and purposes don't exist anymore.
Sure, I would probably trust Cogent over Comcast, but the current state of the VPN market seems very stagnant in actually diverse network routing.
It's really hard to recommend a VPN for people who are actually privacy conscious simply because you're moving your data to a handful of transit providers that aren't put under nearly as much scrutiny as a normal consumer ISP.
About the only meaningful feature VPN provides is presenting a different IP address to the server.
VPN provides negligible extra security for most people, while adding extra exposure.
VPNs create a separation between the client and the server (as you mentioned) so not only can the server (or those eavesdropping on the server's connection) not see the client's IP, those eavesdropping on the client can't see what services they are connecting to (other than the VPN).
Of course by combining knowledge from multiple sources you can still build a fingerprint but VPNs with sufficient utilization can serve as a mixer to obfuscate which users are taking part in which traffic. Doubly so if the VPN supports multi-hop routing where the client side VPN and the server side VPN are at different sites.
Really as long as you aren't leaking DNS and you use a reasonably secure + well utilized VPN, your client should appear as a black box that shouts opaque contents at a single server without leaking many details about the actual communication taking place.
Compare this with HTTPS + no VPN where only the contents are obscured and everyone eavesdropping (aka the ISP or anyone on the same network) can see every service you are connected to. That alone should be enough to fingerprint a given connection to a specific user.
ISPs have historically done slimy things like hijacking DNS, and HTTPS leaks tons of metadata like what sites you’re browsing and for how long, and what user agents you have can easily be fingerprinted. And there are still too many IoT and mobile apps that don’t strictly use TLS for everything.
It's a nice and smooth process.
Businesses could also use the German government ID, which has a chip with cryptography functionality built in.
Same goes for the whole EU, it's in the new ID card standard: https://en.wikipedia.org/wiki/National_identity_cards_in_the...
I hope we start seeing some neat use cases with them. Being able to cryptographically (and in some cases anonymously) prove one's unique identity online would be pretty cool.
Meanwhile, I have multiple yubikeys that are as hard to lose or break as a house key. Google is kind of the only site that supports hardware tokens, but you can add multiple to your account. I can't think of a single site that allows multiple phone numbers for SMS 2fa.
Unfortunately, hard and easy are interchangeable in this sentence. And if you lose your house key you can always call a locksmith or just break a window to get inside.
Even if you don’t have identification on you, if the cops show up you can have your neighbors vouch for you (assuming the cops don’t already personally know you).
By 2023 it's high time for these forms of identification to catch up with the digital age. It's high time to end the joke of verifying identity by birthday, SSN, "in-security questions", and other easily leaked information. And obviously 2FA by SMS is not good either.
I'd honestly just prefer TOTP or hardware tokens be mandated as an option for 2FA if you offer it.
In comparison SMS works the same for all services - it's an easy choice.
I felt stupid and embarrassed taking my own selfie with a piece of paper with a number written on it. But I would have lost my account otherwise, so I had to do it.
I understand needing to verify the identity of people transferring large amounts of money, but it was a ridiculous ask for someone who just wanted it to send a friend 10 bucks for lunch. I just used another app, and my identity is still frozen in Venmo to this day. The silver lining is that no one can open an account with my information to circumvent the freeze, so I'm safe in that respect on Venmo.
You have to use the camera on a device, you can’t upload an image file (which just makes things more obnoxious, not any more secure). They tell you they’ll keep the photo stored for a year to better improve their process or whatever other bullshit. You can opt to have them only store it for one month (how nice of them), but when you do that it totally resets the flow of everything so you have to do everything all over again, and it makes it seem like you’re stuck in an endless loop of doing that so you’ll just let them keep it for a year.
I caved and did it. There was no time to verify. I was just able to login.
So no, they didn’t need it for any actual verification or security reason. They just wanted the data. It’s almost funny how naked it was.
The multi-day delay even sounds like a good idea, in case someone triggers that system with the intent to steal mail -- it gives the still-able-to-login real user time to veto it.
(If you want a level of anonymity, you can rent a PO box, use a commercial mail handling agent, register c/o a lawyer, etc.)
Maybe I should just round-robin the off-site key. It's just tedious to keep track of what's been registered with which key and making sure they're all in sync. I really wish there were a secure way to simply have a key backup.
Not to mention, this is kind of expensive and also non-obvious as Yubikey primarily sells single keys. I'd love to see wider adoption, but can't see the general population putting up with this.
The disadvantage here is obviously it's just another password manager instead of taking full advantage of hardware tokens, but I want to be able to enroll passwords or tokens without the key present all the time. (Also, yubikeys have limited slots for keys)
Unless you need the GnuPG or SSH applets, I just use the $14 FIDO keys from Identiv. They are also NFC capable for my mobile devices. I keep one at my office, one at home and carry one in my pack.
I too wish there were a way to keep them in sync or back them up.
Maybe a virtual FIDO key? https://github.com/bulwarkid/virtual-fido
Edit: also, if your house burns down, won’t you probably have your keys on you if you’re not home?
Then printed backup sheets like 1Password's somewhere offsite (still needs the master password to be usable).
As for a fireproof safe, I do have one, but they're rated for X hours and degrade over time. I should probably get a new one.