How SMS fraud works and how to guard against it (apuchitnis.substack.com)
https://support.twilio.com/hc/en-us/articles/360014170533-Us...
If you require me to use SMS (deprecated), you are doing me a disservice and you should pay for the consequences.
Use e-mail. It's free, works across countries, across SIM cards, allows for alphanumeric IDs, and is decentralized and not controlled by telcos.
And the email that my service sends you so that you can complete registration will land straight in spam where you won’t find it.
I’ll stick to SMS for activating accounts.
What was wrong with authenticator applications?
Were they really THAT user unfriendly?
If you operate a mobile app, this allows you to force a data packet over the device’s SIM that the carrier can validate. Platforms like Twilio/Boku have worked with the carriers to provide an API for this.
SMS is completely removed from the process and SMS pumping becomes a non-issue.
Another option that could be mentioned in the article is using WhatsApp for OTP delivery. It’s the de facto messaging app in many countries with sketchy carriers, precisely because people don’t enjoy paying 5 cents per SMS.
I don't think that would go over very well in the less sketchy countries - I know many folks (myself included) who would be up in arms if a service requires WhatsApp just to send an OTP - in that (and any) case I'd prefer 2FA via authenticator apps
It pains me to say this since Bank of America sucks, but their system now supports adding a Yubikey for login, nearly as good as Schwab before they stopped issuing physical TOTP tokens in 2020.
Are you really suggesting having 5 different devices with separate SIM cards to receive 2FA messages? What exactly is the point here, just having different numbers? In that case some kind of text message forwarding service that gives you multiple virtual numbers would work (still not free, but much more reasonable than dealing with multiple devices).
I've only ever signed up for such sites from my desktop, so it was easy to use my phone or tablet camera to get the QR code from my desktop's screen.
How do you scan a QR code that is on your phone's screen using your phone?
I take issue with a lot of the assumptions in the article but this is funny:
> Identify and block premium rate phone numbers, using libphonenumber. Whilst this seems promising, I don’t know how reliable the data and how effective this approach is.
Here's this purpose-built and well maintained* library from Google which does exactly what I want, but I'm not even going to consider it.
* the actual number database has been updated 5x so far this year: https://github.com/google/libphonenumber/commits/master/meta...
Re libphonenumber: I think you misread me? I was definitely saying consider it :) I just don't have much personal experience with that approach.
In Finland, non-standard numbers must start with different numbers, so it's easy to block them as invalid.
Is there any chance that this isn’t actually fraud and that companies who send out tons of text messages to any number a person specifies are just paying for their extraordinarily poor design?
It's basically a referral marketing campaign where the fraudster does revenue share with local sketchy infrastructure providers.
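The fraud described above (bulk OTP sends into number ranges whose operators share the per-message revenue) shows up as a burst of OTP requests to many distinct numbers in one prefix. Below is an added example, not code from the article or this thread, of a velocity check over constructed send logs; the prefix grouping is a simplistic stand-in for a proper number-type lookup such as libphonenumber, and the timestamps, numbers and the +999 range are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OTP-send requests: "<ISO timestamp> <E.164 destination>".
# +999 is an unassigned country code, used here purely as a fictitious range.
SAMPLE_LOG = """\
2023-03-01T10:00:01 +15551230001
2023-03-01T10:00:03 +447700900123
2023-03-01T10:00:05 +9990700001001
2023-03-01T10:00:06 +9990700001002
2023-03-01T10:00:07 +9990700001003
2023-03-01T10:00:08 +9990700001004
2023-03-01T10:00:09 +9990700001005
2023-03-01T10:00:10 +9990700001006
2023-03-01T10:30:00 +15551230002
"""

def parse_log(text):
    """Turn the constructed log into (datetime, number) tuples."""
    out = []
    for line in text.splitlines():
        ts, number = line.split()
        out.append((datetime.fromisoformat(ts), number))
    return out

def prefix_of(number: str, digits: int = 7) -> str:
    """Group by leading characters: '+', country code and the start of the national number."""
    return number[:digits]

def find_pumping_prefixes(events, window=timedelta(seconds=60), threshold=5, digits=7):
    """Return {prefix: distinct_numbers} for prefixes that received OTPs for at least
    `threshold` distinct numbers inside one sliding `window`."""
    by_prefix = defaultdict(list)
    for ts, number in sorted(events):
        by_prefix[prefix_of(number, digits)].append((ts, number))
    flagged = {}
    for prefix, hits in by_prefix.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it is within `window` of the newest hit.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {n for _, n in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[prefix] = len(distinct)
    return flagged

if __name__ == "__main__":
    print(find_pumping_prefixes(parse_log(SAMPLE_LOG)))  # {'+999070': 6}
```

A flagged prefix is a signal to hold or challenge further sends to that range, not proof of fraud on its own; the US numbers in the sample are 30 minutes apart and stay unflagged.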
Maybe this is taken care of in the user agreement or the terms of services? “User warrants that he is not trying to profit by use of the two factor auth system?” I’ve never read an agreement like this one.
For everyone else, it would be a cascading series of installation and password and app switching and immediacy problems. This would create a great deal of frustration, and ultimately a call to family tech support (me) or the service provider if human tech support is an option which is not the case for many companies such as Google and social media firms.
So, yeah, there's no way I could get her to use an Authenticator app. (Also, there's, "...all these apps scare me.", which isn't a bad thing considering the first (and last) app she installed on her Android phone was a malicious 'flashlight' app that kept displaying some sort of crypto ads.)
As a data point, USAA (which is not the biggest bank, of course, but it is not tiny either) has supported TOTP for years. There are probably others, but at least some banks support relatively modern security.
I'm worried about losing my phone and being locked out.
With SMS, I can show my ID to the Verizon rep, get a new phone, and I'm good to go.
[1] https://en.wikipedia.org/wiki/Signalling_System_No._7
[2] https://web.archive.org/web/20201219144441/https://www.thebu...
Some companies do require a phone number to set up an account (because it's the best proxy we have for "one per real person" or "expensive for one person to get many of"), but if they're competent then you can remove it as a 2FA option if you replace it with a TOTP code. [0]
If you ask me, it should be illegal to require SMS 2FA without an opt-out to TOTP. Perhaps relatedly, I'm also curious about the percentage of Twilio revenue from 2FA messages.
[0] RANT: Google, in typically creepy fashion, makes it difficult to enable TOTP without first either providing a phone number, or downloading a Google app to "tap to login!" on your phone. But they do allow you to set up a hardware token, so I found a workaround [1] to configure TOTP without providing a phone number, which is (perhaps ironically) to use Chrome DevTools to create a virtualized WebAuthn device and add it as a hardware token 2FA option. Then it's possible to set up TOTP and remove the virtualized device, leaving you with only TOTP 2FA and no com.google apps begging you for entitlements on your phone.
Oh, I wish that were true for financial institutions. But for my sample size of 3 credit unions, 1 large bank, and 1 brokerage, only one (small CU) supports TOTP. All the others have SMS as the only, mandatory 2FA. It drives me crazy how backwards that is.
Yes, that's pretty user unfriendly.
It's a lot more common to lose your phone than lose your phone number.
Don't ever keep your TOTP seed solely on a phone. Yes, that is asking for trouble. But you can save it in a safe place and then you control it.
I hate SMS 2FA but it makes sense.
Obviously not something anyone who respects their privacy would subject themselves to, but it seems to me like the easy path leads to these things being backed up.
Obviously if google has your 2FA keys and you were using 2FA keys to log into your google account then you would need to recover your account, but you would be stuck in the same situation as if you had damaged/lost your SIM (e.g. if you lose your phone).
It's all too easy to realize after the fact that you needed to transfer something from the old phone to the new phone to keep the authenticator working. Sometimes that's not available (phone damaged), or you don't realize you need it until after you've already sent the phone in for trade-in.
So yes, they are user unfriendly.
This is just a matter of using one of the many TOTP authenticators which allow backups of the keys.
If people drop or lose their phones, do they lose all their contacts, photos, passwords? I bet not. I am pretty sure this is a solved problem by now.
Moreover, even if you do lose the keys, that's what account recovery processes are for.
If this is work related authentication and they expect you to use your personal property to run an app, then you're just playing a role as a puppet in their useless security theater. If your employer was serious about security then you'd be issued a dedicated device for auth.
Basically authenticator apps create a much bigger problem than getting hacked, and there's a far greater probability of me losing my phone (has happened before) than getting hacked.
Authenticator apps (at least those that use TOTP/HOTP) can't do that. SMS can. So can card readers but people hate having to carry them around. So we're stuck with SMS.
If he stated the truth (SMS validation is costing millions per week), Twilio would lose quite some customers, because companies would finally realize there’s another way that’s cheaper.
The other issue is that many smartphone owners don't have a computer they would back things up to. Just "cloud".
- How's grandma doing? Is she gonna be okay?
- Well, let me ask you, does she complain much?
- All the time!
- Then grandma's doing fine. It's when she stops complaining - then, it's time to be concerned.
Which means that anyone else who can fake an ID is good to go with that Verizon rep. Or the rep themselves.
I will always avoid connecting any account to SMS if at all possible, it's the worst of all options.
TOTP is the best, as it is an open standard and doesn't tie you to any device nor any vendor.
> I prefer SMS for 2FA because some authenticator apps get tied to a device.
No need! Just save the TOTP seed in a safe place such as a computer under your control (i.e. not a phone) or even a piece of paper in a safe.
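The point made in the last few comments, that the TOTP seed is the whole secret and that a saved copy of it is a complete backup, is easy to see from the algorithm itself. The following is an added example implementing RFC 4226 HOTP and RFC 6238 TOTP from the standard library (not code from this thread or any authenticator app); the seed is the RFC 6238 reference secret, and `restore_check` stands in for a new device recreating codes from nothing but the saved base32 seed and the clock.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if at is None else at
    return hotp(key, now // step, digits, algo)

def seed_to_base32(key: bytes) -> str:
    """The base32 form a site shows in its QR code or manual-entry field."""
    return base64.b32encode(key).decode().rstrip("=")

def seed_from_base32(seed: str) -> bytes:
    """Accept the human-friendly form (spaces, lower case, missing padding)."""
    s = seed.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

# Constructed example: the RFC 6238 reference secret (ASCII "1234567890" twice).
RFC_SEED = b"12345678901234567890"

def restore_check(seed_b32: str, at: int) -> str:
    """A 'new phone': recreate an 8-digit code from only the saved seed and a timestamp."""
    return totp(seed_from_base32(seed_b32), at, digits=8)

if __name__ == "__main__":
    saved = seed_to_base32(RFC_SEED)
    print("saved seed:", saved)
    print("code at t=59:", restore_check(saved, 59))  # RFC 6238 vector: 94287082
```

Anything that holds the seed (a paper copy, a second authenticator, a password manager) produces identical codes, which is also why the seed must be stored as carefully as a password.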
The biggest downside is if the site isn't set up correctly it is a long trek into Settings to get the code and it makes the site seem less trustworthy.
The head security guy at USAA and I had a talk where he explained in some detail how it all went down. He was refreshingly honest, and they didn't balk at getting our funds restored, but still -- humans are often the weakest link when they can defeat all of your security precautions. Probably the bank shouldn't give phone reps that much authority, and always require a dedicated security team response for such unusual situations.
You can transfer your Google Authenticator state to another phone. This is accomplished through scanning QR codes -- no data is transferred over a network. This is a relatively new feature; for many years, Google Authenticator refused to provide any way to extract the authenticator state from the phone at all. You literally had to root your phone to get the state out.
It's designed this way because if your TOTP state were backed up to your Google account then it would no longer provide any additional security over Chrome's password manager, which is also backed up to Google. The two factors in "two factor" are supposed to be "something you know" (password) and "something you have" (phone, or security key). In order for the authenticator app to really be "something you have", it has to be hard to copy.
Again, if you want auto backup to the cloud then you might as well just not use 2FA and rely on your password manager alone.
Personally I use hard keys wherever possible. Much better UX (and security) than any authenticator app. Just have to buy and register a few of them so you have backups if one breaks.
The only thing it provides is a way to export from one device to another, but that requires having the first device still with you. [1]
On the other hand, yes fortunately Authy does provide cloud backups. But your average end user generally doesn't have the slightest idea of why they should use one authenticator app over another. Expecting them to do the research to figure out that they should use Authy over Google Authenticator in case they lose their phone is asking way too much. Again, completely user unfriendly.
I can't see any reason you couldn't start the export process without having a new phone and take screenshots of the QR codes, then back those screenshots up to some secure place.
You should be able to later use those screenshots to restore those accounts to a new phone without needing to have the old phone.
I don't use Google Authenticator so have not tried this.
While the above should work, I'd recommend saving the QR code for each site when you sign up for TOTP at that site. That way you can easily transfer to any other TOTP authenticator. The Google Authenticator export seems to make QR codes that combine multiple accounts and I'm not sure any other authenticators would know what to do with those.
But in practice it's utterly ridiculous. I already do all this work to store passwords in a password manager.
Now I'm supposed to have an entire separate backup strategy for 2FA that depends on screenshotting QR codes or remembering to save their text equivalents? It's just crazy user-hostile.
And I fully agree with him.
These are risks you have just by owning a cell phone, having an authenticator app doesn't change that.
> SMS is also subject to attacks against the telecom, such as by tricking their staff into producing a new sim card with your number.
This is absolutely a legitimate concern, and the lack of security in carrier practices in particular honestly makes me want to avoid 2FA entirely. Fortunately, I've never needed it for account recovery. I use a password manager so all accounts get unique logins and I'm savvy enough not to fall for your typical phishing scams which helps. There's no guarantees my luck will hold out though so I'll be looking into privacy preserving options for the most critical things or for cases where I'm not left with any choice.
Also, we're SIM-swapping global nomads now, not some potatoes that sit on a couch in one country all year long. Phone numbers don't work anymore.
If you have a keylogger, it will just steal your TOTP.
The only one who told me losing backup codes means losing your data forever was my bitcoin wallet. (Ironic)