Why SMS 2FA is insecure & why you shouldn’t give out your mobile number

    I saw a tweet today from Zooko (CEO of ZCash) that got me thinking about how SIM swapping (Also known as SIM-jacking) has become more prevalent lately. More and more people are relying on an inherently flawed system under the illusion of security.
    I’m going to explain three things:
    1. Why you shouldn’t give out your mobile number freely, to anybody.
    2. How SIM swaps actually happen.
    3. A better way of securing yourself online.
    You see, I work in telecommunications for my day job, so I know a thing or two about how this works. That said, even before this job, I still knew better than what the quoted article says.
    [IMG]https://cdn-images-1.medium.com/max/921/1*p9X0zVpMEY4CvZWdeMIs0g.png[/IMG]
    https://twitter.com/zooko/status/1134957114311335936
    So the article basically says:
    Tuttle said SIM swapping happens in one of three ways. The first is when the attacker bribes or blackmails a mobile store employee into assisting in the crime. The second involves current and/or former mobile store employees who knowingly abuse their access to customer data and the mobile company’s network. Finally, crooked store employees may trick unwitting associates at other stores into swapping a target’s existing SIM card with a new one.
    This is complete nonsense. None of that*happens.
    Here’s how it really happens.
    Let’s take Zooko as an example.
    Disclaimer: Don’t do this to Zooko, please. I’m just using his name as an example, but presume the same could also happen to you.
    Let’s pretend you’re an attacker, and you want to get into Zooko’s Coinbase account. You presume he uses it based on some tweets you’ve seen. It’s likely protected by SMS 2FA (two-factor authentication), but that’s not going to stop you.
    First things first: you need to find a mobile number. This can be done in a number of ways, but the easiest is to find a website that has previously been hacked and that held the target’s contact details. The easiest route to the mobile number is through someone’s email address, which is much more common and readily available.
    A quick search online shows he’s got several emails, most of which it seems are pretty public knowledge.
    Take that email and pop it into www.haveibeenpwned.com and see what leaks it’s been a part of.
    [IMG]https://cdn-images-1.medium.com/max/958/1*GQir-2Rk-igQIfeiqgwBmQ.png[/IMG]
    One of the data breaches that show up in the results
    You can see that there have been a number of breaches that link his mobile number with his email, along with some additional data that will make life easier for an attacker to SIM-swap.
    Side-note: Have you ever received an email telling you “I know your email password, it’s XYZ. I’ve infected your computer with a trojan and seen you watching porn. Send me 1 BTC or I send pictures of you pleasuring yourself to all your contacts”? Well, this is how they get your details: your email address and an old password pulled from one of these breach dumps. They’re hoping you re-use your passwords, and that you won’t call their bluff.
    Now, the haveibeenpwned website doesn’t contain those specific details. It keeps an easily searchable index of email addresses so you can see whether you *were* a victim of those data breaches, and which kinds of data each breach exposed.
    So, we know that he’s been a victim of multiple data breaches. It’s not surprising; it happens far more than it should in this day and age. Try putting your own email into haveibeenpwned and see what comes up.
    Next, an attacker would go and track down the actual “dump” from that particular data breach. This one says his phone number is in there along with his date of birth (though you can also find his DOB easily enough through a Google search, with Wikipedia results). Having the DOB is also helpful because it makes an attacker seem more credible to the carrier.
    Often the results from these breaches are available on “paste” websites that just host text lists. They are on torrent sites too. Alternatively, you can do a quick Google search asking “What is this person’s mobile number”, which comes up with a few results.
    Next, we need to find out which carrier his mobile number is with. It looks like he lives in the USA, so we know it’s most likely one of a handful of providers:
    AT&T, Verizon, T-Mobile or Sprint
    That’s only four telcos to take a guess at, which shouldn’t be too difficult.
    So an attacker will go out and buy themselves a SIM card for each of those four mobile telcos. Presuming it’s a few bucks each, that might cost an attacker $20 total.
    In NZ you can buy them from your local corner dairy or supermarket, and we really only have three main telcos here (Vodafone, Spark and 2degrees, though we also have Skinny Mobile, who resell Spark).
    Then the attacker will ring up each of the telcos, one at a time:
    “Hi, I’m Zooko. Look, I’m out travelling on business and my mobile phone has been stolen. I think I left it on the table at a food court, to be honest. Anyway, I’ve got another SIM here with me already, and I’ve got a spare phone to pop the SIM into. My date of birth is 1st of April 1987 (you tell them this because you know it’s bound to be one of the questions they ask). I’m expecting an important business call soon, can you help me out and get the number transferred? If you can also block the IMEI number of that other phone too, I don’t want the person who stole it to be able to use my phone.”
    That’s pretty much it!
    Most of the time the person on the other end of the phone is just going to say “Sure, here you go, the number is transferring through to that SIM card. It’ll be done in an hour”.
    People can put notes on their account with their mobile carrier, but often the person on the other end of the line is just trying to be helpful.
    Are you scared? You should be!

    This is why mobile (SMS) 2FA is completely unreliable and should not be used. If you’ve ever logged in somewhere and they’ve sent you a text message to “verify” that you are you, that’s an easily bypassed security method that simply makes it more likely your entire identity will be stolen, just to get access to your crypto exchange account.
    Have you got your cellphone set up as a way to get back into your Gmail account, or similar? Go remove it!
    Once an attacker has your mobile phone number under their control, they will usually also attempt to log in to your email account via “Forgot my password”. This password-reset procedure will often send a text to your phone (or to the attacker’s phone, now that they have your mobile number); you enter the code it sends you, and then it lets you choose a new password.
    Once the attacker is into the victim’s email account, they can request a password reset for most other online accounts, such as crypto exchange accounts.
    Of course, if you have a company or corporate email then you’ll usually have a slightly different password-reset process. If you have a Gmail or Outlook email, though, that’s usually how you get back into your email.
    It’s not difficult, sadly.
    Alternatively, if the victim re-uses usernames and passwords, and all that stands between the attacker and the victim’s crypto exchange account is SMS 2FA, then the attacker is in with a grin, without even having to get into the email account.
    So what can be done about this?

    Two things come to mind:
    1. Don’t use your cellphone for 2FA. It’s not secure and can’t be trusted. If you must, for, say, a single exchange, don’t re-use your mobile number: get a burner mobile. Alternatively, just use a better exchange.
    2. Use Digi-ID by DigiByte. It’s far safer and removes many of the incentives to even attempt SIM-jacking.
    You see, if your credentials are not a username, password and SMS 2FA, there is nothing to be gained by SIM-swapping you in the first place: no financial reason for an attacker to invest the time, so you largely head off the attack before it has even been attempted.
    I’ve seen a number of reports doing the rounds lately of high-profile SIM-swap attacks, often with six- to seven-figure sums (USD) of cryptocurrency stolen. Many of the responses I see belittle the victim for poor security practice, while overlooking the cryptocurrency exchange or service that enables such a poor practice in the first place.
    Let’s be real here:
    • We know SMS 2FA is insecure
    • We know we shouldn’t use it
    • We know there are far better, safer, faster and more secure alternatives
    Why, then, is there not a more public outcry for security from cryptocurrency exchanges and other such services?
    What we need to start doing is demanding better security practices from cryptocurrency exchanges. There is really no excuse for them to be enabling this kind of poor practice under the illusion of security. Many end-users simply don’t know better, and if the Engineering Manager at BitGo (a blockchain security company) can get his funds stolen, then how is your grandma supposed to know any better as she gets into cryptocurrency?
    This is where we need to support a new wave of exchanges that support this level of security, such as ChangeAngel and Crytrex.
    [IMG]https://cdn-images-1.medium.com/max/1024/1*xwRthw8CfDeZSrWHGIjxGQ.png[/IMG]
    Sign in to ChangeAngel with Digi-ID / AntumID
    These exchanges have Digi-ID support implemented, and there’s no way an attacker can SIM-swap their way into your account with Digi-ID: the login is a challenge signed by a key held in your wallet app, so no SMS code and no phone number is involved at any step.
    Think about it for a minute:
    By removing the ‘vulnerability’ of a third party, your mobile carrier, even IF an attacker successfully SIM-swaps you, they still can’t get anything out of your exchange account.
    If there’s no way a SIM-swap can get an attacker into your account, you remove the incentive for an attacker to steal your phone number.
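    To make the “nothing for a SIM-swapper to gain” argument concrete, here is an added example of a Digi-ID / BitID-style login written in Go. It is not code from the original post and not DigiByte’s own Digi-ID implementation: the server mints a one-time nonce inside a challenge URI, the wallet signs the challenge with a key that never leaves the device, and the server verifies the signature and burns the nonce. It uses P-256 ECDSA from the Go standard library in place of the secp256k1 Bitcoin-style message signing the real protocol uses, and real wallets derive a separate key per site rather than reusing one; the host name, account name and exact URI layout are assumptions for the example. What matters is what is absent from the exchange: no phone number, no SMS code and no password-reset email ever enters the flow.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net/url"
)

// Response is what the wallet posts to the server's callback. Note what it lacks: no phone number, no SMS code, no password.
type Response struct {
	URI    string // the challenge that was signed
	PubKey []byte // uncompressed point (elliptic.Marshal form)
	Sig    []byte // ASN.1 DER ECDSA signature over sha256(URI)
}

func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// Wallet holds the user's signing key, which never leaves the device.
type Wallet struct{ priv *ecdsa.PrivateKey }

func NewWallet() (*Wallet, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Wallet{priv: k}, nil
}

func (w *Wallet) PubKey() []byte { return elliptic.Marshal(elliptic.P256(), w.priv.X, w.priv.Y) }

// Sign answers a challenge by signing its hash; the challenge text is echoed back so the server can check the nonce.
func (w *Wallet) Sign(challenge string) (Response, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, w.priv, digest(challenge))
	if err != nil {
		return Response{}, err
	}
	return Response{URI: challenge, PubKey: w.PubKey(), Sig: sig}, nil
}

// Server mints one-time challenges and maps wallet keys to accounts.
type Server struct {
	host     string
	pending  map[string]bool   // nonce -> issued and not yet consumed
	accounts map[string]string // string(pubkey bytes) -> username
}

func NewServer(host string) *Server {
	return &Server{host: host, pending: map[string]bool{}, accounts: map[string]string{}}
}

// Register links a wallet key to a username, once, when the account is set up.
func (s *Server) Register(user string, pub []byte) { s.accounts[string(pub)] = user }

// NewChallenge embeds a fresh random nonce in a digiid:// URI. The layout (callback
// path, x= nonce, u=1) follows BitID, which Digi-ID is based on; the exact format is illustrative.
func (s *Server) NewChallenge() (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	n := fmt.Sprintf("%x", nonce)
	s.pending[n] = true
	return fmt.Sprintf("digiid://%s/callback?x=%s&u=1", s.host, n), nil
}

// Login accepts a response only if the nonce is one we issued and still unused, the
// signature verifies under the presented key, and that key is linked to an account.
// The nonce is burned before verification, so a captured response can never be replayed.
func (s *Server) Login(r Response) (string, error) {
	u, err := url.Parse(r.URI)
	if err != nil || u.Host != s.host {
		return "", fmt.Errorf("challenge is not for this host")
	}
	nonce := u.Query().Get("x")
	if !s.pending[nonce] {
		return "", fmt.Errorf("unknown or already-used nonce")
	}
	delete(s.pending, nonce)
	x, y := elliptic.Unmarshal(elliptic.P256(), r.PubKey)
	if x == nil || !ecdsa.VerifyASN1(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, digest(r.URI), r.Sig) {
		return "", fmt.Errorf("bad public key or signature")
	}
	user, ok := s.accounts[string(r.PubKey)]
	if !ok {
		return "", fmt.Errorf("key is not linked to any account")
	}
	return user, nil
}

func main() {
	srv := NewServer("exchange.example") // assumed host and account names
	w, _ := NewWallet()
	srv.Register("zooko", w.PubKey())
	ch, _ := srv.NewChallenge()
	resp, _ := w.Sign(ch)
	fmt.Println(srv.Login(resp)) // accepted: zooko
	fmt.Println(srv.Login(resp)) // replay rejected: already-used nonce
}
```

    Compare this with the SIM-swap chain above: every secret the attacker obtained (email, date of birth, the victim’s phone number) is useless here, because the only thing the server will accept is a signature over a nonce it just minted, and the key that produces it sits in the wallet, not at the carrier. The replay check matters too: even a response sniffed in transit can only be used once, and that once already happened.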
    So it’s time we start demanding better security from cryptocurrency exchanges and digital asset management solutions.
    It’s time we start demanding Digi-ID.
    Want to learn more about it? We’ve got a quick introduction video, or you can learn more at www.digi-id.io

    More Josiah Digibyte Updates on Medium...