Ontario police warn of SIM swapping fraud (cbc.ca)
77 points by walterbell on Nov 10, 2019 | hide | past | favorite | 57 comments


The whole dependency on phone line/number is staggering. You can't do anything nowadays without a number. Can't apply for a visa, buy anything online or do your taxes. All of this while phone calls are an anti-feature - they are low quality, abused by scammers and (at least on iOS) - no way to disable entirely.

What's even more weird - if you happen not to own a phone - there's no digital service/website where you can call 911 (or local equivalent). You can't even text 911 in most countries.


When I was a child, we didn’t have a phone for a while. I don’t know why. People would ask for our number and their responses to finding out we didn’t have one ranged from blank confusion to assuming we were trying to scam them somehow. But once we got past that, we could still get what we needed because we were dealing with people (and frequently pen and paper).

(This was also back when, “Our system doesn’t let us do that” wasn’t an economically or socially acceptable response from someone representing a business or agency.)

Now we deal with machines for good and for bad.


Interesting.

Here I am 6 years without a phone number and probably make 3 calls a year.

Only thing I have is an Android tablet with a data plan and an old iPhone SE, only a data plan.


This is funny to read as where I live (Germany) banks have been slowly migrating away from SMS-based verification to app-based code generators that in turn require one-time authorization via physical mail.

And we're generally lagging behind when it comes to digital solutions, so I would expect other countries to be ahead of the curve and no longer using SMS for anything important.


Banks are a great use case for TOTP or other 2FA auth methods that aren't SMS, as if you need to verify identity in person, you can require the user come to a physical branch (in the US, you can get something called a "medallion signature guarantee" [1], which is typically required to verify your identity if you're moving more than $250k in assets between financial service firms). Services that can't provide identity verification services in meatspace are at a disadvantage, which is why they fall back to SMS as identity verification and management.

ID cards that support cryptographic functions (such as Estonia's National ID [2], or in the US, DoD CACs [3]) would go a long way to fixing these problems.

[1] https://en.wikipedia.org/wiki/Medallion_signature_guarantee

[2] https://e-estonia.com/solutions/e-identity/id-card/

[3] https://www.cac.mil/


FWIW in Germany we have PostIdent, which consists of taking a printout to the local post office, showing your ID card and then having the clerk fill out and sign the printout and send it to the organisation you're trying to authenticate with. This is typically done for age restrictions in online delivery services (e.g. being able to order goods marked as 18+ on Amazon -- not signing up for porn sites or stuff like that), for example.

The ID card technically comes with a PIN and there were supposed to be special readers that could be used with a handful of authorized online services to verify your identity but as far as I can tell not much came from that as end users would have needed to buy special hardware and services interested in using that would have required special licensing or something.

That said, SMS is less secure than e-mail, so this seems like an odd choice these days (much like magnetic stripes rather than chip and pin).


I was unfamiliar with this, thank you for bringing it to my attention!


It’s hilarious how all these articles are about how to protect yourself instead of talking about why the carriers don’t better protect against this


It’s the same as the credit industry creating identity theft instead of protecting against attacks on their own systems


IMHO governments should be doing more to provide modern identity verification solutions so there isn't a need to rely on more or less decentralized systems that can be so easily gamed.


This was a common occurrence in Sweden a few years ago. They would target small businesses by changing their address by sending in an address change, then take over the phones and then order a ton of stuff online for which they are never caught. It could go up to millions of SEK in debt before it was discovered by the victim, because invoice time is usually 30 days and credit score will be perfect until after the scam.

Since BankID (identity verification) became a norm, this has essentially stopped.


You can now lock your address using BankID.


> a relatively new kind of fraud calling "SIM swapping"

Either the journalist has misinterpreted information given to them or the Ontario police are at least a decade behind current scams. SIM swapping or port-fraud is at least a decade old problem.


It also doesn’t help that Canadian cell phone plans usually include no roaming at all or horribly expensive roaming.

So if an attacker knows you’re making a day trip to go to one of the malls that dot the border, they can pounce and you won’t know until damage is done.

Meanwhile, T-Mobile plans include so much Canadian roaming that your plan is better than local Canadians’.


>Meanwhile, T-Mobile plans include so much Canadian roaming that your plan is better than local Canadians’.

Truth. I know a guy who works for NORAD and his (US-based) data plan is 60/month and includes unlimited data anywhere in Mexico, Canada, or the US. No roaming, no nothing.

How the Canadian telcos haven't been prosecuted for price-fixing is beyond me.


> How the Canadian telcos haven't been prosecuted for price-fixing is beyond me.

Because they - and the Canadian banks and a whole bunch of other entities - are monopolists with a wink. Their competitors only exist for them to be able to claim they are not a monopoly.

There is also the LCBO, which is an outright state operated monopoly.

https://en.wikipedia.org/wiki/Liquor_Control_Board_of_Ontari...

Canadians pay way too much for many services and goods compared to those south of the border because of these quasi-monopolies and the associated lack of competition.


> Because they - and the Canadian banks and a whole bunch of other entities - are monopolists with a wink.

Do you think that neo-bank Revolut will make it? I remember ING Direct managed to come to Canada a decade ago, but was bought by Scotiabank right after (now named Tangerine) - as you said - to façade competition.


Can confirm. I pay $45/line and my mom (in Canada) has been one of the lines on my account for about 5 years now. The only downside is that she has a US number, but she now has unlimited data/texts in over 150 countries and unlimited calling to/from Canada/US/Mexico.


You could set up a local access number for her on voip.ms that just forwards to her T-Mob number.

Would cost a few dollars a month, but can’t receive SMS to it.


That's a good idea. I'm not sure how much calling she does but I'll run it by her to see if she wants a local number. Thanks!


Less for the calling she does, but more so to hand out to local companies that dread calling LD, or have to get a dialing PIN from someone else just to call one.

E.g. retail shops, clinics, utilities, etc.

Some local friends may be paying 20cpm to call her.

I once had a small telecom refuse to accept my 1-800 number...


Ya, I was more thinking about incoming calls. I know her friends just text her and she calls them, but I wouldn't be surprised if some of the services she uses (like the ones you mentioned) can't even call her at all.


Ok, so, how does a paranoid individual protect themselves from this attack?

Aside from "don't link your phone to these accounts" which isn't always possible as many banks in Canada only recently added SMS based 2FA.

Some ideas:

- separate phone for 2FA. This seems quite annoying in practice.

- a daily twilio script that SMS's your number as an indication that you've still got it. Easy to implement, but also easy to ignore and would only indicate after the fact that you lost your account.


In Sweden you now require hardware identity verification which can only be issued by a bank or similar authority. (It also works similarly to Venmo but without the fees.)

It's odd that Canada doesn't have this?


I'd love love love if a government ID card could be used as U2F via NFC.

Also, in Lithuania (and many other countries) 2FA is hardware locked to your SIM card - can't really get a new one without showing your ID in a shop (the shop doesn't really use the chip on the ID tho).


> the shop doesn't really use the chip on the ID tho

Same for SIM swapping here in Sweden, they check your ID very superficially.


It varies between operators and it's been much stricter since the scams a few years ago.


Until about a year ago Canada’s 3rd largest bank (Scotiabank) had case insensitive passwords.


I think that was BMO? Passwords could only be 6 characters, and mapped to numbers. So only 1m passwords max.


It could have been both, I know it was Scotiabank for sure, because that's who I bank with.

At least Scotiabank didn't limit it to 6 characters.


BankID is really nice, I think when I move back to Aus I will feel like I've gone back in time.

I don't know about Canada but I feel like if you tried to implement this in Australia there'd be a lot of paranoia over a system like BankID with regards to privacy or gatekeeping.


Fastmail once offered as part of their mail service a list of random numbers you could print out and then use as a second factor, one at a time, when you logged in.

I really miss that feature, and wish more online services supported something like it.
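The printed one-time code list described in this comment is what services now usually call recovery or backup codes. The following is an added example of how a service can issue and redeem them; it is not Fastmail's implementation or code from anyone in the thread. The print-friendly alphabet, the PBKDF2 parameters and the in-memory store are assumptions made for the example; the security-relevant points it shows are that only hashes of the codes are stored, that comparison is constant-time, and that a code is consumed on first successful use.

```python
import hashlib
import hmac
import os
import secrets

# Alphabet without look-alike characters (0/o, 1/l/i), since the codes are
# meant to be printed and typed back later. Assumption of this example.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 50_000  # assumption; codes are high-entropy so this mainly limits brute force of a leaked DB


def generate_backup_codes(count: int = 10, length: int = 10) -> list:
    """Return `count` random codes, each `length` characters, formatted as xxxxx-xxxxx."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2:])
    return codes


def _normalize(code: str) -> str:
    """Strip the formatting hyphen/spaces and case so users can type it loosely."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """What the service persists for one user: a salt and the hashes of unused codes.

    The plaintext codes are shown to the user exactly once (to print) and never kept.
    """

    def __init__(self, codes: list):
        self.salt = os.urandom(16)
        self._unused = {_digest(self.salt, c) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Accept the code if it is one of the unused ones, then burn it."""
        candidate = _digest(self.salt, submitted)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.remove(stored)
                return True
        return False


if __name__ == "__main__":
    issued = generate_backup_codes()
    store = BackupCodeStore(issued)
    print("print these and keep them offline:")
    for c in issued:
        print("  ", c)
    print("first code accepted:", store.redeem(issued[0]))
    print("same code again:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

Each code here is 10 characters from a 31-symbol alphabet, roughly 49 bits, so online guessing is hopeless as long as redemption attempts are rate-limited like any other login; hashing with a per-user salt means a database dump still does not hand an attacker a working recovery code.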


GitHub does this; I remember Google offering this, too.


Maybe you could use VOIP numbers for 2FA? Many VOIP providers (e.g. voip.ms) can forward SMS to e-mail, SIP client, callback URL or another phone number. There's a cost, but I guess it's minimal, all considerations done.

Your second scenario is like a dead man's switch. It's interesting, as it could prompt you with a daily challenge that only you can answer. But I don't see how it could be implemented in a normal person's life?


I guess then the risk is whether or not the VOIP provider is more secure than my phone provider? I need to think that one through.

With the second scenario I was just thinking that, if I personally didn't receive the text on a given morning, I would know that my number has been ported and I would begin to freak out and try to race the attacker.


I think it's more of a "security by obscurity" thing than anything, but if the number is really unknown except for you and the 2fa provider, that would probably be "good enough".


https://gimletmedia.com/shows/reply-all/v4he6k

This episode of Reply All involves one of the hosts pissing off a group of SIM swappers, and him trying to go through the process of making himself safe. TL;DR -- It's really hard to do successfully.


Actually I'm starting to think the cell phone operators are doing a smart thing on this.

In an ideal world you could trust the cell phone operators to diligently protect your number and you could rely on this to help Google/Chase/GoDaddy identify your account. The problem is this makes it complicated for the cell phone operators and why should they be the ones to have to enforce your identity protection to benefit FANGs/Banks/etc? It always seemed a bit dumb to me that you need a phone number for most accounts in this internet age.

Maybe they could offer a service for a fee where they will be stricter and you have to show a passport to the office to get a new sim issue.

In the meantime I'm sure they've figured out it's more beneficial in the long term that they just sell cell phone plans that are flexible and we need a better solution to identify people and their accounts.


No one should be able to receive a text message meant for my number, regardless of the specific purpose of the message. That should be a basic security feature of the service, not something that comes for an extra fee.


The article confuses SIM Swapping and Phone Porting Fraud.

The latter may be harder to undo given that it cancels your account. And providers always claim it’s impossible to give people their old plans back.


The consequences of SIM swapping fraud can be severe, like this example of getting thousands of dollars stolen from an online bitcoin account: https://medium.com/coinmonks/the-most-expensive-lesson-of-my...



It's sort of odd that the list of precautions omitted the most obvious one: don't link online accounts to your phone number if that account can be reset with access to that phone number. Yeah, using a password manager is great, but not if it can be trivially bypassed. The phone companies should not be expected to be some sort of security gateway service.


There are 2 distinct but compounding issues here:

1) Consumers are largely at the mercy of platforms (Google, Apple, FB, etc) and they don't _really_ control their data.

2) Phone companies don't care enough to perform adequate due diligence, and regulation hasn't caught up. The phone companies lean toward making changes easy to prevent customer backlash.

Issue 1 can be improved slightly by not placing your entire digital life in the hands of one or two companies. Additionally, don't link your phone with these accounts if possible (although many, if not all, now require a phone number). Even better, store your data on your own computers instead of "the cloud" (which just means giving your data to someone else).

Issue 2, I suspect, can only be resolved if there's a change in regulation. Phone companies aren't going to go out of their way unless it starts to hurt them in their pocket books, which it would if they were fined when this happens.


I'm not clear on how #1 is related to the SIM swapping problem.

Yes, I encounter a lot of services that put way too much weight on phone number (maybe because phone number has some legal status) but not the big platforms. For Google, at least, they go well beyond making other methods available - they really seem to encourage/push users to use better second factors.

In my experience the big platforms are the least guilty. My Google account/data is by far the most secure account I have online or off.


I'm not sure if - given my threat model - it makes sense for me to disable phone based 2FA on my Google account.

I'm not prominent at all, so I don't expect to be individually targeted. I store 2FA tokens in my password manager (1Password) so that I could recover from my phone being stolen or damaged. However, I don't have a printout of my 1Password backup code stored under my mattress (or in my desk) because I don't completely trust my roommates.

If I had my phone and laptop with me and was mugged, or if both were damaged at the same time, I would be locked out of everything if I didn't have phone-based 2FA. With it I could get a replacement SIM card, regain access to my Google account, and then use that to bootstrap password resets to everything else.

(For the same reason, my only duplicate passwords are memorized randomly generated passwords for phone, primary Google account, and laptop (and there is some duplication between them).)


Why not simply save the backup codes on a couple usb keys encrypted with a reasonably long password that you can remember, and leave one at home and one in another geographical area (e.g. parents house)? I do that and feel pretty good in completely ditching SMS 2fa. Once a year or so I plug the USB keys to check they still work. I, like you, don’t expect to be a target and have a very minimal social media/web presence with my real name.


Any advice on finding a small object you need infrequently in say a parent's house? I have a poor track record with that sort of thing that makes me hesitant.


Haha no. My dad has a lock safe where they store jewels and important documents, and I just put it there.


> I'm not clear on how #1 is related to the SIM swapping problem.

If controlling a phone number was not how platforms authenticated users, the impact of SIM swapping would end in someone else being able to run up a cell phone bill.

In practice, authentication of web platforms is based on the authentication and security protocols of the weakest cell phone provider (because cell phone numbers can be transferred from one provider to another).

We have no comprehensive authentication system, so our security is held hostage to the weakest link in a chain of (email provider, cell provider, platform OAuth provider, commodity web system).


Is this something that 2FA would protect against? Doesn't seem like it...


Correct, if it's 2FA with a phone number. Avoid 2FA with a phone number if possible and use any other method (OTP, YubiKeys, etc.)


Phone number is already a 2FA for regular logins in many services. The problem is their processes also allow it to be used in a 1FA reset scenario, so it's not true 2FA.


If a site uses the phone number as a 2FA, no it will not...


I'm not a security expert, but it would seem to make sense to have the password reset 2FA come to an account that your phone isn't attached to.


'a relatively new kind of fraud calling "SIM swapping"'


...which has been happening for years and is well known to telcos who seem to be doing very little about it despite the fact that it's their security flaw.



