This is a horrifying and incredibly detailed piece by @lorenzofb about a growing subculture of hackers who impersonate their victims, steal their phone numbers, then steal their Instagram photos and sell them for Bitcoin https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
Meanwhile, hackers are actively sitting inside T-Mobile's networks; one of them sent Lorenzo his own personal information when asked pic.twitter.com/m38SMwI6SX
story is currently getting two visitors from the T-Mobile intranet pic.twitter.com/iN3PT6x4zl
NIST knows about this but my guess is telcos had an issue with a government agency saying their service is too insecure to be used as 2FA https://twitter.com/Sc00bzT/status/920857842319585280
1) In Norway & parts of Scandinavia we use «BankID» as 2FA for login & transaction auth with banks, insurance, gov & more. Runs as an app on your SIM card, no trace in your phone OS. Uses encrypted data over SMS for comms. Discussed this with @jimfenton earlier. cc @wdudley2009
2) It struck me that disallowing SMS could be a bad move, as it is fully possible to encrypt data sent over SMS. So don’t block or disallow the channel, but encrypt data sent through that channel. Now obviously creating/fixing solutions that can do that isn’t done overnight.
The issue is partly solved by encryption but also SMS is supposed to be a proxy for ensuring that you have physical possession of something, so switching to a different SIM needs to be harder.
Software SIM will take care of that, right? ;-)
With SMS (not Norway BankID) what matters is not the SIM but the association of a SIM with the phone number. That's easy to change because people lose their phones all the time. Software SIM doesn't change that.
Great discussion. I've learned a great deal. Appreciate the early CC. FYI, the original NIST document had recommended deprecating SMS for #2FA; however, that recommendation was removed in the final. Just never got the news coverage, though.
Early indications were that “deprecated” was widely misunderstood. Current “restricted authenticator” wording is much more specific on conditions where it may be used.
There is no issue with SMS, ignore fake news of account resets.