"SIM swap" attacks have been in the news for years. They’ve enabled serious financial crimes and even a hack of the Twitter CEO's account. We spent 6 months researching how vulnerable wireless accounts are to these attacks. Our draft study is out today. https://www.issms2fasecure.com/
My guess is that in most of these cases the website operators don’t realize how insecure their configuration is. We’ve redacted the names of these websites for now and have begun notifying them. Unfortunately, some of these websites have billions of users each.
While we were doing this research, it got personal for me. Around midnight on a Saturday, I got the dreaded text saying my service was being transferred to a new SIM. Smart move by the attacker—they counted on having the rest of the night to get into my online accounts.
The reason the attacker didn’t manage to ruin my life is that I was on baby duty that night with a newborn who was keeping me awake. My wife was extremely confused when I woke her up, handed her a crying baby, and said I had to go take care of an emergency.
When I called customer service, I was in for a shock. They were not able to authenticate me (despite apparently having no problem authenticating the attacker). In particular, their system for emailing me a one-time password failed but they insisted the problem was on my end.
In the craziest twist, we had *just* completed our initial analysis and knew the weaknesses of my carrier’s authentication protocol, and so I was able to use that info to talk the rep into handing me back my own account.
Until the carriers fix these problems, you’re at risk of a SIM swap. But you can protect yourself right now. Take a few minutes to check all your online accounts. Make sure 2-factor authentication is enabled, and it’s a secure option such as an authenticator app, and not SMS.
New conversation
I reported exactly this issue to a US financial institution (!). They escalated it to security, then didn’t change anything. Ping me for details.
@random_walker: just emailed you details
New conversation
Worse yet, many banks offer no 2FA or else rely only on SMS. The mind boggles.