16
Aug 18

Hanging Up on Mobile in the Name of Security

An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.

The claims come in a lawsuit filed this week in Los Angeles on behalf of Michael Terpin, who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

According to Terpin, this was the second time in six months someone had hacked his AT&T number. On June 11, 2017, Terpin’s phone went dead. He soon learned his AT&T password had been changed remotely after 11 attempts in AT&T stores had failed. At the time, AT&T suggested Terpin take advantage of the company’s “extra security” feature — a customer-specified six-digit PIN which is required before any account changes can be made.

Terpin claims an investigation by AT&T into the 2018 breach found that an employee at an AT&T store in Norwich, Conn. somehow executed the SIM swap on his account without having to enter his “extra security” PIN, and that AT&T knew or should have known that employees could bypass its customer security measures.

Terpin is suing AT&T for his $24 million worth of cryptocurrencies, plus $200 million in punitive damages. A copy of his complaint is here (PDF).

AT&T declined to comment on specific claims in the lawsuit, saying only in a statement that, “We dispute these allegations and look forward to presenting our case in court.”

AN ‘IDENTITY CRISIS’?

Mobile phone companies are a major weak point in authentication because so many companies have now built their entire procedure for authenticating customers on a process that involves sending a one-time code to the customer via SMS or automated phone call.

In some cases, thieves executing SIM swaps have already phished or otherwise stolen a target’s bank or email password. But many major social media platforms — such as Instagramallow users to reset their passwords using nothing more than text-based (SMS) authentication, meaning thieves can hijack those accounts just by having control over the target’s mobile phone number.

Allison Nixon is director of security research at Flashpoint, a security company in New York City that has been closely tracking the murky underworld of communities that teach people how to hijack phone numbers assigned to customer accounts at all of the major mobile providers.

Nixon calls the current SIM-jacking craze “a major identity crisis” for cybersecurity on multiple levels.

“Phone numbers were never originally intended as an identity document, they were designed as a way to contact people,” Nixon said. “But because of all these other companies are building in security measures, a phone number has become an identity document.”

In essence, mobile phone companies have become “critical infrastructure” for security precisely because so much is riding on who controls a given mobile number. At the same time, so little is needed to undo weak security controls put in place to prevent abuse.

“The infrastructure wasn’t designed to withstand the kind of attacks happening now,” Nixon said. “The protocols need to be changed, and there are probably laws affecting the telecom companies that need to be reviewed in light of how these companies have evolved.”

Unfortunately, with the major mobile providers so closely tied to your security, there is no way you can remove the most vulnerable chunks of this infrastructure — the mobile store employees who can be paid or otherwise bamboozled into helping these attacks succeed.

No way, that is, unless you completely disconnect your mobile phone number from any sort of SMS-based authentication you currently use, and replace it with Internet-based telephone services that do not offer “helpful” customer support — such as Google Voice.

Google Voice lets users choose a phone number that gets tied to their Google account, and any calls or messages to that number will be forwarded to your mobile number. But unlike phone numbers issued by the major mobile providers, Google Voice numbers can’t be stolen unless someone also hacks your Google password — in which case you likely have much bigger problems.

With Google Voice, there is no customer service person who can be conned over the phone into helping out. There is no retail-store employee who will sell access to your SIM information for a paltry $80 payday. In this view of security, customer service becomes a customer disservice.

Mind you, this isn’t my advice. The above statement summarizes the arguments allegedly made by one of the most accomplished SIM swap thieves in the game today. On July 12, 2018, police in California arrested Joel Ortiz, a 20-year-old college student from Boston who’s accused of using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

Ortiz allegedly had help from a number of unnamed accomplices who collectively targeted high-profile and wealthy people in the cryptocurrency space. In one of three brazen attacks at a bitcoin conference this year, Ortiz allegedly used his SIM swapping skills to steal more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million the victim had crowdfunded.

A July 2018 posting from the “OG” Instagram account “0”, allegedly an account hijacked by Joel Ortiz (pictured holding an armload of Dom Perignon champagne).

Ortiz reportedly was a core member of OGUsers[dot]com, a forum that’s grown wildly popular among criminals engaging in SIM swaps to steal cryptocurrency and hijack high-value social media accounts. OG is short for “original gangster,” and it refers to a type of “street cred” for possession of social media account names that are relatively short (between one and six characters). On ogusers[dot]com, Ortiz allegedly picked the username “j”. Short usernames are considered more valuable because they confer on the account holder the appearance of an early adopter on most social networks.

Discussions on the Ogusers forum indicate Ortiz allegedly is the current occupant of perhaps the most OG username on Twitter — an account represented by the number zero “0”. The alias displayed on that twitter profile is “j0”. He also apparently controls the Instagram account by the same number, as well as the Instagram account “t”, which lists its alias as “Joel.”

Shown below is a cached snippet from an Ogusers forum posting by “j” (allegedly Ortiz), advising people to remove their mobile phone number from all important multi-factor authentication options, and to replace it with something like Google Voice.

Ogusers SIM swapper “j” advises forum members on how not to become victims of SIM swapping. Click to enlarge.

WHAT CAN YOU DO?

All four major wireless carriers — AT&T, Sprint, T-Mobile and Verizon — let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

Mobile store employees who can be bought or tricked into conducting SIM swaps are known as “plugs” in the Ogusers community, and without them SIM swapping schemes become much more difficult.

Last week, KrebsOnSecurity broke the news that police in Florida had arrested a 25-year-old man who’s accused of being part of a group of at least nine individuals who routinely conducted fraudulent SIM swaps on high-value targets. Investigators in that case say they have surveillance logs that show the group discussed working directly with mobile store employees to complete the phone number heists.

In May I wrote about a 27-year-old Boston man who had his three-letter Instagram account name stolen after thieves hijacked his number at T-Mobile. Much like Mr. Terpin, the victim in that case had already taken T-Mobile’s advice and placed a PIN on his account that was supposed to prevent the transfer of his mobile number. T-Mobile ultimately acknowledged that the heist had been carried out by a rogue T-Mobile store employee.

So consider establishing a Google Voice account if you don’t already have one. In setting up a new number, Google requires you to provide a number capable of receiving text messages. Once your Google Voice number is linked to your mobile, the device at the mobile number you gave to Google should notify you instantly if anyone calls or messages the Google number (this assumes your phone has a Wi-Fi or mobile connection to the Internet).

After you’ve done that, take stock of every major account you can think of, replacing your mobile phone number with your Google Voice number in every case it is listed in your profile.

Here’s where it gets tricky. If you’re all-in for taking the anti-SIM-hacking advice allegedly offered by Mr. Ortiz, once you’ve changed all of your multi-factor authentication options from your mobile number to your Google Voice number, you then have to remove that mobile number you supplied to Google from your Google Voice account. After that, you can still manage calls/messages to and from your Google Voice number using the Google Voice mobile app.

And notice what else Ortiz advises in the screen shot above to secure one’s Gmail and other Google accounts: Using a physical security key (where possible) to replace passwords. This post from a few weeks back explains what security keys are, how they can help harden your security posture, and how to use them. If Google’s own internal security processes count for anything, the company recently told this author that none of its 85,000 employees had been successfully phished for their work credentials since January 2017, when Google began requiring all employees to use physical security keys in place of one-time passwords sent to a mobile device.

Standard disclaimer: If the only two-factor authentication offered by a company you use is based on sending a one-time code via SMS or automated phone call, this is still better than relying on simply a password alone. But one-time codes generated by a mobile phone app such as Authy or Google Authenticator are more secure than SMS-based options because they are not directly vulnerable to SIM-swapping attacks.

The web site twofactorauth.org breaks down online service providers by the types of secondary authentication offered (SMS, call, app-based one-time codes, security keys). Take a moment soon to review this important resource and harden your security posture wherever possible.

Tags: , , , , , , , , , , , ,

96 comments

  1. Good advice but some companies won’t allow an internet-based telephone service — eg, Google Voice — to be used for authentication.

  2. If I use biometrics to login to my online banking account through my account, is the issue of the SIM swap still present?

    • @Clark

      Sure, it’s still an issue. If I can call your bank from your phone number and if they send a one time code via text or otherwise to your phone, I’m bypassing your fingerprint. It really depends on what the end game is and what the attacker wants to do. The easiest way to think about this is what if your finger was cut off (macabre, I know). How else can you log into your banking account and/or social engineer your bank to give you access back and turn that off?

      • I really wonder about bio-metrics in general – once you record a bio-metric on your device, it just becomes a lot of data, just like anything else – the only difference is the matrix that contains that data. What is keeping crooks from simply stealing that data matrix and replaying it on another device or account? This is what bothers me!

        • This is exactly the issue that a major Laptop vendor had with its fingerprint reader. The fingerprint data was being stored in an unsecure part of the filesystem, unencrypted, as like a 6 digit pin or something simple like that. It was literally way less secure than just having a password on your laptop and completely broke any security you thought you had on it.

        • The original MacGyver (TV series), James Bond (movies), the original Mission Impossible (TV series), and Sneakers (movie) all show that the idea of using biometrics is not a good idea.

          As a general rule, anything that can be measured can be reproduced to a level that it can be measured with the same accuracy.

          Fingerprints are a terrible idea, you leave them everywhere. Your voice is a terrible idea, you use it everywhere. Your likeness is a terrible idea, everyone sees and records it.

          Useful factors are:
          1. Something you know but don’t share (asymmetric processing as opposed to preshared). Or, at least not frequently. The more often you share a secret, the less secret it is.
          2. Something you have which has protections against tampering/cloning (again, asymmetric processing as opposed to preshared keys).

          Biometrics are vaguely useful as a form of a user ID, they are not useful as a form of authentication. Mixing/confusing the two is incredibly dangerous.

      • So true. I recently discovered that a simple phone call to Fidelity Investments can bypass all account security — password and Verisign security token.

  3. The Sunshine State

    The problem with Google Voice is that the phone numbers that you can obtain located close to where you live are becoming scarce .

    • rollingonchrome

      You have two options for this:

      1) don’t worry about it and get a non-local Google Voice number since you’re only using it for recovery/SMS 2FA and not as a day-to-day contact number.

      2) if you do care, buy a prepaid SIM from a carrier with a local number and then port that number over to Google Voice. This costs a few dollars but would get you a local number in any market.

      To amplify #1, the phone number you use for recovery/SMS 2FA shouldn’t be one you share with your contacts. If you embrace this, the non-local area code is a feature not a bug!

    • Why is it important to have a number “close” to where you live? Am I missing something?

      • Used to be important when long distance charges were a thing, you’d want a number in same area code at least as your friends/family.

        Now that nearly all the phone plans include unlimited phone calls nationwide (and prepaid ones it charges minutes regardless of location in US), it doesn’t much matter. Lots of people I know have out of state phone numbers from when they lived in that state.

  4. Since I have asked my cellphone provider to only process service changes, including SIM card issues, when I am in the store with my ID, my chances of being victimized are fewer. Still, a “slug” can bypass this. Maybe Google Voice is for me too?

    • Depending on the target value, the cost of a good fake ID would be a part of the crooks’ business case.

    • Just because you’ve asked that someone check ID doesn’t mean they will. For fun, you could try to convince someone to let you into your own account without providing the information you required, e.g. by being empathic, distressed, forgetful, apologetic…

      At the end of the day, if you’re using SMS for ~2FA, you shouldn’t rely on a real cell phone. There are way too many attacks available. Occasionally people talk about attacking the network instead of socially engineering the customer service representatives.

  5. Luckily, I’m a low-value target. I don’t have email accounts attached to my cell phone. They’re all attached to my landline. Sometimes, though, I feel as if I don’t belong in this world anymore. It’s getting too complex.

  6. There are a lot of authentication options available in the market; one of which is mentioned on this article (app-based one-time codes). There’s fingerprint (and other forms) biometrics; there’s OTP (One-Time Push); there’s Bluetooth option as well. These alternatives are much better than SMS-based authentication – at least, those alternatives are not vulnerable to SIM swaps.

    Thanks for this article, Brian. We need to continue to raise the awareness to the community.

  7. What’s the point of security measures if employees can bypass it? Who in the business world hasn’t heard of an inside job? Good thing that AT&T doesn’t do banking because the janitors would be able to open the vault.

  8. “Mobile phone companies are a major weak point in authentication because so many companies have now built their entire procedure for authenticating customers on a process that involves sending a one-time code to the customer via SMS or automated phone call.”

    This despite REPEATED examples where this form of 2FA is actually worse than single factor authentication ( a robust -randomly generated- password ) that can’t be easily changed by a single call to a third party. What’s worse, is even if you use something like a Yubikey for 2FA most companies won’t let you disable mobile cell phone as a 2FA option. The only option is not to have 2FA at all in such cases because it decreases your security.

    Long past time to start holding companies legally responsible for demonstrated lax security. Only way to change this is to start significantly hitting their bottom line each time their negligence causes a security breach AND require full disclosure of all breaches plus any remedies that have been enacted.

    • But for 2FA sim swapping to work, they still need your password. In this case, SIM 2FA is still better than just the password. The real scandal is Instagram allowing to reset your main password with just your phone number like the article says (and I just confirmed with my own account).

  9. the @FA for google utilizes the android secured connection via google services that is built into all android phones. it is an https secured connection that bypasses the flawed and heavily insecured SMS system. Do what Mr. Krebs says and then enable 2FA on the google account. That locks down your phone and your google account making this sim scam nearly impossible.

  10. My google voice number is refused by many SMS verification systems. Apparently Google uses some kind of forwarder that most phone systems do not recognize as a mobile number capable of receiving texts. Does my GV number receive SMS? Yes. I have tested is numerous ways, and every text sent to it has been received successfully. BUT if I try to use that GV number as a means of verification for services like bitcoin wallets or Godaddy domain purchases, it gets rejected as not being a valid SMS receiver.

    • yeah. for example, cannot use GV number for 2FA for paypal. same for some other services that refuse using GV numbers for 2FA. my experience has been that GV can oftentimes be problematic when trying to set up 2FA. it’s like a miracle if GV can be used for 2FA. there are a bunch of services that just refuse GV for 2FA where the reason given is no VoIP numbers allowed. it’s almost like a catch 22 where you want to use the security of google with a GV number but on the business side there seems to be an automatic negative view on these online phone numbers.

  11. Even with app based codes, some services will give you the option of ‘I don’t have my phone’ and then give you the option to get a code texted to your phone. Dropbox immediately comes to mind, but there are probably others.

  12. I am always amazed at the articles I read here. My cell phone is never used for any kind of a financial transaction – not even to check a balance. I use only a well secured PC for that even though my cell phone is encrypted and uses a pin plus other security. It’s just too dangerous. I see people all the time on open wifi making financial transactions and I cringe because they are begging to get hacked. It would be better to set up a secure home network if one does not own a PC. It’s not hard or very exppensive and much more secure than being on open wifi. JMHO but it’s too dangerous out there.

    • I didn’t understand this article to mean that the device was being compromised while the user was engaging in some sort of financial activity on the device. It is that many providers offer 2FA that rely on the mobile device by way of SMS. If the provider has this option then a SIM swap will leave you vulnerable despite how hardened your network is.

      This sort of thing always makes me think of the convenience vs. security diagram that we often see. Sure SMS 2FA is convenient, but it appears to be inherently not secure. At very least it is built upon a system that has many potential security risks (the mobile store employee, etc.) But it is convenient. And, for the uninformed it gives a false sense of security.

    • BUT, if you ever get any texts from your bank asking you to verify something, or if you’ve ever given your mobile number to the bank, then it’s vulnerable to being hijacked.

    • The problem here isn’t mobile phone security… This is not about people getting their phones hacked on public networks. Your comment is pretty irrelevant.

  13. What is the difference between Google Voice and any other free VOIP service, like Microsoft’s Skype? I wonder if there is any security difference between services like that?

    • rollingonchrome

      You can secure a Google Voice account with Google’s Advanced Protection Program which utilizes hardware security keys.

      Microsoft doesn’t offer security keys as a 2FA method, only OTP, and SMS.

  14. This would be less of a problem if financial sites that support security keys had the option to make them mandatory … no one gets in without a valid key, full stop. But the ones I use don’t do that, they all allow the user to default to SMS and bypass the key. I don’t feel any safer for having bought and registered a Yubikey. It’s mainly implemented as a convenience instead of a security upgrade.

  15. Great advice, and thorough coverage on a critical threat vector. Telecoms companies need to be held accountable when accounts are compromised, either by rogue employees or if they were duped. The systems and processes should safeguard customer accounts, even if it wasn’t about 2FA, or MFA.

    Good advice on Google Voice, which will take some efforts given how many accounts out there are linked to SMS verification, but one can at least start with their most-critical accounts, and work backwards from there. The article is a keeper for future reference.

  16. I’m confused. If we use GVoice and redirect calls and texts from there to our mobile… whoever controls the mobile number is still getting emails and texts? We’ve just added a layer. Once we realize that our mobile is swapped, we can change our GVoice options, but by then, won’t the damage have been done?

    • From the story:

      “Here’s where it gets tricky. If you’re all-in for taking the anti-SIM-hacking advice allegedly offered by Mr. Ortiz, once you’ve changed all of your multi-factor authentication options from your mobile number to your Google Voice number, you then have to remove that mobile number you supplied to Google from your Google Voice account. After that, you can still manage calls/messages to and from your Google Voice number using the Google Voice mobile app.”

      • Or just uncheck the “Forward messages to linked numbers” box. That way you can only receive them via the authenticated GVoice app.

        • Great guidance. Worth a look. It also has me thinking of perhaps two Google Numbers. One for the sensitive stuff, and one that would forward to linked numbers. Kind of the same practice that’s recommended for sensitive accounts. Segregate to a special email address that’s only used for such activities. Thanks!

      • The guidance that Brian quoted seems to conflict with what Collin mentioned. Moreover, when I deleted my two cell phone numbers in the GV app a few minutes ago, I could no longer receive or make calls and texts solely with the GV app. My GV number became essentially worthless. So do you either remove your cell phone number from GV as Brian quoted or uncheck forward as Collin stated? If the former, how exactly do you remove your cell phone number from GV in a way that still gives your GV phone and text functionality? I have not logged onto my GV account with my PC, just deleted the numbers via the GV app as I said earlier. Do you need to login to GV on a PC to adjust some other settings?

        I agree with other posters too that GV can be pain since not all companies support it for texts. Wells Fargo does not (why I bank with WF is for another venue).

        • You mentioned that you had not logged into GV from your PC. That is the way you can accesss GV after removing the phone numbers. Remove the phone numbers, then login in to GV from your PC .

        • There are a couple of applications that let you make calls using Google Voice.

          For a while, the main application was “Google Voice”.

          At some point Google tried to transition people to using “Google Hangouts” to make “Google Voice” phone calls – that’s what I’m using these days.

          Note: I need to install the “Hangouts Dialer – Call Phones” (from Google LLC) https://play.google.com/store/apps/details?id=com.google.android.apps.hangoutsdialer – to make calls from Hangouts.

  17. I find it funny that he’s going after AT&T. I know they are responsible for porting his number out and thus the hackers were able to hijack his accounts (and they probably have a much larger bank account), but AT&T aren’t responsible for the lax security of said crypto accounts. He should be going after the crypto account creators for their poor security practices. It’s been know for quite some time that SMS 2fa is easily hacked via SIM swap. Also I’m sure AT&T never agreed they they would secure his crypto accounts with SMS 2fa.

    • It’s not so much that the crypto account was compromised, it’s that the telecoms account was, and it’s the provider’s responsibility to secure it. This problem needs correcting, once and for all. Telecoms controls are apparently weak. Forget the crypto guy… none of us wants it to happen to us, do we? So, it’s in our best interest, that of all customers, to have their accounts protected by those (who host them). Cheers.

      • I understand that the telecom was the weak point. And I agree that it’s the provider’s responsibility to secure the account for their client’s cell service.

        My point is that it’s not AT&T’s (or any other cell provider’s) responsibility to properly secure some other entities website/service. The telecom providers never agreed to secure any 3rd party website, and SMS was never meant to be a security device. The crypto website/service was hacked because they relied on a known unsecured method (SMS) for 2fa and they should be liable.

    • Look up “joint-and-several liability” aka Deep Pockets Pays

      Sue everyone involved, let the courts work out who pays

      Also reference “fiduciary duties”

      https://en.wikipedia.org/wiki/Fiduciary#Fiduciary_duties_under_Delaware_corporate_law

      IANAL

  18. Here’s an idea for the telcos…

    Instead of displaying the PIN number and relying on the employee to verify that it is correct, change the back-end systems so that the store employee has to enter the PIN that they are given to authenticate it, giving a message stating whether the PIN is correct. Also block the creation of a new SIM card without authenticating the SIM through the PIN system, at a business computing systems level, instead of making it a process that an employee can work around. No PIN … no new SIM.

    • What is your source that their current authentication mechanism displays the customer generated secret on screen?

      • The article. A employee got to bypass it. So obviously he didn’t have to enter the PIN. Also because that is thr way the online callcenters work, so not unreasonble to assume that is how the stores do it.

  19. Any thoughts on web apps such as PushBullet which offer to manage your SMS messages via your phone? (The web app is on a PC.)

    I’m wondering if this isn’t another avenue for leaking one-time pins.

    • Generally apps that don’t have many eyeballs/auditors are a risk. Unless you have a specific reason not to use Google for this service, I wouldn’t spend time trying to find something else.

      1. Does the app get crypto right?
      2. Does the app have protection against process invasion (hooking)?
      3. Does the service provider offer proper 2FA?
      4. Does the service provider allow someone to socially engineer & bypass account protections?
      5. How good is the service provider at protecting their site from direct hacking attempts?

      Because Google is already a big target, they’ve already done this hard work–they need it all to secure all of their properties.

  20. How would I go about getting to the other SIMS #.. I’m extremely, curious. .

  21. Mobile Numbers seem like the new Social Security Numbers… They were created for a basic identification. The someone said, “Hey, everyone has this number, we should just use that to authenticate/verify their identity.” We really need to stop using systems for things they weren’t intended for without considering the security impacts.

  22. I think the adage “Play a stupid game — win a stupid prize” may be applicable to someone that secures his imaginary money with consumer grade services.

  23. I use Google Voice in the manner described. I have my mobile number linked, but I disabled forwarding SMS from GV to the mobile number. In fact I do not use my mobile SMS at all. BTW GV is not VOIP, it is a forwarding service, the SMS portion could be likened to a web based SMS or non-carrier SMS.

    My mobile service is also AT&T. As soon as was offered I enabled the PIN and requirement of ID to access and change service.
    Since a non-management retail level employee can “override” the PIN requirement, I do not think it meets expected security. The fact that enabling the PIN on the account causes the pre-loaded myAT&T app to lose functionality is another indicator that AT&T is not taking security as seriously as they should. The PIN and ID requirements seem to be implemented as just notes on the account and enforcement by the employee at the terminal.

    NIST had at one point deprecated SMS as a 2FA choice. That recommendation changed from draft to final publication on authentication guidance. I think that was wrong, SMS has never been secure.

    The use of SMS as a second factor or recovery for account authentication is a weak link. Using an automated voice call to deliver is not much better. With most email being transmitted over encrypted connections, it may be the better option of what is typically offered.

    I looked into implementing TOTP with software. As a former programmer, I was able to determine that RSA style tokens, Authy-like TOTP software, and email/SMS delivered codes can all be done with the same server side core software. Only small variations need to be made to support each type.

    • As a former programmer you should read the TOS for the myAT&T app. They explicitly make YOU liable for any IP violations their software may have. Now, they are big enough that most patent trolls aren’t going to go after them, but with those license terms, any patent troll can go after you.

      As soon as I saw that in the TOS I deleted the app from my phone.

    • yeah GV is not currently VoIP but really is a forwarding service — and it works better that way — BUT businesses that refuse GV for 2FA seem to tend to lump GV in with all the “VoIP” numbers as online burner numbers that are not seen as legitimate. of course, that is the wrong characterization to have, but that is the impression that one gets with GV being rejected for a bunch of 2FA.

      also, anyways, GV is actually on its way towards gaining an official built-in VoIP capability. not the hangouts version, but the current beta VoIP built into the GV app if you sign up for it. personally have the beta VoIP on a GV number used on an android phone which has my FreedomPop AT&T LTE sim card. since cannot forward GV to FP, just use the beta VoIP in the GV app on that phone. works great.

  24. Readership1 (previously just Reader)

    AT&T Wireless does NOT having any real security for prepaid customers. Just a 4 digit “passcode.”

    Not a password, not a security code.

    And no special SIM-swap preventing code, either, for prepaid customers.

    This is a gripe of mine.

  25. I disagree. If someone gets access to your gmail, they also own the GV, since that’s where its configured. Google may have security for themselves, and offer a face of security, but as they are the company that gives up data the most to the partially criminal/corrupt US government – there is no security.
    This jumping numbers around is security by obscurity and that is none. It’s still all accessible by a single Gmail account.

    • They do have people who are really, really good. Look at google’s Project Zero for some of the things they’ve done.
      I’m not disagreeing that google or any big IT company doesn’t have problems with securing, using or abusing customer’s data.

  26. I thought every security genius knew that. And knew that the transactions could be recorded, and part of the past history cloned onto the new card. and tfa would not have helped. Give the new crook, a day, and they have the second identity method, and can have changed it to their answer. You have to feel for the guy, that lost the money, but he ain”t no genius. And genius”s didn’t make the phone system. he knew it was a common carrier, that he had to do security to keep his money safe, he didn’t. He didn’t self insure, he didn’t hide it, so he lost it. But hes not flipping burgers yet, so? Now suit because he lost money, like a quarter down the drain? for his own stupidity?

    • Don’t cryptocurrencies offer ‘cold wallet’ storage, something like ‘move this string of numbers to a file, encrypt it and then don’t make it -ever- accessible to anything online’? I think if I had $22M in crypto cash I’d make some reasonable effort to protect it other than my cell phone.

  27. I gather this is a problem in the UK too, e.g. https://www.theregister.co.uk/2018/06/01/tsb_letter_cock_up_sim_swapping_scam/

    Google Voice numbers aren’t available here though 🙁

    Also, what’s with all the pro-Google advertising on here lately? Did I miss something?

  28. I have never linked a financial institute to my cell phone. I doubt I will ever do so. The very first time I saw advertisements for that type of service, my internal alarms started ringing. They still are. There is no real incentive for the phone companies to secure your accounts robustly. They are not likely to do so. There are risks I am willing to take. attaching my bank to my phone is not among them.

  29. Anonymous Coward

    I’d like some followup here. The idea of moving to Google Voice seems reasonable, but several comments here indicate that lots of services reject it as a possible place to send SMS messages to. If I knew it would work with my various services, I would do it. And maybe I should set it up for those services that will accept it, but if I can’t move them all over, I am not sure how big an improvement it would be.

    Definitive information about the ins and outs of switching over would be really nice to have.

    And if GV is a poor choice, perhaps there are other services that are better choices that we could be told about? I have no clue who else offers anything like GV, but that might offer it as more of a straight up VOIP service that is managed over the net.

    Thoughts? Security is important, but for this to work it really has to work, and the comments here don’t give me warm fuzzies on that front.

    • “if I can’t move them all over, I am not sure how big an improvement it would be.”

      Say, for the sake of argument, you have two services you want to switch but only one allows it. Even so, your risk for falling victim to a SIM swapping scam has fallen by 50%!

      • Anonymous Coward

        Sort of, but it all depends on which services we’re talking about, doesn’t it?

        If company X will let me use GV, but my risk there is minimal (my profile or account is not a high value target), moving it over is not much of a win in terms of total security.

        But if company Y will not let me use GV, and my account there is high value, that’s clearly a more significant problem.

        Admittedly I am no worse off if I move company X to a GV based solution, but I am probably not much better off than I was before, since company Y is still stuck where it was.

        Perhaps I will just have to try it and see which of my various accounts and services work with GV and which do not. That’ll be interesting.

        • Anonymous Coward

          And the answer is… no. I am on Project Fi, and GV doessn’t work with Fi.

          So that’s out.

          I’d need an alternative service to make this work, and all the services I can find with a quick search are targeted at businesses and cost real money for something that I would only use for authentication. I am less than happy with that outcome. Pondering the alternatives.

          • You could ask a trusted person like a family member to “loan” you their mobile number until you get GV up and running on your phone or tablet. Then decouple it.

  30. I just finished switching several online accounts from SMS to Google Voice. It took a couple of hours to get everything set up but now that I’m finished, logging into the changed accounts is essentially identical to my prior workflow. I successfully got it working with two financial institutions, a social network, an email provider, and a federal government centralized login service.

    What I did (as always, YMMV):
    1. Downloaded and installed the iOS version of Google Voice.
    2. Registered a new Google account. Changed all privacy and tracking settings to the most restrictive possible (used a desktop machine).
    3. Used the new Google account to sign up for Google Voice (used a desktop machine).
    4. Linked a land line and a cellular line to Google Voice (used a desktop machine).
    5. Launched and configured iOS Google Voice app.
    6. Added Google Voice phone number to selected accounts.
    7. Tested logins (at this point, login codes are delivered to both the Google Voice app and the iOS Messages app).
    8. Deleted cellular phone number from changed accounts.
    9. Unlinked cellular phone number from Google Voice (used desktop machine).
    10. Now login code requests are delivered solely to the Google Voice app on my cellular phone. A notification pops up when it arrives, just like when any other app wants attention or an iOS Messages text arrives.
    11. I will not be using Google Voice for any other purposes, so I don’t care if I’m able to make phone calls or *send* texts from it.

    • Anonymous Coward

      Thank you. This gives me hope. I may give it a shot.

    • Anonymous Coward

      Thank you for this research! Your results give me some hope, and indicate I should probably just knuckle down and try it.

    • “11. I will not be using Google Voice for any other purposes, so I don’t care if I’m able to make phone calls or *send* texts from it.”

      you are going to have to make a call or send a text or at least open the GV app on an actual phone every once in a while or else google will eventually reclaim your GV number. no more GV for you.