Mobile number for account recovery is NOT secure, under any circumstances. Don’t use.

alan warms

TL;DR: Underpinning many of today’s account recovery and two-factor authentication options are SMS texts to your mobile phone number. These options rest on the “security” that the carriers provide for your number. That security is simply non-existent. This should be a much bigger deal, and the carriers should be held accountable. Please share this.

Well before the Equifax hack happened, I had already put a four-digit PIN on my wireless account. As a regular reader of @fredwilson‘s blog, I read this article last year: https://avc.com/2017/06/getting-hacked-lessons-learned/ where Fred links to the horror story of Verizon negligently porting over a customer’s phone number without their consent, enabling a theft from Coinbase.

I had also read Krebs on Security, written by @briankrebs, extensively; it is probably the most deeply reported and up-to-date site on the internet for learning about the latest hacks. In fact, just a few weeks ago, Brian corrected me on a comment, pointing out that four-digit PINs are known to be worthless as a security feature and ultimately offer no security on one’s account. In a recent piece on a SIM-swapping scam, he discusses the carriers’ issues:

I wanted to hear from the REACT team [team of law enforcement officers and prosecutors based in Santa Clara, Calif] what they thought the mobile carriers could be doing to better detect and prevent SIM swaps. I received a range of responses.

“This is a really serious problem among the carriers, the ease with which SIM swaps can occur,” Lt. Rose said. “If you’re working at a mobile phone store and making $12 an hour and suddenly someone offers you $400 to do a single SIM swap, that can seem like a pretty sweet deal if you don’t also have any morals or sense of conscience.”

Rose said mobile phone stores could cut down on these crimes in much the same way that potential victims can combat SIM swapping: By relying on dual authentication.

“Having one employee who can conduct these SIM swaps without any kind of oversight seems to be the real problem,” Rose said. “And it seems like [the carriers] could really put a stop to it if there were more checks and balances to prevent that. It’s still very, very easy to SIM swap, and something has to be done because it’s just too simple. Someone needs to light a fire under some folks to get these protections put in place.”

I was using security best practices: Google Authenticator, Authy, YubiKey, Google Titan, or similar as the second form of authentication alongside my password on each critical account. For accounts that did not offer these device-based authentication methods, I did use my phone number as the second factor. The rationale was that a hacker would have to compromise my username and password AND take over my phone number at Verizon (which requires my never-written-down PIN). I also reasoned that in the event of any attempted port of my phone number, at the very least I would be notified by Verizon and have a chance to respond quickly. In other words, even if my username and password were breached, I would still be protected by the 2FA.

Unfortunately, on an old email address that I haven’t used in any way in years, I had long ago set my phone number as an account recovery option, possibly in response to a prompt from the service years ago. This meant that anyone who got my phone number onto their device would be able to quickly gain access and set a new password. It also rendered any SMS-based 2FA protection on that account worthless. One takeaway here is to immediately remove phone numbers from all accounts as a recovery option. If you have accounts older than two years, you likely have some.

Using a stolen PIN (possibly obtained from an in-person visit to a Verizon store a few weeks earlier), hackers ported my phone number to a different SIM card. Shockingly, I received no text, no email, no notification WHATSOEVER from Verizon. Luckily, because I was at work rather than out or overseas during the hack, I quickly got a notification from the old email service that a “recovery” was happening. I immediately realized, and then confirmed, that my phone number had been stolen. Apparently someone had called in with my information and the stolen PIN, and Verizon hadn’t bothered with dual authentication or notification of any kind. Verizon also apparently does zero checking that would have revealed the existing device had been connected, uninterrupted, to their service and had not moved in about 7 hours. Very simple dual authentication, requiring email approval, would have prevented this and the other hacks above.
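To make the missing controls concrete, here is an added example (my own illustration, not code from the post, Verizon or any carrier) of a SIM-change flow that does what the paragraph above asks for: a correct PIN only opens a pending request, the owner is notified on the current SIM and by email, only the emailed token can complete the change, and a line that has been attached and stationary for hours cannot be swapped by a single employee. The Account fields, the 6-hour threshold and the 15-minute token lifetime are assumptions.

```python
# Added example, not the post's or any carrier's code; the Account fields and thresholds are assumptions.
from dataclasses import dataclass, field
import hashlib, hmac, secrets

STABLE_HOURS = 6      # current SIM attached and stationary this long => the owner very likely still has it
TOKEN_TTL = 15 * 60   # seconds an emailed approval token stays valid

@dataclass
class Account:
    pin_hash: str                  # hash of the 4-digit account PIN
    sim_attached_since: float      # epoch seconds the current SIM last registered on the network
    last_cell_change: float        # epoch seconds the device last changed cell
    pending: dict = field(default_factory=dict)       # token -> {"new_sim", "requested"}
    notifications: list = field(default_factory=list) # (channel, message) the owner would receive

def hash_pin(pin):
    return hashlib.sha256(pin.encode()).hexdigest()  # illustrative; a real store also rate-limits PIN tries

def pin_ok(acct, pin):
    return hmac.compare_digest(acct.pin_hash, hash_pin(pin))

def request_sim_swap(acct, pin, new_sim, now):
    """Step 1: a correct PIN only opens a pending request (it does not swap anything). The owner
    is told on the *current* SIM and by email, and only the email carries the approval token."""
    if not pin_ok(acct, pin):
        return {"status": "denied"}
    token = secrets.token_urlsafe(16)
    acct.pending[token] = {"new_sim": new_sim, "requested": now}
    acct.notifications.append(("sms_current_sim", "SIM change requested; contact us if this is not you"))
    acct.notifications.append(("email", f"approve SIM change with token {token}"))
    return {"status": "pending", "token": token}

def line_looks_live(acct, now):
    """The check the post says was skipped: a SIM attached and stationary for hours is suspect to swap."""
    attached_h = (now - acct.sim_attached_since) / 3600
    still_h = (now - acct.last_cell_change) / 3600
    return attached_h >= STABLE_HOURS and still_h >= STABLE_HOURS

def approve_sim_swap(acct, token, now, second_approver=None):
    """Step 2: only the emailed token completes the swap; a live-looking line also needs a second
    employee's sign-off, so no single employee can push a swap through alone."""
    req = acct.pending.get(token)
    if req is None or now - req["requested"] > TOKEN_TTL:
        return {"status": "denied", "reason": "no valid pending request"}
    if line_looks_live(acct, now) and not second_approver:
        return {"status": "hold", "reason": "line is active; second approver required"}
    del acct.pending[token]
    acct.notifications.append(("email", "SIM change completed"))
    return {"status": "swapped", "sim": req["new_sim"]}
```

With a stolen PIN alone, the caller in the post's scenario gets no further than a pending request, and the owner learns about it on the phone still in their pocket.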

I was fortunate in that I was at my desk and aware of what was happening. Rather than having 8 hours, the hackers had closer to 15 minutes. Nevertheless, that was long enough to do some targeted searches in the old email account.

And had the hackers obtained my username and password for other services, they could have used the phone number as the second factor for those services too. This lack of security on phone numbers is why, at ChainFront, we explicitly do NOT ALLOW SMS-based 2FA.

So a few takeaways:

1. Immediately remove your phone number as a recovery option from every account you have.
2. Use device-level security as 2FA, not SMS, wherever possible: Authy, Google Authenticator, YubiKey, Google Titan, app-based push approvals, or others, and stop relying on the carriers to protect our phone numbers.
3. Do not use your phone number or SMS as a “backup” for device security or as 2FA, unless you are confident in the security practices of the service offering it. It is better to use other email addresses and device- or app-based security. Right now, for example, there is no 2FA option for Amazon or LinkedIn that does not include SMS.
4. Test the dual authentication method by signing in from a different browser. I personally have found that not all services work as described.
5. As an industry we need to demand that the carriers fix this problem. It is a known issue, it has been a known issue for some time, and their failure to act is simply infuriating. In the wake of the Equifax hack last year, more and more people are moving to 2FA, but too often to SMS, which rests on a worthless security foundation.

Please share this; I would love to hear your comments and questions.


Also published on Medium.