by ksec 2405 days ago
I still don't understand this, if SIM Swapping were the problem then it isn't SMS 2FA that is insecure, it is the telco themselves, and especially US Telco.

In many other parts of the world, Switching Sim ( SIM Swapping ) requires to show proof of identification, as well as written form and signature.

And any CS accessing customer information are instantly logged, there is no way paying $1000 dollar to change or SIM Swap without going through the proper procedure, ( Should there be one ) and they will be fired for any misconduct.

SMS might not be the best solution to security, but for average Joe, that is near 4 billion of Smartphone users they are better than nothing.

Maybe had Apple created their own MVNO this problem could be solved.

11 comments

For the purposes of 2FA implementations it doesn't matter why SMS is insecure, only that it is insecure. Since it's probably not within your power to force your telco to change their insecure business practices, avoiding relying on them for 2FA is your only alternative.

Exactly this. Also want to add that phone numbers were never really meant to function as identity providers. For this reason I think it's important not to use the real number on your cell phone for anything -- VOIP numbers are best if the only method of 2FA offered is phone number.

SMS 2FA is insecure because companies implement it in a way that it becomes one-factor.

Forgot your password - reset your password - get an SMS

When there is no second factor involved, it's not 2FA despite people calling it that.

I agree the problem is that implementation of a backup for 1FA ends up coming back to the phone. But often the target service has no certainty of which mechanisms are going where.

They send to your email. They use TOTP. They use OAuth, etc, etc. What other things accounts go back to either your SIM or someone stealing your phone, SIM and all?

Even U2F will fall down this hole soon since everyone wants to implement it on phones! Will the attestation certs for phones say multipurpose device that is probably involved in other factors?

As far as I know, the service telcos provide is the ability to make calls, receive calls, send text messages, receive them, etc.

Telcos don't get paid to securely provide SIMs. They make hardly any claims regarding the security of your calls, text messages, etc.

So it is rather odd to hold telcos responsible for the failure of some security mechanism they were never part of.

The rationalisation here is mindblowing.

By the same logic, no company should ever be held responsible for harm to users of their products caused by product defects: after all, they never made any claims regarding their products being safe to use.

I mean I think the ship has pretty much sailed on this one but I think they've got a case when companies just started using "can receive a text at a given number" as a security verification which suddenly made it the telco's problem to make sure such a thing was secure when before it was a more informal system.

Normal defects are 'easy': you have a contract to obtain a product or service with certain features. If the product or service doesn't have those features, it is a defect and a failure of the providing party to comply with the contract.

Of course, no phone contract says anything about securing SIMs (for the purpose of authentication). So it cannot be a defect.

Safe to use is often in relation to bodily harm, which doesn't apply in this case. Outside any specific law, if you use an unencrypted text messaging service between subscribers for authentication purposes, then you are on your own.

In this case, the actual harm is caused by the companies that decided to use text messaging for authentication purpose without verifying that the underlying service is fit for purpose (or having a contract with telcos that explicitly lists this purpose).

Of course, nobody is going after Twitter to recover damages from them.

Sure and Ford never promised cars that wouldn't explode on a rear-end collision

Telcos have a very poor service for the extortionate prices they charge. At some point your phone number is tied to your identity and should be secured as such (ah but nobody cares about that right?)

Since someone's phone number is incredibly important for all sorts of reasons, it is definitely the companies' fault for making it so easy to hijack.

That's rather bizarre logic. An obligation to keep something secure comes either from a specific law, or from something specific in a contract.

The fact something is important to you, and you failed to negotiate that in your contract, doesn't mean that the company providing the service is somehow required to take that into account.

You're telling me that offering a service comes with no guarantee of the service? If I'm paying you, but you're no longer providing the service to me, but to some third party, how is that upholding the contract?

If you order food in a restaurant and someone takes the food from the waiter before you can have it, what would you want the restaurant to do?

The service is that you can receive messages. The service is not that you are the only one who can receive those messages. If someone commits fraud and obtains a SIM with your number then the telco is in general quite willing to correct the error. Maybe they will even give you an extra copy of the messages that were lost.

It's like going to a fast food restaurant and later complaining that the meat is of low quality.

Am I paying for my number or not? If I am, then if they give it to somebody else while I’m still paying for it, that is breach of contract.

This is really twisted logic you're trying to use.

If I entrust my email to Google, them having corrupt employees who give my email to other people would be a serious issue, for security, privacy and a myriad of other reasons. This is exactly what's happening at phone companies.

I agree with you if you are saying Telcos have no economic incentive to take any security posture for their customers. Regular users cannot fathom that the service they pay for is somehow able to be manipulated and that their communications can be redirected arbitrarily without legal order via technical means.

It is known that there are security issues with ss7 specifically [0][1][2] and the global telecom network was, it seems, never secured. I would conjecture that there are some other problems with mobile phones[3] some that we are not aware of.

I also am in lock step with your claim that this should not be surprising.

Telcos are indeed not paid for security. The security of the telephone network must not be counted on. In fact, military and government business must often be executed on special non-public phone exchanges or SIPRnet. Telcos do not offer any security guarantees, and are rather obstinate toward any demands such as this. Negotiating a more secure service is impossible.

> So it is rather odd to hold telcos responsible for the failure of some security mechanism they were never part of.

It is certainly not odd. If the general public wakes up and their assigned phone numbers are meaningless, all of their customers will be unhappy, it simply wouldn't pass the sniff test of a 6-year-old.

However, there is positively no incentive for anybody to shop for security in this space. Few living people believe or can even fathom that there could be a problem with using their phones in this manner. Despite the public fraud[2] that has been enabled by the Telco's apparent lack of any security engineering, the market is not providing any security mechanisms for this, I would imagine in part due to the concessions on interoperability made during the development of these global telco protocols.

There (appears to have been) zero work done for the security of this critical system. Customers do not recognize any possible threats, telcos have no interest in improving their networks in this regard, the US government has developed a nickel allergy towards telco regulation in the 30 or 40 years following the 'Bell conclusion. Finally telcos don't care to change, and if they did there would be decades long disputes regarding implementation.

No, it is wholly unsurprising to find an entrenched, obstinate partner in this field.

[0] https://www.schneier.com/blog/archives/2014/12/ss7_vulnerabi...

[1] https://simjacker.com/downloads/technicalpapers/AdaptiveMobi...

[2] https://arstechnica.com/information-technology/2017/05/thiev...

[3] https://www.schneier.com/blog/archives/2016/09/leaked_stingr...

Various countries besides the US (often other "Anglo" countries) don't require any identification to get a SIM card, while as you mentioned some countries require identification and sometimes even more steps like physical address verification. In my experience as a tourist, these additional steps are sometimes unnecessarily complex and are often somewhat of a hassle.

An argument can be made that this hassle is worth it for security concerns (which is what they often tend to be sold as) but personally I find it less reasonable for preventing against SIM swap hacks when there are many alternatives to SMS 2FA.

> to get a SIM card

getting a new card is not the same as swapping

I don't know of any way of transferring phone number to a card you already possess, the only way is re-provisioning to a brand new card.

Swapping a SIM card and verifying identity requires some identity to match with, presumably provided at time of activation.

You can also show fake ID at a competing telco sales point and tell them you want to move the number in Sweden. Happened to me that depending on which provider the call was coming from, sometimes it would reach me and sometimes not.

No, in addition to what you have mentioned, and sibling comments have noted about implementation, it is SMS that is (has been? --But I can't find info if this has been remedied) insecure as well. This is the "SimJacker" whitepaper describing technical means of hijacking among other games.

https://simjacker.com/downloads/technicalpapers/AdaptiveMobi...

> In many other parts of the world, Switching Sim ( SIM Swapping ) requires to show proof of identification, as well as written form and signature.

Minimum wage employees don’t give a shit. Always exploited.

> it isn't SMS 2FA that is insecure, it is the telco themselves

I have some rope at home. The manufacturers specify it's blue, 8mm, polypropylene and for 'general use' but they don't say anything about its strength. Cost about $5.

If I lift something with it and it breaks, is it the rope's fault, or my fault for selecting the wrong rope?

SMS is the same way - is sim jacking the telco's fault, or is a company using SMS 2FA as dumb as lifting a piano with my $5 rope?

Is it acceptable for anyone to be able to just walk into a store and hijack your phone number? Guess it’s just your fault your grandma now gets to talk to a crook when she calls you.

> Maybe had Apple created their own MVNO this problem could be solved.

I think the only reason they haven't is because they don't want the customer service headache that running & supporting a network generates.

Bad signals, stolen phones, billing etc. Urgh.

It's not just SIM swapping that's the problem.

The protocol/network used for international SMS (SS7) is supposedly very insecure and can be used to hijack messages.

haha ;-). Yes, you need a signature and legal document, both checked by your random, always late and in a hurry EMS courier when receiving the new SIM package. Same when starting new CC.