by phicoh 2405 days ago
As far as I know, the service telcos provide is the ability to make calls, receive calls, send text messages, receive them, etc.

Telcos don't get paid to securely provide SIMs. They make hardly any claims regarding the security of your calls, text messages, etc.

So it is rather odd to hold telcos responsible for the failure of some security mechanism they were never part of.


The rationalisation here is mindblowing.

By the same logic, no company should ever be held responsible for harm to users of their products caused by product defects: after all, they never made any claims regarding their products being safe to use.

I mean I think the ship has pretty much sailed on this one but I think they've got a case when companies just started using "can receive a text at a given number" as a security verification which suddenly made it the telco's problem to make sure such a thing was secure when before it was a more informal system.
Normal defects are 'easy': you have a contract to obtain a product or service with certain features. If the product or service doesn't have those features, it is a defect and a failure of the providing party to comply with the contract.

Of course, no phone contract says anything about securing SIMs (for the purpose of authentication). So it cannot be a defect.

Safe to use is often in relation to bodily harm, which doesn't apply in this case. Outside any specific law, if you use an unencrypted text messaging service between subscribers for authentication purposes, then you are on your own.

In this case, the actual harm is caused by the companies that decided to use text messaging for authentication purposes without verifying that the underlying service is fit for purpose (or having a contract with telcos that explicitly lists this purpose).

Of course, nobody is going after Twitter to recover damages from them.

Sure and Ford never promised cars that wouldn't explode on a rear-end collision

Telcos have a very poor service for the extortionate prices they charge. At some point your phone number is tied to your identity and should be secured as such (ah but nobody cares about that right?)

Since someone's phone number is incredibly important for all sorts of reasons, it is definitely the company's fault for making it so easy to hijack.
That's rather bizarre logic. An obligation to keep something secure comes either from a specific law, or from something specific in a contract.

The fact something is important to you, and you failed to negotiate that in your contract, doesn't mean that the company providing the service is somehow required to take that into account.

You're telling me that offering a service comes with no guarantee of the service? If I'm paying you, but you're no longer providing the service to me, but to some third party, how is that upholding the contract?

If you order food in a restaurant and someone takes the food from the waiter before you can have it, what would you want the restaurant to do?

The service is that you can receive messages. The service is not that you are the only one who can receive those messages. If someone commits fraud and obtains a SIM with your number then the telco is in general quite willing to correct the error. Maybe they will even give you an extra copy of the messages that were lost.

It's like going to a fast food restaurant and later complaining that the meat is of low quality.

Am I paying for my number or not? If I am, then if they give it to somebody else while I’m still paying for it, that is breach of contract.
This is really twisted logic you're trying to use.

If I entrust my email to Google, them having corrupt employees who give my email to other people would be a serious issue, for security, privacy and a myriad of other reasons. This is exactly what's happening at phone companies.

I agree with you if you are saying Telcos have no economic incentive to take any security posture for their customers. Regular users cannot fathom that the service they pay for is somehow able to be manipulated and that their communications can be redirected arbitrarily without legal order via technical means.

It is known that there are security issues with SS7 specifically [0][1][2] and the global telecom network was, it seems, never secured. I would conjecture that there are some other problems with mobile phones [3], some that we are not aware of.

I also am in lock step with your claim that this should not be surprising.

Telcos are indeed not paid for security. The security of the telephone network must not be counted on. In fact, military and government business must often be executed on special non-public phone exchanges or SIPRnet. Telcos do not offer any security guarantees, and are rather obstinate toward any demands such as this. Negotiating a more secure service is impossible.

> So it is rather odd to hold telcos responsible for the failure of some security mechanism they were never part of.

It is certainly not odd. If the general public wakes up and their assigned phone numbers are meaningless, all of their customers will be unhappy; it simply wouldn't pass the sniff test of a 6-year-old.

However, there is positively no incentive for anybody to shop for security in this space. Few living people believe or can even fathom that there could be a problem with using their phones in this manner. Despite the public fraud [2] that has been enabled by the telcos' apparent lack of any security engineering, the market is not providing any security mechanisms for this, I would imagine in part due to the concessions on interoperability made during the development of these global telco protocols.

There (appears to have been) zero work done for the security of this critical system. Customers do not recognize any possible threats, telcos have no interest in improving their networks in this regard, and the US government has developed a nickel allergy towards telco regulation in the 30 or 40 years following the Bell conclusion. Finally, telcos don't care to change, and if they did there would be decades-long disputes regarding implementation.

No, it is wholly unsurprising to find an entrenched, obstinate partner in this field.

[0] https://www.schneier.com/blog/archives/2014/12/ss7_vulnerabi...

[1] https://simjacker.com/downloads/technicalpapers/AdaptiveMobi...

[2] https://arstechnica.com/information-technology/2017/05/thiev...

[3] https://www.schneier.com/blog/archives/2016/09/leaked_stingr...