by krebsonsecurity 1638 days ago
That's nice to hear. So the SIM swappers have to double their bribes.

I think the best solution is to cut the mobile providers out of the equation altogether. I've long advised removing your phone number from anything you can, or at least substituting a voip service that can't be social engineered over the phone. Some services don't let you use voip services for multi-factor or signup, so your mileage may vary.

Also, it's important where possible to use types of multi-factor that don't rely on your phone number. The tricky part is, so many sites will let you reset your password if you can receive a link via SMS at the phone number on file for the account. Which means anyone who SIM-swaps you then can reset the passwords on those accounts that allow SMS resets (which is a lot, still).

7 comments

You must have to pay more than double to bribe two people simultaneously -- since each one then has to rely on an extra person to cover up the corruption.
One of the advantages of using Google Fi as your phone provider on a Google phone: there's no SIM, and you have to log in to the phone on your Google account in order to transfer phone/SMS service there. So an attacker can't use a SMS hijack to steal 2FA codes unless they've already compromised your Google account (which is hopefully a higher bar than convincing some random phone shop employee).
I have an iPhone with Google Fi and I have a SIM. The entire family does and they also have them.

However, the point of needing to login to your Google account is well taken. And I have 2FA on that.

One thing I don't understand about the suggestion to remove my phone number from 2FA is that 1FA seems worse. I'd prefer something like Google authenticator, but none of my banks offer that. Did I misunderstand the suggestion? Is there something else I should do?
> but none of my banks offer that. Did I misunderstand the suggestion? Is there something else I should do?

Yes there is: change your bank. If your bank is still using SMS based 2FA, get the hell out of there. If you really need to keep that account for reason X, move out all your assets to another bank and keep enough funds to fund X there.

> Yes there is: change your bank. If your bank is still using SMS based 2FA, get the hell out of there.

Have any suggestions for a bank that supports TOTP? I have yet to find a decent bank in the US that supports this.

https://web.archive.org/web/20200202222301/https://twofactor... has a list of large banks and 2fa methods.

Charles Schwab and USAA use TOTP but aren't exactly main stream banks. Both use a Symantec client and don't officially support third party authenticator apps.

Thanks for the link! A more updated source seems to be hosted at https://2fa.directory/#banking currently.

Not too many banks with physical locations in my area AND 2FA more secure than SMS.

First Tech Federal Credit Union and Fidelity both support time/token-based auth, although it's Entrust or Symantec VIP, not open TOTP.
I really wish there was some bank that would support plain TOTP. I don't want 5 different solutions to managing my TOTP tokens. I already have one.
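The "plain TOTP" the commenter wants is RFC 6238: an HMAC over the current 30-second time step, truncated to six digits. The example below is added here to show what a relying party actually has to implement; it is not code from any bank, authenticator vendor, or anyone in this thread. It uses only the Python standard library; the `TotpVerifier` class, the one-step acceptance window, and the replay guard (never accept a code from a time step at or below the last one accepted) are design choices of this example, not requirements of the RFC. The secret is the RFC 6238 test-vector key, embedded as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 / RFC 4226 reference key ("12345678901234567890" in ASCII),
# embedded here only as a constructed test input.
REFERENCE_KEY = b"12345678901234567890"


def key_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret that authenticator apps exchange via QR/URI.
    Padding and case are normalised because provisioning URIs often omit '='."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, then mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier (example design, not part of the RFC).

    - accepts codes from +/- `window` time steps to absorb clock skew;
    - rejects any code whose time step is not newer than the last accepted
      one, so an intercepted code cannot be replayed within the window;
    - compares in constant time."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        submitted = code.replace(" ", "")
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # replay or stale step: never accept twice
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Matches the RFC 6238 Appendix B SHA-1 row for T = 59 (8 digits: 94287082).
    print(totp(REFERENCE_KEY, 59, digits=8))
    v = TotpVerifier(REFERENCE_KEY)
    print(v.verify("287082", 59))   # first use: accepted
    print(v.verify("287082", 59))   # same code again: rejected as replay
```

The interesting part for the thread is not the arithmetic but the verifier: a bank that implements this correctly needs no SMS, no phone number on file, and no vendor-specific app, since any RFC 6238 authenticator produces the same six digits from the same base32 secret. The replay guard matters because the acceptance window that tolerates clock drift is exactly what an attacker who shoulder-surfs or phishes a code would otherwise exploit.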
Phone support at Fidelity will turn off VIP for you as long as you can answer at the account phone number.
This, and they are not alone; it's horrible.
I am not in the US but I'm sure fellow HNers can help you out.
The problem is that often adding the phone number just says "2FA" but in reality becomes as another single authentication factor (e.g. in credential reset workflow) - and, given the risk of SIM swap, it may be weaker than proper 1FA e.g. a good password.
> or at least substituting a voip service that can't be social engineered over the phone

Unfortunately, it's also very easy for somebody to submit falsified port documentation to port away your VoIP number to their own carrier.

In many cases it's even easier than doing a SIM swap, since the old-school way to do a port is to literally print out one page of a bill with your name on it (anybody could edit this using "inspect element" on a legit bill of their own and swap in your name), print it, sign it in ink, scan it, and send it to the carrier requesting the port-in.

>That's nice to hear. So the SIM swappers have to double their bribes.

Most SIM-swappers are retiring with their ill-gotten crypto, but the ones remaining are at the "bribing prosecutors" level now.

With crypto skyrocketing and the pitfalls of SMS becoming more apparent, I fully expect the jump to amateurs purchasing and leveraging state-level 0days against unwitting wallet holders.

The gap between profit and cost is getting larger, and more crypto-millionaires are going to get their TeamViewer 0dayed.

One of the few things I miss about giving up my landline a couple years ago is that I pretty much have to give out my cell phone number for anything that needs a valid phone number. (yes, I could use Google Voice or some sort of VOIP number but that starts making things complicated.) I used to be very selective at giving out my cell number.
> yes, I could use Google Voice or some sort of VOIP number but that starts making things complicated.

You should soldier through it. Google Voice is a decent free service domestically, unless paranoid. I use it in the reverse manner as I expect you would intend (if you'd intend to generate many virtual throw away numbers to forward back to your phone until the forwarding is manually severed). My actual phone number has changed many times over the years, but my GV number stays the same. Eventually, I got rid of my phone altogether. That was January 2014. But jobs will often require I carry the on-call cell (which I almost never need to use and just for work). Boy I sure miss those cell phone bills every month, not. I just realized GV has saved me at least $10K since I cancelled my cell contract.

More and more places refuse to accept my Google voice number for verification. It started out with nearly all banks but has gotten ridiculous recently.

Target outright refused it for Target Circle a couple of years ago. Recently 7-11 had accepted my Google Voice number to get points on in-store purchases, but now that I live somewhere where I need a car, the gas pump decided the number was invalid when I tried to get the discount on gas from the pump. I'm worried, since I basically never gave out my actual cell for over a decade now.

Good point, that is a problem, though I can't fathom why a bank wouldn't accept it, but I do recall having issues before with some site not accepting it (possibly Craigslist?). My solution is simple: if my GV number is not accepted, I take my business elsewhere.
What about a second cell phone? Depending on whether ~20/month is worth it.
> one number on file for the account. Which means anyone who SIM-swaps you then can reset the passwords on those accounts that allow SMS resets (which is a lot, still).


Why not use a special phone number for 2FA? How do hackers know your phone number?

If you use a special separate phone number for 2FA in multiple places, then it likely has both been exposed in some data breach, and also been sold for marketing/tracking purposes; attackers can get access to both these types of sources.
Hackers can easily get anyone’s phone number. Just Google <name> phone number. There are so many data brokers out there happy to sell this information.