by photon12 1199 days ago
> T-Mobile declined to answer questions about what it may be doing to beef up employee authentication. But Nicholas Weaver, a researcher and lecturer at University of California, Berkeley’s International Computer Science Institute, said T-Mobile and all the major wireless providers should be requiring employees to use physical security keys for that second factor when logging into company resources.

> “These breaches should not happen,” Weaver said. “Because T-Mobile should have long ago issued all employees security keys and switched to security keys for the second factor. And because security keys provably block this style of attack.”

At what point do we consider industry self-regulation on this a total failure? You don't need to make Yubikeys a part of every auth workflow in your corporate enterprise if there are legacy systems/integrations, but you should at least do it for the things that can change customer mobile subscription details and there can't be any excuse.
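The claim quoted above, that security keys "provably block this style of attack", rests on origin binding: the browser, not the web page, records which origin the user is actually on, and the key signs over that record, so an assertion obtained on a look-alike site does not verify at the real service. The following is an added illustration, not code from the article or from anyone in this thread. It is a reduced model of the relying-party checks from the WebAuthn assertion ceremony; the relying party name `example.com`, the origin, and the device key are constructed, and the signature is modelled with HMAC so the block runs on the standard library (a real authenticator uses a per-credential asymmetric key).

```python
"""Reduced model of why an origin-bound second factor resists phishing.

Added illustration, not code from the article or the thread. Models the
WebAuthn 'get' ceremony: the authenticator signs authenticatorData ||
SHA-256(clientDataJSON); the browser writes the page origin into
clientDataJSON and only permits an rpId that matches that origin.
HMAC stands in for the per-credential asymmetric signature.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                  # hypothetical relying party
RP_ORIGIN = "https://login.example.com"  # the only origin the RP will accept

# Constructed per-credential key; on a real security key the private half
# never leaves the device.
_CREDENTIAL_KEY = secrets.token_bytes(32)


def authenticator_sign(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """What browser + key produce for a page served from page_origin.

    The browser fills in the origin it is really on and the rpId it validated
    against that origin; the key signs both together with the challenge.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(_CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, challenge: bytes) -> tuple:
    """Relying-party checks, in the order the spec lists them (reduced)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != challenge.hex():
        return False, "challenge mismatch (replay)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %r" % client_data.get("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(_CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login() -> tuple:
    """User on the real origin: fresh challenge, matching origin and rpId."""
    challenge = secrets.token_bytes(32)
    return rp_verify(authenticator_sign(RP_ORIGIN, RP_ID, challenge), challenge)


def phished_login() -> tuple:
    """User on a look-alike origin that forwards the real challenge.

    Even if the key produced an assertion, the browser recorded the
    look-alike origin, so the relying party rejects it.
    """
    challenge = secrets.token_bytes(32)  # the real RP's challenge, forwarded
    lookalike = "login-example.com.invalid"  # constructed look-alike domain
    return rp_verify(authenticator_sign("https://" + lookalike, lookalike, challenge), challenge)


def replayed_login() -> tuple:
    """A captured assertion presented against a later challenge is rejected."""
    old = secrets.token_bytes(32)
    captured = authenticator_sign(RP_ORIGIN, RP_ID, old)
    return rp_verify(captured, secrets.token_bytes(32))


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phished:   ", phished_login())
    print("replayed:  ", replayed_login())
```

The order of checks matters: origin and challenge are validated before the signature, so a look-alike site is rejected before any key material is consulted, which is why the same phishing kit that harvests a password or an SMS code gets nothing usable from a security key.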


I think why regulation hasn’t happened is because the computer industry has changed so quickly. Two-factor auth wasn’t even a commonly accepted best practice two decades ago.

And regulation takes a while to create and put into practice, and with the rate things are going, by the time regulation has been put in place, the current best practices will have changed.

Whereas writing regulation on building bridges is easy because the timescale of us building bridges spans literal millenniums.

I agree completely. I didn't ask why government enforced regulation hasn't happened. I asked why industry self-regulation has failed. I've worked in a regulatory/security role for a major conglomerate before.

I'm not saying I expected self-regulation to work. But, if you are in a position of customers seeing direct harm every day, it's not unreasonable to ask why there is a failure here.

I think it has failed because the industry is moving way faster than most people can keep up.

Even your average developer isn’t going to be aware of security changes in the industry to know what’s important or not. It’s going to be even less likely that someone not in engineering would remotely know what’s important or not.

Security professionals know but do you seek out a cardiologist first before you ask your GP? Probably not because, being not at all trained, you have no clue about anything. And if your GP doesn’t know, you are kind of on your own.

"People" don't need to keep up, the internal controls team needs to keep up, and it's possible to staff such a team with people who know how to mitigate phishing attacks when you are one of the largest corporate targets of phishing by volume on the earth.

They do because they are the ones hiring.

If you’re trying to decide between electricians but you know nothing about electrical jobs, you’re going to be unable to make any meaningful decision. You’re just going to pick the one that sounds the best.

Heck, you could be using the same mediocre electrician for years and even recommend it to friends because you still have no clue about the workmanship.

What does it mean for the industry to self-regulate? How do you define industry? Is it telecoms, or all tech companies?

Self-regulation has failed because the cost of a data breach remains relatively low compared to implementing security measures, at least on the surface.

Regulation generally is targeted at preventing consumer harm. Self-regulation is the practice of appropriately mitigating consumer harm. I mean mobile subscription providers here by "industry."

You can find an answer in their profitability in spite of repeated negligence.

> Two-factor auth wasn't even a commonly accepted best practice two decades ago.

Maybe, had you said three decades? But not two. It was already mature by then.

Two decades ago was 2003. Even consumer banking was online, and in many countries exclusively 2FA.

I worked in the banking space then and we absolutely had smart cards. Military and defense had them everywhere. Proprietary solutions had already gone away, replaced by PC/SC. NT 4.0 SP6 had support out of the box, because it was already a hard requirement for many customers two and a half decades ago.

Sure. My dad had a 2FA dongle in the 90s too

But outside of government, defense and banking, who exactly was using it?

It was not on the radar of the vast majority of people. Most technology takes decades to filter through the world

Well, the vast majority of people live in impoverished areas of the world, so in a strict sense that's true.

But it was absolutely a standard form of authentication already, and regarded as best practice security for those who cared about such things.

Which perhaps weren't that many, but then again, still isn't.

I had to use it in the 90s for a job I had at an automotive OEM.

I would bet most people's first encounter with 2FA was 2013+. I didn't even have to use it at my job (in healthcare!) until 2015.

That’s assuming you regulate a very specific thing versus the end goal. To me the appropriate regulation is to find a way to cause real harm to T-Mobile when they are breached. When repeated like this or if done through effective negligence, then they shouldn’t be allowed to be in business anymore. We gotta stop the tiny fines... jail, billions of dollars in fines, remove their business license... something large needs to happen. Once that’s in place, you won’t need specific regulations as the incentive structure will be there to do the right thing.

One way to do so would be to make it so wireless companies can lose access to spectrum as a consequence of customer data breaches. Let someone else who can keep customer data secure have it instead.

Most countries only have three large mobile carriers. You can't take action against their actual operations because you would be running out of alternatives pretty soon, plus you would cause huge disruption to customers.

I think financial penalties are still the best bet if they are large enough to really hit profitability but not large enough to kill the company.

That ultimately hurts customers more than the data breach. Limiting access means less availability for customers. If all the customers leave, you’ve just contributed to a monopoly/oligopoly.

Or reserve it for the next company that could pony up at a significant discount.

Look - too big to fail means we let too many companies merge. This isn't a healthy situation that losing T-Mobile means having no competition left. We should probably unwind some mergers first.

Aviation industry can introduce new regulation fast. One example would be reinforced cockpit doors. Prompted by events in September 2001, new standards published four months later (January 2002), expected to be completed fifteen months after that (April 2003).

https://avalon.law.yale.edu/sept11/faa_001.asp

It makes sense for a change about doors. Doors are old as time. Everyone understands how doors work. The impact of a door change is straightforward. There are relatively few moving parts involved in a self-contained door (figuratively and literally).

It was the first example that I thought of. There are others, less straightforward changes in recent years. They involve safety teams, risk assessment, terrain awareness systems, voluntary reporting programs, hazard recognition. They made commercial flights safer and we can measure it.

https://www.faa.gov/newsroom/out-front-airline-safety-two-de...

Was that the industry, or the government?

Both. My point was, with enough motivation and resources it can be done. I gave an example of such an industry in the sense of a sector of an economy.

My dad worked in telecom for a baby bell and they had 2FA fobs since at least 2004 (probably earlier but I didn’t see it until then). He wasn’t even in a consumer facing company, they made equipment for other companies. If they could implement this 20 years ago, there’s no excuse for T-Mobile today.
> I think why regulation hasn’t happened is because the computer industry has changed so quickly.

It also doesn't help that the US government is a barely-functioning kleptocracy. They're more concerned with passing legislation about transgender bogeymen while they line their pockets than they are about ... well, anything else.

A more reasonable alternative view is that regulations are largely opposed by most in the industry for good reasons. Including the fact that the explicit absence of such is what allows for the internet to exist at all.

You assume that regulation can just make security magically happen.

I see no reason to assume that premise to be correct in practice. It's not like the US Government hasn't been breached countless times or had Supreme Court opinions leaked; and it's not like corporations that really tried and should be examples of best practice haven't also been breached. Also, what law can prevent insider attacks? There's already plenty of laws making that illegal.

There's no law that just "makes security happen" - and, actually, I would be fundamentally opposed to such a law because it turns security into a simple matter of compliance. "We're SCA compliant, therefore we're good!" And technology changes way too much - a security law that was written 10 years ago would be a disaster today. See South Korea's Banking Security laws for an example - they basically enshrined ActiveX in their law with roll-your-own-crypto to this day. And we know now that was a trash idea but nobody wants to take the blame for upsetting the security standards. https://palant.info/2023/01/02/south-koreas-online-security-... and https://www.nytimes.com/2022/07/08/business/korea-internet-e...

Don't mandate them, just mandate that if you use known-deficient practices you're presumed negligent if an incident occurs. Then issue some guidelines for known best practices and known bad practices, and make it clear that using something newer/better is fine, just not using something on the "known bad" list. (For instance, best practices are to use two-factor authentication with one component being physical security; one-factor with a password is known-bad.)

I'm not calling for regulation on general security outcomes. I'm talking specifically about access controls on sensitive and highly privileged systems that have ripple impacts on consumer security, which should already be obvious best practice.

You assume that T-Mobile didn't try and just failed miserably, or repeatedly failed to insider attacks. If it was multiple insiders, the systems could be perfect technically and completely useless practically. We also don't know what the similar statistics for Verizon or AT&T or any other global carrier are for comparison.

I'm not assuming anything, I'm pointing out a failure of self-regulation, given that the TTPs listed in the original article, which are distinct from fully insider-supported attacks, should not happen.

There is obvious, direct, and destructive customer impact here.

Edit: actually I know people working in security roles for T-Mobile, and I am sure they or their sister teams are trying.

What point are you trying to make here? That T-Mobile maybe needs to screen employees better? That compromises are inevitable and we just need to deal? That we shouldn't give out so much data to corporations?

> There's no law that just "makes security happen"

In another thread I proposed making white-hat hacking legally protected, even without permission from the company. If your system is constantly being tested by mostly white-hat hackers seeking their next responsible disclosure and bounty, then that's something.

Bug bounties already exist, but they're opt-in, and companies that need them the most are not opting-in. We also see the people who do things like press F12 get legally bullied[0].

Changing the laws to protect white-hats and responsible disclosure would help. This would be a law that "just makes security happen".

[0]: https://www.youtube.com/watch?v=lSsvzBV0tyI or https://arstechnica.com/tech-policy/2021/10/missouri-gov-cal...

Legalizing hacking seems like a large loophole that will backfire. Where is the line between white-hat and black-hat?

Did you download 10 gigabytes of personal data and sell it? Or did you responsibly report the vulnerability once it was apparent? There would have to be some guidelines and some attacks like DDoS might still be illegal, etc.

Certainly a risk of this proposal is that some black-hats would get away, but that is already happening, so it's not really a problem of this proposal. This law won't affect black-hats because they already operate outside the law.

The problem is nobody can investigate the security of a company without facing major legal risks. As I linked above, a researcher pressed F12 and next thing he knew the Governor was threatening to prosecute him, and that's just one example. I believe it is a felony if I want to investigate for myself how secure T-Mobile's systems are, because they have not explicitly invited me to do so.

About 10 years ago I was doing some web scraping and came across a website that was exposing PPI (SSNs and more) of thousands of people. It was in an API JSON response, the JavaScript only displayed part of the data though. I just closed the site and never touched it again. I'm not a security researcher, I don't know how to safely report what I saw. It all seems personally risky for little personal gain. So I closed the site and let it go. My attitude has long been that if society wants to offer me some strong legal protections then I'll do the right thing, otherwise, society can burn. Half the nation's personal data can get stolen twice a month, as is already the case. When society cares enough to do something about it maybe I'll change my attitude.

In the absence of legislation (and perhaps even if/when legislation is enacted), an effective approach would be to simply hold entities to a reasonableness standard and to seek relief/damages under a common law negligence theory in lieu of a regulatory/legislative enforcement mechanism. That way, what is considered to be the industry standard (i.e. reasonable) changes at the pace of technology. The weak link here is quantifying individuals' damages in breaches where there is no clear injury (such as what you have in the Amazon/GoPro example described above).

Don't underestimate the value of checking all the security compliance check boxes. It solves what really matters - protecting executives from prosecution and/or being dragged in front of Congress to testify. <sarcasm off>

Seriously though, so long as cybersecurity insurance and "industry best practices checkbox management" is easier and/or cheaper than actual meaningful security measures, it will never be solved.

Worse, when a meaningful security measure that could actually make a difference collides with something in a best practices document, you know who will lose.

I'm not cynical at this point, no...

An executive or two in jail and we'll sure enough see security magically happen.

Should we throw the President in jail if the government gets breached?

No, of course not. (Nice straw-man attempt, btw.)

Just the way boards of companies have fiduciary duty, there should be some sort of customer information protection duty that companies are responsible/liable for. Basic security practices are being neglected at far too many companies.

Really not trying to strawman. You literally said an executive or two should be thrown in jail if their organization was breached. So which government executive would you "throw in jail" if their organization was breached?

If he incited the breach, sure.

You’re forgetting an important aspect of making stuff like this law - accountability and recourse. Sure, laws won’t magically make security happen, but it will provide tools against companies that don’t follow outlined laws or regulations to suffer consequences for mishandling data. Companies shouldn’t just be “expected” to do the right thing, because often doing the right thing cuts into profits.

Regulations matter in order to make entities do the right thing when they have no other incentive to do so. They certainly aren't a panacea, but they also certainly can have positive effects.

> I would be fundamentally opposed to such a law because it turns security into a simple matter of compliance.

True, but that's better than effectively having no security at all.

Yubikeys and macs are not magic solutions. That's not good security thinking. The same passwordless b.s. that's spreading like cancer is another thing.

Bigcorp networks are emergent, not pieced together. Threat actors just need one or two flaws. Case in point, the mac and yubikey corp with big fat wallet that was hacked: uber.

Everyone is a backseat driver with silver-bullet solutions, meanwhile there are decades of research and best practices that solve all these problems.

People who chase absolute security through one-size-fits-all solutions do more harm than good.

While normally I would agree wholeheartedly with this, in this very instance I see meaningless abstraction in service of justifying consumer harm. The phishing TTPs outlined in the article can be mitigated with hardware keys, and the places in the corporate network where they must be part of auth workflows can be identified. There are people whose job this is in corporate networks of all levels of piecemeal quagmires. T-Mobile probably has people working on this now.

I don't disagree that yubikeys are effective but even sms 2fa could have been effective! This is missing the forest for the trees. Even then, what if it wasn't credential harvesting but a download for an infostealer? Then even yubikeys are ineffective due to cookie theft.

You have many, many best practices: have a good email protection service/sandbox-detonation, MFA, detection+monitoring after the fact, CAP so threat actors can't just log in from any random IP or device, threat hunting, user training, etc. These are all things a good security program should be doing to create the most hostile environment for a threat actor.

People had the same frustrating MFA argument on HN with Uber when it was hacked, but long after the news story hype died down it was revealed that the TA got a contractor's creds via infostealer malware. Access to corporate networks is a common trade item in certain forums.

In this case mfa of any kind, cap and url-rewriting email security service are all layers of defense that could have caught this before impact.
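The layered-defense point in the comment above (MFA, conditional access by device and network, detection after the fact) is easiest to see over concrete sign-in events. The following is an added example, not code from the thread or from any identity-provider product: a small conditional-access style evaluator run over constructed events. It assumes the identity provider can tell which device a session was issued to (for instance via a device certificate or token binding), and the app names, device ids, session ids and IP ranges are all constructed for the example. It shows why a session cookie lifted by an infostealer is still caught when the session is bound to its device and privileged apps are restricted to known networks and to a phishing-resistant factor, even though the original MFA check was satisfied.

```python
"""Conditional-access style checks around MFA-protected sessions.

Added example, not code from the thread or any vendor product. Every
session, request, device id and network below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical corporate egress ranges (documentation prefixes, RFC 5737).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
# Hypothetical app that can change subscriber details; treated as privileged.
PRIVILEGED_APPS = {"subscriber-admin"}


@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    mfa_method: str   # "fido2", "totp", "sms" or "none"
    bound_device: str  # device the session was issued to (assumed attested)


@dataclass(frozen=True)
class Request:
    session_id: str
    device: str
    source_ip: str
    app: str


def evaluate(session: Session, req: Request) -> tuple:
    """Return (decision, reason); decision is allow, deny or step-up."""
    if session.mfa_method == "none":
        return "deny", "no MFA on session"
    # Device binding: a cookie replayed from another machine fails here
    # regardless of how strong the original second factor was.
    if req.device != session.bound_device:
        return "deny", "session presented from a device it was not issued to"
    src = ipaddress.ip_address(req.source_ip)
    if req.app in PRIVILEGED_APPS:
        if not any(src in net for net in ALLOWED_NETWORKS):
            return "deny", "privileged app reached from outside allowed networks"
        if session.mfa_method != "fido2":
            return "step-up", "privileged app requires a phishing-resistant factor"
    return "allow", "ok"


def run(sessions: dict, requests: list) -> list:
    """Evaluate each request; returns (session_id, decision, reason) tuples."""
    out = []
    for r in requests:
        s = sessions.get(r.session_id)
        if s is None:
            out.append((r.session_id, "deny", "unknown session"))
            continue
        decision, why = evaluate(s, r)
        out.append((r.session_id, decision, why))
    return out


# Constructed sample data.
SESSIONS = {
    "s1": Session("s1", "alice", "fido2", "lt-alice-01"),
    "s2": Session("s2", "bob", "totp", "lt-bob-02"),
    "s3": Session("s3", "carol", "sms", "lt-carol-03"),
}
REQUESTS = [
    Request("s1", "lt-alice-01", "203.0.113.10", "subscriber-admin"),  # normal use
    Request("s1", "unknown-vm-77", "192.0.2.5", "subscriber-admin"),   # stolen cookie replayed
    Request("s2", "lt-bob-02", "203.0.113.20", "subscriber-admin"),    # TOTP only: step up
    Request("s2", "lt-bob-02", "192.0.2.9", "subscriber-admin"),       # off-network
    Request("s3", "lt-carol-03", "198.51.100.4", "helpdesk-kb"),       # non-privileged app
    Request("s9", "lt-dave-04", "203.0.113.30", "helpdesk-kb"),        # no such session
]


def decisions() -> list:
    return [d for _, d, _ in run(SESSIONS, REQUESTS)]


if __name__ == "__main__":
    for row in run(SESSIONS, REQUESTS):
        print(*row)
```

Each denied or stepped-up row is also the event a detection team would want in the log: the second request in the sample, a valid session arriving from a device it was never issued to, is exactly the signal that distinguishes cookie theft from a legitimate login.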

This "UnCarrier" should be forced to "UnExist". Their leaks are numerous and the pathetic amounts they pay in damages do nothing to adequately compensate for the risk and inconvenience they impose on their hapless customers. Their insistence on doing credit checks for everything instead of allowing cash customers to skip it is, I think, part of the problem.

After an incident our compliance people told us we cannot have different 2FA options for the same user, so yes, in fact, if you ever need to use a legacy system then you cannot have a yubikey enabled anywhere.

Wow. Hot take, but I think your compliance team might suck.

IMO you should always have at least two 2FA HIDs in case one gets damaged or lost or whatever and you need to force log yourself out or something.

Sounds like you need new compliance people!