[rvz]

Yet another reason why phone number verification is the most insecure way to verify users and it doesn't matter if a company like Apple is using it or your bank using so called 'Military grade encryption'. The point still stands [4] with countless examples [0] [1] [2] [3].

Unless you want your users to be SIM swapped, there is no reason to use phone numbers for logins, verification and 2FA.

[0] https://news.ycombinator.com/item?id=36133030

[1] https://news.ycombinator.com/item?id=34447883

[2] https://news.ycombinator.com/item?id=27310112

[3] https://news.ycombinator.com/item?id=29254051

[4] https://www.issms2fasecure.com

[saagarjha]

This has nothing to do with SIM swapping or phone numbers.

[jasode]

>phone numbers.

On the official Apple reset form, the "phone number" is one of the id options the hackers can use to MFA bomb the target:

https://iforgot.apple.com/password/verify/appleid

The gp proposes a different "private identification string" that's not public. Public IDs such as "email address" or "phone number" are susceptible to what this article is talking about.

[consp]

> On the official Apple reset form, the "phone number" is one of the id options the hackers can use to MFA bomb the target

Funny thing is you cannot set a passphrase or equivalent recovery code unless you have an apple device. So users who have an apple account for development purposes (I hate apple device UX and wont ever use anything apple again other than to approve releases and manage certificates) and have no apple products are cursed to use ones phone number.

[EasyMark]

I used to be hardcore about stuff like this, but as I grew older I guess I gave up some of my morality and bought things like $150 iphone # and moved on with life if it was making me $$$.

[gruez]

Given that the gp was talking about victims being "SIM swapped", I strongly suspect he's referring to the classic sim swap attack where you sim swap, then use the newly registered sim to receive a password reset code. If it just involves discovering your phone number, you wouldn't need to sim swap at all.

>The gp proposes a different "private identification string" that's not public. Public IDs such as "email address" or "phone number" are susceptible to what this article is talking about.

This is a non-starter for the general public. If they can barely remember their password what are the chances they'll remember a "private identification string" or whatever?

[xamarin]

Yes, like password :)

[xamarin]

That is not true. Please read article, he even bought new phone, and this did not stop attack, because of same phone number. I woul not even call this MFA attack, as they did not need his password. It is more like recovery password attack.

[isoprophlex]

TFA talks specifically about a victim buying a brand new phone, registering a new appleid, and getting MFA bombed immediately when putting in his old SIM...

[klabb3]

> and getting MFA bombed immediately when putting in his old SIM...

I think it’s technically unrelated to the SIM, but rather to create the new Apple ID he used his existing (compromised, lol) phone number for “verification” or something. Which is weird in a way because then Apple must allow multiple accounts per phone number?

[mhdhn]

What's the recommended alternative for mere mortal hackers?

[rsync]

I host my phone number at twilio and have built an SMS firewall between my public phone number and my actual SIM number.

Flatten texts to ASCII-256, blacklists/whitelists, priority tagging, SMS cc'd to an email box, multi-number simul-receive, and so on.

Well, you asked ...

[antihero]

Use HSMs for your Apple ID MFA.

[EasyMark]

that brings in a whole new world of complexity and change that isn't for everyone.

[yieldcrv]

I think we should start doing product liability lawsuits to any organization capable of having user financial data affected from their account, that is using SMS one time codes as either default, enabled by default, and the heaviest legal remedies to financial organizations where that's the only option

we should also update PCI DSS compliance or whatever relevant security standard to call SMS one time codes totally insecure

we can also reach insurers these companies use and tell them to force removal of SMS one time codes

do a multi pronged assault on SMS one time passcodes

[guappa]

I think the more urgent thing is to not use the social security number both as the ultimate secret, and also as a number you must give to hundreds of people.

[klabb3]

> both as the ultimate secret, and also as a number you must give to hundreds of people

Don’t forget the final nail in the coffin, which completes the trifecta: it’s entirely immutable - damage radius = infinite.

[CatWChainsaw]

That. I'm in favor of stopping this societal wave of making phone numbers the equivalent of digital SSNs (they're critical for digital life, everyone wants them, nothing good happens when you hand them out that freely).

[ImPostingOnHN]

I think the more urgent thing is to end world hunger.

[yieldcrv]

non sequitur, make a different thread for that cause

[guappa]

Well if you fine companies for using SMS for security… you should put the CEO in jail for authenticating with social security number… if we go by just the number of people who get affected by skimmed SMS and by stolen ssn.

[chgs]

Not sure what sms one time codes has to do with this story either

[yieldcrv]

It’s one of the MFA methods Apple allows

[adrr]

Never will happen on the consumer side. Consumer lose their device way to often to make TOTP or pass codes viable.

Financial institutions can detect if your phone number has been ported or forwarded.

Bigger threat is phishing and password sharing between accounts. I ran tech at investment firm/ neo bank and never saw an attack on sms 2FA and we had over a million customers. We had email 2FA for a while there was significant number of people who shared passwords between email and their bank.