by Zren 640 days ago
Feels like SS7 was deliberately left vulnerable from requests within the country for tracking purposes. A lot of the security seems to be done with firewalls within the walled garden so it's easier for the five eyes to track cell phones live without giving direct access to the databases.

That said, the real world example Veritasium used was chilling.

Having LinusTechTips as a 2nd example (who's showing off his new Apple phone) was a nice counter too. I'm pretty sure LTT uses multi factor+user auth though so I'm guessing that SMS 2FA email was an alt email for personal use.

Gonna have to watch that 2014 presentation on SS7 it seems.

3 comments

These vulnerabilities are something we know and are already scary. I wonder how much 3-letter organizations are capable of.
I had the same thought on SS7 being kept vulnerable on purpose. With continuous attempts in EU and elsewhere on tapping the E2EE communication and the fact that email remains insecure despite so many proposals makes me think this really is one of those things that get agreed upon behind closed UN doors. And I am NOT a fan of conspiracy theories.

I think that lack of information, i.e. any effort to remediate this, is information in itself.

It’s kind of nuts, with one of those SS7 tickets you could easily use a bot to drain 1000s of bank accounts an hour based on the 2FA vulnerabilities.
How? It's 2FA not 1FA. I have yet to use an authentication system that only required an SMS code.
Lots of authentication systems use an SMS code to reset your password, thereby essentially becoming 1FA.
Can you give an example? I don't think I've ever seen that, especially not from a bank!
Banks usually have information they can ask like Social Security Number (which is inevitably in some leak).

eBay is the first one that comes to mind. I know I've run into it a couple of other times where a website will just offer to text you a code, but usually there is a small link you can click that says "use my password instead".

Facebook and Amazon don't have my cell phone number, but I bet they have an option.

I don't usually try to reset my passwords since I use a password manager, so it's probably more common than that.