That Much-Vaunted 'Two Factor' Auth? Uh, Yeah.
The Market Ticker - Commentary on The Capital Markets
2017-09-12 07:00 by Karl Denninger

It was a nice idea; unfortunately it's crippled in its effectiveness by the lax policies and zero accountability of the cell carriers.

Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.

In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.

Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.

What do the carriers think about this?  Nothing.

See, it typically takes more than one such attempt, because most of their agents will follow protocol and refuse unless you verify in some way who you actually are -- such as with a PIN you put on the account, which the thief doesn't know.

So why is it that these guys get dozens or even hundreds of bites at the apple?

See, that's the problem, and it's an intentional problem.  In other words, the cell companies could trivially log the number of bad attempts: when you call into the company asking them to do something and don't know the password, their call-management software could increment a counter, and after some reasonable number of failed tries in some period of time, say three, it would then require you to go to a physical store and present positive identification.

But nope, as is shown here:

Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone.

Verizon should be put out of business for this, and so should the rest of the cellular carriers.

One or two wrong responses is one thing -- yes, people forget, or they use a couple of different PINs and they get the wrong one the first or second time.

Thirteen times?  No, that's quite obviously attempted fraud, and not only did Verizon not lock his account against those repeated attempts after a rational number of failures to authenticate, they didn't call him either, nor did they follow their own rules despite being warned in advance that his account was under attack!

There's utterly no reason to allow this sort of horse**** to go on, but just like all the other scams of the day utterly nobody at the telcos will be held accountable for what amounts to being an accessory before the fact to grand theft.  The CEO of the jackwad firm deserves to have the entire loss taken out of his ass -- sideways.

Firms that intentionally ignore repeated hack attacks on a customer's account, and not only fail to stop them but also fail to notify the customer that they're under attack, need to be held financially and criminally responsible for the harm that ensues.
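The control the post argues for, as an added Python example that is not from the post or from any carrier: count failed caller verification per account inside a time window, refuse further phone or chat changes after three failures until the customer shows ID in a store, and notify the customer. The one-day window, the class and function names, and the 13-call sample are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 24 * 3600  # assumed window; the post only says "some period of time"
MAX_FAILURES = 3            # the threshold the post suggests

@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of failed attempts
    locked: bool = False  # locked: phone/chat changes refused until in-store ID check
    notices: list = field(default_factory=list)  # messages that would go to the customer

class PortOutGuard:
    """Counts failed caller verification per account; locks after MAX_FAILURES."""

    def __init__(self):
        self.accounts = {}

    def attempt(self, account, ts, pin_ok):
        """One verification attempt for a number-transfer request at time ts (seconds).
        Returns 'allowed', 'denied' or 'locked'. A correct PIN does not reset the
        counter, so the owner's own calls cannot hand a thief fresh tries."""
        st = self.accounts.setdefault(account, AccountState())
        while st.failures and ts - st.failures[0] > WINDOW_SECONDS:
            st.failures.popleft()  # forget failures older than the window
        if st.locked:
            return "locked"
        if pin_ok:
            return "allowed"
        st.failures.append(ts)
        if len(st.failures) >= MAX_FAILURES:
            st.locked = True  # from here on only verify_in_store() reopens the account
            st.notices.append((ts, "repeated failed verification; locked, bring photo ID to a store"))
        return "denied"

    def verify_in_store(self, account):
        """A clerk clears the lock after checking physical identification."""
        st = self.accounts.setdefault(account, AccountState())
        st.locked, st.failures = False, deque()

def replay(events):
    """Feed (account, ts, pin_ok) events through a fresh guard; return (guard, outcomes)."""
    guard = PortOutGuard()
    return guard, [guard.attempt(a, t, ok) for a, t, ok in events]

# Constructed sample: 13 wrong-PIN calls against one account within a few hours,
# mirroring the repeated attempts the post describes, then the real owner calls.
SAMPLE = [("555-0100", 600 * i, False) for i in range(13)] + [("555-0100", 8000, True)]
```

Running `replay(SAMPLE)` denies the first three calls, refuses the remaining eleven (the owner's included) as locked, and records one customer notice at the third failure; the owner's own call is allowed again only after `verify_in_store`.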

Comments
Unknownsailor
Posts: 409
Incept: 2009-04-06

Bremerton, WA
So wait, account security for services you do not physically control is at the mercy of the weakest link of the security chain?

Who was it that said if you do not own the server, you do not own the data again?

:)
Kroyl
Posts: 22
Incept: 2015-11-12

Banks around here request extended SMS delivery reports with HLR/IMSI data, and lock "two-factor auth/3DSecure" if IMSI has changed.
Had to call each of my banks after upgrading to a Nano SIM card.

"Free" services such as Google/Facebook/etc. don't do that, and they don't have any real customer support either - so you are screwed if the account is really stolen.
Ckaminski
Posts: 4199
Incept: 2011-04-08

Mass-Hole!
Quote:
"Free" services such as Google/Facebook/etc. don't do that, and they don't have any real customer support either
No ****. Good luck getting help from Google for anything. They closed one of my accounts for "reasons", and my recourse was complaining on public FORUMS having to post my details for all to see.

I'm having some issues getting BSD working on Digital Ocean - apparently freebsd@givenIP doesn't seem to work to let me log in. :(
Tinman
Posts: 284
Incept: 2008-02-16

That's why I use Net10. You can call them but they don't answer. :)
Mangymutt
Posts: 435
Incept: 2015-05-03

Vancouver WA
Q: - "Who was it that said if you do not own the server, you do not own the data again?"

A: - Exquifax? Hillary? DNC? I give up who :)
Vernonb
Posts: 1882
Incept: 2009-06-03

East of Sheol
I always figured the primary reason most of these companies wanted this info was not to protect anyone but to extract as much personal info as possible out of people -- including linking phone numbers with accounts.

----------
"Mass intelligence does not mean intelligent masses."
Asimov
Posts: 109479
Incept: 2007-08-26

East Tennessee Eastern Time
If somebody uses your CC to buy something from google/android store, you have absolutely no right to know who it was.

They *WILL NOT* tell you the account that is spending your money.

We ran into this not long ago when "somebody" (probably a family member) stole my SO's CC# to pay for pandora.

----------
It's justifiably immoral to deal morally with an immoral entity.

Festina lente.
Kroyl
Posts: 22
Incept: 2015-11-12

Quote:
They *WILL NOT* tell you the account that is spending your money

And that is, most likely, correct - they did not issue the card, so it's not their job to identify the rightful cardholder, especially not by phone/e-mail.

They would send transaction details through the Visa/MC chargeback process, but it could lead to new problems (in addition to the chargeback initiation fee) - such as locking the Google Play account and potentially implicating the "family member" for fraud.
Asimov
Posts: 109479
Incept: 2007-08-26

East Tennessee Eastern Time
The amount was too low for anybody to be interested in anything other than refunding the money and issuing a new card.

*Shrug*

----------
It's justifiably immoral to deal morally with an immoral entity.

Festina lente.
Robodog
Posts: 260
Incept: 2011-06-12

With each breach of digital data & security, (rhetorically speaking) I keep waiting & wondering what one will be the last straw to wake the masses from their personal privacy stupor and serve as the catalyst for Newton's Third Law of equal & opposite reaction? The careless organizations who were involved with the most notorious, egregious, far-flung & pernicious trespasses affecting us Yankees that stand out in my mind are: EBay, Equifax, Gemalto, Home Depot, OPM, Sony, Target & Yahoo. As if the foregoing examples aren't punishment enough, it occurs to my simple mind that the odds of being a victim increase proportionally with the volume of one's digital public presence especially F-book & NiTwitter.

----------
I believe in only one thing: liberty; but I do not believe in liberty enough to want to force it upon anyone. ~ H.L. Mencken
Dudefish
Posts: 131
Incept: 2010-02-20

Interesting info. I once had a mobile number assigned to somebody else without my consent. Thankfully it was only for a mobile hotspot, not for my actual phone. AT&T couldn't/wouldn't tell me how it happened or who stole my number, but they said "it happens sometimes...File a police report."
Little_eddie
Posts: 1081
Incept: 2009-04-30

Delaware
Just like the new I-P****.

Quote:
Entering this phone of the future means looking at it directly then swiping up.

Apple said that the chances of a random person using their face to enter your phone is about one in a million.
So off the top of my head, there's at least 7,300 other people that can unlock your phone on the first try.

Just what I want, NOT
----------
Think of how stupid the average person is, and realize half of them are stupider than that. - George Carlin

Dudefish
Posts: 131
Incept: 2010-02-20

Yeah. Would it be rude to ask how the iPhone can tell the difference between my face and a good photograph of it? Maybe they have this and other obvious hacks worked out to an extent but the hubris is showing.

Also with animated poop emojis, smartphones have officially transitioned from mature to commodity products. Apple's run is over.
Elkad
Posts: 309
Incept: 2009-09-04

The facial recognition supposedly uses an infrared light and infrared camera, and makes a 3d map. So a photo shouldn't work.

But that doesn't mean a near-lookalike can't. Or someone (or a warm plaster head) the FBI made to look like you.
Asimov
Posts: 109479
Incept: 2007-08-26

East Tennessee Eastern Time
Dude: IR camera.

----------
It's justifiably immoral to deal morally with an immoral entity.

Festina lente.
Dudefish
Posts: 131
Incept: 2010-02-20

Ah, clever. Thanks.
Rustyislander
Posts: 46
Incept: 2013-04-08

I'm beginning to get a little paranoid about security. My phone isn't secure (android) and my email isn't secure (it is gmail but I haven't found a good substitute yet). Gonna just have to delete myself from the internet and get a landline.

----------
Never talk to the police.