That Much-Vaunted 'Two Factor' Auth? Uh, Yeah.
The Market Ticker - Commentary on The Capital Markets
2017-09-12 07:00 by Karl Denninger
in Technology

It was a nice idea; unfortunately it's crippled in its effectiveness by the lax policies and zero accountability of the cell carriers.

Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.

In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.

Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.

What do the carriers think about this?  Nothing.

See, it typically takes more than one such attempt, because most of their agents will follow protocol and refuse unless you verify in some way who you actually are -- such as with a PIN you put on the account, which the thief doesn't know.

So why is it that these guys get dozens or even hundreds of bites at the apple?

See, that's the problem, and it's an intentional problem.  The cell companies could trivially log the number of bad attempts: when you call in asking them to do something and don't know the password, their call-management software could increment a counter, and after some reasonable number of failed tries in a given period, say three, it would require you to go to a physical store and present positive identification.

But nope, as is shown here:

Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone.

Verizon should be put out of business for this, and so should the rest of the cellular carriers.

One or two wrong responses is one thing -- yes, people forget, or they use a couple of different PINs and they get the wrong one the first or second time.

Thirteen times?  No, that's quite obviously attempted fraud.  Not only did Verizon fail to lock his account against those repeated attempts after a rational number of authentication failures, they didn't call him either, nor did they follow their own rules, despite being warned in advance that his account was under attack!

There's utterly no reason to allow this sort of horse**** to go on, but just like all the other scams of the day utterly nobody at the telcos will be held accountable for what amounts to being an accessory before the fact to grand theft.  The CEO of the jackwad firm deserves to have the entire loss taken out of his ass -- sideways.

Firms that intentionally ignore repeated hack attacks on a customer's account, and not only fail to stop them but also fail to notify the customer that they're under attack, need to be held financially and criminally responsible for the harm that ensues.
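The lockout described above, as an added illustration that is not code from this post or from any carrier: a per-account counter of failed PIN checks on number-transfer requests, a lock after three failures inside a window that can only be cleared in a store against physical ID, and a notification to the customer both when the lock trips and when a correct PIN arrives right after wrong ones (which is how a guesser eventually wins). The account number, the PINs, the 30-day window, the threshold of three and the notification channel are all assumptions; the 13-call sequence is constructed to mirror the case quoted above, and the two other scenarios cover the forgetful owner and failures old enough to have aged out.

```python
"""Failed-authentication counter for number-transfer (port-out) requests.
Added illustration only: not any carrier's real system.  The threshold,
the 30-day window, the notification list and all accounts/PINs are
assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import hmac

ALLOWED = "allowed"        # PIN correct, transfer may proceed
REFUSED = "refused"        # PIN wrong, still under the lock threshold
LOCKED = "locked"          # this call reached the threshold; lock applied
LOCKED_OUT = "locked_out"  # account already locked; in-store ID required


class PortOutGuard:
    def __init__(self, max_failures=3, window=timedelta(days=30)):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # account -> failed-attempt times
        self._locked = {}                    # account -> time the lock tripped
        self.notifications = []              # (account, time, message) sent to owner

    def _recent_failures(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def _notify(self, account, now, message):
        # Stand-in for an SMS/e-mail to the contact already on file (assumption).
        self.notifications.append((account, now, message))

    def request_transfer(self, account, now, pin_given, pin_on_file):
        """One phone-in request to move `account`'s number to a new device."""
        if account in self._locked:
            return LOCKED_OUT
        recent = self._recent_failures(account, now)
        if hmac.compare_digest(pin_given.encode(), pin_on_file.encode()):
            if recent:
                # Right PIN just after wrong ones is exactly how a guesser wins,
                # so the owner hears about it even though policy allows the move.
                self._notify(account, now,
                             f"transfer approved after {len(recent)} failed PIN attempts")
            return ALLOWED
        recent.append(now)   # a success never clears earlier failures in the window
        if len(recent) >= self.max_failures:
            self._locked[account] = now
            self._notify(account, now,
                         "transfer requests locked; bring photo ID to a store")
            return LOCKED
        return REFUSED

    def clear_lock_in_store(self, account):
        """Only path out of a lock: staff call this after checking physical ID."""
        self._locked.pop(account, None)
        self._failures[account].clear()

    def is_locked(self, account):
        return account in self._locked


def simulate(guard, account, pin_on_file, attempts):
    """Feed a list of (time, pin_given) through the guard; return outcomes."""
    return [guard.request_transfer(account, t, pin, pin_on_file)
            for t, pin in attempts]


T0 = datetime(2017, 9, 1, 9, 0)   # constructed starting time


def attacker_scenario():
    """Constructed: 13 calls, twice a day, none with the right PIN."""
    guard = PortOutGuard()
    calls = [(T0 + timedelta(hours=12 * i), f"{1000 + 7 * i:04d}") for i in range(13)]
    return guard, simulate(guard, "555-0100", "4821", calls)


def forgetful_owner_scenario():
    """Constructed: the real owner tries two old PINs, then the right one."""
    guard = PortOutGuard()
    calls = [(T0, "1111"), (T0 + timedelta(minutes=1), "2222"),
             (T0 + timedelta(minutes=2), "4821")]
    return guard, simulate(guard, "555-0100", "4821", calls)


def stale_failures_scenario():
    """Constructed: two failures, then a third 40 days later (window expired)."""
    guard = PortOutGuard()
    calls = [(T0, "0001"), (T0 + timedelta(days=1), "0002"),
             (T0 + timedelta(days=40), "0003")]
    return guard, simulate(guard, "555-0100", "4821", calls)


if __name__ == "__main__":
    for name, fn in [("attacker", attacker_scenario),
                     ("forgetful owner", forgetful_owner_scenario),
                     ("stale failures", stale_failures_scenario)]:
        guard, outcomes = fn()
        print(name, outcomes, guard.notifications)
```

Two design points matter here. First, the third wrong PIN locks the account and the remaining ten calls are refused before any agent can be talked into anything, so the attacker gets three bites, not thirteen. Second, a correct PIN does not erase the failures before it; the transfer goes through under this policy, but the owner is told, which is the call the victim above never received. None of this makes a phone number a good second factor; it only removes the carrier's unlimited-retry problem.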
