Banks and other secure services keep relying on SMS for 2FA. But using your phone as an authentication factor is a terrible idea. Carriers can’t seem to stop scrotes pretending to be subscribers and asking for new SIMs or porting numbers to other carriers.
It’s a huge problem. Will the FCC’s new rules fix it? In today’s SB Blogwatch, we count ’em.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Ô.
What’s the craic? Jonathan Greig reports—“FCC adopts new rules for wireless providers to rein in SIM swapping”:
“Access to passwords”
The FCC’s new rules … are an update to the Customer Proprietary Network Information (CPNI) and Local Number Portability rules previously in place … to stop SIM swap and port-out fraud. … FCC chairwoman Jessica Rosenworcel said they are getting more and more complaints from consumers who have suffered losses … and noted that the Department of Homeland Security has released reports on multiple gangs that have become experts at carrying out the scheme.
…
The practice of SIM swapping … involves convincing a target’s wireless carrier to transfer the victim’s service to a cell phone controlled by hackers, giving them access to passwords and other personal information. … Port-out fraud [is] a similar scam where hackers pose as a victim and open accounts with another carrier under their name [and] then arrange for the victim’s phone number to be transferred.
1. Don’t pick up the phone. Sergiu Gatlan is only calling ’cos he’s drunk and alone—“New Rules”:
“Losses of $72,652,571”
The FCC’s updated rules … now mandate that wireless service providers implement secure authentication procedures before transferring a customer’s phone number to a different device or provider. … Companies must also promptly alert customers whenever a SIM change or port-out request occurs on their accounts. Furthermore, they must take extra precautions to shield customers from SIM swapping and port-out attempts.
…
The FCC’s move comes in response to an ever-increasing wave of consumer complaints about significant distress and financial harm resulting from SIM hijacking attacks and port-out fraud. … The FBI Internet Crime Complaint Center (IC3) received 2,026 SIM-swapping complaints with adjusted losses of $72,652,571 last year.
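The two excerpts above describe the mechanism (a number that suddenly rings on a stranger’s handset) and the carrier-side duty to alert the customer promptly. What a bank or other relying party can do with that signal is the other half of the story, so here is an added illustration, not code from the FCC, any carrier, or the articles quoted: a small policy that refuses to count an SMS one-time code as a second factor for a while after a SIM change or port-out, and builds the customer alert on a channel other than the affected number. The 72-hour window, the event data and the fallback factor names are assumptions for the example.

```python
"""Relying-party check: distrust SMS OTP right after a SIM change or port-out.

Added illustration; the data below is constructed and the 72-hour window is an
assumed policy parameter, not something the FCC rules or any carrier specify.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy: treat the SMS factor as untrusted for this long after a
# SIM change or port-out on the number.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)


@dataclass(frozen=True)
class CarrierEvent:
    """A SIM change or port-out notice for a phone number (constructed)."""
    phone: str
    kind: str          # "sim_change" or "port_out"
    at: datetime


@dataclass(frozen=True)
class Decision:
    allow_sms: bool
    required_factor: str   # factor the login flow should demand instead
    reason: str


class SmsFactorPolicy:
    """Decides whether an SMS one-time code for a number can count as a second factor."""

    def __init__(self, events: List[CarrierEvent]):
        self._events: Dict[str, List[CarrierEvent]] = {}
        for ev in events:
            self._events.setdefault(ev.phone, []).append(ev)

    def latest_event(self, phone: str) -> Optional[CarrierEvent]:
        evs = self._events.get(phone, [])
        return max(evs, key=lambda e: e.at) if evs else None

    def evaluate(self, phone: str, now: datetime) -> Decision:
        ev = self.latest_event(phone)
        if ev is None:
            return Decision(True, "sms_otp", "no SIM change or port-out on record")
        age = now - ev.at
        hours = age.total_seconds() / 3600
        if age < SIM_CHANGE_COOLDOWN:
            # The number may now ring on the attacker's handset; fall back to a
            # factor that does not travel through the carrier.
            return Decision(False, "totp_or_passkey",
                            f"{ev.kind} {hours:.0f}h ago is inside the cooldown")
        return Decision(True, "sms_otp",
                        f"last {ev.kind} {hours:.0f}h ago, outside the cooldown")


def customer_alert(ev: CarrierEvent) -> Dict[str, str]:
    """Build the prompt alert, routed away from the affected number.

    An SMS to the number that just moved would reach whoever now holds it, so the
    alert goes to the account's e-mail / app channel (assumed to exist).
    """
    what = ev.kind.replace("_", " ")
    return {
        "channel": "email_and_app_push",
        "subject": f"{what} on your number ending {ev.phone[-4:]}",
        "body": f"A {what} was requested at {ev.at.isoformat()}. "
                "If this was not you, contact us through the app, not by phone.",
    }


# Constructed sample: one number swapped an hour ago, one ported a week ago.
NOW = datetime(2023, 11, 16, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    CarrierEvent("+15555550100", "sim_change", NOW - timedelta(hours=1)),
    CarrierEvent("+15555550200", "port_out", NOW - timedelta(days=7)),
]
POLICY = SmsFactorPolicy(SAMPLE_EVENTS)

if __name__ == "__main__":
    for phone in ("+15555550100", "+15555550200", "+15555550300"):
        d = POLICY.evaluate(phone, NOW)
        print(phone, "allow_sms=%s" % d.allow_sms, d.required_factor, "-", d.reason)
    print(customer_alert(SAMPLE_EVENTS[0])["subject"])
```

The design point is that the SIM-change signal is only useful if the service already enrolled a factor that does not depend on the phone number; if SMS is the only second factor on file, the cooldown just locks the legitimate customer out, which is the argument the commenters below are making.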
2. Don’t let him in. Or exabrial will have to kick him out again:
How about instead we just make it illegal to use SMS for identity verification? I’m tired of, “Your phone is your identity.” It’s exclusive of certain society members anyway, horribly not-encrypted, not-authenticated, can be intercepted, replayed, spoofed, phished, and a million other reasons.
Your phone number should not be your gateway to essential services like banking, investments, or even personal life. The madness has to ****ing stop.
3. Don’t be his friend. You know you’re gonna wake up in Frodo Douchebaggins’ bed in the morning: [You’re fired—Ed.]
Banks are consistently the g*ddamned worst about supporting good security practices. They’re also the ones most likely to block pasting into auth fields, which basically cockblocks using password managers and good, unique passwords. I fired my previous credit union over that one and made it very clear why, on the off chance they cared.
Not just banks. RegistrationIsDumb83 thinks they keep pulling us backwards:
Companies keep using SMS 2FA for some reason. Even Valve is rolling out phone 2FA for devs, so you can look forward to your Steam games autoupdating with viruses once that gets compromised.
It’s about time. Sora2566 finally sees the pattern:
Well, it’s about time somebody’s trying to staunch the gushing wound that is port-out fraud. People really need to learn that text-based 2FA is really not secure.
The FCC is from the government and it’s here to help. Dull doesn’t love you:
Sounds good, yet government agencies have a history of grandstanding … and not having the proper resources … to actually enforce anything that would cause changes. In short … it’s all window dressing.
Practice makes perfect. bensecure’s trying to learn it by heart:
Identity is fundamentally the job of the government: The real solution should be ID cards with trusted computing chips in them. Though that will open up a can of worms with regards to privacy and government overreach.
Meanwhile, mrkite77 eats, sleeps and breathes it—rehearses and repeats it:
Google Fi solves this problem by having no customer service to scam.
CW: 80s hair, 80s gimpy dancing, remix≥original, Sandy Struss, Ô Canada.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Jessica Rosenworcel