A lot of companies, some quite big and prominent, fool people into thinking that a phone is a second authentication factor. Due to the transferability of the phone number associated with a random SIM card and the ease with which social engineering and even conspirators inside the carrier itself can be used to gain control of that number, it is not and can never be "something you have". That does not stop companies from pretending nor marks from playing along. Motherboard has an article about how the weaknesses around the SIM cards are becoming all the more frequently exploited to perpetrate massive fraud.
First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering—perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years)—the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card.
From Motherboard : The SIM Hijackers
(Score: 3, Interesting) by edIII on Thursday July 19 2018, @04:55AM (2 children)
Laughingly, prominent security sites, and basically every crypto exchange views landlines and VoIP lines as easily compromised versus a smart phone with a wireless carrier. Which is, complete and utter backasswards bullshit.
The reason why my "landline" is damn secure from a porting attack is that the policies regarding a port mandate an email to the losing carrier asking them for permission. Smaller outfits can afford a deny-by-default rule requiring that the user (me) consent to the port out. AT&T? They don't give a fuck. Any well formed port request (correct billing info and a signed LOA) gets you an instant port out. Well, except for 14-21 illegal days they take on landlines. Wireless is 24 hours though.
I myself have a default-by-deny miltr rule that responds back instantly with a very firm and direct no, then emails me, txt messages me on my burner, and logs the request to file. The odds of anyone doing it without me knowing it is slim to none, let alone get around my instant denial with the insistence that the bill is not current, that money is owed, and therefore the port must be rejected out-of-hand.
That's not the real vulnerability anyways. It's the SS7 protocol in use by the PSTN that was never very secure to begin with. I think AT&T just recently announced they had rolled out SS7 security protections on their entire network. Crickets from Verizon, T-Mobile, and Sprint AFAIK.
But, yeah sure, a fucking txt message or phone call on a cellphone is a more secure two-factor.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Thursday July 19 2018, @06:04AM (1 child)
How do you obtain VoIP service? I would love to host my own number.
(Score: 4, Interesting) by edIII on Thursday July 19 2018, @08:02PM
This is fun :)
You become your own telephone company. I charge myself for the bill. That's why I can deny the port out, because I owe my own ass money for the phone all the time. Deadbeat motherfucker....
Now, if somebody attempted a porting attack, you will get an email as the account owner requesting acknowledgment within 24 hours. Twilio is kinda big, and so is Flowroute. Their policies are I think to allow it, if you say nothing. Hence the automatic reply rule you could construct in your email service I'm sure. Either that or Thunderbird can apply rules too. Actually running a miltr server for your email is a bit advanced and you would need to be a fairly good sysadmin with knowledge of different email platforms. Automatic responders are easier to manage in this case. Remember to ask the provider for an example of a port out request. They should email you with it, which helps configure the automatic responder.
In your response to the carrier, you claim that you are white labeling their service and that the client (you) owes you money. Hence, the denial based in the law regarding number porting.
This is why those people claiming cell phones are more secure are full of shit and should stop claiming they know anything about security in telecommunications. Twilio or Flowroute will not respond to social engineering to expedite or assist the port, and at the very least, nothing prevents you from getting the email. An attacker attempting a porting attack would necessarily need to compromise your VoIP account as well, rerouting the emails to them. Layered security FTW.
Technically, lunchtime is at any moment. It's just a wave function.