
SoylentNews is people

posted by martyb on Monday August 20 2018, @04:36PM   Printer-friendly
from the something-only-YOU-have-know-are dept.

Submitted via IRC for Fnord666

If hackers can convince your phone company to turn over your number to them, they can defeat two-factor authentication that relies on text messaging.

Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company’s negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He’s also seeking punitive damages.

Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin.

The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.

Source: https://www.fastcompany.com/90219499/att-gets-sued-over-two-factor-security-flaws-and-23m-cryptocurrency-theft

  • (Score: 2) by sjames on Tuesday August 21 2018, @05:35PM (4 children)

    by sjames (2882) on Tuesday August 21 2018, @05:35PM (#724277) Journal

    If the courts decide not caring will cost substantial money, they'll start caring.

  • (Score: 2) by Knowledge Troll on Tuesday August 21 2018, @06:02PM (3 children)

    by Knowledge Troll (5948) on Tuesday August 21 2018, @06:02PM (#724285) Homepage Journal

    If the courts decide not caring will cost substantial money, they'll start caring.

    Let me ask a question here: what is the correct procedure for authenticating a customer when they are dealing with something like AT&T?

    Think it all out - what is the burden of proof for the customer? How is this information transmitted? Are they going to have to show up in person with a driver's license? Who is responsible for forged documents? What about evaluation of quality of forgery? Which documents? Is a driver's license good enough or do you need a passport? How about the case where a fraudster convinces the government to issue an ID that allows them to impersonate you?

    The reason I ask is because I have heavily considered trying to create a company that would "correctly" and "strongly" authenticate the customers and I can tell you this is entirely non-obvious and highly non-trivial.

    So if the courts decide AT&T needs to be punished for not meeting an undefined metric, what is that metric to be defined as?

    As long as the metric remains undefined, the only means for resolution is deciding what is and is not reasonable in a court in front of a judge and possibly jury. In that situation even I would argue consumer level things are not a reasonable fit for something like securing $20 million worth of funds.

    So what is the "Telecommunication Providers Must Authenticate Users Worth A Shit And Puppies Are Cute" bill that Congress needs to pass going to say?

    On the surface it seems like they could all do at least as well as the average bar with an ID scanner, but that means you always go to a physical location for every customer service anything that involves authentication.

    Do you see why a second class of service is a more appropriate fit for this? The vast majority of people don't need this level of security and aren't going to be interested in that. For a large portion of people there will not be any convenient physical location to go to. For many getting to a physical location is going to be very very difficult. There is also the cost of implementation which will cause prices to go up.

    I would personally like a service that has that kind of security but I'm fucking weird.

    • (Score: 2) by sjames on Tuesday August 21 2018, @06:22PM (2 children)

      by sjames (2882) on Tuesday August 21 2018, @06:22PM (#724292) Journal

      In the case at hand, as pre-arranged with the customer, knowledge of a password was the criterion. Had the AT&T employee actually asked for the password as AT&T and the customer agreed, this wouldn't have happened.

      An alternative that might be offered if agreed with the customer is that a letter is sent to the billing address containing a password that will then be accepted for changing the service. That way when the customer fails to keep track of the password, there remains a way to make a needed change.

      It isn't perfect security, but it would make any shenanigans much more hands-on and add a clear felony for tampering with U.S. mail.

      • (Score: 2) by Knowledge Troll on Tuesday August 21 2018, @06:45PM (1 child)

        by Knowledge Troll (5948) on Tuesday August 21 2018, @06:45PM (#724309) Homepage Journal

        Had the AT&T employee actually asked for the password as AT&T and the customer agreed, this wouldn't have happened.

        Considering part of the claim is that someone went down to the location in person yet AT&T didn't use a "scannable" ID, and we are talking $20 million here, I don't think that password was going to stand in the way.

        Of all the things to fault I suggest that showing up in person and not checking the ID is the biggest fuck up, because someone can always go "well I forgot my password" and the CS agents are going to be happy to help them get access again. In cases like this the physical presence with physical ID is a requirement and AT&T, if we take the plaintiff's word for it, did not follow their own policy for the ID.

        I suggest though that even that ID check is not obvious on how to handle it and it is not going to tolerate very good forgeries very well.

        The idea of having a password sent in the mail is pretty good. Though for $20 million I bet it is easy to afford paying someone to steal the mail for 5 days in a row.

        • (Score: 2) by sjames on Tuesday August 21 2018, @07:13PM

          by sjames (2882) on Tuesday August 21 2018, @07:13PM (#724316) Journal

          Actually, if the lack of the password had prevented intercepting the 2FA, it absolutely would have foiled the theft. It was an integral part of the theft.

          It was explicitly agreed to by AT&T and then they didn't do it. As a direct result, the phone was hijacked and the 2FA was defeated.

          And I already suggested a mechanism for password recovery for the likely case that someone forgets their password. It would actually be harder to scam than creating a fake ID good enough to fool a poorly paid representative in a store.
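The thread above turns on two carrier-side controls: the pre-arranged account passcode that the store visit bypassed, and sjames' proposed one-time recovery code mailed to the billing address. The following Python block is an added illustration of how such a SIM-change authorization check could be structured; it is not AT&T's system, not code from the article, and not anyone in the thread's code. It assumes a hypothetical `CarrierAccount` record, stores only salted PBKDF2 hashes of both factors, makes the mailed code single-use and time-limited, locks the account after repeated failures, and records an audit entry for every decision, including the case the story describes where neither factor is presented and a representative approves the change anyway.

```python
"""Added model of a carrier-side authorization check for a SIM swap or number port.

Hypothetical example, not a real carrier's implementation. Two customer-chosen
factors are recognised: a pre-arranged account passcode and a one-time recovery
code mailed to the billing address. Nothing else (an in-store visit, a rep
"vouching") counts as authentication.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000   # work factor for hashing both factors
MAX_FAILURES = 5          # failed attempts before the account is locked


@dataclass
class CarrierAccount:
    salt: bytes
    passcode_hash: bytes
    # hash(mailed code) -> expiry timestamp; an entry is deleted once used
    mailed_codes: dict = field(default_factory=dict)
    failures: int = 0
    audit: list = field(default_factory=list)


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def create_account(passcode: str) -> CarrierAccount:
    """Enrol the customer with the passcode agreed at account setup."""
    salt = secrets.token_bytes(16)
    return CarrierAccount(salt=salt, passcode_hash=_hash(passcode, salt))


def issue_mailed_code(account: CarrierAccount, now: int,
                      ttl_seconds: int = 14 * 86400) -> str:
    """Generate a one-time code to print in a letter to the billing address.
    Only its hash is stored, so a database leak does not yield usable codes."""
    code = secrets.token_hex(8)
    account.mailed_codes[_hash(code, account.salt)] = now + ttl_seconds
    account.audit.append((now, "mailed_code_issued"))
    return code


def authorize_sim_change(account: CarrierAccount, now: int, passcode=None,
                         mailed_code=None, rep_vouches=False):
    """Return (allowed, reason). Only the two pre-arranged factors count."""
    if account.failures >= MAX_FAILURES:
        account.audit.append((now, "denied_locked"))
        return False, "account locked after repeated failed authentication"

    if passcode is not None:
        # constant-time comparison of the derived hashes
        if hmac.compare_digest(_hash(passcode, account.salt), account.passcode_hash):
            account.failures = 0
            account.audit.append((now, "allowed_passcode"))
            return True, "pre-arranged passcode verified"
        account.failures += 1
        account.audit.append((now, "denied_bad_passcode"))
        return False, "passcode incorrect"

    if mailed_code is not None:
        key = _hash(mailed_code, account.salt)
        expiry = account.mailed_codes.get(key)
        if expiry is None:
            account.failures += 1
            account.audit.append((now, "denied_unknown_mailed_code"))
            return False, "mailed code unknown or already used"
        del account.mailed_codes[key]   # single use, valid or not
        if now > expiry:
            account.audit.append((now, "denied_expired_mailed_code"))
            return False, "mailed code expired"
        account.failures = 0
        account.audit.append((now, "allowed_mailed_code"))
        return True, "mailed one-time code verified"

    # The failure mode in the story: a request with neither agreed factor,
    # approved on the strength of a walk-in visit. Here it is logged and denied.
    account.audit.append((now, "denied_no_factor", {"rep_vouches": rep_vouches}))
    return False, "no pre-arranged authentication factor presented"


if __name__ == "__main__":
    acct = create_account("correct horse")          # constructed sample passcode
    print(authorize_sim_change(acct, 1000, rep_vouches=True))
    letter_code = issue_mailed_code(acct, 1000)
    print(authorize_sim_change(acct, 1000 + 86400, mailed_code=letter_code))
    print(authorize_sim_change(acct, 1000 + 86400, mailed_code=letter_code))
    for entry in acct.audit:
        print(entry)
```

The design choice worth noting is that `rep_vouches` is recorded but never consulted when deciding: the audit trail shows who tried to approve a change without a factor, which is the evidence a customer in Terpin's position would want, but the decision itself depends only on the factors the customer agreed to in advance. Deleting the mailed code before checking its expiry ensures a stale letter cannot be replayed later either.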