10 votes

Hackers are breaking directly into telecom companies to take over customer phone numbers

8 comments

  1. [5]
    joplin

    Having worked for a phone company before, I'm not at all surprised by this. The types of employees they're talking about are the lowest-level employees and they don't get treated very well. The jobs are often crap jobs. I recall hearing that employees would basically go out to the street and find people who are just hanging out and bring them in to do tech support. Most wouldn't last a week at the job. There was very high turnover and it paid crap wages so nobody wanted to do the work. I can easily imagine both taking bribes to do stuff you're not really authorized to do, and simply doing the least amount of work possible and just going with the flow when someone calls you and claims to be a technician. At that level of employee, they don't have any incentive to try.

    Regardless, this is just one more reason why you should never use a cell phone number as part of multi-factor authentication. Unfortunately, it will be another decade or more before banks and other web sites stop trying to push it because it allows them an excuse to get your phone number so they can sell it to others. It's shit all the way down.

    8 votes
    1. [4]
      cfabbro

      Unfortunately, it will be another decade or more before banks and other web sites stop trying to push it because it allows them an excuse to get your phone number so they can sell it to others.

      Oh, come on now... I'm a pretty paranoid bastard but even I don't think that's why banks and other sites push for multi-factor authentication. IMO the reason they push it so hard, even SMS-based (which admittedly has the potential to be bypassed using spoofed/stolen phone numbers), is because practically every cybersecurity expert out there agrees that it's still one of the best ways we have to protect user accounts from being compromised, despite its flaws. It's not about some cynical ploy to acquire and sell phone numbers, it's primarily about minimizing liability by making sure their users are not low hanging fruit, which multi-factor accomplishes in spades.

      And only SMS based multi-factor solutions typically require a site having to know your phone number. Most others (e.g. USB/dongle, TOTP/HOTP based, and even dedicated apps) don't generally require revealing your phone number to the host site at any point.

      Tildes' 2FA is TOTP-based, BTW.

      5 votes
      1. [3]
        joplin

        I don't think that's why banks and other sites push for multi-factor authentication.

        I never said that. My point was that they won't switch from SMS-based multi-factor authentication because it also allows them to sell your phone number. And you're right, that is a pretty cynical way to look at it. But I think it's deserved given how both Facebook and Twitter did this.

        the reason they push it so hard ... is because practically every cybersecurity expert out there agrees that it's still one of the best ways we have to protect user accounts from being compromised, despite its flaws.

        I think your premise is flawed. Most sites aren't pushing it at all from what I've seen. My bank, which is a large international bank, only allows multi-factor authentication for their super-gold-elite-premier accounts that require you to keep something like $50,000 in them at all times. For normal checking and savings, they don't even support it. I would never leave $50,000 in cash in an account for more than a few days because it could be earning me money in an investment.

        And only SMS based multi-factor solutions typically require a site having to know your phone number.

        I've run into this issue where there are some (well-known) sites that you cannot sign up for without providing a mobile number, despite it having nothing to do with the site. For example, just signing up for a free email account on outlook.com. For the past year or so, Twitter has been letting people sign up without a mobile number, and then freezing those accounts after a day or two until they add a mobile number. (And believe it or not, there are still some people who don't have a mobile number!) It's both absurd and transparent.

        Tildes' 2FA is TOTP-based, BTW.

        Tildes has 2FA? Where can I set that up? Thanks for the info!

        3 votes
        1. cfabbro

          I never said that. My point was that they won't switch from SMS-based multi-factor authentication because it also allows them to sell your phone number.

          Fair enough. Although I think you're still mistaken about why a lot of major sites push for you giving over your mobile number. AFAIK in the case of Google, Facebook and Twitter, it's used as a means to help them reduce fake accounts, which is a serious issue for them these days.

          Also, your bank F'n sucks and that is a horrible policy! :P Mine offers 2FA for all business customers, and even for non-business it will use 2FA confirmation by default for any "unusual activity" (which I have only had trigger a few times over the years). Sure, it's SMS-based, which isn't great... but at least it's there as an additional security layer.

          4 votes
        2. joplin

          Tildes has 2FA? Where can I set that up?

          Turns out it's at the very bottom of the settings page. I have turned it on!

          3 votes
  2. [3]
    suspended

    Thanks for bringing this to our attention. I had no idea that something like this was going on.

    5 votes
    1. [2]
      Keegan

      Yup I knew about the bribing and impersonation, but this is new to me. It's shocking that remote desktop scams are still so viable.

      2 votes
      1. 2zla

        I had a feeling this was “a thing”. But lack of access control being the cause was really not what I expected. It sounds like carelessness on behalf of the telecom providers mentioned in the article, rather than skilled methodical break ins. Dare I say this might be more of a “left the door open” than a “break in”?

        2 votes