SwiftOnSecurity

PUBLIC SERVICE ANNOUNCEMENT:

There is an increase of account takeovers due to insiders at telco firms simply giving control to people paying them/compromised support staff accounts. Do a check on systems where this single factor would permit an account compromise. And change the configuration. These are opportunistic trawling attacks. This is becoming more common as attackers replicate the success.

The attacker uses other channels (like people search websites) to enumerate and guess the phone number attached to an online account and then checks against the telco they have control over.

The insider only briefly temporarily forwards the victim number to a 3rd party then switches it back to normal once they’re in. This is how they stay quiet since most victims will not have leverage or telemetry to understand how they got hacked.

It was their cell phone provider.

Make it so account recovery systems require multiple factors and remove telephony-based recovery for VIP accounts entirely.
Go check your systems now. Go try to access all your stuff like you forgot your password.

I am very serious. This is based on private knowledge but is compelled by the compromise of the SEC. This is common now.
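One way to run the check the post asks for, as an added example that is not part of the original thread: the script models each account's recovery policy as a set of factor paths, flags any path that a phone number alone can satisfy, flags VIP accounts that still have telephony anywhere in recovery, and rewrites the policy accordingly. Factor names and the sample accounts are constructed for illustration.

```python
"""Audit of account-recovery policies for telephony-only paths.

Added example, not from the thread. A recovery policy is a list of "paths",
each path being the factors that together complete a reset. A path that
SMS/voice alone satisfies can be completed by whoever controls the phone
number, the telco-insider case in the post. All names and sample data here
are constructed for illustration.
"""
from dataclasses import dataclass, field

TELEPHONY = {"sms", "voice"}

@dataclass
class Account:
    user: str
    vip: bool
    # Each tuple is one way to complete recovery; every factor in it is required.
    # A path relying on "email" is only as strong as that mailbox's own recovery.
    recovery_paths: list = field(default_factory=list)

def telephony_only_paths(acct):
    """Paths that need nothing beyond control of the phone number."""
    return [p for p in acct.recovery_paths if p and set(p) <= TELEPHONY]

def audit(acct):
    """Findings for one account; an empty list means the policy is acceptable."""
    findings = []
    weak = telephony_only_paths(acct)
    if weak:
        findings.append(f"{acct.user}: recovery completes with telephony alone via {weak}")
    if acct.vip and any(set(p) & TELEPHONY for p in acct.recovery_paths):
        findings.append(f"{acct.user}: VIP account still has telephony in a recovery path")
    return findings

def harden(acct):
    """Drop telephony-only paths; for VIPs remove telephony from recovery entirely."""
    paths = [p for p in acct.recovery_paths if not (set(p) <= TELEPHONY)]
    if acct.vip:
        paths = [p for p in paths if not (set(p) & TELEPHONY)]
    return Account(acct.user, acct.vip, paths)

SAMPLE_ACCOUNTS = [  # constructed sample data
    Account("alice", vip=False, recovery_paths=[("sms",), ("email", "totp")]),
    Account("ceo", vip=True, recovery_paths=[("sms", "email"), ("hardware_key",)]),
    Account("bob", vip=False, recovery_paths=[("email", "security_questions")]),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct.user, audit(acct) or "ok", "->", harden(acct).recovery_paths)
```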

58 comments
Mark Gardner

@SwiftOnSecurity This sounds like the nightmare scenario for phone-based #2FA and account recovery that we’ve been warning people about for years

SwiftOnSecurity

AS DEFENSES INCREASE, other avenues of attack are unlocked as being cost-effective and needed. Suddenly your uniquely strong defense is the norm and defeating it is too.

The point is staying ahead of the curve. We are now at the stage where attackers invest in durable telco compromise to allow attackers in.

You MUST respond.

SwiftOnSecurity

There was a time you could defeat almost all email account compromise by just… turning off legacy authentication in Exchange. You became a ghost. That’s how all attacker tools worked.
Now they have upgraded to account for modern authentication.
YOU CANNOT STOP improving. You are aging quickly.

Tony Yarusso

@SwiftOnSecurity Can we just reinstall Humanity instead of dealing with all the malware on this instance?

Becky

@SwiftOnSecurity aging? HA! I'm desiccating. Practically just grumpy carbon isotopes

DELETED

@SwiftOnSecurity

Could I ask you for a bit more explanation?

If a crook goes to my bank's website, types in my email address, and clicks "forgot password," then even if the crook is able to intercept the one-time authentication code that's texted to my phone, they still won't be able to get into my bank account, unless they're first able to get into my email account to get my "reset password" link, right?

Adora (She/Her) :flag_transgender:

@barney @SwiftOnSecurity

But basically what swift is describing is both:

that a lot of services let you use your phone as a full login method if everything else fails without additional auth by default (example Gmail. Pretend you forgot your password and try it)

Also your password may leak, be stolen or reused from somewhere compromised and you expect the 2fa to protect against that (example bank)

Plus like your example that verifies email, if they get into your email because it allows single factor, isn't that the same thing?

Rich Felker

@SwiftOnSecurity I can defeat all Exchange email account compromise by just... not using Exchange. 😂

░▒▓ Logis ▓▒░ :donor:

@SwiftOnSecurity I was SIM hijacked a few years ago. Within 10 minutes they got into my email and pivoted to Coinbase. And the only thing that saved me was that account was non-SMS 2-factor

Fishd

@L0G1S @SwiftOnSecurity Given the wide availability of alternative 2fa methods, it's hard to see firms that only offer SMS as anything other than complacent or complicit.

Andrew Feeney

@L0G1S @SwiftOnSecurity I hear a lot about SIM hijacking in the States but less so in Australia. This is anecdotal of course. Does anyone know if it's just as easy to do in Australia?

🔗 David Sommerseth

@andrewfeeney @L0G1S I dunno about the approach @SwiftOnSecurity describes.

But the IMSI catchers are "affordable" these days.

arstechnica.com/information-te

With an IMSI catcher you can also snitch up SMSes. And the SS7 signalling system typically used between telco companies to enable communication between phone subscribers regardless of the network they are connected to is riddled with security issues.

Basically consider all phone network communication to be broken by default. And make use of proper #E2EE on top of that network instead. E2EE gives you a protection which does not depend on your communication channel itself to be secure.

Infoseepage #StopGazaGenocide

@L0G1S @SwiftOnSecurity I really, really prefer non-sms based 2fa. Once they've got your phone and email, most services will allow attackers to do password resets without anything else. They're the twin keys of the castle and in most cases you only need one or the other. I've seen so many people get owned top to bottom because of this shit. Hardware tokens all the way.

Shadow D. Wolf :therian:🏳️‍🌈

@SwiftOnSecurity So, in other words, stop using SMS-based 2FA, and start using Google Authenticator, or equivalent.

badeline :verified_trans:

@SDWolf @SwiftOnSecurity Better yet, physical security keys (although that may be overkill)!

The Doctor

@SDWolf @SwiftOnSecurity Now if I could get any of the banks I regularly deal with to even offer 2FA...

Shadow D. Wolf :therian:🏳️‍🌈

@drwho @SwiftOnSecurity My credit union has offered several 2FA options for about a decade, including phone (call or SMS), e-mail, or they'll even mail you an EnTrust token. But, they didn't add Google Authenticator-style 6-digit OTP support until a couple months ago.

The Doctor

@SDWolf @SwiftOnSecurity I've been trying to convince three of them to implement 2FA since the Before Times. No luck yet.

LisPi

@SwiftOnSecurity And yet, some attacks remain implausible.

TOTP is still safe, as are backup recovery codes.

SMS or phone-based authentication was always built on shifting sands and never should've been trusted.

Michael Fisher

@SwiftOnSecurity Is having a sufficiently strong PIN set up with our mobile carrier account’s sign-on a sufficient deterrent to unauthorized SIM jacking attacks?

𝕃𝕦𝕔𝕒𝕤 𝔸𝕥𝕜𝕚𝕟𝕤

@SwiftOnSecurity Pretty sure the SEC just had a scheduled tweet that published before it should have lol, if that's what your post subtly references. But, they blame it on "hackers" so they're not guilty of accidentally manipulating the market.

Everything you stated is correct and I appreciate the PSA.

Jonathan Kamens

@SwiftOnSecurity I'm just going to pretend that as a Google Fi customer I'm safe because it's impossible for hackers to reach a human being at Google to compromise.

vandorb12

@jik @SwiftOnSecurity as a past Fi customer, it was really hard just to hit up their support without calling on your Fi phone. They had stuff locked down more than the general telcos do, like an auth code push to the Fi app. Annoying when I needed the support quickly when my phone had issues, but welcomed in hindsight.

Jay Thoden van Velzen ☁️​🛡️​:lolsob:

@SwiftOnSecurity ffn hell, a new vendor risk management threat many will not be prepared for...

maybe this is the business case hardware MFA keys have been waiting for?

vandorb12

@jaythvv @SwiftOnSecurity they've always been waiting in the shadows. Lurking. Waiting. Ever so patiently. They're the ultimate super auth ninjas.

vpz

@jaythvv @SwiftOnSecurity I wish we could even get OTP. Many places only offer SMS, and therefore users can’t do anything about cell phone attacks. In the US even many banks don’t have good MFA.

Matt Waters

@vpz @jaythvv @SwiftOnSecurity Why I use the Advanced Protection for Google with their password store. I think password + SMS is enough for some money transactions (new Zelle recipients on new devices may require more verification). But at least the password is randomly generated.

LA Legault 🇨🇦

@SwiftOnSecurity

So I understand the seriousness and the urgency but could you run that down again for us layman?

Ciggy Bringer of Smoke

@LALegault @SwiftOnSecurity

Paid-off baddies at cell/phone companies are rerouting 2-factor authentication requests to primary baddies and nobody is any the wiser to how it happens. Once in, primary baddies are using old accounts to launch more potential attacks.

So use 2-factor authentication that doesn't rely on phone, and double or triple up on other methods for accounts that can reactivate other accounts.

I think I got the gist of it.

Edit: I am being too specific - this is for all user accounts. But my job revolves around the Active Directory/Azure framework where I can activate and deactivate accounts if I so pleased.

Kevin Mirsky :donor:

@SwiftOnSecurity Ugh, I'm trying to think of effective mitigation for services that FORCE phone number based recovery, and coming up dry. I've encountered several services like this and desperately wish there was a solution.

J. "Henry" Waugh

@kevinmirsky ironically?

Bringing back those stupid security questions... if they actually put it into the password recovery workflow before 2FA, and you put in nonsense answers they can't guess (as I always do)

If you meant you as a user, I think our only defense is trying to prevent them from connecting the recovery phone number to the account based on our telephony setup

@SwiftOnSecurity seems to mention VoIP and cell specifically, even though I don't presume it's exclusive to them

Armando 🎃👻💀

@SwiftOnSecurity for T-Mobile USA users: enable the free Takeover Protection add-on in your T-Mobile account. While they don't specify what exact measures that activates, it has to be more secure than the default that allows a call to customer service to do anything the attacker wants.

As always, make sure you have a strong password, a PIN, and randomly generated security answers stored in your trusted password manager.

Johannes Hentschel

@SwiftOnSecurity
Does your message concern all providers in all countries? What are concrete steps everyone should take?

Ciggy Bringer of Smoke

@SwiftOnSecurity

I use 2-Factor Crows that go to and fro Redmond direct, tyvm.

mox

@SwiftOnSecurity What's recommended instead of telephony? 2FA is ubiquitous because everyone gets texts on their phones.

Shaunkoh

@SwiftOnSecurity does this mean that phone number based 2FA isn’t secure anymore? Would app based 2FA be better?

J. "Henry" Waugh

@Shaunkoh @SwiftOnSecurity my reading: yes*, yes

* = if the 2FA is the *only* requirement to reset your password, unlike e.g. knowing non-public information about you before you are allowed to use 2FA to authenticate on the reset password screen. But a determined hacker might be able to get that too

Christian Stadelmann

@Shaunkoh @SwiftOnSecurity at least it rules out direct attacks through careless mobile phone providers and weaknesses in 2G…5G, yes.

I would consider app based 2FA safer, but not safe enough for critical purposes. Your smartphone is probably connected to your PC in some way (same local network, same Apple/Google/whatever account, same messenger app(s), some synchronization solution, maybe a common backup solution, …), so those are not fully independent. In other words, if an attacker controls one of them, it is easier to gain control over the other.

David

@SwiftOnSecurity the thing that sucks most about this is that many legacy financial system players, including essentially all banks, treat SMS or phone call-based 2FA as implicitly trustworthy and there's no way to tell them to stop using it for your account(s).

Christian Stadelmann

@freeagent @SwiftOnSecurity In Germany, many large (=legacy in your words, I guess) banks have deprecated and removed SMS a while ago. Instead, they offer 2FA either through their own (proprietary) apps or through hardware (bank card + proprietary reader device such as this one: shop.reiner-sct.com/tan-genera )

The Turtle

@SwiftOnSecurity be old, crotchety and never answer your phone.

And never, for any reason, give real information to a "free" social media site. Piss in the information pool at every possible opportunity. Fuck Zuck.

Melon Husk can eat shit.

LinkedIn can eat Melon Husk's shit.

Mmmmmm... tasty!

Jimmy Hoke

@SwiftOnSecurity Insiders at telcos should be the final nail in the coffin for SMS 2FA. It just isn’t safe.

SpaceLifeForm

@SwiftOnSecurity

I am pretty sure this is why X said that SEC did not have MFA activated "at the time".

XauriEL Zwaan

@SwiftOnSecurity ah, so letting phone companies bully and manipulate us into making phone numbers sometimes the *only* available form of 2FA may have backfired? Astounding

zl2tod

@SwiftOnSecurity
2FA is the opposite of compartmentation, one of the basic principles of security.
It's good for governments, corporations, and attackers, not so much for customers.

lucas

@SwiftOnSecurity The downside of paying someone fuck all is it only takes a little bit more than fuck all to buy them off.

In other words: raising wages in the states would be a net benefit to (national|personal|business) security.

pasta la vida

@SwiftOnSecurity you ever wish you worked for Okta and could just... turn on false SMS verification for all users... just to catch this behavior? (as a massive network telescope)

"sure, SMS is on, want to try it?"

and it might actually text the user a real code, but emails them / alerts their SOC going "uh... remember when you turned on 'fake 2fa'? someone's swapped your number"
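The tripwire idea in the comment above, as an added example (not Okta's or any vendor's code): SMS stays advertised as a factor, a real code is still sent so the requester sees nothing unusual, but for users who enrolled it as a canary any use of it only records an alert and never grants access. The alert sink (a list on the user object) and the absence of a real SMS gateway are stand-ins.

```python
"""Canary SMS factor, an added example of the tripwire idea in the comment above.

Not Okta's or any vendor's code. The service keeps advertising SMS as a factor,
but for users who enrolled it as a canary it can never grant access: any use of
it is treated as evidence the phone number was captured, and an alert with the
request context is recorded for the SOC. The alert sink is a list on the user
object and the SMS gateway is not modelled; both are stand-ins.
"""
from dataclasses import dataclass, field
import secrets

@dataclass
class User:
    name: str
    phone: str
    canary_sms: bool  # True: SMS is a tripwire, not a real second factor
    alerts: list = field(default_factory=list)

def request_sms_code(user, request_ip, user_agent):
    """Issue the one-time code the gateway would deliver to user.phone.

    A genuine code goes out, so whoever holds the number sees nothing odd;
    the alert fires on the request itself, before any code is entered.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    if user.canary_sms:
        user.alerts.append({"event": "canary_sms_requested", "user": user.name,
                            "ip": request_ip, "user_agent": user_agent})
    return code

def verify_sms_code(user, submitted, issued):
    """True only when SMS is a genuine factor for this user and the code matches."""
    matched = secrets.compare_digest(submitted, issued)
    if user.canary_sms:
        # A correct code proves the message was read, not merely requested.
        user.alerts.append({"event": "canary_sms_submitted", "user": user.name,
                            "code_matched": matched})
        return False  # the tripwire factor never authenticates
    return matched
```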
