AS DEFENSES INCREASE, other avenues of attack are unlocked as being cost-effective and needed. Suddenly your uniquely strong defense is the norm and defeating it is too.

The point is staying ahead of the curve. We are now at the stage where attackers invest in durable telco compromise to allow attackers in.

You MUST respond.

@SwiftOnSecurity Is having a sufficiently strong PIN set up with our mobile carrier account’s sign-on a sufficient deterrent to unauthorized SIM jacking attacks?

@SwiftOnSecurity Pretty sure the SEC just had a scheduled tweet that published before it should have lol, if that's what your post subtly references. But, they blame it on "hackers" so they're not guilty of accidentally manipulating the market.

Everything you stated is correct and I appreciate the PSA.

@SwiftOnSecurity I'm just going to pretend that as a Google Fi customer I'm safe because it's impossible for hackers to reach a human being at Google to compromise.

@SwiftOnSecurity ffn hell, a new vendor risk management threat many will not be prepared for...

maybe this is the business case hardware MFA keys have been waiting for?

@SwiftOnSecurity

So I understand the seriousness and the urgency but could you run that down again for us layman?

@SwiftOnSecurity Ugh, I'm trying to think of effective mitigation for services that FORCE phone number based recovery, and coming up dry. I've encountered several services like this and desperately wish there was a solution.

@SwiftOnSecurity for T-Mobile USA users: enable the free Takeover Protection add-on in your T-Mobile account. While they don't specify what exact measures that activates, it has to be more secure than the default that allows a call to customer service to do anything the attacker wants.

As always, make sure you have a strong password, a PIN, and randomly generated security answers stored in your trusted password manager.

@SwiftOnSecurity
Does your message concern all providers in all countries? What are concrete steps everyone should take?

@SwiftOnSecurity

I use 2 Factor Crows that go to and fro Redmon direct, tyvm.

@SwiftOnSecurity What's recommended instead of telephony? 2FA is ubiquitous because everyone gets texts on their phones.

@SwiftOnSecurity does this mean that phone number based 2FA isn’t secure anymore? Would app based 2FA be better?

@SwiftOnSecurity the thing that sucks most about this is that many legacy financial system players, including essentially all banks, treat SMS or phone call-based 2FA as implicitly trustworthy and there's no way to tell them to stop using it for your account(s).

@SwiftOnSecurity be old, crotchety and never answer your phone.

And never, for any reason, give real information to a "free" social media site. Piss in the information pool at every possible opportunity. Fuck Zuck.

Melon Husk can eat shit.

LinkedIn can eat Melon Husk's shit.

Mmmmmm... tasty!

@SwiftOnSecurity Insiders at telcos should be the final nail in the coffin for SMS 2FA. It just isn’t safe.

@SwiftOnSecurity

I am pretty sure this is why X said that SEC did not have MFA activated "at the time".

@SwiftOnSecurity ah, so letting phone companies bully and manipulate us into making phone numbers sometimes the *only* available form of 2FA may have backfired? Astounding

@SwiftOnSecurity
2FA is the opposite of compartmentation, one of the basic principles of security.
It's good for governments, corporations, and attackers, not so much for customers.

@SwiftOnSecurity Wow.

@SwiftOnSecurity The downside of paying someone fuck all is it only takes a little bit more than fuck all to buy them off.

In other words: raising wages in the states would be a net benefit to (national|personal|business) security.

@SwiftOnSecurity you ever wish you worked for Okta and could just... turn on false SMS verification for all users... just to catch this behavior? (as a massive network telescope)

"sure, SMS is on, want to try it?"

and it might actually text the user a real code, but emails them / alerts their SOC going "uh... remember when you turned on 'fake 2fa'? someone's swapped your number"