Email or username:

Password:

Forgot your password?
SwiftOnSecurity's posts Post Back to profile
Top-level
░▒▓ Logis ▓▒░ :donor:

@SwiftOnSecurity I was sim hijacked a few years ago. Within 10minutes they got into my email and pivoted to coinbase. And the only thing that saved me was that account was non SMS 2 factor

11 January at 4:06 | Wall-to-wall | Open on infosec.exchange
4 comments
Fishd

@L0G1S @SwiftOnSecurity Given the wide availability of alternative 2fa methods, it's hard to see firms that only offer SMS as anything other than complacent or complicit.

11 January at 8:36 | Open on infosec.exchange
Andrew Feeney

@L0G1S @SwiftOnSecurity I hear a lot about Sim hijacking in the states but less so in Australia. This is anecdotal of course. Does anyone know if it’s just as easy to do in Australia?

11 January at 8:41 | Open on phpc.social
🔗 David Sommerseth

@andrewfeeney @L0G1S I dunno about the approach @SwiftOnSecurity describes.

But the IMSI catchers are "affordable" these days.

arstechnica.com/information-te

With an IMSI catcher you can also snitch up SMSes. And the SS7 signalling system typically used between telco companies to enable communication between phone subscribers regardless of the network they are connected to is riddled with security issues.

Basically consider all phone network communication to be broken by default. And make use of proper #E2EE on top of that network instead. E2EE gives you a protection which does not depend on your communication channel itself to be secure.

@andrewfeeney @L0G1S I dunno about the approach @SwiftOnSecurity describes.

But the IMSI catchers are "affordable" these days.

arstechnica.com/information-te

With an IMSI catcher you can also snitch up SMSes. And the SS7 signalling system typically used between telco companies to enable communication between phone subscribers regardless of the network they are connected to is riddled with security issues.

11 January at 8:49 | Open on infosec.exchange
Infoseepage #StopGazaGenocide

@L0G1S @SwiftOnSecurity I really, really prefer non-sms based 2fa. Once they've got your phone and email, most services will allow attackers to do password resets without anything else. They're the twin keys of the castle and in most cases you only need one or the other. I've seen so many people get owned top to bottom because of this shit. Hardware tokens all the way.

11 January at 8:59 | Open on mastodon.social
Go Up