PSA: Avoid SMS two-factor Authentication if you can

Why one shouldn't depend on SMS two-factor authentication.

Another Article.

Really disappointing that online services still push the dependency on SMS two-factor authentication even though the vulnerabilities of this form of authentication have been well documented.

Comments

  • What solution do you propose instead?

    • -1

      Not have TFA at all.

      • Yes this is also a good option, if you remember your password and treat your passwords as disposable.

    • +2

      Great advice from the Department of Defence. For consumers, there's applications like Google Authenticator/Service's own authentication token software or hardware devices like Yubikey/Ledger Nano S.

      • Yeah, this is always the option that I take if it's offered.

        I also like how some services eg. CommBank send their TFA as an application notification if you have it enabled.

  • It's really annoying that WestPac only have this type of TFA and not something like Google Authenticator.

  • -6

    I'm not clicking those links, give me a summary of the contents.
    I don't visit the Ozbarg forum to go to other sites.

    • +1

      ‘These people are professionals’: Mobile porting a potential gold mine for fraudsters

      LISA got a surprising text from her mobile provider. Then came the Netbank notifications. And then her phone completely lost service.

      ON MONDAY morning at 11.02am Sydney woman Lisa Johnston answered the phone with the same greeting she always does.

      “Hello, Lisa speaking,” she said. But the caller immediately hung up. It was a bit strange, but she got on with her busy day.

      At 6.59pm that night she got a text message from Optus, telling her that her mobile number had been ported across to a different carrier, or more accurately stolen by someone wanting to ransack her bank account.

The message urged her to call the company if she didn’t request the number to be ported out.

      “I couldn’t even contact them through my mobile because I’d lost service,” she told news.com.au. “I called literally two minutes (later), as soon as it happened.”

      But the damage was done and she quickly received notifications from her Netbank app confirming transactions she didn’t make.

      “Pretty much immediately I had $1000 taken out of my Netbank account and another $180 through BPay to buy a Telstra prepaid card or something,” she said.

      Ms Johnston, 34, owns a marketing agency in Drummoyne, Sydney, called Chatter Brand Experience and has a number of business accounts used for clients and staff. She had to freeze all of them, as well as her own personal bank accounts to prevent further theft.

      “I have 120 staff I have to pay. This week is our main pay run and I’ve frozen all my bank accounts,” she lamented.

      She spent all Monday night on the phone trying to stem the damage done to her business and get her mobile number back, which had been moved across to Vodafone.

      It can take surprisingly little information to port-out a mobile number to a different carrier. Ms Johnston was told by an Optus staff member that it only requires someone’s name, address and date of birth to move a number across.

      Many victims report having had their mail stolen, an easy way for fraudsters to get the details they need like names and account numbers.

      Given that important personal accounts like email and banking apps often rely on two-factor authentication for security, which involves receiving a text message code to log into the account, pinching someone’s mobile phone number can give criminals serious access to your digital life.

      It’s a typical tactic for fraudsters to port-out the number at the close of business hours, particularly on a Friday afternoon making it more difficult for victims to contact the necessary customer services and halt the process, giving the fraudster time to exploit their window of opportunity.

      “These people are professionals,” Ms Johnston said, remarking on what felt like a clinical takeover of her accounts by criminals.

      “I am furious with Optus and Vodafone for not doing more thorough security checks, as the money that was taken is to pay my mortgage for the month.”

      On Tuesday morning she went into the Optus store and was told it would take four days to get her number back. She then went across the road to a Vodafone store and a staff member told her that a woman had stolen her identity, but they couldn’t tell her who.

      “Everyone just blames everyone,” Ms Johnston said. “Optus blames Vodafone. CommBank blames Optus. At the end of the day it is just a massive inconvenience and I don’t want anyone else to have to go through this.”

      HAPPENING ‘MORE THAN WE KNOW’

      Despite it being somewhat of a blind spot for telcos, they’ve been slow to act and introduce tougher default measures to mitigate against the threat of illegal porting.

Dr Terry Goldsworthy is a former detective inspector for the Queensland police who now works as an assistant professor at Bond University. He began researching the prevalence of illegal porting early last year but says reliable data is almost non-existent.

“No one seems to be collecting the data,” he told news.com.au in August. “At least no one who is willing to share.”

      Last year he delivered a talk on the topic of unauthorised mobile porting at the International Conference on Cybercrime and Computer Forensics in which he made the suggestion that there has been a regulatory failure in Australia when it comes to dealing with the issue.

      At the conference “I ran into a police source and he said they’re getting hundreds of them (porting complaints), mostly referred to them by the banks,” he said.

      He believes the problem is much greater than telcos are willing to admit.

      In April last year the NSW police created a phone porting category for complaints, however if they do get reported to police or consumer bodies most cases typically get filed as instances of generic fraud.

“The actual offence numbers are getting diluted,” Dr Goldsworthy said, because the complaints aren’t going to a single body.

      “I’m sure it’s happening more than we know.”

      ‘THE THREAT LEVEL IS CHANGING’

      Ms Johnston’s story certainly isn’t unique.

      The same thing happened to Sydney woman Deborah Brodie and ABC journalist Tracey Holmes last year.

      Sydney woman Katie Fletcher, 30, had her Telstra number illegally ported an astonishing four times in the span of 18 months before switching carriers. After stealing her number, hackers were able to gain access to her e-mails and from there collect personal details of her contacts and begin hacking their accounts, causing friends to have thousands pilfered from their bank accounts.

      Judging by online discussions, fraudulent porting of mobile numbers is a criminal tactic that’s been going on for some time. But the telcos say their security measures are up to regulatory standard.

      When contacted by news.com.au about Ms Johnston’s case, Optus said “it follows industry agreed processes to validate the porting of numbers.”

      “The protection of customers’ information is a critical priority for Optus and we apologise for our customer’s experience,” a spokesperson said, adding “this type of fraud is usually precipitated by identity theft.”

      Optus called the issue “complex” and said it was “working directly with the customer to have them ported back to Optus as soon as possible.”

      Most consumers opt for electronic mail these days, limiting the chance for thieves to pinch their mail and get the information they need to then steal someone’s mobile number, but often the necessary details can be found on social media.

      Speaking to news.com.au in June about the prevalence of unauthorised porting, a Telstra spokesperson said: “We recognise the threat level is changing given the increased availability of individual’s personal information (eg, date of birth) on social media and other open platforms. In order to meet this challenge, we are working to strengthen our identification and verification procedures even further.”

      Telstra said it was implementing a new process to notify customers about requests to port their number and establish a dedicated support team to manage customers who become victims of suspected fraud.

      However nearly 11 months on, at the time of publication, it could not provide any concrete examples of changes it had made.

      tl;dr don't use SMS TFA

      • +2

        tl;dr don't use SMS TFA

        I think that should be, if SMS 2FA is the only option available, definitely use it if the only alternative is no 2FA whatsoever.

        But if you can use more secure options like app-based 2FA, use that over SMS 2FA.

  • So if you enter a password, then you receive an SMS, is that still problematic?

    • +3

      The issue is many sites allow you to reset your password via SMS authentication, so the answer to your question is yes.

      • Ah. Fair enough. Thanks for the reply :)

  • I thought to port your mobile number you also required a form of ID such as a drivers licence or Medicare card.

    • +1

      Nope

    • +3

      To port a prepaid number, the date of birth on each account must match.
      To port a postpaid number, the account number is all that is technically required.

Of course, in order to sign up for either a prepaid or a postpaid service, which is the first step before the port, you do require ID. But once the service is live, you can request a port without ID (beyond proving that you own the service to which you are porting the number).
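The two points made above, that a site which lets you reset your password with an SMS code has effectively collapsed its SMS 2FA to a single factor, and that a hijacked number can cascade from the mailbox into everything else, can be checked mechanically. The following is an added example written for this page, not code from any of the services named in the thread. The policy rules, factor names ("phone_number", "email_mailbox", "totp_device", and so on) and the three policies are hypothetical illustrations, not descriptions of any real site's recovery flow.

```python
"""
Added example (not from the forum thread): a small dependency model of how an
account can be reached, used to show why SMS-based password reset turns a
ported-out phone number into a single point of compromise.

All policy names, factor names and rules below are hypothetical.
"""
from itertools import combinations

# Capabilities an attacker obtains out of band (port-out fraud, phishing,
# mailbox compromise, device theft). Everything else is derived from these.
PRIMITIVES = {"phone_number", "password", "email_mailbox", "totp_device"}

# A policy maps a capability to the list of requirement-sets that grant it.

# Policy 1 (hypothetical): SMS second factor, password reset by SMS code alone.
SMS_2FA_SMS_RESET = {
    "sms_code": [{"phone_number"}],          # codes are delivered to the number
    "password": [{"sms_code"}],              # "forgot password" verified by SMS
    "session":  [{"password", "sms_code"}],  # login = password + SMS code
}

# Policy 2 (hypothetical): SMS second factor, reset needs the mailbox as well.
SMS_2FA_MAIL_RESET = {
    "sms_code": [{"phone_number"}],
    "password": [{"email_mailbox", "sms_code"}],
    "session":  [{"password", "sms_code"}],
}

# Policy 3 (hypothetical): authenticator app; reset needs mailbox plus the app.
TOTP_2FA = {
    "totp_code": [{"totp_device"}],
    "password":  [{"email_mailbox", "totp_code"}],
    "session":   [{"password", "totp_code"}],
}


def reachable(policy, held):
    """Fixed-point closure: keep deriving capabilities until nothing changes."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for cap, alternatives in policy.items():
            if cap in held:
                continue
            if any(reqs <= held for reqs in alternatives):
                held.add(cap)
                changed = True
    return held


def can_take_over(policy, held, target="session"):
    """True if an attacker holding `held` can reach `target` under `policy`."""
    return target in reachable(policy, held)


def minimal_takeover_sets(policy, target="session"):
    """Smallest sets of primitives that suffice to reach the target."""
    used = sorted(p for p in PRIMITIVES
                  if any(p in reqs for alts in policy.values() for reqs in alts))
    found = []
    for size in range(1, len(used) + 1):
        for combo in combinations(used, size):
            candidate = set(combo)
            if any(m <= candidate for m in found):
                continue  # a smaller set already suffices; not minimal
            if can_take_over(policy, candidate, target):
                found.append(candidate)
    return found


def with_sms_mail_recovery(policy):
    """Variant where the mailbox itself can be recovered with an SMS code:
    the phone -> email -> everything cascade described in the thread."""
    weaker = {cap: [set(r) for r in alts] for cap, alts in policy.items()}
    weaker.setdefault("email_mailbox", []).append({"sms_code"})
    return weaker


if __name__ == "__main__":
    attacker = {"phone_number"}  # what port-out fraud gives the attacker
    for name, policy in [("SMS 2FA + SMS reset", SMS_2FA_SMS_RESET),
                         ("SMS 2FA + mail reset", SMS_2FA_MAIL_RESET),
                         ("SMS 2FA + mail reset, mail recoverable by SMS",
                          with_sms_mail_recovery(SMS_2FA_MAIL_RESET)),
                         ("TOTP app", TOTP_2FA)]:
        print(f"{name}: phone number alone takes over account? "
              f"{can_take_over(policy, attacker)}; "
              f"minimal sets: {minimal_takeover_sets(policy)}")
```

Running it shows that under the first policy the phone number alone is a complete takeover, under the second it is necessary but not sufficient (every minimal set still contains it), and that weakening the mailbox's own recovery to SMS brings the single-factor takeover straight back. The closure is deliberately naive; it models who holds what, not the rate limits or fraud checks a real site might add on top.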
