Douchebag 2.0—an Elon Musk company

$60M/yr is a lot of texts. Like, a lot. SMS services like Twilio's basic tier cost ~$0.0075 per text. It's basically texting everyone in the world once. Or, put another way, it's texting every possible ten-digit phone number every other year.

lol billionaire brain basically

https://twitter.com/SaeedDiCaprio/status/1627095174416601093

4 Likes

I mean that is pretty apt seeing as all he has ever done in life is take credit for the work of others.

2 Likes

People shouldn’t use SMS 2FA and it would be cool if Dumblenuts would brainwash his sycophants into using an authenticator app but lolElmo I’m sure will find a way to convince people that MFA is some woke pedophile thing instead.

As with Trump instead of “debunking” all his bullshit just always assume he’s lying. You’ll save a ton of time and irritation and almost always be right anyway.

Is SMS 2FA worse than single FA?

No, I’d say SMS 2FA is significantly better than traditional 1FA (username/pass), but significantly worse than authenticator-based or FIDO key, etc.

Might use like a cool mil of that and work on bringing that number down.

Based on this, other companies have moved away from SMS 2FA to the other, more secure measures. But they did it over months and even years.

Twitter just pulls the rug halfway. Apparently they are rolling out 2FA changes in March. Regardless, Twitter insists on taking the worst road possible for every change.

It is unclear what will happen if users do not disable SMS two-factor by the new deadline. The in-app message to users implies that people who still have SMS two-factor turned on when the change officially happens on March 20 will be locked out of their accounts.

As of 6 months ago (things change fast), most SMS hacks happen to T-Mobile customers through one of two methods:

  1. Hacker walks into a T-Mobile store or calls customer service, claims to have lost their phone, and a T-Mobile employee (who may be paid off) switches the phone number to a new phone. (This method also happens with AT&T sometimes. Verizon seems pretty solid.)

  2. “Runner” walks into a T-Mobile store, grabs the iPad from the manager’s hand, and runs out. The runner hands off the iPad to a hacker who has a list of phone numbers to SIM swap, from other hackers that he’s coordinating with. They have about 10 minutes to do all the damage they can before the iPad is deactivated by T-Mobile corporate security.

In both cases it’s really only worth doing this to steal crypto, or possibly for a super desirable twitter handle like @bob.

There was a way a hacker could fill out and fax in a paper form, pretending to be a third-party texting service, and just take over the text function only on a SIM. But that was over a year ago and there was a lot of hullabaloo, so I assume that hole has now been plugged.

We have a PIN on our AT&T account, they won’t let us do jack shit without supplying it.

A lot of security people seem to think super-strong unique passwords are better than SMS 2FA. The problem is password reset. Once you give a site your mobile number and verify it, you’re vulnerable to SIM swap and there’s nothing you can do about it, except maybe switch to Verizon.

There are ways around the PIN if you have enough information and/or paid off insiders.

So, I’ll break it down to you based on carrier. So, T-Mobile at the moment costs you about $5,000 per swap. If they’re a fraud victim, then it costs you $7,500. A fraud victim has special protections on their account, but they’re still bypassable. Verizon is going to cost you upwards of probably $50,000. Verizon is extremely well secured, but it’s still possible if you have the right equipment. Like, you need a branch manager login, which is a very high position. So, you need to be able to pay off that Verizon manager a lot, and you can’t hack them. You can’t – it appears, right now. I could be wrong. Maybe we’ll find new findings. But they pretty – you literally just need an insider. You can’t rat him or anything. For AT&T, I think that people are starting to decrease their prices down to $4,000, $2,000…$2,000 to $3,000 because their opus tool is not too secure.

He sued AT&T for $200 million, claiming the person who talked with him on the phone said his phone number is secure and cannot be SIM-swapped, yet it was. He wants AT&T to admit that they are the biggest reason why his money was stolen. However, the judge dismissed the case.

T-Mobile has endless horror stories of people with PINs and specific “DO NOT SWAP” instructions on their accounts still getting swapped. I went down a rabbit hole on this stuff after it happened to my friend, who had his bank account and Coinbase drained. Florida (shocker) seems to be a hotspot for in-store shenanigans.

But again, unless you have a bunch of crypto on a major exchange like Coinbase, most likely nobody is going to that trouble to target you.

Super strong unique passwords and SMS 2FA aren’t mutually exclusive. You definitely should have a complex, long, and unique passphrase for all services. And then on top of that, strong 2FA method >>> weak 2FA method >>>>>>>>> no additional factor, imo.

The password is irrelevant if the 2FA is SIM-swapped. If SMS 2FA is allowed for password reset, it literally opens a new hole that wasn’t there before.
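A toy model of that argument, added here as an example (not from anyone in this thread): it enumerates which factors an attacker must hold to take over an account under three recovery policies, treating "sim" as control of the victim's phone number after a SIM swap. The policy names and factor labels are my own assumptions, not any real site's configuration.

```python
# Added example: model account-takeover paths under different reset policies.
# Constructed factor labels; "sim" = attacker controls the victim's phone number.
from itertools import combinations

FACTORS = ("password", "sim", "authenticator", "email")

def login_ok(held, policy):
    """Attacker passes the login step if they hold every required login factor."""
    return all(f in held for f in policy["login"])

def reset_ok(held, policy):
    """Attacker completes 'forgot password' if any reset path is fully held."""
    return any(all(f in held for f in path) for path in policy["reset"])

def can_take_over(held, policy):
    """Takeover = log in directly, or reset the password and then log in."""
    held = set(held)
    if login_ok(held, policy):
        return True
    if reset_ok(held, policy):
        # A successful reset hands the attacker the password factor.
        return login_ok(held | {"password"}, policy)
    return False

def minimal_compromises(policy):
    """Smallest factor sets that suffice for takeover (supersets are dropped)."""
    found = []
    for n in range(1, len(FACTORS) + 1):
        for combo in combinations(FACTORS, n):
            if can_take_over(combo, policy) and not any(set(f) <= set(combo) for f in found):
                found.append(combo)
    return found

def sim_swap_alone_suffices(policy):
    """Does holding only the phone number give full account takeover?"""
    return can_take_over({"sim"}, policy)

# Policy A (the hole described above): password + SMS code to log in,
# but "forgot password" is satisfied by the SMS code alone.
POLICY_SMS_RESET = {"login": ("password", "sim"), "reset": [("sim",)]}
# Policy B: same SMS login, but reset needs the email link AND the SMS code.
POLICY_STRONGER_RESET = {"login": ("password", "sim"), "reset": [("email", "sim")]}
# Policy C: authenticator app instead of SMS; reset needs email + authenticator.
POLICY_TOTP = {"login": ("password", "authenticator"), "reset": [("email", "authenticator")]}

if __name__ == "__main__":
    for name, pol in [("SMS reset", POLICY_SMS_RESET), ("email+SMS reset", POLICY_STRONGER_RESET), ("TOTP", POLICY_TOTP)]:
        print(name, "->", minimal_compromises(pol), "| SIM alone:", sim_swap_alone_suffices(pol))
```

Under policy A the password never appears in any minimal set, which is exactly the "password is irrelevant" point; under B and C a SIM swap on its own is not enough.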

Somehow those darn hackers figured out my mom’s super secure password system of using the same base password plus the site name. My mom would clearly be better off with 2FA. Others using truly strong, unique passwords might not.

What’s annoying is when banks allow no other method but SMS 2FA.

You’d have to be able to accurately measure the risk of being victimized by a SIM swap attack vs. the more traditional accidental disclosure of credentials via phishing, keyloggers, social engineering, etc. to really figure that out.

Either way, if you are remotely concerned you shouldn’t be using SMS 2FA anyhow. I think we would both agree there, and would advise someone to select a financial institution with better security principles if that is the only option available.

This is why Apple, Google and Microsoft are working on passwordless passkeys.

Eventually when they get the standards set, we will start seeing a transformation.

One thing I learned the hard way is that a sudden phone number change is really annoying with SMS 2FA.

2 Likes

Looks like Twitter added a new feature:

https://twitter.com/nycsouthpaw/status/1627841300883030016

The message doesn’t link to anything, so not sure how that message is supposed to help you “find out more.”

Here is the tweet at issue if you want to see what happens if you like it: https://twitter.com/BradMunchen/status/1627663915705593862

In the browser I could bring it up and like it without any warning.