Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Almighty Buck Privacy Security

PayPal and Venmo Are Letting SIM Swappers Hijack Accounts (vice.com) 42

An anonymous reader quotes a report from Motherboard: Several major apps and websites, such as Paypal and Venmo have a flaw that lets hackers easily take over users' accounts once they have taken control of the victim's phone number. Earlier this year, researchers at Princeton University found 17 major companies, among them Amazon, Paypal, Venmo, Blizzard, Adobe, eBay, Snapchat, and Yahoo, allowed users to reset their passwords via text message sent to a phone number associated with their accounts. This means that if a hacker takes control of a victim's cellphone number via a common and tragically easy to perform hack known as SIM swapping, they can then hack into the victim's online accounts with these apps and websites.

Last week, two months after their initial outreach to the companies to report this flaw in their authentication mechanisms, the Princeton researchers checked again to see if the companies had fixed the problem. Some, including Adobe, Blizzard, Ebay, Microsoft, and Snapchat, have plugged the hole. Others have yet to do it. Paypal and Venmo, given that they are apps that allow users to exchange money and are linked to bank accounts or credit cards, may be the most glaring examples. Motherboard verified this week that it's possible to reset passwords on Paypal and Venmo via text message.
Fear not, there is a solution. "The easiest way to make it impossible for SIM swappers to take over your accounts after they hijack your number is to unlink your phone number with those accounts, and use a VoIP number -- such as Google Voice, Skype, or another -- instead," reports Motherboard. "Google Voice numbers, given that they're not actually linked to a real SIM card, are much harder to hijack."
This discussion has been archived. No new comments can be posted.

PayPal and Venmo Are Letting SIM Swappers Hijack Accounts

Comments Filter:
  • I didn't think that voip numbers would be a good way to receive SMS messages. That might imply that SMS can, when properly set up by the user, be a best of both worlds form of 2FA.

  • I try to maintain two e-mail accounts for banking vesrus not banking. I put the non-banking one on my phone and I also let my computer memorize passwords. But I do not put the banking e-mail on my phone nore do I let my computer memorize the passwords.

    But this is REALLY hard. the problem is that you wind up not carefully monitoring the banking one because of the manual log in.

    I wish that banks would let you enter two e-mail addresses. One for "password resets" and "things that move your money", and one

    • My second gripe is that with voip you often don't get text. And sites don't offer password reset by phone call.

      Additionally if you do set up a voip on your phone then you are back to the same problem even if you use a voice password reset: If you granted the voip apps the ability to due notifications on the home screen then when the evil doer requests the passwrd reset the damn phone rings and lets them reset it.

  • by sinij ( 911942 ) on Monday April 06, 2020 @02:15PM (#59914384)
    Phone number was never suitable as the definitive method of authentication. At best, it is a weak second factor.
  • All these companies insisting on a cell number. The California Department of Motor Vehicles requires one to create an online account. It's just stupid.

    • by PPH ( 736903 )

      All these companies insisting on a cell number

      They insist on a phone number. Which, unless they actually try to use at that time to complete an SMS based transaction, they have no way of knowing that it isn't a plain old land line.

  • What about a Google Voice number makes it harder to associate a SIM with? It seems like with number portability it should work about the same where you could add a SIM that number was assigned to?

    • by xwin ( 848234 )
      They do not have a live person that you can call and convince to transfer you number to another SIM.
      • by PPH ( 736903 )

        Call forwarding hacks? These will even work on POTS lines, where the service calls you back and reads a one-time code to be used to complete a transaction.

      • by gweihir ( 88907 )

        They do not have a live person that you can call and convince to transfer you number to another SIM.

        Ah, so the security advantage of Google is due to worse customer service? Makes some sense, worse service is worse service for the attackers too.

  • by OverlordQ ( 264228 ) on Monday April 06, 2020 @02:21PM (#59914408) Journal

    That is all.

    • What is? (Score:4, Interesting)

      by rsilvergun ( 571051 ) on Monday April 06, 2020 @05:13PM (#59915130)
      Serious question, what is? I guess you could have apps, but having tried Google Authenticator it's a pain to use and a nightmare when you switch phones.
      • The three categories of factors are something you know (a password), something you are (typically biometrics like fingerprints, retina scan, etc.), and something you have (a piece of hardware that can generate codes or keys without any kind of connection to anything else).

        SMS only kind of falls into the third category, for the reason described in the article - the factor isn't really your phone because of the ease with which someone can make the factor a different phone without your knowing about it.
    • by gweihir ( 88907 )

      Well, it is a weak one. As long as you limit it to that, it is fine. As soon as everything rests on it, it is decidedly not. Also, it must not go to the same device as the service it is used as 2nf factor for.

    • The big problem here is that with PayPal's setup, once you can get the SMS you don't need the password. You can use the SMS to resrt the password. So the SMS becomes the ONLY factor, not the second factor.

      I'm security professional by trade. Starting with strong passphrases first, depending on the security needs of the system I'm fine with also requiring SMS as the SECOND factor in many cases. Not as the one and only factor. Consider Slashdot login for example. If logging into Slashdot required your passwo

  • Peepaws let muggers mug them.

    I'm sorry but nobody 'lets' anybody do something.

    • by sinij ( 911942 )
      Sure, the technically accurate term is criminal negligence. Like bank leaving the doors and bank vault wide open overnight, every night.
  • by Sebby ( 238625 ) on Monday April 06, 2020 @02:26PM (#59914424)

    among them Amazon, Paypal, Venmo, Blizzard, Adobe, eBay, Snapchat, and Yahoo

    Yes, Yahoo is another one that insists on not implementing software/hardware tokens, instead trying to push you to use their crappy Yahoo Mail mobile app for 'safe' authentication (which I refuse to install).

    PSA: use twofactorauth.org [twofactorauth.org] to see which services provide proper auth support and where to look up the instructions for enabling it for each service (where available).

  • Fear not, there is a solution. "The easiest way to make it impossible for SIM swappers to take over your accounts after they hijack your number is to unlink your phone number with those accounts, and use a VoIP number -- such as Google Voice, Skype, or another -- instead," reports Motherboard.

    Better solution is to not give out your (mobile) phone number.

    • by Sebby ( 238625 )

      Better solution is to not give out your (mobile) phone number.

      I agree, but some shitty services **cough**Yahoo**cough** don't offer hardware/software tokens, nor do they accept VoIP numbers that support SMS. So you're either stuck providing another (mobile) number, or installing their own crappy apps to do any other type of auth.

      • I agree, but some shitty services **cough**Yahoo**cough** don't offer hardware/software tokens . . .

        So why then are you using Yahoo?

        • by Sebby ( 238625 )

          So why then are you using Yahoo?

          Because I've had an email with them since, like, 1999 (or whenever they were 'new' I guess - well before anything beyond basic password authentication existed), and still get email through it (legacy thing, basically). But I'm seriously looking at just dropping it (just a lot of pain to get done, that's all).

  • choose carefully (Score:4, Insightful)

    by hdyoung ( 5182939 ) on Monday April 06, 2020 @02:50PM (#59914516)
    If only we could set up a series of financial institutions that are explicitly designed to safely, reliably and easily handle money and financial transfers. They could do their business over the phone and internet, but also have a series of physical locations in order to reach most of the population.

    Even better, we'll require them, by law, to implement multiple layers of security that'll make it extremely difficult for people to steal money from others. The laws can be structured such that if the institutions implement poor security, they're responsible for covering the financial losses of individuals. Perhaps, up to around $150,000 or so. This way, all the lower and middle class people are totally safe. And the institutions have an incentive to take security seriously.

    We can call these institutions "banks". If only someone would set up something like this, our society would be so much better off.

    Nah, that's a pipe dream. Let's all use the most recent app-of-the-month or under-regulated internet company to handle our money. That should be fine.
  • There appears to be no way to convince them to let me use it even though my Google Fi phone works great for SMS, phone calls, etc.

  • Thanks for reminding me!

  • by DontBeAMoran ( 4843879 ) on Monday April 06, 2020 @03:15PM (#59914628)

    Stop using phone/SMS/text as a security system. Even if they were 100% secure, phone companies have help desk employees that will be duped and that's how you lose security.

  • If you want to enable 2-Factor on your ebay or PayPal account, you have to enter the second factor EVERY time you login. There is no option to remember your device. For some people, I suspect that this was enough of an inconvenience to disable 2-Factor.
  • At least that seems to be what the article suggests. Or is the idea to have VoIP go to a desktop computer while you use an app for access? Something is broken here...

  • Iâ(TM)m already seeing strong pushback at work against using phone numbers for 2FA. I expect that it is only a matter of time before the industry stops considering phone numbers as acceptable for 2FA at all.

    At this point using a phone number as your second factor is bound to get someone sued for negligence before long. As memooserves that already happened with some of the bitcoin wallet heists.

  • You can do this with Instacart Shopper. In my case, I had a former user's phone number.

    A while back, I wanted a new phone number with a local area code and whatnot. I went to my phone store and got a new SIM & phone number.
    Later, I decided that I wanted to make some extra money. I downloaded Instacart Shopper. I was told I already had an account.

    I told myself, "Let's login to my account, then." I logged in. The ability to receive a text message counted as a password.

    I was greeted with a photo, e-mail,

  • Email is safer if you have a properly setup email service with real 2FA like a security key or TOTP. For many of these sites using SMS, not even enabling 2FA and just using email based password resets is the safest route.

"When it comes to humility, I'm the greatest." -- Bullwinkle Moose

Working...