PayPal and Venmo Are Letting SIM Swappers Hijack Accounts (vice.com)
An anonymous reader quotes a report from Motherboard: Several major apps and websites, such as Paypal and Venmo have a flaw that lets hackers easily take over users' accounts once they have taken control of the victim's phone number. Earlier this year, researchers at Princeton University found 17 major companies, among them Amazon, Paypal, Venmo, Blizzard, Adobe, eBay, Snapchat, and Yahoo, allowed users to reset their passwords via text message sent to a phone number associated with their accounts. This means that if a hacker takes control of a victim's cellphone number via a common and tragically easy to perform hack known as SIM swapping, they can then hack into the victim's online accounts with these apps and websites.
Last week, two months after their initial outreach to the companies to report this flaw in their authentication mechanisms, the Princeton researchers checked again to see if the companies had fixed the problem. Some, including Adobe, Blizzard, Ebay, Microsoft, and Snapchat, have plugged the hole. Others have yet to do it. Paypal and Venmo, given that they are apps that allow users to exchange money and are linked to bank accounts or credit cards, may be the most glaring examples. Motherboard verified this week that it's possible to reset passwords on Paypal and Venmo via text message. Fear not, there is a solution. "The easiest way to make it impossible for SIM swappers to take over your accounts after they hijack your number is to unlink your phone number with those accounts, and use a VoIP number -- such as Google Voice, Skype, or another -- instead," reports Motherboard. "Google Voice numbers, given that they're not actually linked to a real SIM card, are much harder to hijack."
Interesting idea (Score:1)
I didn't think that voip numbers would be a good way to receive SMS messages. That might imply that SMS can, when properly set up by the user, be a best of both worlds form of 2FA.
(((Google))) is always the correct answer, goyim. (Score:5, Informative)
Isn't it odd how (((Google))) is always the correct answer to every problem which bedevils society?
For instance, after decades of swearing up and down that (((they))) would never ever ever ever surrender your user data, suddenly the prim & proper & correct course of action is for (((Google))) to release ALL of your user data to EVERY government in the world [slashdot.org].
A cynical goyische heifer might start wondering whether (((Google))) manufactures the crises AND the solutions to the crises AND the media propaganda designed to lure the goyische cattle into adopting the solutions.
But I imagine most goyische heifers will simply hang their heads & shrug their great big bovine shoulders & dutifully join the line heading into the kosher slaughterhouse.
Venmo doesn't let you use GVoice numbers, schmucks (Score:1)
Venmo won't let me use my Google Voice (ringcentral) number at all.
Re: (Score:3)
Can confirm - ran into the same problem when I set up Venmo.
Even more irritating is that while I have a Paypal security key (generates a token), I cannot disable text message authentication.
My gripe with password resets (Score:2)
I try to maintain two e-mail accounts for banking versus not banking. I put the non-banking one on my phone and I also let my computer memorize passwords. But I do not put the banking e-mail on my phone nor do I let my computer memorize the passwords.
But this is REALLY hard. The problem is that you wind up not carefully monitoring the banking one because of the manual log in.
I wish that banks would let you enter two e-mail addresses. One for "password resets" and "things that move your money", and one
Re:My gripe with Voip solutions (Score:2)
My second gripe is that with voip you often don't get text. And sites don't offer password reset by phone call.
Additionally if you do set up a VoIP on your phone then you are back to the same problem even if you use a voice password reset: If you granted the VoIP apps the ability to do notifications on the home screen then when the evil doer requests the password reset the damn phone rings and lets them reset it.
Re: (Score:2)
Set up a Mint account. You can't touch your money but the OAuth link will let you see every transaction and monitor your purchases/deposits.
Re: (Score:2)
Can you explain OAuth?
Leaving the key under the doormat (Score:3)
I get nagged every time by Paypal for cell number (Score:3)
All these companies insisting on a cell number. The California Department of Motor Vehicles requires one to create an online account. It's just stupid.
Re: (Score:3)
All these companies insisting on a cell number
They insist on a phone number. Which, unless they actually try to use at that time to complete an SMS based transaction, they have no way of knowing that it isn't a plain old land line.
Why are they harder to hijack? (Score:2)
What about a Google Voice number makes it harder to associate a SIM with? It seems like with number portability it should work about the same where you could add a SIM that number was assigned to?
Re: (Score:2)
Re: (Score:3)
Call forwarding hacks? These will even work on POTS lines, where the service calls you back and reads a one-time code to be used to complete a transaction.
Re: (Score:3)
They do not have a live person that you can call and convince to transfer your number to another SIM.
Ah, so the security advantage of Google is due to worse customer service? Makes some sense, worse service is worse service for the attackers too.
SMS is not valid 2FA ~nt~ (Score:4, Insightful)
That is all.
What is? (Score:4, Interesting)
Re: (Score:3)
SMS only kind of falls into the third category, for the reason described in the article - the factor isn't really your phone because of the ease with which someone can make the factor a different phone without your knowing about it.
So is there a solution? (Score:3)
Re: (Score:3)
Well, it is a weak one. As long as you limit it to that, it is fine. As soon as everything rests on it, it is decidedly not. Also, it must not go to the same device as the service it is used as 2nd factor for.
It's really bad as the only factor (PayPal etc). (Score:3)
The big problem here is that with PayPal's setup, once you can get the SMS you don't need the password. You can use the SMS to reset the password. So the SMS becomes the ONLY factor, not the second factor.
I'm a security professional by trade. Starting with strong passphrases first, depending on the security needs of the system I'm fine with also requiring SMS as the SECOND factor in many cases. Not as the one and only factor. Consider Slashdot login for example. If logging into Slashdot required your passwo
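The point made in this comment (a recovery flow that hands out a new password to whoever holds the phone number collapses "password + SMS" into "SMS only") can be checked mechanically. The following Python model is an added example, not code from this thread, from Motherboard, or from PayPal; the factor names ("password", "sms", "email", "totp", "backup_codes") and the two policies are assumptions chosen to illustrate the argument. It computes the closure of what a party can prove once recovery flows are taken into account, and then the smallest number of factors that suffices to sign in, which is the real factor count of the design rather than the advertised one.

```python
"""Effective-factor analysis of login + account-recovery policies.

Constructed example: factor names and policies are hypothetical and stand in
for the designs discussed in the thread (SMS-resettable password vs. a design
whose recovery flows never reduce to the phone number alone).
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Policy:
    # Every factor in `login` must be presented to sign in.
    login: FrozenSet[str]
    # Recovery flows: (factors the flow demands, factor it hands out).
    # ({"sms"}, "password") means "prove you receive texts at the number on
    # file and the service lets you set a new password".
    recovery: Tuple[Tuple[FrozenSet[str], str], ...] = ()


# Hypothetical "PayPal-style" design described in the comment: login asks for
# password and SMS code, but the reset flow issues a password to the SMS holder.
SMS_RESET = Policy(
    login=frozenset({"password", "sms"}),
    recovery=((frozenset({"sms"}), "password"),),
)

# Hypothetical hardened design: password reset goes through e-mail, the
# authenticator can only be replaced with pre-issued backup codes, and the
# phone number does not appear in any flow.
HARDENED = Policy(
    login=frozenset({"password", "totp"}),
    recovery=(
        (frozenset({"email"}), "password"),
        (frozenset({"backup_codes"}), "totp"),
    ),
)


def effective_factors(policy: Policy, held: FrozenSet[str]) -> FrozenSet[str]:
    """Fixed-point closure: repeatedly apply every recovery flow whose
    requirements are already met, adding the factor it grants."""
    gained = set(held)
    changed = True
    while changed:
        changed = False
        for needs, grants in policy.recovery:
            if needs <= gained and grants not in gained:
                gained.add(grants)
                changed = True
    return frozenset(gained)


def takeover_possible(policy: Policy, held: FrozenSet[str]) -> bool:
    """True if a party holding only `held` can satisfy the login requirement."""
    return policy.login <= effective_factors(policy, held)


def all_factors(policy: Policy) -> List[str]:
    """Every factor mentioned anywhere in the policy, sorted for determinism."""
    names = set(policy.login)
    for needs, grants in policy.recovery:
        names |= needs
        names.add(grants)
    return sorted(names)


def real_factor_count(policy: Policy) -> int:
    """Smallest number of factors that suffices to sign in once recovery flows
    are accounted for. 1 means the design is single-factor in practice."""
    factors = all_factors(policy)
    for size in range(1, len(factors) + 1):
        for combo in combinations(factors, size):
            if takeover_possible(policy, frozenset(combo)):
                return size
    return len(factors)  # only reached if login can never be satisfied


if __name__ == "__main__":
    phone_only = frozenset({"sms"})
    for name, policy in (("sms-reset", SMS_RESET), ("hardened", HARDENED)):
        print(f"{name}: holder of the phone number alone reaches "
              f"{sorted(effective_factors(policy, phone_only))}; "
              f"login satisfied = {takeover_possible(policy, phone_only)}; "
              f"real factor count = {real_factor_count(policy)}")
```

Running it reports that under the SMS-reset policy the phone number alone yields the password and therefore a complete login (real factor count 1), while under the hardened policy the phone number yields nothing and no single factor suffices (real factor count 2). The useful habit is to run this kind of closure over every recovery path a service offers, not just the login form, before calling a design two-factor.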
Banks let robbers rob them (Score:1)
Peepaws let muggers mug them.
I'm sorry but nobody 'lets' anybody do something.
Re: (Score:2)
Yahoo too (Score:3)
among them Amazon, Paypal, Venmo, Blizzard, Adobe, eBay, Snapchat, and Yahoo
Yes, Yahoo is another one that insists on not implementing software/hardware tokens, instead trying to push you to use their crappy Yahoo Mail mobile app for 'safe' authentication (which I refuse to install).
PSA: use twofactorauth.org [twofactorauth.org] to see which services provide proper auth support and where to look up the instructions for enabling it for each service (where available).
Better Solution (Score:2)
Fear not, there is a solution. "The easiest way to make it impossible for SIM swappers to take over your accounts after they hijack your number is to unlink your phone number with those accounts, and use a VoIP number -- such as Google Voice, Skype, or another -- instead," reports Motherboard.
Better solution is to not give out your (mobile) phone number.
Re: (Score:2)
Better solution is to not give out your (mobile) phone number.
I agree, but some shitty services **cough**Yahoo**cough** don't offer hardware/software tokens, nor do they accept VoIP numbers that support SMS. So you're either stuck providing another (mobile) number, or installing their own crappy apps to do any other type of auth.
Re: (Score:2)
I agree, but some shitty services **cough**Yahoo**cough** don't offer hardware/software tokens . . .
So why then are you using Yahoo?
Re: (Score:2)
So why then are you using Yahoo?
Because I've had an email with them since, like, 1999 (or whenever they were 'new' I guess - well before anything beyond basic password authentication existed), and still get email through it (legacy thing, basically). But I'm seriously looking at just dropping it (just a lot of pain to get done, that's all).
choose carefully (Score:4, Insightful)
Even better, we'll require them, by law, to implement multiple layers of security that'll make it extremely difficult for people to steal money from others. The laws can be structured such that if the institutions implement poor security, they're responsible for covering the financial losses of individuals. Perhaps, up to around $150,000 or so. This way, all the lower and middle class people are totally safe. And the institutions have an incentive to take security seriously.
We can call these institutions "banks". If only someone would set up something like this, our society would be so much better off.
Nah, that's a pipe dream. Let's all use the most recent app-of-the-month or under-regulated internet company to handle our money. That should be fine.
Venmo won't let me sign up with my Google Fi # (Score:2)
There appears to be no way to convince them to let me use it even though my Google Fi phone works great for SMS, phone calls, etc.
Just closed my Paypal acct. (Score:1)
Thanks for reminding me!
SMS authentication? (Score:4, Insightful)
Stop using phone/SMS/text as a security system. Even if they were 100% secure, phone companies have help desk employees that will be duped and that's how you lose security.
PayPal and ebay need to update their 2-Factor (Score:2)
So the fix for a weak 2nd factor is no 2nd factor? (Score:1)
At least that seems to be what the article suggests. Or is the idea to have VoIP go to a desktop computer while you use an app for access? Something is broken here...
Need to stop using phones for 2FA (Score:3)
I'm already seeing strong pushback at work against using phone numbers for 2FA. I expect that it is only a matter of time before the industry stops considering phone numbers as acceptable for 2FA at all.
At this point using a phone number as your second factor is bound to get someone sued for negligence before long. As memory serves that already happened with some of the bitcoin wallet heists.
Instacart Shopper (Score:2)
You can do this with Instacart Shopper. In my case, I had a former user's phone number.
A while back, I wanted a new phone number with a local area code and whatnot. I went to my phone store and got a new SIM & phone number.
Later, I decided that I wanted to make some extra money. I downloaded Instacart Shopper. I was told I already had an account.
I told myself, "Let's login to my account, then." I logged in. The ability to receive a text message counted as a password.
I was greeted with a photo, e-mail,
Email (Score:2)