Just an Idea about Hacking.

[Magikarpdrowned]

As the title says, this is just a theory that I had, so suggestions as to whether this would work or not are definitely appreciated. Anyways, I was wondering, now that we all know that Poodlecorp uses social engineering to gain access to people's SIM cards (their key to 2 factor authentication) what is stopping someone from using a service like Textnow for their 2 Factor Authentication. That would make your phone number and messages not bound to your sim card, but rather they would be linked to an account with a username and password, something that is a lot harder to social engineer a hack for. As long as your Textnow account was protected with a very strong password, and possibly two factor authentication for that account in the form of e-mail (again password protected with yet another very complicated password) then I see no way for the Poodlecorp style of attack to work. Any suggestions?

[Skiiwee29]

7 minutes ago, Magikarpdrowned said:

As the title says, this is just a theory that I had, so suggestions as to whether this would work or not are definitely appreciated. Anyways, I was wondering, now that we all know that Poodlecorp uses social engineering to gain access to people's SIM cards (their key to 2 factor authentication) what is stopping someone from using a service like Textnow for their 2 Factor Authentication. That would make your phone number and messages not bound to your sim card, but rather they would be linked to an account with a username and password, something that is a lot harder to social engineer a hack for. As long as your Textnow account was protected with a very strong password, and possibly two factor authentication for that account in the form of e-mail (again password protected with yet another very complicated password) then I see no way for the Poodlecorp style of attack to work. Any suggestions?

It would likely work for a short time. Much like anything, nothing is 100% hack proof. Most of all hacks are actually due to user error and not from someone being a good hacker. 

[Magikarpdrowned]

1 minute ago, legacy99 said:

It would likely work for a short time. Much like anything, nothing is 100% hack proof. Most of all hacks are actually due to user error and not from someone being a good hacker. 

That's my point. By removing humans from the equation (T-Mobile service reps) you are leaving Poodlecorp with no choice but to try and crack a password. And I would be damned if they went as far as to brute force a max character limit password made up to be as random and hard to guess as possible. I'm not saying it would be 100% hack proof either, I'm just saying it would drastically reduce the speed at which they could hack accounts, rendering them a lesser threat.

[DrM]

or google voice. that works too. the main reason people dont use it is either because they dont know about that, or its not bundled with their phone. that extra step of inconveince (i tried to spell this 5 times, i give up) deters a lot of people. of course, its just a workaround and not addressing the major issue here, being the way cell companies handdle your data. using an account also introduces another weakness, since people can break in a lot easier when they get even one of your passwords (the FAP video said 50% or so of people reuse passwords)

[Skiiwee29]

3 minutes ago, Magikarpdrowned said:

That's my point. By removing humans from the equation (T-Mobile service reps) you are leaving Poodlecorp with no choice but to try and crack a password. And I would be damned if they went as far as to brute force a max character limit password made up to be as random and hard to guess as possible. I'm not saying it would be 100% hack proof either, I'm just saying it would drastically reduce the speed at which they could hack accounts, rendering them a lesser threat.

Well if a large carrier is going to actually fall for the ploy, then they have shifty security practices and, in Linus's case, he should sue the crap out of them. In todays world, this hacking non sense is to main stream for people to remain oblivious to it. Especially if they work in a tech field such as a cell carrier. 

[Magikarpdrowned]

1 minute ago, legacy99 said:

Well if a large carrier is going to actually fall for the ploy, then they have shifty security practices and, in Linus's case, he should sue the crap out of them. In todays world, this hacking non sense is to main stream for people to remain oblivious to it. Especially if they work in a tech field such as a cell carrier. 

 

[Magikarpdrowned]

3 minutes ago, DrM said:

or google voice. that works too. the main reason people dont use it is either because they dont know about that, or its not bundled with their phone. that extra step of inconveince (i tried to spell this 5 times, i give up) deters a lot of people. of course, its just a workaround and not addressing the major issue here, being the way cell companies handdle your data. using an account also introduces another weakness, since people can break in a lot easier when they get even one of your passwords (the FAP video said 50% or so of people reuse passwords)

Yes, my point is I'm sure the big youtubers (if willing to adopt this idea) would be willing to come up with a couple of REALLY strong passwords. Hell, I'd advise they use a random password generator. The point isn't that it's a fix for everyone, because it isn't. It relies on people having common sense. If they don't have that, they are already on track to getting their bank credentials stolen.

[DrM]

2 minutes ago, Magikarpdrowned said:

Yes, my point is I'm sure the big youtubers (if willing to adopt this idea) would be willing to come up with a couple of REALLY strong passwords. Hell, I'd advise they use a random password generator. The point isn't that it's a fix for everyone, because it isn't. It relies on people having common sense. If they don't have that, they are already on track to getting their bank credentials stolen.

yeah, that would make for a good workaround for the people who are knowlegable enough, but still doesnt address the core issue of the carrier being a vulnerablilty. it may just be youtubers being targeted now, but this could easily affect everyone who uses two factor authentication

[Magikarpdrowned]

6 minutes ago, DrM said:

yeah, that would make for a good workaround for the people who are knowlegable enough, but still doesnt address the core issue of the carrier being a vulnerablilty. it may just be youtubers being targeted now, but this could easily affect everyone who uses two factor authentication

I mean, it's a start. I think this isn't a permanent solution by any stretch of the imagination, but it could lead to one.

[BlueChinchillaEatingDorito]

Would love to see how they are managing to get telecos to transfer sim cards that easily. And it's not just T-Mobile, Bell Mobility has also been guilty.

[BHS4K]

That's exactly what GradeAUnderA states in this video,  and to add to the topic think if you use a long distance phone number it would be harder for hackers to crack.

 

[Magikarpdrowned]

9 hours ago, BHS4K said:

That's exactly what GradeAUnderA states in this video,  and to add to the topic think if you use a long distance phone number it would be harder for hackers to crack.

 

Oh, damn. I never watched this video (I honestly can't stand him anymore) but agreed about using a long distance phone number.