I Hacked My Friend's Phone to Show How Easy It Is [video]

51 points, posted 16 hours ago
by marvinborner

12 Comments

threesevenths

an hour ago

If you’re looking for privacy, don’t bring a two-way radio GPS tracker with you everywhere you go.

gastonmorixe

12 hours ago

Therefore, by adding multiple ways to log in/recover an account, each additional one lowers the safety?

Also, worse: does this mean that by just having one bad 2FA/recovery method like SMS along with more secure ones like TOTP/RFC 6238 or hardware keys, the overall security level is as low/bad as the worst method undermining the rest? Why do companies still allow or even encourage multiple methods (and SMS)?

I love the convenience of SMS sometimes, but if it doesn't add any security at all, just a sense of fake security that they won't even need an IMEI from me, just my phone number, jeez. This should be solved or forbidden by major institutions and services.

lisper

11 hours ago

Like everything in computer security, it's complicated, and there are tradeoffs.

First, intercepting SMS is not that easy. It's "easy" for someone who knows what they are doing and is willing to expend some resources, but it's not a casual attack that can be mounted by a script kiddie. It's a lot easier to steal your phone number using a social engineering attack. The easiest one to execute is to impersonate you somehow and get your number transferred to a "new" phone. That one got me a few years ago. Very scary.

Second, in order to exploit an SMS attack you have to be able to link the number to e.g. a bank account. One mitigation for this is to use different and non-obvious user IDs for critical accounts.

Third, despite its weaknesses, SMS 2FA is better than no 2FA at all. Even if breaking SMS is "easy" it's still an additional cost for a prospective hacker. You don't have to outrun the bear.

But it is good to be aware that SMS 2FA is weak. It's better than nothing, but for things that are really mission-critical you should seek alternatives.

brianmiddleton

9 hours ago

I just got an email from my credit union that they're "transitioning from email passcode delivery to more secure methods such as phone calls and text messages". I need to send them this video.

That credit union is awful for many other reasons, so I don't keep much in that account, but I wonder why banking in the US is so bad at security. I don't think I have a single bank or credit card online account that allows for TOTP. It's all SMS or phone call, with one bank allowing for app push notifications.

Is there a compliance check box that requires SMS over something with at least some security?

Our_Benefactors

44 minutes ago

> Is there a compliance check box that requires SMS over something with at least some security?

Yes - it ticks the box for 2FA.

absqueued

an hour ago

Can we keep the original video title when posting?

Zren

14 hours ago

Feels like SS7 was deliberately left vulnerable from requests within the country for tracking purposes. A lot of the security seems to be done with firewalls within the walled garden so it's easier for the five eyes to track cell phones live without giving direct access to the databases.

That said, the real-world example Veritasium used was chilling.

Having LinusTechTips as a 2nd example (who's showing off his new Apple phone) was a nice counter too. I'm pretty sure LTT uses multi factor+user auth though, so I'm guessing that SMS 2FA email was an alt email for personal use.

Gonna have to watch that 2014 presentation on SS7, it seems.

cromka

14 hours ago

I had the same thought on SS7 being kept vulnerable on purpose. With continuous attempts in EU and elsewhere on tapping the E2EE communication and the fact that email remains insecure despite so many proposals makes me think this really is one of those things that get agreed upon behind closed UN doors. And I am NOT a fan of conspiracy theories.

I think that lack of information, i.e. any effort to remediate this, is information in itself.

cute_boi

13 hours ago

These vulnerabilities are something we know about, and that is already scary. I wonder how much the 3-letter organizations are capable of.

dyauspitr

14 hours ago

It’s kind of nuts, with one of those SS7 tickets you could easily use a bot to drain 1000s of bank accounts an hour based on the 2FA vulnerabilities.

cute_boi

13 hours ago

I am worried about banks that use SMS for 2FA. :/

bbogdn2

13 hours ago

Privacy really doesn't exist, huh?