Ok, so, how does a paranoid individual protect themselves from this attack?
Aside from "don't link your phone to these accounts" which isn't always possible as many banks in Canada only recently added SMS based 2FA.
Some ideas:
- separate phone for 2FA. This seems quite annoying in practice.
- a daily twilio script that SMS's your number as an indication that you've still got it. Easy to implement, but also easy to ignore and would only indicate after the fact that you lost your account.
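The "daily SMS to yourself" idea is a dead man's switch: the phone that should hold the number is told to expect one message per day, and the absence of that message is the alarm. The Python below is an added example (not code from the thread) of the receiving-side check, with the inbox constructed inline as a list of dicts; the secret key, the sender number and the message format are assumptions. It goes one step past the comment by making each day's message an HMAC of the date, so a message that merely looks like the canary does not satisfy the check.

```python
import datetime
import hashlib
import hmac

# Assumed values for the demo. In practice the key lives only on the host
# that sends the canary and the number is the Twilio number used to send it.
SECRET = b"constructed-demo-key-do-not-reuse"
SENDER = "+15550000001"  # constructed placeholder for the sending number


def canary_token(secret: bytes, day: datetime.date) -> str:
    """Per-day token: truncated HMAC-SHA256 over the ISO date.

    Without the key nobody can produce a valid token, so the check cannot be
    satisfied by an attacker who only knows the message format.
    """
    mac = hmac.new(secret, day.isoformat().encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def compose_canary(secret: bytes, day: datetime.date) -> str:
    """Body of the SMS sent on a given day.

    Sending side (not run here): a daily cron job using the Twilio Python
    library would call
        client.messages.create(body=compose_canary(SECRET, today),
                               from_=SENDER, to=MY_NUMBER)
    """
    return f"canary {day.isoformat()} {canary_token(secret, day)}"


def check_inbox(messages, secret: bytes, today: datetime.date,
                max_age_days: int = 1):
    """Return (ok, detail).

    messages is the phone's SMS inbox as a list of dicts with keys
    'from' and 'body'. ok is True when a correctly keyed canary for today
    (or up to max_age_days back, to tolerate delivery delay) is present
    and came from the expected sender. A missing canary means the number
    may no longer be on this handset and the owner should act immediately.
    """
    for age in range(max_age_days + 1):
        day = today - datetime.timedelta(days=age)
        expected = compose_canary(secret, day)
        for m in messages:
            if m["from"] == SENDER and hmac.compare_digest(
                    m["body"].strip(), expected):
                return True, f"valid canary for {day} received"
    return False, (f"no valid canary in the last {max_age_days + 1} day(s): "
                   "number may have been ported")


# Constructed sample inbox: one genuine canary, one look-alike from an
# unknown number with a made-up token, and unrelated traffic.
TODAY = datetime.date(2024, 3, 10)
SAMPLE_INBOX = [
    {"from": "+15550000009", "body": "canary 2024-03-10 000000000000"},
    {"from": SENDER, "body": compose_canary(SECRET, TODAY)},
    {"from": "+15550001234", "body": "Your table is ready"},
]

if __name__ == "__main__":
    ok, detail = check_inbox(SAMPLE_INBOX, SECRET, TODAY)
    print(ok, detail)
```

The check only fires after the number has already moved, which is the limitation the comment itself notes; its value is in shortening the window between the port-out and the moment you start calling the carrier and the bank, so the check belongs in something you cannot ignore, such as an alarm on a second device, rather than a message that can scroll past.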
In Sweden you now require hardware identity verification which can only be issued by a bank or similar authority. (It also works similar to Venmo but without the fees.)
I'd love love love if government Id card could be used as U2F via NFC.
Also, in Lithuania (and many other countries) 2FA is hardware locked to your SIM card - can't really get a new one without showing your ID in a shop (the shop doesn't really use the chip on the ID though).
BankID is really nice.
I think when I move back to Aus I will feel like I've gone back in time.
I don't know about Canada, but I feel like if you tried to implement this in Australia there'd be a lot of paranoia over a system like BankID with regards to privacy or gatekeeping.
Fastmail once offered as part of their mail service a list of random numbers you could print out and then use as a second factor, one at a time, when you logged in.
I really miss that feature, and wish more online services supported something like it.
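The printed list of one-time numbers is a backup-code scheme: the service generates a batch of random codes, hands them to the user once, and keeps only a hash of each so that a database leak does not expose usable codes; each code is accepted exactly once. The Python below is an added example of that scheme (not Fastmail's implementation, and not code from the thread); the code length, alphabet and storage format are assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/I so the printed sheet is easy to type back.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_backup_codes(n: int = 10, length: int = 8) -> list:
    """Return n random codes from a CSPRNG. 8 chars over 32 symbols is 40 bits,
    enough given that verification is rate-limited and each code is single-use."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(n)]


def format_for_printing(codes: list) -> str:
    """Numbered sheet the user prints and keeps offline; codes are grouped
    as XXXX-XXXX for readability and normalised back on entry."""
    lines = []
    for i, c in enumerate(codes, 1):
        lines.append(f"{i:2d}. {c[:4]}-{c[4:]}")
    return "\n".join(lines)


def _digest(code: str) -> str:
    """Normalise user input (case, separators) and hash it. The server
    stores only these digests, never the codes."""
    cleaned = code.strip().upper().replace("-", "").replace(" ", "")
    return hashlib.sha256(cleaned.encode()).hexdigest()


class BackupCodeStore:
    """Server-side state for one user: the set of digests not yet redeemed."""

    def __init__(self, codes: list):
        self._unused = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, code: str) -> bool:
        """Accept a code once. Returns True and burns the code on success,
        False for unknown or already-used codes."""
        candidate = _digest(code)
        match = None
        for stored in self._unused:
            # Constant-time comparison so the check leaks nothing through timing.
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.remove(match)
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    print(format_for_printing(codes))
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("reuse:", store.redeem(codes[0]))       # False
    print("left:", store.remaining())             # 9
```

Two things the sheet approach depends on that the code cannot provide: the login endpoint must rate-limit or lock after a handful of failed code attempts, since the codes are short, and the user must be told when the sheet is nearly exhausted so a fresh batch is generated before they are locked out.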
Maybe you could use VOIP numbers for 2FA? Many VOIP providers (i.e. voip.ms) can forward SMS to e-mail, SIP client, callback URL or another phone number. There's a cost, but I guess it's minimal, all considerations done.
Your second scenario is like a dead man's switch. It's interesting, as it could prompt you with a daily challenge that only you can answer. But I don't see how it could be implemented in a normal person's life?
I guess then the risk is whether or not the VOIP provider is more secure than my phone provider? I need to think that one through.
With the second scenario I was just thinking that, if I personally didn't receive the text on a given morning, I would know that my number has been ported and I would begin to freak out and try to race the attacker.
I think it's more of a "security by obscurity" thing than anything, but if the number is really unknown except for you and the 2FA provider, that would probably be "good enough".
This episode of Reply All involves one of the hosts pissing off a group of SIM swappers, and him trying to go through the process of making himself safe. TL;DR -- It's really hard to do successfully.