Walk into a store and provide a government ID and the original SIM card. If customer doesn’t have the sim/phone, send a recovery code to the billing address on file in lieu of the SIM card.
> Walk into a store and provide a government ID and the original SIM card.
This is how it works in Poland since September 2019, after some recent SIM-swap attacks. You can swap SIM or get a replacement if stolen only at store showing government ID. It is free of charge with Orange and not always free with T-mobile.
But this has some downsides in real life.
1) I had to walk my 88 yo Mom to the store to swap SIM card.
2) Every clerk at every shop can do that so for a determined criminal it is possible to bribe or threaten one.
3) Virtual operators (MVNOs) usually do not have physical locations and there is a dozen of them.
The problem is that the ID is still checked by the clerk. They could be bribed or tricked by a fake ID.
A recovery code snail-mailed/e-mailed to the account holder when they first open the account is the correct way to go, and if they can't provide it they need to go through a lengthy process where many factors are used to authenticate them (verify their physical address, verify their ID, ask to confirm last call records, billing details, etc).
The clerk has to use some kind of online system to connect the new sim to the customers phone number. The system would obviously require the clerk to authenticate himself and could require him to enter the passport number or other document ID he checked to verify the customers identity.
If later it turns out this was a sim swapping attack you can verify if the clerk entered a valid document ID. He can’t do that without having been presented a proper document, so you can tell if he checked.
Its just convenience over security. Lot of things can be done but then the extra burden that companies have to go through. Think about that people don't use app based authentication because it's inconvenient even though it matters to them. How can you expect carriers to do it
I wasn't sure how would you solve the problem of verifying the ID card without showing the previously recorded number to the clerk. But simply requiring to every time just punch in the ID (and maybe scan the whole card to check the photo later) could work - if the system only returns a big OK or BAD signal.
Currently here, in Hungary, the clerks just photocopy the IDs though. And there was a big scandal a few years ago (in connection to the ISIL/ISIS attacks in EU) about some groups obtaining hundreds of thousands of SIMs for just a few names.
On your second point, a determined criminal could always deploy rubber-hose cryptanalysis on a 2-factor authentication scheme, but it's still a significant improvement.
If you make the carrier liable for damages in case of fraud, there would be process to mitigate the risk from one bad actor. Like the bank requires a manager approval for certain high risk transactions like international wires.
Too long of a moon shot. Generally the T&C are limited to actual loss, like you lost your internet for 2 days so they'll reimburse you for 2 days of bill but not if you lost a business deal. Similarly in case of airline if you missed your game. they're not responsible for the game tickets
Before you go abroad you could notify your bank. Then in period you declared you are abroad they should lower expectation from "in person and ID" to phone call and other means of verification. After that period you are automatically back to normal security.
That is for example how my debit card works. If I want to use it abroad I have to turn that feature on for whatever time I am abroad.
In Europe you have a telephone PIN codes, you have number generators on the app. There are lots of ways to authenticate yourself. IN Europe you no longer need to tell them whether you're abroad or not; I guess the ML algo's that monitor for fraud are so much better than before that this isn't needed.
Losing a bank card isn't as critical as losing a phone # so companies have to act quickly. Think about it - Can you live without your bank card for few days vs living without your #
I think we just need to be prepared for these sorts of things. Travel with cash, your debit card, and one or two credit cards. If you can afford it, have a backup SIM (Twilio sells SIM cards for about $3 and the cost to keep them activated is $1/mo, and nothing more if you don't use it [0]). Use a Twilio or Google Voice number that you don't use for anything else for 2FA or account recovery for services that require a phone number (some providers reject these numbers, but many will accept them).
[0] Full disclosure: I work at Twilio and built the first version of the wireless product, so I'm a bit biased.
Cool. What store? Do all services that provide accounts need physical stores now? How do you ensure the store endpoints are trustworthy, and actually checking said IDs and SIMs?
Use backup verification codes and a recovery email address.
Also, remember the date when you created your Google account. The best way to find that date may be to look at the first email you received in the account.
What you can do with email is move the problem to your most secure account or to an account that you know how to recover under essentially all circumstances.
As I mentioned before that it's just convenience. SMS based authentication is flawed and is also prone to SS7 Attacks but people just do it because it's simple. Nothing in the world is hack proof
Yes, like my mobile service is provided by a German supermarket chain that has outsourced the operation to somebody else, who run it as a virtual network over somebody else's cell network. The nearest of these supermarkets is hundreds of kilometres away, and the checkout operators are unlikely to be of much help.
Problem with a government photo ID, There's no way to verify its authentic besides a visual inspection. I consider them as secure as SMS 2FA. For $200 and someone could get passable ID with your name on it.
That's the key problem that US needs to solve - the businesses don't really have a solid gov't ID system to fall back on. In most of Europe (UK seems to be more like USA as far as I understand) passing on a counterfeit ID to a mobile shop is harder (and more rare) than paying with counterfeit money, the IDs can be checked, employees are required to verify online if that ID has been reported lost or stolen, etc.
I mean, in Europe if criminals want to get a bunch of stuff on credit from some place with a disposable identity, they generally recruit poor/homeless people with real IDs, because that is simpler/cheaper/safer than trying to do it with counterfeit IDs.
SMS hijacking, just as the core identity theft issue is so much rare elsewhere - it demonstrates that it's a solvable issue if the USA wanted to solve it. (in some sense the discussion on identity theft reminds me of https://www.theonion.com/no-way-to-prevent-this-says-only-na...) However, the straightforward way to do that would require a proper single centralized (i.e. federal) gov't ID issued to almost all people, which seems to be anathema in USA.
>In most of Europe (UK seems to be more like USA as far as I understand) passing on a counterfeit ID to a mobile shop is harder (and more rare) than paying with counterfeit money, the IDs can be checked, employees are required to verify online if that ID has been reported lost or stolen, etc.
Can you detail which "most" of Europe you are talking about?
In Italy, while obviously you have to produce an ID card, there is no way that it can be checked online by "an employer", only Police (and Carabinieri) can do those checks, and of course ony for Italian issued ID's, moreover in some other businesses besides SIM card selling where the ID is needed (as an example hotels, AirBnB's and similar, car or tools renting, etc.) the actual employee never had a formal, official training to recognize forged ID's so everything is demanded to the single employee common sense and experience/knowledge (often zero or next to zero).
Particularly with "foreign" or "uncommon" pieces of ID's even if Italian (besides the "normal" ID cards and passports there are a number of other documents that have ID value) it is extremely difficult to understand if it is forged.
In UK AFAIK there is no national ID card, so you are limited to passport and/or (if valid for the scope) the driver license.
Plus Italy's national ID is laughably insecure. It's a laminated piece of paper. I remember when I was growing up I had an Italian friend in the UK who went out to a bar for her actual 18th birthday. When they asked for ID, she showed it to them and they kicked us out because they thought it was fake. It was not.
No, it isn't (anymore), not everywhere, but in spots.
For the record - for a period it was laminated, and then it was forbidden to laminate it (as forgeries were somewhat simpler with the laminated one, though I don't know the details).
Old ID card (paper, large, duration - theorical - 5 years, then extended to 10 years, practically indestructible, i.e. they actually lasted the 5 or 10 years):
New ID card (electronic, credit card size, with chip[1], duration - theorical - 10 years, usually illegible after 2 or 3 years in a wallet unless you use a protective cover):
And whether you get the one or the other may depend on the city (comune) as most will use all the empty paper documents they have in storage before starting issuing the new electronic format.
[1] for which noone or nearly noone has a reader BTW, the whole stuff is somehow experimental, even now that we have an app (Android only):
You can get a federal ID. It's called a passport card. It costs $65.
The US also has the REAL ID[0] standard that requires IDs to meet minimum standards in order to be accepted by the federal government.
If carriers just required a REAL ID compliant ID in order to get a new SIM, and actually checked it via the chip or magnetic strip, I think we'd be good.
You can get a federal ID. It's called a passport card. It costs $65.
Which is usually a really crappy idea when you want to save a few bucks compared to a real passport.
They're umpteen stories of heartbreak and hurt, by people not being allowed to board an international flight, or a cruise which stops at destinations not covered by a passport card.
They're also those that thought it's a great idea to get them for their kids.
With the same consequence. A passport card does not allow you to fly internationally. Not even to Mexico or Canada.
I'm not saying use it for international travel, I'm saying use it as an ID? Literally any American citizen can get an ID card for $65 that is accepted everywhere someone asks you for ID.
If we started taking things a bit more seriously, we could also get that fee down by subsidizing it.
I have a counterpoint from my experience in France.
A few years back I have lost my phone and went to get a new SIM. The attendant in the shop only had a quick look over my ID card. He didn't scan it nor did he enter the ID number in the computer to check anything. I think he only verified that the name was the same as the one on file and the photo looked like me.
The same happens at the post office when you go to collect a parcel / registered mail.
On the other hand, in almost every bar I've been, staff would do a quick check with a pen on every 50 € note they would get, and those notes are fairly common (two cocktails in a random bar in Paris can often cost more than 20 €). I don't know how effective that is in actually detecting counterfeit bills, but there's clearly more effort that what the other clerk did.
The pen contains a chemical that interacts with the paper that's always used to make these bank notes. Specifically it blackens the starch found in wood pulp, and the paper in your laser printer, photocopier, etcetera uses wood pulp because that's cheap. Bank notes use a higher quality paper and so they aren't turned black.
This forces crooks to use more expensive and traceable high quality papers for their counterfeit notes or they'll get rejected in stores and bars.
Having IDs that actually look up to anything at all is a relatively modern idea. When I was born if you suspected a passport in my country of being bogus it'd probably take a bunch of clerks several hours of physically looking through filing cabinets to check.
And where we build systems that can check often people don't. The UK government built a system which lets a driver prove to the government who they are and then get a token value back which they can give to anyone - that token can be exchanged for viewing the government records for that driver. So e.g. hire firms could insist on this token to see you're not disqualified and actually have the entitlements your physical driving license says you have.
They don't. Some of them will let you give them this token reluctantly but all prefer you give them a print out, which obviously you could just fake.
I'm in retail in the UK at the moment. For doing credit, the main way we use is by drivers license. I plug the details into a form at the till and check the face. It does an online check with the DVLA.
I’m not in the US, but the only ID card without a chip that I can think of here is a European driving license, which is just a plastic credit-card-sized thing that is often used as informal verification eg to collect a parcel.
$200 and greater risk of getting caught -- that's still a step forward. Right now it only takes sitting at home spending a few cents to call customer service and social engineering them.
This is not true everywhere. There are Aadhar cards in India where you can confirm your identity with biometrics at any store using government-provided equipment that many stores have.
Does the bar code act as a key to lookup a record in a central database, or does it just encode "I am 21, trust me" without any cryptographic signature?
Unless it's the former it's as good as a standard paper ID as far as forgeries go. If anything, having it machine-readable decreases security as it means the person inspecting it spends less time looking at it and just scans it in a machine.
A sim transfer/ account recovery process should come
with a transition period of multiple days during which SMSs with warnings are sent to the original sim card.
On top of that, one could think of:
A passphrase to authenticate a number transfer to another sim.
I've implemented something like this at Dontport. There are few work arounds but again security isn't something that's on top of traditional carrier because it's a problem with a small set of people
Apps like Google authenticator, or more conveniently, a Google voice number. The Google voice solution works well since it can't be Sim swapped, and can be accessed via email (admittedly, a potential downside).
Well first of all using a password manager should be the last resort recovery strategy. Unlike device based 2FA a password manager allows you to make an unlimited number of backups.
After that 2FA should always be device specific. If you want to do 2FA with your phone then the 2FA challenge should not get sent via an identifier like a phone number that may change owners. Instead you should download a 2FA app that generates a private/public key pair where the public key is linked to your account. That way the only thing you need to do is wipe your phone remotely if it gets lost.
What about setting up two mobile phone numbers for recipients of the recovery code: 123 sent to phone #1 and 456 sent to phone #2? (Phone #1 is yours and phone #2 is your elected trusted partner’s)
Doesn't have to be SO. It can be a trusted friend who knows in advance that you may voice call them in a password recovery scenario (voice calls not via text).
Edit: regarding the "lack of availability" at the point of wanting to reset the password: the urgency of resetting passwords should be considered a lesser inconvenience than the risk of having lost control of your account through insecure 2FA.
(I am simply supporting my original brain storming thought through ... I am not married to this idea in any way or form. Just a thought.)
