Geekzone: technology news, blogs, forums
boosacnoodle

742 posts

Ultimate Geek


#270303 3-May-2020 12:54

I saw this article on stuff which got me thinking - what can we do to prevent number porting fraud? Ultimately my gut feeling is an SMS alone should not be enough to reset a password online, let alone one that gives you full access to a bank account. Unfortunately, ANZ, SBS and Westpac (asks for a security question first) all allow your password to be reset over SMS with fairly minimal checks involved.

 

So what checks are done before your number is ported out? Only two things are checked before your number is ported. These are:

  • Losing carrier, i.e. the old provider
  • Phone number
  • Depending on the account type:
    • Prepaid mobiles - SIM number
    • Postpay mobiles - account number

Without physically having the SIM card on-hand, in which case all bets are off anyway, it is relatively difficult to find the SIM number. I'm not aware of any provider that emails it or shows it in their online portal. However, for postpay customers, assuming your email or physical mail is compromised in some way it's quite likely that a hacker could find your bill which likely has your account number on it. Accordingly, if the hacker has access to your bill & you're on postpay - your number can now be ported out.

 

Some ideas to stop this (ordering from (IMO) best to worst):

  1. Amend the porting process so that once the port is accepted by both carriers a text message is sent to the number with a unique link to an online portal to confirm the port. Enable does this when you switch UFB providers and it works really well because it also lets you specify the date you'd like it to happen.
    • Pros: Requires you to have physical access to the number to port it = significantly more secure, wouldn't require any changes on the carriers' side, doesn't rely on any one carrier to securely implement it, i.e. no carrier weaknesses.
    • Cons: Slightly delays the porting process.

  2. Require a unique security code for porting - similar to the UDAI used for .nz domains.
    • Cons: Could be a pain to securely store & transmit the information to the customer, i.e. if their online portal account got compromised.

  3. "Porting lock" on your account - similar to that used on .com domains & on credit files, where any port would be automatically rejected unless you changed the flag on your account.
    • Cons: Could be a pain to securely store & transmit the information to the customer, i.e. if their online portal account got compromised.

  4. Require the SIM number for postpay, as it is currently for prepay.

 

What do you think?
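The port-out flow described in this post, with two of the proposed safeguards modelled together: the per-account "porting lock" (idea 3) and the SMS-delivered confirmation link that only the current SIM holder can act on (idea 1). This is an added illustration, not the poster's code and not any carrier's actual porting process; the carrier names, phone numbers, account identifiers, the `https://port.example/confirm/...` URL and the 15-minute token lifetime are all constructed for the example.

```python
"""Simulated number port-out with a porting lock and an SMS confirmation step.

Constructed model for illustration; no real carrier's process is represented.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed: confirmation link is valid for 15 minutes


@dataclass
class Account:
    number: str            # the mobile number being ported
    losing_carrier: str    # the customer's current provider
    account_id: str        # SIM number (prepay) or account number (postpay)
    port_locked: bool = False


@dataclass
class PortRequest:
    number: str
    gaining_carrier: str
    token: str
    expires_at: float


class PortingAuthority:
    """Stand-in for the industry porting system that both carriers talk to."""

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.number: a for a in accounts}
        self.now = now            # injectable clock so expiry can be exercised
        self.pending = {}         # number -> PortRequest awaiting confirmation
        self.sms_outbox = []      # constructed stand-in for the SMS gateway
        self.audit = []           # what a carrier would log for fraud review

    def request_port(self, number, losing_carrier, account_id, gaining_carrier):
        acct = self.accounts.get(number)
        # One generic outcome for every mismatch, so a requester probing with
        # guessed details cannot tell which field was wrong.
        if (acct is None or acct.losing_carrier != losing_carrier
                or not hmac.compare_digest(acct.account_id, account_id)):
            self.audit.append(("rejected", number, "details mismatch"))
            return "rejected"
        # Porting lock: the account holder must clear the flag before any port.
        if acct.port_locked:
            self.audit.append(("rejected", number, "port lock set"))
            return "rejected"
        # Details check out: do not port yet, ask the SIM holder to confirm.
        token = secrets.token_urlsafe(16)
        self.pending[number] = PortRequest(
            number, gaining_carrier, token, self.now() + TOKEN_TTL_SECONDS)
        self.sms_outbox.append(
            (number, f"Confirm port to {gaining_carrier}: "
                     f"https://port.example/confirm/{token}"))
        self.audit.append(("pending", number, gaining_carrier))
        return "pending"

    def confirm_port(self, number, token):
        req = self.pending.get(number)
        if req is None:
            return "no pending request"
        if self.now() > req.expires_at:
            del self.pending[number]
            return "expired"
        if not hmac.compare_digest(req.token, token):
            return "invalid token"
        del self.pending[number]  # single use: a replayed link does nothing
        self.accounts[number].losing_carrier = req.gaining_carrier
        self.audit.append(("completed", number, req.gaining_carrier))
        return "completed"


if __name__ == "__main__":
    auth = PortingAuthority([Account("0211234567", "CarrierA", "ACC-123")])
    print(auth.request_port("0211234567", "CarrierA", "ACC-123", "CarrierC"))
    link = auth.sms_outbox[0][1]
    print(auth.confirm_port("0211234567", link.rsplit("/", 1)[1]))
    print(auth.audit)
```

Note that a correct losing carrier plus account number, the only inputs the post says are checked today, gets the request no further than "pending" here; the port completes only from a link delivered to the number itself, which is the property idea 1 is after.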


BlinkyBill
1443 posts

Uber Geek
Inactive user


  #2475755 3-May-2020 13:03

I don’t know about the others, but for ANZ you can only change your password if you know your password; and there is an opt-in 2FA-style verification step (which everyone with a registered phone should use). Hacking in using the ‘I can’t log in’ feature requires you to enter additional details, and again, the 2FA-style option exists for verification, which is not optional.

 

So you cannot reset an ANZ password using just an SMS.


chevrolux
4962 posts

Uber Geek
Inactive user


  #2475867 3-May-2020 15:11

It's fairly irrelevant here in NZ now that, I'm pretty sure, all our mobile carriers require you be in a store to swap sims. They won't do it over the phone.


networkn
Networkn
30813 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2475870 3-May-2020 15:14

You should NEVER use SMS as a 2FA method.




tardtasticx
3057 posts

Uber Geek


  #2475876 3-May-2020 15:39

chevrolux:

 

It's fairly irrelevant here in NZ now that, I'm pretty sure, all our mobile carriers require you be in a store to swap sims. They won't do it over the phone.

 

 

Yeah, but the problem is that doesn't apply for porting numbers; there's no verification other than providing somewhat easily obtainable information (SIM# or Account#, and the losing service provider name). If you have those details you can take the number to any carrier in NZ no questions asked, and it's entirely automated.

 

SIM swaps between the same carrier can be easily controlled by each carrier implementing their own rules (like visits to stores), but it's inconsistent such as the case with Skinny who I believe don't have any rules like a store visit being required and the SIM swap can be done online.


Andib
1312 posts

Uber Geek

ID Verified
Trusted

  #2475879 3-May-2020 15:58

networkn:

 

You should NEVER use SMS as a 2FA method.

 

 

 

 

I disagree with this statement. Yes, SMS 2FA is one of the worst of the MFA options BUT... it's a hell of a lot better than no MFA at all. Having to fraudulently SIM swap/port a number is too much effort for most people looking for easy targets.

 

 

 

I do wish banks would support more modern MFA options.







BlinkyBill
1443 posts

Uber Geek
Inactive user


  #2475880 3-May-2020 15:59

networkn:

 

You should NEVER use SMS as a 2FA method.

 

 

Why not? If you changed your password (something you know you did) and the service provider verifies to your cellphone (something you told them you have), what’s wrong with that? 


richms
26756 posts

Uber Geek

Trusted
Subscriber

  #2475889 3-May-2020 16:16

BlinkyBill:

 

networkn:

 

You should NEVER use SMS as a 2FA method.

 

 

Why not? If you changed your password (something you know you did) and the service provider verifies to your cellphone (something you told them you have), what’s wrong with that? 

 

 

Because as that article demonstrates, you may not have your phone anymore and not know it for some time.

 

Also the SMS codes are at the risk of an app on the phone sending them off to the scammers and hiding them from the phone's owner. It is not a secure medium at all and there are much better systems. Using a phone number for authentication is basically outsourcing it to a company that TBH is not really that good at it.

 

I have a specific 2-factor phone that I don't use for anything else. The annoying thing is so many places do not allow for multiple phone numbers to be provided. Or if they do it's a "home" and a "mobile" which have limits on what formats can be entered, and even if you can put a mobile in as the home, they will not SMS to it. Also they will not 2-factor or even notify you about things over any other medium because it's "not secure" - I would trust the security of most messaging apps more than SMS.





Richard rich.ms



boosacnoodle

742 posts

Ultimate Geek


  #2475891 3-May-2020 16:18

networkn:

 

You should NEVER use SMS as a 2FA method.

 

 

I'd agree, but unfortunately a lot of banks require a mobile phone number on the account now. That same number is also often used for 2FA with little choice. I wish banks would introduce TOTP but I can't think of any. The only two that have something non-SMS based that occur to me are BNZ (NetGuard = card with digits on it) and Rabobank (a wee calculator-like device you put a PIN into for OTP).

 

chevrolux:

 

It's fairly irrelevant here in NZ now that, I'm pretty sure, all our mobile carriers require you be in a store to swap sims. They won't do it over the phone.

 

 

All it takes is one staff member to make a mistake or a "mistake". Unfortunately it's happened numerous times already here in NZ before and very widely overseas. After all, policy is not infallible. In any case, what happened here wasn't a SIM swap but rather a fraudulent port out. Unfortunately there is very little protection for this kind of attack.

 

You also may not be aware, as it hasn't really been publicised that widely (probably for PR reasons I'd imagine), but I am aware of a number of cases involving the larger carriers in NZ that have paid out settlements over failings with regards to the SIM swap policy not being followed, which subsequently caused serious financial harm to the involved customers. These were not small numbers either - I'm talking six $ digits.


mudguard
1804 posts

Uber Geek


  #2475914 3-May-2020 17:12

What I don't understand about the number porting, is how are they getting any of the customer's bank details?

