Ultranomad wrote:
This is why I don’t link my phone number to online services unless it’s impossible to avoid (and even then I try to use a different number, not the one I always have with me)
Exactly. Unless there is absolutely no work-around, I never use my phone number for any authentication process. For the few where I have no choice I use one that’s not my main number.
I don’t use my phone for accessing any financial services… if you lose it, it can be booted into the re-flash menu, rooted and everything can be extracted (that’s basically how the police do it) which is why apps like google pay / apple pay stop working (maybe not immediately) on rooted devices.
Also, the key to using 2FA to your advantage is to not use it for logins to banal stuff like FB, which frankly doesn’t matter if somebody hacks. Use it only where it is important: your bank, paypal, and such. And use a different email address for each of these; that blocks the password recovery exploit.
A laptop can be made much more secure.
You can encrypt most Android phones so that extraction of data after the phone has been shut down is pretty much impossible (unless you freeze the RAM prior to shutdown, desolder it and extract the keys).
Encrypt your Android phone now if you haven’t done so.
Damn, smart guy. What to do about it? Involves lots of re/de-registering work in any case.
That’s why you have scripting languages =)
Can be automated with PHP and some cURL requests.
I meant for me as consumer… log on to n amount of sites and change phone number/email etc..
I may well be missing something but the ability to get somebody’s phone number doesn’t give you the ability to intercept the sms message sent to him containing the 2FA login code.
As the link I posted alludes to, that can be done but is complicated unless you can get inside the GSM system.
There are ways to transfer the number to a new SIM card, e.g. by phoning up your phone company and saying the phone has been lost and could they please issue a new SIM. Anybody can do that, if the phone company is dumb enough to mail the new SIM to an address supplied by the attacker. This happened to me recently but the phone company wouldn’t send it to another address. I noticed that my phone stopped working so I called the company and they acknowledged that somebody had started off this well known fraud. But if I had not been using the phone for some time and the phone company was one of the dumb ones…?
If you ever find your phone has gone dead, it is very likely that somebody has done this to you (reported your phone stolen and is trying to get a SIM card with your number mailed to them).
The whole idea of 2FA is that receiving somebody else’s sms is difficult. Otherwise, you could hack stuff belonging to all the people whose numbers you know.
If your enemy is someone inside the GSM system, they will get you anyway even if you use a second SIM for the 2FA purposes, unless that SIM is a PAYG one bought for cash, etc. But someone inside the system will still get you then unless you use it in a second phone which was also bought for cash, etc…
The easiest scam is to “borrow” the phone (unlocked, or be able to unlock it). I know a guy whose GF, suspecting he was being a “bad boy”, borrowed his phone while he was sleeping, and got some logins from it 
