SMS Database Leak Exposed 2FA Login Codes

(Josh Centers) #1

Originally published at:

An unsecured server has resulted in tens of millions of SMS messages being exposed, and along with it password reset links, two-factor authentication codes, shipping notifications, and more.

(Gerrie Shults) #2

Isn’t this out of my control? What can I do to get people like a Medical Group who uses online checkin to use something better than SMS?

(Al Varnell) #3

Some, but clearly not all such organizations allow you to opt-out of SMS, but you are correct that some still don’t. The only thing you can do is lodge a formal complaint with them, citing this latest compromise as one such vulnerability, and there is more than one.

(David Brostoff) #4

What do you use as an alternative?

(Richard Rettke) #5

PayPal is yet another that still is using SMS. I was surprised when I set up 2FA with them today.

(Richard Rettke) #6

Authy & 1Password both support a much more secure form of 2FA.

(David Brostoff) #7

Thanks for the tip – I guess this brings up another question though:

If you are already using 1Password (with a strong master password, etc.), is there any advantage in 2FA?

(Richard Rettke) #8

This explains the “Why” much better than I could ever hope to. In addition, you’ll find sites that require you to use 2FA. For example, to use Apple Application Specific Passwords, you must first be using 2FA or Apple will not allow you to setup ASP’s.

Check out this explanation of Why 2FA.

(Gerrie Shults) #9

OK. Thanks.

(Dennis Fazio) #10

Excuse my ignorance, but I’m wondering if this is a bit alarmist? I see where tens of millions of reset codes and links, shipping notices, etc. were revealed, but aren’t 99.999% of those obsolete and useless? Except for perhaps a small handful that occurred in the last 10 minutes, reset codes become obsolete once they’re used. Don’t they also time out if not used?

Credit card numbers, SSNs, bank account numbers, etc. are serious problems, and certainly the fact that such a breach even occurred is worrisome and I agree this adds to the unfortunate train of breaches victimizing us. But help me understand the real damage of this particular one? Do I really need to worry that much about this particular information being in the wild?

(Richard Rettke) #11

Most likely what you say is correct, but I would be more concerned that the culprit now, has access to my phone numbers, names, the companies they deal with, etc. Which opens up a whole new can of worms.

(Alan Forkosh) #12

Here is the form of a text of a 2-factor authorization message I received from PayPal at my cell number:

PayPal: Your security code is: nnnnnnn. Your code expires in 5 minutes. Please don’t reply.

It seems to be that the only non-noise that could be recovered is the cell number. the security cod, and the sender (PayPal). However, after 5 minutes at most, the security code is meaningless. So it strikes me that all an attacker gets is that a cell number can receive a text and is associated with a PalPal account. While that could be useful if you had other associations for the cell number, it is otherwise pretty useless.

So I think the security implications here are limited.

(blm) #13

That’s plenty. In many cases it’s fairly easy for someone to steal your phone number by transferring it to a new phone. Once that happens, they can go to PayPal, do a forgot password, which sends a security code to your (now their) phone, and use that code to set a new password and log in to your PayPal account, where they can send themselves money from anything you’ve got connected to your PayPal account (credit & debit cards, bank accounts). Maybe you’re using a carrier that actually takes security seriously (are there any?) and won’t just transfer your number because someone asks, and maybe you don’t have any payment method that would let someone steal a lot of money connected to your PayPal account, so this may not affect you personally, but in general, it’s a pretty severe breach (because of other’s poor security practices admittedly, but still…) Brian

(Alan Forkosh) #14

Note that this strategy requires some additional information (a tie between the cell phone number and Paypal login email). Nowhere does the message itself point to that.

(Doug Miller) #15

Perhaps a single PayPal 2fa message doesn’t point to it, but this was a breach of millions of messages that were searchable. Search for the same phone number and perhaps you’ll find other messages that show an email address, which is the user name for most PayPal accounts. And from that you can try to gain access to the account. And we know that cell phone numbers are vulnerable to sim hacking.