A few months ago I took 3 of my 4 kids to a birthday party at a minigolf course. I played some holes with my youngest, whom I had taken with me, and then left the two older ones at the birthday party with the understanding that their mother would pick them up (as we had discussed earlier).
After leaving the party with my youngest, I went to the grocery store, and then on home. When I got home my wife was gone, which I expected since she was picking up the older kids from the party.
Throughout this afternoon I had not been checking my phone in an attempt to be a bit less connected on the weekends.
About half an hour later my wife comes home totally freaked out and frazzled.
Apparently after I had left, someone went into a T-Mobile store and somehow convinced the associate that my number was theirs. I had received a couple of texts from T-Mobile with a PIN where the store associate had attempted to do something, but I was not aware of them until later.
Once this person had my number, they called my bank, reset my online password, and transferred all of our money from various accounts into one of my checking accounts. The bank then put a hold on everything (thank god).
My wife happened to have been paying bills online while this was happening, and saw it all go down. Her first thought was to call me, then when I didn't answer to call the mom throwing the birthday party.
Birthday party mom told my wife I had left, so my wife assumed that our 3-year-old and I were being mugged or something. The police were involved and she spent a good amount of time freaking out trying to find me.
All in all I had a pretty good afternoon :P
For real tho, it was a freaking mess. It took weeks to get our accounts safe, and we try to avoid using phone numbers for 2FA now.
>someone went into a T-Mobile store and somehow convinced the associate that my number was theirs.
I had to regain access to an employee's phone a few months ago. T-Mobile gave me account control after I provided them a phone number that phone had dialed "recently". I am disappointed, but not shocked.
In Singapore they give us a physical token. We have to enter the 2FA code we receive into it to get a third code to enter into the website. Well, I guess it's 3FA. It is a bit of a hassle but better safe than sorry.
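The flow described above (SMS code goes into the token, the token's answer goes to the website) is a challenge-response scheme: the SMS carries only a challenge, and the answer needs a secret that lives in the token. This is an added illustration, not code from the commenter or from any bank; it assumes an HMAC-SHA256 response with HOTP-style truncation, since the page does not say which algorithm the real token uses. It also shows why a SIM-swapped number alone is not enough.

```python
import hashlib
import hmac
import secrets
import struct


def truncate(digest: bytes, digits: int = 6) -> str:
    # Dynamic truncation as in RFC 4226, applied to an HMAC over the challenge.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Token:
    """Hardware token model: the per-customer secret never leaves the device."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: str) -> str:
        mac = hmac.new(self._secret, challenge.encode(), hashlib.sha256).digest()
        return truncate(mac)


class Bank:
    def __init__(self):
        self._secrets = {}   # customer id -> token secret, provisioned in person
        self._pending = {}   # customer id -> outstanding challenge (single use)

    def enrol(self, customer: str) -> Token:
        secret = secrets.token_bytes(32)
        self._secrets[customer] = secret
        return Token(secret)

    def start_login(self, customer: str) -> str:
        # Step 1: the bank generates a one-time challenge and sends it by SMS.
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[customer] = challenge
        return challenge

    def finish_login(self, customer: str, response: str) -> bool:
        # Step 3: verify the token's answer; the challenge is consumed either way,
        # so an intercepted SMS cannot be replayed.
        challenge = self._pending.pop(customer, None)
        if challenge is None:
            return False
        expected = Token(self._secrets[customer]).respond(challenge)
        return hmac.compare_digest(expected, response)


def legitimate_login(bank: Bank, token: Token, customer: str) -> bool:
    sms = bank.start_login(customer)           # received on the phone
    return bank.finish_login(customer, token.respond(sms))  # typed into the website


def login_with_number_only(bank: Bank, customer: str) -> bool:
    # Whoever controls the phone number sees the SMS but holds no token secret,
    # so forwarding the challenge itself (or any guess) is rejected.
    sms = bank.start_login(customer)
    return bank.finish_login(customer, sms[-6:])
```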
Yea, my wife uses a physical token generator now, and I use the app which is bound to my phone. Someone would have to physically have my phone (and unlock it) in order to access my bank now.
Are you sure your bank wouldn't allow someone to disable it over the phone like they allowed someone to change your password? People lose cell phones just as they forget passwords, so there is surely a way for customer support to deal with it.
Banks over here only reset those tokens with instructions sent to your known address. You can only change that address with a working token or showing government issued ID (which everyone around here has and is also required to open an account in the first place). At worst you need to send a copy by mail but going to a branch or post office or a video chat are more common.
Banks can always ask you to go into a branch for more important things like that. They do that in the UK. If you're not in the country, you can write a letter on paper and have the local police or lawyer confirm your identity. I've done that before. It's a nightmare but it eventually works.
In such cases the bank would offer to send new tokens by physical mail to the registered address or receive them in a branch with proper ID.
I recall a case where an important customer was stuck abroad with everything stolen; they were sent replacement tokens and cards to be received at the embassy, which could properly ID them.
Why can a bank have such a robust procedure for replacing tokens, and be trusted to follow it, but not have a similarly robust procedure for handling password resets?
They definitely can, but some of them don't, especially in USA for various reasons.
I mean, any bank with proper procedures doesn't really have the concept of "online password" that's sufficient to do anything and makes 2FA mandatory; I believe in EU now it would be forbidden for a bank to have simply a username-password authentication.
I think it's worth noting that while a physical token is needed for adding new payees and changing transaction limits, it is not necessary for online purchases, which only require SMS verification (at least for DBS).
I think it's a fine approach balancing security and convenience.
"Apparently after I had left, someone went into a T-Mobile store and somehow convinced the associate that my number was theirs."
How can that happen? When I visit my cell provider's store, nobody is going to talk about any account details until you have provided a government-issued ID to prove that you are the account holder. Sure, it's not a 100% bulletproof method, but if somebody went to great lengths to counterfeit my ID, my phone number is the least of my worries. I assume this happened in the USA, so is an ID check so unpopular there, or is it easily circumvented somehow?
Yes, ID check is easily circumvented. People are the weakest link. The store reps are not government officials or police officers, nor do they scan IDs. They may be convinced not to check your ID, accept an ID that isn't your driver's license, or anything else.
The point is that using SMS as 2FA places much of your security in the hands of underpaid cell phone store workers.
"The store reps are not government officials or police officers, nor do they scan ids."
Neither are they here (in the EU), but nobody is going to talk to you unless you provide an ID anyway. Asking for ID doesn't seem too hard, even for non-trained personnel. You don't have to be a detective to match the name/code on the ID with the name/code on the account.
Having access to potentially thousands of dollars from cleaning out a victim's accounts is an incentive to go and obtain a fake ID. Do the store clerks scan and verify that the ID is genuine somehow (check against a database, look at the photo) or do they just look at it in passing and give it back?
From an EU perspective, obtaining a fake ID isn't that likely. Counterfeiting anything certainly is possible, but it's hard and expensive (harder than counterfeiting money) and risky (being caught with a fake means jail time; it's a more severe crime than theft, and there's no "take-backsies" if they don't like the ID), so fraud with fake IDs is extremely rare.
It may happen with certain large scale scams involving organized crime, but not for small amounts; it simply doesn't show up in practice. What does happen is use of real IDs that are stolen (or bought from homeless people), but most places that have some risks have access to registries where they can verify if the ID has been reported as stolen.
Sure, but the excuse is then, "I had everything stolen! My phone, my wallet, etc. I just need to get my phone back so I can pay my rent and get an Uber to the DMV to get my new license." Then if the clerk says, "Sorry can't help you until you have an ID," you freak out and start yelling and the manager comes over and says, "I'm so sorry sir, let's get this worked out," and does whatever you ask him to.
Not happening in the EU. Since in such a case the company not verifying the ID tends to be held liable for losses, all companies have policies where such managers are prohibited from doing so; they would be risking their own money (and job) by giving you stuff without proper authorisation.
I mean, as soon as word got out that some company allows that, they'd be exploited for free stuff in large amounts; all of the obvious loopholes have been tried and plugged in the last couple of decades. The USA has these problems only because they treat it as "stolen identity" instead of "someone defrauded a company with a fake ID", and don't have proper universal IDs, trying to make do with a mishmash of driver licences, names, addresses, SSNs, etc.
> someone went into a T-Mobile store and somehow convinced the associate that my number was theirs.
The fact that the T-Mobile employees can get hold of your mobile phone number is disturbing and a red flag for using your phone number for sensitive stuff (such as money). You should always assume malice from unknown actors.
I don't know where OP is from, but over here (Poland) you need two forms of ID (passport/national ID/driving licence) if you want the T-Mobile clerk to do anything for you in-store. I got quite annoyed once because I needed a new SIM card for my company phone, but despite having two forms of ID confirming that I am the company owner, they also wanted to see the incorporation papers saying so.
I think the point of the grandparent is that the T-Mobile clerk has the power to register a new SIM card for your account. That makes them an extremely weak link (easy to blackmail, corrupt, etc.).
Without meaning to pick on T-Mobile, the stories I'm hearing here, including yours, lead me to believe that T-Mobile is liable for damages. As in, they didn't take reasonable precautions to safeguard your account, and you suffered financial damages as a result.
I am generally of the philosophy that you should trust no one to do the right thing, but these cases seem to be overlooking the obvious that the phone companies are fucking up on security.
Large companies like cell providers have concentrated benefits and their customers have diffuse costs. They force a large contract on you (because they have an oligopoly and you have only ~4 or fewer realistic choices) and that contract almost always contains a "no class action" and a "forced arbitration" clause. While those clauses exist, we are at the mercy of cell providers. Potentially very large customers (large companies and governments) might be able to demand changes in the contract, but it's unlikely to automatically filter down to the individual consumer.
I'm starting to worry about similar weak process security on the part of the IRS and Social Security. You can theoretically opt out of using a cell phone, but it's far harder to opt out of government programs that are forced on you with the threat of state force.