A funny thing happened on the way back from Oahu…


On the way back from a trip to Oahu, we missed our flight. The number of non-stop, non-insane flights heading back from the Hawaiian islands to San Francisco is incredibly small, around four per day. Redirecting us same-day meant going into OAK instead of SFO and an expensive cab ride to get from OAK to Downtown SF. The change fee for my wife and myself was pretty obscene as well, on the order of $360 each.

The expenses, as it turned out, had only begun. Tired, half sick, and with my body stinging with numerous welts from a bad interaction with the coral reef in the days prior, I managed to leave my iPhone in the back of a random cab.

The cab driver, like most in the Bay Area, decided to pull the usual shady stunt with Square, asking me not to use the in-cab device and requesting that I use his iPhone and Square reader for the near $80 charge back to my house. This is pretty common: the driver leaves with far more money than normal because the transaction isn’t recorded by the cab company he’s working for. The unfortunate part is that it removes all of the identifying information that usually comes on a taxi charge receipt: the taxi number, the timestamp, and the cab company name.

After discovering that I’d lost my phone, I started to switch into forensics mode. Where was the phone? The standard “Find My iPhone” on iCloud is pretty useless on a dead device, and all Square gave me was the name of the person who drove the cab. I could wait days for someone to plug it in, but I was in the deep throes of smartphone withdrawal.

Did you know it’s possible to be a merchant on Square, take people’s credit cards, and never give out your personal information to your customers? This seems ripe for exploitation.

Square’s customer support offered to pass along my information to the merchant, who might call me, maybe, in a million years, if he found my phone. After a day or so, I decided to get a new phone from the Apple store. The cheapest deal at the time was to transfer from AT&T to Verizon, and pay nearly nothing for a new device. At the end, I get a new phone and I can stop giving money to AT&T.

Let’s talk about account security.

I store nearly all of my passwords (except a couple I am forced to memorize) in 1Password, synced via Dropbox and encrypted with AES. My phone is used as a second-factor (2FA) token for any website that supports it (there should be more) like eBay/PayPal, Dropbox, Digital Ocean, GitHub, and many others. Without my phone or laptop, I wasn’t going to be able to access my 1PW account.

To transfer an account you need three things: The person’s last four digits of their SSN, their previous account number, and their phone number.

The last four digits of someone’s SSN are readily available if you look hard enough. One is instantly reminded of the Gizmodo hack here, where partial bits of information from Amazon and Apple were used to completely own a user.

We were able to get my old AT&T account number from AT&T by calling a few times and finding a person who was willing to give up the account number with only my phone number and last four digits of my SSN (facepalm.) The first customer service person declined. The next call yielded the account number.

After obtaining my account number, the Apple store required my phone number (which we already had.) From there, Apple was able to transfer the account from AT&T to Verizon, and all of my 2FA protection became meaningless.

Logins on Google Apps could now be transferred to SMS instead of 2FA. Owning my phone number meant I no longer had the protection of 2FA.

Sure, you had to have my password (which I suppose you could phish from me, if I wasn’t paying attention), but the ease of transfer certainly was frightening. The only time the question of my identity came up was when Verizon wanted to do a credit check for signing up for service. Only then was I asked for a valid ID.

I’m going to assume that Apple store employees are not well trained in detecting fake IDs. My good doormen friends over at the DNA Lounge can spot them a mile away, but a 20-something at the local Apple store?

No way.

tl;dr:

  1. 2FA is useless when you can ask the remote site to send you an SMS in lieu of the authenticator application and you can hijack the control channel (SMS)
  2. It is too easy to take over someone’s phone number. Even if you’re not replacing a phone like I was, if someone controls the communications channel (e.g. a state-sponsored actor or government telecom) they can easily obtain the 2nd factor over SMS.
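To make the first point concrete, here is an added example (my own illustration, not code from the original post or from any of the services it mentions). It implements RFC 6238 TOTP with only the Python standard library, then models a login service with a toy carrier in which a phone number belongs to exactly one handset and “porting” the number redirects all future SMS. The account, the phone number, the handset names and the TOTP secret are constructed for illustration. With `allow_sms_fallback=True` an attacker who has phished the password and ported the number gets in without ever touching the authenticator secret; with the fallback disabled the same attacker is stopped, while the legitimate user’s TOTP login still works.

```python
"""Added example: TOTP vs. SMS-fallback 2FA under a phone-number takeover.
All accounts, numbers, handsets and secrets below are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): what the authenticator app computes."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class Carrier:
    """Toy telco (constructed): a number maps to one handset; porting moves it."""

    def __init__(self, assignments):
        self.owner = dict(assignments)   # phone number -> handset name
        self.inbox = {}                  # handset name -> received SMS texts

    def port(self, phone, new_handset):
        # The AT&T -> Verizon transfer in the post: no check of the authenticator.
        self.owner[phone] = new_handset

    def send_sms(self, phone, text):
        self.inbox.setdefault(self.owner[phone], []).append(text)


class LoginService:
    """Password + second factor. The only policy knob is SMS fallback."""

    def __init__(self, carrier, allow_sms_fallback):
        self.carrier = carrier
        self.allow_sms_fallback = allow_sms_fallback
        self.sms_codes = {}   # username -> outstanding one-time SMS code

    def _password_ok(self, acct, password):
        return hmac.compare_digest(password, acct["password"])

    def login_totp(self, acct, password, code, now):
        if not self._password_ok(acct, password):
            return False
        # Accept the current step and one step either side for clock drift.
        return any(hmac.compare_digest(code, totp(acct["totp_secret"], now + d))
                   for d in (-30, 0, 30))

    def request_sms_code(self, acct, password):
        if not self._password_ok(acct, password):
            return False
        if not self.allow_sms_fallback:
            return False   # hardened policy: the phone number is not a factor
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.sms_codes[acct["user"]] = code
        self.carrier.send_sms(acct["phone"], f"Your login code is {code}")
        return True

    def login_sms(self, acct, code):
        expected = self.sms_codes.pop(acct["user"], None)
        return expected is not None and hmac.compare_digest(code, expected)


VICTIM = {"user": "victim", "password": "correct horse",
          "totp_secret": "JBSWY3DPEHPK3PXP", "phone": "+14155550100"}


def attacker_with_ported_number(allow_sms_fallback):
    """Attacker has the phished password and the victim's number, but not the
    authenticator. Returns True if the attacker is logged in."""
    carrier = Carrier({VICTIM["phone"]: "victim_iphone"})
    svc = LoginService(carrier, allow_sms_fallback)
    carrier.port(VICTIM["phone"], "attacker_handset")
    if not svc.request_sms_code(VICTIM, "correct horse"):
        return False
    stolen = carrier.inbox["attacker_handset"][-1].split()[-1]
    return svc.login_sms(VICTIM, stolen)


def legitimate_totp_login(now=1_700_000_000):
    """The real user, with the authenticator, under the hardened policy."""
    svc = LoginService(Carrier({VICTIM["phone"]: "victim_iphone"}), False)
    return svc.login_totp(VICTIM, "correct horse", totp(VICTIM["totp_secret"], now), now)


if __name__ == "__main__":
    print("SMS fallback on, number ported:", attacker_with_ported_number(True))    # True
    print("SMS fallback off, number ported:", attacker_with_ported_number(False))  # False
    print("Legitimate TOTP login:", legitimate_totp_login())                       # True
```

The point of the model is that nothing in the `Carrier.port` step consults the authenticator: once the number moves, the service’s SMS path delivers the second factor to whoever holds it, and the TOTP secret on the lost phone is irrelevant. The same applies to “recover my account by phone” flows, which are an SMS fallback under another name.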