Tell HN: SMS-based two-factor authentication is not secure
601 by Zolt | 278 comments on Hacker News.
SMS-based Two-Factor Authentication is not Secure. I’ve read this before but brushed it off. It wouldn’t happen to me. It did.

I am with Boost Mobile. On Sunday night I received a text message that my PIN was changed. Within minutes I confirmed this to be true on my PC. I used the Boost application on my phone to change the PIN and received a confirmation text. A few minutes later I received a text message welcoming me to Metro PCS. A few minutes later I received emails to my business email that my account security information was deleted from my personal email account. They used SMS authentication to my mobile number, which they now have control of, to gain access. A few minutes later I received an email that there was an account recovery attempt on my coinbase.com account. It took less than 30 minutes for these events to transpire.

I've spent about 15 hours trying to get my phone number and my email address back under my control. I've accumulated a list of eight other people in the Boost Mobile Reddit.com forum where the exact same thing happened to them. I filed a police report and filed a report with the FCC. I received a response from the FCC that they have started the inquiry and contacted Boost. I finally did get my cell phone number ported back to Boost. I have not gained control of my Microsoft email address.

I didn’t realize I could only have messages of 2,000 characters. So I will wrap this up. When account settings were changed, Coinbase gave me a link to lock my account; Microsoft gave me a link to log in to my account, which I no longer have control of. Unlike competitors, which allow PINs from 6 to 15 characters and for accounts to be administratively locked, Boost offers none of these options. The last Boost operator suggested I pick a more secure PIN. I am calculating my losses and documenting all interactions.
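The timeline above is the standard port-out pattern: the carrier PIN changes, the number moves to another carrier, and minutes later the attacker passes SMS-based recovery at the email provider and the exchange because the code is sent to whoever currently holds the number. The following added example (mine, not code from the post, Boost, Coinbase or Microsoft) shows the check a service can put in front of SMS recovery: treat the number as untrusted for a cooldown window after any port-out, SIM change or carrier PIN change, and accept only a non-SMS factor the user enrolled during that window. It assumes the service receives those carrier events from some notification feed; the event names, the 72-hour window, the `totp` factor name and the timestamps are all constructed for the example. It also includes a carrier-style PIN policy of 6 to 15 digits, the range the post says competitors allow.

```python
"""Added example: refuse SMS-only account recovery while a phone number is
inside a cooldown window after a port-out, SIM change or carrier PIN change.
Hypothetical service code; the carrier-event feed and all names are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Carrier-side events the service is assumed to receive. Names are this
# example's own, not any carrier's API.
RISKY_EVENTS = {"pin_changed", "ported_out", "sim_changed"}

# Assumed cooldown. The post's takeover finished within 30 minutes, so even a
# much shorter window would have blocked the SMS-based recovery step.
COOLDOWN = timedelta(hours=72)


@dataclass
class CarrierEvent:
    kind: str
    at: datetime


@dataclass
class Account:
    phone: str
    carrier_events: list = field(default_factory=list)
    # Non-SMS factors the user enrolled (assumed names such as "totp").
    other_factors: set = field(default_factory=set)


def recent_risky_events(acct: Account, now: datetime) -> list:
    """Carrier events on this number that fall inside the cooldown window."""
    return [e for e in acct.carrier_events
            if e.kind in RISKY_EVENTS and timedelta(0) <= now - e.at <= COOLDOWN]


def sms_trusted(acct: Account, now: datetime) -> bool:
    """SMS to this number is trusted only if no risky carrier event is recent."""
    return not recent_risky_events(acct, now)


def recovery_decision(acct: Account, now: datetime, presented: set) -> tuple:
    """Decide an account-recovery attempt.

    presented: factors the requester completed, e.g. {"sms"} or {"sms", "totp"}.
    Returns (allowed, reason). SMS alone never suffices while the number is in
    the cooldown window; an enrolled non-SMS factor still works.
    """
    strong = presented & acct.other_factors
    if strong:
        return True, f"recovered with non-SMS factor {sorted(strong)[0]}"
    if "sms" not in presented:
        return False, "no factor presented"
    if sms_trusted(acct, now):
        return True, "sms accepted: no recent carrier change on number"
    kinds = sorted({e.kind for e in recent_risky_events(acct, now)})
    return False, f"sms refused: recent carrier events {kinds}; use another factor"


def pin_is_acceptable(pin: str) -> bool:
    """Carrier account-PIN policy: 6-15 digits, not all one digit, not a run."""
    if not (6 <= len(pin) <= 15) or not pin.isdigit():
        return False
    if len(set(pin)) == 1:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({1}, {-1})


def demo() -> list:
    """Constructed timeline modelled on the post: PIN change, port-out five
    minutes later, then recovery attempts. Timestamps are made up."""
    t0 = datetime(2024, 1, 1, 21, 0)
    acct = Account("+15550000000", other_factors={"totp"})
    acct.carrier_events += [CarrierEvent("pin_changed", t0),
                            CarrierEvent("ported_out", t0 + timedelta(minutes=5))]
    return [
        recovery_decision(acct, t0 + timedelta(minutes=20), {"sms"}),          # refused
        recovery_decision(acct, t0 + timedelta(minutes=20), {"sms", "totp"}),  # allowed
        recovery_decision(acct, t0 + timedelta(days=4), {"sms"}),              # allowed
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
    for pin in ("123456", "111111", "482913"):
        print(pin, "ok" if pin_is_acceptable(pin) else "rejected")
```

The first decision is the one that would have stopped the chain in the post: an SMS code arriving twenty minutes after a PIN change and port-out is treated as unverified, and the requester is pushed to a factor the attacker does not hold. Whether a service can actually see port-out or SIM-change events depends on what its carrier or a lookup provider exposes; absent such a feed, the next-best signal is the service's own record of a recent phone-number change on the account.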