undefined | Better HN

0 pointsvngzs4y ago0 comments

I agree. From Coinbase's perspective, they ought to defend their infrastructure against fraud, whether that is a direct attack on the users, an attack on the users' telcos, or insider activity directly.

From the telco's perspective, they have a responsibility to stop SMS and SIM fraud, and our regulations have failed to properly hold them accountable in this domain.

I would add that the users have some responsibility for losing their emails/passwords, but my initial framing insufficiently demands responsibility for the service providers in this instance. The service providers should be expected to take all reasonable steps to prevent fraud on their platforms, and that should include extra scrutiny of SMS-based authentication mechanisms (e.g., identity verification). This is why Coinbase paid them back, accepting some responsibility for the fraud.

0 comments

sangnoir4y ago

I fully agree that users are not absolved of all responsibilities or vigilance (e.g. over passwords/devices). I think the legal framework has to be overhauled to clarify the culpability of all parties involved, rather than the current "Sucks to be you" attitude towards consumers, who are the least powerful, and have the least agency in these issues.

miohtama4y ago

Telcos have no responsibility to stop SIM fraud. Telcos have communicated the last 30 years SMS is not secure (travels as plain text) and should not be used for 2FA. If companies have ignored this advise then it is on them.

tdeck4y ago

SIM swapping also allows you to intercept voice calls, which are encrypted and supposed to be secure. The idea that telcos have no responsibility to stop people from taking over the telephone number that customers pay for is completely absurd. Moreover, often the SIM swapping is done by employees of the Telco itself using company infrastructure.

miohtama4y ago

No you are not correct. The whole underlying mobile phone network infrastructure is based on (failed) trust and is not secure. Though it is slowly being replaced.

https://www.theguardian.com/technology/2016/apr/19/ss7-hack-...

https://www.firstpoint-mg.com/blog/ss7-attack-guide/

1 more reply

nroets4y ago

The incumbent telcos would love a regulatory framework where they must store address info and other personal data of their clients: Clients would then be much less likely to switch.

International tourists will also be less likely to get a local SIM card and then pay exorbitant roaming charges.

(Here in South Africa, clients must provide proof of their residential address. Some telcos even insist on verifying the thumbprints of their clients)

1 more reply

b1124y ago

And the elephant in the room is... the real purpose, for many corps eg Google, others, is to identify you, track you more accurately.

And your mobile phone number is invaluable here.

dropnerd4y ago

coinbase does kyc. it already knows who you are

why sms? because everyone has it. we're not in a otp/u2f only world yet. sms 2fa is better than no 2fa

j / k navigate · click thread line to collapse

0 pointsvngzs4y ago0 comments

From the telco's perspective, they have a responsibility to stop SMS and SIM fraud, and our regulations have failed to properly hold them accountable in this domain.

0 comments

sangnoir4y ago

miohtama4y ago

tdeck4y ago

miohtama4y ago

No you are not correct. The whole underlying mobile phone network infrastructure is based on (failed) trust and is not secure. Though it is slowly being replaced.

https://www.theguardian.com/technology/2016/apr/19/ss7-hack-...

https://www.firstpoint-mg.com/blog/ss7-attack-guide/

1 more reply

nroets4y ago

The incumbent telcos would love a regulatory framework where they must store address info and other personal data of their clients: Clients would then be much less likely to switch.

International tourists will also be less likely to get a local SIM card and then pay exorbitant roaming charges.

(Here in South Africa, clients must provide proof of their residential address. Some telcos even insist on verifying the thumbprints of their clients)

1 more reply

b1124y ago

And the elephant in the room is... the real purpose, for many corps eg Google, others, is to identify you, track you more accurately.

And your mobile phone number is invaluable here.

dropnerd4y ago

coinbase does kyc. it already knows who you are

why sms? because everyone has it. we're not in a otp/u2f only world yet. sms 2fa is better than no 2fa

j / k navigate · click thread line to collapse