Strategic Revenue - Domain and Internet News

Internet news authored by John Colascione


Think Your Domains Are Safe by Using Two Factor Authentication? Think Again

October 22, 2019 By John Colascione 3 Comments

PALM BEACH, FL – Sometimes I read stories that really make me think (and worry). For those who have great domains under management, you might feel super-safe by using “two factor authentications”, where your mobile device is used to verify each login you make to your registry account by sending you a text message for confirmation.

[Image: Two Factor Authentication (2FA)]

I’ve often thought how horrible it might be if someone got control of my mobile device and was able to use it to verify an account change such as a password update or confirmation for logging in. The same goes for your bank accounts. What if someone could somehow intercept your text messages?

In most cases your cash in bank accounts is protected by Federal Deposit Insurance Corporation (FDIC) [Banks] or the National Credit Union Insurance Fund (NCUSIF) [Credit Unions].

Who is insuring your domains?

This kind of device takeover is exactly what happened to Seth Shapiro, a technology consultant who advises businesses on digital innovation and strategy.

Shapiro is suing wireless service giant AT&T (Seth Shapiro v. AT&T Mobility, LLC) for allegedly (and maliciously) transferring his cell phone service to another device by facilitating a SIM card swap. Through that swap Shapiro lost $1.8 million, some of it in the form of digital coins or cryptocurrency.

The suit alleges:

On at least four occasions between May 16, 2018 and May 18, 2019, AT&T employees obtained unauthorized access to Mr. Shapiro’s AT&T wireless account, viewed his confidential and proprietary personal information, and transferred control over Mr. Shapiro’s AT&T wireless number from Mr. Shapiro’s phone to a phone controlled by third-party hackers in exchange for money.

The suit also alleges that AT&T was not merely responsible for his loss, but that the account compromise was carried out maliciously by the carrier’s own employees, who were allegedly in on the heist, based on information obtained from chat messages:

At the end of the chat, a group member brags that they “made 1.3 [million]” and they begin plotting about how to route the stolen cryptocurrency through various accounts and currencies in order to cover their trail. They also brag about plans to “buy some Gucci” or a “dream car” with the money they stole from Mr. Shapiro.

Shapiro is not the only AT&T customer to have experienced this “digital identity theft” method known as “SIM swapping,” where criminals take over phone numbers in order to log into accounts.

Back in July of this year AT&T failed to win dismissal of a $24 million SIM-swap lawsuit brought by Michael Terpin (Terpin v. AT&T Mobility) when a judge decided the suit could move forward. Recently Terpin wrote an open letter to the FCC Chairman laying out the need for additional oversight and regulation, with more than 50 victims of SIM swapping.

I am not alone, of course. The REACT Task Force has taken on hundreds of cases (including new ones every month I refer to them; since I announced my lawsuit, I have been contacted by more than 50 individuals who experienced similar hacks, with losses in a few instances of more than $10 million).

The letter recommended the following actions:

  • Mandate that all US mobile carriers cover their PINS and passwords, so that users must punch them in instead of reading them aloud to a retail clerk or call center employee. Banks, hotel chains and airlines cover their passwords. The vital data and access protected by these four- to six-digit PINS is too valuable to trust the screening out of potential criminals from tens of thousands of employees and agents. Let the technology do the work and protect all consumers.
  • Inform all US mobile carrier customers that they can opt-in to carrier high-security plans (all carriers have these, but they don’t inform customers at the time of purchase, as they do with insurance against damaged devices). These high-security plans must include a “no port” option, whereby a consumer can specify that his phone cannot be ported without going through the fraud department. This would be similar to how credit card companies protect their consumers.

About The Author: John Colascione is Chief Executive Officer of Internet Marketing Services Inc. He specializes in Website Monetization, is a Google AdWords Certified Professional, authored a ‘how to’ book called ‘Mastering Your Website’, and is a key player in several Internet related businesses through his search engine strategy brand Searchen Networks®


Comments

  1. Andrew Allemann says

    October 22, 2019 at 9:20 pm

    This is why you shouldn’t use SMS-based two-factor. Use app-based or physical security key.

  2. Robert Lee says

    October 22, 2019 at 10:22 pm

    Vulnerabilities in the SS7 network and SIM swap attacks alone cannot account for the increase in ATO for accounts that require password + OTP/SMS to sign in.

    OTP is defeated by Man-in-the-Middle, social engineering, malware, & phishing, if the bad actor is able to intercept the credentials (password and OTP) that the user is attempting to communicate to the authentication service. If the bad actor knows the OTP, even if they don’t have the phone (or SIM card), they can pass the OTP challenge.

    With this understanding, the OTP is more correctly thought of as a dynamic knowledge factor than a possession factor. Knowledge + knowledge should not be considered MFA, 2FA etc.

  3. Robert Lee says

    October 22, 2019 at 10:25 pm

    Said plainly, OTP from an app (TOTP) or physical token is just as vulnerable to social engineering, phishing, MitM, etc. as OTP/SMS.

    Certificate based authentication protected with a local biometric or local pin code is a much stronger authentication method. Thankfully WebAuthN is now an official standard. By this time next year I expect many more sites to reduce reliance on Passwords and One Time Passwords, and replace them with WebAuthN.

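As an added illustration of the point made in the two comments above (this is example code, not the commenter’s or this site’s): a TOTP verifier only checks the digits, so a correctly relayed code is accepted no matter which page the user typed it into, while a WebAuthn-style verifier checks the origin the authenticator signed and rejects an assertion made on a different site. The TOTP routine follows RFC 6238; the HMAC “signature”, the device key, the challenge value and the `registrar.example` / `registrar-login.example` origins are stand-ins constructed for this example.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp_server_accepts(secret: bytes, presented: str, unix_time: int) -> bool:
    # The server only checks that the digits match; it cannot tell who typed them
    # or which site the user believed they were typing them into.
    return hmac.compare_digest(totp(secret, unix_time), presented)

def authenticator_sign(device_key: bytes, challenge: str, browser_origin: str):
    # WebAuthn-style: the authenticator signs the server challenge together with
    # the origin the browser is actually on. HMAC stands in for the ECDSA
    # signature a real authenticator produces (assumption for this example).
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                             sort_keys=True).encode()
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).digest()

def webauthn_server_accepts(device_key: bytes, expected_origin: str, challenge: str,
                            client_data: bytes, signature: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False  # assertion was produced for a different site: reject
    expected = hmac.new(device_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def demo() -> tuple:
    """Returns (relayed_totp_accepted, relayed_webauthn_accepted, genuine_webauthn_accepted)."""
    secret, now = b"constructed-shared-totp-secret", 1571777400  # constructed values
    # Comment 2's scenario: a valid code typed into a look-alike page is forwarded
    # to the real site within the same 30-second step.
    relayed_totp = totp_server_accepts(secret, totp(secret, now), now)
    device_key, challenge = b"constructed-device-key", "c0ffee-nonce"
    real, lookalike = "https://registrar.example", "https://registrar-login.example"
    # Same relay against WebAuthn: the browser is on the look-alike origin, so that
    # origin is what gets signed, and the real site's origin check fails.
    cd, sig = authenticator_sign(device_key, challenge, lookalike)
    relayed_webauthn = webauthn_server_accepts(device_key, real, challenge, cd, sig)
    cd, sig = authenticator_sign(device_key, challenge, real)
    genuine_webauthn = webauthn_server_accepts(device_key, real, challenge, cd, sig)
    return relayed_totp, relayed_webauthn, genuine_webauthn

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```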
