>I'm curious if you could break a similar system that assumed that receipt of an outgoing call made to the customer's phone number was validation of identity.

That would certainly defeat the caller-ID spoofers. "Please hang up now. We will call you right back ...". Receiving a call from the bank's automated service out of the blue would also alert you to the fact that hackers are attempting entry via spoofing. Or are phone-phishing for whatever details the automated system requires in order to proceed.

Google now offers two-factor authentication for its accounts. You sign in with your username and password. Then Google texts a random code to your phone, which you enter into a third dialog. That way, the bad guys have to steal your phone in addition to your password.

Google two-step: http://www.youtube.com/watch?v=zMabEyrtPRg



> Then Google texts a random code to your phone, which you enter into a third dialog. That way, the bad guys have to steal your phone in addition to your password.

Nope, they just need access to your phone account at the carrier.

In the case of an AT&T business account, it's just your EIN from the IRS and the billing address of the company.

Then they just pop the "replacement" SIM from AT&T in their burner and receive the text message.

Sure, it's harder than just stealing a password. But don't think it requires stealing your phone. It's just one more account that needs hacking.


You'd need to get the encryption keys to burn that SIM if it should work. You can't extract those from most SIMs (then again, if you steal the original SIM, you don't need to clone it). The other option is to hack the network node where it's stored, which should be a very different place than the main account data - it's normally a lot harder than stealing a phone.


You misunderstand me. I am talking about walking into an AT&T store and having them issue a "replacement" SIM for the account. No SIM hacking necessary.

It is fraud, however. But so is lying to a bank IVR.