SS7 is vulnerable to attack. However, the types off attacks on the video don’t affect Signal as it requires a pin. (Make sure you set your pin to something strong and secure)
It’s 30 minutes. Anyone have a quick summary?
Mobile networks are awful and are very easy to spy on.
But the video is worth every minute.
I don’t particularly like Linus, but he was bearable in this video. As someone who assumed this was a SIM swap, I was genuinely as confused as he was playing it up when he was able to place calls but not receive them. That was really interesting.
when I read comments like these it makes me realize that maybe all the money flowing to OpenAI isn’t folly and there really are people out there trying to tl;dr their own lives
What feels alien to me is the idea that experiencing a creative work is itself a means to an end.
I prefer to digest text too, but still would choose to taste a meal than read a typed up printout of the flavors it contains.
SS7 protocol for 2G and 3G is vulnerable to man in the middle attack, easy to spy on people with. They use a walled garden approach al the primary defence mechanism and you can gain access through in for the low low price of couple of thousands of USD.
Couple of exploits are intercepting or monitoring calls and texts and triangulating position by checking what cell towers are in range.
I’ve never had a cellular provider for this reason among others. Here is NBTV’s video with some alternatives to directly having a SIM card, which I combine with MySudo to get phone numbers as well.
Silent.link is also worth considering. I think it also works for people in the EU.
What’s your experience with using mysudo/voip numbers in terms of services accepting them (e.g. Google)? And socially, can you do regular calls with these numbers? Any audio delays?
(copied my comment for the top context comment but the other person hasn’t answered yet, wanted to get some info on these kinds of services first hand)
Haven’t used it [silent.link] myself. All I know is that all (or some) plans they offer include only incomming-calls, not outgoing. But good point you make about delays. That’s important. Haven’t thought about that myself.
I’m not too versed in it myself yet. You were asking about these services in general, right? Since you wrote “voip numbers”. I’ll keep tabs on your other comment then
I found it confusing. Did he explain how the IMSI number is obtained?
Towards the end he said there was a special “interrogation” command that would reveal the IMSI but that loophole is now closed.
He says nothing about the PIN, so I don’t think that is what protects Signal as OP writes. It simply doesn’t rely on SS7.
You only type your PIN into Signal about once a month.
PSA: if your financial institution/government/<other website> is using SMS codes (aka PSTN MFA) for multi-factor authentication they are practically worthless against a determined attacker who can use SIM swap or an SS7 attack to obtain the code. Basically you are secured by a single factor, your password. If your password is compromised it may be sold via black hat marketplaces and purchased by an attacker who would then likely attempt to break that second factor.
The best way to protect yourself is to use a unique password; a password manager especially helps with this. Sometimes institutions will offer “Authenticator” (TOTP) as a second factor, or PassKey authentication, both secure alternatives to SMS codes.
Here in Aus I’m working with Electronic Frontiers Australia to try and force some change within government and financial institutions (via the financial regulator). Most banks here use SMS codes and occasionally offer a proprietary app. One of the well-known international banks, ING Bank, even uses a 4 pin code to login to their online banking portal. 😖
Unfortunately SMS codes are a legacy left from old technology and a lack of understanding or resourcing by organisations that implement it. Authenticator/TOTP tokens have been around for 16 years (and standardised for 13 years), and PassKeys are relatively newer. There is a learning curve but at the very least every organisation should at least provide either TOTP or PassKeys as an option for security-minded users.
