While this sucks, my phone is in so many data breaches at this point it doesn’t matter.
The spam-to-ham ratio on my phone number is now far worse than any other channel for me. The traditional phone network is at risk of going the way of the fax machine if we don’t do something about the spam problem like we did with email.
If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc. I can’t remember the last time I talked on the traditional phone network or received a legitimate call. Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives — once they capture the market fully they will eventually dump ads all over your calls. Don’t believe me? Just look at what Gmail did to monetize the lock-in on your inbox.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Doctors and dentists.
Most of the calls I get are spam, but then the MOST important calls I get are from doctors, labs, and dentists. I do as much as possible online of course, but not all of these professionals have good online systems and phone calls are often required.
Sometimes you know what number they're going to be calling from ahead of time, but often you don't... especially if you're in a large medical network that has different offices for different specialists, etc. It's a really sad situation if you get sick and you're trying not to miss these important calls, especially when it's a long wait for a specialist and then you miss their call when they get to your name on the waiting list.
This will literally cost some people their lives and legislators need to act on making spoof calls impossible -- there's no reason why anyone should be allowed to spoof a number that they can't receive calls at.
I recently had to help my father organize his medical visits.
Dealing with his healthcare providers was a bit of a pain, but it was way worse because he has stopped answering calls, primarily because of the call spam rate. I think because he owns his own business, he never fails to hand out his contact info when he is shopping, and he owns his own business (so his contact info is published by the city).
His phone provider has a feature to opt into spam filtering, his phone has another, and I downloaded a spam list filtering app for him. I disabled the ringer for numbers not in his contact list. I did similar actions to reduce spam in his text messages.
This was a good triage, but the damage is already done to his psyche. He doesn’t answer the phone anymore.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Social services are another example. Many services are county-administered and thus don't have a centralized online platform. As always our most vulnerable populations suffer the most from techno-greed. Not the families of software engineers who built the system.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
I think a whole lot more people still make regular phone calls than the ones who don't. Anyone who runs a business for example is usually on the phone ALL the time.
It's high time someone disrupted the damn desk phone network of these hospitals. It's definitely not a technical hurdle in 2024. All calls go on the data network. You route your calls out of the main router and any call that gets routed in such manner will have the ID of the router. Tag the router ID to the hospital or hotel and be done with it.
Is it not this simple? With dual SIMs any phone can serve 2 lines, so employees officially switch to the hospital e-SIM within the hospital premises.
My dentist texts me. My doctor uses MyChart, so I get notifications. Neither one calls me on the phone.
Even if they do want to call, they all have to support deaf people using TTYs, and phones all support RTT (TTY to cell). There's no need to take voice calls from legitimate businesses in the US.
Easy trick: Every time you get a spam call, answer it. Talk to them until _they_ hang up. String them along. Put them on speakerphone and keep working. Feed them fake credit card numbers (there are generators out there that create numbers that checksum correctly, so they type them into whatever they're using to bill numbers. Hopefully this helps flag them as a bad actor to the processors, idk).
It sounds like a lot of work, but when I started doing this about two years ago it took about two weeks for the calls to just... stop. Now I get a spam call maybe once a month. It's glorious.
My theory is this is the only route to get put on the _real_ do-not-call lists - the ones that spam companies in India have labelled "unprofitable numbers.txt". Seems like once you're on those, you're good.
Every minute they're listening to you use them for rubber-duck debugging is a minute they're not scamming Granny out of her 401k. Be prepared to get called bad names in foreign languages. Bonus points if you learn some phrases in their language to really get under their skin.
How convenient for the data collecting companies that so generously sponsor the new & free services that our democratically controlled communication infrastructure loses in value.
Advertising is a cancer on modern society. It will metastasize to any new communications medium, public or private, and destroy it from within. People will switch to new media that offer less spam, but advertisers quickly follow to strip-mine the new channel. A cycle of life, so to speak.
Is our communication infrastructure democratically controlled? At least in the US, we may have federal regulators but isn't the infrastructure still owned by a few massive telecoms corporations?
"Our democratically controlled communication infrastructure" honestly deserves to be deprecated and replaced with some kind of federated voice system that comes out of the IETF instead of the telcos. What kind of antediluvian nonsense doesn't use end-to-end encryption in 2024?
> If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc.
I really don't get that. I don't get these on either of my phones (I've got two numbers). When it rings, it's virtually always friends or family. Sometimes the bank/insurance/doctor. Very exceptionally do I get a commercial or scam call.
I think it's not an argument good enough to excuse Authy here: "my phone already leaked, so what's one more leak!?".
> Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives
Oh I fully agree. I'm using Telegram for chat but zero FaceTime/meet/WhatsApp here. People want to call me, they usually phone me. Once in a rare while Telegram.
I'm jealous of you. I recently had a day where I got 25 phone calls. 23 were spam. Turning on iOS "ignore unrecognized phone numbers" has been amazing (I assume Android has the same feature).
I have 5+ spam calls every day. Looking at my call history it’s been that way as far back as it lets me scroll.
Blocking doesn’t make a ton of difference, as it’s almost always a different number.
I don’t understand what they are calling for either. I’ve answered a few and most of the time it’s a dead line when I answer. Just silence.
Definitely. I'm American and I've lived in the Netherlands for the past three years. The difference is night and day.
Whenever I visit, I switch to my US SIM card and am immediately bombarded with spam texts (mostly from political parties) and scam calls. In my experience, Android is pretty good at marking calls and texts as "potential scams," but they're still there. In the Netherlands, I've gotten a few scam attempts via WhatsApp. Other than that, I think I've received one phone call soliciting donations to the Red Cross, and nothing else.
America doesn’t have privacy laws that prevent robot spam. Repercussions for violating the SPAM Act are not prosecuted very often.
Personally, the only “spam” I get is flagged by the cellular provider and 99% of the time the calls are silenced. Not really an issue for me. The only people that “call” me are in my contacts list anyways. Everyone else can leave a VM or text message.
> While this sucks, my phone is in so many data breaches at this point it doesn’t matter.
Yes, and this is the slope that we keep sliding down with these data breaches not being taken seriously. First it was your name and email. Now phone numbers. What's the next bit of our private info that we'll normalize leaking?
Currently, any password from more than 6 months ago, names of all my acquaintances, photos of all my paystubs over the last 6yrs (thank you Equifax and dishonest HR platforms), .... Astounding amounts of misconduct are normalized. They're just not widely known yet.
This is why I have my own mail server and domain. Full control over mail, and access to features that you pay for (i.e., unlimited e-mail aliases, control over mailbox size). No more worrying about “Google decided to shut your free account down for whatever reason”. Bye bye decades of emails and loss of access to services that use email based OTP or magic link login.
My phone number is from a different area code than I currently live in and I know no one from that area anymore. I can filter out 80% of spam just by ignoring calls from that area.
I wind up using the phone because so many organizations malevolently misfeature their websites - doing what you want to (pay a basic bill or whatever) is hard, but upselling and new features, those you can do instantly.
Anyone who has kids has to answer the phone from strangers routinely. School staff and camp counselors are routinely using their own cell phones these days to communicate with parents.
Doing it the opposite way - tying all outbound school/camp calls to a single caller ID - risks blending the important with the automated reminders. LAUSD abuses their automated calling system to the extent that my wife and I have both screened calls from the front office involving an injured child, more than once.
The real issue here is getting to the root cause, which is carriers and their intermediary aggregators having incentives to carry large volumes of spam.
In a number of markets, operators have increased the cost of SMS messages to deter spam, only to find a massive increase in traffic pumping fraud that mysteriously appears in the system of trusted intermediaries. Everyone's making a goddamn fortune off it, and no one actually cares to fix it.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Doctors, dentists, moving companies, home improvement contractors, recruiters, etc. These are some of the most important phone calls I've received in recent memory.
I don't know what world you live in, but I religiously block phone numbers after just one spam call. And I usually don't give out my phone number. (I'm much happier giving out email addresses since I have an infinite supply of addresses.) I never get enough spam calls that I feel like the phone system is going the way of the fax machine.
I used to get a couple of cold calls per year for surveys, but I got unlisted via GDPR requests and now it's down to zero.
Companies do try collecting your phone number, but then I answer NO to the obligatory "do you want the latest offers" question (in the EU, this is opt-in not opt-out). And it doesn't matter if my phone number leaks.
This is similar to my email address use. I used to get emails from recruiters, but after a couple of replies informing them that whatever profile they have is illegal, with my email address not being public, asking them to delete it, the emails stopped. I still get spam, but it's mostly fraud and US companies. Fastmail's spam filters are good enough, BTW.
My phone number works just fine, and the phone network is valuable given the better signal 2G can have, or the fact that not everyone is on the app du jour. And I find it odd when people call me on WhatsApp.
I frequently see US folks criticising GDPR, so I'm guessing this is one of those "the US mind can't comprehend" moments.
>And I find it odd when people call me on WhatsApp.
Given that you're European, do you not have any friends/family outside your country, in neighboring EU countries? Wouldn't they have to pay high per-minute rates to call you?
Everything you mentioned is the beauty of the EU privacy laws (so far), however there is another negative externality you haven't planned for maybe.
Giving your phone number out to all these services also means that it can be used as a single identifier to track you and your behavior across all those services.
Very similar here... same for my primary Gmail address... the most annoying thing is the "credit monitoring" that comes with a few of my credit cards is all but worthless... I get constant notices that my "email is compromised" but absolutely no detail on how/where/what exactly is compromised, which is like saying your email is public.
While I do get a few regular phone calls a week, they're all in my contacts and I don't answer if the number isn't... at least 2/3 of the time if I decide to answer because I'm expecting an out of band call, it's spam. On the flip side, I am wanting to set up "your code is XXXXXX" as a verification on a personal website I'm working on to allow for public users. I know it doesn't add too much, but it's enough to reduce the noise. I'm not even sure what more hoops I need to jump through with Twilio to get to send said messages. I'm not a company, and not sending any kind of marketing campaign.
> The telephone companies make money based on minutes of usage.
I don't see how that could be correct. Once you pay your monthly fee, the fewer minutes you tie up the company's resources the better for them. That's true too for pay-ahead plans.
IMO The problem with data breaches is not the phone number being exposed, it's the other data around it that one can combine with other breaches to make full profiles of a person's comings and goings, their location/purchase history, their associations and preferences, etc.
This is very valuable data to have, not only for advertisers, but also criminals and other bad actors.
Also, the fact that nobody ever questions the authenticity of leaked data should be VERY alarming. Imagine what power someone can hold over someone with manipulated leak data.
Doesn’t even have to be manipulated, just incorrect. I share a rather uncommon name with at least two others within five years of my age. I get emails intended for either of them almost daily. One holds political views completely opposite my own. The other is rebuilding his life after a couple years in prison.
I would rather not have my own life intertwined with either of them but undoubtedly it already is to some degree.
I make and receive regular phone calls all the time. However I only answer those that are from numbers I have in my address book. I do the same with text messages, I have my default view set to "Known Senders" so I'm not even really aware of others. If I'm expecting an unknown sender message, such as a TFA code, it's easy enough to just look in "Unknown Senders" for it.
I feel the same way. I get far too many “hey!” or “Hello?” “What’s up?” messages on my phone that never say another thing. Any family/friend of mine knows me well enough to try more than once to get my attention via messages, and 99% of them should probably be in my contact list already and I’ll hear the beep.
I’ve found some success in curbing spam calls with the “Silence Unknown Callers” feature in iPhone.
However this presents a few challenges. Mainly missing calls from delivery agents, whose number is obviously not in my iPhone contacts.
I’ve been impressed with my iPhone and/or carrier (AT&T in the US) for tagging incoming calls as spam or telemarketing. The phone does still ring but I know not to answer it.
The solution to phone spam is voicemail transcription. Every call goes to voicemail, I get the transcription in a minute or two, and can call back if I want to.
I think that is intentional. AFAIK phone communication is more protected than other types, so allowing spam to continue unabated is in the government's interest. Outsourcing the harassment to 3rd parties, similar to how prison torture is outsourced to the inmates. The government could fix these things but would rather not.
I think we just don't have very much competition in telecommunications so things never get fixed. Why bother? It's easier to extract rent off largely the same offerings as the rest of your market (difficult to understand pricing tiers that function as a congestion tax more than a transaction, often region-specific monopolies or duopolies, indistinguishable quality of service) and bring home large profits, market efficiency damned.
The phone network we once knew is useless in terms of answering or bothering with any calls or texts from those not in your contacts. If you do... you do so at your own risk!
Took a while, but this commenter is finally correct:
> Why does Authy require I provide my cell phone number and email address? Why do I have to have a user account? This is completely ridiculous. I do not need nor want cloud syncing or backup. You are making Authy a potential target for attacks by associating a user to cloud stored 2FA information.
I use Authy _because_ it provides cloud sync. At the time, Google Authenticator didn't have it, and when I had to change phones it was a real hassle. Imagine if the phone had been stolen, no way to access the account normally to get a new QR, you'd have to "recover" every account.
I have been transferring Google Authenticator from phone to phone for years though? Going back to at least 2016, and that was 8 years ago. In 2020 I copied it from Android to iOS even by doing an export I had no idea was there.
The entire use case for Authy is the cloud backup and syncing across devices. If you don’t want that, use any of the other free and more open 2FA apps.
Then make it an independent email+password thing, so in case of a leak, something as critical and personal as a phone number doesn't get involved in the stolen data.
(I know the irony of this in particular being Authy, but nevertheless phone numbers should NOT be risked to be exposed anyhow)
Twilio has an incentive to make "the spirit of 2FA" worse, because SMS-only is how they make money. Either OTP 2FA will be more complicated and adopted less, or they'll own the entire space, like in Sendgrid's case.
Not to go too off-topic, but that post from 2015 has a response from 2019, how is that even possible? I thought HN auto locked posts after x number of days / years.
I don't want to go through the trouble of creating a throwaway to test it, but having worked in webdev long enough makes me believe it's possible that restriction is only on the frontend and some well placed curl may sidestep it
You can't pick and choose "Not a real scotsman" since 99% of users will be on bigcorp 2FA that does it in the most ass-backwards way possible. 2FA as mobile apps locked to hardware is not going to go away without 2FA being replaced by something else.
And they wonder, in random organizations and businesses, why I am not willing to give all my personal details right away on first contact despite their 'utmost importance' of handling my data very securely, all this just to be informed about their product. And they seem to be offended with a "but we did it so for many years now" on my refusal, and say goodbye if they try to insist on this "company policy".
Unluckily sooo many give zero or negative fáck about their potential and existing customers. This includes businesses providing medical services sending all the client's data and medical results in clear text email and even declaring for their own convenience that "The property and copyright or other intellectual property rights in the contents of any document or images provided to you shall remain our property", for your ultrasound results. Your medical results are their property for those who use their services. So they do as they please with their data, not your data, not your concern if it is protected or not. And people go there and rate this service 4.8 on Google, insane. Of course no-one really reads the TOC, not even for sensitive medical services. People do not learn.
British Gas has taken to removing their bank account details from their invoices so that you have to set up an online account with them and then set up a Direct Debit (permission to take arbitrary amounts of money from your UK bank account).
Twilio requires Authy for 2FA for SendGrid and maybe even Twilio itself instead of supporting more standardized 2FA that’d allow 1Password to be used. This is all the more frustrating because I was forced to use Authy to protect an account instead of my regular tooling and they still managed to screw it up. Twilio, take a hint and stop forcing people to use your custom thing.
I just hate that some apps/services require 2FA. My 32 random characters which are unique to each service are secure enough. Adding another service on top just increases risk (as shown here; Authy was never going to do anything to protect me, but it has now leaked info about me.)
My recollection is that someone reversed their algorithm and they used almost TOTP which hurts me even more because that implies that they knew about the standard and still chose violence
There's this small web portal in Poland that for years has provided a simple free email service (and an instant messenger with the same login) with occasional "messages from our sponsors" in your inbox - you had to tick your "interests" during registration. In time banners started to appear and that was still fine because the Web was still a pretty innocent place and tracking was years ahead of us. At some point the inbox was getting flooded with spam; either the ones you had to have or spam from outside the service, because the domain was popular and addresses were probably scraped from the associated instant messenger. Then banners started to be aware of inbox content and sponsored messages included tracking - milking your habits and activity became a thing.
Fast forward to some 10 years ago: the service offers a premium plan where you can turn off banners around the inbox, the permanent banners that pretend to be emails at the top of the list. Of course paying turns off only these banners, and sponsored messages and every other kind of spam will still pile up. There's a built-in filtering option, but since people started using it to get rid of these mandatory messages it stopped working at all, and any filter entry is a dummy one. At this point it's more an ads and spam gallery with an optional email service. The instant messenger was killed off in 2016 as people preferred global networks, and the small but popular discussion forums were turned off as well.
Around the same time the portal was bought by what for years was a bigger competitor to them (not the only one ofc). The idea that both portals should use a single login appears. So people saw messages at login saying that you should transfer your account to this unified platform because it's more secure and there are some "benefits". Later, a dark-pattern message was displayed saying that the unified login service will be the only way to use all services including email. And this unified login comes with the company's own 2FA mobile app which you can't replace with a generic generator of any kind. Aaand in the end, nothing really happens. The dark-pattern messages disappear and you can still log into the email with the same plain password you used for years. The 2FA suddenly becomes optional but "recommended". People complaining in App Store reviews about login issues and the fact that no generic generator works are told to talk with support, where apparently something can be arranged.
My hot guess is that the company believed that domestic service popularity combined with a mandatory 2FA app that collects a lot of additional unnecessary information would provide a steady source of money for this service. People accustomed for years to an attractive short local domain won't force themselves to move elsewhere. But that didn't work as planned and honestly, I don't know how they managed to survive till today.
I did create a few addresses there but over the years I managed to move elsewhere; what was once cool and fast and plausible became obnoxious to use.
If you remember poczta o2 you surely remember the tlen emoticon: [10ton] - that's the best way to sum up what happened to this portal and service.
This doesn’t surprise me. I found an information exposure vuln on the user registration endpoint a while ago (given a phone number of an authy user who had previously registered via another customer, retrieve all other numbers/devices/timestamps, email addresses and other info for that user).
> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint
I use Authy’s iOS app to generate 2FA tokens for a few accounts. I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?
I’m trying to see if the issue is some unanticipated issue with the iOS client app itself, or if it is only affecting people who created online accounts with Authy to sync their 2FA credentials across devices.
> I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?
Entering your phone number was mandatory. This was what turned me away [1] from Authy to Duo Mobile on my Apple devices.
Authy is both a SaaS and a consumer-facing authenticator app.
When companies integrate Authy into their system, they can use it for SMS OTP (also deliverable by phone call + TTS iirc) as well as regular TOTP, Authy's proprietary TOTP, and others.
Your phone number would only be at risk if you used a service which used Authy for SMS 2FA
The consumer app also wants your phone number... It prompts you to "backup" your codes, so that they're not gone if you reinstall the app or switch devices
You probably gave them your phone number at some point if you've got Authy on multiple devices.
/Edit: just checked on a clean install. It prompts for a phone number instantly and won't let you scan codes without creating an account. Not sure when that happened, as I haven't really used it in years.
Cloudflare should probably deprecate their Authy provider, considering they support other more secure MFA options (hardware and virtual WebAuthn). I believe Wise (ex TransferWise) and Plastiq also use Authy natively for SMS OTP server side, but provide no mechanism to disable SMS 2FA (boo).
Nothing in the iOS Settings app for Authy, but tapping the little gear icon in the app UI shows my phone number and email! I guess I did enter them at some point and forgot. Thanks.
> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests
How do I avoid such problems in my own app? Force authentication for all requests with row-level security? Rate limiting?
Any testing frameworks that would catch this? Something like "given endpoint /user/phone-number-validate make sure only <user> can access it".
One step we have taken is to build an auth system that requires you as the developer to explicitly specify the security of an endpoint using a decorator. If no decorator is provided, then the endpoint is completely locked down even to admins (effectively disabled).
If an endpoint is decorated with something that is considered dangerous (i.e. public access), that triggers additional review steps. In addition, the authentication forbids certain combinations of decorators and access patterns.
It's not perfect, but it has saved us a few times from securing endpoints incorrectly in code.
.NET web apps / APIs have an option where you can require authorization on all controllers (and their actions) by default. If you need an anonymous controller/action, you can use the `[AllowAnonymous]` attribute on it.
It's a common problem. On a previous job, I found one unauthenticated endpoint just because I wanted to add some integration tests on it and my tests failed! After that, I created a script which lists all endpoints and curls each one with invalid credentials, expecting them to return 401.
1. build a single endpoint handler that handles auth, then looks up the endpoint on the path.
2. Never create direct endpoints, just register endpoints in the system that the auth endpoint works under.
You know table driven tests?
Use table driven endpoints. It works and makes things so much simpler and secure.
> 1. build a single endpoint handler that handles auth, then looks up the endpoint on the path. 2. Never create direct endpoints, just register endpoints in the system that the auth endpoint works under.
Mh, I'm probably comparing apples to oranges and such.
But the last 2-3 times I set up config management, I made sure to configure the local firewalls as deny-all by default, except for some necessities, like SSH access. And then you provide some convenient way to poke the necessary holes into the firewall to make stuff work. Then you add reviews and/or linting to make sure no one just goes "everything is public to everyone".
This way things are secure by default. No access - no security issues. And you have to make a decision to allow access to something. Given decent developers, this results in a pretty good minimum-privilege setup. And if you fuck up... in this day and age, it's better to hotfix too little access over losing all of your data imo.
SSM for life. Fun fact, one can also register non-AWS assets as SSM targets, so I could imagine a world in which it makes sense to create an AWS account, wire up federated auth, just to dispense with the hoopjumpery of SSH attack surface and Internet exposure
The break-glass is always a consideration, so it's no panacea but I still hope one day the other clouds adopt the SSM protocol same as they did with S3Api
I believe a lot of folks have had good experiences with Wireguard and similar, but thus far I haven't had hand-to-hand combat with it to comment. We use Teleport for its more fine-grained access and auditing, but I've had enough onoz with it to not recommend it in the same way as SSM
Holy shit why is this even a question?? You. Write. Tests.
You build into your testing framework/library a mechanism that will craft sessions across your range of authentication levels - unauthenticated (no session), authenticated but unauthorized, etc. You mandate that new endpoints must have permission tests in code review.
Simple, straightforward, and absolutely the bare minimum of competency for any endpoint returning personal data.
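The replies above converge on the same control from different angles: a decorator that makes every endpoint locked down unless a policy is declared (and flags "public" for extra review), a script that walks every registered endpoint with bad credentials and expects a 4xx, table-driven endpoint registration, and a test harness that crafts sessions across authentication levels. The following is an added example, not code from this thread or from Twilio/Authy, that puts those pieces together in one self-contained Python module. Route paths, user ids, phone numbers and the `Access` policy names are constructed for illustration; the `/user/phone-number-validate` path is the hypothetical one mentioned in the question above and is deliberately registered without a policy to show the default-deny behaviour.

```python
"""Default-deny endpoint registry plus a table-driven authorization audit (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Access(Enum):
    PUBLIC = "public"   # unauthenticated callers allowed; goes into a review queue
    USER = "user"       # any authenticated user
    OWNER = "owner"     # only the authenticated user whose record is targeted
    ADMIN = "admin"     # only sessions with the admin flag


@dataclass
class Session:
    user_id: Optional[str]      # None means no session / unauthenticated
    is_admin: bool = False


@dataclass
class Response:
    status: int
    body: object = None


# Table of endpoints: path -> (handler, declared policy or None).
# Handlers are never exposed directly; dispatch() is the single entry point.
ROUTES: Dict[str, Tuple[Callable, Optional[Access]]] = {}


def route(path: str, access: Optional[Access] = None):
    """Register a handler under a path. No `access` means the endpoint is locked down."""
    def deco(fn):
        ROUTES[path] = (fn, access)
        return fn
    return deco


# Constructed sample data standing in for a user table.
PHONES = {"u1": "+1-555-0100", "u2": "+1-555-0101"}


@route("/health", access=Access.PUBLIC)
def health(session, target):
    return Response(200, "ok")


@route("/user/phone", access=Access.OWNER)
def user_phone(session, target):
    return Response(200, PHONES.get(target))


@route("/admin/users", access=Access.ADMIN)
def admin_users(session, target):
    return Response(200, sorted(PHONES))


@route("/user/phone-number-validate")   # hypothetical endpoint; policy forgotten on purpose
def phone_number_validate(session, target):
    return Response(200, target in PHONES)


def dispatch(path: str, session: Session, target: Optional[str] = None) -> Response:
    """Central gate: every policy check happens here, before any handler runs."""
    if path not in ROUTES:
        return Response(404)
    handler, access = ROUTES[path]
    if access is None:                       # undeclared -> nobody gets in, not even admins
        return Response(403, "endpoint has no access policy")
    if access is Access.PUBLIC:
        return handler(session, target)
    if session.user_id is None:              # everything else needs a session
        return Response(401)
    if access is Access.ADMIN and not session.is_admin:
        return Response(403)
    if access is Access.OWNER and target != session.user_id:
        return Response(403)
    return handler(session, target)


# Sessions across the authentication levels the test harness should exercise.
LEVELS = {
    "anon": Session(None),
    "other_user": Session("u2"),
    "owner": Session("u1"),
    "admin": Session("root", is_admin=True),
}


def audit_endpoints() -> Tuple[Dict[str, Dict[str, int]], List[str]]:
    """Walk every registered route with every session level (target record "u1").

    Returns the status matrix and a list of findings: any non-PUBLIC route that
    serves an anonymous caller, or any OWNER route that serves a different user.
    """
    matrix: Dict[str, Dict[str, int]] = {}
    findings: List[str] = []
    for path, (_, access) in ROUTES.items():
        matrix[path] = {}
        for label, sess in LEVELS.items():
            status = dispatch(path, sess, target="u1").status
            matrix[path][label] = status
            if label == "anon" and access is not Access.PUBLIC and status < 400:
                findings.append(f"{path}: anonymous caller got {status}")
            if label == "other_user" and access is Access.OWNER and status < 400:
                findings.append(f"{path}: other user got {status}")
    return matrix, findings


def review_queue() -> List[str]:
    """Endpoints explicitly declared PUBLIC: the ones that warrant a second look in review."""
    return sorted(p for p, (_, a) in ROUTES.items() if a is Access.PUBLIC)


if __name__ == "__main__":
    grid, problems = audit_endpoints()
    for p, row in grid.items():
        print(f"{p:32} {row}")
    print("findings:", problems or "none", "| needs review:", review_queue())
```

The audit is what a CI job would run after every change: it does not care how a handler was written, only what the central gate returns for each session level, so a forgotten decorator shows up as a row of 403s (the endpoint is simply disabled) rather than as a data leak, and an endpoint that someone marked public shows up in the review queue.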
And then someone forgets to test that one thing for that one endpoint and no one notices ("mandate in code review" is not going to be fool-proof), or lines get crossed and they test the wrong thing.
This kind of arrogance is exactly how these mistakes get made.
It's sad how awful Twilio's engineering has become. I used it super early on and it was amazing, and while they had hiccups, they were never major and they were growing pains.
Today they have incidents almost every week, and now data breaches.
Also having an investor base that demands removing as much equity compensation as possible. (Whilst, IMO, not being aggressive enough to cut executive compensation)
But it's no surprise that when you ask management/executives "who needs to be laid off", the answer is not that many managers/executives...
I do think Kho is the right person for the job though, and Aidan was surprisingly smart too, so my[1] bet is that they'll get there.
His phone provider has a feature to opt into spam filtering, his phone has another, and I downloaded a spam list filtering app for him. I disabled the ringer for numbers not in his contact list. I did similar actions to reduce spam in his text messages.
This was a good triage, but the damage is already done to his psyche. He doesn’t answer the phone anymore.
Social services are another example. Many services are county-administered and thus don't have a centralized online platform. As always our most vulnerable populations suffer the most from techno-greed. Not the families of software engineers who built the system.
I think a whole lot more people still make regular phone calls than the ones who don't. Anyone who runs a business for example is usually on the phone ALL the time.
Is it not this simple? With dual SIMs any phone can serve two lines, so employees officially switch to the hospital eSIM within the hospital premises.
Even if they do want to call, they all have to support deaf people using TTYs, and phones all support RTT (TTY to cell). There's no need to take voice calls from legitimate businesses in the US.
The number in my main phone changes every 90 days.
My phone is out of state due to my previous address, and 95% of spam i get is spoofed to that old town or the surrounding area.
No doctor's office/etc calls me from that area. It works pretty nicely.
It sounds like a lot of work, but when I started doing this about two years ago it took about two weeks for the calls to just... stop. Now I get a spam call maybe once a month. It's glorious.
My theory is this is the only route to get put on the _real_ do-not-call lists - the ones that spam companies in India have labelled "unprofitable numbers.txt". Seems like once you're on those, you're good.
Every minute they're listening to you use them for rubber-duck debugging is a minute they're not scamming Granny out of her 401k. Be prepared to get called bad names in foreign languages. Bonus points if you learn some phrases in their language to really get under their skin.
I started doing this as well.
I mimic the Jolly Roger call service and they usually hang up in less than a minute.
Ex…
- Act like you can’t hear them
- Ask them to restart what they were saying
- Start a conversation with a fictional person in the background
It’s fun and makes getting spam calls enjoyable.
https://jollyrogertelephone.com/
I really don't get that. I don't get these on either of my phones (I've got two numbers). When it rings, it's virtually always friends or family. Sometimes the bank/insurance/doctor. Very exceptionally do I get a commercial or scam call.
I think it's not an argument good enough to excuse Authy here: "my phone already leaked, so what's one more leak!?".
> Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives
Oh I fully agree. I'm using Telegram for chat but zero FaceTime/meet/WhatsApp here. People want to call me, they usually phone me. Once in a rare while Telegram.
I don’t understand what they are calling for either. I’ve answered a few and most of the time it’s a dead line when I answer. Just silence.
Whenever I visit, I switch to my US SIM card and am immediately bombarded with spam texts (mostly from political parties) and scam calls. In my experience, Android is pretty good at marking calls and texts as "potential scams," but they're still there. In the Netherlands, I've gotten a few scam attempts via WhatsApp. Other than that, I think I've received one phone call soliciting donations to the Red Cross, and nothing else.
Personally, the only “spam” I get is flagged by the cellular provider and 99% of the time the calls are silenced. Not really an issue for me. The only people that “call” me are in my contacts list anyways. Everyone else can leave a VM or text message.
Luckily at the moment, there's still a delay after you answer the call as (I assume) you're being connected to a human. How long will this last....?
Currently, when I don't hear a voice within 1s or so, I hang up. A legitimate caller will (hopefully) call back pretty quick.
They target the US, and to some extent the UK, Gulf countries like UAE where English is the de facto language.
Yes, and this is the slope that we keep sliding down with these data breaches not being taken seriously. First it was your name and email. Now phone numbers. What's the next bit of our private info that we'll normalize leaking?
This is why I have my own mail server and domain. Full control over mail, and access to features that you pay for (ie, unlimited e-mail aliases, control over mailbox size). No more worrying about “google decided to shut your free account down for whatever reason.” Bye bye decades of emails and loss of access to services that use email-based OTP or magic-link login.
I wind up using the phone because so many organizations malevolently misfeature their websites - doing what you want to (pay a basic bill or whatever) is hard, but upselling and new features, those you can do instantly.
Doing it the opposite way - tying all outbound school/camp calls to a single callerID - risks blending the important with the automated reminders. LAUSD abuses their automated calling system to the extent that my wife and I have both screened calls from the front office involving an injured child, more than once.
The real issue here is getting to the root cause, which is carriers and their intermediary aggregators having incentives to carry large volumes of spam.
In a number of markets, operators have increased the cost of SMS messages to deter spam, only to find a massive increase in traffic pumping fraud that mysteriously appears in the system of trusted intermediaries. Everyone's making a goddamn fortune off it, and no one actually cares to fix it.
Doctors, dentists, moving companies, home improvement contractors, recruiters, etc. These are some of the most important phone calls I've received in recent memory.
I don't know what world you live in, but I religiously block phone numbers after just one spam call. And I usually don't give out my phone number. (I'm much happier giving out email addresses since I have an infinite supply of addresses.) I never get enough spam calls that I feel like the phone system is going the way of the fax machine.
I used to get a couple of cold calls per year for surveys, but I got unlisted via GDPR requests and now it's down to zero.
Companies do try collecting your phone number, but then I answer NO to the obligatory "do you want the latest offers" question (in the EU, this is opt-in not opt-out). And it doesn't matter if my phone number leaks.
This is similar to my email address use. I used to get emails from recruiters, but after a couple of replies informing them that whatever profile they have is illegal, with my email address not being public, asking them to delete it, the emails stopped. I still get spam, but it's mostly fraud and US companies. Fastmail's spam filters are good enough, BTW.
My phone number works just fine, and the phone network is valuable given the better signal 2G can have, or the fact that not everyone is on the app du jour. And I find it odd when people call me on WhatsApp.
I frequently see US folks criticising GDPR, so I'm guessing this is one of those "the US mind can't comprehend" moments.
Given that you're European, do you not have any friends/family outside your country, in neighboring EU countries? Wouldn't they have to pay high per-minute rates to call you?
Giving your phone number out to all these services also means that it can be used as a single identifier to track you and your behavior across all those services.
I'm not sure that GDPR is helping us a lot there.
While I do get a few regular phone calls a week, they're all in my contacts and I don't answer if the number isn't... at least 2/3 of the time if I decide to answer as I'm expecting an out-of-band call, it's spam. On the flip side, I am wanting to set up "your code is XXXXXX" as a verification on a personal website I'm working on to allow for public users. I know it doesn't add too much, but it's enough to reduce the noise. I'm not even sure what more hoops I need to jump through with Twilio to get to send said messages. I'm not a company, and not sending any kind of marketing campaign.
Spam callers are likely the most lucrative customer of the telephone network for the telephone companies.
I don't see how that could be correct. Once you pay your monthly fee, the fewer minutes you tie up the company's resources the better for them. That's true too for pay-ahead plans.
This is very valuable data to have, not only for advertisers, but also criminals and other bad actors.
Also, the fact that nobody ever questions the authenticity of leaked data should be VERY alarming. Imagine what power someone can hold over someone with manipulated leak data.
I would rather not have my own life intertwined with either of them but undoubtedly it already is to some degree.
I still don't recommend doing that; just toss those that demand your phone number away. Get a business phone if your work demands it.
Which will definitely end up in some data breach at some point.
Yes, I'm exaggerating. No, it's not by much.
> Why does Authy require I provide my cell phone number and email address? Why do I have to have a user account? This is completely ridiculous. I do not need nor want cloud syncing or backup. You are making Authy a potential target for attacks by associating a user to cloud stored 2FA information.
> This is not in the spirit of 2FA.
https://news.ycombinator.com/item?id=9100560
https://1password.community/discussion/116314/sendgrid-requi...
(I know the irony of this in particular being Authy, but nevertheless phone numbers should NOT be risked to be exposed anyhow)
Unluckily sooo many give zero or negative fáck about their potential and existing customers. This includes businesses providing medical services sending all the client's data and medical results in clear-text email, and even declaring for their own convenience that "The property and copyright or other intellectual property rights in the contents of any document or images provided to you shall remain our property", for your ultrasound results. Your medical results are their property for those who use their services. So they do as they please with their data, not your data; not your concern if it is protected or not. And people go there and rate this service 4.8 on Google, insane. Of course no-one really reads the TOC, not even for sensitive medical services. People do not learn.
My recollection is that someone reversed their algorithm and they used almost TOTP which hurts me even more because that implies that they knew about the standard and still chose violence
There's this small web portal in Poland that has for years provided a simple free email service (and an instant messenger with the same login) with occasional "messages from our sponsors" in your inbox - you had to tick your "interests" during registration. In time banners started to appear, and that was still fine because the Web was still a pretty innocent place and tracking was years ahead of us. At some point the inbox was getting flooded with spam, either the kind you had to have or from outside the service, because the domain was popular and addresses were probably scraped from the associated instant messenger. Then banners started to be aware of inbox content and sponsored messages included tracking - milking your habits and activity became a thing.
Fast forward to some 10 years ago: the service offers a premium plan where you can turn off the banners around the inbox, the permanent banners that pretend to be emails at the top of the list. Of course paying turns off only these banners and sponsored messages; every other spam will pile up. There's a built-in filtering option, but since people started using it to get rid of these mandatory messages, it stopped working at all, and any filter entry is a dummy one. At this point it's more an ads and spam gallery with an optional email service. The instant messenger was killed off in 2016 as people preferred global networks, and so were the small but popular discussion forums.
Around the same time the portal was bought by what for years was a bigger competitor (not the only one, ofc). The idea that both portals should use a single login appeared. So people saw messages at login saying that you should transfer your account to this unified platform because it's more secure and there are some "benefits". Later, a dark-pattern message was displayed saying that the unified login service will be the only way to use all services, including email. And this unified login comes with the company's own 2FA mobile app, which you can't replace with a generic generator of any kind. Aaand in the end, nothing really happened. The dark-pattern messages disappeared and you can still log into the email with the same plain password you used for years. The 2FA suddenly became optional but "recommended". People complaining in App Store reviews about login issues and the fact that no generic generator works are told to talk with support, where apparently something can be arranged.
My hot guess is that the company believed that domestic service popularity combined with a mandatory 2FA app that collects a lot of additional unnecessary information would provide a steady source of money for this service. People accustomed for years to an attractive short local domain won't force themselves to move elsewhere. But that didn't work as planned and honestly, I don't know how they managed to survive till today.
I did create a few addresses there, but over the years I managed to move elsewhere; what was once cool, fast and plausible became obnoxious to use.
If you remember poczta o2 you surely remember the tlen emoticon: [10ton] - that's the best way to sum up what happened to this portal and service.
It took them two years to fix it.
Isn’t it what you are describing?
Definitely some similarities though, I’d love to see some concrete technical information on it.
I’m trying see if the issue is some unanticipated issue with the iOS client app itself, or if it is only affecting people who created online accounts with Authy to sync their 2FA credentials across devices.
Entering your phone number was mandatory. This was what turned me away [1] from Authy to Duo Mobile on my Apple devices.
https://news.ycombinator.com/item?id=33244324
When companies integrate Authy into their system, they can use it for SMS OTP (also deliverable by phone call + TTS iirc) as well as regular TOTP, Authy's proprietary TOTP, and others.
Your phone number would only be at risk if you used a service which used Authy for SMS 2FA
You probably gave them your phone number at some point if you've got Authy on multiple devices.
/Edit: just checked on a clean install. It prompts for a phone number instantly and won't let you scan codes without creating an account. Not sure when that happened, as I haven't really used it in years.
https://news.ycombinator.com/item?id=20936222
https://authy.com/guides/cloudflare/
How do I avoid such problems in my own app? Force authentication for all requests with row-level security? Rate limiting?
Any testing frameworks that would catch this? Something like "given endpoint /user/phone-number-validate make sure only <user> can access it".
If an endpoint is decorated with something that is considered dangerous (i.e. public access), that triggers additional review steps. In addition, the authentication forbids certain combinations of decorators and access patterns.
It's not perfect, but it has saved us a few times from securing endpoints incorrectly in code.
> that triggers additional review steps
Is this done by some sort of a linter running in CI?
1. Build a single endpoint handler that handles auth, then looks up the endpoint on the path.
2. Never create direct endpoints, just register endpoints in the system that the auth endpoint works under.
You know table driven tests?
Use table driven endpoints. It works and makes things so much simpler and secure.
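As an added example (not code from this thread, and not how any particular framework does it), here is the table-driven shape in Python: one `dispatch` function does authn and authz and then looks the path up in a route table, so a handler without a table row (and therefore without a declared permission) is unreachable; a small `lint_routes` check over the same table forbids the dangerous combination of "public" plus personal data, which is the kind of decorator-combination rule mentioned a few comments up. The route table, permission vocabulary and lint rule are hypothetical.

```python
# Added example, not code from the thread: one entry point does authn and
# authz and then dispatches by looking the path up in a table. Handlers
# are never wired up directly, so an endpoint without a table row (and
# thus without a declared permission) is simply unreachable. The route
# table, permission vocabulary and lint rule are hypothetical.
from dataclasses import dataclass
from typing import Callable, Optional

PUBLIC = "public"   # must be written out explicitly; there is no default


@dataclass(frozen=True)
class Route:
    handler: Callable
    permission: str          # PUBLIC, "self" or "admin"
    returns_pii: bool = False


@dataclass(frozen=True)
class Session:
    user_id: Optional[int]   # None = no session
    roles: frozenset = frozenset()


def healthz(session, target_user):
    return 200, "ok"


def show_profile(session, target_user):
    return 200, {"user": target_user}


def admin_dump(session, target_user):
    return 200, {"users": "..."}


# The only place endpoints exist. Reviewed as data, one row per endpoint.
ROUTES = {
    "/healthz": Route(healthz, PUBLIC),
    "/user/profile": Route(show_profile, "self", returns_pii=True),
    "/admin/dump": Route(admin_dump, "admin", returns_pii=True),
}


def authorize(session, route, target_user):
    if route.permission == PUBLIC:
        return True
    if session.user_id is None:
        return False
    if route.permission == "self":
        return session.user_id == target_user or "admin" in session.roles
    return route.permission in session.roles


def dispatch(path, session, target_user=None, routes=ROUTES):
    """The single handler: 404 unknown, 401 no session, 403 denied,
    otherwise the table's handler runs with an authorized session."""
    route = routes.get(path)
    if route is None:
        return 404, None
    if route.permission != PUBLIC and session.user_id is None:
        return 401, None
    if not authorize(session, route, target_user):
        return 403, None
    return route.handler(session, target_user)


def lint_routes(routes=ROUTES):
    """CI check over the table: forbid PUBLIC on anything returning
    personal data, and any permission outside the known vocabulary."""
    known = {PUBLIC, "self", "admin"}
    problems = []
    for path, r in routes.items():
        if r.permission == PUBLIC and r.returns_pii:
            problems.append(f"{path}: public endpoint returns personal data")
        if r.permission not in known:
            problems.append(f"{path}: unknown permission {r.permission!r}")
    return problems
```

The point of the table is that the review question becomes "is this row right?" rather than "did every handler remember to call the guard?": `dispatch("/user/profile", Session(None), 1)` is 401, `dispatch("/user/profile", Session(2), 1)` is 403, and `lint_routes()` fails the build the moment someone adds a public row that returns personal data.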
So like, an authn/authz middleware ?
But the last 2-3 times I set up a config management, I made sure to configure the local firewalls as deny-all by default, except for some necessities, like SSH access. And then you provide some convenient way to poke the necessary holes into the firewall to make stuff work. Then you add reviews and/or linting to make sure no one just goes "everything is public to everyone".
This way things are secure by default. No access - no security issues. And you have to make a decision to allow access to something. Given decent developers, this results in a pretty good minimum-privilege setup. And if you fuck up... in this day and age, it's better to hotfix too little access over losing all of your data imo.
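As an added example (not code from this thread or from any config-management tool), here is the deny-all-plus-holes idea in Python: a small allowlist of "holes" is linted so that the "everything is public to everyone" rule cannot be committed, and the same allowlist is rendered into an nftables input chain whose policy is drop. The `Hole` format, the `INTERNET_OK` port set and the lint policy are hypothetical.

```python
# Added example, not code from the thread: render a deny-all-by-default
# nftables input chain from a small allowlist of "holes", and lint that
# allowlist so the "everything is public to everyone" rule cannot get in.
# The Hole format, INTERNET_OK set and the lint policy are hypothetical.
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Hole:
    comment: str
    proto: str                # "tcp" or "udp"
    port: Optional[int]       # None = every port of that protocol
    src: str = ANY            # source CIDR; default is the whole Internet


# Ports that may face the Internet without a source restriction.
INTERNET_OK = {80, 443}

HOLES = [
    Hole("ssh from the admin network only", "tcp", 22, "10.0.0.0/8"),
    Hole("public https", "tcp", 443),
]


def lint_holes(holes):
    """Return a list of violations; an empty list means the allowlist passes."""
    problems = []
    for h in holes:
        if h.proto not in ("tcp", "udp"):
            problems.append(f"{h.comment}: unknown protocol {h.proto!r}")
        if h.src == ANY and h.port is None:
            problems.append(f"{h.comment}: all ports open to everyone")
        elif h.src == ANY and h.port not in INTERNET_OK:
            problems.append(f"{h.comment}: port {h.port} exposed to the Internet")
    return problems


def render_nft(holes):
    """Emit an nftables ruleset: policy drop, then one accept per hole.
    Refuses to render an allowlist that fails the lint."""
    problems = lint_holes(holes)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for h in holes:
        src = "" if h.src == ANY else f"ip saddr {h.src} "
        svc = (f"meta l4proto {h.proto} " if h.port is None
               else f"{h.proto} dport {h.port} ")
        lines.append(f'    {src}{svc}accept comment "{h.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

With this, SSH is only ever reachable from the admin network because the row says so, a hole like `Hole("db", "tcp", 5432)` with the default source is rejected as "exposed to the Internet", and an all-ports-to-everyone row never makes it into the rendered ruleset at all.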
1. Everyone tests authenticated user can do the right thing.
2. Can <wrong|expired> authenticated user access the data?
3. Can an unauthenticated user access data?
If there’s a testing framework that does this scaffolding automatically, I’d love to hear it.
[1]: I'm long twilio btw.