Can Sonic phone numbers be stolen easily?

Posted: Fri Jun 02, 2017 10:13 pm
by mazieres
Recently I've been alarmed by several cases in which attackers impersonated someone, claimed to Verizon or T-Mobile that they lost their phone, and then got a new SIM card with the victim's phone number. Once attackers steal a phone number, it is apparently easy to initiate password recovery at many sites and steal money, either by initiating payments or redirecting direct-deposit payments. Here's an egregious example where someone lost Bitcoin because of a stolen Verizon number: https://medium.com/@CodyBrown/how-to-lo ... 75fb8d0bac

Now that I know my cell numbers are worthless for security, I'm thinking of relying on my home number, but I don't know if it's any better. Sadly, a number of sites exclusively offer SMS/voice calls as 2FA. Does Sonic do anything to protect customers' phone numbers from fraudulent porting activity? Or is there anything I can do to increase the security of my Sonic phone number?

On a related note, any hope of getting a Google Authenticator/TOTP option to protect our member profiles?

Re: Can Sonic phone numbers be stolen easily?

Posted: Fri Jun 02, 2017 10:26 pm
by danielg4
You can't seriously compare number porting to issuing a new SIM...

Re: Can Sonic phone numbers be stolen easily?

Posted: Sat Jun 03, 2017 10:24 am
by mazieres
danielg4 wrote:You can't seriously compare number porting to issuing a new SIM...
That's exactly what I'm asking someone to do. Is stealing a phone number by porting it significantly harder than getting a new SIM issued, and if so what are the safeguards so I can assess the risk?

One issue is that people may know when I'm out of town, so calling me on my landline to warn me that I'm about to lose my number may not be helpful. The member tools also do not seem to be particularly secure (no 2FA, don't know if old email address gets a warning if someone forwards to new email address). Often number porting just requires giving an account number to the new provider, and in Sonic's case the account numbers are pretty easy to find. In short, I'm inclined to think number porting is a big vulnerability, but would be glad to hear something to the contrary from someone at Sonic.

Re: Can Sonic phone numbers be stolen easily?

Posted: Sat Jun 03, 2017 11:18 am
by amayfield
To initiate a number port out from Sonic you need to provide three bits of data: The phone number, the full name of the person who owns the number (in this case you) and the address we have associated with the phone number (your address). Sonic does not have account numbers.

Regarding TOTP - we do have that available. You can set it up (and utilize Google Authenticator for your code generator) in Member Tools. You'll want to log in and then navigate to Account -> Member Information.

Re: Can Sonic phone numbers be stolen easily?

Posted: Sat Jun 03, 2017 1:59 pm
by mazieres
amayfield wrote:To initiate a number port out from Sonic you need to provide three bits of data: The phone number, the full name of the person who owns the number (in this case you) and the address we have associated with the phone number (your address). Sonic does not have account numbers.

Regarding TOTP - we do have that available. You can set it up (and utilize Google Authenticator for your code generator) in Member Tools. You'll want to log in and then navigate to Account -> Member Information.
Sadly, all the information required to port my number from Sonic is easily accessible to anyone who knows my name using sites like nuwber.com. They don't even need to know my phone number and address, which are a matter of public record. I wish there were some way to block an unauthorized number port, but it sounds like fraudulently porting a Sonic number is even easier than a SIM swap scam.

Thanks for the TOTP link, though. I was looking for this under password, when it was actually under Member Information.

Re: Can Sonic phone numbers be stolen easily?

Posted: Sun Jun 04, 2017 12:17 am
by virtualmike
amayfield wrote:To initiate a number port out from Sonic ...
Does Sonic verify the port request with the member or account notes?
amayfield wrote:Regarding TOTP - we do have that available. ... You'll want to log in and then navigate to Account -> Member Information.
Once enabled, do all logins/authentications require the second factor? Or just web-based? (As opposed to IMAP/POP3/SMTP, OpenVPN, etc.)

Re: Can Sonic phone numbers be stolen easily?

Posted: Tue Jun 06, 2017 9:36 am
by miken
virtualmike wrote:Does Sonic verify the port request with the member or account notes?
We verify the information with the user over the phone.
virtualmike wrote:Once enabled, do all logins/authentications require the second factor? Or just web-based? (As opposed to IMAP/POP3/SMTP, OpenVPN, etc.)
This only applies to Member Tools.

Re: Can Sonic phone numbers be stolen easily?

Posted: Tue Jun 06, 2017 10:37 pm
by virtualmike
It sure sounds to me like Sonic is taking precautions to avoid fraudulent ports!

Thanks for the tip on Member Tools. I'm off to add TOTP to my account.