Cell Phone Providers Face GDPR

British celebrity food writer Jack Monroe had her cell phone number hijacked and, after that, the hackers were able to receive her two-factor authentication codes and access her bank and payment accounts.

She was already doing more than a lot of people do security-wise – she was using two-factor authentication. BUT, her two-factor authentication method was for the bank to send her a text message.

The attack is called SIM Jacking and it works like this. The attacker calls the cell company and convinces an employee that the attacker is the phone owner. Then the attacker says that he or she bought a new phone and needs the victim’s number moved to it. The cell phone company employee asks a couple of simple security questions; the hacker answers them using either publicly available information sources or data from previous breaches, and poof, the hacker now owns the victim’s phone number.

Alternatively, as we recently saw with AT&T, the attacker can just pay off the employees to knowingly break the law and move the number to a phone controlled by the hacker.

In Jack’s case, once this was done, the hacker could now ask the bank to do a password reset and since the attacker now owns Jack’s phone number, the attacker gets the two factor code and the bank gives the attacker access to Jack’s bank account.

In Jack’s case, that cost her 5,000 British Pounds.

The phone company has given her back her phone number, but the bank says that it will take a while to get her money back. I’m not sure what they think she should do in the meantime.

In terms of recommendations, if you can use a two-factor authenticator app on your phone such as Microsoft Authenticator, Google Authenticator, Facebook authenticator or Authy instead of a text message, that will defeat this attack because the code is not dependent on your phone number.

If you are not using any two factor authentication on your online banking and other financial services accounts, turn that on now.

And, if you have not registered for online accounts for your banking or brokerage accounts because you think it is too risky, it is more risky not to do it: then there is nothing to stop a hacker from registering for an online account in your name.

The more interesting part is this. Some folks in England are slightly upset and are suggesting that the Information Commissioner’s Office needs to investigate whether the phone companies violated GDPR by not protecting consumers’ information. Assuming the ICO does investigate and it does not like what it finds, it can fine the phone provider up to 4% of their annual global revenue. While these investigations take time, it would definitely be interesting.

The only reason these SIM Jacking attacks work is that the phone companies do not want to make things difficult for customers by making the security effective. When I forgot my Sprint login, I had to go into a Sprint store and show them a government-issued ID. While this is not perfect, it is probably harder and riskier than most hackers want to deal with. But also less convenient.

It might also be inconvenient to be fined a few hundred million dollars, as Marriott and British Airways recently learned when the same British ICO fined them for violating GDPR, and in their case it wasn’t even willful as it is here. This may be the only way to get carriers to get serious about security.

But stay tuned; this is far from over. Source: BBC
