There is a great piece on ZDNet today about a writer whose phone number was stolen (not the phone, the number) using a SIM swap attack. In this case, the phone company was T-Mobile and all the hacker had to do was call them, give them a bit of the victim’s information (like secret stuff such as the last 4 of your Social) and T-Mobile was happy to give the hacker this writer’s phone number. T-Mobile doesn’t want you to be angry with them so they are willing to sacrifice your security and privacy instead.
Once the hacker had the number, he or she was able to reset the writer’s Twitter and Google passwords. The writer had set up two-factor authentication to be more secure, but once the phone number moved to the hacker’s phone, the text message he was using for the second factor went to the hacker’s new phone.
TIP: Use authenticator apps like Google or Facebook Authenticator instead of text messages because then stealing your phone number won’t give the bad guys the second factor information.
T-Mobile put a message on the writer’s phone saying the phone number had been transferred and to call 611 if he didn’t do it, but since the phone had no service, that wasn’t possible. Smart thinking, T-Mobile.
The writer was able to call T-Mobile from another phone on the account and get the phone number restored, but that didn’t get his online accounts recovered.
TIP: Time is of the essence. The sooner you detect the problem and the sooner you get your carrier involved in fixing it, the less damage the bad guy can do.
Now the writer had to go through the brain-damaging process of recovering access to his accounts. He used Twitter for work (that’s a problem in itself) and had about 10,000 followers. The hacker whittled that down to about 3,000. He also had years of history about stories there, along with collaboration with sources and other writers.
He did get his accounts back eventually, but there was a lot of damage done. For example, all of the labels on his Gmail messages are gone, so he has to reconstruct all of that. Among other issues.
Oh, yeah, Twitter would only talk to his registered Gmail email and since that was hijacked, he could not get them to do anything until he got Google to restore his access to his account.
The hacker compromised his Google Fi account and since he didn’t yet have access to his Gmail, they wouldn’t talk to him. That account and all the data in it, he thinks, may be lost forever.
TIP: Read the rest of his article for more suggestions on protecting yourself.
So if you are a person who uses online accounts and stores “important” stuff there, consider this. There is no guarantee that you will be able to get to your online account tomorrow or retrieve any of the data that is there. If that is a concern, you need to take action.
Almost all services offer a way to back up your data. It is not the cloud provider’s responsibility to protect your data unless it says so in writing in your agreement.
TIP: Read your agreement with your provider and see what it is liable for. Also see what damages you can collect. Often the damages are meaningless (like they will refund your payments made in the last 12 months – for a free service).
TIP: Google, one service a lot of people use, has a free service called TAKEOUT. It has nothing to do with home delivery of Asian food. It is available at Takeout.google.com. Takeout allows you to select which of the hundreds of Google services you want to download your data from and it will give you different options for each service. This is great for Google users. Each service is different.
TIP: Set yourself a reminder to back up any critical personal online data as frequently as is important to you. For example, if you only back up your data monthly, then you may lose a month’s worth of email, photos or whatever. Back up at least as frequently as the amount of data you are willing to lose.
TIP: If you download your data, back it up. I suggest keeping multiple copies of the data and storing them securely. Flash drives are VERY cheap. And fail occasionally, hence the reason for multiple copies. Put it in a safe deposit box; give it to your kid who lives in another city. Whatever, but it does you no good if you can’t get to it.