Tag Archives: SIM Swap

Is $100 Million Enough of a Reason to Improve Security?

SIM swap attacks is a hacking technique where hackers socially engineer cell phone providers to steal a victim’s phone number. That means that hackers get the victim’s text messages and phone calls.

While two factor authentication is not used by the majority of people, when it is used, the most common form of two factor is text messages. That means that if a hacker can hijack your phone number, he or she will get those text messages and, in combination with a stolen password, can compromise your your bank account.

In this case, law enforcement in England, Scotland, Malta and Belgium, assisted by Europol, The US, and Canada, arrested ten kids (ages 18 to 26) for hijacking US celebrities phones in order to compromise their Bitcoin accounts.

Celebrities often have bad security because, well, they are celebrities and they don’t have to ….

Of course, now that their net worth is $100,000,000 lighter they might want to reconsider that theory.

For you and me, $100 is about my limit; maybe less.

There plenty of alternatives to text messaging for your second factor from the fancy end with RSA hardware tokens, to the plain version of software tokens. With any of them, unless the hacker physically steals your phone while it is unlocked, any of these alternatives are better than text messages.

Now the next thing is to get providers to stop allowing you to do a password reset by sending you an email or a text message for the same reason.

Security or convenience, pick one. Credit: The Record

Stealing Your Phone NUMBER is Profitable

Hackers have figured out that stealing people’s phone numbers is easier and more profitable than stealing their phone (in part because they don’t have to be anywhere near you or your phone in order to steal the number).

Recently I wrote about a bitcoin investor (AKA speculator) who is suing AT&T for $240 million because the let someone steal his cell phone number.  Once he did that, he was able to reset the password for his bitcoin wallet and sell $23 million of his Bitcoin.

While this is a major international issue, authorities in California have arrested a 19 year old who was stealing phone numbers to empty people’s bank accounts and other fun stuff.

This is the third reported arrest this month, which while good, won’t even make a tiny dent in the problem.

This guy is charged with stealing over $1 million in virtual currency and using it to purchase luxury items like a McLaren for $200,000.

So what can you do?

Most people discover the problem when their phone loses service.  Note that if you are connected to WiFi, that will continue to work even if you phone number is ported, but you won’t be able to make or receive calls or send or receive texts.  Anything that works with data like Whatsapp or Signal or web browsing will continue to work after your number is stolen.  If that happens, contact your carrier immediately.

Assuming your carrier allows for this, set up a password on your account.  The password should be required if a hacker tries to steal your number.  In the case of the guy that is suing AT&T they didn’t ask the hacker for it – that dramatically weakens the phone company’s defense.

In the AT&T case, they are saying that they are not required to follow their own procedures.  I suspect that a jury is not likely to agree with that theory when a customer is damaged as a result.

If you have a high risk account like a bank account, brokerage account or Bitcoin account, you need to protect that account with two factor authentication and DO NOT use text messages as the second factor because if someone steals your phone NUMBER they will be getting those text messages, not you.  Use one of the many authenticator apps like Google Authenticator or Microsoft Authenticator.  In that case, someone would need to steal the physical phone and hack the screen lock to empty your bank account.  That would be much harder.

If you can get a high risk provider to disable to easy for hackers to use password reset function (just click here and we will send you a text, then you can reset your password – simple for you but also simple for a hacker) – then do that too.

Many times the providers call center or store people are not very well trained on security, so you may have to be persistent, but remember, it is your money that you are protecting.

Information for this post came from Krebs on Security .