Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
Interesting Hack
Old 05-04-2019, 06:51 AM   #1
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 5,639
Interesting Hack

Yesterday, DW was unable to make any calls on her cell phone. A "No SIM card" error message was showing at the top of the screen. I, first, rebooted the phone... no joy. I, then, removed the card and put it back in and rebooted. Still no change. So I said this needs to be handled by AT&T. So we went to what we thought was the local AT&T store. (See below) Anyway, they were not qualified (or approved?) to resolve the issue. They sent us to a "Corporate" AT&T location.

What had happened was someone had added a new line to our account with a new iPhone -- switching the DW's CIM card to the new line. After an hour of an impressive amount of security checks to prove our identities, they agreed to remove this transaction.

When I got home, I had received an eMail from AT&T while we were gone. This eMail thanked us for our purchase and our new bill would change from $184 a month (3-lines & DirecTV NOW) to $424.

I, of course, checked this morning and my account has been restored to the original billing amount.

Anyway, no one at AT&T could explain how that was done. Someone was able to by-pass all of the security checks (and again, it was impressive) and make the changes to our account.

Pseudo AT&T stores: We had gone to this AT&T outlet for many years and didn't know that it was only an "authorized" dealer called Connect. They did have a small sign on the door with that name but the AT&T signs were much bigger and, of course, the Façade only showed AT&T. There is, of course, nothing wrong with that -- since it was invisible to us in the past -- but it was quite inconvenient to go 15 mile out of our way during rush hour traffic when a problem occurred.
__________________

__________________
"It's tough to make predictions, especially when it involves the future." ~Attributed to many
"In theory, there is no difference between theory and practice. But, in practice, there is." ~(perhaps by) Yogi Berra
"Those who have knowledge, don't predict. Those who predict, don't have knowledge."~ Lau tzu
RonBoyd is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 05-04-2019, 06:55 AM   #2
Moderator Emeritus
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 13,200
Here is how it's done:
SIM Hijacking Explained

And here is something you can do to help prevent it:
How to add a PIN to your smartphone account to prevent SIM hijacking
__________________

__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 05-04-2019, 07:08 AM   #3
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 5,639
Quote:
Originally Posted by braumeister View Post
Here is how it's done:
SIM Hijacking Explained
Thank you. Quite informative.

Quote:
Originally Posted by braumeister View Post
And here is something you can do to help prevent it:
How to add a PIN to your smartphone account to prevent SIM hijacking
AT&T requires a PIN number in addition to a password. I tell you the security checks were impressive even including scanning the bar code on our driver's licenses. I am told this procedure is required of all AT&T personnel before any changes to an account can be made. (I do know that neither store could access our account without that information. They could get to the billing data without that security, however.)
__________________
"It's tough to make predictions, especially when it involves the future." ~Attributed to many
"In theory, there is no difference between theory and practice. But, in practice, there is." ~(perhaps by) Yogi Berra
"Those who have knowledge, don't predict. Those who predict, don't have knowledge."~ Lau tzu
RonBoyd is offline   Reply With Quote
Old 05-04-2019, 08:00 AM   #4
Thinks s/he gets paid by the post
 
Join Date: Jun 2017
Location: Western NC
Posts: 1,391
Quote:
Originally Posted by RonBoyd View Post
Thank you. Quite informative.

AT&T requires a PIN number in addition to a password. I tell you the security checks were impressive even including scanning the bar code on our driver's licenses. I am told this procedure is required of all AT&T personnel before any changes to an account can be made. (I do know that neither store could access our account without that information. They could get to the billing data without that security, however.)
Could it be someone opened a new line for a customer in another store transposed/mis-typed digits and so mistakenly added that new line to your account?
ncbill is offline   Reply With Quote
Old 05-04-2019, 08:41 AM   #5
Full time employment: Posting here.
bjorn2bwild's Avatar
 
Join Date: Mar 2013
Location: Western US
Posts: 890
I read an account where the SIM hijackers used a complicit inside contact, usually overseas.

This made the second layer pin security useless as well.


OK, I found it ----


https://www.nbcsandiego.com/news/nat...509097961.html
bjorn2bwild is offline   Reply With Quote
Old 05-04-2019, 10:03 AM   #6
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 5,639
Quote:
Originally Posted by bjorn2bwild View Post
I read an account where the SIM hijackers used a complicit inside contact, usually overseas.

This made the second layer pin security useless as well.

OK, I found it ----

https://www.nbcsandiego.com/news/nat...509097961.html
Wow! That is certainly scary. There is no real defense for the individual.

I will have to say that AT&T is, at least, trying. They, for example, sent me a follow-up eMail stating that in order to change the Passcode (PIN Number) that we set up (changed actually) during the process can only be changed with the assistance of an AT& Employee.

Furthermore, at the AT&T store, once we got the AT&T Fraud department on the phone, they would only talk to the in-store employee after a serious questioning. They asked him a lengthy series of questions starting with his Employee ID number and several other questions that I suspect included at least one code-of-the-day word -- perhaps both a color and a number. Well, there were answers that didn't make sense to me listening to only his side of the conversation. (This also explains why he was not that initially eager to help. Once we started the process, however, he went full in.)

What could I do personally to prevent this type of hacking? Very scary indeed.
__________________
"It's tough to make predictions, especially when it involves the future." ~Attributed to many
"In theory, there is no difference between theory and practice. But, in practice, there is." ~(perhaps by) Yogi Berra
"Those who have knowledge, don't predict. Those who predict, don't have knowledge."~ Lau tzu
RonBoyd is offline   Reply With Quote
Old 05-04-2019, 10:31 AM   #7
Full time employment: Posting here.
bjorn2bwild's Avatar
 
Join Date: Mar 2013
Location: Western US
Posts: 890
Quote:
Originally Posted by RonBoyd View Post
What could I do personally to prevent this type of hacking? Very scary indeed.

With the insider hack, I don't think there is anything the individual can do to prevent it. It's up to the carriers.
I use email for 2FA when possible.
bjorn2bwild is offline   Reply With Quote
Old 05-04-2019, 11:37 AM   #8
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 5,639
Quote:
Originally Posted by bjorn2bwild View Post
With the insider hack, I don't think there is anything the individual can do to prevent it. It's up to the carriers.
I use email for 2FA when possible.
Most of my important accounts, if not all, already require Multi-factor Authorization and I (up to now <chuckle>) have felt pretty comfortable in that.

In any event, AT&T goes way beyond that in requiring speaking with a live person while make any changes to ones data.

My comfort level has gone down considerably.
__________________
"It's tough to make predictions, especially when it involves the future." ~Attributed to many
"In theory, there is no difference between theory and practice. But, in practice, there is." ~(perhaps by) Yogi Berra
"Those who have knowledge, don't predict. Those who predict, don't have knowledge."~ Lau tzu
RonBoyd is offline   Reply With Quote
Old 05-04-2019, 05:25 PM   #9
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 22,533
Quote:
Originally Posted by RonBoyd View Post
Yesterday, DW was unable to make any calls on her cell phone. A "No SIM card" error message was showing at the top of the screen. I, first, rebooted the phone... no joy. I, then, removed the card and put it back in and rebooted. Still no change. So I said this needs to be handled by AT&T. So we went to what we thought was the local AT&T store. (See below) Anyway, they were not qualified (or approved?) to resolve the issue. They sent us to a "Corporate" AT&T location.

What had happened was someone had added a new line to our account with a new iPhone -- switching the DW's CIM card to the new line. After an hour of an impressive amount of security checks to prove our identities, they agreed to remove this transaction.

When I got home, I had received an eMail from AT&T while we were gone. This eMail thanked us for our purchase and our new bill would change from $184 a month (3-lines & DirecTV NOW) to $424.

I, of course, checked this morning and my account has been restored to the original billing amount.

Anyway, no one at AT&T could explain how that was done. Someone was able to by-pass all of the security checks (and again, it was impressive) and make the changes to our account.

Pseudo AT&T stores: We had gone to this AT&T outlet for many years and didn't know that it was only an "authorized" dealer called Connect. They did have a small sign on the door with that name but the AT&T signs were much bigger and, of course, the Façade only showed AT&T. There is, of course, nothing wrong with that -- since it was invisible to us in the past -- but it was quite inconvenient to go 15 mile out of our way during rush hour traffic when a problem occurred.
Certainly if I got that error I would immediately think that someone had fraudulently swiped my number onto a new phone.

DH had a problem with his phone intermittently complaining about the SIM not being activated and not seeing a signal. He called in and they walked him through some kind of communications reset. Phone was fixed. I was worried he’d had his number stolen but the problem was intermittent.
__________________
Retired since summer 1999.
audreyh1 is offline   Reply With Quote
Old 05-05-2019, 05:45 AM   #10
Full time employment: Posting here.
 
Join Date: Mar 2012
Posts: 952
Thanks - interesting info. We're with MetroPCS (now part of T-Mobile), and as part of original account activation we were required to create a PIN.
njhowie is online now   Reply With Quote
Old 05-05-2019, 06:17 AM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 5,639
Here is another article:

https://www.consumerreports.org/digi...uthentication/ (may be behind a pay wall)

Quote:
With this method, your smartphone acts as a security key.

If you choose to use a mobile app, such as Google Authenticator, you must scan a QR code presented by the site you wish to visit into the app. Once you do that, the app will continually generate the numerical codes required for log-in.

You also have the option to print out an image of the QR code for safekeeping. If you lose your phone, you just scan the code into a new one.

Google Authenticator is available for Android and iOS phones, but you need to have a Google account to set it up. And you have to sign up for Google 2-Step Verification before you can use it.

Instead of installing an app, you can also set up a push-based system such as Google Prompt, which sends notifications to all the phones signed into your Google account when a new log-in is detected. The notifications include location information for the log-in attempt.

You then have the choice of approving or denying the attempt.


Though consumers may be less aware of this option, people who work at Google, Facebook, Twitter, and cybersecurity companies have been quick to embrace it.

Instead of entering a code into your computer to verify your identity, you insert a physical key.

In some cases, the key and computer are linked via Bluetooth. In fact, cellular phones that run versions of the Android operating system dating back to 7.0 (Nougat) can now act as a Bluetooth-connected key.
__________________
"It's tough to make predictions, especially when it involves the future." ~Attributed to many
"In theory, there is no difference between theory and practice. But, in practice, there is." ~(perhaps by) Yogi Berra
"Those who have knowledge, don't predict. Those who predict, don't have knowledge."~ Lau tzu
RonBoyd is offline   Reply With Quote
Old 05-05-2019, 07:03 AM   #12
Moderator Emeritus
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 13,200
Quote:
Originally Posted by RonBoyd View Post
Quote:
In some cases, the key and computer are linked via Bluetooth. In fact, cellular phones that run versions of the Android operating system dating back to 7.0 (Nougat) can now act as a Bluetooth-connected key.
That sort of thing is getting more common. As long as I'm wearing my Apple Watch, my laptop unlocks when I wake it up. Very convenient to not worry about typing in the password.

As for phones, when I created my T-Mobile account a couple of years ago I set up an 8-digit PIN that is required when porting my phone number. That's pretty good security.
__________________

__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Yahoo hack MichaelB Other topics 56 05-19-2017 04:22 PM
9volt battery hack maddythebeagle Other topics 3 11-07-2007 08:22 AM
Hack? One zoned to two zoned A/C Sam Other topics 3 07-13-2007 02:42 PM
Ticker Factory hack :) HobbyDave Other topics 3 05-02-2007 07:26 PM
URL Problem Possible Hack Outtahere Forum Admin 21 05-17-2006 10:43 PM

» Quick Links

 
All times are GMT -6. The time now is 12:30 AM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2019, vBulletin Solutions, Inc.