How do you protect ? (devices, 2FA, etc.)

Status
Not open for further replies.
I guess re-phrasing would be - can you protect from this?
 
well i do some weird things

i NEVER store passwords on any electronic devices ,
second i rarely ever use my phone for financial transactions

third i use a different user name ( and of course password ) for every account

and if i don't NEED the phone where i am going i leave it at home locked up

and of course i rarely have large amounts of cash in the bank ( i like it working for me )

although currently i have some cash reserves looking for a market sell-down in the next 3 months
 
well i do some weird things

i rarely ever use my phone for financial transactions
This.

I have an iPhone, but don’t use it for any “financial” transactions - I don’t have my bank or brokerage apps installed.

Sure, it’s not as convenient, but it’s much more secure.
 
Wow. Didn't think of this. Yikes.

My short term suspicion: using a 3rd party authentication tool like MSFT Authenticator should avoid this where it can be used.

I'm also fairly certain ATT and his currency exchanges will take it on the chin for this. They selected the security protocols that were breached. So long as he didn't do anything untoward to make this possible, it will get settled.

But...wow...brutal.
 
OP, for those of us who are loath to click links, care to elaborate on what you think we should protect from - in your own words please?
 
T-Mobile lets you set up a SIM PIN that's required for any changes, although I don't think it's required, which it should be. I set it up as soon as they announced they were adding that feature years ago.
 
This.

I have an iPhone, but don’t use it for any “financial” transactions - I don’t have my bank or brokerage apps installed.

Sure, it’s not as convenient, but it’s much more secure.

This is not about "“financial” transactions" it's about using a phone for login verification
 
T-Mobile lets you set up a SIM PIN that's required for any changes, although I don't think it's required, which it should be. I set it up as soon as they announced they were adding that feature years ago.

How would it help in the case described? Or would it at all?
 
I use Google Voice for my text messaging and SMS 2FA.

There is no SIM associated with the phone number so it's much more resilient to this type of attack.

If you like to keep your normal text messaging with your phone provider, you could always just set up the Google Voice for the 2fa only.

Gauss
 
This.

I have an iPhone, but don’t use it for any “financial” transactions - I don’t have my bank or brokerage apps installed.

Sure, it’s not as convenient, but it’s much more secure.
SIM hack is usually pulled off using your personal data (DOB, Name, Address, SSN, etc.) from one of a gazillion data breaches (available for sale on the dark web), so nothing you do matters. Sometimes they can password hack into your cell phone account (again using a leaked password from the dark web). So always use very long and unique passwords everywhere, especially on your cell phone account. Other than unique strong passwords, the only other thing you can do is remove online access for EVERY financial account you have. In other words, live in Looniville.


The onus for such SIM hacks is on the service providers. They should have better security processes when someone wants to order a new phone or SIM. Like what Sprint does is better than most providers. But I would like an option so a security PIN is mailed to you at your address along with another security PIN sent to your existing phone.


FWIW I was in the process of a SIM hijack using a password hack but we caught it in time just by pure luck.


In fact, password hacking is very widely used for all kinds of frauds. I once was password hacked into my reward points account. They first change the e-mail and phone number in your account so all the notifications go to them. And THEN they change the password. Smart. Again hackers study the systems and figure out a way to get around the security processes. The processes can be made so much better but there is always a price which comes at the cost of convenience. We are all so used to having everything at our fingertips and that's why hackers win.


Long unique passwords are the single most important thing you can do as an end user. Unfortunately people can't remember hundreds of long unique passwords and hence password hacks are so prevalent. I use a password manager (BitWarden) to store all the long unique passwords. Make sure your password manager supports two-factor authentication. The second factor should be a physical token generator (e.g. YubiKey). Don't use your cell phone as a second factor token generator, otherwise you are back to square one. I would love to see a three-factor password manager but I have not found any to date.


By the way, three factors mean:
1. Something you know (e.g. password)
2. Something you have (e.g. YubiKey, cell phone, etc.)
3. Something you are (e.g. fingerprint, iris scan, face scan, etc.)
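The takeover sequence described in the post above (change the e-mail and phone first so notifications go to the attacker, then change the password) is something an account provider can detect and hold. The following is an added example, not code from anyone in this thread: it runs a simple rule over constructed audit events (the account names, timestamps and event names are made up for illustration) and flags any password change that follows a contact-detail change within a window, and also returns the previous contact addresses so a notification can go to the old e-mail/phone rather than only to the freshly changed ones.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real provider logs). "alice" shows the
# pattern from the post: e-mail and phone changed, then the password, within
# minutes. "bob" changed an e-mail address two days before a password change.
EVENTS = [
    {"account": "alice", "time": "2024-05-01T10:00:00", "event": "email_changed",
     "old": "alice@example.com", "new": "attacker@example.net"},
    {"account": "alice", "time": "2024-05-01T10:02:00", "event": "phone_changed",
     "old": "+15550100", "new": "+15550199"},
    {"account": "alice", "time": "2024-05-01T10:05:00", "event": "password_changed"},
    {"account": "bob", "time": "2024-05-01T11:00:00", "event": "email_changed",
     "old": "bob@example.com", "new": "bob.new@example.com"},
    {"account": "bob", "time": "2024-05-03T09:00:00", "event": "password_changed"},
]

CONTACT_EVENTS = {"email_changed", "phone_changed"}


def find_takeover_patterns(events, window=timedelta(hours=24)):
    """Flag accounts where a password change follows a contact-detail change
    within `window`. Returns one finding per suspicious password change,
    including the previous contact values that should still receive a notice."""
    by_account = {}
    for e in events:
        by_account.setdefault(e["account"], []).append(e)

    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        recent_contact = []  # (timestamp, event name, old value) of contact changes
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            if e["event"] in CONTACT_EVENTS:
                recent_contact.append((t, e["event"], e["old"]))
            elif e["event"] == "password_changed":
                preceding = [(name, old) for (ct, name, old) in recent_contact
                             if t - ct <= window]
                if preceding:
                    findings.append({
                        "account": account,
                        "password_changed_at": e["time"],
                        "preceded_by": [name for name, _ in preceding],
                        # Old contact points are where the notice should go,
                        # since the new ones are now under the attacker's control.
                        "notify_old_contacts": [old for _, old in preceding],
                    })
    return findings


def should_hold_password_change(events, account, at, hold=timedelta(hours=24)):
    """Policy check: refuse (or queue for review) a password change requested at
    `at` if any contact detail on the account changed within the last `hold`."""
    at_t = datetime.fromisoformat(at)
    for e in events:
        if e["account"] == account and e["event"] in CONTACT_EVENTS:
            ct = datetime.fromisoformat(e["time"])
            if timedelta(0) <= at_t - ct <= hold:
                return True
    return False


if __name__ == "__main__":
    for f in find_takeover_patterns(EVENTS):
        print(f)
    print(should_hold_password_change(EVENTS, "alice", "2024-05-01T10:05:00"))
```

The hold period is the "price which comes at the cost of convenience" mentioned in the post: a legitimate user who updates an e-mail address has to wait before a password change goes through, but an attacker who has just redirected the notifications cannot complete the takeover silently.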
 
OP, for those of us who are loath to click links, care to elaborate on what you think we should protect from - in your own words please?

+1. Unless the guidelines have been changed, the posting of "naked" links is not encouraged here. Call me old-fashioned and stodgy, but if it's interesting enough to post here, I think it's worthy of the time taken to write a brief description.
 
Yes, despite a polite request, the OP doesn't seem inclined to oblige. Many of us simply refuse to click on those naked links without a good reason, so it seems pointless to start a discussion with one.
 
I use Google Voice for my text messaging and SMS 2FA.

There is no SIM associated with the phone number so it's much more resilient to this type of attack.

If you like to keep your normal text messaging with your phone provider, you could always just set up the Google Voice for the 2fa only.

Gauss

The weak point in using SMS for 2FA is that telephone company employees with the power to change your SIM number are either gullible or corrupt enough to make this change, leaving whatever the number you used for 2FA vulnerable.

But the thieves have to also know where your accounts are, in addition to guessing that you used your cell phone number for 2FA.

Once they commandeer your number, they can reset all your passwords so only they can control it.

Google Voice numbers are less corruptible but not sure if they're completely impervious to being stolen.

For one, there is no easy way to contact Google to have your GV numbers changed and passwords changed.


But be aware that many places will reject GV numbers for 2FA. Even for one-time e codes to authenticate you, they will demand that you use a real phone number.


The stories of people being victimized by SIM hacking appear to be mostly people who had cryptocurrency wallets. So they protected huge sums of money with a phone number as 2FA and because cryptocurrency can't be tracked, once gone, you're SOL.
 
T-Mobile lets you set up a SIM PIN that's required for any changes, although I don't think it's required, which it should be. I set it up as soon as they announced they were adding that feature years ago.
How would it help in the case described? Or would it at all?
It's basically like 2-factor authentication for SIM changes. So to reissue a SIM card or transfer the number to a different SIM, it would require an additional PIN that you create and add to the account, separate from your other account credentials. They did this specifically because transferring a mobile number can open the door wide for identity theft.
 
This.

I have an iPhone, but don’t use it for any “financial” transactions - I don’t have my bank or brokerage apps installed.

Sure, it’s not as convenient, but it’s much more secure.

Do you use Two Factor Authentication or 2FA on any of your bank or brokerage web sites?

You should use 2FA but 2FA could be vulnerable to SIM hacking.

So if you do your banking on a computer, you could be affected.
 
I did some testing today.

Logged into T-Mobile account and … after two step verification, of course, was able to change my primary email to a new account! What’s interesting is that I got no notifications about the change and no PIN challenge (I was hoping it’d be used, but alas)

!!!

Now Schwab, wanted to see if I can prevent the ability to link a new bank account. The answer is no, even if the account’s title does not match you can link a new account. You can limit the amount of a single transfer, but then in case of fraud multiple transfers can be used instead.

Simple thing like - disable ability to link any external account is not available!

So all in all, we have to care of our accounts ourselves.

Scary things :(
 
thanks to the OP for passing this along. i didn't know i could lock our account. years ago that was called "slamming". i locked our account and have passed the article on to others.
 
Do you use Two Factor Authentication or 2FA on any of your bank or brokerage web sites?

You should use 2FA but 2FA could be vulnerable to SIM hacking.

So if you do your banking on a computer, you could be affected.
Yes. Any account I have that offers 2FA I have it enabled.

I also use a password manager and each account has a long random password, most of them are 24-digit combinations of letters, numbers and symbols. My password to the password manager is 20 digits and not written down.

Of course, if the password manager site is breached, things could get ugly.

As an aside, I know a fellow who "air gaps" his laptop. I asked him how he accomplishes that. He told me he disconnects his laptop from the internet every night. I said "Uhhh, I don't think ..." But, he brusquely cut me off and said he knows what he's doing, so I left it alone. :facepalm:
 
Yes. Any account I have that offers 2FA I have it enabled.

I also use a password manager and each account has a long random password, most of them are 24-digit combinations of letters, numbers and symbols. My password to the password manager is 20 digits and not written down.

Of course, if the password manager site is breached, things could get ugly.

As an aside, I know a fellow who "air gaps" his laptop. I asked him how he accomplishes that. He told me he disconnects his laptop from the internet every night. I said "Uhhh, I don't think ..." But, he brusquely cut me off and said he knows what he's doing, so I left it alone. :facepalm:

:facepalm: indeed! I've been in secure facilities that are air gapped, have no line of sight to the outside, and block radio signals. His definition of "air gap" would be laughed right out of the secure room!
 
:facepalm: indeed! I've been in secure facilities that are air gapped, have no line of sight to the outside, and block radio signals. His definition of "air gap" would be laughed right out of the secure room!

well, he’s likely either shutting down the router or the pc at night or maybe he’s pulling the ethernet cable out of the pc. not “air gapped” but if it ain’t online.... ‘course that doesn’t account for the hours the PC is online or if he leaves the wifi up with the PC asleep or... methinks he’s whistling thru the graveyard.
 
1. SIM pin - possibly single most effective protection
2. Use an authentication app (Authy, Google Authenticator, etc.) for 2FA, not SMS
3. Use 2FA on any financial, phone or email account.



I've gone the extra mile of using my domain name email with Fastmail. If they hack my Fastmail account, I can redirect the domain name traffic using Cloudflare. If they hack my Cloudflare account, I'm kinda screwed, but that's true for any domain hosting account. I also use a separate email address for every account, as well as randomly generated passwords.



Physical phone is protected from theft by biometrics, and I just remembered to change my 6-digit passcode so that it's not my birthday LOL
 
OP, for those of us who are loath to click links, care to elaborate on what you think we should protect from - in your own words please?

+1. Unless the guidelines have been changed, the posting of "naked" links is not encouraged here. Call me old-fashioned and stodgy, but if it's interesting enough to post here, I think it's worthy of the time taken to write a brief description.

Yes, despite a polite request, the OP doesn't seem inclined to oblige. Many of us simply refuse to click on those naked links without a good reason, so it seems pointless to start a discussion with one.

Yup, it's forum protocol to frame a thread in a way that any link is a supplement, but not required reading. In this case since there were already several replies, and an active conversation, I thought the OP would clarify by my in-thread request, rather than disrupt the thread engagement.

Since this appears to be related to 2FA, I'll add that to the title. That will at least help others determine whether to click the thread, let alone the links.
 
So if I don't know my current SIM pin, I would need a new SIM card to set up my own pin, right?
 