Weekly Tech News from Helpful Dave!
For this week I wanted to talk about the latest way criminals can steal your information.
It has something to do with your cellphone, but guess what? It’s not your fault! You didn’t download a bad app, or go to a bad website, or get phished via an e-mail. As a matter of fact, if you have Two Factor Authentication set up via text message, this attack actually allows criminals to bypass that too! Here’s the kicker: the one responsible for giving away your personal information is actually your Carrier!
This article is going to use two Tech Terms: SIM Cards and Two Factor Authentication. If you don’t know what those are, here is a primer:
—Tech Terms—
SIM card: The SIM card is how your mobile phone carrier (Verizon, T-Mobile, etc.) knows where to direct all of your phone calls and text messages. It’s normally a small physical card that is placed into your phone.
Two Factor Authentication: When you receive a text message or e-mail with a code to verify who you are when you try to log in to certain websites or apps.
—Back to the News—
Recently a study was done by researchers at Princeton University, and they used Verizon Wireless, T-Mobile, AT&T, Tracfone US, and US Mobile to learn how easy it would be to get them to send someone else’s SIM card to a would-be criminal.
The attack works by tricking your cell phone carrier into sending the criminal a “replacement” SIM card that you never lost! Once a criminal gets your SIM card they can make and receive phone calls and texts with your number!
So here’s one way that it works:
The criminal first calls your cell phone carrier:
Criminal: Yes, I need another SIM card.
Carrier: Okay I need your PIN number please.
Criminal: (Provides the wrong PIN number).
Carrier: That’s not correct.
Criminal: I’m so sorry I must’ve forgotten.
Carrier: No problem we can authenticate another way, can I please have….
Here’s where it gets tricky. Here’s a small list of what some providers ask for.
1. Full Name and Address: This information is easy to get. Someone can find a nice house, walk up and grab a bill from the mailbox, and now they have the full information. If they are in luck they can even grab your cell phone bill from the box as well. If they don’t know your carrier right away, they can just call all of them one at a time to see which one of them is correct.
2. Recent Numbers Dialed: Your carrier will ask the criminal for the last two numbers dialed or received in your phone log. People think this one is a bit trickier, because how would the criminal know the last two numbers in my phone? Well, it’s simple! They can call you and leave a message, and if you call them back, now they have the last two numbers!
How about this one as well: you are at a large social gathering at a bar, restaurant, or maybe someone’s house that you know. Someone walks up to you and says “I lost my phone, can you do me a favor and call it?” All they need to do is have you do that twice and they have the last two numbers as well!
The most important thing to remember is your carrier doesn’t have a way of denying service to these criminals who continue to call. They might not have all the right information the first time they call up, but sometimes your provider actually gives up some of that information on the call! The criminal simply has to be persistent enough to continue calling and they can unfortunately sometimes find a way in!
How can you keep yourself safe? Here are Helpful Dave’s Tips!
DON’T: Use Two Factor TEXT based Authentication. Once a criminal has your SIM card they will be able to receive text messages intended for you!
INSTEAD: Use an App Based Mobile Authenticator like LastPass (http://www.lastpass.com), Google Authenticator, or Authy. An App Based Mobile Authenticator, as the name suggests, is an App installed on your phone. So even if a Criminal gets your SIM card they still can’t get access to your Two Factor codes, because the codes are generated by the App on your phone instead of being sent to your phone number!
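To see why, here is a short Python sketch of the standard time-based code algorithm (TOTP, RFC 6238) that Google Authenticator and similar apps use. It is an added example, not code from the Princeton study or from any of the apps above, and the secret and timestamps are the RFC's published test values. Notice that the phone number is not an input anywhere: the code comes only from a secret stored in the app plus the current time.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, unix_time, digits=6, step=30):
    """Compute an RFC 6238 time-based code (HMAC-SHA1 variant)."""
    key = base64.b32decode(secret_b32, casefold=True)
    # The only moving part is the number of 30-second steps since 1970.
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # RFC 4226 dynamic truncation: pick 4 bytes based on the last nibble.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1, step=30):
    """What the website does: recompute the code from its copy of the secret.

    Codes from `window` steps before or after are accepted for clock drift.
    """
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + i * step), submitted)
        for i in range(-window, window + 1)
    )


# Constructed sample: the test secret published in RFC 6238, base32-encoded
# the way it would appear inside an enrollment QR code.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = 1111111109  # fixed timestamp taken from the RFC test vectors
    code = totp(DEMO_SECRET, now)
    print("code shown in the app:", code)
    print("site accepts it:", verify(DEMO_SECRET, code, now))
    # Someone who only controls the phone number has no secret to feed in,
    # and a code that is several minutes old is rejected as well.
    print("old code still accepted:", verify(DEMO_SECRET, code, now + 300))
```

The flip side is that the secret lives on the phone (or in the app's backup), so protecting that device and backup is what matters once you stop relying on text messages.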
Our personal recommendation is LastPass, as it offers many more tools that include secure password storage and an automatic password generator, so you never have to think of a password again.
Here is a link to the study from Princeton: https://www.issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf
I hope this article proved informative and helpful to everyone! If anyone has any questions, or has a news tip and wants me to do a dive into it, feel free to suggest it in the comments below! If you want to stay up to date on Helpful Tech News please stay tuned for more!
If you liked the article and want to support us, please use our affiliate link for LastPass, as we earn a commission if you sign up: https://lastpass.wo8g.net/mmnzX