The Cyber Chronicles | Episode 1 – SIM Jacking

The Skeleton Key to Your Life.

October is National Cyber Security Awareness Month, and has been observed every year since 2003. In honor of #NCSAM, I will be publishing 10 episodes in the first season of “The Cyber Chronicles.” I hope you enjoy and benefit.

Your phone is Grand Central Station for confirming your identity. You can show the DMV your Confirmation of Insurance on the screen of your mobile. You confirm attempted logins to corporate resources via Microsoft or Google Authenticator on your phone. You receive Verification Codes for logins galore … on your phone. Needless to say, if your phone landed in the hands of someone unscrupulous, it could be a disaster.

AWARE

What if your phone was in your hand, but no longer viewed by the rest of the world as being yours? This nightmare is not imaginary. In fact, a Salt Lake City couple told the story of their recent experience to a journalist working for VICE.

According to that reporter, Rachel and Adam Ostlund were minding their own business one evening last September when Rachel received a strange text (see the image below) and suddenly lost all connectivity to the cell network.

[Image: the text message Rachel received just before losing cell service]

Puzzled, Rachel logged into her email via computer and noticed that many of her passwords were being changed. Long minutes later, Adam answered his phone only to realize he was talking to one of the hackers behind the hijacking of Rachel’s phone number.

The Ostlunds had fallen victim to an increasingly common scam called SIM Jacking or SIM Swapping. Cell phone providers call it a “port out scam.” Unfortunately, Rachel was the owner of a highly sought-after, short and sweet Instagram handle, which hackers can sell for thousands of dollars.

None of the security measures Rachel had taken to secure the several accounts that were compromised made any difference once the hackers seized control of her phone number.

CARE

Your phone has become the skeleton key to your life; the confirmation of your identity for dozens of accounts.

If you forgot the password to your personal email how would Google, Microsoft, or Yahoo contact you? Whether via call, text, or email, it would almost certainly be via your phone. What if you forgot the password to your bank account?

While it is good that an increasing number of organizations are moving to implement multi-factor authentication, the problem with using our phones as the central hub of confirmation is that they are remarkably vulnerable to compromise by external parties.

In June of this year the largest consumer marketing database in the world was exposed online, containing records on 230 million consumers. To put that into perspective, there are 240 million adults in the United States.

While the database did not contain social security or credit card numbers, it did have highly detailed information with entries on more than 400 variables, including address, phone number, religion, smoking status, number, age and sex of children, preference for plus-sized clothing, cat or dog ownership, etc.

If that kind of information is available online, how difficult would it be for someone to impersonate you to a customer service rep over the phone?

The technique behind SIM Jacking is incredibly simple. The scammer calls customer service asking to port your number over to a new SIM card in their possession. Only a trivial social engineering effort is required to “confirm” their identity as you, and you suddenly lose access to the cell network, and to your digital life.

Mobile providers are aware of this trend, but reluctant to provide statistics on its frequency, though at least one provider has informed its customers of an “industry-wide” threat.

According to the VICE reporter, Rachel and Adam called the police, who seemed puzzled and said there was nothing they could do. The Ostlunds did manage to get Rachel’s number back by calling T-Mobile, and were able to reset and regain control of all her accounts except for Instagram.

PREPARE

Preventing SIM swapping is relatively simple and absolutely necessary. Call your cell phone provider and set an account PIN or password that must be provided verbally before any changes are made. Then never use that PIN or password anywhere else for anything else.

For more information check out the following links:

https://www.digitaltrends.com/mobile/sim-swap-fraud-explained/ [digitaltrends.com] (with instructions for safeguarding yourself)

https://www.wired.com/story/sim-swap-attack-defend-phone/ [wired.com] (another, more recent article on protecting yourself)

Note: The story of Adam and Rachel Ostlund was originally told in an article for VICE and contains NSFW language, used by the hackers.
