SS7 SMS Attacks, a Throwback to the Phreaking of the 70s 
0
Dan Gavin
SS7 SMS Attacks, a Throwback to the Phreaking of the 70s 

This article will be hard for you to read. Not in the way all my other articles are hard to read. This one will be emotionally hard. And let me give you the call to action right now (in the government we call it the Bottom Line Up Front (BLUF)).  

The BLUF is this. You will need to do two things. First, you will need to log into all your bank, other financial accounts, and your email accounts. Set the security to Multi Factor Authentication turned on and make sure you ARE NOT using SMS or text message for delivery of the One Time Passcode. The second thing you will need to do if you are in a relationship where you do not trust your partner, is to either reset your phone to factory settings, or dispose of the phone and buy a new one. Then ensure they NEVER have access to your phone unlocked. Ever.  

Now, the reason for all this. The technical parts that follow are necessarily grossly oversimplified. In 1975, the telecommunications industry developed a security protocol to reduce the impact of “phreaking”. Phreaking was a way to trick the telecom network into allowing long distance calls for free. The protocol was not secure. It hasn’t really been updated. And it is all over your cell phone. It’s called SS7. By abusing it, anyone can intercept your phone connection from anywhere in the world and access your text messages and phone calls, without installing any malware. And you will never know.  

So, if you use text messages (SMS) for that One Time Passcode from your bank, all an attacker needs are your phone number, username, and password.  They can render you penniless. Your financial accounts and your email accounts are probably the most important part of your digital life. Treat their logins with the utmost care. 

That’s the first part. The second is this. If you are now, or have ever been, in an abusive or otherwise untrustworthy relationship what follows might sound familiar. Bob, (names have been changed for privacy) met Jane, the girl of his dreams. He thought it was cute when Jane insisted that they share their phone PIN codes. The cuteness ended there. Eventually Jane began to insist on more and more control over Bob’s life. Without reciprocating. Eventually, Bob found all the contacts in his phone had been deleted. All the female contacts. And Jane had changed her PIN. 

It’s just a PIN code. You don’t have anything to hide is your initial thought. But this sweet new addition to your life may have a dark side. This adorable partner could (with as little as $175) install spyware on your phone. Or buy a phone for you with the spyware already installed. The spyware literally gives them access to everything. Including both cameras and the microphone.  

People make a huge fuss over the need to keep Social Security Numbers (SSN) private. But did you ever think the secrecy of your phone number would be more important than your SSN? When it comes to your phone number, in the words of Gandalf, “Keep it secret. Keep it safe.” Fortunately, unlike your SSN, you can get a new phone number. 

In addition to factory resetting the phone, setting up non-SMS-based MFA for your online accounts, you should SERIOUSLY consider using the Signal app for all your communications. For the SS7 hack, it will help by encrypting all your communications (voice and video calls, and text messages) so eavesdroppers can’t eavesdrop. 

There are many more details. I’m more than happy to chat about it if you want to email me. Just no phone calls.  

Six ways to harden your digital profile 
0
Dan Gavin
Six ways to harden your digital profile 

“Kevin” was very frugal. He flossed daily, washed his hands often, wore deodorant, and never ate at McDonalds. He always came to a complete stop, separated his recyclables, ate more veggies than meat, and turned off the lights when he left the room. He also used a credit card responsibly; always paying it off every month. He had another card he used rarely and paid off just as quickly so his debt-to-credit ratio would benefit his credit score.  

One day Kevin’s 12-year-old clunker broke down for the last time. He needed a new car. The excitement was actually kind of cool. He researched the options and decided to go for sporty rather than practical this time. The test drive was thrilling. The smell of “new car” instead of “old tube socks filled with fries and candy” was a surprise. A welcome one. But right around the corner was another surprise. A very unwelcome one. Kevin’s credit score. Even though Kevin was ultra responsible in other areas of life, he was not used to checking his credit records regularly. He wasn’t even aware this was a thing. Someone had stolen his identity – and ruined it. 

I have bad news. There is a very high probability your personal information (not just your name and address) is on the dark web. Your social security number, your birth date, your address. Most of what an online criminal will need to steal your identity.  I mention this because 2.9 billion records were recently hacked from National Public Data consisting of these items.   

You’re probably so tired of hearing this. You might even think, “what’s the use?” While this news is dire, it is actually worse than you think. With the exposed personal data (like SSN) combined with other information easily accessible on social media profiles, a criminal can build a detailed profile of a victim. Armed with the data, the criminal can port a cell phone number to a phone they control, intercept the one-time code sent from the victim’s bank account and wipe out the victim’s life savings. They can drain other investment accounts, open new lines of credit, purchase property on credit, etc. Anything you can do with your personal information; a criminal can do just as easily. 

This is going to take some time. Really you can significantly strengthen your digital life within less than 2 hours. While this is not intended to be a technical tutorial, and we cannot give legal advice here, you can do the following: 

  1. Use a password manager like Bitwarden 
  1. Enable 2 factor authentication on all your critical accounts (banking, investment, email social media, cell phone provider) 
  1. Create a free login and freeze your credit reporting account at Experian, Equifax, and Transunion. 
  1. Use good credential hygiene as we have always advocated here. 
  1. Remember, if you get an email, text message or phone call requesting you to unfreeze your credit and you didn’t initiate it, it’s probably a scam 
  1. If you receive a contact you did not initiate AND the person claims you are in trouble in any way AND it makes you feel anxious AT ALL, it’s probably a scam. Stop the communication and contact the purporting organization using a known-good number.  

Moving forward the world is going to be less trustworthy. You need to adopt a posture of zero trust. Be suspicious of everyone and everything. It could save you. 

The original article was posted to the Sierra Vista Herald and can be found here.

Locals At Risk Due to Data Breaches – How to Protect Yourselves 
0
Dan Gavin
Locals At Risk Due to Data Breaches – How to Protect Yourselves 

A data breach that occurred in 2021 could be affecting readers today.  On the dark web, a hacker named ShinyHunters is attempting to sell personal data of 73 million people who were customers of AT&T.  After initially denying the data was theirs, AT&T confirmed that the data appears to be from 2019 and impacts approximately 7.6 million current AT&T account holders and 65.4 million former account holders.   The data includes names, address, phone numbers and for some, even social security numbers (SSN) and birth dates.   Additionally, the security pass codes for 7.6 million accounts were also leaked.   If you were a DirectTV customer, your data may be included.   The subscriber base at the end of 2019 was almost 202 million subscribers, so it appears to be a partial data dump. 

At this point you may be thinking, “Big deal, that was 5 years ago. What use could that information be for hackers?”  Good question.  There is a treasure trove of data that hackers can use that may impact you.  First, hackers could have access to your current account if your security passcode has not changed since then.  AT&T is aware of this and are reaching out to these customers.  Hackers can use phishing and other social engineering techniques claiming to be AT&T support.  If you get an email or SMS text from someone claiming to be an AT&T representative, we recommend that you go “out of band” instead of replying or clicking the link.  Go to AT&T’s website that you know is valid. Contact them through the methods provided on their website.   

One of the biggest dangers of this breach was the stolen SSN and birth date information.  Along with your name and address, hackers can apply for credit cards in your name and run up debt in your name.   Hackers can use your SSN to access your bank accounts.  They could pose as you with the bank’s customer support performing fraudulent transactions and transferring funds.   Using your SSN, a hacker can access your credit reports and subsequently apply for a loan for themselves in your name.  There’s more, but you get the point. 

Vigilance is the optimal option.  We recommend setting up multi-factor authentication on all accounts that offer the option.  Your bank and your credit cards definitely have this available.  It is a little more work to access your account but more than worth the effort. Most accounts use a username and password for access.  Multi-factor authentication uses a second method to verify that the user is authorized.  This may come in the form of a code sent via email or text or using an application like DUO or Authenticator.  Monitor your credit card and bank accounts regularly.  Report suspicious activity right away.  Consider using credit monitoring services. 

Of course, good cyber hygiene with your passwords is always recommended.  Do NOT reuse the same password on multiple sites.  That makes it very simple for hackers to try that password on other accounts. If your information was part of a breach, change your passwords.  To see if your email address has been involved in a breach, visit this site, https://haveibeenpwned.com, and enter your email address.  This provides a list of breaches the account was involved.   

If the AT&T hack is too old to have you concerned, Circle K was hacked in January of this year.  Loyalty data and partial credit card information was revealed. 

Don’t think that you are not a big enough target.  Hackers go for the low hanging fruit. If it’s too easy to pass up, they will not.  The old adage, “an ounce of prevention is worth a pound of cure,” rings very true in the cyber world.   

You can view the original article from the Sierra Vista Herald here.

Copyright © 2024 CyberEye Call us at: ‪(520)224-8981