قالب وردپرس درنا توس
Home https://server7.kproxy.com/servlet/redirect.srv/sruj/smyrwpoii/p2/ Technology https://server7.kproxy.com/servlet/redirect.srv/sruj/smyrwpoii/p2/ How to cell phone hack is ruining lives

How to cell phone hack is ruining lives

"This is still very raw (I haven't even told my family yet)," Coonce wrote in an anguished medium post. "On a Monday night in June, Matthew Miller's daughter woke up to say that his Twitter account had been hacked." . He had no cell phone service; Within a few days Miller solved his Gmail and Twitter account and $ 25,000 from his family bank account.

A Miller's case, the attacks deactivated all his Google services, deleted all his tweets, and blocked most of his 1

0K followers. Once he got his phone number back from the hacker, T-Mobile let the hacker steal it a second time. "I've been considering changing my bank account number, social security number, and other accounts that are critical to living and working in the US," Miller wrote in a post. "I am also free of cloud services so my strategy at the moment is … writing my passwords on paper and leaving everything else off the cloud."

Both men were victims of SIM swap attacks, where someone uses pieces of personal information to find your cellular service provider for transfer (port) your number and associated phone account to a device in the attacker's possession. With control of your phone number and account, they proceed to break into all connected accounts, usually beginning with email. The attacker changes info in your accounts so you can't get them back, sets up email forwarding in case you regain control of your email, and goes through all your cloud-stored documents looking for things of value.

It is a uniquely personal and invasive attack. Thanks to Coonce and Miller, we now know and lot more about how these attacks are done and how terrible the destruction is. In Miller's case, we learned how unhelpful T-Mobile, Google, and Twitter were – with both Twitter and Google, Miller was stuck in filling out online account recovery forms and sending them off into an abyss or automated response. And for that wondering, Miller used two-factor (text / SMS) as an extra layer of security for his accounts. But with his phone out of his hands, it didn't matter.

 1155556290 "data-caption =" phone hacker "data-credit =" Diy13 via Getty Images "data-credit-link-back =" "data-directory-provider =" "data-local-id =" local-1-6003025-1561741963260 "data-media-id =" 6f09f5cd-5241-4d8d-bec6-447f3d26b60b "data-original-url =" https: //s.yimg.com/os/creatr-uploaded-images/2019-06/e8bd6a20-99c7-11e9-af9f-dc1dfd62ca45 "data-title =" 1155556290 "src =" https://o.aolcdn.com/ images / gizmo? resize = 2000% 2C2000% 2Cshrink & image_uri = https% 3A% 2F% 2Fs.yimg.com% 2Fos% 2Fcreatr-uploaded-images% 2F2019-06% 2Fe8bd6a20-99c7-11e9-af9f-dc1dfd62ca45 & client = a1acac3e1b3290917d92 & signature = f74f7c2668ffdc43fb0275901a38c900d24020c8 " /> </p><div><script async src=

Miller eventually recovered his accounts, but only because he is specially connected to both companies who helped him out, as well as delivering his platforms. tech journalist

That is both sobering and problemati c, as few regular users have this kind of privilege and access. Like you probably are right now, I'm wondering what kind of hell everyone else would be in. Engadget reached out to both Twitter and Google for comment. We did not receive a response from Twitter by time of publication.

According to Google, victims of account hijacking should fill out this claim form. The company also posted information to mitigate SIM-swap attacks and hijacks in this letter October 2018 post about (the 2018) updates to Google's Security Checkup process and sign-in security. Google also indicates that SIM swapping will not compromise on a Google account that is protected by two-step verification

Furthermore, the company said a non-SMS two-factor method (like a YubiKey) was an option only if the attacker knows the victim's password. Google recommends Google Prompt or Google Authenticator, with physical keys as the strongest form of two-factor. Google also said that SIM swap attacks are rare and confined to specific targets, and that most people do not need two-factor stronger than SMS (text-based).

Needless to say, Google's email was a confusing response to the details we learned in the SIM swap attack and account hijacks experienced by Coonce and Miller. And I, for one, believe that saying most people are fine with SMS as their two-factor, that most people shouldn't worry about SIM-swap attacks, is too conservative to feel like safe advice.

Especially when we consider the context of two important things. First, we are hearing about SIM swaps more than ever and only from high-profile techies – we don't hear about what's happening to regular people. And secondly, there was a big breach which probably made an attack typically a high-effort, targeted attack, into much easier way to grab cash and steal accounts.

That T-Mobile data breach was actually a big deal [19659014] Coonce uses AT&T, while Miller uses T-Mobile and Google Fi. The SIM porting process for both networks has terrifyingly minimal security, both companies had customer pins exposed for an unknown amount of time in 2018, and T-Mobile suffered a fairly recent breach of all the info anyone needs to do a SIM swap attack.

According to AT&T documentation, all that is required for transfer is the information one could find on a recent cell phone bill: Account number, name of the account holder, billing address, and "pin or password if applicable" – noting that the minimum billing info is all that's required if someone "can't remember" their pin or password. It is the same for a T-Mobile transfer, just info on a bill, though they do not state if a password or pin is required at all.

In August 2018, T-Mobile was hacked and the billing information of 2.5 million customers were chairs. The company reassured press by stating no financial data was compromised – but I'll bet that wasn't the point. It was all that juicy billing information, with which attackers get way, way more by SIM porting and stealing people's phone numbers and accounts.

The day after T-Mobile's breach news, and researcher discovered that all T-Mobile and AT&T customer account PINs had been sitting there for an unknown amount of time exposed by website flaws.

Obviously, the SIM porting processes at both companies should have been made way more secure a long time ago – about the time we started to live our entire lives through our phones. But it became even more urgent for T-Mobile to do so after their massive breach. Yet they didn't, and we are here.

SOS – Save our SIMS

 SIM card character holding crowbar "data caption =" SIM card character holding crowbar isolated on white background. 3d illustration "data-credit =" data via Getty Images "data-credit-link-back =" "data-dam-provider =" Getty Creative "data-local-id =" local-22-8973876-1561742250355 "data- media id = "d6a93cab-92e1-3273-9c3d-7bacf192244f" data-original-url = "https://s.yimg.com/os/creatr-images/2019-06/93a231a0-99c8-11e9-b5db- 8b49015f9287 "data-title =" SIM card holding crowbar "src =" https://o.aolcdn.com/images/dims?crop=5200%2C3900%2C0%2C0&quality=85&format=jpg&resize=1600%2C1200&image_uri=https% 3A% 2F% 2Fs.yimg.com% 2Fos% 2Fcreatr-images% 2F2019-06% 2F93a231a0-99c8-11e9-b5db-8b49015f9287 & client = a1acac3e1b3290917d92 & signature = ae9efebceb58b1d24ebce5a81a9f2155ba71b179 "/> </p>
<p> It would be really great if there was a security trick or technique I could offer or recommend for people to prevent their SIMs from being ported (swapped, stolen). Like "here's this extra, annoying security you can add to your SIM account." The truth is, cell carrier companies port It's done much, if anything, to increase SIM security. </p>
<p> In January 2018, before <i> that </i> breach, T-Mobile quietly published a post about unauthorized SIM porting in which it recommends that customers add a secondary password to their accounts, which the company calls " validation. "However, nothing about port validation is mentioned on T-Mobile's SIM transfer information page, where a link could seriously raise customer awareness about this very serious threat. </p><div><script async src=

On AT & T's" Prevent Porting to Protect Your Identity "page, little is available outside "don't share your phone number" and "keep your inbox clean." AT & T's only security step on offer is "Add all 'extra security measures to your AT&T Wireless accounts." the "extra security measures" only make it so someone has to provide your pin when signing in online, getting secondary online access, or when in-person in a retail store.

Yeah, we're scratching our heads, too. To be clear, AT & T's extra security measures are not anything extra, they just extend pin requirements to online and in-person account management. Like T-Mobile, no information about unauthorized SIM card security or extra security measures is on AT & T's customer information page on SIM transfers.

It's bad. And it will not change until an executive at T-Mobile or AT&T experiences the stomach-plummeting terror of having their Gmail account tasks (along with Google Photos, Google Drive, Calendar, Contacts) and any number of their other accounts raided – Like with Miller and Coonce, their Coinbase accounts, and financial accounts drained.

Security mistakes were made

We can, however, learn from the security mistakes Coonce and Miller made their SIMs and connected accounts. Both are in their write-ups that they are not security nerds, and they have some lazy things with general account security that they deeply regret. Coonce wrote, "Given my naive security practices, I probably deserved to get hacked – I get it. It doesn't hurt any less (…)" In a heartfelt, raw plea concluding his writeup, Coonce tells readers, "I ur you to learn from these mistakes."

So it's pretty easy for attackers to steal our SIMs (port our phone numbers with the associated account on a phone they control). Especially if you're on AT&T or T-Mobile and haven't changed your pin since all customer pins were found in late 2018. That means the security mistakes Coonce and Miller are referring to about securing our SIMs, their mistakes were in how their other accounts were – secured –

If we can't protect our SIMs, we need to secure what they would give a stranger access to.

One way both could have prevented The attackers from getting around two-factor are if they used instead a physical USB security key, such as a YubiKey or Google's Titan, with accounts that are compatible with these keys. Yes, they can be used when you are in a hurry, even if somewhat conveniently on your keychain with your house keys. Yet if someone can intercept your text message without knowing it, it is worth noting your email account and having your bank balance drained so some jerkface can buy bitcoin.

Coonce and Miller regretted having so much personal information about themselves floating around online, though it's difficult to see how anyone can prevent breach data from being around. Coonce emphasized that people should use an offline password manager (such as LastPass or 1Password) to create and securely store complicated passwords. This should be done instead of letting operating systems, browsers, or your Google Account save your passwords.

Miller in particular he had not used the "log in with your Facebook / Google / etc account" buttons on apps and websites. "In the past I would just click the Facebook, Google, or Twitter button to setup an account or login," he wrote. "I'm done doing and gift up convenience for better security."

Images: Diy13 via Getty Images (Hacker with phone); Talaj via Getty Images (SIM with crowbar)

Source link