Account security - Hackers gain access to mobile and then break havoc

oldcomputerguy
Posts: 3130
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Account security - Hackers gain access to mobile and then break havoc

Post by oldcomputerguy » Thu Oct 19, 2017 5:58 pm

mptfan wrote:
Thu Oct 19, 2017 3:15 pm
oldcomputerguy wrote:
Thu Oct 19, 2017 12:36 pm
For Fidelity customers, here's another option (that I just discovered yesterday): In the "Alerts" section you can set up a schedule to have Fidelity email you your current balances daily. It becomes trivially easy to keep an eye on your account to make sure nobody has emptied it, and it doesn't even require logging in.
How does that help? Let's say you find out that your account has been emptied when you get your daily alert, isn't it too late at that point?
Possibly. But as I understand it, to have any chance at all to get something back, you should move as fast as possible to notify the fund company. And I believe some even spell out a requirement that you notify them within so many days, or they will disclaim any liability.

You're right in that such a notification doesn't prevent such an attack. But I'm not aware of anything that is guaranteed to do so. I'll take all the measures I can to safeguard myself, though, including keeping tabs on the status of my holdings. This is at least better than having to log into the account daily.
It’s taken me a lot of years, but I’ve come around to this: If you’re dumb, surround yourself with smart people. And if you’re smart, surround yourself with smart people who disagree with you.

mptfan
Posts: 4573
Joined: Mon Mar 05, 2007 9:58 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by mptfan » Thu Oct 19, 2017 6:38 pm

oldcomputerguy wrote:
Thu Oct 19, 2017 5:58 pm
You're right in that such a notification doesn't prevent such an attack. But I'm not aware of anything that is guaranteed to do so. I'll take all the measures I can to safeguard myself, though, including keeping tabs on the status of my holdings. This is at least better than having to log into the account daily.
Agreed.

Hyperborea
Posts: 688
Joined: Sat Apr 15, 2017 10:31 am
Location: In Limbo

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Hyperborea » Thu Oct 19, 2017 6:41 pm

oldcomputerguy wrote:
Thu Oct 19, 2017 5:58 pm
mptfan wrote:
Thu Oct 19, 2017 3:15 pm
oldcomputerguy wrote:
Thu Oct 19, 2017 12:36 pm
For Fidelity customers, here's another option (that I just discovered yesterday): In the "Alerts" section you can set up a schedule to have Fidelity email you your current balances daily. It becomes trivially easy to keep an eye on your account to make sure nobody has emptied it, and it doesn't even require logging in.
How does that help? Let's say you find out that your account has been emptied when you get your daily alert, isn't it too late at that point?
Possibly. But as I understand it, to have any chance at all to get something back, you should move as fast as possible to notify the fund company. And I believe some even spell out a requirement that you notify them within so many days, or they will disclaim any liability.

You're right in that such a notification doesn't prevent such an attack. But I'm not aware of anything that is guaranteed to do so. I'll take all the measures I can to safeguard myself, though, including keeping tabs on the status of my holdings. This is at least better than having to log into the account daily.
The biggest benefit is having the alerts turned on for changes to address, email, phone, or attached accounts. Those take time and will block the transfer of assets out of the account for a period of time. If you get an alert about those then you have a window of time to contact the brokerage and stop the process. If they don't change an attached account they can't get a payout unless they have also breached one of my bank accounts.

It's important to set up accounts such that there is never a pull possible from the more secure account by a less secure account. My brokerage accounts are the most secure and the only way for money to get out is to push it from within the brokerage. If somebody breaches one of my bank accounts then they can't access the brokerage where the bulk of my assets reside.
"Plans are worthless, but planning is everything." - Dwight D. Eisenhower

mptfan
Posts: 4573
Joined: Mon Mar 05, 2007 9:58 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by mptfan » Thu Oct 19, 2017 6:44 pm

Hyperborea wrote:
Thu Oct 19, 2017 6:41 pm
It's important to set up accounts such that there is never a pull possible from the more secure account by a less secure account. My brokerage accounts are the most secure and the only way for money to get out is to push it from within the brokerage. If somebody breaches one of my bank accounts then they can't access the brokerage where the bulk of my assets reside.
How did you set that up?

Katietsu
Posts: 1506
Joined: Sun Sep 22, 2013 1:48 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Katietsu » Thu Oct 19, 2017 6:51 pm

Yankuba wrote:
Thu Oct 19, 2017 9:09 am
I put a PIN on my Verizon account - I was under the impression that when you request service on your account in person or over the phone you have to provide the PIN and/or identification.

My phone died this weekend. I went into the local Verizon store, handed over my drivers license and bought a new phone. I told the representative I have a PIN on the account and he looked at me like I had two heads. My number went from the old phone to the new phone without any problems.
Did you have the old phone with you? In that case you probably just physically moved the SIM card. I know that I have not been able to port between companies without the PIN.

Hyperborea
Posts: 688
Joined: Sat Apr 15, 2017 10:31 am
Location: In Limbo

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Hyperborea » Thu Oct 19, 2017 7:06 pm

mptfan wrote:
Thu Oct 19, 2017 6:44 pm
Hyperborea wrote:
Thu Oct 19, 2017 6:41 pm
It's important to set up accounts such that there is never a pull possible from the more secure account by a less secure account. My brokerage accounts are the most secure and the only way for money to get out is to push it from within the brokerage. If somebody breaches one of my bank accounts then they can't access the brokerage where the bulk of my assets reside.
How did you set that up?
Only set up transfers to or from the brokerage account from within the brokerage. Never tell the bank account about the brokerage account and don't set up a way to transfer to or from the brokerage account from within the bank account. Even if the brokerage has a checking account I would still not allow other accounts to transfer into or out of that, only from within the brokerage checking account. That way the only way to initiate a transfer in or out of the brokerage is from within the brokerage account.

Brokerages seem to have better security than most banks. Also, if the brokerage account is breached then most of the brokerages have some sort of guarantee to reimburse you. If somebody breaches your bank account, transfers the money from your brokerage into the bank account, and from there to who knows where then likely neither the bank nor the brokerage account will reimburse you.

If you set up your accounts in tiers or levels with one level only being able to reach down but not up you can keep tighter security of the top tiers and possibly prevent a complete security failure.
"Plans are worthless, but planning is everything." - Dwight D. Eisenhower
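The tiering rule above can be written down and checked mechanically. The Python below is an added example, not code from anyone in this thread: it models each configured transfer link as (initiating account, source, destination), flags any link that lets a lower-tier account move money into or out of a higher-tier one, and reports which accounts a stolen login can drain. The account names, tier numbers and link sets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Account:
    name: str
    tier: int  # higher = more secure; the bulk of assets should sit in the top tier


@dataclass(frozen=True)
class Link:
    """A configured money-movement path.

    initiator: the account whose web site / credentials start the transfer
    source, destination: where the money leaves and where it lands
    """
    initiator: str
    source: str
    destination: str


def link_violations(accounts: Iterable[Account], links: Iterable[Link]) -> List[str]:
    """Describe every link that breaks the one-way-tier rule.

    Rule: the initiating account must be one end of the transfer, and the
    other end must not sit in a higher tier. A bank (tier 1) must never be
    the place where a brokerage (tier 2) transfer is started, in either
    direction; those transfers are started only from inside the brokerage.
    """
    tier = {a.name: a.tier for a in accounts}
    problems = []
    for link in links:
        if link.initiator not in (link.source, link.destination):
            problems.append(f"{link.initiator} initiates a transfer it is not a party to "
                            f"({link.source} -> {link.destination})")
            continue
        other = link.destination if link.initiator == link.source else link.source
        if tier[other] > tier[link.initiator]:
            direction = "pull from" if other == link.source else "push into"
            problems.append(f"{link.initiator} (tier {tier[link.initiator]}) can {direction} "
                            f"{other} (tier {tier[other]})")
    return problems


def drainable_from(compromised: Set[str], links: Iterable[Link]) -> Set[str]:
    """Accounts an attacker holding the `compromised` logins can pull money out of.

    Only links whose initiator is a compromised account count: the attacker can
    use those accounts' web sites, but not the others'.
    """
    return {l.source for l in links if l.initiator in compromised} - compromised


# Constructed sample: one checking account and one brokerage, as in the thread.
ACCOUNTS = [Account("checking", 1), Account("brokerage", 2)]

# Weak layout: the brokerage was linked from inside the bank's site, both ways.
WEAK_LINKS = [
    Link("checking", "brokerage", "checking"),   # bank pulls from brokerage
    Link("checking", "checking", "brokerage"),   # bank pushes into brokerage
    Link("brokerage", "brokerage", "checking"),  # brokerage pushes out (fine)
]

# Tiered layout: the bank never learns about the brokerage; every move starts there.
TIERED_LINKS = [
    Link("brokerage", "brokerage", "checking"),
    Link("brokerage", "checking", "brokerage"),
]

if __name__ == "__main__":
    for name, links in (("weak", WEAK_LINKS), ("tiered", TIERED_LINKS)):
        print(f"{name}: violations = {link_violations(ACCOUNTS, links)}")
        print(f"{name}: a stolen checking login can drain "
              f"{drainable_from({'checking'}, links) or 'nothing'}")
```

Run it and the weak layout reports two violations and shows that a stolen checking login reaches the brokerage; the tiered layout reports none, and the same stolen login reaches nothing. The reverse (a stolen brokerage login draining checking) is accepted by design: the top tier is the one you guard hardest.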

2015
Posts: 1705
Joined: Mon Feb 10, 2014 2:32 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by 2015 » Thu Oct 19, 2017 8:18 pm

mptfan wrote:
Thu Oct 19, 2017 10:12 am
ThereAreNoGurus wrote:
Sat Sep 23, 2017 1:19 pm
I use gmail with google Authenticator (Authy is another choice). It seems quite unlikely your account will be hacked with it and I don't think google is stupid enough to remove 2FA from your gmail when the rep sees 2FA is established. So even if your password were reset, hackers could not log in.
That's not necessarily true. Even if you have 2FA set up on your Google account using the google authenticator app, it is likely that there are also other ways that you (or someone pretending to be you) can get an authentication code to access your gmail and change your password, and that may include getting a code sent by SMS text.

Try this...type myaccount.google.com into your browser and go to the security checkup section and then review your 2 step verification settings (you will have to enter your google password again to review the settings). You will then see a list of ways that you can get your verification code, the google authenticator app method will likely be listed, along with the google prompt method (if you set that up)...this is important...do you also see the option of sending an SMS message to your phone number? If so, that means if you (or someone pretending to be you) tried to change your password, they can claim that they don't have access to the authenticator app, and they will be given the option of "select another method" or some similar message to allow them to get the code by SMS and bypass your google authenticator app completely.

So, someone who knows your email address and hacks your phone number can now take over your gmail account and lock you out. Now all of your financial account notifications by either email or text go to the hacker and not you.
This is true only if you haven't removed your phone number as an access option. I have posted elsewhere (twice now) a methodology to add Yubikey, authenticator app, and access codes to a gmail account, after which the phone number can be removed. I just completed this process this week on a gmail dedicated strictly to my financial account notifications.

mptfan
Posts: 4573
Joined: Mon Mar 05, 2007 9:58 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by mptfan » Thu Oct 19, 2017 10:16 pm

2015 wrote:
Thu Oct 19, 2017 8:18 pm
This is true only if you haven't removed your phone number as an access option. I have posted elsewhere (twice now) a methodology to add Yubikey, authenticator app, and access codes to a gmail account, after which the phone number can be removed. I just completed this process this week on a gmail dedicated strictly to my financial account notifications.
You are right. I only use one gmail account and I removed the phone number option.

learning_head
Posts: 836
Joined: Sat Apr 10, 2010 6:02 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by learning_head » Thu Feb 01, 2018 1:03 am

This is an older thread but I am happy to have found this tidbit on an earlier page...
AntsOnTheMarch wrote:
Mon Sep 18, 2017 4:34 pm
Yankuba wrote:
Mon Sep 18, 2017 3:05 pm
https://www.theverge.com/2017/9/18/1632 ... rd-bitcoin

"This is why you shouldn’t use texts for two-factor authentication"
Comment from the article:
The big problem with this article is that it conflates two unrelated issues.
The main issue it’s describing, and the research it references, have nothing to do with Two Factor Auth. Disabling 2FA does not protect you from these, and only makes you less secure.

The real problem here is single factor SMS-based account recovery. In fact, any single-factor account recovery is a problem, and turns all 2FA mechanisms into 1FA mechanisms. Single factor SMS account recovery is what you have to disable to protect yourself from the attack described in this article. As I described to Russell, on Google, removing a phone from 2FA (or disabling 2FA) does NOT remove your phone # as an account recovery mechanism. Similarly, removing the account recovery # doesn’t remove the 2FA #. That is a good thing. For most people, setting up 2FA with password + SMS is plenty secure, and they should do this. They should also remove the SMS account recovery option or enable a 2FA recovery mechanism (SMS + secret question at a minimum, SMS + e-mail and other options exist).

2FA with SMS is always vastly more secure than just using a password. It’s a no-brainer in terms of security wins, it works for most people regardless of device or platform, and is a great option which undeniably increases your security over just a password. If you want something even more secure than that, then there are alternatives for your second factor, which are great. But they’re also unnecessary/overkill for the vast majority of users, and the difference between good password + SMS and good password + app, for example, is really only relevant if you have an actual reason to be concerned about highly targeted, nation-state-level attackers.

But if you have single-factor SMS account recovery enabled, you don’t really have 2FA at all. That’s the big problem which needs attention. It’s a shame the opportunity to get attention on that was missed here.
Thanks for posting this, AntsOnTheMarch! This makes the topic so much more clear to me and I thought this was very much worth repeating!

I set up my gmail accounts to enable SMS for 2FA login and disable the phone option for recovery. Microsoft does not seem to make this distinction in outlook, so I can't do the same there.
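Both the point mptfan made earlier (an SMS fallback next to the authenticator app lets a hijacked number stand in for the app) and the quoted comment's point (single-factor SMS recovery turns 2FA into 1FA) come down to one question: what is the cheapest set of things an attacker must hold to get in? The Python below is an added example, not code from anyone in this thread or from Google. It treats every login method and every recovery flow as a path into the account, written as the set of factors the path needs, and computes the weakest path. The three configurations are constructed to match the situations discussed; the factor names are labels chosen here, not any provider's settings.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# A path is everything an attacker must hold to get into the account that way.
Path = FrozenSet[str]


def all_paths(cfg: Dict[str, List[Set[str]]]) -> List[Path]:
    """Normal logins plus every recovery flow.

    Completing a recovery flow ends in a password reset, which is as good as
    a login, so recovery paths count as ways in on equal footing.
    """
    return [frozenset(p) for p in cfg["login"] + cfg["recovery"]]


def minimal_paths(paths: List[Path]) -> List[Path]:
    """Drop any path that needs a strict superset of some other path's factors:
    an attacker who could complete it would take the cheaper route instead."""
    return [p for p in paths if not any(q < p for q in paths)]


def weakest_link(paths: List[Path]) -> Path:
    """The path needing the fewest factors. Ties resolve to the first listed."""
    return min(minimal_paths(paths), key=len)


def sufficient(paths: List[Path], held: Set[str]) -> bool:
    """True if what the attacker holds completes at least one path."""
    return any(p <= held for p in paths)


def analyze(cfg: Dict[str, List[Set[str]]]) -> Tuple[int, Path]:
    """(effective number of factors, the path that sets it)."""
    w = weakest_link(all_paths(cfg))
    return len(w), w


# Constructed configurations, named after the situations in the thread.

# 1. Authenticator app on, but SMS still accepted for 2FA and, alone, for recovery.
SMS_RECOVERY = dict(
    login=[{"password", "authenticator_app"}, {"password", "sms"}],
    recovery=[{"sms"}],
)

# 2. Same logins, but recovery now needs two things (the comment's "SMS + e-mail").
TWO_FACTOR_RECOVERY = dict(
    login=[{"password", "authenticator_app"}, {"password", "sms"}],
    recovery=[{"sms", "recovery_email"}],
)

# 3. Phone number removed entirely: security key, app, or printed backup codes.
NO_PHONE = dict(
    login=[{"password", "security_key"},
           {"password", "authenticator_app"},
           {"password", "backup_code"}],
    recovery=[],
)

if __name__ == "__main__":
    sim_swap = {"sms"}  # what a successful port-out or SIM swap yields
    for name, cfg in (("sms recovery", SMS_RECOVERY),
                      ("2-factor recovery", TWO_FACTOR_RECOVERY),
                      ("no phone", NO_PHONE)):
        n, path = analyze(cfg)
        print(f"{name:18}: effectively {n} factor(s) via {sorted(path)}; "
              f"SIM swap alone gets in: {sufficient(all_paths(cfg), sim_swap)}")
```

The first configuration comes out as one effective factor, the SMS recovery path, no matter how many login methods are stacked next to it; a number port alone is enough. The second needs two factors on every path, but note that `{"password", "sms"}` still completes a login path, which is mptfan's point about the SMS fallback: it is two factors, but the second one is the phone number. Only the third configuration makes the phone number worthless to an attacker even when paired with the password.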

AntsOnTheMarch
Posts: 610
Joined: Mon May 29, 2017 5:47 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by AntsOnTheMarch » Thu Feb 01, 2018 4:01 am

learning_head wrote:
Thu Feb 01, 2018 1:03 am
This is an older thread but I am happy to have found this tidbit on an earlier page...
AntsOnTheMarch wrote:
Mon Sep 18, 2017 4:34 pm
Yankuba wrote:
Mon Sep 18, 2017 3:05 pm
https://www.theverge.com/2017/9/18/1632 ... rd-bitcoin

"This is why you shouldn’t use texts for two-factor authentication"
Comment from the article:
The big problem with this article is that it conflates two unrelated issues.
The main issue it’s describing, and the research it references, have nothing to do with Two Factor Auth. Disabling 2FA does not protect you from these, and only makes you less secure.

The real problem here is single factor SMS-based account recovery. In fact, any single-factor account recovery is a problem, and turns all 2FA mechanisms into 1FA mechanisms. Single factor SMS account recovery is what you have to disable to protect yourself from the attack described in this article. As I described to Russell, on Google, removing a phone from 2FA (or disabling 2FA) does NOT remove your phone # as an account recovery mechanism. Similarly, removing the account recovery # doesn’t remove the 2FA #. That is a good thing. For most people, setting up 2FA with password + SMS is plenty secure, and they should do this. They should also remove the SMS account recovery option or enable a 2FA recovery mechanism (SMS + secret question at a minimum, SMS + e-mail and other options exist).

2FA with SMS is always vastly more secure than just using a password. It’s a no-brainer in terms of security wins, it works for most people regardless of device or platform, and is a great option which undeniably increases your security over just a password. If you want something even more secure than that, then there are alternatives for your second factor, which are great. But they’re also unnecessary/overkill for the vast majority of users, and the difference between good password + SMS and good password + app, for example, is really only relevant if you have an actual reason to be concerned about highly targeted, nation-state-level attackers.

But if you have single-factor SMS account recovery enabled, you don’t really have 2FA at all. That’s the big problem which needs attention. It’s a shame the opportunity to get attention on that was missed here.
Thanks for posting this, AntsOnTheMarch! This makes the topic so much more clear to me and I thought this was very much worth repeating!

I set up my gmail accounts to enable SMS for 2FA login and disable the phone option for recovery. Microsoft does not seem to make this distinction in outlook, so I can't do the same there.
:thumbsup
