Account security - Hackers gain access to mobile and then break havoc

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
ray.james
Posts: 975
Joined: Tue Jul 19, 2011 4:08 am

Account security - Hackers gain access to mobile and then break havoc

Post by ray.james » Thu Sep 14, 2017 2:26 pm

Found this on Reddit this morning.

https://www.reddit.com/r/personalfinanc ... aypal_and/

Hackers essentially gained access to the mobile number and then went on resetting every possible account. I think they might have had a combination of birthday and last 4 digits of SSN to begin with. Except for SSN, birthday, address, mobile numbers and a lot of others can be social engineered. This is indeed scary and given the number of hacks that are happening, it is hard to escape something like this.

An excerpt from the top comment
This is the solution to your problem. The criminals managed to get control of your wife's number from her service provider. That's the reason her SIM is not working anymore. Having her number they can reset every password through SMS reset codes.
You need to get hold of her number again.
Question/Discussion/thoughts:
How do you plan your security and what do you think people have to change that they take for granted.
- separate email not disclosed anywhere for financial information
- choose second factor authentication to be email/sms/snail mail, different for each account? I kinda think phone is a weak link.
- purge sensitive details from email after the information is sought?
- share your best known methods.
When in doubt, http://www.bogleheads.org/forum/viewtopic.php?f=1&t=79939

Yankuba
Posts: 65
Joined: Wed Dec 07, 2016 10:45 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Yankuba » Thu Sep 14, 2017 3:06 pm

This is scary. I just took my mobile number off my email account and used my work email address as the alternate.

lazydavid
Posts: 1578
Joined: Wed Apr 06, 2016 1:37 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by lazydavid » Thu Sep 14, 2017 3:13 pm

For services that allow TOTP (Time-Based One-Time Passcode), ALWAYS choose that option instead of SMS or email. They will show you a QR code one time, you take a picture of it using an authenticator app on your phone--there are tons of these, from Google, MS, etc--and from then forward your phone generates the passcodes locally, which change every 30 seconds. The service never needs to deliver a code to you for your second factor, so the transmission medium cannot be hijacked. You can import an unlimited number of accounts into a single app. Here's Google Authenticator with three accounts:

Image

Yankuba
Posts: 65
Joined: Wed Dec 07, 2016 10:45 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Yankuba » Thu Sep 14, 2017 3:16 pm

Some reasons SMS two factor authentication is problematic:

https://www.wired.com/2016/06/hey-stop- ... ntication/

Pajamas
Posts: 5412
Joined: Sun Jun 03, 2012 6:32 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Pajamas » Thu Sep 14, 2017 4:11 pm

You can take reasonable precautions to prevent something like this from happening, but criminals will always be one step ahead.

Tallis
Posts: 62
Joined: Tue Mar 29, 2016 7:23 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Tallis » Thu Sep 14, 2017 4:21 pm

Last month the New York Times had an article on phone hijacking, focusing on people having their cryptocurrency hoards stolen.

https://www.nytimes.com/2017/08/21/busi ... ml?mcubz=0

I'm not sure what I should do, since I do use 2-factor logins, and my cheap mobile phone company, Tracfone, has terrible customer service.

likegarden
Posts: 2593
Joined: Mon Feb 26, 2007 5:33 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by likegarden » Thu Sep 14, 2017 5:37 pm

We are probably very different from most here in using phones. We do not have smartphones. We use a Tracfone cell phone only in emergencies, and have a hardwired phone. We do not do financial transactions (Vanguard, credit card company, bank) on computers where we also surf the internet and do email. We have a laptop for the sole purpose of doing financial interface. Like the PC, the laptop also has Webroot and Malwarebytes, and files are backed up. You need to separate financials from other internet use.

F150HD
Posts: 1485
Joined: Fri Sep 18, 2015 7:49 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by F150HD » Thu Sep 14, 2017 6:11 pm

I posted about this in a few threads last week and each person responded like I was making it up and it wasn't an issue to them.

Good luck.

ray.james
Posts: 975
Joined: Tue Jul 19, 2011 4:08 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by ray.james » Fri Sep 15, 2017 12:22 am

F150HD wrote:
Thu Sep 14, 2017 6:11 pm
I posted about this in a few threads last week and each person responded like I was making it up and it wasn't an issue to them.

Good luck.
I saw your post in the credit freeze thread. To me this sounds like something that can be executed much more easily than bank hacking. Pretty scary. I am creating new emails for personal, spam, and financial use, kept separate, and trying to keep my exposure in check. Not sure what else can be done!
When in doubt, http://www.bogleheads.org/forum/viewtopic.php?f=1&t=79939

mouses
Posts: 3295
Joined: Sat Oct 24, 2015 12:24 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by mouses » Fri Sep 15, 2017 1:00 am

likegarden wrote:
Thu Sep 14, 2017 5:37 pm
We are probably very different from most here in using phones. We do not have smartphones. We use a Tracfone cell phone only in emergencies, and have a hardwired phone.
Verizon is ripping out hardwired phones in my area. This is such a bad thing for numerous reasons. The public utilities commission is useless about this.

Gardener246
Posts: 56
Joined: Wed Dec 17, 2014 3:42 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Gardener246 » Fri Sep 15, 2017 1:20 am

I really wish I could get my Vanguard emails and notifications to stop broadcasting 'Flagship' everywhere!

objectivefunction
Posts: 127
Joined: Wed May 04, 2016 10:20 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by objectivefunction » Fri Sep 15, 2017 6:03 am

I agree that TOTP is much better than SMS. It does not require an Internet or cell connection.

My concern was always that I'd have my phone set up with all these accounts, and then either lose it or forget to migrate them to a new phone or something.

I ended up getting a Yubikey NEO, which allows me to store the keys on the Yubikey. I thought it was great because I could install an app on my phone and scan the Yubikey with NFC. The keys never leave the Yubikey, and if I drop my phone in the toilet I can still scan the codes on my wife's phone, or on my computer by plugging it into the USB port. I just need to not drop the Yubikey in the toilet! I keep the Yubikey on my keyring with my other keys.

Unfortunately I ended up with a phone that doesn't support NFC, but I can still scan the Yubikey on my computer.

Another option, which doesn't seem to be as widely supported as I'd like is a U2F device. Yubikey sells one (the NEO also includes U2F support), and other companies sell them, but not all browsers and websites support them. I think the U2F device is more user friendly than the NEO, but needs to get more support.

I think these hardware devices are the future, but if they are not an option, TOTP should be used in favor of SMS, even if it is not ideal.

midareff
Posts: 5563
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Account security - Hackers gain access to mobile and then break havoc

Post by midareff » Fri Sep 15, 2017 6:37 am

Well OK, I get emails from banks, credit cards, Vanguard and Fidelity to name a few. If they hack my phone, which does not have LastPass on it, and has LastPass restricted to my home computer with a very long strong alphanumeric upper and lower case password, what do they do next? BTW, the phone is international call blocked. Do they run my minutes chatting with their mommy?

Xpe
Posts: 134
Joined: Wed Sep 17, 2014 7:24 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Xpe » Fri Sep 15, 2017 7:36 am

midareff wrote:
Fri Sep 15, 2017 6:37 am
Well OK, I get emails from banks, credit cards, Vanguard and Fidelity to name a few. If they hack my phone, which does not have LastPass on it, and has LastPass restricted to my home computer with a very long strong alphanumeric upper and lower case password, what do they do next? BTW, the phone is international call blocked. Do they run my minutes chatting with their mommy?
Once they have your phone, they can reset your email password and lock you out (most/many people have their phone set as a recovery option for their email).

Once they have your phone and your email, they can reset your bank passwords, your brokerage passwords, etc. Add in that they could now very well already have your name, address, DOB, SSN, employer info due to the Equifax breach...

Now they have access to all your accounts, and you have no way of getting it back. Imagine they add new security features to your account. What if your secret questions were "What was your high school name?" and "What's your mother's maiden name?" and your answers were the actual answers to those questions, well, the hacker can find those out easily. So he calls in, verifies his (your) identity by answering the questions, and then he tells the operator "You know, I'm pretty worried about security recently, I'd like to change the answers to my security questions so that they're less obvious to an attacker". So then when you call in, after you realized you've been hacked, you can't authenticate because you don't know the answers to the security questions anymore, Vanguard tells you "sorry you have to fill out this form and mail it in" which takes weeks to arrive and be processed, and by the time it's done, your account is already empty...

midareff
Posts: 5563
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Account security - Hackers gain access to mobile and then break havoc

Post by midareff » Fri Sep 15, 2017 10:35 am

Xpe wrote:
Fri Sep 15, 2017 7:36 am
midareff wrote:
Fri Sep 15, 2017 6:37 am
Well OK, I get emails from banks, credit cards, Vanguard and Fidelity to name a few. If they hack my phone, which does not have LastPass on it, and has LastPass restricted to my home computer with a very long strong alphanumeric upper and lower case password, what do they do next? BTW, the phone is international call blocked. Do they run my minutes chatting with their mommy?
Once they have your phone, they can reset your email password and lock you out (most/many people have their phone set as a recovery option for their email).

Once they have your phone and your email, they can reset your bank passwords, your brokerage passwords, etc. Add in that they could now very well already have your name, address, DOB, SSN, employer info due to the Equifax breach...

and exactly how will they do that without my bank passwords? ... or any of the bank specific security question answers?

Now they have access to all your accounts, and you have no way of getting it back. Imagine they add new security features to your account. What if your secret questions were "What was your high school name?" and "What's your mother's maiden name?" and your answers were the actual answers to those questions, well, the hacker can find those out easily. So he calls in, verifies his (your) identity by answering the questions, and then he tells the operator "You know, I'm pretty worried about security recently, I'd like to change the answers to my security questions so that they're less obvious to an attacker". So then when you call in, after you realized you've been hacked, you can't authenticate because you don't know the answers to the security questions anymore, Vanguard tells you "sorry you have to fill out this form and mail it in" which takes weeks to arrive and be processed, and by the time it's done, your account is already empty...

My point is they have NO access to any of my accounts by having my email address without additional information they don't have.

midareff
Posts: 5563
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Account security - Hackers gain access to mobile and then break havoc

Post by midareff » Fri Sep 15, 2017 10:38 am

midareff wrote:
Fri Sep 15, 2017 10:35 am
Xpe wrote:
Fri Sep 15, 2017 7:36 am
midareff wrote:
Fri Sep 15, 2017 6:37 am
Well OK, I get emails from banks, credit cards, Vanguard and Fidelity to name a few. If they hack my phone, which does not have LastPass on it, and has LastPass restricted to my home computer with a very long strong alphanumeric upper and lower case password, what do they do next? BTW, the phone is international call blocked. Do they run my minutes chatting with their mommy?
Once they have your phone, they can reset your email password and lock you out (most/many people have their phone set as a recovery option for their email).

Once they have your phone and your email, they can reset your bank passwords, your brokerage passwords, etc. Add in that they could now very well already have your name, address, DOB, SSN, employer info due to the Equifax breach...

and exactly how will they do that without my bank passwords? ... or any of the bank specific security question answers?

Now they have access to all your accounts, and you have no way of getting it back. Imagine they add new security features to your account. What if your secret questions were "What was your high school name?" and "What's your mother's maiden name?" and your answers were the actual answers to those questions, well, the hacker can find those out easily. So he calls in, verifies his (your) identity by answering the questions, and then he tells the operator "You know, I'm pretty worried about security recently, I'd like to change the answers to my security questions so that they're less obvious to an attacker". So then when you call in, after you realized you've been hacked, you can't authenticate because you don't know the answers to the security questions anymore, Vanguard tells you "sorry you have to fill out this form and mail it in" which takes weeks to arrive and be processed, and by the time it's done, your account is already empty...

My point is they have NO access to any of my accounts by having my email address without additional information they don't have, and my phone isn't set to be a recovery option for anything.

lotusflower
Posts: 145
Joined: Thu Oct 24, 2013 12:32 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by lotusflower » Fri Sep 15, 2017 11:04 am

midareff wrote:
Fri Sep 15, 2017 10:35 am
Xpe wrote:
Fri Sep 15, 2017 7:36 am
midareff wrote:
Fri Sep 15, 2017 6:37 am
Well OK, I get emails from banks, credit cards, Vanguard and Fidelity to name a few. If they hack my phone, which does not have LastPass on it, and has LastPass restricted to my home computer with a very long strong alphanumeric upper and lower case password, what do they do next? BTW, the phone is international call blocked. Do they run my minutes chatting with their mommy?
Once they have your phone, they can reset your email password and lock you out (most/many people have their phone set as a recovery option for their email).

Once they have your phone and your email, they can reset your bank passwords, your brokerage passwords, etc. Add in that they could now very well already have your name, address, DOB, SSN, employer info due to the Equifax breach...

and exactly how will they do that without my bank passwords? ... or any of the bank specific security question answers?

Now they have access to all your accounts, and you have no way of getting it back. Imagine they add new security features to your account. What if your secret questions were "What was your high school name?" and "What's your mother's maiden name?" and your answers were the actual answers to those questions, well, the hacker can find those out easily. So he calls in, verifies his (your) identity by answering the questions, and then he tells the operator "You know, I'm pretty worried about security recently, I'd like to change the answers to my security questions so that they're less obvious to an attacker". So then when you call in, after you realized you've been hacked, you can't authenticate because you don't know the answers to the security questions anymore, Vanguard tells you "sorry you have to fill out this form and mail it in" which takes weeks to arrive and be processed, and by the time it's done, your account is already empty...

My point is they have NO access to any of my accounts by having my email address without additional information they don't have.
Don't forget Social Engineering, aka "dialing for dummies". There's maybe a 1% chance they can fool a telephone representative, most of whom are poorly paid and in a job with high turnover, into letting them into your account without the complete set of whatever security tokens they are supposed to provide. So fine, they will call 300 times. It's totally worth the time investment for them to do that. Sure the big banks' security teams know about this vulnerability, but Equifax knew about the possibility of a data breach too.

I'm personally not too terrified, but the need for vigilance is acute. It's ridiculous to think that any particular situation, including a credit freeze, is totally secure.

J G Bankerton
Posts: 41
Joined: Thu Sep 14, 2017 3:30 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by J G Bankerton » Fri Sep 15, 2017 11:15 am

Tallis wrote:
Thu Sep 14, 2017 4:21 pm
Last month the New York Times had an article on phone hijacking, focusing on people having the cryptocurrency hoards stolen.

https://www.nytimes.com/2017/08/21/busi ... ml?mcubz=0

I'm not sure what I should do, since I do use 2-factor logins, and my cheap mobile phone company, Tracfone, has terrible customer service.
Tracfone phone numbers show as the wholesale carrier. Calling AT&T or Verizon to port the number will not work and they will not give a detailed explanation.

midareff
Posts: 5563
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Account security - Hackers gain access to mobile and then break havoc

Post by midareff » Fri Sep 15, 2017 11:20 am

lotusflower wrote:
Fri Sep 15, 2017 11:04 am
midareff wrote:
Fri Sep 15, 2017 10:35 am
Xpe wrote:
Fri Sep 15, 2017 7:36 am
midareff wrote:
Fri Sep 15, 2017 6:37 am
Well OK, I get emails from banks, credit cards, Vanguard and Fidelity to name a few. If they hack my phone, which does not have LastPass on it, and has LastPass restricted to my home computer with a very long strong alphanumeric upper and lower case password, what do they do next? BTW, the phone is international call blocked. Do they run my minutes chatting with their mommy?
Once they have your phone, they can reset your email password and lock you out (most/many people have their phone set as a recovery option for their email).

Once they have your phone and your email, they can reset your bank passwords, your brokerage passwords, etc. Add in that they could now very well already have your name, address, DOB, SSN, employer info due to the Equifax breach...

and exactly how will they do that without my bank passwords? ... or any of the bank specific security question answers?

Now they have access to all your accounts, and you have no way of getting it back. Imagine they add new security features to your account. What if your secret questions were "What was your high school name?" and "What's your mother's maiden name?" and your answers were the actual answers to those questions, well, the hacker can find those out easily. So he calls in, verifies his (your) identity by answering the questions, and then he tells the operator "You know, I'm pretty worried about security recently, I'd like to change the answers to my security questions so that they're less obvious to an attacker". So then when you call in, after you realized you've been hacked, you can't authenticate because you don't know the answers to the security questions anymore, Vanguard tells you "sorry you have to fill out this form and mail it in" which takes weeks to arrive and be processed, and by the time it's done, your account is already empty...

My point is they have NO access to any of my accounts by having my email address without additional information they don't have.
Don't forget Social Engineering, aka "dialing for dummies". There's maybe a 1% chance they can fool a telephone representative, most of whom are poorly paid and in a job with high turnover, into letting them into your account without the complete set of whatever security tokens they are supposed to provide. So fine, they will call 300 times. It's totally worth the time investment for them to do that. Sure the big banks' security teams know about this vulnerability, but Equifax knew about the possibility of a data breach too.

I'm personally not too terrified, but the need for vigilance is acute. It's ridiculous to think that any particular situation, including a credit freeze, is totally secure.
I think you are fooling yourself. Frankly, where I bank and where I invest they lock accounts when you don't know this stuff the first time around. As I have posted before, all accounts that deal with $$ have very long strong passwords which are in LastPass. LastPass has no mobile access allowed and is restricted to only the USA and only my home computer. Computer is in a secure condo with hallway cameras, gated access, key control elevators, 24hr concierge and so forth. As far as a credit freeze.... it's fraud and I'm covered for fraud. It's their issue.

2015
Posts: 1540
Joined: Mon Feb 10, 2014 2:32 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by 2015 » Fri Sep 15, 2017 11:55 am

Question: In the case of Vanguard, if you have it set up with voice verification, how is it possible a hacker, assuming they have your phone, etc., can gain access to your account through social engineering?

Rupert
Posts: 3099
Joined: Fri Aug 17, 2012 12:01 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Rupert » Fri Sep 15, 2017 12:26 pm

Xpe wrote:
Fri Sep 15, 2017 7:36 am
midareff wrote:
Fri Sep 15, 2017 6:37 am
Well OK, I get emails from banks, credit cards, Vanguard and Fidelity to name a few. If they hack my phone, which does not have LastPass on it, and has LastPass restricted to my home computer with a very long strong alphanumeric upper and lower case password, what do they do next? BTW, the phone is international call blocked. Do they run my minutes chatting with their mommy?
Once they have your phone, they can reset your email password and lock you out (most/many people have their phone set as a recovery option for their email).

Once they have your phone and your email, they can reset your bank passwords, your brokerage passwords, etc. Add in that they could now very well already have your name, address, DOB, SSN, employer info due to the Equifax breach...

Now they have access to all your accounts, and you have no way of getting it back. Imagine they add new security features to your account. What if your secret questions were "What was your high school name?" and "What's your mother's maiden name?" and your answers were the actual answers to those questions, well, the hacker can find those out easily. So he calls in, verifies his (your) identity by answering the questions, and then he tells the operator "You know, I'm pretty worried about security recently, I'd like to change the answers to my security questions so that they're less obvious to an attacker". So then when you call in, after you realized you've been hacked, you can't authenticate because you don't know the answers to the security questions anymore, Vanguard tells you "sorry you have to fill out this form and mail it in" which takes weeks to arrive and be processed, and by the time it's done, your account is already empty...
Set up a special email account solely for use with financial accounts. Never access that email account from your phone, and never give that email address out to any person or company other than your bank, credit card companies, etc. I actually only access my financial email account using an Internet browser that I never use for any other purpose. If someone stole my phone, they'd get a lot of pictures of my children (which are backed up elsewhere), they could read the New York Times for free, and they could play Scrabble. That's about it.

ray.james
Posts: 975
Joined: Tue Jul 19, 2011 4:08 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by ray.james » Fri Sep 15, 2017 12:35 pm

midareff wrote:
Fri Sep 15, 2017 11:20 am

I think you are fooling yourself. Frankly, where I bank and where I invest they lock accounts when you don't know this stuff the first time around. As I have posted before, all accounts that deal with $$ have very long strong passwords which are in LastPass. LastPass has no mobile access allowed and is restricted to only the USA and only my home computer. Computer is in a secure condo with hallway cameras, gated access, key control elevators, 24hr concierge and so forth. As far as a credit freeze.... it's fraud and I'm covered for fraud. It's their issue.
The whole point of this thread is not login password security. This hack is slightly different. They are using access to the phone to break 2-factor authentication and reset the password. Walk through how you reset a bank password with email or SMS. Now some/most banks use questions like best friend, school, mother's maiden name as the next step, which are being social engineered.

Also note that when you call bank/other accounts, they know your phone number and use that as partial authentication. These hackers have access to last 4 digits of SSN/DOB/Address from hack databases bought on darknet/social engineered for the last 2.

1) Migrate SIM to their phone as night begins. Use last 4 digits of SSN, billing address, DOB.
2) Reset Gmail/other password. Now they have the phone where the reset code is sent. If the end user uses email, then talk to Google customer care and use the above info. Since they are calling from the customer's true phone number and have basic info, this is easy.
3) Bingo, walk through email, figure out all financial accounts, balances if present. Now... reset each password and try to move money.
4) 7am, we see the phone, which is dead with no service, and have no idea until we log in on a computer!

edit: Read the attached thread. They have to beg bank manager to freeze as he thought actual customers are fake since they are not calling from their actual phone number. They have to take DL, physical SSN to prove.
When in doubt, http://www.bogleheads.org/forum/viewtopic.php?f=1&t=79939

ray.james
Posts: 975
Joined: Tue Jul 19, 2011 4:08 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by ray.james » Fri Sep 15, 2017 12:43 pm

lazydavid wrote:
Thu Sep 14, 2017 3:13 pm
For services that allow TOTP (Time-Based One-Time Passcode), ALWAYS choose that option instead of SMS or email. They will show you a QR code one time, you take a picture of it using an authenticator app on your phone--there are tons of these, from Google, MS, etc--and from then forward your phone generates the passcodes locally, which change every 30 seconds. The service never needs to deliver a code to you for your second factor, so the transmission medium cannot be hijacked. You can import an unlimited number of accounts into a single app. Here's Google Authenticator with three accounts:
This is interesting. How is access to the app authenticated? Does the QR code need changing every time, or is it just stored encrypted by the app, which generates a new code every time? (Similar to VPN Duo Security?)
When in doubt, http://www.bogleheads.org/forum/viewtopic.php?f=1&t=79939

Hyperborea
Posts: 624
Joined: Sat Apr 15, 2017 10:31 am
Location: In Limbo

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Hyperborea » Fri Sep 15, 2017 12:50 pm

ray.james wrote:
Fri Sep 15, 2017 12:43 pm
lazydavid wrote:
Thu Sep 14, 2017 3:13 pm
For services that allow TOTP (Time-Based One-Time Passcode), ALWAYS choose that option instead of SMS or email. They will show you a QR code one time, you take a picture of it using an authenticator app on your phone--there are tons of these, from Google, MS, etc--and from then forward your phone generates the passcodes locally, which change every 30 seconds. The service never needs to deliver a code to you for your second factor, so the transmission medium cannot be hijacked. You can import an unlimited number of accounts into a single app. Here's Google Authenticator with three accounts:
This is interesting. How is access to the app authenticated? Does the QR code need changing every time, or is it just stored encrypted by the app, which generates a new code every time? (Similar to VPN Duo Security?)
Access is authenticated by you being able to unlock and run it on your phone. Yes, the app stores a seed that it got from the QR and then based on time generates a unique code that you enter into the site. The site does the same thing and you should both have the same code or you don't get in. Somebody steals your phone but they don't have the password. Somebody steals your password but they don't have the phone. Very unlikely to have both.

It is based on open algorithms detailed in RFCs. There are quite a number of other implementations and you could use one of those instead. https://en.wikipedia.org/wiki/Google_Authenticator
"Plans are worthless, but planning is everything." - Dwight D. Eisenhower

lazydavid
Posts: 1578
Joined: Wed Apr 06, 2016 1:37 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by lazydavid » Fri Sep 15, 2017 1:13 pm

ray.james wrote:
Fri Sep 15, 2017 12:43 pm
This is interesting. How is access to the app authenticated? Does the QR code need changing every time, or is it just stored encrypted by the app, which generates a new code every time? (Similar to VPN Duo Security?)
Access to the app is not authenticated--that's your responsibility. You need to control physical access to your phone and maintain strong authentication to prevent casual access (i.e., picking it up in a bar). But the ability to authenticate to your account with a second factor is maintained exclusively on the device, and will work effectively forever, even if you put the device in airplane mode and never take it out. The QR code represents a "seed" number, which is put through a PRNG (Pseudo-random number generator), which is deterministic and will always result in one specific number at one specific time. The provider retains a copy of the seed, so by running that seed through the same algorithm, they will generate the same number at the same time as you do. If you provide the correct number for that specific time, you are authenticated.
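Hyperborea's and lazydavid's posts above describe the mechanism; here it is carried through in code, as an added example that is not from the thread or from any authenticator app. It follows RFC 4226/6238 (the "open algorithms detailed in RFCs"): the app keeps the seed from the otpauth URI in the enrollment QR code and derives each 30-second code with an HMAC (SHA-1 by default) over the time step, and the site derives the same code from its own copy, so no code is ever transmitted for the second factor. The otpauth URI, issuer and account label are constructed for the demo; the seed is the RFC 6238 reference test key.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, the scheme Google Authenticator and similar apps implement.

Added illustration, not code from the thread. The otpauth URI, issuer and account
label are constructed; the seed is the RFC 6238 reference test key.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed enrollment data: this is what the QR code shown at setup encodes.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890" (RFC test key)
DEMO_OTPAUTH_URI = (
    "otpauth://totp/ExampleBank:alice%40example.com"
    f"?secret={DEMO_SEED_B32}&issuer=ExampleBank&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth_uri(uri: str) -> dict:
    """Parse the otpauth:// URI from an enrollment QR code into the parameters the app stores."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def decode_secret(b32: str) -> bytes:
    """Base32 seed as shown in the QR / manual-entry key -> raw key bytes (padding is optional)."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation to `digits`."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: the counter is the number of `period`-second steps since the Unix epoch."""
    return hotp(key, unix_time // period, digits, algorithm)


def verify_totp(key: bytes, candidate: str, unix_time: int, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1", window: int = 1) -> bool:
    """Site side: recompute the code from its own copy of the seed and compare in constant time.
    `window` steps either side absorb clock drift; a production verifier should additionally
    remember the last accepted step so the same code cannot be replayed within the window."""
    step = unix_time // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits, algorithm), candidate):
            return True
    return False


def enroll(label: str, issuer: str) -> Tuple[str, bytes]:
    """What the site does at setup: mint a random 160-bit seed and put it in an otpauth URI.
    The site keeps the seed; the user scans the URI once. Nothing else is ever sent."""
    seed = secrets.token_bytes(20)
    b32 = base64.b32encode(seed).decode()
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(label)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return uri, seed


def demo(now: Optional[int] = None) -> dict:
    """Walk one login: the app and the site derive the same code independently, offline."""
    now = int(time.time()) if now is None else now
    cfg = parse_otpauth_uri(DEMO_OTPAUTH_URI)          # app parses the QR once at enrollment
    app_key = decode_secret(cfg["secret"])               # app stores the seed locally
    site_key = decode_secret(DEMO_SEED_B32)              # site kept its own copy at enrollment
    code_on_phone = totp(app_key, now, cfg["period"], cfg["digits"], cfg["algorithm"])
    accepted = verify_totp(site_key, code_on_phone, now)
    # A code captured earlier is useless once its step (plus the drift window) has passed.
    stale = verify_totp(site_key, totp(app_key, now - 120), now)
    return {"label": cfg["label"], "code": code_on_phone, "accepted": accepted, "stale_rejected": not stale}


if __name__ == "__main__":
    print(demo())
```

The RFC test vectors (counter 1 gives 287082, Unix time 1234567890 gives 005924) reproduce with this code, which is how to confirm an implementation matches the site's.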

Xpe
Posts: 134
Joined: Wed Sep 17, 2014 7:24 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Xpe » Fri Sep 15, 2017 1:46 pm

ray.james wrote:
Fri Sep 15, 2017 12:35 pm
The whole point of this thread is not login password security. This hack is slightly different. They are using access to the phone to break 2-factor authentication and reset the password. Walk through how you reset a bank password with email or SMS. Now some/most banks use questions like best friend, school, mother's maiden name as the next step, which are being social engineered.

Also note that when you call the bank/other accounts, they know your phone number and use that as partial authentication. These hackers have access to the last 4 digits of SSN/DOB/address from hacked databases bought on the darknet, or social engineered for the last 2.

1) Migrate the SIM to their phone as night begins, using last 4 digits of SSN, billing address, DOB.
2) Reset Gmail/other password. Now they have the phone where the reset code is sent. If the end user uses email, then talk to Google customer care and use the above info. Since they are calling from the customer's true phone number and have basic info, this is easy.
3) Bingo, walk through email, figure out all financial accounts, balances if present. Now... reset each password and try to move money.
4) 7am, we see the phone, which is dead with no service, and have no idea until we log in on a computer!
This. It has nothing to do with how complex your password is, or how securely you've protected that password. If a hacker gets control of your phone number, then depending on how your email is set up, they can get access to that as well. If they have access to your email + phone + Equifax data (name, address, DOB, employers, SSN, account numbers, etc.), then it's very likely they're going to be able to access most people's accounts.

You can prevent this by implementing additional security features, for example:
Setting false answers for your security questions: "What was your high school name? 238fjkl49sj"
Adding PIN codes where available (Verizon, for example, lets you set a PIN code and they won't even talk to you if you don't enter it)
Enhanced security codes (Vanguard, for example, lets you set an alphanumeric code that you have to provide if you're calling in)

It's not enough to just say 'oh, I have strong passwords and I keep them protected' anymore, not after the Equifax breach.

midareff
Posts: 5563
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Account security - Hackers gain access to mobile and then break havoc

Post by midareff » Fri Sep 15, 2017 2:16 pm

And exactly who bears the responsibility (legally) for the fraudulent breach? Let's assume they can't breach your security questions or codes with correct answers.

Xpe
Posts: 134
Joined: Wed Sep 17, 2014 7:24 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Xpe » Fri Sep 15, 2017 2:38 pm

midareff wrote:
Fri Sep 15, 2017 2:16 pm
And exactly who bears the responsibility (legally) for the fraudulent breach? Let's assume they can't breach your security questions or codes with correct answers.
That's the million dollar (literally for many of the people here) question. It's not one I ever want answered for me via first-person experience.

My guess is it will be a long battle involving lawyers and unlikely will result in you getting your money back, but I don't rightfully know. I do know if Vanguard gets hacked, they'll reimburse you. But if you become vulnerable because an unrelated service gets hacked, I don't think they'll be as generous.

All I'm saying is, in light of the Equifax breach and this phone hack, I'm on full alert. All my accounts have every security precaution enabled now, and I get alerts any time anything changes. I think anyone who has any significant savings would be insane not to.

midareff
Posts: 5563
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Account security - Hackers gain access to mobile and then break havoc

Post by midareff » Fri Sep 15, 2017 5:46 pm

Xpe wrote:
Fri Sep 15, 2017 2:38 pm
midareff wrote:
Fri Sep 15, 2017 2:16 pm
And exactly who bears the responsibility (legally) for the fraudulent breach? Let's assume they can't breach your security questions or codes with correct answers.
That's the million dollar (literally for many of the people here) question. It's not one I ever want answered for me via first-person experience.

My guess is it will be a long battle involving lawyers and unlikely will result in you getting your money back, but I don't rightfully know. I do know if Vanguard gets hacked, they'll reimburse you. But if you become vulnerable because an unrelated service gets hacked, I don't think they'll be as generous.

All I'm saying is, in light of the Equifax breach and this phone hack, I'm on full alert. All my accounts have every security precaution enabled now, and I get alerts any time anything changes. I think anyone who has any significant savings would be insane not to.
IMHO.. Vanguard, Fidelity, any insured bank or equivalent credit union, or credit card company, will be the ultimate victim of the fraud.

btenny
Posts: 4436
Joined: Sun Oct 07, 2007 6:47 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by btenny » Fri Sep 15, 2017 7:13 pm

Please explain to me how this stealing of my phone number and my email account leads to ID theft of my bank accounts or investment accounts? Just because they can receive my calls and my email does not give them the account user IDs or account passwords at my bank or brokerage. So they can call the clerks at my bank and my brokerage. I guess they find those in my email list. How do they social engineer the release of the account user IDs? So what if they have my SSN # and maybe my mother's maiden name; how does that get them the account IDs? They do not know my other account security questions unless that stuff is posted on the Facebook pages. So again, how do they get the clerk to reset the bank or brokerage passwords? So how are they going to steal anything?

Please advise.
Last edited by btenny on Fri Sep 15, 2017 7:41 pm, edited 1 time in total.

Ndop
Posts: 34
Joined: Sun Jun 11, 2017 9:13 am

Phone services most/least likely to get hijacked

Post by Ndop » Fri Sep 15, 2017 7:26 pm

[Thread merged into here, see below (next page). --admin LadyGeek]

In light of the Equifax breach that possibly exposed all American adults' sensitive info, I'm trying to increase security for my accounts. Some websites have a two factor authentication (2FA) option, but phone hijacking can defeat 2FA that involves a telephone call or text message. I know there are more secure forms of 2FA, but not all websites offer those. So for some websites, I have to use a phone number for 2FA. I'm curious, how would you rank or compare the security of different phone services?

Personal smartphone
Corporate smartphone
Landline
VoIP line
Basic flip phone
Google Voice number
Another option I didn't think of

Nate79
Posts: 2574
Joined: Thu Aug 11, 2016 6:24 pm
Location: Portland, OR

Re: Phone services most/least likely to get hijacked

Post by Nate79 » Fri Sep 15, 2017 7:36 pm

poordad wrote:
Fri Sep 15, 2017 7:26 pm
In light of the Equifax breach that possibly exposed all American adults' sensitive info, I'm trying to increase security for my accounts. Some websites have a two factor authentication (2FA) option, but phone hijacking can defeat 2FA that involves a telephone call or text message. I know there are more secure forms of 2FA, but not all websites offer those. So for some websites, I have to use a phone number for 2FA. I'm curious, how would you rank or compare the security of different phone services?

Personal smartphone
Corporate smartphone
Landline
Voip line
Basic flip phone
Google voice number
Another option I didn't think of
From my understanding the highjacking is by breaking into the account at the cell phone CARRIER and stealing the cell phone number. The type of cell phone isn't important to this.

ray.james
Posts: 975
Joined: Tue Jul 19, 2011 4:08 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by ray.james » Fri Sep 15, 2017 7:36 pm

btenny wrote:
Fri Sep 15, 2017 7:13 pm
They do not know my other account security questions unless that stuff is posted on the Facebook pages.

Please advise.
If that were the case, you are much more secure. Do note, they have access to emails and changed your email reset questions too, in addition to mobile access. From emails they can check what cars/previous address/high schools and social engineer some more data. In the linked hack, the way they drained money was using the PayPal/Venmo account. The PayPal password was reset and used to buy a lot of iTunes/other gift cards, and the CC was drained. A second thread on Reddit showed a lot of gift cards on eBay shipped.
Also, do note, a lot of people might not even have the security questions enabled, which came into existence in the last 10 years. 2-factor authentication is more like a last-5-years thing.

Specific to banks, most will ask for debit card number/some full account number along with SSN to continue. So it is not very easy to do this online.
When in doubt, http://www.bogleheads.org/forum/viewtopic.php?f=1&t=79939

btenny
Posts: 4436
Joined: Sun Oct 07, 2007 6:47 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by btenny » Fri Sep 15, 2017 7:48 pm

Yes, I see they might charge stuff to Amazon and eBay and maybe some other web site stuff that they find from my email history. But even those require social engineering and phone calls to reset the passwords. So it is not easy and the $$ risk is not that large IMO.

I see this Equifax data loss as easy pickings to do all kinds of IRS early filings and similar stuff. But I do not see it as total chaos in other areas.

Good Luck.

theplayer11
Posts: 363
Joined: Tue Jul 22, 2014 8:55 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by theplayer11 » Fri Sep 15, 2017 7:58 pm

This thread scared me enough to change receiving a code before login from a text to a home phone call.
Seems like a simple enough change in case a thief gained access to my cell phone and someone had enough other info to do damage.
I also locked mobile device access that I really didn't use or need.

J G Bankerton
Posts: 41
Joined: Thu Sep 14, 2017 3:30 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by J G Bankerton » Fri Sep 15, 2017 9:01 pm

theplayer11 wrote:
Fri Sep 15, 2017 7:58 pm
This thread scared me enough to change receiving a code before login from a text to a home phone call.
I use my home landline; if I'm out, I forward it to my prepaid cell. It works for a voice-delivered code.

forkhorn
Posts: 129
Joined: Fri Mar 14, 2014 9:00 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by forkhorn » Fri Sep 15, 2017 9:36 pm

Would creating a new email address that is not posted anywhere or used for anything but financial accounts work to thwart this threat? Of course it would be with a different service than the normal email address so it would not be linked in any way. That seems reasonably easy to do.

forkhorn
Posts: 129
Joined: Fri Mar 14, 2014 9:00 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by forkhorn » Fri Sep 15, 2017 9:40 pm

Rupert wrote:
Fri Sep 15, 2017 12:26 pm

Set up a special email account solely for use with financial accounts. Never access that email account from your phone, and never give that email address out to any person or company other than your bank, credit card companies, etc. I actually only access my financial email account using an Internet browser that I never use for any other purpose. If someone stole my phone, they'd get a lot of pictures of my children (which are backed up elsewhere), they could read the New York Times for free, and they could play Scrabble. That's about it.
I just saw Rupert's post saying what I just posted. Any other thoughts on this? It seems much easier than some of the other ideas tossed around here. Is there a flaw in the logic?

F150HD
Posts: 1485
Joined: Fri Sep 18, 2015 7:49 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by F150HD » Fri Sep 15, 2017 9:41 pm

theplayer11 wrote:
Fri Sep 15, 2017 7:58 pm
This thread scared me enough to change receiving a code before login from a text to a home phone call.
If a hacker ported your # to their phone and one of your account holders called your #, the hacker would just pretend to be 'you', as they would be answering your phone.

theplayer11
Posts: 363
Joined: Tue Jul 22, 2014 8:55 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by theplayer11 » Fri Sep 15, 2017 9:46 pm

F150HD wrote:
Fri Sep 15, 2017 9:41 pm
theplayer11 wrote:
Fri Sep 15, 2017 7:58 pm
This thread scared me enough to change receiving a code before login from a text to a home phone call.
If a hacker ported your # to their phone and one of your account holders called your #, the hacker would just pretend to be 'you', as they would be answering your phone.
The code now comes to the landline phone.

F150HD
Posts: 1485
Joined: Fri Sep 18, 2015 7:49 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by F150HD » Fri Sep 15, 2017 9:58 pm

theplayer11 wrote:
Fri Sep 15, 2017 9:46 pm
F150HD wrote:
Fri Sep 15, 2017 9:41 pm
theplayer11 wrote:
Fri Sep 15, 2017 7:58 pm
This thread scared me enough to change receiving a code before login from a text to a home phone call.
If a hacker ported your # to their phone and one of your account holders called your #, the hacker would just pretend to be 'you', as they would be answering your phone.
The code now comes to the landline phone.
Assuming one doesn't have fiber, a home's Network Interface Device is on the outside of the home, accessible to nearly anyone with a Phillips screwdriver.

theplayer11
Posts: 363
Joined: Tue Jul 22, 2014 8:55 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by theplayer11 » Fri Sep 15, 2017 10:04 pm

F150HD wrote:
Fri Sep 15, 2017 9:58 pm
theplayer11 wrote:
Fri Sep 15, 2017 9:46 pm
F150HD wrote:
Fri Sep 15, 2017 9:41 pm
theplayer11 wrote:
Fri Sep 15, 2017 7:58 pm
This thread scared me enough to change receiving a code before login from a text to a home phone call.
If a hacker ported your # to their phone and one of your account holders called your #, the hacker would just pretend to be 'you', as they would be answering your phone.
The code now comes to the landline phone.
Assuming one doesn't have fiber, a home's Network Interface Device is on the outside of the home, accessible to nearly anyone with a Phillips screwdriver.
Let anyone try to step foot on my property...

azurekep
Posts: 1179
Joined: Tue Jun 16, 2015 7:16 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by azurekep » Fri Sep 15, 2017 10:39 pm

This is how hackers hack you using simple social engineering:
https://www.youtube.com/watch?v=lc7scxvKQOo

The above video came from a link in the OP. The female phisher was pretending not to remember her email address, and the cell phone CSR gave it to her. I wonder if the rep would have had second thoughts if the email addy the woman was claiming to forget was something like this:

ilikeporn@yahoo.com
or
mycellphonecarriersucks@outlook.com
I'd like to think the rep would pause for a moment and reconsider whether this was the actual customer. :)

Could make a case for using those type of email addresses.

jalbert
Posts: 3089
Joined: Fri Apr 10, 2015 12:29 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by jalbert » Fri Sep 15, 2017 11:25 pm

Segregating email into separate mailboxes so password resets generate email that doesn't go to your phone is one strategy that is helpful. The financial account email needs to go to a secure platform, and you need to check it regularly so you know if there is malicious activity trying to reset the password etc. Also the financial institutions will use it for announcements.
Risk is not a guarantor of return.

Jcraz13
Posts: 169
Joined: Thu Feb 05, 2015 10:17 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Jcraz13 » Fri Sep 15, 2017 11:33 pm

Maybe I am naive, but wouldn't having the two-factor security at Vanguard set to a phone call, not a mobile text, to a landline or office landline solve most issues if your mobile number was stolen? Then the criminal could not do anything, since the call had to be to a secure landline inside the home or office?

lotusflower
Posts: 145
Joined: Thu Oct 24, 2013 12:32 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by lotusflower » Sat Sep 16, 2017 2:11 am

btenny wrote:
Fri Sep 15, 2017 7:13 pm
Please explain to me how this stealing of my phone number and my email account leads to ID theft of my bank accounts or investment accounts? Just because they can receive my calls and my email does not give them the account user IDs or account passwords at my bank or brokerage. So they can call the clerks at my bank and my brokerage. I guess they find those in my email list. How do they social engineer the release of the account user IDs? So what if they have my SSN # and maybe my mother's maiden name; how does that get them the account IDs? They do not know my other account security questions unless that stuff is posted on the Facebook pages. So again, how do they get the clerk to reset the bank or brokerage passwords? So how are they going to steal anything?

Please advise.
"Hello, Bank of the Bourgeoisie? My name is Btenny, and DW and I are on vacation in HCOL City, and all of our luggage, including my laptop and my cell phone, was stolen from our rental car. I kept all my account numbers in a spreadsheet file on the laptop, and I'm embarrassed to say that I didn't back it up properly. I did get a new cell phone and I borrowed a laptop, but now we're out of cash. Can you help me get access to my accounts so that our holiday isn't completely ruined? ... Oh, thanks so much, you've been so incredibly helpful."

Well maybe it will work and maybe it won't. Might depend on your bank and a bunch of other things not under your control. I mean, lots of modern security practices are good, way better than the past. I don't think you have to lose a lot of sleep over this if your security is reasonably good. But nothing is hack-proof because there are always humans in the loop to exploit. I've never heard a security expert be as casual about the risks as some of the overconfident responses on this thread.

keystone
Posts: 494
Joined: Tue Aug 28, 2012 12:34 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by keystone » Sat Sep 16, 2017 7:34 am

Someone please correct me if I am wrong, but the hacker would not only need to port your number, but they would also need to know what email address is associated with the mobile number? In other words, just porting the number would not be enough to gain control of someone's email? I'm not saying they would not be able to obtain both, but just trying to think this through.

TheTimeLord
Posts: 5088
Joined: Fri Jul 26, 2013 2:05 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by TheTimeLord » Sat Sep 16, 2017 7:45 am

jalbert wrote:
Fri Sep 15, 2017 11:25 pm
Segregating email into separate mailboxes so password resets generate email that doesn't go to your phone is one strategy that is helpful. The financial account email needs to go to a secure platform, and you need to check it regularly so you know if there is malicious activity trying to reset the password etc. Also the financial institutions will use it for announcements.
Help me here on this concern: we are discussing hijacking phone numbers, not stealing physical devices. SMS is tied to phone numbers, but how is email? Email is tied to a provider whose app you may have loaded on your physical phone, but I am not getting the connection between a hijacked phone number and the email that you access through your phone (as well as your laptop, desktop or tablet).

That said I do think it is a good practice to segregate your finances to a separate email address and provider from your personal email.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

lazydavid
Posts: 1578
Joined: Wed Apr 06, 2016 1:37 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by lazydavid » Sat Sep 16, 2017 7:55 am

btenny wrote:
Fri Sep 15, 2017 7:13 pm
How do they social engineer the release of the account user IDs? So what if they have my SSN # and maybe my mother's maiden name; how does that get them the account IDs?
They don't have to social engineer, just click the "forgot your username?" link. Each bank varies, but mine asks for name, DOB, SS#, and then provides the username. A username is NOT confidential information, and should not be considered as such.

Xpe
Posts: 134
Joined: Wed Sep 17, 2014 7:24 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Xpe » Sat Sep 16, 2017 8:52 am

TheTimeLord wrote:
Sat Sep 16, 2017 7:45 am
jalbert wrote:
Fri Sep 15, 2017 11:25 pm
Segregating email into separate mailboxes so password resets generate email that doesn't go to your phone is one strategy that is helpful. The financial account email needs to go to a secure platform, and you need to check it regularly so you know if there is malicious activity trying to reset the password etc. Also the financial institutions will use it for announcements.
Help me here on this concern: we are discussing hijacking phone numbers, not stealing physical devices. SMS is tied to phone numbers, but how is email? Email is tied to a provider whose app you may have loaded on your physical phone, but I am not getting the connection between a hijacked phone number and the email that you access through your phone (as well as your laptop, desktop or tablet).

That said I do think it is a good practice to segregate your finances to a separate email address and provider from your personal email.
They can probably get your email address from your cell phone carrier. After their call with the carrier where they get them to reset the SIM, they can say something innocuous like "hey, can you please email me a confirmation once this has been completed? Great, thanks, and just to make sure you're sending it to the right email address, which one do you have on file?" Or they can search for your name and might get lucky; maybe you have a blog or some other account that they could derive your email address from.

I don't want my position to be overstated. I don't think everyone can have their accounts compromised in this manner. It requires a series of unfortunate events, for anyone. But this Equifax breach has given bad actors SO much ammunition, everyone is now 100x more susceptible, and we need to act like it.
