Man’s life savings stolen from hijacked cellphone number

Silence Dogood
Posts: 956
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Sun Apr 28, 2019 8:05 pm

SpaethCo wrote:
Sun Apr 28, 2019 4:38 pm
Silence Dogood wrote:
Sun Apr 28, 2019 10:09 am
Two-factor authentication, even using SMS, is still significantly more secure than not using two-factor authentication at all.
I’m sad to say, this isn’t necessarily true.

2FA is the second authentication factor, so the important question is: how did the attacker get the password? The rise of 2FA (Google authenticator / SMS style) was based on the premise that people were picking simple passwords and re-using them everywhere, and that’s how passwords were primarily being compromised. More recent research has shown that the primary method of password theft is actually phishing, and unfortunately Google Auth / SMS / Authy 2FA is fully phish-able.

The best security protection these days is using a URL matching password manager (any password manager that does autofill), and using U2F tokens where they are accepted. Other forms of 2FA are just passwords, and those passwords can be stolen in real-time with minimal effort.

Simply stated: If you are typing in passwords to online sites using your keyboard or copy/paste, you are highly vulnerable.
I agree that using a password manager is best practice.

But I stand by my statement that using two-factor authentication, even SMS, is still significantly more secure than not using two-factor authentication at all.

Another important practice: never click on any link to log in to any account.
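The distinction SpaethCo draws above (a one-time code is "just a password" that a phishing page can relay in real time, while a U2F assertion is bound to the site the browser actually talked to) can be seen in a small simulation. This is an added example, not code from the thread or from any vendor named in it; the origins are constructed, and an HMAC derived per origin stands in for the per-site key pair and ECDSA signature a real token uses.

```python
"""Constructed simulation: why a relayed one-time code is accepted by the real site
but a relayed U2F-style assertion is not.  HMAC stands in for the token's per-site
signing key; the bank and phishing origins are made up for the example."""
import hashlib
import hmac
import secrets
import struct

BANK_ORIGIN = "https://bank.example"        # constructed relying party
PHISH_ORIGIN = "https://bank-example.com"   # constructed look-alike domain


# ---- Factor type 1: a six-digit one-time code (HOTP construction, RFC 4226) ----
def hotp(secret: bytes, counter: int) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 1_000_000:06d}"


class OtpSite:
    """Server side of an SMS / authenticator-app login: the code is only a string,
    so it is valid wherever it is typed and whoever forwards it."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(20)
        self.counter = 0

    def send_code(self) -> str:
        # Stands in for the SMS the victim receives (or the code the app shows).
        self.counter += 1
        return hotp(self.secret, self.counter)

    def verify(self, code: str) -> bool:
        return hmac.compare_digest(code, hotp(self.secret, self.counter))


# ---- Factor type 2: a U2F-style token; the *browser* supplies the page origin ----
class Token:
    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)

    def key_for(self, origin: str) -> bytes:
        # Real tokens hold a distinct key pair per site; a derived key models that.
        return hmac.new(self.master, origin.encode(), hashlib.sha256).digest()

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # The origin is reported by the browser, not chosen by the page, so a
        # phishing site cannot make the token sign on behalf of the bank's origin.
        return hmac.new(self.key_for(origin),
                        origin.encode() + b"\x00" + challenge,
                        hashlib.sha256).digest()


class U2fSite:
    def __init__(self, token: Token) -> None:
        self.registered_key = token.key_for(BANK_ORIGIN)  # stored at registration
        self.challenge = b""

    def new_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(32)
        return self.challenge

    def verify(self, assertion: bytes) -> bool:
        expected = hmac.new(self.registered_key,
                            BANK_ORIGIN.encode() + b"\x00" + self.challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(assertion, expected)


def otp_relay_accepted() -> bool:
    """Victim types the SMS code into the look-alike page, which forwards it to the
    bank within the code's validity window.  Returns True if the bank accepts it."""
    bank = OtpSite()
    code_seen_by_victim = bank.send_code()
    code_forwarded_by_phisher = code_seen_by_victim   # relayed in real time
    return bank.verify(code_forwarded_by_phisher)


def u2f_relay_accepted() -> bool:
    """Look-alike page forwards the bank's challenge; the victim touches the token
    while on PHISH_ORIGIN.  Returns True if the bank accepts the relayed assertion."""
    token = Token()
    bank = U2fSite(token)
    challenge = bank.new_challenge()
    assertion = token.sign(PHISH_ORIGIN, challenge)   # browser reports the real page origin
    return bank.verify(assertion)


def u2f_genuine_login() -> bool:
    token = Token()
    bank = U2fSite(token)
    return bank.verify(token.sign(BANK_ORIGIN, bank.new_challenge()))


if __name__ == "__main__":
    print("relayed OTP accepted by bank:", otp_relay_accepted())   # True
    print("relayed U2F assertion accepted:", u2f_relay_accepted())  # False
    print("genuine U2F login accepted:", u2f_genuine_login())       # True
```

The same origin check is what a URL-matching password manager performs for the first factor: it refuses to fill credentials on a domain that does not match the saved entry.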

telemark
Posts: 2460
Joined: Sat Aug 11, 2012 6:35 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by telemark » Sun Apr 28, 2019 8:19 pm

SpaethCo wrote:
Sun Apr 28, 2019 4:38 pm
Silence Dogood wrote:
Sun Apr 28, 2019 10:09 am
Two-factor authentication, even using SMS, is still significantly more secure than not using two-factor authentication at all.
I'm sad to say, this isn't necessarily true.

2FA is the second authentication factor, so the important question is: how did the attacker get the password? ...
The article mentions password resets repeatedly (without saying if one was used in this incident). Two-factor authentication is supposed to be something you have and something you know, but when it's used for password resets it turns into only something you have, that can be taken without your knowledge.

pokebowl
Posts: 281
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: Man’s life savings stolen from hijacked cellphone number

Post by pokebowl » Sun Apr 28, 2019 8:58 pm

Dottie57 wrote:
Sun Apr 28, 2019 9:16 am


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
Well, that's great news for those targeting you; it is much easier to steal money this way when no phone is established for 2FA versus someone who has a phone already in use which needs to be spoofed. :beer

On a less sarcastic note, a means to help mitigate this threat via Vanguard is:

1. Go to your account maintenance - select "Computer access restrictions" and select "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts."

This will lock your ability to use Vanguard web services to only your current computing device. Should you change browsers, change your operating system, or wipe your session cookies, you will have to contact CSR to regain access.

2. Enable the Vanguard "Your voice is your password service". Vanguard will make you repeat a slightly silly phrase when you contact said CSR to regain access and confirm your identity.

Does not matter if someone spoofs your phone in this case for 2FA, as they will not be able to authenticate via web or a CSR.
Nullius in verba.

StevieG72
Posts: 933
Joined: Wed Feb 05, 2014 9:00 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by StevieG72 » Sun Apr 28, 2019 10:31 pm

crake wrote:
Sun Apr 28, 2019 2:53 pm
ram wrote:
Sun Apr 28, 2019 2:47 pm
I am getting a yubikey for my Vanguard account. I never use a cell phone for logging on to financial accounts and typically use only 2 computers one at home and one at work.
Which YubiKey is recommended?
Is this one OK?
https://www.amazon.com/Yubico-Security- ... way&sr=8-6
Unfortunately, a YubiKey provides little additional security on Vanguard because text-based 2FA cannot be disabled. If multiple factors are enabled for the second factor, you are only as safe as the weakest link.

Vanguard should fix this.
+1

Wish Vanguard would fix this!
Fools think their own way is right, but the wise listen to others.

lazydavid
Posts: 2352
Joined: Wed Apr 06, 2016 1:37 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by lazydavid » Mon Apr 29, 2019 7:57 am

Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
staythecourse wrote:
Sun Apr 28, 2019 9:20 am
Agreed. It seems pretty obvious that this was the next step in cyberfraud when you start using your smartphone for financial stuff.
Again, smartphones have absolutely nothing to do with this type of fraud. It can be perpetrated against a victim who only has a flip phone.
Last edited by lazydavid on Mon Apr 29, 2019 8:03 am, edited 1 time in total.

lazydavid
Posts: 2352
Joined: Wed Apr 06, 2016 1:37 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by lazydavid » Mon Apr 29, 2019 8:02 am

blackholescion wrote:
Sun Apr 28, 2019 12:10 pm
If someone does a sim swap, they don’t have access to your email. In fact the only way they would is with access to your physical device. However, smartphones are encrypted so the only way for them to even get in is to bypass your password/pin and they only get 10 tries. See things like the San Bernardino iPhone case for why that kind of effort is complex and problematic.
So much misinformation in this thread it's mind-boggling. First, the sim swap being discussed here does NOT require physical access to your device. They just call your carrier and say that "you" got a new phone and need to move your number. Voila, their phone is now your phone.

But even in the event that physical access was required (ie the attack was actually swapping the physical SIM into a different phone), how exactly would a password lock prevent them from sticking a paperclip into the little hole and taking your SIM card out?

ResearchMed
Posts: 8942
Joined: Fri Dec 26, 2008 11:25 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by ResearchMed » Mon Apr 29, 2019 8:30 am

Silence Dogood wrote:
Sun Apr 28, 2019 8:05 pm
SpaethCo wrote:
Sun Apr 28, 2019 4:38 pm
Silence Dogood wrote:
Sun Apr 28, 2019 10:09 am
Two-factor authentication, even using SMS, is still significantly more secure than not using two-factor authentication at all.
I’m sad to say, this isn’t necessarily true.

2FA is the second authentication factor, so the important question is: how did the attacker get the password? The rise of 2FA (Google authenticator / SMS style) was based on the premise that people were picking simple passwords and re-using them everywhere, and that’s how passwords were primarily being compromised. More recent research has shown that the primary method of password theft is actually phishing, and unfortunately Google Auth / SMS / Authy 2FA is fully phish-able.

The best security protection these days is using a URL matching password manager (any password manager that does autofill), and using U2F tokens where they are accepted. Other forms of 2FA are just passwords, and those passwords can be stolen in real-time with minimal effort.

Simply stated: If you are typing in passwords to online sites using your keyboard or copy/paste, you are highly vulnerable.
I agree that using a password manager is best practice.

But I stand by my statement that using two-factor authentication, even SMS, is still significantly more secure than not using two-factor authentication at all.

Another important practice: never click on any link to log in to any account.
[emphasis added]

You mean like when Vanguard sends an email telling you to log in using the link in the email for <whatever purpose du jour>?

:annoyed

RM
This signature is a placebo. You are in the control group.

staythecourse
Posts: 6993
Joined: Mon Jan 03, 2011 9:40 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by staythecourse » Mon Apr 29, 2019 9:17 am

lazydavid wrote:
Mon Apr 29, 2019 7:57 am
Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
staythecourse wrote:
Sun Apr 28, 2019 9:20 am
Agreed. It seems pretty obvious that this was the next step in cyberfraud when you start using your smartphone for financial stuff.
Again, smartphones have absolutely nothing to do with this type of fraud. It can be perpetrated against a victim who only has a flip phone.
You do realize folks could be having a tangent conversation don't you? Guess not.

Cybercrime, I can bet, is MUCH more frequent in the area of worry I talked about than the article (which is more sensational journalism). Since EVERYTHING is being driven to apps there is going to be an ever increasing issue of hacking financial accounts. That was what my comment was pertaining to above.

Good luck.
"The stock market [fluctuation], therefore, is noise. A giant distraction from the business of investing.” | -Jack Bogle

chambers136
Posts: 228
Joined: Tue Feb 28, 2017 9:49 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by chambers136 » Mon Apr 29, 2019 9:34 am

It looks like the Bluetooth vulnerability has been fixed through updates for many phones:
https://www.forbes.com/sites/thomasbrew ... 51e0de7d73

CyberBob
Posts: 3248
Joined: Tue Feb 20, 2007 2:53 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by CyberBob » Mon Apr 29, 2019 9:54 am

lazydavid wrote:
Mon Apr 29, 2019 8:02 am
But even in the event that physical access was required (ie the attack was actually swapping the physical SIM into a different phone), how exactly would a password lock prevent them from sticking a paperclip into the little hole and taking your SIM card out?
You can also PIN lock the physical SIM card itself, so moving it to a different device wouldn’t help.

On iPhones, for example, it’s under Settings>Cellular>SIM PIN
Android is similar.

Gadget
Posts: 234
Joined: Fri Mar 17, 2017 1:38 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Gadget » Mon Apr 29, 2019 10:31 am

CyberBob wrote:
Mon Apr 29, 2019 9:54 am
lazydavid wrote:
Mon Apr 29, 2019 8:02 am
But even in the event that physical access was required (ie the attack was actually swapping the physical SIM into a different phone), how exactly would a password lock prevent them from sticking a paperclip into the little hole and taking your SIM card out?
You can also PIN lock the physical SIM card itself, so moving it to a different device wouldn’t help.

On iPhones, for example, it’s under Settings>Cellular>SIM PIN
Android is similar.
Does this protect you? I haven't seen this recommended before. I thought this only occurred when a carrier wanted to lock your SIM out from the possibility of swapping to another carrier. Does it also make it so someone can't clone your SIM?

Your phone is presumably locked and encrypted if it gets stolen. But I'm curious if locking the SIM would prevent the SIM cloning I hear about.

TravelGeek
Posts: 3035
Joined: Sat Oct 25, 2014 3:23 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by TravelGeek » Mon Apr 29, 2019 10:36 am

staythecourse wrote:
Mon Apr 29, 2019 9:17 am
Since EVERYTHING is being driven to apps there is going to be an ever increasing issue of hacking financial accounts. That was what my comment was pertaining to above.
Can you elaborate on this? What is the connection between increasing use of apps and an ever increasing issue of hacking financial accounts?

HawkeyePierce
Posts: 327
Joined: Tue Mar 05, 2019 10:29 pm
Location: New Zealand

Re: Man’s life savings stolen from hijacked cellphone number

Post by HawkeyePierce » Mon Apr 29, 2019 10:52 am

staythecourse wrote:
Mon Apr 29, 2019 9:17 am
lazydavid wrote:
Mon Apr 29, 2019 7:57 am
Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
staythecourse wrote:
Sun Apr 28, 2019 9:20 am
Agreed. It seems pretty obvious that this was the next step in cyberfraud when you start using your smartphone for financial stuff.
Again, smartphones have absolutely nothing to do with this type of fraud. It can be perpetrated against a victim who only has a flip phone.
You do realize folks could be having a tangent conversation don't you? Guess not.

Cybercrime, I can bet, is MUCH more frequent in the area of worry I talked about than the article (which is more sensational journalism). Since EVERYTHING is being driven to apps there is going to be an ever increasing issue of hacking financial accounts. That was what my comment was pertaining to above.

Good luck.
Why would apps be less secure than websites? I would argue the opposite.

- Less vulnerable to phishing attacks
- Less likely to have a keylogger installed (I would say you can be certain there are no keyloggers on an iPhone)

I can't speak to Android, but iOS is a remarkably secure platform. There is no additional risk in using financial apps on your iPhone compared to a financial institution's website.

'67Bosox
Posts: 39
Joined: Sat Apr 28, 2018 7:48 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by '67Bosox » Mon Apr 29, 2019 11:31 am

"1. Go to your account maintenance - select "Computer access restrictions" and select "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts."

This will lock your ability to use Vanguard web services to only your current computing device. Should you change browsers, change your operating system, or wipe your session cookies, you will have to contact CSR to regain access."
But when I go to this page at my Vanguard online account, it says that the OTHER choice is the "recommended one", the one that says I can be allowed "to access my account from Unrecognized or new computers, browsers or mobile devices".
Does anyone know why Vanguard recommends this other setting?
Thanks

Tetramolta
Posts: 10
Joined: Fri Dec 14, 2018 8:47 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Tetramolta » Mon Apr 29, 2019 11:54 am

midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
I think so. I trust my phone's security much more than my home computer. But I think the issue is more using a phone number as a security method, rather than the actual device being secure or not. If a company is verifying your identity using your phone number, which is vulnerable to being swapped to another phone, that's a serious concern. I can't say I've heard of this happening much.

Dottie57
Posts: 6379
Joined: Thu May 19, 2016 5:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Dottie57 » Mon Apr 29, 2019 12:06 pm

pokebowl wrote:
Sun Apr 28, 2019 8:58 pm
Dottie57 wrote:
Sun Apr 28, 2019 9:16 am


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
Well, that's great news for those targeting you; it is much easier to steal money this way when no phone is established for 2FA versus someone who has a phone already in use which needs to be spoofed. :beer

On a less sarcastic note, a means to help mitigate this threat via Vanguard is:

1. Go to your account maintenance - select "Computer access restrictions" and select "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts."

This will lock your ability to use Vanguard web services to only your current computing device. Should you change browsers, change your operating system, or wipe your session cookies, you will have to contact CSR to regain access.

2. Enable the Vanguard "Your voice is your password service". Vanguard will make you repeat a slightly silly phrase when you contact said CSR to regain access and confirm your identity.

Does not matter if someone spoofs your phone in this case for 2FA, as they will not be able to authenticate via web or a CSR.
Sarcasm isn't pretty.

If you read carefully, I did not say there is not any 2FA in use. A code is sent to my landline.

There are still options which don’t require SMS or cell phone. This is at brokerage and bank.

Call_Me_Op
Posts: 7308
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: Man’s life savings stolen from hijacked cellphone number

Post by Call_Me_Op » Mon Apr 29, 2019 12:11 pm

Cycle wrote:
Sun Apr 28, 2019 9:23 am
note to self, don't keep 90% of net worth in cash (or electronic equivalent)
Would this have mattered? Can't the crook convert securities to cash by selling?
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

staythecourse
Posts: 6993
Joined: Mon Jan 03, 2011 9:40 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by staythecourse » Mon Apr 29, 2019 12:35 pm

HawkeyePierce wrote:
Mon Apr 29, 2019 10:52 am
staythecourse wrote:
Mon Apr 29, 2019 9:17 am
lazydavid wrote:
Mon Apr 29, 2019 7:57 am
Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
staythecourse wrote:
Sun Apr 28, 2019 9:20 am
Agreed. It seems pretty obvious that this was the next step in cyberfraud when you start using your smartphone for financial stuff.
Again, smartphones have absolutely nothing to do with this type of fraud. It can be perpetrated against a victim who only has a flip phone.
You do realize folks could be having a tangent conversation don't you? Guess not.

Cybercrime, I can bet, is MUCH more frequent in the area of worry I talked about than the article (which is more sensational journalism). Since EVERYTHING is being driven to apps there is going to be an ever increasing issue of hacking financial accounts. That was what my comment was pertaining to above.

Good luck.
Why would apps be less secure than websites? I would argue the opposite.

- Less vulnerable to phishing attacks
- Less likely to have a keylogger installed (I would say you can be certain there are no keyloggers on an iPhone)

I can't speak to Android, but iOS is a remarkably secure platform. There is no additional risk in using financial apps on your iPhone compared to a financial institution's website.
Correction. I should have just said using the internet and not the word "apps" on a mobile device.

Good luck.
"The stock market [fluctuation], therefore, is noise. A giant distraction from the business of investing.” | -Jack Bogle

Random Musings
Posts: 5389
Joined: Thu Feb 22, 2007 4:24 pm
Location: Pennsylvania

Re: Man’s life savings stolen from hijacked cellphone number

Post by Random Musings » Mon Apr 29, 2019 1:36 pm

Crypto appears to be the modern day version of a bearer bond.

Finders (or stealers) keepers, losers weepers.

Plus bearer bonds have been used to evade taxes and for money laundering as well.

RM
I figure the odds be fifty-fifty I just might have something to say. FZ

iamblessed
Posts: 158
Joined: Sat Jun 09, 2018 11:52 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by iamblessed » Mon Apr 29, 2019 2:05 pm

Could you set up a brokerage that you would do everything by voice? I am guessing there would be a fee.

WingsFan4Life
Posts: 45
Joined: Fri Jul 18, 2014 6:54 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by WingsFan4Life » Mon Apr 29, 2019 3:09 pm

btenny wrote:
Sun Apr 28, 2019 6:42 pm
Here is how the Bluetooth attack works and how I saw it done.

I was standing outdoors in a line of people on the San Francisco pier behind AT&T stadium waiting for a ferry. Many of us were talking and many were using their phones, so they were logged on. The bad guy was strolling around near us. His iPad phone was scanning for Bluetooth connections so he could steal data. His software app would sync up with a phone and ask for data. If your phone was set up to auto sync he would then download the phone settings and SIM data and phone browser history and bookmarks and any passwords and all the phone data without touching me or my phone. He would then read that data set and look for your name and bank names and your banking and investing account numbers. Remember these are smart thieves. If you had that data on your phone he was only a few easy steps from stealing your money. All he needed was your home address and social security number. With your name and phone number it is very likely he can go to the dark web and buy your SS number. Then he calls your bank and has your account password reset via a phone call and text sent to his phone instead of your phone. Then he steals your money. See the attached script below.

https://drfone.wondershare.com/phone-cl ... tml#part_1

The only protection that I see is to not have sensitive data like financial account names or numbers on your phone. So beware looking up account balances via the web using your phone or using that email account to send or receive password resets and related data. Then remember to periodically delete data like above if you have to do some of these tasks. Maybe do this history delete when you back up your phone... Ya I know no one ever backs up their phone or not often. :oops: :oops:

Good Luck.
My understanding of Bluetooth is that you need to manually "pair" devices the first time, so I'm not sure how someone would be able to do what you're describing.

jkrm
Posts: 73
Joined: Wed Oct 08, 2008 8:20 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by jkrm » Mon Apr 29, 2019 3:34 pm

Triple digit golfer wrote:
Sun Apr 28, 2019 12:18 pm
To those with Vanguard accounts, what security measures do you take?
I use a strong, unique password generated by 1Password, a Yubikey, and have set up my landline number for the backup 2FA, which avoids the possibility of a SIM swap (I *knew* there was a reason we kept that old fashioned landline).

ncbill
Posts: 509
Joined: Sun Jul 06, 2008 4:03 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by ncbill » Mon Apr 29, 2019 3:42 pm

WingsFan4Life wrote:
Mon Apr 29, 2019 3:09 pm
btenny wrote:
Sun Apr 28, 2019 6:42 pm
Here is how the Bluetooth attack works and how I saw it done.

I was standing outdoors in a line of people on the San Francisco pier behind AT&T stadium waiting for a ferry. Many of us were talking and many were using their phones, so they were logged on. The bad guy was strolling around near us. His iPad phone was scanning for Bluetooth connections so he could steal data. His software app would sync up with a phone and ask for data. If your phone was set up to auto sync he would then download the phone settings and SIM data and phone browser history and bookmarks and any passwords and all the phone data without touching me or my phone. He would then read that data set and look for your name and bank names and your banking and investing account numbers. Remember these are smart thieves. If you had that data on your phone he was only a few easy steps from stealing your money. All he needed was your home address and social security number. With your name and phone number it is very likely he can go to the dark web and buy your SS number. Then he calls your bank and has your account password reset via a phone call and text sent to his phone instead of your phone. Then he steals your money. See the attached script below.

https://drfone.wondershare.com/phone-cl ... tml#part_1

The only protection that I see is to not have sensitive data like financial account names or numbers on your phone. So beware looking up account balances via the web using your phone or using that email account to send or receive password resets and related data. Then remember to periodically delete data like above if you have to do some of these tasks. Maybe do this history delete when you back up your phone... Ya I know no one ever backs up their phone or not often. :oops: :oops:

Good Luck.
My understanding of Bluetooth is that you need to manually "pair" devices the first time, so I'm not sure how someone would be able to do what you're describing.
That post also assumes accessing everything via an insecure browser (where all data is stored as plain text?) instead of via apps (the financial apps I use don't even offer to save passwords)

retiredjg
Posts: 36804
Joined: Thu Jan 10, 2008 12:56 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by retiredjg » Mon Apr 29, 2019 3:48 pm

Two people have mentioned using a landline for 2 factor authentication. How does that work? A robot voice leaves a voice mail?

EddyB
Posts: 811
Joined: Fri May 24, 2013 3:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by EddyB » Mon Apr 29, 2019 3:49 pm

retiredjg wrote:
Mon Apr 29, 2019 3:48 pm
Two people have mentioned using a landline for 2 factor authentication. How does that work? A robot voice leaves a voice mail?
With Vanguard, Ms. Robot doesn't say the code unless you first press a button.

Silence Dogood
Posts: 956
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Mon Apr 29, 2019 4:31 pm

ResearchMed wrote:
Mon Apr 29, 2019 8:30 am
Silence Dogood wrote:
Sun Apr 28, 2019 8:05 pm

Another important practice: never click on any link to log in to any account.
[emphasis added]

You mean like when Vanguard sends an email telling you to log in using the link in the email for <whatever purpose du jour>?

:annoyed

RM
Yes, I mean exactly like that! :annoyed

Vanguard (and other financial institutions) should end this practice immediately.

In fact, I think it would be a good idea for financial institutions to instead include a reminder in their email that they don't provide links in order to prevent phishing.

catalina355
Posts: 190
Joined: Sun Jun 10, 2018 6:46 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by catalina355 » Mon Apr 29, 2019 4:40 pm

Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
SIM swap has nothing to do with using a phone for financial transactions.

Silence Dogood
Posts: 956
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Mon Apr 29, 2019 4:42 pm

'67Bosox wrote:
Mon Apr 29, 2019 11:31 am
But when I go to this page at my Vanguard online account, it says that the OTHER choice is the "recommended one", the one that says I can be allowed "to access my account from Unrecognized or new computers, browsers or mobile devices".
Does anyone know why Vanguard recommends this other setting?
Thanks
The simple explanation is that Vanguard does not want people to restrict unrecognized devices without fully understanding what that entails.

Can you imagine the number of angry calls Vanguard would get if people select this option without much thought, and then a few months later try to access their account (from a different device) but can't? Call volume would skyrocket and there would be lots of complaints.

(For what it's worth, I think this is a great security feature and I highly recommend using it.)

btenny
Posts: 5088
Joined: Sun Oct 07, 2007 6:47 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by btenny » Mon Apr 29, 2019 5:28 pm

A special app on the iPad allows it to auto pair via Bluetooth. I have no idea how it works in any detail. I just know what I witnessed and read and was told by several security people. Plus I know that Bluetooth is how lots of phones are cloned and the number stolen when you travel in Europe. That cell number and SIM stealing scam is just being extended now to add stealing all your phone data...

http://fortune.com/2018/07/27/bluetooth ... kers-data/
https://www.theinquirer.net/inquirer/ne ... ims-device

Good Luck.

HawkeyePierce
Posts: 327
Joined: Tue Mar 05, 2019 10:29 pm
Location: New Zealand

Re: Man’s life savings stolen from hijacked cellphone number

Post by HawkeyePierce » Mon Apr 29, 2019 5:35 pm

btenny wrote:
Mon Apr 29, 2019 5:28 pm
A special app on the iPad allows it to auto pair via Bluetooth. I have no idea how it works in any detail. I just know what I witnessed and read and was told by several security people. Plus I know that Bluetooth is how lots of phones are cloned and the number stolen when you travel in Europe. That cell number and SIM stealing scam is just being extended now to add stealing all your phone data...

http://fortune.com/2018/07/27/bluetooth ... kers-data/
https://www.theinquirer.net/inquirer/ne ... ims-device

Good Luck.
There's no evidence these attacks have been used in the wild and Apple patched those vulnerabilities *years* ago.

ikowik
Posts: 129
Joined: Tue Dec 23, 2014 6:52 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by ikowik » Mon Apr 29, 2019 5:44 pm

I admit not reading through all posts on this thread, so what I say may have already been posted.

One of the ways a scammer is thought to get access to someone's cellphone number (and hence 2FA messages) is by calling the cellphone service provider and claiming they have bought a new phone and want to move the number to the new phone.
I have noticed that cellphone providers have rather primitive checks on the identity of the caller: "what are the last four of your Social Security number", etc. Many service providers will add a password code to the account that is required to allow any transaction, but seem to keep this hidden. So call your cellphone provider and add a passphrase to authenticate your identity when making any transactions over the phone.
Of course this does not cover plain stupidity or laxness of the customer service representative, but adds an extra layer of security hopefully.

tadamsmar
Posts: 8337
Joined: Mon May 07, 2007 12:33 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by tadamsmar » Mon Apr 29, 2019 6:11 pm

Boston Barry wrote:
Sun Apr 28, 2019 9:37 am
From a legal standpoint, wouldn’t the carrier be liable for the amount of stolen money if the carrier employee performed an unauthorized SIM swap which led to the theft?
Not clear. Michael Terpin is suing AT&T over a SIM swap. But the AT&T terms and conditions which all users agree to specified arbitration. I don't think the matter has been decided.

mrmass
Posts: 216
Joined: Thu Jul 26, 2018 6:35 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by mrmass » Mon Apr 29, 2019 6:16 pm

Having your phone on a business plan "might" mitigate some risk against a SIM swap.

I handle our corporate phone plan. We have 40ish phones on this plan, and if a person that's on our plan leaves the company, I have to aid in the facilitation of transferring that number to their new plan.

BogleFanGal
Posts: 324
Joined: Mon Mar 20, 2017 6:59 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by BogleFanGal » Mon Apr 29, 2019 6:21 pm

Silence Dogood wrote:
Mon Apr 29, 2019 4:42 pm
'67Bosox wrote:
Mon Apr 29, 2019 11:31 am
But when I go to this page at my vanguard online account, it says that the OTHER choice, is the "recommended one", the one that says I can be allowed "to access my account from Unrecognized or new computers, browsers or mobile devices".
Does anyone know, why does Vanguard recommend this other setting?
thanks
The simple explanation is that Vanguard does not want people to restrict unrecognized devices without fully understanding what that entails.

Can you imagine the number of angry calls Vanguard would get if people select this option without much thought, and then a few months later try to access their account (from a different device) but can't? Call volume would skyrocket and there would be lots of complaints.
Wouldn't you be locked out on the "recognized" device every time you cleared browsing data or did a disk cleanup? That would be a bit of a pain, to have to call in each time to the CSR...but I guess if the security was that much stronger, maybe worth it?

Broken Man 1999
Posts: 2745
Joined: Wed Apr 08, 2015 11:31 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by Broken Man 1999 » Mon Apr 29, 2019 6:25 pm

retiredjg wrote:
Mon Apr 29, 2019 3:48 pm
Two people have mentioned using a landline for 2 factor authentication. How does that work? A robot voice leaves a voice mail?
You receive a call automatically with a code to input. Works fine, I've tested it before. I only get one if I am on an unrecognized PC. I don't use a cell phone to sign on to my Vanguard accounts.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven than I shall not go.” -Mark Twain

Cycle
Posts: 1320
Joined: Sun May 28, 2017 7:57 pm
Location: Minneapolis

Re: Man’s life savings stolen from hijacked cellphone number

Post by Cycle » Mon Apr 29, 2019 7:07 pm

Call_Me_Op wrote:
Mon Apr 29, 2019 12:11 pm
Cycle wrote:
Sun Apr 28, 2019 9:23 am
note to self, don't keep 90% of net worth in cash (or electronic equivalent)
Would this have mattered? Can't the crook convert securities to cash by selling?
There's a settlement period. You'd receive emails from vanguard that stuff was changing with your account, like someone turned off email notifications or whatever. You'd be able to intervene.
Never look back unless you are planning to go that way

RudyS
Posts: 1528
Joined: Tue Oct 27, 2015 10:11 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by RudyS » Mon Apr 29, 2019 9:18 pm

midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
Agree! I'm not only old-fashioned, but actually old! That's been my practice for a long time.

Dottie57
Posts: 6379
Joined: Thu May 19, 2016 5:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Dottie57 » Mon Apr 29, 2019 9:26 pm

catalina355 wrote:
Mon Apr 29, 2019 4:40 pm
Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
SIM swap has nothing to do with using a phone for financial transactions.
Yet phone appears to have been used in gaining access to the account. A SIM is used for cell network access - yes?

I will do transactions in the privacy of my home on something that doesn’t leave my home. You can do whatever you want.

SpaethCo
Posts: 157
Joined: Thu Jan 14, 2016 12:58 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by SpaethCo » Tue Apr 30, 2019 2:16 am

Landline phone service is vulnerable to this same attack — it just takes longer. If someone has enough information to call a cell carrier and initiate a SIM swap (device swap), they almost certainly have enough information to submit a number port request to transfer your number to a VoIP carrier where the calls can be sent anywhere in the world. The only difference is that while device swaps can happen within a couple minutes, regular number portability takes a few days. (but is completely transparent to you until your phone line goes dead)

It’s been mentioned a few times in this thread, but it keeps getting lost in the noise about devices and secondary authentication factors. Here’s how this exploit starts out in the overwhelming majority of cases:

You go to the attacker’s website, and you give them your username and password directly.

The common advice is to never click links in emails, but of course there are emails where you *have* to click the link as part of regular functions (password resets, email validation, etc.). Between phishing emails and registering slightly misspelled versions of domain names (i.e., vamguard.com) - eventually they find people who aren’t paying close attention and enter their credentials in a completely normal looking page.

That’s why typing your password manually is a poor security choice. Computers are really good at matching patterns, and an auto-fill password manager will only put in your credentials if the site matches exactly. People, on the other hand, are easily fooled, and that’s why there is a never ending supply of articles like the one that started this topic.
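The exact-origin rule described above, as an added illustration that is not part of any post in this thread: a minimal autofill check that fills only on an exact (scheme, host, port) match, beside a crude model of the "looks right" glance a person gives the address bar. The vault entry, hostnames and credentials are constructed samples.

```python
from urllib.parse import urlsplit
from difflib import SequenceMatcher

# Constructed sample vault: each credential is keyed by the exact origin
# (scheme, host, port) it was saved for. Names and secrets are made up.
VAULT = {
    ("https", "investor.vanguard.com", 443): {"user": "alice", "password": "hunter2"},
}


def origin_of(url):
    """Normalise a URL to the (scheme, host, port) tuple an autofill check compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, host, port)


def autofill_credentials(url):
    """Password-manager rule: fill only when the page origin equals a saved origin.
    No prefix, substring or 'looks close' matching, so a lookalike host, an extra
    parent domain or a downgrade to plain http all get nothing."""
    return VAULT.get(origin_of(url))


def human_might_accept(url, expected_host="investor.vanguard.com", threshold=0.85):
    """Crude model of the glance a person gives the address bar: accept the page if
    the expected name appears anywhere in the host or the host is 'close enough'."""
    host = origin_of(url)[1]
    if expected_host in host:
        return True
    return SequenceMatcher(None, host, expected_host).ratio() >= threshold


if __name__ == "__main__":
    for url in (
        "https://investor.vanguard.com/login",          # genuine
        "https://investor.vamguard.com/login",          # one-letter lookalike from the post
        "https://investor.vanguard.com.evil.example/",  # real name embedded in attacker host
        "http://investor.vanguard.com/login",           # right host, downgraded scheme
    ):
        manager = "fills" if autofill_credentials(url) else "refuses"
        human = "accepts" if human_might_accept(url) else "rejects"
        print(f"{url:48} manager {manager:8} human {human}")
```

Only the first URL gets credentials from the manager, while the glance model accepts all four.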

lazydavid
Posts: 2352
Joined: Wed Apr 06, 2016 1:37 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by lazydavid » Tue Apr 30, 2019 5:49 am

Dottie57 wrote:
Mon Apr 29, 2019 9:26 pm
Yet phone appears to have been used in gaining access to the account. A SIM is used for cell network access - yes?

I will do transactions in the privacy of my home on something that doesn’t leave my home. You can do whatever you want.
Do I take this to mean you don't have multifactor authentication enabled on your account? Then you are indeed not vulnerable to this attack. But that's not a good thing, because this attack is totally unnecessary to take over your account. It is only needed to get past a victim's MFA.

catalina355
Posts: 190
Joined: Sun Jun 10, 2018 6:46 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by catalina355 » Tue Apr 30, 2019 6:43 am

Dottie57 wrote:
Mon Apr 29, 2019 9:26 pm
catalina355 wrote:
Mon Apr 29, 2019 4:40 pm
Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
SIM swap has nothing to do with using a phone for financial transactions.
Yet phone appears to have been used in gaining access to the account. A SIM is used for cell network access - yes?

I will do transactions in the privacy of my home on something that doesn’t leave my home. You can do whatever you want.
In doing so you are making it easier for the bad guys because you appear not to be using two-factor authentication. A SIM swap is only undertaken to defeat two-factor authentication.

Call_Me_Op
Posts: 7308
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: Man’s life savings stolen from hijacked cellphone number

Post by Call_Me_Op » Tue Apr 30, 2019 7:09 am

SpaethCo wrote:
Tue Apr 30, 2019 2:16 am
Landline phone service is vulnerable to this same attack — it just takes longer.
But there is no financial information stored on a landline phone. So it could only be used for 2FA. It would provide no other information.
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

lazydavid
Posts: 2352
Joined: Wed Apr 06, 2016 1:37 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by lazydavid » Tue Apr 30, 2019 7:16 am

Call_Me_Op wrote:
Tue Apr 30, 2019 7:09 am
But there is no financial information stored on a landline phone. So it could only be used for 2FA. It would provide no other information.
And that's all that it is in this attack. To be clear--the bad guys in this incident did NOT get control of any data on the phone. They just took over the phone number and received the text messages to pass the 2FA. The attack would have been just as effective against an old Nokia candybar phone, if any still worked.

Call_Me_Op
Posts: 7308
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: Man’s life savings stolen from hijacked cellphone number

Post by Call_Me_Op » Tue Apr 30, 2019 7:21 am

lazydavid wrote:
Tue Apr 30, 2019 7:16 am
Call_Me_Op wrote:
Tue Apr 30, 2019 7:09 am
But there is no financial information stored on a landline phone. So it could only be used for 2FA. It would provide no other information.
And that's all that it is in this attack. To be clear--the bad guys in this incident did NOT get control of any data on the phone. They just took over the phone number and received the text messages to pass the 2FA. The attack would have been just as effective against an old Nokia candybar phone, if any still worked.
It would seem to me that if a phone company employee fraudulently or erroneously allowed the number or SIM transfer, the phone company would be on the hook (pun intended).
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

catalina355
Posts: 190
Joined: Sun Jun 10, 2018 6:46 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by catalina355 » Tue Apr 30, 2019 7:36 am

Call_Me_Op wrote:
Tue Apr 30, 2019 7:21 am
lazydavid wrote:
Tue Apr 30, 2019 7:16 am
Call_Me_Op wrote:
Tue Apr 30, 2019 7:09 am
But there is no financial information stored on a landline phone. So it could only be used for 2FA. It would provide no other information.
And that's all that it is in this attack. To be clear--the bad guys in this incident did NOT get control of any data on the phone. They just took over the phone number and received the text messages to pass the 2FA. The attack would have been just as effective against an old Nokia candybar phone, if any still worked.
It would seem to me that if a phone company employee fraudulently or erroneously allowed the number or SIM transfer, the phone company would be on the hook (pun intended).
This is not the first SIM attack and the phone companies have not been held responsible.

tadamsmar
Posts: 8337
Joined: Mon May 07, 2007 12:33 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by tadamsmar » Tue Apr 30, 2019 7:57 am

Call_Me_Op wrote:
Tue Apr 30, 2019 7:21 am
lazydavid wrote:
Tue Apr 30, 2019 7:16 am
Call_Me_Op wrote:
Tue Apr 30, 2019 7:09 am
But there is no financial information stored on a landline phone. So it could only be used for 2FA. It would provide no other information.
And that's all that it is in this attack. To be clear--the bad guys in this incident did NOT get control of any data on the phone. They just took over the phone number and received the text messages to pass the 2FA. The attack would have been just as effective against an old Nokia candybar phone, if any still worked.
It would seem to me that if a phone company employee fraudulently or erroneously allowed the number or SIM transfer, the phone company would be on the hook (pun intended).
There is a guy suing AT&T over 20 million in losses. But apparently the terms and conditions of using the cell phone require an arbitration process so the suit may go nowhere.

I don’t think cells were sold to be a secure method for identity verification. But I suppose there might be a level of gross negligence that would make the phone company liable.

Some countries have a system where the banks can quickly check for a recent SIM swap. But the US seems to be behind on this.

SimonJester
Posts: 1912
Joined: Tue Aug 16, 2011 12:39 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by SimonJester » Tue Apr 30, 2019 8:15 am

Recently I went to a security conference, one speaker was talking about the numerous security vulnerabilities in the various telco carriers' networks. The telco carriers are taking upwards of 25+ years to patch well known security vulnerabilities. Using ANY phone number as your 2nd piece of your 2FA is not good, as you really do not HAVE your phone number. Some of the things he was saying were a real eye opener and would almost have you stop carrying a cell phone.

For some carriers you can add a porting PIN to your account so you cannot port your number without that PIN. It still relies on the customer service rep to follow the procedure and not port without that PIN.

At the end of the day I rely on my financial institution's fraud guarantees to make me whole again. Does everyone remember back to the posting here where a man's father had his retirement account drained... I believe he eventually was able to recover the funds...
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin

EddyB
Posts: 811
Joined: Fri May 24, 2013 3:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by EddyB » Tue Apr 30, 2019 8:31 am

SimonJester wrote:
Tue Apr 30, 2019 8:15 am
Recently I went to a security conference, one speaker was talking about the numerous security vulnerabilities in the various telco carriers' networks. The telco carriers are taking upwards of 25+ years to patch well known security vulnerabilities. Using ANY phone number as your 2nd piece of your 2FA is not good, as you really do not HAVE your phone number. Some of the things he was saying were a real eye opener and would almost have you stop carrying a cell phone.

For some carriers you can add a porting PIN to your account so you cannot port your number without that PIN. It still relies on the customer service rep to follow the procedure and not port without that PIN.

At the end of the day I rely on my financial institution's fraud guarantees to make me whole again. Does everyone remember back to the posting here where a man's father had his retirement account drained... I believe he eventually was able to recover the funds...
How does something like Google Voice fit into those concerns? I ask because it’s not what I would have thought of as a “telco carrier.”

lazydavid
Posts: 2352
Joined: Wed Apr 06, 2016 1:37 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by lazydavid » Tue Apr 30, 2019 8:37 am

EddyB wrote:
Tue Apr 30, 2019 8:31 am
How does something like Google Voice fit into those concerns? I ask because it’s not what I would have thought of as a “telco carrier.”
The way Google has GV set up, it's impossible to transfer a number out without already having complete control of your Google account. And for most people if that's the case, you're already in pretty bad shape--not to mention that there would then be no need to port your number, since they can just read your text messages on the web. Additionally, if the number was originally from GV (and not ported in from another carrier), you have to pay a $3 fee with a credit card that's in your name. So another hurdle for the bad guys.

SimonJester
Posts: 1912
Joined: Tue Aug 16, 2011 12:39 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by SimonJester » Tue Apr 30, 2019 8:49 am

lazydavid wrote:
Tue Apr 30, 2019 8:37 am
EddyB wrote:
Tue Apr 30, 2019 8:31 am
How does something like Google Voice fit into those concerns? I ask because it’s not what I would have thought of as a “telco carrier.”
The way Google has GV set up, it's impossible to transfer a number out without already having complete control of your Google account. And for most people if that's the case, you're already in pretty bad shape--not to mention that there would then be no need to port your number, since they can just read your text messages on the web. Additionally, if the number was originally from GV (and not ported in from another carrier), you have to pay a $3 fee with a credit card that's in your name. So another hurdle for the bad guys.
Mostly sort of correct. Here is the thing in these scams: the scammer is NOT going to your current carrier to port your number. They are going to a third rate scummy cell carrier who submits a porting request to your current provider along with your current information to allow the port. In GV's case they actually make you "unlock" your number inside GV to port.

However a scummy third rate carrier can also go to NPAC directly with the port request and bypass your old carrier. See the bolded part below:
If the scummy cell carrier bypasses the first three steps and immediately goes to steps 4, 5 & 7 your number is ported out from under you. The carriers have wised up to this attack in the past few years but essentially this is how the port fraud has been done.

1. The new service provider notifies the old service provider of the requested port.
2. The old service provider is asked to validate the subscriber's information.
3. The old service provider confirms the subscriber's information and notifies the new service provider.
4. The new service provider notifies the NPAC of the requested port.
5. The NPAC creates a pending port and sends a notification to the old service provider.
6. Optionally, the old service provider notifies the NPAC that it concurs with the port.
7. The new service provider notifies the NPAC to activate the port.
8. The pending port is activated in the NPAC and broadcast to the telecommunications industry network within milliseconds.
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
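The eight-step port flow quoted above, modelled as an added example that is not part of the post: the old carrier's validation is a port-out PIN (the control SimonJester mentioned earlier in the thread), and the NPAC activation rule either tolerates a skipped step 6, as the list marks it optional, or requires it. All numbers, PINs and class names are constructed; nothing here talks to a real carrier or the NPAC.

```python
import hmac
from dataclasses import dataclass, field

# Constructed model of the eight porting steps quoted above. The number, PINs
# and class names are made up; this is a simulation, not a carrier interface.

@dataclass
class PortRequest:
    number: str
    supplied_pin: str                        # what the requesting carrier claims to know
    steps_done: list = field(default_factory=list)
    activated: bool = False

class OldServiceProvider:
    """Steps 1-3: the losing carrier validates the subscriber via a port-out PIN."""
    def __init__(self, port_pins):
        self.port_pins = port_pins           # number -> PIN on the account
        self.validated = set()

    def validate(self, req):
        req.steps_done += [1, 2]
        expected = self.port_pins.get(req.number)
        ok = expected is not None and hmac.compare_digest(expected, req.supplied_pin)
        if ok:
            self.validated.add(req.number)
            req.steps_done.append(3)
        return ok

class NPAC:
    """Steps 4-8. With require_concurrence=False, step 6 is optional as in the
    post, so activation never asks whether the old carrier validated anything."""
    def __init__(self, old_sp, require_concurrence):
        self.old_sp = old_sp
        self.require_concurrence = require_concurrence
        self.pending = {}

    def create_pending(self, req):           # steps 4 and 5
        self.pending[req.number] = req
        req.steps_done += [4, 5]

    def activate(self, number):              # step 6 (if it happened), then 7 and 8
        req = self.pending.get(number)
        if req is None:
            return False
        if number in self.old_sp.validated:
            req.steps_done.append(6)
        elif self.require_concurrence:
            return False                     # hardened rule: no validation, no port
        req.steps_done += [7, 8]
        req.activated = True
        return True

def run_port(pin_on_file, pin_supplied, contact_old_sp, require_concurrence):
    """Simulate one port-out of a constructed number. contact_old_sp=False is the
    bypass the post describes: skip steps 1-3 and go straight to 4, 5 and 7."""
    old_sp = OldServiceProvider({"+1-555-0100": pin_on_file})
    npac = NPAC(old_sp, require_concurrence)
    req = PortRequest("+1-555-0100", pin_supplied)
    if contact_old_sp:
        old_sp.validate(req)
    npac.create_pending(req)
    npac.activate(req.number)
    return req.activated, req.steps_done
```

With concurrence optional, a request that skips the old carrier entirely still activates; with concurrence required, the same request stalls at step 5, and even a request that does contact the old carrier fails unless the PIN matches.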
