[Cellphone SIM card hijacking - Security concerns and mitigation techniques]

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
shelanman
Posts: 595
Joined: Tue Feb 27, 2007 8:35 pm

Re: You get hacked, lost a lot of money. What can you do?

Post by shelanman »

sd323232 wrote: Sun Nov 03, 2019 1:40 am I use Google Authenticator, it is much more secure than text verification
How did you set up Vanguard to use Google Authenticator?
donfairplay
Posts: 217
Joined: Mon Oct 06, 2008 8:16 pm

Re: You get hacked, lost a lot of money. What can you do?

Post by donfairplay »

Why is it the bank's responsibility to protect you from a simjack? It's not the bank's/brokerage's fault if you log in on a Windows XP system that hasn't had security updates for years; likewise it's not the bank's fault if your cell carrier coughs up your account to a fraudster.

If this is a gmail account, lock down your email with Google Advanced Protection. 2 yubikeys are the only way in, nobody else can get in (including you if you lose access to both yubikeys, it will take at least a week and good luck with google customer service, there really isn't any). Otherwise you can set up your own email server/website but I really hope you patch it regularly to protect against the latest and greatest zero-day.

You can't do anything about your Vanguard account even if you set up yubikeys, the fall back is SMS 2FA, because Vanguard doesn't really have branches or offices you can walk up to.
Momus
Posts: 1023
Joined: Tue Feb 21, 2012 9:23 pm

Re: You get hacked, lost a lot of money. What can you do?

Post by Momus »

donfairplay wrote: Sun Nov 03, 2019 2:22 am Why is it the bank's responsibility to protect you from a simjack? It's not the bank's/brokerage's fault if you log in on a Windows XP system that hasn't had security updates for years; likewise it's not the bank's fault if your cell carrier coughs up your account to a fraudster.
Anyone can call your carrier with some great acting skill + last 4 of your social security # + your personal info, which is basically available for pennies on the darknet, and they can SIM swap your number. Do you really believe you can protect yourself 100% with the latest security updates only?

Social hacking IS a thing.
https://www.youtube.com/watch?v=lc7scxvKQOo

[Comment removed by moderator oldcomputerguy]
22twain
Posts: 2553
Joined: Thu May 10, 2012 5:42 pm

Re: You get hacked, lost a lot of money. What can you do?

Post by 22twain »

Momus wrote: Sun Nov 03, 2019 1:27 am How do you defend from a 2FA (cell phone) hack? Seems like this scam is pretty common since the Equifax social security hack.
What statistics have you seen about this, as opposed to individual anecdotal stories?
Help save endangered words! When you write "princiPLE", make sure you don't really mean "princiPAL"!
Momus
Posts: 1023
Joined: Tue Feb 21, 2012 9:23 pm

Re: You get hacked, lost a lot of money. What can you do?

Post by Momus »

22twain wrote: Sun Nov 03, 2019 2:32 am
Momus wrote: Sun Nov 03, 2019 1:27 am How do you defend from a 2FA (cell phone) hack? Seems like this scam is pretty common since the Equifax social security hack.
What statistics have you seen about this, as opposed to individual anecdotal stories?
I see enough to know that this can happen to me too since I use my real name for personal branding.
donfairplay
Posts: 217
Joined: Mon Oct 06, 2008 8:16 pm

Re: You get hacked, lost a lot of money. What can you do?

Post by donfairplay »

Momus wrote: Sun Nov 03, 2019 2:30 am
donfairplay wrote: Sun Nov 03, 2019 2:22 am Why is it the bank's responsibility to protect you from a simjack? It's not the bank's/brokerage's fault if you log in on a Windows XP system that hasn't had security updates for years; likewise it's not the bank's fault if your cell carrier coughs up your account to a fraudster.
Anyone can call your carrier with some great acting skill + last 4 of your social security # + your personal info, which is basically available for pennies on the darknet, and they can SIM swap your number. Do you really believe you can protect yourself 100% with the latest security updates only?

Social hacking IS a thing.
https://www.youtube.com/watch?v=lc7scxvKQOo

Such a naive thought.
I'm saying it isn't the bank's responsibility to protect you from something that is your personal responsibility, which is protecting passwords/computers/cell phone numbers/emails.

The bank's and brokerage's terms and conditions all say this. You'll just end up in arbitration or having to sue like the guy suing AT&T over a simjack that lost him millions in bitcoin.

I know about the common ways of simjacking. If your email is commonly known, or even if it's a Gmail account, consider setting up Google Advanced Protection. It's open to everyone.
Northern Flicker
Posts: 6497
Joined: Fri Apr 10, 2015 12:29 am

Re: You get hacked, lost a lot of money. What can you do?

Post by Northern Flicker »

I’m not an attorney, but this is my understanding.

Deposit accounts at banks and credit unions are protected against wire fraud conducted by electronic access by Federal Reserve Regulation E, which limits consumer liability to $50/incident. With non-banking institutions, I think the protection is based on the Uniform Commercial Code, which is weaker protection.

If a broker is legally on the hook for a cyberattack loss but goes out of business or becomes insolvent as a result of the attack and/or other issues, there probably would be some help from SIPC but I’m not familiar with how that might (or might not) play out.
All they need is your name, social security number to switch your sim card rendering your phone dead...
That appears no longer to be true with some carriers. For instance, with Sprint, to do a sim swap remotely, or if you are in, say a Verizon store trying to port your phone number to a new Verizon phone, Sprint will send a 2FA code to the old phone as part of authenticating the request to port the phone number or swap the service to a new SIM. Other major carriers may have similar procedures.

An institution that uses text codes for 2FA shares culpability with a cell phone company that allows a fraudulent SIM swap, by virtue of using a weak 2FA channel. Secure and robust authentication protocols have been known since the late 1970s, and refined over the years. We just often choose not to use them.
Risk is not a guarantor of return.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: You get hacked, lost a lot of money. What can you do?

Post by ARoseByAnyOtherName »

Momus wrote: Sun Nov 03, 2019 1:27 am How do you defend from a 2FA (cell phone) hack? Seems like this scam is pretty common since the Equifax social security hack.
The best defense: for all financial and otherwise highly sensitive accounts, use a completely separate Gmail email account and Google Voice phone number, both created using the same Google account. Then, enroll that Google account in the Advanced Protection program (which requires the use of hardware security keys to gain access to the account.)

That way if your primary cell phone number is SIM swapped or otherwise compromised, the attacker may attempt to gain access to these accounts but it will be difficult if not impossible for them to do so. Your sensitive accounts are not tied in any way to your primary number, and Google Voice numbers cannot be SIM swapped.

I’ve written more about this and other security best practices here:
viewtopic.php?f=11&t=288310&p=4702423#p4702423
gtd98765
Posts: 657
Joined: Sun Jan 08, 2017 4:15 am

Re: You get hacked, lost a lot of money. What can you do?

Post by gtd98765 »

The Vanguard fall back to SMS multi-factor authentication is a definite weakness. However, you can enable voice verification on your Vanguard account to make a social engineering attack harder. It only takes a few minutes on the phone.

https://investor.vanguard.com/account-c ... rification
arf30
Posts: 738
Joined: Sat Dec 28, 2013 11:55 am

Re: You get hacked, lost a lot of money. What can you do?

Post by arf30 »

- For websites where SMS 2FA can't be disabled (Vanguard, Chase, etc) use a Google Voice number

- For your Google account and other websites where you can remove SMS 2FA, disable SMS 2FA and use authenticator+backup codes or hardware tokens like Yubikey

- On your mobile phone, make sure SIM PIN is enabled. This will encrypt your SIM and prevent thieves from swapping your SIM card into another phone in the event your phone is stolen.

- Call your mobile provider and require a PIN code to make changes to your account (this won't stop compromised employees)

- Make sure your computers are encrypted and have passwords

- Make sure mobile devices including tablets have screen locks

- Use a password manager like Google Chrome, Apple, or LastPass and ensure that every site has a different, randomly generated password.
MikeG62
Posts: 3101
Joined: Tue Nov 15, 2016 3:20 pm
Location: New Jersey

Re: You get hacked, lost a lot of money. What can you do?

Post by MikeG62 »

Momus wrote: Sun Nov 03, 2019 1:27 am
...How do you defend from a 2FA (cell phone) hack? Seems like this scam is pretty common since the Equifax social security hack.
I do have a PIN with Verizon which must be given anytime I need to access to my account to make any changes. So a good first line of defense there.

If they somehow got around that, I guess what I'd do as soon as my phone stopped working (as soon as the porting over was complete) would be to immediately contact all financial institutions I deal with and lock-down my accounts to any transactions until such time as I could remedy the situation.

This is scary stuff no doubt.
Real Knowledge Comes Only From Experience
LadyGeek
Site Admin
Posts: 66350
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Man’s life savings stolen from hijacked cellphone number

Post by LadyGeek »

I merged Momus' thread into a similar discussion. The combined thread is in the Personal Consumer Issues forum (SIM card hijack).
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Broken Man 1999
Posts: 5027
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, inland on high ground!

Re: Man’s life savings stolen from hijacked cellphone number

Post by Broken Man 1999 »

Could one use a burner phone to receive SMS for 2FA?

Broken Man 1999

ETA: Upon further review of my Vanguard accounts, I don't receive SMS messages, but rather a call on my landline. I must have changed it a while back. :oops:
Last edited by Broken Man 1999 on Sun Nov 03, 2019 11:07 am, edited 1 time in total.
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go.” - Mark Twain
mhalley
Posts: 8420
Joined: Tue Nov 20, 2007 6:02 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by mhalley »

Sure, but it would be susceptible to the SIM swap also. I suppose a phone that wasn't associated with your name might be a little safer.
Broken Man 1999
Posts: 5027
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, inland on high ground!

Re: Man’s life savings stolen from hijacked cellphone number

Post by Broken Man 1999 »

My thought was to use the burner number for texts from financial institutions for 2FA, also receiving various institution activity alerts and absolutely nothing else. Ideally the phone number would only be resident in the financial institutions. And, the burner phone would live a life of complete anonymity, tucked away somewhere in my house. Eh, before long I'll be constructing my tinfoil hat. :shock:

The only financial thing either of us have done via a cell phone was depositing a check in the credit union a time or two. I even remove the CU app after each use from my cell phone.

I am reluctant to get further in bed with Google. I noticed they just bought Fitbit. What a treasure trove of data that buy might bring.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go.” - Mark Twain
Northern Flicker
Posts: 6497
Joined: Fri Apr 10, 2015 12:29 am

Re: You get hacked, lost a lot of money. What can you do?

Post by Northern Flicker »

arf30 wrote: Sun Nov 03, 2019 8:18 am - For websites where SMS 2FA can't be disabled (Vanguard, Chase, etc) use a Google Voice number

- For your Google account and other websites where you can remove SMS 2FA, disable SMS 2FA and use authenticator+backup codes or hardware tokens like Yubikey

- On your mobile phone, make sure SIM PIN is enabled. This will encrypt your SIM and prevent thieves from swapping your SIM card into another phone in the event your phone is stolen.

- Call your mobile provider and require a PIN code to make changes to your account (this won't stop compromised employees)

- Make sure your computers are encrypted and have passwords

- Make sure mobile devices including tablets have screen locks

- Use a password manager like Google Chrome, Apple, or LastPass and ensure that every site has a different, randomly generated password.
Some important points:

1. If you use 2FA with SMS or emailed codes, you should never type in your password for a financial account on the same device as you receive the 2FA. Avoiding that means that two devices need to be compromised by the same attacker at the same time for your account to be compromised. If you login to a financial account with your phone and receive 2FA on your phone, only your phone needs to be compromised.

2. On a related note, don’t type the password for a password safe or open a password safe in the same device you use to receive 2FA codes.

3. Encrypting a device is important for devices that can be lost or stolen. The encryption requires a strong key to be effective. A 4-6 digit PIN on an iPhone is not a strong key. The PIN is used to generate a key that encrypts the encryption key stored on the phone. For AES-256 encryption, for instance, keys should be 16-32 characters. That’s how long your phone PIN should be. You can use a fingerprint and only type in the long password occasionally. Likewise for Android, where you may need to explicitly encrypt the device.

Encrypting the device protects against someone removing persistent memory hardware and reading it with a different device. Removable SD cards are an easy target, but disk drives and/or memory soldered on the motherboard can also be removed. The concern would be, say, that someone finds a lost device or steals a device and sells it to professional cyberthieves on an auction site.

Hardware tokens like Yubikeys or RSA tokens are much better than text codes if the option is available, particularly when text codes are not a fallback.
Last edited by Northern Flicker on Sun Nov 03, 2019 6:56 pm, edited 1 time in total.
Risk is not a guarantor of return.
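Point 3 in the post above describes the phone PIN as a key that unlocks the real encryption key stored on the device. The following is an added example, not code from the post or from any phone vendor, showing that layering in Python: a PIN or passphrase is stretched with PBKDF2 into a key-encryption key (KEK), which wraps a random data-encryption key (DEK), and the entropy arithmetic behind the "16-32 characters" advice is computed alongside. The salt, iteration count and the HMAC-counter-mode wrap are assumptions chosen for a self-contained illustration, not a standard key-wrap algorithm. Real phones also entangle the passcode with a hardware-bound key and rate-limit guesses in the secure element, which this toy model deliberately omits.

```python
import hashlib
import hmac
import math
import os

# Constructed parameters for the example (assumed; a real device keeps a per-device salt).
SALT = b"example-device-salt"
ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Size of the guessing space in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def derive_kek(passphrase: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Stretch the user's PIN/passphrase into a 32-byte key-encryption key.

    Stretching makes each guess cost `iterations` hashes, but it cannot add
    entropy the PIN never had: a 6-digit PIN is still only 1,000,000 guesses.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def _subkey(kek: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the KEK."""
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the data-encryption key under the KEK. Output: nonce || ct || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(kek, b"enc"), nonce, len(dek))
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_dek(kek: bytes, blob: bytes):
    """Return the DEK, or None if the KEK is wrong (wrong PIN) or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(kek, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def compare_secrets() -> dict:
    """Guessing-space comparison for the secrets discussed in the post, in bits."""
    return {
        "6-digit PIN": round(entropy_bits(10, 6), 1),
        "20 printable chars": round(entropy_bits(94, 20), 1),
        "AES-256 key": 256.0,
    }


if __name__ == "__main__":
    dek = os.urandom(32)  # the random key that actually encrypts the storage
    blob = wrap_dek(derive_kek("123456"), dek)
    print("unwrap with right PIN :", unwrap_dek(derive_kek("123456"), blob) == dek)
    print("unwrap with wrong PIN :", unwrap_dek(derive_kek("123457"), blob))
    for name, bits in compare_secrets().items():
        print(f"{name:20s} {bits:6.1f} bits")
```

The numbers are the point: a six-digit PIN is under 20 bits of search space however slow the KDF is, while a 20-character passphrase is over 128 bits and so matches the strength of the AES-256 key it protects. The wrapped blob on disk is useless without the KEK, which exists only while the passphrase is known.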
Gray
Posts: 788
Joined: Sat Apr 16, 2011 5:33 am
Location: Virginia

Re: Man’s life savings stolen from hijacked cellphone number

Post by Gray »

I use the LastPass Authenticator, with a PIN, and backed up to LastPass, with a strong master password. Cell phone numbers as a second factor aren’t advisable.
Momus
Posts: 1023
Joined: Tue Feb 21, 2012 9:23 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Momus »

Gray wrote: Sun Nov 03, 2019 4:05 pm I use the LastPass Authenticator, with a PIN, and backed up to LastPass, with a strong master password. Cell phone numbers as a second factor aren’t advisable.
Vanguard has no other options to verify your security code. 2FA via text is the only option.
Momus
Posts: 1023
Joined: Tue Feb 21, 2012 9:23 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Momus »

mhalley wrote: Sun Nov 03, 2019 11:05 am Sure, but it would be susceptible to the SIM swap also. I suppose a phone that wasn't associated with your name might be a little safer.
Broken Man 1999 wrote: Sun Nov 03, 2019 11:34 am My thought was to use the burner number for texts from financial institutions for 2FA, also receiving various institution activity alerts and absolutely nothing else. Ideally the phone number would only be resident in the financial institutions. And, the burner phone would live a life of complete anonymity, tucked away somewhere in my house. Eh, before long I'll be constructing my tinfoil hat. :shock:

The only financial thing either of us have done via a cell phone was depositing a check in the credit union a time or two. I even remove the CU app after each use from my cell phone.

I am reluctant to get further in bed with Google. I noticed they just bought Fitbit. What a treasure trove of data that buy might bring.

Broken Man 1999
Yes, it looks like my only option is to get a burner phone + a cheap phone plan. Fake name and all.
Momus
Posts: 1023
Joined: Tue Feb 21, 2012 9:23 pm

Re: You get hacked, lost a lot of money. What can you do?

Post by Momus »

arf30 wrote: Sun Nov 03, 2019 8:18 am - For websites where SMS 2FA can't be disabled (Vanguard, Chase, etc) use a Google Voice number
- For your Google account and other websites where you can remove SMS 2FA, disable SMS 2FA and use authenticator+backup codes or hardware tokens like Yubikey
- On your mobile phone, make sure SIM PIN is enabled. This will encrypt your SIM and prevent thieves from swapping your SIM card into another phone in the event your phone is stolen.
- Call your mobile provider and require a PIN code to make changes to your account (this won't stop compromised employees)
This is good. I will follow what you do there, probably save me $20-30/yr buying a new burner phone :sharebeer
evancox10
Posts: 111
Joined: Tue Jun 28, 2011 11:25 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by evancox10 »

Call_Me_Op wrote: Mon Apr 29, 2019 12:11 pm
Cycle wrote: Sun Apr 28, 2019 9:23 am note to self, don't keep 90% of net worth in cash (or electronic equivalent)
Would this have mattered? Can't the crook convert securities to cash by selling?
I think the difference is that crypto is like (paper) cash in the sense that it is equivalent to a bearer bond: control and/or possession of the asset by definition means you own it. This is not at all the case for assets at a financial institution. Someone who is able to log in to your account at Vanguard does not take immediate ownership of all your assets; they first have to convince Vanguard to hand them over, and even then a transaction in progress can be unwound.
Silence Dogood
Posts: 1429
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood »

New article in the Wall Street Journal:

WSJ: He Thought His Phone Was Secure; Then He Lost $24 Million to Hackers
Here is the really scary part: Mr. Terpin had been SIM-swapped seven months earlier. He got lucky and didn’t lose any money that time, but had taken serious steps to prevent it from happening again. He had consulted with security professionals. He had gone to an AT&T store and added a security feature to his account that required a secret six-digit PIN to make any changes. He removed text-message authentication where he could, replacing it with Google Authenticator.

Mr. Terpin believes employees at an AT&T authorized dealer handed hackers control of his phone number, and those hackers found a way into his digital wallets by breaking into accounts of his that couldn’t be protected by Authenticator.

“On a scale of 1 to 10, I’d say my security protections were a 9.8 or higher,” he said. “But these hackers, all they do is they sit around in a basement and figure out ways of hacking people.”
ncbill
Posts: 870
Joined: Sun Jul 06, 2008 4:03 pm
Location: Western NC

Re: Man’s life savings stolen from hijacked cellphone number

Post by ncbill »

Silence Dogood wrote: Sat Nov 09, 2019 9:34 am New article in the Wall Street Journal:

WSJ: He Thought His Phone Was Secure; Then He Lost $24 Million to Hackers
Here is the really scary part: Mr. Terpin had been SIM-swapped seven months earlier. He got lucky and didn’t lose any money that time, but had taken serious steps to prevent it from happening again. He had consulted with security professionals. He had gone to an AT&T store and added a security feature to his account that required a secret six-digit PIN to make any changes. He removed text-message authentication where he could, replacing it with Google Authenticator.

Mr. Terpin believes employees at an AT&T authorized dealer handed hackers control of his phone number, and those hackers found a way into his digital wallets by breaking into accounts of his that couldn’t be protected by Authenticator.

“On a scale of 1 to 10, I’d say my security protections were a 9.8 or higher,” he said. “But these hackers, all they do is they sit around in a basement and figure out ways of hacking people.”
Let's be blunt...$24 million in crypto-currency should be in cold storage, not in an online-accessible wallet.
cbeck
Posts: 290
Joined: Sun Jun 24, 2012 1:28 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by cbeck »

Just by the way, I hope everyone has set up a telephone password as an extra authentication step for conversations with Vanguard.
protagonist
Posts: 6689
Joined: Sun Dec 26, 2010 12:47 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by protagonist »

cdu7 wrote: Sun Apr 28, 2019 8:05 am https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center workers to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
The reason it is NOT scary is because this isolated incident was newsworthy. Out of 327 million Americans, how many do you think this has happened to? Way less than the number hit by lightning I would guess.
The media knows that fear sells. You don't need to buy.
SpaethCo
Posts: 235
Joined: Thu Jan 14, 2016 12:58 am
Location: Minneapolis

Re: Man’s life savings stolen from hijacked cellphone number

Post by SpaethCo »

“On a scale of 1 to 10, I’d say my security protections were a 9.8 or higher,” he said. “But these hackers, all they do is they sit around in a basement and figure out ways of hacking people.”
This is the quote I have the biggest issue with.

If you can do an account recovery via SMS on *ANY* of your accounts, your security protections aren't anywhere close to 10. People spend so much time focusing on 2FA, but the biggest risk factor is that "I forgot my password" button which makes any additional protections beyond a high entropy password mostly moot.
EZ James
Posts: 110
Joined: Wed Oct 03, 2012 2:46 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by EZ James »

:oops: I just asked Tracfone via online chat for their default SIM PIN. The agent did not know what I was talking about and suggested 1-1-1 might work :-( 🤢
EZ James
Posts: 110
Joined: Wed Oct 03, 2012 2:46 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by EZ James »

Correction: She suggested 1-1-1-1 which is equally risky and probably worthless.
yogesh
Posts: 491
Joined: Thu Oct 11, 2012 6:20 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by yogesh »

Like Vanguard, Fidelity has 2FA, Money Transfer Lockdown and Voice Recognition features available in addition to the daily limits.
These should be default ON especially for brokerages.
Emergency: FDIC | Taxable: VTMFX | Retirement: TR2040
AlphaLess
Posts: 2679
Joined: Fri Sep 29, 2017 11:38 pm
Location: Kentucky

Re: You get hacked, lost a lot of money. What can you do?

Post by AlphaLess »

ARoseByAnyOtherName wrote: Sun Nov 03, 2019 7:02 am
Momus wrote: Sun Nov 03, 2019 1:27 am How do you defend from a 2FA (cell phone) hack? Seems like this scam is pretty common since the Equifax social security hack.
The best defense: for all financial and otherwise highly sensitive accounts, use a completely separate Gmail email account and Google Voice phone number, both created using the same Google account. Then, enroll that Google account in the Advanced Protection program (which requires the use of hardware security keys to gain access to the account.)

That way if your primary cell phone number is SIM swapped or otherwise compromised, the attacker may attempt to gain access to these accounts but it will be difficult if not impossible for them to do so. Your sensitive accounts are not tied in any way to your primary number, and Google Voice numbers cannot be SIM swapped.

I’ve written more about this and other security best practices here:
viewtopic.php?f=11&t=288310&p=4702423#p4702423
I would like to point out that using Google Voice number for 2FA is *HIGHLY* insecure.
"A Republic, if you can keep it". Benjamin Franklin. 1787. | Party affiliation: Vanguard. Religion: low-cost investing.
AlphaLess
Posts: 2679
Joined: Fri Sep 29, 2017 11:38 pm
Location: Kentucky

Re: Man’s life savings stolen from hijacked cellphone number

Post by AlphaLess »

SpaethCo wrote: Mon Nov 11, 2019 10:43 pm
“On a scale of 1 to 10, I’d say my security protections were a 9.8 or higher,” he said. “But these hackers, all they do is they sit around in a basement and figure out ways of hacking people.”
This is the quote I have the biggest issue with.

If you can do an account recovery via SMS on *ANY* of your accounts, your security protections aren't anywhere close to 10. People spend so much time focusing on 2FA, but the biggest risk factor is that "I forgot my password" button which makes any additional protections beyond a high entropy password mostly moot.
Yup. Pretty much.

Unless it uses something like Google Authenticator or a system like that, it is not secure.
"A Republic, if you can keep it". Benjamin Franklin. 1787. | Party affiliation: Vanguard. Religion: low-cost investing.
AlphaLess
Posts: 2679
Joined: Fri Sep 29, 2017 11:38 pm
Location: Kentucky

Re: Man’s life savings stolen from hijacked cellphone number

Post by AlphaLess »

ncbill wrote: Mon Nov 11, 2019 9:46 am
Silence Dogood wrote: Sat Nov 09, 2019 9:34 am New article in the Wall Street Journal:

WSJ: He Thought His Phone Was Secure; Then He Lost $24 Million to Hackers
Here is the really scary part: Mr. Terpin had been SIM-swapped seven months earlier. He got lucky and didn’t lose any money that time, but had taken serious steps to prevent it from happening again. He had consulted with security professionals. He had gone to an AT&T store and added a security feature to his account that required a secret six-digit PIN to make any changes. He removed text-message authentication where he could, replacing it with Google Authenticator.

Mr. Terpin believes employees at an AT&T authorized dealer handed hackers control of his phone number, and those hackers found a way into his digital wallets by breaking into accounts of his that couldn’t be protected by Authenticator.

“On a scale of 1 to 10, I’d say my security protections were a 9.8 or higher,” he said. “But these hackers, all they do is they sit around in a basement and figure out ways of hacking people.”
Let's be blunt...$24 million in crypto-currency should be in cold storage, not in an online-accessible wallet.
Yup. Also, don't go around telling everyone you have $24M in crap-coins.
"A Republic, if you can keep it". Benjamin Franklin. 1787. | Party affiliation: Vanguard. Religion: low-cost investing.
AlphaLess
Posts: 2679
Joined: Fri Sep 29, 2017 11:38 pm
Location: Kentucky

Re: Man’s life savings stolen from hijacked cellphone number

Post by AlphaLess »

cbeck wrote: Mon Nov 11, 2019 5:25 pm Just by the way, I hope everyone has set up a telephone password as an extra authentication step for conversations with Vanguard.
What are the best practices for securing Vanguard accounts?

I feel like Vanguard's krappy 2FA using a text message code is really, really bad.
"A Republic, if you can keep it". Benjamin Franklin. 1787. | Party affiliation: Vanguard. Religion: low-cost investing.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: You get hacked, lost a lot of money. What can you do?

Post by ARoseByAnyOtherName »

AlphaLess wrote: Tue Nov 12, 2019 2:29 am
ARoseByAnyOtherName wrote: Sun Nov 03, 2019 7:02 am
Momus wrote: Sun Nov 03, 2019 1:27 am How do you defend from a 2FA (cell phone) hack? Seems like this scam is pretty common since the Equifax social security hack.
The best defense: for all financial and otherwise highly sensitive accounts, use a completely separate Gmail email account and Google Voice phone number, both created using the same Google account. Then, enroll that Google account in the Advanced Protection program (which requires the use of hardware security keys to gain access to the account.)

That way if your primary cell phone number is SIM swapped or otherwise compromised, the attacker may attempt to gain access to these accounts but it will be difficult if not impossible for them to do so. Your sensitive accounts are not tied in any way to your primary number, and Google Voice numbers cannot be SIM swapped.

I’ve written more about this and other security best practices here:
viewtopic.php?f=11&t=288310&p=4702423#p4702423
I would like to point out that using Google Voice number for 2FA is *HIGHLY* insecure.
Why do you think it’s insecure? Be specific.
typical.investor
Posts: 2289
Joined: Mon Jun 11, 2018 3:17 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by typical.investor »

AlphaLess wrote: Tue Nov 12, 2019 2:32 am
cbeck wrote: Mon Nov 11, 2019 5:25 pm Just by the way, I hope everyone has set up a telephone password as an extra authentication step for conversations with Vanguard.
What are the best practices for securing Vanguard accounts?

I feel like Vanguard's krappy 2FA using a text message code is really, really bad.
I don’t use 2FA at Vanguard, so I presume the six digit “Vanguard Security Code” I received was fake. The SMS short code that the message came from was for a company selling home security products.

The SMS had a HELP option. I wonder if that was to try and steal info. The SMS short code would have to have been hacked though, otherwise I’d seemingly be responding to the home security company that owns it per short code lookup info.

Curious....
HawkeyePierce
Posts: 1486
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Man’s life savings stolen from hijacked cellphone number

Post by HawkeyePierce »

typical.investor wrote: Tue Nov 12, 2019 7:24 am
AlphaLess wrote: Tue Nov 12, 2019 2:32 am
cbeck wrote: Mon Nov 11, 2019 5:25 pm Just by the way, I hope everyone has set up a telephone password as an extra authentication step for conversations with Vanguard.
What are the best practices for securing Vanguard accounts?

I feel like Vanguard's krappy 2FA using a text message code is really, really bad.
I don’t use 2FA at Vanguard, so I presume the six digit “Vanguard Security Code” I received was fake. The SMS short code that the message came from was for a company selling home security products.

The SMS had a HELP option. I wonder if that was to try and steal info. The SMS short code would have to have been hacked though, otherwise I’d seemingly be responding to the home security company that owns it per short code lookup info.

Curious....
FYI, SMS shortcodes are not unique to a given company. I've received legitimate SMS alerts for Vanguard, Amex, Schwab and TDA all from the same shortcode.

Chances are they've all outsourced to the same vendor.
D57102
Posts: 37
Joined: Mon Jan 23, 2012 5:35 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by D57102 »

I am curious.

Is there any insurance which covers this type of loss?

Sometimes I am worried because our assets seem to exist only in a computer. If somebody hacks in and steals them, can we get any money back?
AlphaLess
Posts: 2679
Joined: Fri Sep 29, 2017 11:38 pm
Location: Kentucky

Re: You get hacked, lost a lot of money. What can you do?

Post by AlphaLess »

ARoseByAnyOtherName wrote: Tue Nov 12, 2019 6:12 am
AlphaLess wrote: Tue Nov 12, 2019 2:29 am
ARoseByAnyOtherName wrote: Sun Nov 03, 2019 7:02 am
Momus wrote: Sun Nov 03, 2019 1:27 am How do you defend from a 2FA (cell phone) hack? Seems like this scam is pretty common since the Equifax social security hack.
The best defense: for all financial and otherwise highly sensitive accounts, use a completely separate Gmail email account and Google Voice phone number, both created using the same Google account. Then, enroll that Google account in the Advanced Protection program (which requires the use of hardware security keys to gain access to the account).

That way if your primary cell phone number is SIM swapped or otherwise compromised, the attacker may attempt to gain access to these accounts but it will be difficult if not impossible for them to do so. Your sensitive accounts are not tied in any way to your primary number, and Google Voice numbers cannot be SIM swapped.

I’ve written more about this and other security best practices here:
viewtopic.php?f=11&t=288310&p=4702423#p4702423
I would like to point out that using Google Voice number for 2FA is *HIGHLY* insecure.
Why do you think it’s insecure? Be specific.
https://authy.com/blog/do-not-use-your- ... ntication/
"A Republic, if you can keep it". Benjamin Franklin. 1787. | Party affiliation: Vanguard. Religion: low-cost investing.
AlphaLess
Posts: 2679
Joined: Fri Sep 29, 2017 11:38 pm
Location: Kentucky

Re: Man’s life savings stolen from hijacked cellphone number

Post by AlphaLess »

D57102 wrote: Tue Nov 12, 2019 10:02 am I am curious.

Is there any insurance which covers this type of loss?

Sometimes, I am worried because our assets seem to exist just in a computer. If somebody hacks in and steals them, can we get any money back?
Probably. Worth looking into this.
"A Republic, if you can keep it". Benjamin Franklin. 1787. | Party affiliation: Vanguard. Religion: low-cost investing.
mptfan
Posts: 6205
Joined: Mon Mar 05, 2007 9:58 am

Re: You get hacked, lost a lot of money. What can you do?

Post by mptfan »

AlphaLess wrote: Tue Nov 12, 2019 10:02 am
ARoseByAnyOtherName wrote: Tue Nov 12, 2019 6:12 am
AlphaLess wrote: Tue Nov 12, 2019 2:29 am
ARoseByAnyOtherName wrote: Sun Nov 03, 2019 7:02 am
Momus wrote: Sun Nov 03, 2019 1:27 am How do you defend from a 2FA (cell phone) hack? Seems like this scam is pretty common since the Equifax social security hack.
The best defense: for all financial and otherwise highly sensitive accounts, use a completely separate Gmail email account and Google Voice phone number, both created using the same Google account. Then, enroll that Google account in the Advanced Protection program (which requires the use of hardware security keys to gain access to the account).

That way if your primary cell phone number is SIM swapped or otherwise compromised, the attacker may attempt to gain access to these accounts but it will be difficult if not impossible for them to do so. Your sensitive accounts are not tied in any way to your primary number, and Google Voice numbers cannot be SIM swapped.

I’ve written more about this and other security best practices here:
viewtopic.php?f=11&t=288310&p=4702423#p4702423
I would like to point out that using Google Voice number for 2FA is *HIGHLY* insecure.
Why do you think it’s insecure? Be specific.
https://authy.com/blog/do-not-use-your- ... ntication/
I do not necessarily agree with the conclusion of that article. It's true if you do not use 2 factor authentication to protect your Google account, but if you do, then using Google voice is very secure. The author of the article glosses over this important distinction with the following sentence...

"Simple. First the attacker compromises the user e-mail."

Um, that's not so simple if the user has a strong password and uses 2 factor authentication, because the attacker would have to know the password AND have access to the second factor in order to compromise the user email. That's very hard to do, especially if the user does not use a phone number or SMS texts as one of the second factors. As others point out, if you enroll your account in advanced protection, it would be impossible to access the account without a physical yubikey, so the account would be completely protected.
Last edited by mptfan on Tue Nov 12, 2019 4:18 pm, edited 2 times in total.
HawkeyePierce
Posts: 1486
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: You get hacked, lost a lot of money. What can you do?

Post by HawkeyePierce »

AlphaLess wrote: Tue Nov 12, 2019 10:02 am
ARoseByAnyOtherName wrote: Tue Nov 12, 2019 6:12 am
AlphaLess wrote: Tue Nov 12, 2019 2:29 am
ARoseByAnyOtherName wrote: Sun Nov 03, 2019 7:02 am
Momus wrote: Sun Nov 03, 2019 1:27 am How do you defend from a 2FA (cell phone) hack? Seems like this scam is pretty common since the Equifax social security hack.
The best defense: for all financial and otherwise highly sensitive accounts, use a completely separate Gmail email account and Google Voice phone number, both created using the same Google account. Then, enroll that Google account in the Advanced Protection program (which requires the use of hardware security keys to gain access to the account).

That way if your primary cell phone number is SIM swapped or otherwise compromised, the attacker may attempt to gain access to these accounts but it will be difficult if not impossible for them to do so. Your sensitive accounts are not tied in any way to your primary number, and Google Voice numbers cannot be SIM swapped.

I’ve written more about this and other security best practices here:
viewtopic.php?f=11&t=288310&p=4702423#p4702423
I would like to point out that using Google Voice number for 2FA is *HIGHLY* insecure.
Why do you think it’s insecure? Be specific.
https://authy.com/blog/do-not-use-your- ... ntication/
Lock down your Google account using a unique password and Yubikeys. Don't allow third-party apps access to Gmail. Problem solved.

(Gonna have to talk to my friend at Twilio about that article, its conclusion is bogus)
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: You get hacked, lost a lot of money. What can you do?

Post by ARoseByAnyOtherName »

AlphaLess wrote: Tue Nov 12, 2019 10:02 am
ARoseByAnyOtherName wrote: Tue Nov 12, 2019 6:12 am
AlphaLess wrote: Tue Nov 12, 2019 2:29 am
ARoseByAnyOtherName wrote: Sun Nov 03, 2019 7:02 am
Momus wrote: Sun Nov 03, 2019 1:27 am How do you defend from a 2FA (cell phone) hack? Seems like this scam is pretty common since the Equifax social security hack.
The best defense: for all financial and otherwise highly sensitive accounts, use a completely separate Gmail email account and Google Voice phone number, both created using the same Google account. Then, enroll that Google account in the Advanced Protection program (which requires the use of hardware security keys to gain access to the account).

That way if your primary cell phone number is SIM swapped or otherwise compromised, the attacker may attempt to gain access to these accounts but it will be difficult if not impossible for them to do so. Your sensitive accounts are not tied in any way to your primary number, and Google Voice numbers cannot be SIM swapped.

I’ve written more about this and other security best practices here:
viewtopic.php?f=11&t=288310&p=4702423#p4702423
I would like to point out that using Google Voice number for 2FA is *HIGHLY* insecure.
Why do you think it’s insecure? Be specific.
https://authy.com/blog/do-not-use-your- ... ntication/
As I said above you should use Google Voice via a Google account that’s enrolled in Advanced Protection. Advanced Protection requires the use of hardware security keys to access the account, including Google Voice, which effectively eliminates phishing attacks.

So, the only evidence you presented does not apply at all to my recommendation. Using a Google Voice number for 2FA is absolutely not insecure. In fact it is one of the best ways to protect yourself if you have to deal with 2FA via SMS.
AAA
Posts: 1387
Joined: Sat Jan 12, 2008 8:56 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by AAA »

midareff wrote: Sun Apr 28, 2019 8:29 am Maybe I'm too old-fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
My thoughts exactly, but I don't even do email on them although I realize for some it is necessary.
Last edited by AAA on Wed Nov 27, 2019 8:37 pm, edited 2 times in total.
AAA
Posts: 1387
Joined: Sat Jan 12, 2008 8:56 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by AAA »

cancel
rascott
Posts: 2347
Joined: Wed Apr 15, 2015 10:53 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by rascott »

protagonist wrote: Mon Nov 11, 2019 10:35 pm
cdu7 wrote: Sun Apr 28, 2019 8:05 am https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center worker to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
The reason it is NOT scary is because this isolated incident was newsworthy. Out of 327 million Americans, how many do you think this has happened to? Way less than the number hit by lightning I would guess.
The media knows that fear sells. You don't need to buy.


I personally know someone that had their SIM swapped and an online brokerage account cleaned out very recently.

This is obviously a growing issue to be aware of.
H-Town
Posts: 2868
Joined: Sun Feb 26, 2017 2:08 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by H-Town »

rascott wrote: Tue Dec 03, 2019 4:25 pm
protagonist wrote: Mon Nov 11, 2019 10:35 pm
cdu7 wrote: Sun Apr 28, 2019 8:05 am https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center worker to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
The reason it is NOT scary is because this isolated incident was newsworthy. Out of 327 million Americans, how many do you think this has happened to? Way less than the number hit by lightning I would guess.
The media knows that fear sells. You don't need to buy.


I personally know someone that had their SIM swapped and an online brokerage account cleaned out very recently.

This is obviously a growing issue to be aware of.
That person wouldn't check his or her email at all? Or at least log in and keep an eye on the activities? Once the hackers got in using 2-factor, they would need to add a bank to ACH out. And the bank account would need to have the exact same name as the brokerage account. Then it would take 2-3 business days for ACH verification. In addition, some brokerage houses only allow ACH out to the bank account that the money was originally transferred from.

It's hard to imagine that the hacker would be able to pull it off in a day, without any knowledge whatsoever. I think many of the successful hacks involved hackers who know their victims in real life.
protagonist
Posts: 6689
Joined: Sun Dec 26, 2010 12:47 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by protagonist »

That said, it does make me a bit nervous that a huge portion of my life savings is uninsured (at Fidelity brokerage). Given the other things that are possible with technology, it seems like just a matter of time before some brilliant hacker manages to get into a brokerage's computers and wipe out people's accounts.

Then again, after the Cuban missile crisis I stopped doing my homework in grade school for a year or so because I was pretty much convinced that I would never make it into middle age anyway due to Armageddon (bomb? chem/bio attack?). Remarkably, it hasn't happened after all these years, nor has a major cyberterrorist attack crippled our infrastructure or caused a major market crash. So I've either become much more sanguine, or at least when it comes to matters over which I have little control I am much more accepting of risk (as are all of us stock market investors trusting of large institutions, really).

My approach....take obvious simple precautions and don't worry too much....the chips will fall as they may either way.
rascott
Posts: 2347
Joined: Wed Apr 15, 2015 10:53 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by rascott »

H-Town wrote: Tue Dec 03, 2019 4:40 pm
rascott wrote: Tue Dec 03, 2019 4:25 pm
protagonist wrote: Mon Nov 11, 2019 10:35 pm
cdu7 wrote: Sun Apr 28, 2019 8:05 am https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center worker to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
The reason it is NOT scary is because this isolated incident was newsworthy. Out of 327 million Americans, how many do you think this has happened to? Way less than the number hit by lightning I would guess.
The media knows that fear sells. You don't need to buy.


I personally know someone that had their SIM swapped and an online brokerage account cleaned out very recently.

This is obviously a growing issue to be aware of.
That person wouldn't check his or her email at all? Or at least log in and keep an eye on the activities? Once the hackers got in using 2-factor, they would need to add a bank to ACH out. And the bank account would need to have the exact same name as the brokerage account. Then it would take 2-3 business days for ACH verification. In addition, some brokerage houses only allow ACH out to the bank account that the money was originally transferred from.

It's hard to imagine that the hacker would be able to pull it off in a day, without any knowledge whatsoever. I think many of the successful hacks involved hackers who know their victims in real life.

What's stopping someone from initiating an outgoing wire instead of ACH?
H-Town
Posts: 2868
Joined: Sun Feb 26, 2017 2:08 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by H-Town »

rascott wrote: Tue Dec 03, 2019 7:00 pm What's stopping someone from initiating an outgoing wire instead of ACH?
Would it still take time for the brokerage firm to verify the wire information? Can you really enter the wire info into Vanguard website, click Submit, and job well done?
SCSurf
Posts: 17
Joined: Fri Apr 28, 2017 9:04 am

Re: [Cellphone SIM card hijacking - Security concerns and mitigation techniques]

Post by SCSurf »

Would someone with a background in cybersecurity be willing to write a page for the Bogleheads Wiki to address what the current best practices are for securing retirement and brokerage accounts? I see many different opinions in this thread and wanted something simple to understand and follow for someone without much background in cybersecurity. Maybe even keep it up to date with current threats.