Man’s life savings stolen from hijacked cellphone number

catalina355
Posts: 250
Joined: Sun Jun 10, 2018 6:46 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by catalina355 » Tue Apr 30, 2019 9:29 am

lazydavid wrote:
Mon Apr 29, 2019 8:02 am
blackholescion wrote:
Sun Apr 28, 2019 12:10 pm
If someone does a sim swap, they don’t have access to your email. In fact the only way they would is with access to your physical device. However, smartphones are encrypted so the only way for them to even get in is to bypass your password/pin and they only get 10 tries. See things like the San Bernardino iPhone case for why that kind of effort is complex and problematic.
So much misinformation in this thread it's mind-boggling. First, the sim swap being discussed here does NOT require physical access to your device. They just call your carrier and say that "you" got a new phone and need to move your number. Voila, their phone is now your phone.

But even in the event that physical access was required (i.e. the attack was actually swapping the physical SIM into a different phone), how exactly would a password lock prevent them from sticking a paperclip into the little hole and taking your SIM card out?
Simple. Use a SIM password (aka PIN).

lazydavid
Posts: 2424
Joined: Wed Apr 06, 2016 1:37 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by lazydavid » Tue Apr 30, 2019 9:31 am

catalina355 wrote:
Tue Apr 30, 2019 9:29 am
Simple. Use a SIM password (aka PIN).
Which can be unlocked using a PUK from the carrier, bypassing your PIN. Again, that's beside the point, because physical access to the phone is not required for these attacks. It can be done from the other side of the world while your phone is powered off and stored in a safe.

catalina355
Posts: 250
Joined: Sun Jun 10, 2018 6:46 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by catalina355 » Tue Apr 30, 2019 9:33 am

lazydavid wrote:
Tue Apr 30, 2019 9:31 am
catalina355 wrote:
Tue Apr 30, 2019 9:29 am
Simple. Use a SIM password (aka PIN).
Which can be unlocked using a PUK from the carrier, bypassing your PIN. Again, that's beside the point, because physical access to the phone is not required for these attacks. It can be done from the other side of the world while your phone is powered off and stored in a safe.
I'm well aware that the SIM swap does not require physical access to a phone. I was replying to your point.

Yes the SIM can be unlocked using a PUK from the carrier. This is another hurdle for the bad guy.

tadamsmar
Posts: 8446
Joined: Mon May 07, 2007 12:33 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by tadamsmar » Tue Apr 30, 2019 9:46 am

SimonJester wrote:
Tue Apr 30, 2019 8:15 am
Recently I went to a security conference, one speaker was talking about the numerous security vulnerabilities in the various telco carriers' networks. The telco carriers are taking upwards of 25+ years to patch well known security vulnerabilities. Using ANY phone number as your 2nd piece of your 2FA is not good, as you really do not HAVE your phone number. Some of the things he was saying were a real eye opener and would almost have you stop carrying a cell phone.

For some carriers you can add a porting PIN to your account so you cannot port your number without that PIN. It still relies on the customer service rep to follow the procedure and not port without that PIN.

At the end of the day I rely on my financial institution's fraud guarantees to make me whole again. Does everyone remember back to the posting here where a man's father had his retirement account drained... I believe he eventually was able to recover the funds...
This is the posting:

viewtopic.php?f=2&t=228799

He recovered the funds, but no one ever found a guarantee from the company (Transamerica). You can't find anything like a guarantee for most mutual fund companies. Here's Vanguard's online fraud policy:

https://personal.vanguard.com/us/help/S ... ontent.jsp

Also, it's not 2fa when the cell is used to verify your identity for password recovery.

Dottie57
Posts: 6721
Joined: Thu May 19, 2016 5:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Dottie57 » Tue Apr 30, 2019 10:07 am

catalina355 wrote:
Tue Apr 30, 2019 6:43 am
Dottie57 wrote:
Mon Apr 29, 2019 9:26 pm
catalina355 wrote:
Mon Apr 29, 2019 4:40 pm
Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.

SIM swap has nothing to do with using a phone for financial transactions.
Yet the phone appears to have been used in gaining access to the account. A SIM is used for cell network access - yes?

I will do transactions in the privacy of my home on something that doesn’t leave my home. You can do whatever you want.
In doing so you are making it easier for the bad guys because you appear not to be using two factor authentication. A SIM swap is only undertaken to defeat two factor authentication.
I receive a code from brokerage via landline. I have alerts set up.

Dottie57
Posts: 6721
Joined: Thu May 19, 2016 5:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Dottie57 » Tue Apr 30, 2019 10:08 am

lazydavid wrote:
Tue Apr 30, 2019 5:49 am
Dottie57 wrote:
Mon Apr 29, 2019 9:26 pm
Yet the phone appears to have been used in gaining access to the account. A SIM is used for cell network access - yes?

I will do transactions in the privacy of my home on something that doesn’t leave my home. You can do whatever you want.
Do I take this to mean you don't have multifactor authentication enabled on your account? Then you are indeed not vulnerable to this attack. But that's not a good thing, because this attack is totally unnecessary to take over your account. It is only needed to get past a victim's MFA.
I receive a code from brokerage via landline. I have alerts set up.

BanditKing
Posts: 610
Joined: Tue Oct 29, 2013 11:11 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by BanditKing » Tue Apr 30, 2019 10:15 am

Adding a random anecdote. Recently transferred a portion of my Roth from Vanguard to M1 as part of the Hedgefundie adventure. Provided M1 with a portion of my statement and indicated which position I wanted moved, that was fine.

However, it then just ... happened. Never received any confirmation request from Vanguard, or even a notification that it occurred until I noticed my balance dropped by $X. Never technically "signed" anything, so it was all done predicated on an email and a PDF attachment.

Since I knew it was going to happen, no surprise on my part (save how long the process took - we can put a man on the moon but it takes 2 weeks to transfer some money?). Slightly disconcerting, though, that there was no request for verification from Vanguard. I'm signed up for email and text with them, as well as 2FA, so a call or even a text message with "we received a transfer request, please give us a call or log in to confirm."

*shrug* Again, just an observation.

Silence Dogood
Posts: 1054
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Tue Apr 30, 2019 11:17 am

BogleFanGal wrote:
Mon Apr 29, 2019 6:21 pm
Silence Dogood wrote:
Mon Apr 29, 2019 4:42 pm
'67Bosox wrote:
Mon Apr 29, 2019 11:31 am
But when I go to this page at my Vanguard online account, it says that the OTHER choice is the "recommended one", the one that says I can be allowed "to access my account from Unrecognized or new computers, browsers or mobile devices".
Does anyone know, why does Vanguard recommend this other setting?
thanks
The simple explanation is that Vanguard does not want people to restrict unrecognized devices without fully understanding what that entails.

Can you imagine the number of angry calls Vanguard would get if people select this option without much thought, and then a few months later try to access their account (from a different device) but can't? Call volume would skyrocket and there would be lots of complaints.
Wouldn't you be locked out on the "recognized" device every time you cleared browsing data or did a disk cleanup? That would be a bit of a pain, to have to call in each time to the CSR...but I guess if the security was that much stronger, maybe worth it?
It's okay to clear browsing and search history, cache, offline website data, etc. - as long as you don't clear cookies and site preferences.

I have my browser settings set to automatically clear all this data (browsing history, cache, etc.) every time I close my browser. I also block trackers and third-party cookies.

As I mentioned in an earlier post, I use a Firefox add-on called "Cookie AutoDelete" that automatically deletes my browser's cookies, but also allows me to "whitelist" specific websites (so that cookies from those specific websites are not deleted).

This has worked well for me.

Silence Dogood
Posts: 1054
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Tue Apr 30, 2019 11:25 am

The phone system was never intended to be used as a means of verifying identification.

The phone system has never been particularly secure.

This is why we should all be urging our financial institutions to replace SMS two-factor authentication with software token based two-factor authentication (apps like "Authy" and "Google Authenticator").

HawkeyePierce
Posts: 633
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Man’s life savings stolen from hijacked cellphone number

Post by HawkeyePierce » Tue Apr 30, 2019 11:53 am

Silence Dogood wrote:
Tue Apr 30, 2019 11:25 am
The phone system was never intended to be used as a means of verifying identification.

The phone system has never been particularly secure.

This is why we should all be urging our financial institutions to replace SMS two-factor authentication with software token based two-factor authentication (apps like "Authy" and "Google Authenticator").
App-based 2FA is an improvement over SMS but still leaves the user vulnerable to phishing. What we need is across-the-board support for Yubikeys.

Google completely eliminated employee account takeovers when they required their entire workforce to start using physical security keys: https://krebsonsecurity.com/2018/07/goo ... -phishing/

Silence Dogood
Posts: 1054
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Tue Apr 30, 2019 4:18 pm

HawkeyePierce wrote:
Tue Apr 30, 2019 11:53 am
Silence Dogood wrote:
Tue Apr 30, 2019 11:25 am
The phone system was never intended to be used as a means of verifying identification.

The phone system has never been particularly secure.

This is why we should all be urging our financial institutions to replace SMS two-factor authentication with software token based two-factor authentication (apps like "Authy" and "Google Authenticator").
App-based 2FA is an improvement over SMS but still leaves the user vulnerable to phishing. What we need is across-the-board support for Yubikeys.

Google completely eliminated employee account takeovers when they required their entire workforce to start using physical security keys: https://krebsonsecurity.com/2018/07/goo ... -phishing/
App-based two-factor authentication is significantly more secure than SMS-based two-factor authentication. App-based two-factor authentication is not vulnerable to SIM swaps or (more advanced) having the code intercepted during transmission. Also, the code changes every 30 seconds, rather than being valid for several minutes (usually at least 10 minutes) as is the case with SMS.

The only realistic vulnerabilities that I can think of with app-based two-factor authentication is (1) phishing and (2) if someone gets physical control over your device (which is hopefully locked with a password/fingerprint and encrypted).

More importantly, 77% of all Americans already own a smartphone*. So app-based two-factor authentication doesn't require people to buy a new device.

Of course, I think physical security keys should be offered as an option to those of us who want even more security.

*12% of Americans don't use the internet at all.
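To make the "code changes every 30 seconds" point above concrete, here is an added example (not code from the thread or from any authenticator vendor) of the RFC 6238 TOTP scheme that apps such as Google Authenticator and Authy implement: the code is an HMAC of a shared secret and the current 30-second time step, and a verifier typically accepts only one step either side for clock drift. The base32 secret and timestamps are the RFC's own test values, used here as constructed demo input.

```python
# Added example: minimal RFC 6238 TOTP (HOTP over a 30-second time step).
# Not the thread's own code; uses only the Python standard library.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # one authenticator code lives in one 30-second window
DIGITS = 6


def decode_base32_secret(text: str) -> bytes:
    """Turn the base32 string shown at enrolment (the QR code payload) into key bytes.
    Apps tolerate lower case, spaces and missing '=' padding, so normalise first."""
    clean = text.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30).
    Every second inside the same 30-second step yields the same code."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // STEP_SECONDS)


def seconds_until_rotation(unix_time: int) -> int:
    """How long the code shown at unix_time remains the 'current' one."""
    return STEP_SECONDS - (unix_time % STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. window=1 accepts the current step plus one step either
    side, so a code is usable for roughly 90 seconds of drift at most, versus the
    10+ minutes an SMS code usually stays valid. Constant-time compare avoids
    leaking how many digits matched."""
    counter = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret, base32 form as an app would scan it (constructed demo input)
    key = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    now = int(time.time())
    print("current code:", totp(key, now), "rotates in", seconds_until_rotation(now), "s")
```

Note that nothing in the code ties the 6 digits to the site the user types them into, which is exactly why the phishing caveat raised later in the thread still applies to app-based codes.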

SpaethCo
Posts: 165
Joined: Thu Jan 14, 2016 12:58 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by SpaethCo » Tue Apr 30, 2019 6:05 pm

Silence Dogood wrote:
Tue Apr 30, 2019 4:18 pm
The only realistic vulnerabilities that I can think of with app-based two-factor authentication is (1) phishing and (2) if someone gets physical control over your device (which is hopefully locked with a password/fingerprint and encrypted).
I can't stress enough how the vulnerability to (1) depletes the value of app-based 2FA.

https://www.pcmag.com/news/367026/googl ... are-on-the

H-Town
Posts: 1963
Joined: Sun Feb 26, 2017 2:08 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by H-Town » Tue Apr 30, 2019 6:33 pm

You can't fix paranoia...

It's extremely difficult for a hacker to get your investment money. It must take some degree of negligence on your part to give the hacker a fighting chance.

1) It's a good chance that whoever stole the money from you knows you well. It might be someone who is close to you. You should not advertise your wealth, except to your spouse. Don't make yourself a target.

2) Keep your computer and phone clean of viruses. Routinely change passwords and keep them safe. Don't write passwords down. Don't use the same password for everything.

3) Don't fall for phishing emails. Educate yourself so that you know it's a phishing email when you see one. Don't give out any information on the phone if you don't know the person you're talking to well enough.

4) Most financial institutions have mechanisms in place so that you cannot ACH money out to an account that does not have the same name. For wire transfers, they require a medallion signature. Only do business with those institutions.

5) Routinely log-in to your accounts to review activities and monitor your emails sent from your financial institutions. Do it weekly at the very least.

Silence Dogood
Posts: 1054
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Tue Apr 30, 2019 6:49 pm

SpaethCo wrote:
Tue Apr 30, 2019 6:05 pm
Silence Dogood wrote:
Tue Apr 30, 2019 4:18 pm
The only realistic vulnerabilities that I can think of with app-based two-factor authentication is (1) phishing and (2) if someone gets physical control over your device (which is hopefully locked with a password/fingerprint and encrypted).
I can't stress enough how the vulnerability to (1) depletes the value of app-based 2FA.

https://www.pcmag.com/news/367026/googl ... are-on-the
I am in complete agreement with you.

However, we are living in a society in which the most common password is "password."

Is it realistic to expect everyone to purchase a physical security key? Hopefully someday - but this will take a while.

A good first step will be to urge financial institutions to implement app-based two-factor authentication as a replacement for SMS-based two-factor authentication (which should be disbanded completely). Financial institutions could do this by the end of this year if they really wanted to.

And yes, physical security keys should be an option as well!

ResearchMed
Posts: 9176
Joined: Fri Dec 26, 2008 11:25 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by ResearchMed » Tue Apr 30, 2019 6:56 pm

Silence Dogood wrote:
Tue Apr 30, 2019 6:49 pm
SpaethCo wrote:
Tue Apr 30, 2019 6:05 pm
Silence Dogood wrote:
Tue Apr 30, 2019 4:18 pm
The only realistic vulnerabilities that I can think of with app-based two-factor authentication is (1) phishing and (2) if someone gets physical control over your device (which is hopefully locked with a password/fingerprint and encrypted).
I can't stress enough how the vulnerability to (1) depletes the value of app-based 2FA.

https://www.pcmag.com/news/367026/googl ... are-on-the
I am in complete agreement with you.

However, we are living in a society in which the most common password is "password."

Is it realistic to expect everyone to purchase a physical security key? Hopefully someday - but this will take a while.

A good first step will be to urge financial institutions to implement app-based two-factor authentication as a replacement for SMS-based two-factor authentication (which should be disbanded completely). Financial institutions could do this by the end of this year if they really wanted to.

And yes, physical security keys should be an option as well!
Is this really true, in this day and age, that the most common password is "password" (or even that it is common, even if not 'most' common)?

RM
This signature is a placebo. You are in the control group.

SpaethCo
Posts: 165
Joined: Thu Jan 14, 2016 12:58 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by SpaethCo » Tue Apr 30, 2019 7:05 pm

ResearchMed wrote:
Tue Apr 30, 2019 6:56 pm
Is this really true, in this day and age, that the most common password is "password" (or even that it is common, even if not 'most' common)?
Thanks to all the data breaches, we know just how bad people are with passwords.

https://www.troyhunt.com/86-of-password ... tatistics/

LadyGeek
Site Admin
Posts: 56424
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Man’s life savings stolen from hijacked cellphone number

Post by LadyGeek » Tue Apr 30, 2019 7:06 pm

Here you go: List of the most common passwords

In 2018, "123456" beat "password" for the #1 spot.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

mhalley
Posts: 7359
Joined: Tue Nov 20, 2007 6:02 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by mhalley » Tue Apr 30, 2019 7:10 pm

I think 123456 is no 1, password is no 2. I made all of mine password123456 to make it REALLY hard to hack.

ResearchMed
Posts: 9176
Joined: Fri Dec 26, 2008 11:25 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by ResearchMed » Tue Apr 30, 2019 7:17 pm

LadyGeek wrote:
Tue Apr 30, 2019 7:06 pm
Here you go: List of the most common passwords

In 2018, "123456" beat "password" for the #1 spot.
Thanks.

That was a real eye-opener!

:shock:

RM
This signature is a placebo. You are in the control group.

LadyGeek
Site Admin
Posts: 56424
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Man’s life savings stolen from hijacked cellphone number

Post by LadyGeek » Tue Apr 30, 2019 7:24 pm

"123456" won't work on this forum, we have the minimum password length set to 9. Why? Because everyone is used to a length of 8, so we go one more to make you think about it.

The forum software also has a built-in password strength indicator to help you select a good password. For those unfamiliar with choosing good passwords, it's a great first step.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

Topic Author
cdu7
Posts: 299
Joined: Thu Feb 02, 2017 2:34 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by cdu7 » Tue Apr 30, 2019 7:45 pm

I made this thread hoping to feel safer after reading all the replies. Ironically I now feel more paranoid than ever.

Finridge
Posts: 629
Joined: Mon May 16, 2011 7:27 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Finridge » Wed May 01, 2019 1:28 am

H-Town wrote:
Tue Apr 30, 2019 6:33 pm
You can't fix paranoia...

It's extremely difficult for a hacker to get your investment money. It must take some degree of negligence on your part to give the hacker a fighting chance.

1) It's a good chance that whoever stole the money from you knows you well. It might be someone who is close to you. You should not advertise your wealth, except to your spouse. Don't make yourself a target.

2) Keep your computer and phone clean of viruses. Routinely change passwords and keep them safe. Don't write passwords down. Don't use the same password for everything.

3) Don't fall for phishing emails. Educate yourself so that you know it's a phishing email when you see one. Don't give out any information on the phone if you don't know the person you're talking to well enough.

4) Most financial institutions have mechanisms in place so that you cannot ACH money out to an account that does not have the same name. For wire transfers, they require a medallion signature. Only do business with those institutions.

5) Routinely log-in to your accounts to review activities and monitor your emails sent from your financial institutions. Do it weekly at the very least.

This is a good list. I'd add:

3(a) - Assume *every* email that appears to be from your bank or investment firm is a phishing email, and never click on any of the links.

6. Always use 2FA (two factor authorization) if it is an option

tadamsmar
Posts: 8446
Joined: Mon May 07, 2007 12:33 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by tadamsmar » Thu May 02, 2019 8:38 pm

H-Town wrote:
Tue Apr 30, 2019 6:33 pm
You can't fix paranoia...

It's extremely difficult for a hacker to get your investment money. It must take some degree of negligence on your part to give the hacker a fighting chance.

1) It's a good chance that whoever stole the money from you knows you well. It might be someone who is close to you. You should not advertise your wealth, except to your spouse. Don't make yourself a target.

2) Keep your computer and phone clean of viruses. Routinely change passwords and keep them safe. Don't write passwords down. Don't use the same password for everything.

3) Don't fall for phishing emails. Educate yourself so that you know it's a phishing email when you see one. Don't give out any information on the phone if you don't know the person you're talking to well enough.

4) Most financial institutions have mechanisms in place so that you cannot ACH money out to an account that does not have the same name. For wire transfers, they require a medallion signature. Only do business with those institutions.

5) Routinely log-in to your accounts to review activities and monitor your emails sent from your financial institutions. Do it weekly at the very least.
Perhaps it’s better (as a starting point) to go to your fiduciary’s website and see what they require from you and what they offer (and fail to offer) in return. For instance:
https://personal.vanguard.com/us/help/S ... ontent.jsp

fulltilt
Posts: 222
Joined: Thu Dec 01, 2011 2:23 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by fulltilt » Fri May 03, 2019 1:16 pm

gtd98765 wrote:
Sun Apr 28, 2019 8:45 am
cdu7 wrote:
Sun Apr 28, 2019 8:05 am
https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center workers to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
I doubt it is really very common. I bet most people targeted for SIM swaps are well-known and wealthy, and probably involved in cryptocurrency trading. When these attacks do happen they make news, which is why we know about them. But not common.

Read about the availability heuristic: https://en.wikipedia.org/wiki/Availability_heuristic which causes us to overestimate the commonality of newsworthy events.
I personally know two people that have had their phone numbers stolen and I don't know very many people. Neither of them is well-known or wealthy.

typical.investor
Posts: 1093
Joined: Mon Jun 11, 2018 3:17 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by typical.investor » Fri May 03, 2019 3:41 pm

SpaethCo wrote:
Tue Apr 30, 2019 6:05 pm
Silence Dogood wrote:
Tue Apr 30, 2019 4:18 pm
The only realistic vulnerabilities that I can think of with app-based two-factor authentication is (1) phishing and (2) if someone gets physical control over your device (which is hopefully locked with a password/fingerprint and encrypted).
I can't stress enough how the vulnerability to (1) depletes the value of app-based 2FA.

https://www.pcmag.com/news/367026/googl ... are-on-the
Yubikey can be vulnerable to phishing too.

https://www.google.com/amp/s/www.wired. ... webusb/amp

SpaethCo
Posts: 165
Joined: Thu Jan 14, 2016 12:58 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by SpaethCo » Fri May 03, 2019 3:58 pm

typical.investor wrote:
Fri May 03, 2019 3:41 pm
Yubikey can be vulnerable to phishing too.

https://www.google.com/amp/s/www.wired. ... webusb/amp
WebUSB does require the user to allow access via a prompt, although it's not especially descriptive or helpful.

Example: https://developers.google.com/web/updat ... hooser.png

It looks completely different than how standard U2F authentication works though, so an end-user has reasonable clues that something is up.

gtd98765
Posts: 377
Joined: Sun Jan 08, 2017 4:15 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by gtd98765 » Fri May 03, 2019 7:08 pm

typical.investor wrote:
Fri May 03, 2019 3:41 pm
Yubikey can be vulnerable to phishing too.

https://www.google.com/amp/s/www.wired. ... webusb/amp
That vulnerability has been closed for some time:
With the May 29, 2018 release of Chrome 67, Google fixed the WebUSB vulnerability and the issue could no longer affect any (Yubico or other) U2F authenticators. To read the detailed report of the WebUSB issue in Chrome, please visit our Security Advisories page for full analysis.
(https://www.yubico.com/2018/06/webusb-a ... isclosure/)

typical.investor
Posts: 1093
Joined: Mon Jun 11, 2018 3:17 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by typical.investor » Fri May 03, 2019 7:43 pm

I think it comes down to the institution having a guarantee.

What if you lose your Yubikey? Your account might be locked until you call in or use whatever backup login method they have. So that method is vulnerable too.

Also, on Github, anyone can download some code to emulate a YubiKey on an Arduino, a tiny computer similar to a Raspberry Pi. It’s been shown these can seem legitimate to servers.

So now all someone needs is a good 3D printer setup, and instead of an inside contact at a telco, get an inside contact at Amazon or whoever is distributing the key and swap in their fake.

YubiKeys given away for free? They are out there.

At the end of the day, I wouldn’t hold assets anyplace without a guarantee.

gtd98765
Posts: 377
Joined: Sun Jan 08, 2017 4:15 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by gtd98765 » Fri May 03, 2019 8:53 pm

typical.investor wrote:
Fri May 03, 2019 7:43 pm

Also, on Github, anyone can download some code to emulate a YubiKey on an Arduino, a tiny computer similar to a Raspberry Pi. It’s been shown these can seem legitimate to servers.

So now all someone needs is a good 3D printer set up, and instead of an inside contact at a telco, get an inside contact at Amazon or whoever is distributing the key and swap in their fake.

YubiKeys given away for free? They are out there.

At the end of the day, I wouldn’t hold assets anyplace without a guarantee.
Since each Yubikey generates a unique code, it is irrelevant that a Yubikey might be emulated, because it would not be my Yubikey with my unique code. So an emulated Yubikey is irrelevant for hacking into my financial accounts since a hacker does not know the unique code my Yubikey generates among the trillions of possibilities.

I do not think it helps anybody to discourage people from using improved security measures to protect their accounts, or to spread fear, uncertainty, and doubt about the best practical technology available today. As krebsonsecurity has pointed out, Google claims that its 100K+ employees have had ZERO accounts compromised since Google mandated the use of security keys a couple of years ago. Google is certainly a target-rich environment, and you can bet the world's best hackers are trying to break in somewhere.

typical.investor
Posts: 1093
Joined: Mon Jun 11, 2018 3:17 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by typical.investor » Fri May 03, 2019 9:27 pm

gtd98765 wrote:
Fri May 03, 2019 8:53 pm
typical.investor wrote:
Fri May 03, 2019 7:43 pm

Also, on Github, anyone can download some code to emulate a YubiKey on an Arduino, a tiny computer similar to a Raspberry Pi. It’s been shown these can seem legitimate to servers.

So now all someone needs is a good 3D printer set up, and instead of an inside contact at a telco, get an inside contact at Amazon or whoever is distributing the key and swap in their fake.

YubiKeys given away for free? They are out there.

At the end of the day, I wouldn’t hold assets anyplace without a guarantee.
Since each Yubikey generates a unique code, it is irrelevant that a Yubikey might be emulated, because it would not be my Yubikey with my unique code. So an emulated Yubikey is irrelevant for hacking in to my financial accounts since a hacker does not know the unique code my Yubikey generates among the trillions of possibilities.
I think you missed how such an attack would take place:
in practice, a hacker might make a batch of DoobieKeys and then hand them out to attendees at a crypto-party; gatherings where people meet to learn about encryption and security. When the victims go and link their fake YubiKey to their Gmail, for example, the attacker also has a copy of their two-factor token.
And if you personally lose your Yubikey, I assume you will be getting a new one. And if you cheap out and use a freely distributed one that's been compromised ...
gtd98765 wrote:
Fri May 03, 2019 8:53 pm
I do not think it helps anybody to discourage people from using improved security measures to protect their accounts, or to spread fear, uncertainty, and doubt about the best practical technology available today.
I'm not discouraging anyone from using improved security practices. What I am saying is that if you have a choice of custodians and one has a guarantee (perhaps backed by SIPC or FDIC guarantees in case the custodian is forced into bankruptcy) for loss**, you should choose the more protected one and not rely on Yubikey or RSA tokens or 2FA being safe.

I have no moral problem calling Yubikey into question whether or not it is the "best practical technology available today". The simple fact is that they are vulnerable. See https://www.yubico.com/support/security-advisories

As for people using freely distributed Yubikeys - particularly at a crypto conference, I would be particularly careful knowing the exchange may not compensate you for unauthorized transfers.

It's not FUD, it's reality. By the way, I found the GitHub repo with the code to fake Yubikey access. Haven't and won't use it of course, but I note it's still being developed. Show me a developer who writes code they don't intend to use. For what purpose we don't really know of course.

I have an RSA dongle and custodian guarantee at my main broker. If Yubikey were available for my bank (which uses mobile code 2fa) I would use it.

** Guarantees like "Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity" are separate from SIPC which only covers cases of bankruptcy.

tadamsmar
Posts: 8446
Joined: Mon May 07, 2007 12:33 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by tadamsmar » Sat May 04, 2019 8:53 am

typical.investor wrote:
Fri May 03, 2019 9:27 pm
** Guarantees like "Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity" are separate from SIPC which only covers cases of bankruptcy.
The Schwab guarantee looks good, but there are circumstances where it will not cover losses:

1. "Gross negligence". The term is not defined so it might be good to avoid anything that has the smell of negligence (like using Windows 7 after 1/14/2020) unless Schwab says otherwise. And take all the additional steps that they recommend: https://www.schwab.com/public/schwab/nn ... schwabsafe

2. Failure to report unauthorized transactions as "quickly as possible". Schwab does not make it easy to figure out how quick: " Different transactions have different reporting deadlines. More details are available in your account agreements, statements and trade confirmations."

https://www.schwab.com/public/schwab/nn ... antee.html

elpollo
Posts: 19
Joined: Sun Jun 23, 2019 12:10 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by elpollo » Mon Jul 01, 2019 12:49 pm

blackholescion wrote:
Sun Apr 28, 2019 12:25 pm
Triple digit golfer wrote:
Sun Apr 28, 2019 12:18 pm
To those with Vanguard accounts, what security measures do you take?
The only possible ones. Text based 2FA but not to a google voice number and generated password of max allowed length (20 characters). I also have a generated username so that it’s not obvious like first and last name. Both unique to vanguard.
try a yubikey, even the cheap $20 one has U2F which works in Chrome
https://www.yubico.com/products/security-key/
with NFC for crazy people using their phones

SMS is well known to be exploitable by the right adversary; tokens less so, but not perfect.

Don't forget your password recovery process and how one logs in to the recovery email address (which ideally would not be one's main address)

One sad thing, and unlikely to change, is that when they get to the final step they will use easily guessable or available (hint: don't upload, or allow to be uploaded, your genealogy if you can) credit bureau questions
Discussions should be conducted without fondness for dispute or desire for victory. - Benjamin Franklin

protagonist
Posts: 5910
Joined: Sun Dec 26, 2010 12:47 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by protagonist » Mon Jul 01, 2019 2:09 pm

cdu7 wrote:
Sun Apr 28, 2019 8:05 am
https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center worker to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
I wouldn't be too scared. There are over 330 million Americans. This incident was clearly odd enough to be newsworthy. The chance of it happening to you is probably a lot less than the chance of you getting hit by lightning, and most definitely less than the chance of you getting killed in an auto accident. My guess is that you would rather lose a million dollars than get killed in an auto accident, though my guess is also that you probably drive a car and cross the street on foot, and don't worry too much about that.

Perceived risk can often differ wildly from actual risk, especially unfamiliar risk. An Amazon tribesperson would probably be as terrified in Times Square as a New Yorker would be in the jungle at night.
Last edited by protagonist on Tue Jul 02, 2019 9:16 am, edited 3 times in total.

blackholescion
Posts: 126
Joined: Fri Mar 22, 2019 6:41 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by blackholescion » Mon Jul 01, 2019 2:47 pm

elpollo wrote:
Mon Jul 01, 2019 12:49 pm
blackholescion wrote:
Sun Apr 28, 2019 12:25 pm
Triple digit golfer wrote:
Sun Apr 28, 2019 12:18 pm
To those with Vanguard accounts, what security measures do you take?
The only possible ones. Text based 2FA but not to a google voice number and generated password of max allowed length (20 characters). I also have a generated username so that it’s not obvious like first and last name. Both unique to vanguard.
try a yubikey, even the cheap $20 one has U2F which works in Chrome
https://www.yubico.com/products/security-key/
with NFC for crazy people using their phones

SMS is well known to be exploitable by the right adversary; tokens less so, but not perfect.

Don't forget your password recovery process and how one logs in to the recovery email address (which ideally would not be one's main address)

One sad thing, and unlikely to change, is that when they get to the final step they will use easily guessable or available (hint: don't upload, or allow to be uploaded, your genealogy if you can) credit bureau questions
Yubikey still has SMS fallback at Vanguard, though. Therefore it seems pointless.

I generate all my security questions as well if a site requires it and it has my financial info.

elpollo
Posts: 19
Joined: Sun Jun 23, 2019 12:10 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by elpollo » Mon Jul 01, 2019 7:13 pm

As I understand it, it may not protect against "sim swap" but it might protect against SS7 sniffing (if one needn't use the SMS to login)

else, get a VOIP that will accept SMS

most sites don't allow one to generate your recovery questions, though you can make up random answers and write them somewhere, which is what I do

VG somewhat surprisingly has a history of being slow, for better or worse; remember not so long ago when they'd only accept like 8 digit passwords, and had no 2FA at all (of course they'll tell you they have many methods you don't know about)
Discussions should be conducted without fondness for dispute or desire for victory. - Benjamin Franklin

arf30
Posts: 542
Joined: Sat Dec 28, 2013 11:55 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by arf30 » Mon Jul 01, 2019 7:36 pm

I've read that Google Voice isn't recommended for 2FA as Google reserves the right to change or revoke your number at any time, whereas the phone company is prevented from doing that by law (not that I recommend SMS for 2FA).

Rwsawbones
Posts: 101
Joined: Fri Jan 20, 2017 11:21 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Rwsawbones » Mon Jul 01, 2019 9:06 pm

Most of my assets are at FIDO. Profit sharing and IRA plans require paperwork to do withdrawals. Non tax deferred plans have stops on them to prevent moving money from FIDO. The iPad on which this is written has no email function. It has FIDO and BofA and it does have stored passwords which require my fingerprint to apply. The VIP access is on my cell phone. Neither FIDO nor my BofA apps nor of course associated passwords are on the cell phone. Since it requires both of these devices and my fingerprint to get into FIDO, and then one would be unable to remove cash from FIDO, I feel safe (though pride goes before the fall).

BofA, which has relatively small deposits, has 2 factor protection in that fingerprint or password along with user ID are followed by questions to which I am the only one to know the answer.

Am I safe or am I kidding myself?

carolinaman
Posts: 3776
Joined: Wed Dec 28, 2011 9:56 am
Location: North Carolina

Re: Man’s life savings stolen from hijacked cellphone number

Post by carolinaman » Tue Jul 02, 2019 12:29 pm

midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
+1. I totally agree.

bgreat
Posts: 73
Joined: Tue Jun 25, 2019 11:48 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by bgreat » Tue Jul 02, 2019 12:51 pm

gtd98765 wrote:
Fri May 03, 2019 8:53 pm
Since each Yubikey generates a unique code, it is irrelevant that a Yubikey might be emulated, because it would not be my Yubikey with my unique code. So an emulated Yubikey is irrelevant for hacking into my financial accounts since a hacker does not know the unique code my Yubikey generates among the trillions of possibilities.
It's even better than that: modern YubiKeys (e.g. U2F) do a full cryptographic exchange with the server, meaning both key and server are authenticated. If a fake server turns up, it'll have a different certificate, and your Yubikey will therefore generate useless data. Full details are hard to explain here - but the benefit is that a fake server can't trick you, AND it's close to impossible to emulate your Yubikey too.
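As an added illustration of the exchange bgreat describes (example code, not from the thread or from Yubico): a simplified Python model of the U2F authentication response, with HMAC-SHA256 and constructed origins standing in for the token's ECDSA signature and real sites. It shows the two properties at issue, that the signed client data names the origin, so a phishing page at another address gets a response the bank rejects, and that the signature counter lets the bank notice a copied token.

```python
# Added model of the U2F authentication response (not from the thread or Yubico); HMAC stands in for ECDSA.
import copy, hashlib, hmac, json, secrets
BANK = "https://bank.example"  # constructed relying-party AppID / origin

def client_data(challenge, origin):
    """Browser-side: binds the server's challenge to the origin of the page that asked."""
    return json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()

def signed_message(app_id, counter, cdata):
    """U2F layout: application parameter, user-presence byte, counter, challenge parameter."""
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + counter.to_bytes(4, "big") + hashlib.sha256(cdata).digest())

class Token:
    def __init__(self):
        self.keys, self.counter = {}, 0          # AppID -> secret; monotonic use counter
    def register(self, app_id):
        self.keys[app_id] = secrets.token_bytes(32)
        return self.keys[app_id]                 # stand-in for the public key given to the server
    def authenticate(self, app_id, cdata):
        self.counter += 1
        msg = signed_message(app_id, self.counter, cdata)
        return self.counter, hmac.new(self.keys[app_id], msg, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, app_id):
        self.app_id, self.keys, self.last_counter = app_id, {}, {}
    def register(self, user, key):
        self.keys[user], self.last_counter[user] = key, 0
    def verify(self, user, challenge, cdata, counter, sig):
        data = json.loads(cdata)
        if data["origin"] != self.app_id or data["challenge"] != challenge:
            return False                         # wrong site, or stale/relayed challenge
        msg = signed_message(self.app_id, counter, cdata)
        good = hmac.compare_digest(hmac.new(self.keys[user], msg, hashlib.sha256).digest(), sig)
        if not good or counter <= self.last_counter[user]:
            return False                         # forged, or replayed/cloned token state
        self.last_counter[user] = counter
        return True

def run_scenarios():
    token, bank = Token(), RelyingParty(BANK)
    bank.register("alice", token.register(BANK))
    def attempt(tok, origin):                    # one login round trip from a page at `origin`
        ch = secrets.token_urlsafe(32); cd = client_data(ch, origin)
        return bank.verify("alice", ch, cd, *tok.authenticate(BANK, cd))
    legit = attempt(token, BANK)
    # Phishing page relays the bank's challenge, but the browser records its own origin,
    # so whatever the token signs names the wrong site and the bank rejects it.
    phished = attempt(token, "https://bank-login.example")
    clone = copy.deepcopy(token)                 # an "emulated" copy of the token's state
    attempt(token, BANK)                         # real token used once more
    cloned = attempt(clone, BANK)                # copy lags on the counter and is refused
    return legit, phished, cloned
```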

Silence Dogood
Posts: 1054
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Mon Sep 09, 2019 8:01 pm

Silence Dogood wrote:
Tue Apr 30, 2019 6:49 pm
A good first step will be to urge financial institutions to implement app-based two-factor authentication as a replacement for SMS-based two-factor authentication (which should be disbanded completely). Financial institutions could do this by the end of this year if they really wanted to.
Here's another reason why Vanguard should support app-based two-factor authentication.

RudyS
Posts: 1556
Joined: Tue Oct 27, 2015 10:11 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by RudyS » Mon Sep 09, 2019 8:54 pm

midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
I'm that old-fashioned too. Because I'm that old.

midareff
Posts: 6307
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Man’s life savings stolen from hijacked cellphone number

Post by midareff » Tue Sep 10, 2019 7:46 am

RudyS wrote:
Mon Sep 09, 2019 8:54 pm
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
I'm that old-fashioned too. Because I'm that old.
It just doesn't seem to make sense to me to have something that you can lose, misplace, get pick-pocketed or wi-fi hacked contain financial data.

lostdog
Posts: 1911
Joined: Thu Feb 04, 2016 2:15 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by lostdog » Tue Sep 10, 2019 9:16 am

Vulcan wrote:
Sun Apr 28, 2019 9:17 am
acegolfer wrote:
Sun Apr 28, 2019 8:23 am
Vulcan wrote:
Sun Apr 28, 2019 8:11 am
cdu7 wrote:
Sun Apr 28, 2019 8:05 am
https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center worker to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
I use a Google Voice number for 2FA.
Do you use 2 different google accounts, 1 for email and another for google voice?
Same account. I consider my e-mail to be the 2nd factor, and GV-based SMS is just another way to receive an email.

My Google account is the only key to my kingdom, and it is in turn protected by 2FA.
Now you can add their Advanced Protection service.

anon_investor
Posts: 272
Joined: Mon Jun 03, 2019 1:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by anon_investor » Tue Sep 10, 2019 9:26 am

Silence Dogood wrote:
Mon Sep 09, 2019 8:01 pm
Silence Dogood wrote:
Tue Apr 30, 2019 6:49 pm
A good first step will be to urge financial institutions to implement app-based two-factor authentication as a replacement for SMS-based two-factor authentication (which should be disbanded completely). Financial institutions could do this by the end of this year if they really wanted to.
Here's another reason why Vanguard should support app-based two-factor authentication.
Yes! I am waiting for Vanguard to support this. I don't like the physical USB key option.

Longdog
Posts: 1335
Joined: Sun Feb 09, 2014 6:56 pm
Location: Philadelphia

Re: Man’s life savings stolen from hijacked cellphone number

Post by Longdog » Tue Sep 10, 2019 9:41 am

Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
The devices you use for transactions do not come into play for this particular hack. If you use the same logins/passwords in multiple places (e.g., if you use the same login/password on a merchant account as you do on a financial account), and if you've enabled two-factor authentication, you could be susceptible.
Steve

Dottie57
Posts: 6721
Joined: Thu May 19, 2016 5:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Dottie57 » Tue Sep 10, 2019 11:24 am

Longdog wrote:
Tue Sep 10, 2019 9:41 am
Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
The devices you use for transactions do not come into play for this particular hack. If you use the same logins/passwords in multiple places (e.g., if you use the same login/password on a merchant account as you do on a financial account), and if you've enabled two-factor authentication, you could be susceptible.
I use different logins and passwords for financial institutions. I do use a password manager to store info needing security.

Vulcan
Posts: 923
Joined: Sat Apr 05, 2014 11:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Vulcan » Tue Sep 10, 2019 4:41 pm

lostdog wrote:
Tue Sep 10, 2019 9:16 am
Vulcan wrote:
Sun Apr 28, 2019 9:17 am
My Google account is the only key to my kingdom, and it is in turn protected by 2FA.
Now you can add their Advanced Protection service.
It requires a physical security key, of which I am not a fan, personally, for a number of reasons.

Push verification is a lot more convenient and plenty secure for me.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
