
How a Trivial Mobile Phone Hack Ruins Life



"This is still very raw (I have not even told my family)," Coonce wrote in a desperate media post. "I cannot stop thinking about the little, simple things I could have done to protect myself this way."

On a Monday night in June, Matthew Miller's daughter woke him and said his Twitter account had been hacked. He had no cell phone service. Within days, Miller lost his Gmail and Twitter accounts and $25,000 from his family account.

In the case of Miller, the attacker disabled all of his Google services, deleting all of his tweets and blocking most of his 10K followers. After Miller got his phone back from the hacker, T-Mobile let the hacker steal it a second time. "I've considered changing my bank account number, social security number, and other accounts that are critical to living and working in the US," Miller wrote in a post. "I'm also crazy about using cloud services, so my strategy right now … is to write my passwords on paper and keep everything else out of the cloud."

Both men were victims of SIM swap attacks, in which someone uses personal information to persuade the victim's wireless service provider to transfer the number and associated telephone account to a device owned by the attacker. With control of your phone number and your account, all connected accounts are automatically opened, usually starting with e-mail. The attacker changes the information in your accounts so that you cannot get them back, sets up e-mail forwarding in case you regain control of your e-mail, and scans all the documents stored in the cloud for valuable things.

It is a uniquely personal and invasive attack. Thanks to Coonce and Miller, we now know much more about how these attacks are carried out and how horrible the destruction is. In Miller's case, we learned how unhelpful T-Mobile, Google, and Twitter were – on both Twitter and Google, Miller was trapped in a hell of filling in online account recovery forms and sending them into an abyss of automated replies. And for those who wonder, Miller used two-factor (text / SMS) as an additional layer of security for his accounts. But with his phone out of his hands, it did not matter.

Miller has finally regained his accounts, but only because he is special: in both articles on his experiences, Miller mentions his "well-connected friends" at both companies who helped him, and he uses his platforms as a technology journalist.

This is both sobering and problematic, because only a few regular users have this kind of permissions and access. As you probably do, I wonder what kind of hell everyone else would be in. Engadget has asked both Twitter and Google for a comment. At the time of publication, we had not received any response from Twitter.

According to Google, victims of account theft should complete this application form. The company also released information to minimize SIM swap attacks and hijacks in its October 2018 Google Security Checkup process and login security updates. Google also said that a SIM swap will not jeopardize a Google account that is protected by two-step verification.

In addition, the company stated that a non-SMS two-factor method (such as a YubiKey) would only qualify if the attacker knows the victim's password. Google recommends Google Prompt or Google Authenticator, with physical keys as the strongest form of two-factor. Google also said that SIM swap attacks are rare and limited to certain targets, and that most people do not need a two-factor method stronger than SMS (text-based).

Needless to say, Google's e-mail was a confusing answer given the details we learned about Coonce and Miller's SIM swap attacks and account hijacks. For one thing, I think it's too conservative to say that most people are fine if they use SMS as a second factor, and that most people should not worry about SIM swap attacks.

Especially if we look at the context of two important things. First, we hear more than ever about SIM swaps, and only about high-profile technicians – we do not hear what's happening to ordinary people. And second, there was a major security breach that turned an attack usually considered a high-volume targeted attack into a much easier way to raise money and steal accounts.

This T-Mobile security breach was actually a big deal.

Coonce uses AT&T, while Miller uses T-Mobile and Google Fi. The SIM porting process for both networks is highly insecure, with both companies exposing customer PINs for an unknown period in 2018, and T-Mobile recently suffered a breach of all the information required for a SIM swap attack.

According to AT&T documentation, only the information found on a current mobile phone bill is required for the transfer: account number, name of the account holder, billing address and "PIN or password, if applicable" – and it should be noted that this minimal billing information is all that is needed when someone "does not remember" their PIN or password. The same applies to a T-Mobile transfer: just the information on an invoice. However, it does not specify whether a password or PIN is required.

T-Mobile was hacked in August 2018 and the billing information of 2.5 million customers was stolen. The company assured the press that no financial data was compromised – but I bet that was not the point. It was all this great billing information that attackers could use to gain much more through SIM porting and the theft of people's phone numbers and accounts.

The day after T-Mobile's news, a researcher discovered that all T-Mobile and AT&T PINs for customer accounts had been exposed for an unknown time by website bugs.

Obviously, the SIM porting processes at both companies needed to be made more secure a long time ago – around the time we started living our entire lives on our phones. For T-Mobile, however, this became even more pressing after its massive breach. They have not done that, and here we are.

SOS – Save our SIMS.

or a technique that I offer or recommend to people can be used to prevent their SIM cards from being ported (exchanged, stolen). For example: "Here is this additional, annoying security step you can add to your SIM account." I have not done much to increase the SIM card security.

In January 2018, prior to T-Mobile quietly published a post about unauthorized SIM porting that recommends that customers add a secondary password to their accounts, which the company calls "port validation." However, the T-Mobile SIM transfer information page does not mention anything about port validation, not even as a link that could alert customers to this very serious threat.

On AT&T's "Prevent porting for identity protection" page, little is offered beyond "Do Not Give Up Your Phone Number" and "Keep Your Inbox Clean." AT&T's only additional security step is "Add All Additional Security Measures to Your AT&T Wireless Accounts." If you follow this link, you find out that the "extra security measures" only require someone to provide your PIN when they log in online, get secondary online access, or are in a retail store in person.

Yes, we're scratching our heads too. To put it bluntly, the extra AT&T security measures are nothing special, just the PIN requirements for online and in-person account management. As with T-Mobile, the AT&T customer information page on SIM transfers does not provide information on unauthorized SIM porting or additional security measures.

It's bad. And that's unlikely to change unless a senior executive at T-Mobile or AT&T experiences the horror of losing his Gmail account (along with Google Photos, Google Drive, Calendar, Contacts) and any number of his other accounts and, as with Miller and Coonce, having his Coinbase and financial accounts emptied.

Security mistakes have been made.

However, we can learn from the security mistakes that Coonce and Miller made before they lost their SIMs and connected accounts. Both state in their posts that they are not security nerds and admit that they did some lazy things with general account security that they deeply regret. Coonce wrote: "Given my naïve security practices, I probably deserve to be hacked – I understand – it does not hurt any less." "I urge you to learn from these mistakes."

It is therefore quite easy for attackers to steal our SIM cards (transferring our phone numbers with the associated account to a phone they control). Especially if you are on AT&T or T-Mobile and have not changed your PIN, because at the end of 2018 it was discovered that all customer PINs were exposed. This means that the security mistakes that Coonce and Miller refer to are not about securing their SIMs but about how their other accounts were secured, or not.

If we cannot protect our SIM cards, we need to make sure they do not grant access to a stranger.

One way both men could have prevented attackers from getting past two-factor is if they had instead used a physical USB security key, such as a YubiKey or Google's Titan, with accounts that are compatible with those keys. Yes, if you are in a hurry, they can be a pain in the ass, even if you carry them comfortably with your house keys on the keychain. However, if someone can intercept your text messages without you even knowing it, it's worth it not to lose your email account and have your account balance charged so a thief can buy Bitcoin dumbly.

Coonce and Miller regretted having so much personal information about themselves, but it's hard to see how anyone can prevent security breach data from being shared. Coonce emphasized that users should use an offline password manager (such as LastPass or 1Password) to create complicated passwords and store them securely. This should be done instead of letting your passwords be stored on operating systems, browsers, or your Google Account.

Miller in particular wished he had not used the handy "Sign in with your Facebook / Google / etc account" button in apps and web pages. "I used to just click the Facebook, Google, or Twitter button to set up an account or sign up," he wrote. "I'm done with it and have relinquished comfort for safety reasons."

Images: Diy13 via Getty Images (hacker with phone); Talaj via Getty Images (SIM with crowbar)

