Tagged: 2FA

  • Geebo 8:00 am on March 18, 2024
    Tags: 2FA

    A cautionary tale of SIM swap scams 


    By Greg Collier

    The nightmare of having your entire digital existence commandeered by malicious actors is a chilling reality for one unfortunate family from the Chicago area. What began as a routine day turned into a months-long ordeal of trying to reclaim control over their smartphones and, by extension, their digital lives after falling victim to a SIM swap scam.

    SIM swapping, also known as SIM hijacking or SIM porting, is a type of cyberattack where a malicious actor fraudulently gains control of an individual’s phone number by tricking the victim’s mobile carrier into transferring the number to a SIM card under the attacker’s control. This process involves exploiting vulnerabilities in the carrier’s authentication procedures or social engineering techniques to obtain personal information about the victim, such as their account PIN or other identifying details. The term SIM swapping can be misleading because the attacker doesn’t actually require physical possession of the victim’s SIM card to carry out the attack.

    It all started when the family’s wireless account was hacked, leading to the takeover of not just one, but all five of the family’s smartphones linked to the account. Suddenly, their devices were rendered useless, stripped of cellular service, and locked out of essential apps and services.

    Unauthorized apps were installed on their phones, contact numbers were altered, and passwords to numerous accounts were changed without their consent. The financial toll was staggering, with losses totaling thousands of dollars in stolen funds from various platforms, including investment and cryptocurrency apps.

    It’s suspected that the attackers obtained access to the family’s mobile phone account either by stealing or correctly guessing the account’s PIN. Experts advise regular changes to PINs and caution against using easily guessable information, such as birthdates, as security credentials. Moreover, limiting the dissemination of personal details on social media platforms can help mitigate the risk of identity theft.

    To mitigate the risk of SIM swapping attacks, individuals can take several precautionary measures. Avoid using easily guessable or recycled passwords, and consider using a password manager to securely store and manage your credentials. Whenever possible, use authentication methods beyond SMS-based two-factor authentication (2FA), such as app-based authentication or hardware security keys.

    Again, it’s not recommended to use text messaging to receive your authorization codes. Instead, it’s recommended you use an authenticator app along with a biometric authentication such as a fingerprint scanner. This way, your 2FA information is tied to your device and not your phone number.

     
  • Geebo 8:00 am on March 14, 2024
    Tags: 2FA

    Bank accuses another Zelle scam victim of being a scammer 


    By Greg Collier

    A Houston, Texas single mother was recently ensnared by a string of fraudulent transactions conducted via the personal payment app Zelle.

    On December 26, the day after Christmas, the victim received an alert notifying her that an unknown recipient had been added to her Zelle account. Alarmingly, $1,000 had already been withdrawn without her authorization. Thankfully, Chase Bank recognized the fraudulent activity and promptly refunded the money.

    Then in January, the fraudulent transactions started again. In a relentless spree spanning three days, the scam artists persistently hacked into the victim’s Zelle account. They succeeded in withdrawing $1,500 initially, followed by $5,400, and then an additional $1,000, culminating in a total loss of $7,900. Alarmingly, these transactions occurred despite the victim having already reported the fraudulent activity.

    The victim diligently filed reports with the Houston Police Department, the FBI, and the Federal Trade Commission. However, Chase Bank shockingly denied her claims, going as far as to insinuate that she was the perpetrator of the scam. Allegedly, Chase even told the victim, “You probably should just admit that this was you that did this.”

    Once again, despite banks encouraging their customers to utilize Zelle, they frequently fail to support those who fall victim to scams through the app. Regrettably, this scenario isn’t isolated, as there have been numerous instances where the bank accuses the victim of being complicit in the scam. While it’s just anecdotal evidence on our part, the name of that bank always seems to be Chase. There’s an old saying in business that says, “It takes many good deeds to build a good reputation, and only one bad one to lose it.” Accusing customers of being scammers is not the good deed Chase may think it is.

    There is a way to protect yourself from fraudulent Zelle transactions, and that’s by enabling two-factor authentication on your banking app. This means that even if someone obtains your username or password, they won’t be able to access your account and steal money.

    While having any form of two-factor authentication (2FA) is better than none, it’s not advisable to rely on text messaging for receiving authorization codes. Instead, it’s recommended to utilize an authenticator app in conjunction with biometric authentication, such as a fingerprint scanner. This approach ensures that your 2FA data is linked to your device rather than your phone number.

     
  • Geebo 9:00 am on January 26, 2024
    Tags: 2FA

    Is two-factor authentication to blame for SIM-swapping scam? 

    By Greg Collier

    A SIM-swapping scam, also known as SIM hijacking or SIM card swapping, is a type of fraud in which attackers take control of an individual’s mobile phone number by tricking the mobile carrier into transferring the phone number to a new SIM card. The goal of the scam is to gain access to the victim’s sensitive information, such as personal data, financial accounts, and online accounts tied to the phone number. For this scam to take place, a scammer does not need physical possession of your phone or its SIM card.

    With control of the victim’s phone number and possibly access to their email or other accounts, the attacker can reset passwords, access sensitive information, and potentially engage in identity theft or financial fraud. What makes the SIM-swapping scam so appealing to scammers is the fact that little to no interaction with the victim is required.

    Recently, a woman from Maryland lost $17,000 to a SIM-swapping scam. Someone in California walked into a Verizon store and activated a new phone on a new SIM card using the victim’s phone number and information. Once that transaction took place, the victim’s phone was no longer active. From there, the scammers were able to use the victim’s phone account to access her bank account and empty it of $17,000.

    The news report about the victim’s financial loss makes it a point to show the victim had two-factor authentication enabled on most of her online accounts. Unfortunately, the SIM-swapping scam is specifically designed to circumvent two-factor authentication.

    Two-factor authentication (2FA) is a security process that requires users to provide two different authentication factors to verify their identity before gaining access to an account, system, or application. The purpose of 2FA is to add an extra layer of security beyond just a username and password. Most people who enable 2FA on their accounts use text messaging to receive their one-time 2FA code. If a SIM swap is carried out on a phone number where 2FA codes are being sent, the scammers not only have control of your phone account, but can also receive your 2FA authorization codes.

    While any 2FA is better than having none, it’s not recommended to use text messaging to receive your authorization codes. Instead, it’s recommended you use an authenticator app along with a biometric authentication such as a fingerprint scanner. This way, your 2FA information is tied to your device and not your phone number.

    To better protect yourself from a SIM-swapping attack, set a unique personal identification number (PIN) or password with your mobile carrier to add an extra layer of security.

     
  • Geebo 9:00 am on March 7, 2023
    Tags: 2FA

    Thousands lost in SIM-swapping attack 


    By Greg Collier

    If you own a smartphone, how lost would you be without it? We’re not talking about losing your phone in the couch cushions. We mean, how much would your personal life be at risk if your phone was stolen? For many, their smartphone is the only device they need to conduct their lives. For even more, their entire lives are contained in their smartphone. Bank accounts, email, family photos, and schedules are just a few of the things that could be accessed through a stolen smartphone. Now, what if we told you that you can lose all these things from your phone without physically losing the device?

    SIM-swapping is a type of cybercrime where an attacker takes control of a victim’s mobile phone number by tricking the victim’s mobile carrier into transferring the number to a new SIM card. Once the attacker has control of the phone number, they can use it to access the victim’s online accounts, such as email, social media, and financial accounts, which often rely on text messaging for two-factor authentication. Then the attacker can not only access your accounts, but they can lock you out of them as well.

    Recently, a man from Colorado lost $24,500 out of his savings account after his phone received a SIM-swapping attack. The victim received an email from his bank that a large transfer was being made, but by the time he was able to contact his bank, the transfer had already gone through. You can almost imagine the shock on his face when he tried to call his bank, only to find out his phone had no service.

    There are several effective ways to protect yourself from SIM-swapping. One is to use an authenticator app instead of relying on text messages for two-factor authentication. Authenticator apps are linked to a device instead of a phone number, making them more secure. Additionally, it’s important to avoid using accurate information for security questions on online accounts, such as high school mascots or pet names, as this information can often be found on social media. Lastly, you can contact your carrier and request that they disallow any device switches on your account, but keep in mind that to unfreeze your account, you may need to visit a carrier store and present identification.

     
  • Geebo 8:00 am on August 31, 2022
    Tags: 2FA

    Victim loses $40K in bank scam 

    By Greg Collier

    A man from the Central Valley region of California recently lost close to $40,000 in a bank scam. As far as we can tell, Zelle wasn’t even used, which is a rarity these days. The man received a phone call from someone claiming to be from the fraud department at Bank of America. The caller is said to have told the man that there were fraudulent transactions on his account. But before the ‘fraud department’ could help him, they said they needed the man to give them a six-digit code they were sending to him, so he could verify his identity.

    The man gave the caller the code, and we’ll get to the importance of that in just a bit. The caller then told the man that since there was fraudulent activity on his account, they needed to shut down the online banking option on his account. The caller was actually a scammer who drained the man’s account of nearly $40,000 with several transactions.

    The most disturbing part of this scam is that the scammer already had the victim’s personal information. The victim didn’t have to give the caller any information, as the scammer was able to give the man’s personal information to him. The scammer even disabled the notifications the man should have received when the scammer started taking large amounts out of the man’s account.

    So how was the scammer able to access the man’s bank account? The news article doesn’t go into detail about that. However, if we were to hazard a guess, it seems like the scammer already had all the information needed to access the man’s account. The information could have been obtained through any number of data breaches that have happened in the past few years.

    The only thing the scammer really needed to access the account was the authorization code. Many banks require their customers to secure their accounts using a two-factor authentication code. So even if someone tries to log in to a bank account with the username and password, they’ll still need the 2FA code that’s typically sent to the customer’s text messages. Once the scammer was able to obtain that code, they had complete access to the man’s bank account.

    Anytime you receive a phone call from your bank, especially about fraudulent activity, hang up and call the bank back using the number on the back of your debit card. Scammers almost always spoof the number they’re calling from. Also, never give anyone any authorization code over the phone. These codes aren’t just used for banking, either, as many online accounts can be hijacked if someone were to give this number out.

     
  • Geebo 8:00 am on July 26, 2021
    Tags: 2FA

    Bank scam targets gig economy workers 


    By Greg Collier

    For better or worse, millions of people have turned to work in the gig economy either as their primary income or as a secondary source of revenue. The gig economy is where people work for non-traditional companies as independent contractors. For example, if you drive for Uber or Lyft, or deliver for Grubhub or DoorDash, you’re part of the gig economy. Working as an independent contractor for any one of these types of companies already comes with its own pitfalls. Many say that the companies are already taking advantage of their workers by removing protections that many traditional jobs have. If that wasn’t bad enough, scammers are now targeting gig workers’ bank accounts.

    A DoorDash driver from North Carolina was recently a victim of this scam, where he ended up losing $1,000. While making his rounds, he received a phone call from someone claiming to be from DoorDash. They told him to pull over somewhere safe and then said that the driver’s DoorDash account had been compromised. The scammers were even able to give him details from his own account. The scammers then instructed the man that they were going to send him an authorization code to save his account. All he had to do was tell them the code, which the driver did. When he went to get his payment from his DoorDash account, he discovered that the scammers had directed his payment away from his bank account and into theirs.

    Authorization codes are usually sent to customers of a service when they need to make a change to their account. This is part of what’s known as two-factor authentication. If someone is claiming to be a representative of that company, they won’t need an authorization code to make changes or protect your account, as they already have your information. This affects everyone too, not just gig workers, as many of the services we rely on every day require authorization codes to access them.

     
  • Geebo 8:00 am on October 21, 2020
    Tags: 2FA

    A Cash App scam that could happen on the street 


    Most scams that happen on payment apps like Cash App happen online. However, we just came across one that happens on the street.

    The report we found about this scam comes out of Nashville, Tennessee, but it could happen in any city. Nashville is known for its music scene, so there are a number of street musicians looking to get their name out there. There are also a number of scammers looking to take advantage of those interested in the music scene.

    The scammers will pose as a street musician and will approach a victim. The scammer will ask for the victim’s phone so they can pull up their music video on YouTube. Instead, the scammer accesses one of the victim’s payment apps like Cash App, Venmo, or PayPal and sends the victim’s money to themselves before fleeing the scene.

    While this particular approach may be exclusive to Nashville or any other city with a vibrant music scene, this scam could happen anywhere. You could be approached by someone asking to use your phone for an emergency where instead of calling someone they could be draining one of your payment app accounts.

    There are several ways to protect yourself against a scam like this. First off, it’s generally a good idea to never hand your phone over to someone you don’t know. Secondly, most of the leading payment apps have security features that prevent other people from accessing your account on your phone. Known as two-factor authentication, you can have a PIN set up to open the payment app or you could use your phone’s fingerprint reader to access your account. When these features are enabled, it goes a long way in preventing others from accessing your accounts on your phone.

     
  • Geebo 8:04 am on October 21, 2019
    Tags: 2FA

    Smart home camera hacked in baby’s room 


    A California CEO has written a column for The Mercury News where he relays the tale of how his smart home camera system was hacked. It is a rather harrowing tale, as the digital vandals used the speaker on the camera in the baby’s room to harass the family’s nanny. The anonymous voice on the other end of the camera was using profanity and even threatened to come take the baby at one point. It wasn’t until all the cameras were disconnected that the harassment stopped. The father later found out that this is a fairly common occurrence with internet-connected cameras, specifically the brand that he was using.

    The father then tried contacting the technical support arm of the corporation that manufactures the cameras and was on hold for over an hour. He also received emails that continued to push the idea of two-factor authentication to keep out would-be pranksters. The father was not satisfied with this response and has vowed not to use this brand of camera ever again. His outrage can be understood especially for parents with young children because you can never truly know who is watching your home while you’re unaware. A more sophisticated criminal could use such information gleaned from home cameras to tell when a home may be vulnerable to being robbed.

    [youtube https://www.youtube.com/watch?v=Tgfg4Dv2B2M]

    While the camera maker’s customer service may sound a little tone-deaf as far as the father’s mistrust is concerned, their advice about two-factor authentication is not wrong. 2FA, as it’s known, can go a long way in preventing these cameras from being hijacked. Also if you use the same password across multiple services you could be compromising your security greatly by making it easy for hackers to gain access to your devices. In this case, you may want to try some of the more reliable password managers out there. As we have said before, if you don’t take your internet security more seriously, it’s like having the most expensive lock that you just leave the key in.

     
  • Geebo 8:00 am on October 9, 2019
    Tags: 2FA

    Twitter leaks phone numbers to advertisers 


    We’ve mentioned two-factor authentication, or 2FA as it’s known, a few times lately. It’s the security protocol that has two or more layers of authentication that better secures your online accounts. The most common form of 2FA is through text messaging. For example, if you have 2FA enabled, when you sign in to an online account not only would you have to provide your password but you’d also have to provide a code that had been texted to you. While authentication sent through SMS texts isn’t the most secure form of 2FA it is better than nothing. However, thanks to so many platforms using SMS texting for 2FA it has led one platform to issue an apology recently.

    [youtube https://www.youtube.com/watch?v=07mRDyydCNY]

    Twitter recently announced phone numbers that users had registered with them for two-factor authentication were used for targeted advertising. The numbers were used to match users to marketing lists provided by advertisers. In some people’s eyes, that goes against everything that 2FA is supposed to stand for. One security expert even compared Twitter’s practice to that of trying to secure a tent against bears by using raw meat.

    Like we said, while SMS text messages are the most common form of 2FA, they’re not the most secure. There are alternatives that you can use that are more secure. There are hardware keys that act as authenticators that can be used on both computers and mobile devices. There are also free software alternatives that create something along the lines of a temporary secondary password that can be used for the second layer of authentication. This way, you won’t have to worry about even more robocalls from advertisers and other bad actors plaguing your phone.

     
  • Geebo 8:00 am on September 26, 2019
    Tags: 2FA

    When a smart home isn’t so smart 


    Many people think that they are better securing their home by installing smart devices. These devices can range from anything from cameras to door locks and anything in between. These classes of smart devices are known as the internet of things or IoT for short. That means that these devices are connected to the internet so the user can control them from just about anywhere. The major drawback to IoT devices is that they can also be controlled by bad actors if the user isn’t careful.

    A couple in Milwaukee found that out the hard way this week when someone was able to take control of some of their smart devices. The couple had a Nest camera and thermostat installed. When one of them came home they found that the thermostat was set at 90 degrees. After that, someone started verbally harassing them through the speaker on their security camera. Even after the couple changed all their passwords the abuse continued until the devices were disconnected. The couple lays the blame on Nest, which is owned by Google, but the fault may lie elsewhere.

    [youtube https://www.youtube.com/watch?v=xbk3OdYBLHA]

    It’s not hard to hack into IoT devices if the users are using the same password or weak passwords to secure their network and devices. Also, as we discussed with the recent YouTube hack, two-factor authentication (2FA) should also be enabled on these devices. While 2FA has its own flaws, it’s more secure than using an easily guessed password. These devices are designed to help protect your home, but if you’re not using 2FA it’s like having the most expensive lock that you just leave the key in.

     