Tagged: two factor authentication

  • Geebo 8:00 am on March 18, 2024
    Tags: two factor authentication

    A cautionary tale of SIM swap scams

    By Greg Collier

    The nightmare of having your entire digital existence commandeered by malicious actors is a chilling reality for one unfortunate family from the Chicago area. What began as a routine day turned into a months-long ordeal of trying to reclaim control over their smartphones and, by extension, their digital lives after falling victim to a SIM swap scam.

    SIM swapping, also known as SIM hijacking or SIM porting, is a type of cyberattack where a malicious actor fraudulently gains control of an individual’s phone number by tricking the victim’s mobile carrier into transferring the number to a SIM card under the attacker’s control. This process involves exploiting vulnerabilities in the carrier’s authentication procedures or social engineering techniques to obtain personal information about the victim, such as their account PIN or other identifying details. The term SIM swapping can be misleading because the attacker doesn’t actually require physical possession of the victim’s SIM card to carry out the attack.

    It all started when the family’s wireless account was hacked, leading to the takeover of not just one, but all five of the family’s smartphones linked to the account. Suddenly, their devices were rendered useless, stripped of cellular service, and locked out of essential apps and services.

    Unauthorized apps were installed on their phones, contact numbers were altered, and passwords to numerous accounts were changed without their consent. The financial toll was staggering, with losses totaling thousands of dollars in stolen funds from various platforms, including investment and cryptocurrency apps.

    It’s suspected that the attackers obtained access to the family’s mobile phone account either by stealing or correctly guessing the account’s PIN. Experts advise regular changes to PINs and caution against using easily guessable information, such as birthdates, as security credentials. Moreover, limiting the dissemination of personal details on social media platforms can help mitigate the risk of identity theft.

    To mitigate the risk of SIM swapping attacks, individuals can take several precautionary measures. Avoid using easily guessable or recycled passwords, and consider using a password manager to securely store and manage your credentials. Whenever possible, use authentication methods beyond SMS-based two-factor authentication (2FA), such as app-based authentication or hardware security keys.

    Again, it’s not recommended to use text messaging to receive your authorization codes. Instead, it’s recommended you use an authenticator app along with biometric authentication, such as a fingerprint scanner. This way, your 2FA information is tied to your device and not your phone number.

     
  • Geebo 8:00 am on March 14, 2024
    Tags: two factor authentication

    Bank accuses another Zelle scam victim of being a scammer

    By Greg Collier

    A Houston, Texas single mother was recently ensnared by a string of fraudulent transactions conducted via the personal payment app Zelle.

    On December 26, the day after Christmas, the victim received an alert notifying her that an unknown recipient had been added to her Zelle account. Alarmingly, $1,000 had already been withdrawn without her authorization. Thankfully, Chase Bank recognized the fraudulent activity and promptly refunded the money.

    Then in January, the fraudulent transactions started again. In a relentless spree spanning three days, the scam artists persistently hacked into the victim’s Zelle account. They succeeded in withdrawing $1,500 initially, followed by $5,400, and then an additional $1,000, culminating in a total loss of $7,900. Alarmingly, these transactions occurred despite the victim having already reported the fraudulent activity.

    The victim diligently filed reports with the Houston Police Department, the FBI, and the Federal Trade Commission. However, Chase Bank shockingly denied her claims, going as far as to insinuate that she was the perpetrator of the scam. Allegedly, Chase even told the victim, “You probably should just admit that this was you that did this.”

    Once again, despite banks encouraging their customers to utilize Zelle, they frequently fail to support those who fall victim to scams through the app. Regrettably, this scenario isn’t isolated, as there have been numerous instances where the bank accuses the victim of being complicit in the scam. While it’s just anecdotal evidence on our part, the name of that bank always seems to be Chase. There’s an old saying in business that says, “It takes many good deeds to build a good reputation, and only one bad one to lose it.” Accusing customers of being scammers is not the good deed Chase may think it is.

    There is a way to protect yourself from fraudulent Zelle transactions, and that’s by enabling two-factor authentication on your banking app. This means that even if someone obtains your username or password, they won’t be able to access your account and steal money.

    While having any form of two-factor authentication (2FA) is better than none, it’s not advisable to rely on text messaging for receiving authorization codes. Instead, it’s recommended to utilize an authenticator app in conjunction with biometric authentication, such as a fingerprint scanner. This approach ensures that your 2FA data is linked to your device rather than your phone number.

     
  • Geebo 9:00 am on January 26, 2024
    Tags: two factor authentication

    Is two-factor authentication to blame for SIM-swapping scam? 

    By Greg Collier

    A SIM-swapping scam, also known as SIM hijacking or SIM card swapping, is a type of fraud in which attackers take control of an individual’s mobile phone number by tricking the mobile carrier into transferring the phone number to a new SIM card. The goal of the scam is to gain access to the victim’s sensitive information, such as personal data, financial accounts, and online accounts tied to the phone number. For this scam to take place, a scammer does not need physical possession of your phone or its SIM card.

    With control of the victim’s phone number and possibly access to their email or other accounts, the attacker can reset passwords, access sensitive information, and potentially engage in identity theft or financial fraud. What makes the SIM-swapping scam so appealing to scammers is the fact that little to no interaction with the victim is required.

    Recently, a woman from Maryland lost $17,000 to a SIM-swapping scam. Someone in California walked into a Verizon store and activated a new phone on a new SIM card using the victim’s phone number and information. Once that transaction took place, the victim’s phone was no longer active. From there, the scammers were able to use the victim’s phone account to access her bank account and empty it of $17,000.

    The news report about the victim’s financial loss makes it a point to show the victim had two-factor authentication enabled on most of her online accounts. Unfortunately, the SIM-swapping scam is specifically designed to circumvent two-factor authentication.

    Two-factor authentication (2FA) is a security process that requires users to provide two different authentication factors to verify their identity before gaining access to an account, system, or application. The purpose of 2FA is to add an extra layer of security beyond just a username and password. Most people who enable 2FA on their accounts use text messaging to receive their one-time 2FA code. If a SIM swap is carried out against a phone number that 2FA codes are being sent to, the scammers not only have control of your phone account, but can also receive your 2FA authorization codes.

    While any 2FA is better than having none, it’s not recommended to use text messaging to receive your authorization codes. Instead, it’s recommended you use an authenticator app along with biometric authentication, such as a fingerprint scanner. This way, your 2FA information is tied to your device and not your phone number.

    To better protect yourself from a SIM-swapping attack, set a unique personal identification number (PIN) or password with your mobile carrier to add an extra layer of security.

     
  • Geebo 9:00 am on March 7, 2023
    Tags: two factor authentication

    Thousands lost in SIM-swapping attack

    By Greg Collier

    If you own a smartphone, how lost would you be without it? We’re not talking about losing your phone in the couch cushions. We mean, how much would your personal life be at risk if your phone was stolen? For many, their smartphone is the only device they need to conduct their lives. For even more, their entire lives are contained in their smartphone. Bank accounts, email, family photos, and schedules are just a few of the things that could be accessed through a stolen smartphone. Now, what if we told you that you can lose all these things from your phone without physically losing the device?

    SIM-swapping is a type of cybercrime where an attacker takes control of a victim’s mobile phone number by tricking the victim’s mobile carrier into transferring the number to a new SIM card. Once the attacker has control of the phone number, they can use it to access the victim’s online accounts, such as email, social media, and financial accounts, which often rely on text messaging for two-factor authentication. Then the attacker can not only access your accounts, but they can lock you out of them as well.

    Recently, a man from Colorado lost $24,500 out of his savings account after his phone was hit by a SIM-swapping attack. The victim received an email from his bank that a large transfer was being made, but by the time he was able to contact his bank, the transfer had already gone through. You can almost imagine the shock on his face when he tried to call his bank, only to find out his phone had no service.

    There are several effective ways to protect yourself from SIM-swapping. One is to use an authenticator app instead of relying on text messages for two-factor authentication. Authenticator apps are linked to a device instead of a phone number, making them more secure. Additionally, it’s important to avoid using accurate information for security questions on online accounts, such as high school mascots or pet names, as this information can often be found on social media. Lastly, you can contact your carrier and request that they disallow any device switches on your account, but keep in mind that to unfreeze your account, you may need to visit a carrier store and present identification.

     
  • Geebo 8:00 am on October 18, 2022
    Tags: two factor authentication

    This phone scam could steal your life 

    By Greg Collier

    How much of a panic would you be in if you lost your phone? Can your personal or business email accounts be accessed through your phone? Is your phone locked with a PIN or password? Or is it secured using a fingerprint or facial ID? Do you have banking apps that require a PIN or fingerprint to access? Could any random stranger just pick up your phone and start accessing your money and information? Even if your phone is completely locked down and secure from physical access by outsiders, there’s still a way you can lose all access to your phone without actually losing your phone.

    There is a scam out there that most mobile phones are vulnerable to, and it’s known as SIM-swapping. The name SIM-swapping is a misnomer, since physical access to your phone’s SIM card is not necessary. SIM-swapping works when scammers or identity thieves contact your mobile phone carrier and pose as you. The scammer will use information they’ve found out about you to convince the phone carrier they are you. This is known as social engineering.

    Once the scammer convinces the phone carrier that they’re you, they’ll have the phone company switch your service from your phone to theirs. As soon as that happens, the scammers have direct access to your phone number and text messages. Since most of us who use two-factor authentication have the authorization codes sent to our text messages, the scammers can then access any number of your personal accounts, including your financial accounts.

    This recently happened to a victim from Tennessee. She had received a text message from her carrier indicating a change on her account before her phone service went completely dead. She called her carrier, and another name had been added to the account. By the time she had her service restored, scammers had transferred thousands out of her bank account through the Zelle app.

    There are ways to protect yourself from SIM-swapping. One way is to use an authenticator app instead of using text messages for your two-factor authentication. Authenticator apps are tied to the device instead of being tied to a phone number. Also, when filling out your security questions for online accounts, don’t give the correct answers. Information like your high school mascot or your pet’s name can be discovered on your social media. Lastly, you can contact your carrier and tell them not to allow any device switching on your account. However, to get your account unfrozen, you may have to visit your carrier’s store with your ID.

     
  • Geebo 8:00 am on August 31, 2022
    Tags: two factor authentication

    Victim loses $40K in bank scam 

    By Greg Collier

    A man from the Central Valley region of California recently lost close to $40,000 in a bank scam. As far as we can tell, Zelle wasn’t even used, which is a rarity these days. The man received a phone call from someone claiming to be from the fraud department at Bank of America. The caller is said to have told the man that there were fraudulent transactions on his account. But before the ‘fraud department’ could help him, they said they needed the man to give them a six-digit code they were sending to him, so he could verify his identity.

    The man gave the caller the code, and we’ll get to the importance of that in just a bit. The caller then told the man that since there was fraudulent activity on his account, they needed to shut down the online banking option on his account. The caller was actually a scammer who drained the man’s account of nearly $40,000 with several transactions.

    The most disturbing part of this scam is that the scammer already had the victim’s personal information. The victim didn’t have to give the caller any information, as the scammer was able to give the man’s personal information to him. The scammer even disabled the notifications the man should have received when the scammer started taking large amounts out of the man’s account.

    So how was the scammer able to access the man’s bank account? The news article doesn’t go into detail about that. However, if we were to hazard a guess, it seems like the scammer already had all the information needed to access the man’s account. The information could have been obtained through any number of data breaches that have happened in the past few years.

    The only thing the scammer really needed to access the account was the authorization code. Many banks require their customers to secure their accounts using a two-factor authentication code. So even if someone tries to log in to a bank account with the username and password, they’ll still need the 2FA code that’s typically sent to the customer’s text messages. Once the scammer was able to obtain that code, they had complete access to the man’s bank account.

    Anytime you receive a phone call from your bank, especially about fraudulent activity, hang up and call the bank back using the number on the back of your debit card. Scammers almost always spoof the number they’re calling from. Also, never give anyone any authorization code over the phone. These codes aren’t just used for banking, either, as many online accounts can be hijacked if someone were to give this number out.

     
  • Geebo 8:00 am on June 23, 2022
    Tags: two factor authentication

    Marketplace scam could send angry strangers to your home

    By Greg Collier

    Typically, when we discuss scams carried out through Facebook Marketplace, they’re the ones that plague a lot of online marketplace platforms. Of course, there’s the fake check/overpayment scam. Lately, the Google Voice verification scam has been popular on Marketplace. There have also been a number of rental scams, just to name a few. Now, a new scam has been reported that could have unintended consequences for all victims involved.

    According to a report out of Tulsa, Oklahoma, scammers are hijacking the Facebook accounts of their victims through phishing attacks. The report states specifically that the scammers are posing as old friends that you may not have heard from in a while. However, the scammers use the hijacked accounts to place items for sale on Marketplace that don’t actually exist. While some of the items have been mundane, like furniture, other listings have been advertising purebred puppies.

    As we have seen with previous puppy scams, scammers will often list a fake address to make their scam seem more legitimate. This has led to victims showing up to homes where they think they’re about to get a puppy, only to be turned away in disappointment. While some victims understood the situation, others have become angry at the people living at the address listed, thinking that the residents are part of the scam.

    If scammers are collecting money through apps like Venmo, Cash App, or Zelle, they could be sending their victims to the address of a person with a hijacked Facebook account. This scam could potentially lead to a violent encounter.

    The best way to protect yourself is to keep your Facebook account secure. Consider making your account private to your friends and family only. Use a password that can’t be guessed easily. For that, you can use a password generator service. Even most modern web browsers have a password manager built in. Lastly, you should enable two-factor authentication on your Facebook account. This means there would be a two-step process for signing in to your Facebook account.

    While none of these methods are foolproof, they do go a long way in keeping your digital life secure.

    Video: Stolen Facebook account posts fake ads, sends strangers to woman’s doorstep

     
  • Geebo 8:00 am on June 20, 2022
    Tags: two factor authentication

    FBI warns of social media cash scam

    By Greg Collier

    The advent of personal payment apps like Cash App, Venmo, and Zelle has given rise to a new generation of scams. One of the most egregious scams is the cash flipping scam. This is mostly associated with Cash App, although it has appeared on other platforms. Cash flipping is when scammers try to convince their victims that they’ll give the victims a lot of money in exchange for a little money.

    For example, a scammer may promise victims $500 if the victims send the scammers $50 through Cash App. Once the victim sends the money through Cash App, the scammer blocks the victim and keeps their money. The scam is given legitimacy since Cash App itself holds giveaways called #CashAppFridays. Cash App policies give little recourse to victims in scams like this. Payments can often only be refunded if the person who receives the payment cancels the transaction.

    Recently, the Las Vegas office of the FBI has issued a warning about cash flipping scams. They say that scammers are using hijacked social media accounts to approach victims through private messages. Often these hijacked accounts show pictures of people with large amounts of cash to try and make the scam seem on the up and up.

    If the scammers don’t break off contact immediately, they’ll claim Cash App is holding up the transaction. The victim will then be instructed to use a certain email address on their Cash App account to make the transaction go through. This then allows the scammers to hijack the Cash App account itself.

    To avoid this scam, the FBI recommends using two-factor authentication on your payment and social media apps. While this can be an inconvenience to some, it goes a long way in keeping online accounts secure. If the scammers ever request any kind of verification code number, they’re trying to circumvent your two-factor authentication, and that code should never be given out to anyone.

    Lastly, people don’t get rich by giving away money for free. As with most scams, if it sounds too good to be true, it probably is.

     
  • Geebo 8:00 am on July 28, 2021
    Tags: red light camera, TSA PreCheck, two factor authentication

    Scam Round Up: Red Lights, the TSA, and Google Voice

    By Greg Collier

    Every so often, we come across scams that may not warrant an entire blog post. So here are three scams that caught our attention this week that can be briefly summed up.

    In Renton, Washington, scammers are sending emails to victims claiming that the victim ran a red light and was caught on one of the city’s red light cameras. The email contains a link where you’re supposed to pay your fine but, of course, the payment goes to the scammer instead. What makes this scam effective is that many jurisdictions use a third-party online platform to collect some traffic fines. However, you can tell that this is a scam since most, if not all, cities send their red light tickets through the postal mail and not by email. Most states don’t even have your email address connected to your license plate number.

    ***

    If you travel a lot for business or leisure, you may have thought of signing up for TSA PreCheck. This program allows low-risk individuals to pay for a service where they can have an expedited security check when flying. As with a lot of government services, scammers are trying to trick PreCheck seekers into giving up their personal info by creating phony websites that claim they can register you with PreCheck. Again, there is a simple solution to this scam, but not everyone is aware of it. Only websites that have a .gov address can register you for PreCheck. Some of these scam websites may even have a .us address. Anybody can purchase a .us domain name, and it is not under the authority of the US Government. You can apply for TSA PreCheck at the TSA website.

    ***

    Our last scam for today is one we’ve previously discussed and also affects Geebo’s industry. If you’re selling something online, whether it’s with Geebo or someone else, be wary if someone says they want to prove ‘you’re real’. An authorization code will be sent to you and the buyer will ask for that code number. Do not give it to them. They’re trying to set up a Google Voice number that would be tied to your phone number. This way, they could continue scamming people using the Google Voice number, but the activity would be traced back to you. This recently happened to a woman from New Hampshire who was selling her items on Facebook Marketplace.

    ***

    Please keep in mind that even though these scams may not be happening in your area, that doesn’t mean that they soon won’t be.

     
  • Geebo 8:00 am on July 26, 2021
    Tags: two factor authentication

    Bank scam targets gig economy workers

    By Greg Collier

    For better or worse, millions of people have turned to work in the gig economy either as their primary income or as a secondary source of revenue. The gig economy is where people work for non-traditional companies as independent contractors. For example, if you drive for Uber or Lyft, or deliver for Grubhub or DoorDash, you’re part of the gig economy. Working as an independent contractor for any one of these types of companies already comes with its own pitfalls. Many say that the companies are already taking advantage of their workers by removing protections that many traditional jobs have. If that wasn’t bad enough, scammers are now targeting gig workers’ bank accounts.

    A DoorDash driver from North Carolina was recently a victim of this scam, where he ended up losing $1,000. While making his rounds, he received a phone call from someone claiming to be from DoorDash. They told him to pull over somewhere safe and then said that the driver’s DoorDash account had been compromised. The scammers were even able to give him details from his own account. The scammers then instructed the man that they were going to send him an authorization code to save his account. All he had to do was tell them the code, which the driver did. When he went to get his payment from his DoorDash account, he discovered that the scammers had directed his payment away from his bank account and into theirs.

    Authorization codes are usually sent to customers of whatever service if they need to make a change to their account. This is part of what’s known as two-factor authentication. If someone is claiming to be a representative of that company, they won’t need an authorization code to make changes or protect your account, as they already have your information. This affects everyone too, not just gig workers, as many of the services we rely on every day require authorization codes to access them.

     