I Thought It Couldn’t Happen
A customer’s phone number is hijacked
A customer came to me having suffered something called a SIM swap, where a criminal hijacked their mobile phone number. This not only left them without a mobile; with the criminal using their number, their bank account was hacked and a significant amount taken (which fortunately the bank reimbursed). To execute a SIM swap, the criminal has to ring the phone company and pass themselves off as you, which should mean that they need the relevant passwords and other information. For that reason, I previously considered it a difficult attack to pull off, but I have changed my opinion! We don’t know how it happened, but it is likely that their weak email password was compromised first, which gave the hacker a lot of background information and meant they could use that email address to ‘prove’ their identity. Then all it takes is a tearful performance on the phone – you know: you’re not at home right now, you can’t remember the secret word, your phone has been stolen, your mother is desperately ill in hospital and you must have a phone, so you need a SIM for the replacement you’ve just bought – and the helpful operator hands over your number to an impostor. They call that ‘social engineering’.
What makes it galling is that someone else was scammed, but you are the victim.
The first sign of problems was a text from the phone company saying they were about to transfer the number to a different phone. The customer wanted to ring them and stop that happening, but they couldn’t find a number to ring. By the time they managed it, it was too late.
They then realised that their Microsoft email wasn’t working because the password had been changed, and rang Microsoft to recover it. I believe they couldn’t remember enough security information to definitively prove who they were, so Microsoft refused to let them change the password for 30 days. That deters criminals, apparently, so long as they are not the patient sort.
Two things are illustrated by this unfortunate tale. First, if someone has your phone, or just your phone number, they can read any of those one-time codes that websites send by text when you’re about to change security information or passwords. Secondly, if they have access to your email, they can click the ‘forgotten password’ link on all the sites you do business with to get an email with a link that lets them lock you out while they plunder your savings. This incident could have been a lot worse, but equally, it could have been avoided with a little preparation.
The incident sent me hurrying to my phone provider to check it was secure. After a bit of a hunt on O2’s website I found the number to call. “If your device has been lost or stolen, we’re available 24 hours a day to help,” it says. I rang and got a message saying there was no-one in the office. Try after the bank holiday. That was concerning. In the end I used the ‘chat’ facility built into the website and explained what I wanted. A helpful chap asked for the answer to my security question (they don’t tell you what the question is, making it very hard to remember) and embarrassingly, I couldn’t find it anywhere. So he sent a link to my registered email address and I responded to it. But what if my email had been already compromised? I could still be a criminal. I wasn’t happy, but he assured me no-one could initiate a SIM swap without that security step. He pointed me to the right page on the website and I changed the security question/answer, and this time I made a secure note of my choice. Hopefully I am safe from that form of attack. It is not possible to change the security question without responding to a text sent to my phone.
What can we learn from this?
- Make sure all your passwords are secure, and all accounts are protected by two-factor authentication¹, especially email, social and any that risk financial loss (shopping, bank, financial).
- Agree a ‘security question’ or code (may be called something else) that you use to prove who you are when you ring your mobile phone company. Without it, no-one can pretend to be you. See whether you can set this on the company’s website, and if not, give them a ring. But if they won’t do this, I advise you to change phone company.
- You might have lost access to the Internet (and many providers don’t make it exactly easy to find these numbers on their website anyway), and you will need those numbers quickly, so write down the contact numbers for your mobile, banks and email providers, and keep the list somewhere you will remember.
- Keep all your alternate contact information up to date, especially with Microsoft and email providers.
- Treat any sign that something is wrong with the utmost urgency. Stem the leak before it spreads.
I am following this item up with some posts telling you in simple terms how you can give yourself a security check up and take some basic steps, some very low tech, to protect yourself. Please take a look now and save yourself some heartache.
¹ Two-factor authentication (2FA), also called two-step verification and multi-factor authentication (MFA), refers to having to complete an additional step after entering a password, such as entering a code sent to your phone as a text or to your email address, or sometimes entering certain characters from a ‘memorable word’. Ones that require your phone are safer, since the method combines something you know (a password) with something you have (the phone). As the tale on this blog shows, even that is not 100% secure, but it is a lot better than not having 2FA! If 2FA is enabled, 95% of all hacking attacks on small businesses are foiled, and it would have prevented the incident described here.
2FA can also be achieved with a plug-in security device (dongle) or biometrics (e.g. fingerprint reader, facial recognition, retina scanner). MFA would involve, say, a plug-in security device incorporating a fingerprint reader: something you know, something you have and something you are.