Posted on 01/24/2024 8:02:10 PM PST by 11th_VA
WASHINGTON (7News) — 7News is asking a security question that deals with your cell phone. How did a Maryland woman lose $17,000 even though she had two-factor authentication on all her accounts?
It all started when Hussey got an email thanking her for the purchase of a new phone at Verizon. Minutes later her contact information at Bank of America had changed.
The problem? She didn't do either transaction and had two-factor authentication on her accounts.
“And the bottom just kind of dropped out,” added Hussey.
She called Bank of America, but her cell phone was no longer active. An online attempt required a verification code her phone couldn't receive.
Within minutes, her $17,000 was gone.
“Initially, I didn't realize how big of a deal it was. I thought I had handled it on the first day by calling the bank, calling Verizon. Figuring things out,” said Hussey.
Hussey told 7News that Verizon said someone in California walked into one of its stores and purchased a new phone along with a new SIM card and used Hussey's current phone number to activate the new phone.
When the new phone was turned on Hussey's phone went dead.
Hussey used a landline to contact Bank of America, but it was too late. Her $17,000 was gone.
“And I have two-factor identification which ended up biting me in the face when it all came down to it. That was the thing that completely hijacked everything. They had complete control of my phone and there was nothing I could do about it,” said Hussey.
SIM card swapping has been around for the past four years, but security experts told 7News that the scale of this type of scam has recently skyrocketed...
(Excerpt) Read more at wjla.com ...
“how did they know where she banks?”
Once they got access to the phone, they got access to all the apps she uses. She probably had an app for her bank on the phone as well as many other apps. Many apps store your log-in information and it connects you automatically the next time you use the app. Also, maybe a document with all of her passwords or a password manager.
I’m very vigilant but my wife isn’t. But my head is always spinning with all the accounts, all the log-in credentials, all the authenticator apps to use, my YubiKey, my security questions. A couple years ago, I began switching all my passwords over to very complex passwords created in LastPass or in the Apple OS Security feature. But there is no way to memorize those, so you MUST use a password manager. The one built into the Apple OS appears very good, but you must protect your computer with a tough log-in password.
Every day I reminisce fondly about black desk telephones with tangled cords, paper newspapers arriving at 6 am in the driveway, writing paper checks and keeping cash in my wallet.
I subscribed to IdentifyForce that keeps tabs on your digital presence and provides a million dollar insurance policy against losses like this. I’m not sure if the policy covers SIM Card theft, though.
Which is why I have always declined 2-factor for my financial stuff. It is a trap. It is not secure. I hope they (banks, etc.) get off it soon.
“because it’s too tedious”
Generally 2FA is easy. You get a text message. On some computers, that security key number will auto-fill into log-in pages. The problem is that 2FA with phones is not very secure as the article points out.
The best security is to use either an authenticator app or a physical token like a YubiKey. But both are pains in the keister.
Almost a year ago, I switched to “virtual credit cards” from Capital One. These are credit card numbers you create that are tied to a single merchant. They cannot be used at any other merchant. You can turn them on and off easily in their app and set expiration dates. All the virtual numbers roll up to your “real” credit card number, so your single statement shows all your purchases from all of your virtual cards. You also get a regular hard physical credit card to use in your wallet at stores. This is a HUGE security feature, especially if you use the virtual cards for auto-pay of monthly bills.
Wouldn't they need her Apple ID (or similar) to re-image her phone apps on the new phone?
“The banking system is a security mess.”
I wonder what the real security / fraud losses are at banks, businesses and other financial institutions every year? Reported numbers are $5 to $10 billion per year for banks. Worldwide credit card fraud is reported to be $40 billion.
The institutions have incentives to low-ball the public numbers. It’s probably $100 billion per year.
I have bank apps on my phone as well, but they require a password to sign in. I guess they could change that if they had other info like SS#, birth date, etc.
Yes, you are right and that is correct for an Apple iPhone. You need an Apple ID to activate the phone. That’s an excellent additional level of security.
But Android? I don’t know.
Plus damages. $250,000 would send the right message.
If that's true and this story gets out, Apple is likely to be flooded with new iPhone purchases.
OK - That makes me feel better. Plus my Credit Union only allows withdrawals of $300 per day max - I like that feature.
1. Do Not click on any link in an e-mail message
2. Do Not click on any link in a text message
3. Do Not copy any verification code from an e-mail message
4. Do Not copy any verification code from a text message
5. Learn your Internet browsers’ (plural) settings
6. Set up and use a specific Internet browser dedicated to signing on to financial institutions. Do Not use that Internet browser for any other activity. Example: You tour the Internet, using Chrome or Microsoft Edge. Use Firefox for signing-on to financial institutions.
7. Use a unique username for signing on at each website. Use a password generator to create such usernames; 6 - 8 characters is OK.
8. Use a unique password for signing on at each website. Use at least a 20 character password, created by a password generator.
9. Use a password wallet for storing your username-and-password combinations. Do Not store them in an Internet browser.
10. Always quit your Internet browser after signing-out; and, clear all cookies, cache, and history.
“you MUST use a password manager”
Yes
“if they had other info like SS#, birth date, etc”
There have been so many massive data leaks lately that this info is out there in the aggregated hacker databases.
I just got notice last week that Delta Dental lost its customer database to hackers. I’m sure our SSNs are in there because you provide it to all health care providers.
No bank / credit union apps on my phone.
Phones leak, not secure.
Computers are bad enough. I don’t run windows, that helps.
I sometimes wonder if I am paranoid enough....
Same here. I will not log into any financial or medical account from my smartphone. Same goes for our main email account.
The price of convenience is an increase in risk.
What about this bro?
I never use my debit card, other than at the ATM.
I always pay by credit card. If fraud is committed with my card (it's happened), I'm not on the hook for the amount.
I wonder if anyone has an opinion on these Bittium phones
As a computer scientist, I came to add more weight to what several others have said. The best advice is to use an Authenticator App or a physical security key, like a Yubikey.
The way these “SIM swap” operations work is like this: they somehow obtain your username and password to a particular website. But, the two-factor authentication (2FA) prevents them from logging in as you. So, they research and find out who you are, ultimately obtaining your cell phone number. If they can convince your carrier to transfer your number to a new phone, they can then intercept your texted 2FA codes. There is some speculation that these may even be “inside jobs”, where people get hired at the cell carriers just to help an organized crime-ring to co-opt people’s phone numbers.
An Authenticator App or security key thwarts this whole operation. Whenever possible, do not rely on texting as your 2FA. Security keys are the highest form of protection. I’m a bit shocked at how many financial institutions still do not offer authenticator apps as an option.
Don’t the thieves also need the username and password for any such SIM/2FA to be useful?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.