Posted on 01/24/2024 8:02:10 PM PST by 11th_VA
WASHINGTON (7News) — 7News is asking a security question that deals with your cell phone. How did a Maryland woman lose $17,000 even though she had two-factor authentication on all her accounts?
It all started when Hussey got an email thanking her for the purchase of a new phone at Verizon. Minutes later her contact information at Bank of America had changed.
The problem? She didn't do either transaction and had two-factor authentication on her accounts.
“And the bottom just kind of dropped out,” added Hussey.
She called Bank of America, but her cell phone was no longer active. An online attempt required a verification code her phone couldn't receive.
Within minutes, her $17,000 was gone.
“Initially, I didn't realize how big of a deal it was. I thought I had handled it on the first day by calling the bank, calling Verizon. Figuring things out,” said Hussey.
Hussey told 7News that Verizon said someone in California walked into one of its stores and purchased a new phone along with a new SIM card and used Hussey's current phone number to activate the new phone.
When the new phone was turned on, Hussey's phone went dead.
Hussey used a landline to contact Bank of America, but it was too late. Her $17,000 was gone.
“And I have two-factor identification which ended up biting me in the face when it all came down to it. That was the thing that completely hijacked everything. They had complete control of my phone and there was nothing I could do about it,” said Hussey.
SIM card swapping has been around for the past four years, but security experts told 7News that the scale of this type of scam has recently skyrocketed...
(Excerpt) Read more at wjla.com ...
It is from my SS payment.
I use a Verizon account for my wi-fi internet account.
On it I get a notice my bill is due. When I pay it online I get a “Thank You” notice it has been paid. When I clear these two notices off my Verizon hot spot, I get a third notice my account has been locked and I must call a certain number to get it released.
I simply clear that notice off and have had no problems with Verizon. I consider it to just be another scam.
In the private sector, we have the technology to track down hackers. I’ve seen the FBI hire these private contractors to identify and track down cryptocurrency hackers.
(And no, the FBI doesn’t have the skill to accomplish this level of tracking and security, despite all the stupid disinformation that the FBI sees all, knows all and has a roomful of Einsteins on its staff.)
The task was very complex and time-consuming, but the job got done.
11. STOP USING A CELL PHONE
12. STOP USING ELECTRONIC BANKING
Near the bottom of the linked article is this relevant paragraph:
“The challenge we have is these app developers need a universal identifier, and they’ve just decided that the phone number’s as good as anything. We don’t want national ID cards, and we don’t have any central authentication authority,” says Wisniewski. “They’re struggling to find something they can use to identify you, and sadly they’ve decided on the phone number, which is not incredibly secure.”
I recently had an issue that was similar but not phone related. Ended up having to close my Amazon account.
Best I can determine is that they forced my Amazon password. I received about 100 requests on my phone that someone was trying to get access to my account.
I was driving and by the time I was able to get off the road they had gained access and added a 3rd party authenticator to my account - likely another email as well. Every time I attempted a change they would get notified and I guess would use their 3rd party authentication to change it again.
I tried multiple times calling Amazon to explain the situation and eventually told them to just close it out. I haven’t really missed it, but I do lament the wish list of books I had built up that I lost.
This is why I trust no one: bank, phone, internet.
13. Do Not use your ISP's app on your mobile device. Example: myAT&T.app. I recommend deleting such apps.
14. Disable and Do Not use Bluetooth - so that Bluetooth is OFF for the duration of a connection with the Internet.
15. Get to know the Developer Tools > > Network [tool] of your Internet browser.
- - -
Google's Chrome Internet browser sends information about your computing device and Internet habits, journeys, tours, transactions, visits, etc. . . . back to Google and to "3rd parties." That "feature" of Google software phoning home, is built-in.
In order to have a chance at some security with your mobile device, Do Not use Google software unless you make a significant effort to learn about how javascript is involved with your Internet activity.
Brave Browser uses the same Chromium engine used by Google in Chrome, but Brave removes the "Google phones home" stuff.
See (the following is 2010 era info):
https://stackoverflow.com/questions/4243055/how-do-browsers-handle-javascript
EXCERPT:
The script sections of a web page are handled by the browser's JavaScript interpreter, which may be an intrinsic part of the browser but usually is a distinct module, sometimes even a completely distinct project (Chrome uses V8; IE uses JScript; Firefox uses SpiderMonkey; etc.).
When the HTML parser reaches a script element, all that the parser does is read and store the text through the ending tag (or retrieve the file referenced via the src attribute). Then, unless the author has used the defer or async attributes, all HTML parsing and rendering comes to a screeching halt and the HTML parser hands the script text off to the JavaScript interpreter.
The JavaScript interpreter interprets the JavaScript code in the context of the window object, and when done returns to the HTML parser, which can then continue parsing and displaying the page.
- - -
Using your Internet browser's Developer Tools > > Network [tool], you can begin to see that there are often various scripts that are read by your Internet browser.
How to Open Developer Tools:
I suggest that you use Microsoft Edge, or Brave Browser, as a learning platform.
- - -
If using MSFT Edge, in a new window, go to a website of a major bank; let's say, Chase:
Now open the MSFT Edge Internet browser's Developer Tools window and select the Network [tab].
Reload the Chase webpage.
In the MSFT Edge Developer Tools > > Network [tool] window, you *may* see a variety of items listing - some end with a " .js " for javascript.
Or, if MSFT Edge is already set to Block javascripts in general, then you might not see much of anything in that Developer Tools window.
- - -
Open another MSFT Edge, new window, and go to:
edge://settings/content/javascript
In that MSFT Edge settings window, somewhere just below the top, ALLOW blocking for all javascripts.
Below that setting, there are two other sections, one is entitled "Block" and the other entitled "Allow"
You are going to play with those, blocking and/or allowing sources of javascripts.
When visiting Chase online, your Internet browser connects with:
experimentation.chase.com
reco.chase.com
secure.chase.com
sites.chase.com
static.chasecdn.com
www.chase.com
and other sources.
For the benefit of your learning, you can test the effect of Allow or Block, for each of those, or combinations thereof.
- - -
Having initially set the general javascript selection to Block.
Reload the Chase webpage . . . and see the result in your browser window, and see the result in your Developer Tools > > Network [tool] window.
Now, in the Allow section of the MSFT Edge Internet browser settings window,
Allow: www.chase.com
And reload the Chase webpage.
You will see more in the MSFT Edge Internet browser window, and see more in the Developer Tools > > Network [tool] window.
Play with the settings, and you will learn how to control which scripts are used by a browser, to render a webpage.
- - -
In general, hackers try to get some kind of a script onto your computing device, that hackers can use to collect information about your device, its credentials, and you. [Bluetooth is an avenue for such troubles.]
Many Internet users prefer convenience . . . instead of their taking the time to learn how to protect.
One of the easy paths for getting a script onto a computing device, is to place a link in an e-mail message or text message . . . and then wait for a user to nibble on the bait.
Some of the trouble, now, is: Banks, that learned back in the early 2000's "phishing expeditions," that links in e-mail messages IS NOT GOOD, have lapsed and returned to including a lot of links in e-mail messages.
And users who prefer convenience, click on those links. And then, some users end up clicking on malicious links in e-mail messages or text messages that are not actually from their bank(s).
- - -
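As an added illustration of the Network-tool exercise in the post above (not part of the original post): a DevTools Network capture can be saved as a HAR file, and this sketch counts which hosts served scripts and flags any host outside a list you expect. The sample capture, its paths, and the look-alike host under example.net are constructed for the example.

```javascript
// Constructed sample in HAR 1.2 shape (log.entries[].request.url / response.content.mimeType).
// Hostnames under chase.com / chasecdn.com come from the post; paths are made up.
const entry = (url, mimeType) => ({ request: { url }, response: { content: { mimeType } } });
const sampleHar = { log: { entries: [
  entry("https://www.chase.com/", "text/html"),
  entry("https://www.chase.com/app/main.js", "application/javascript"),
  entry("https://static.chasecdn.com/lib/vendor.js", "text/javascript"),
  entry("https://static.chasecdn.com/lib/ui.js", "application/javascript"),
  entry("https://sites.chase.com/styles/site.css", "text/css"),
  entry("https://secure.chase.com/auth/loader", "application/javascript; charset=utf-8"),
  entry("https://www.chase.com.example.net/t.js", "application/javascript"), // look-alike host
  entry("not a url", "application/javascript"), // malformed entry, must be skipped
] } };

// A request counts as a script if the MIME type says so or the path ends in .js.
function isScript(e) {
  const mime = (e.response?.content?.mimeType || "").toLowerCase();
  if (/(java|ecma)script/.test(mime)) return true;
  try { return new URL(e.request.url).pathname.toLowerCase().endsWith(".js"); }
  catch { return false; }
}

// Count script requests per hostname; entries with unparsable URLs are ignored.
function scriptHosts(har) {
  const counts = new Map();
  for (const e of har?.log?.entries ?? []) {
    if (!isScript(e)) continue;
    let host;
    try { host = new URL(e.request.url).hostname; } catch { continue; }
    counts.set(host, (counts.get(host) || 0) + 1);
  }
  return counts;
}

// Split script hosts into expected and unexpected.
// `expected` holds exact hostnames, or ".example.com" to match any subdomain.
// Matching is on the END of the hostname, so "www.chase.com.example.net"
// does not pass as a chase.com subdomain the way a substring check would let it.
function reviewHosts(har, expected) {
  const ok = [], unexpected = [];
  for (const host of [...scriptHosts(har).keys()].sort()) {
    const match = expected.some(x => (x.startsWith(".") ? host.endsWith(x) : host === x));
    (match ? ok : unexpected).push(host);
  }
  return { ok, unexpected };
}

console.log(reviewHosts(sampleHar, [".chase.com", "static.chasecdn.com"]));
```

Running the same functions on captures taken at different times shows when a page starts pulling scripts from a host it did not use before.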
Don’t misunderstand: SMS is better than nothing. It’s just the worst of the most common. Financial institutions are woefully unprepared for modern identity, and it’s only a matter of time before a big one is successfully phished. It’s not “if,” but “when.”
Many of us have been using NoScript or another addon with similar capabilities for over a decade.
I’d like to just tell about my security incident.
Last year, I was having issues accessing my email. I would reset the password, and no matter how complex I made it, in a week or two I’d be locked out again.
Then, on Jan 11, 2023 just before 5pm (normal people leaving work time), I got a text from PayPal that someone had requested a password reset. I called them and they told me there had been no access and my account was secure.
Then, I started getting spam text messages from every app you’ve ever heard of and many you haven’t - plus dozens of phone calls from all over the world. Then I got an e-mail from an e-mail address that actually came from @coinbase.com saying that there was an unauthorized access to my account and that they would call me and provided me the number it was coming from. A minute or so later I got a phone call from that number and they explained that there was an attempt to transfer out my assets, and they needed my two factor code to put in an objection on the blockchain or something like that to prevent the transfer, and it’s like 8 minutes or whatever for the network nodes to verify a transaction, so that’s how long I had or it would be lost. They NEVER asked for my password. I even said I didn’t know if I could trust them because I had gotten spam e-mails from @paypal.com before so I didn’t know if the @coinbase.com e-mail was authentic. They simply explained well they weren’t PayPal so they can’t speak to that. I checked my Coinbase app and I was indeed logged out from it (I had FaceID set up as my code so that wouldn’t let me in). I knew I was being cyberattacked and I didn’t know if I could trust them or not so I gave them the code. Obviously a bad idea in retrospect. I subsequently found out that Safari flagged the website I was given as an attack site - but Firefox (which I was using at the time) did not.
Then they had my cell phone deactivated and deleted my e-mail account from under me for good measure.
I was in fear for months that I had spyware or was being continually hacked or something, because I couldn’t figure out how it happened. Months later my dad got a notice from our cable company that they had had a security breach that allowed unauthorized password resets on people’s e-mail. And that’s when I finally figured out how they did it (except the @coinbase.com e-mail, that I still can’t explain). They reset my password, gave themselves access, and saw Coinbase e-mails. So when they were ready to strike and in control of my e-mail they sent a password reset request to Coinbase (which I presume is why I was logged out of my account), clicked the password link from an e-mail from Coinbase, and deleted the e-mail from my inbox so I would never see it. And they let it sit. Then, when I had reset my e-mail password and had access again, they struck, needing only the TFA code to complete the password reset, which I gave them, and they had control of my account.
I feel so stupid that I could fall for this - I know you shouldn’t blame the victim but I’m supposed to be smarter than that. And that’s the worst part, I know not to give out that information, but I got emotionally manipulated. They couldn’t have done it without my affirmative help. I filed an FBI report but of course nothing came of it.
So I guess that’s the point of my story. Even if you consider yourself smart you can fall victim. Be wary.
Bump for later