Jud Posted November 9, 2019
https://apple.news/A07YTbJ9QS5mfGjStr5KpGg
One never knows, do one? - Fats Waller
The fairest thing we can experience is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. - Einstein
Computer, Audirvana -> optical Ethernet to Fitlet3 -> Fibbr Alpha Optical USB -> iFi NEO iDSD DAC -> Apollon Audio 1ET400A Mini (Purifi based) -> Vandersteen 3A Signature.
cjf Posted November 9, 2019
10 minutes ago, Jud said: https://apple.news/A07YTbJ9QS5mfGjStr5KpGg
Article appears to only be viewable to subscribers
My Audio System - Last Updated May 20 2021
pkane2001 Posted November 9, 2019
21 minutes ago, cjf said: Article appears to only be viewable to subscribers
Not a new security threat, but still scary how easily this is accomplished, even today:
https://www.consumer.ftc.gov/blog/2019/10/sim-swap-scams-how-protect-yourself
https://www.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
https://www.vice.com/en_us/article/gyaqnb/hacker-joel-ortiz-sim-swapping-10-years-in-prison
https://krebsonsecurity.com/2019/05/nine-charged-in-alleged-sim-swapping-ring/
https://krebsonsecurity.com/2019/01/stole-24-million-but-still-cant-keep-a-friend/
-Paul
DeltaWave, DISTORT, Earful, PKHarmonic, new: Multitone Analyzer
Jud Posted November 9, 2019
38 minutes ago, cjf said: Article appears to only be viewable to subscribers
Sorry about that. For those with iPhones, it's a Wall Street Journal article available on Apple News+. It's about a method of hacking through the security of a phone known as "sim-swapping," which doesn't actually involve stealing the SIM in your phone, but rather gaining enough information to hack an email account (surprisingly easy with "lost password" procedures) and thereby stealing your identity (could be a matter of minutes). From there they get into financial accounts - the fellow in the article had $24 million worth of cryptocurrency stolen.
Edit: Paul's last link appears to be about this case. Good idea to read up (Krebs has a good site) and find out how to make this more difficult. Two-factor authentication isn't necessarily great, depending on what the second factor is.
AnotherSpin Posted November 9, 2019
3 hours ago, Jud said: Sorry about that. For those with iPhones, it's a Wall Street Journal article available on Apple News+. It's about a method of hacking through the security of a phone known as "sim-swapping," which doesn't actually involve stealing the SIM in your phone, but rather gaining enough information to hack an email account (surprisingly easy with "lost password" procedures) and thereby stealing your identity (could be a matter of minutes). From there they get into financial accounts - the fellow in the article had $24 million worth of cryptocurrency stolen. Edit: Paul's last link appears to be about this case. Good idea to read up (Krebs has a good site) and find out how to make this more difficult. Two-factor authentication isn't necessarily great, depending on what the second factor is.
"...When you ain't got nothing, you got nothing to lose"
lucretius Posted November 9, 2019
4 hours ago, Jud said: From there they get into financial accounts - the fellow in the article had $24 million worth of cryptocurrency stolen.
I take it that this gentleman had held his crypto on an exchange and also did not have 2FA set. In any case, someone with that much crypto should have known better and should have (a) kept the bulk of it in cold storage, and (b) used 2FA for the amounts held on the exchange. If one really must keep really large amounts on an exchange (to facilitate large trades), then at least spread it around various exchanges. Crypto exchanges have a reputation for going bust and making your crypto and fiat deposits disappear.
mQa is dead!
mansr Posted November 9, 2019
9 hours ago, cjf said: Article appears to only be viewable to subscribers
https://www.fullwsj.com/articles/he-thought-his-phone-was-secure-then-he-lost-24-million-to-hackers-11573221600
lucretius Posted November 9, 2019
6 hours ago, lucretius said: I take it that this gentleman had held his crypto on an exchange and also did not have 2FA set. In any case, someone with that much crypto should have known better and should have (a) kept the bulk of it in cold storage, and (b) used 2FA for the amounts held on the exchange. If one really must keep really large amounts on an exchange (to facilitate large trades), then at least spread it around various exchanges. Crypto exchanges have a reputation for going bust and making your crypto and fiat deposits disappear.
I should have noted that crypto exchanges use a 2FA that doesn't rely on calling you up on the phone or sending you an email etc. They use Google Authenticator or equivalent. Getting back into a "locked-out" account takes a lot more verification than merely sending an email (and/or providing one's phone number).
Jud Posted November 9, 2019
20 minutes ago, lucretius said: I should have noted that crypto exchanges use a 2FA that doesn't rely on calling you up on the phone or sending you an email etc. They use Google Authenticator or equivalent. Getting back into a "locked-out" account takes a lot more verification than merely sending an email (and/or providing one's phone number).
In fact he did have 2FA set, but the 2FA for his Gmail was text messaging to his phone. So once they got enough info to pretend their phone was his, *they* got the text message, got into his Gmail, and bootstrapped enough info to get through the 2FA in his crypto account.
pkane2001 Posted November 9, 2019
6 hours ago, lucretius said: I take it that this gentleman had held his crypto on an exchange and also did not have 2FA set. In any case, someone with that much crypto should have known better and should have (a) kept the bulk of it in cold storage, and (b) used 2FA for the amounts held on the exchange. If one really must keep really large amounts on an exchange (to facilitate large trades), then at least spread it around various exchanges. Crypto exchanges have a reputation for going bust and making your crypto and fiat deposits disappear.
The problem is not the lack of 2FA but that the second factor is a phone that is easily spoofable by a bad actor. This is true for many, many websites, banks, email providers, social media, etc. What's worse is that often the phone is all that's required to reset a password to many accounts. So anyone able to redirect SMS or voice calls to a phone that doesn't belong to the account owner can gain access to a lot of information and assets, not just cryptocurrency.
Social engineering remains the single easiest path to taking over someone's identity and access. The problem in this case is that the owner of the phone can be very savvy and cautious, and yet it takes just a single underpaid, overworked and unaware store clerk or phone rep to give away the customer's crown jewels.
lucretius Posted November 9, 2019
2 minutes ago, Jud said: In fact he did have 2FA set, but the 2FA for his Gmail was text messaging to his phone. So once they got enough info to pretend their phone was his, *they* got the text message, got into his Gmail, and bootstrapped enough info to get through the 2FA in his crypto account.
What crypto exchange relies upon text messaging your phone for 2FA -- that is rather uncommon.
lucretius Posted November 9, 2019
4 minutes ago, pkane2001 said: The problem is not the lack of 2FA but that the second factor is a phone that is easily spoofable by a bad actor. This is true for many, many websites, banks, email providers, social media, etc.
Yes, but it's not true for any crypto exchange that I know -- Google Authenticator is widely used for 2FA (if the account holder bothers to turn it on) in the industry. And when resetting your access to a bank account, normally 2FA isn't all that is used; they make you answer the security questions.
pkane2001 Posted November 9, 2019
3 minutes ago, lucretius said: Yes, but it's not true for any crypto exchange that I know -- Google Authenticator is widely used for 2FA (if the account holder bothers to turn it on) in the industry. And when resetting your access to a bank account, normally 2FA isn't all that is used; they make you answer the security questions.
Having worked for a large financial before, running all their customer facing operations and call centers, I can tell you that's not even remotely true. Customer reps are easily fooled by good social engineering, no matter how much training or instruction they are provided by their employer.
Oh, and secret questions are also one of the worst second factors one can imagine since they are easy to steal, discover or even guess.
lucretius Posted November 9, 2019
17 minutes ago, pkane2001 said: Having worked for a large financial before, running all their customer facing operations and call centers, I can tell you that's not even remotely true. Customer reps are easily fooled by good social engineering, no matter how much training or instruction they are provided by their employer. Oh, and secret questions are also one of the worst second factors one can imagine since they are easy to steal, discover or even guess.
I don't disagree that customer reps are easily fooled or that secret questions are bad second factors -- but you must know a little something about the account holder other than an email or telephone number to fool them. Here are some of the security procedures at Kraken (coin exchange):
- 2FA (Google Authenticator and Yubikey) to keep your account secure*
- No Phone/SMS account recovery, your account stays in your hands
- Email confirmations for withdrawals with self-serve account lock
- Configurable account timeout for another layer of protection
- Customizable, granular API key permissions with range boundaries
- Global settings time lock for extreme security when you're away
- PGP signed and encrypted email for secure communication
- SSL encryption to protect you when browsing Kraken
- Constant, real-time monitoring for suspicious activity
- Sensitive data is fully encrypted at rest and in transit
*unfortunately, enabling this is optional.
Jud Posted November 9, 2019
27 minutes ago, lucretius said: What crypto exchange relies upon text messaging your phone for 2FA -- that is rather uncommon.
You're missing a step. The text messaging gets you into email, perhaps some other accounts. There you glean enough information to get you through to the crypto account - for example you use an authenticator on the spoofed phone or answer security questions.
lucretius Posted November 9, 2019
10 minutes ago, Jud said: You're missing a step. The text messaging gets you into email, perhaps some other accounts. There you glean enough information to get you through to the crypto account - for example you use an authenticator on the spoofed phone or answer security questions.
I get that. But you won't find the secret keys to use in Google Authenticator in the email. And the phone hardware isn't spoofed/cloned, only the phone number is spoofed. And normally (I say normally because coin exchanges are mostly unregulated) the information you must provide to reset your account isn't something that you would find in an email.
pkane2001 Posted November 9, 2019
39 minutes ago, lucretius said: I get that. But you won't find the secret keys to use in Google Authenticator in the email. And the phone hardware isn't spoofed/cloned, only the phone number is spoofed. And normally (I say normally because coin exchanges are mostly unregulated) the information you must provide to reset your account isn't something that you would find in an email.
The problem is still a human being on the other side. They are gullible and given half a chance will accommodate the request coming from a perceived distressed or angry customer. I've seen this way too many times, no matter what the policy says. As long as the technology/software is available to override your chosen security options and another human has access to it, someone will find a way to exploit this.
Jud Posted November 9, 2019
42 minutes ago, lucretius said: I get that. But you won't find the secret keys to use in Google Authenticator in the email. And the phone hardware isn't spoofed/cloned, only the phone number is spoofed. And normally (I say normally because coin exchanges are mostly unregulated) the information you must provide to reset your account isn't something that you would find in an email.
By all indications, I am the owner of the Gmail account - after all, I have passed 2FA. So now "my" Google Authenticator works to open "my" accounts, and if you want answers to security questions I may know those or be able to reset them as well. It's all bootstrapping from the original identity theft. You don't go directly from spoofing the phone to being able to use an authenticator, there are steps in between that pwning the email account allow you to do. Please do read some of the linked articles.
mansr Posted November 9, 2019
3 minutes ago, Jud said: By all indications, I am the owner of the Gmail account - after all, I have passed 2FA. So now "my" Google Authenticator works to open "my" accounts, and if you want answers to security questions I may know those or be able to reset them as well. It's all bootstrapping from the original identity theft. You don't go directly from spoofing the phone to being able to use an authenticator, there are steps in between that pwning the email account allow you to do.
Google Authenticator is tied to the physical phone hardware. To use it, an attacker would have to steal your phone. Gaining access to your phone number, your Gmail account, your primary school teacher's mother's first pet's maiden name, or anything else besides the actual, physical phone will be of no use.
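Google Authenticator and the equivalent apps mentioned in the posts above implement TOTP (RFC 6238): each code is an HMAC-SHA1 over the current 30-second counter, keyed with a seed the service hands over at enrolment (the QR code). The example below is added here and is not from the thread or from any exchange; it uses the RFC 6238 reference seed and the default six digits, and shows both the client-side code generation and the server-side check with a clock-skew window. Any device holding the seed produces the same codes, which is why the seed and the enrolment or recovery step that can replace it are what a provider's reset process has to guard.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference seed ("12345678901234567890"), base32-encoded the way an
# otpauth:// enrolment QR code carries it. A real service issues a random seed per account.
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30  # Google Authenticator default time step
DIGITS = 6         # Google Authenticator default code length


def seed_from_base32(b32: str) -> bytes:
    """Decode a base32 seed from an otpauth:// URI; tolerates spaces and missing padding."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the current step plus or minus skew_steps to absorb clock
    drift and compares in constant time. A production server also records the last counter
    it accepted so a code cannot be replayed inside the window (not shown here)."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = unix_time // STEP_SECONDS
    ok = False
    for counter in range(current - skew_steps, current + skew_steps + 1):
        # No early return: every candidate is evaluated so timing does not reveal which matched.
        ok |= hmac.compare_digest(hotp(seed, counter), submitted)
    return ok


if __name__ == "__main__":
    seed = seed_from_base32(RFC_TEST_SEED_B32)
    # Two devices holding the same seed agree with each other and with the RFC test vectors.
    print("RFC 6238 T=59         ->", totp(seed, 59))          # 287082
    print("RFC 6238 T=1234567890 ->", totp(seed, 1234567890))  # 005924
    print("code valid right now  ->", totp(seed, int(time.time())))
```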
pkane2001 Posted November 9, 2019
3 minutes ago, mansr said: Google Authenticator is tied to the physical phone hardware. To use it, an attacker would have to steal your phone. Gaining access to your phone number, your Gmail account, your primary school teacher's mother's first pet's maiden name, or anything else besides the actual, physical phone will be of no use.
Why go through a locked door when a back door is wide open? Google Authenticator protects the front door. It's not used for backdoor (employee) access in 99% of the cases. The weak link is the human with administrative access to change your password, remove or change your 2FA settings, or reset your secret questions.
lucretius Posted November 9, 2019
22 minutes ago, pkane2001 said: Why go through a locked door when a back door is wide open? Google Authenticator protects the front door. It's not used for backdoor (employee) access in 99% of the cases. The weak link is the human with administrative access to change your password, remove or change your 2FA settings, or reset your secret questions.
Agreed, employees are the weak link and the risk here will never be completely eliminated, but the risk can be somewhat reduced through continued and vigilant training, rules (and sanctions), appropriate tracking, proper segregation (e.g. why not send all requests to reset an account to the compliance team?), and frequent compliance reviews.
Jud Posted November 9, 2019
1 hour ago, mansr said: Google Authenticator is tied to the physical phone hardware. To use it, an attacker would have to steal your phone. Gaining access to your phone number, your Gmail account, your primary school teacher's mother's first pet's maiden name, or anything else besides the actual, physical phone will be of no use.
The idea is to get it tied to other hardware through employees you either suborn or convince of your bona fides.
lucretius Posted November 9, 2019
4 minutes ago, Jud said: The idea is to get it tied to other hardware through employees you either suborn or convince of your bona fides.
Is this any different than the "back door" that pkane2001 speaks of? As stated above, the employee risk can be significantly reduced (but never eliminated).
mansr Posted November 9, 2019
36 minutes ago, lucretius said: Agreed, employees are the weak link and the risk here will never be completely eliminated but the risk can be somewhat reduced through continued and vigilant training, rules (and sanctions), appropriate tracking, proper segregation (e.g. why not send all requests to reset an account to the compliance team?), and frequent compliance reviews.
They could also simply refuse to reset login credentials over the phone. If it required a personal visit with photo ID and perhaps some other documentation, it would make a fraudulent request much harder to pull off. Also, anyone wealthy enough to be worth that trouble to impersonate is probably known by the bank manager, so a fake ID might not be enough.
tmtomh Posted November 9, 2019
18 hours ago, cjf said: Article appears to only be viewable to subscribers
An additional way to read this (and paywall-blocked articles at many, but not all, other sites): If you're on a Mac, visit the link in Safari and then click on the Reader View - it will bypass the paywall and show you the full article.