It is in our nature to be helpful. We want to believe the best of people. We avoid conflict. These are good characteristics to live by, but unfortunately hackers are excellent at using these traits against us. 

There is a very good example of this making its way through the church community currently. Hackers will research your leadership via your webpage, making a list of pastors, elders, deacons, administrators, as well as a list of past and current events at the church. They will then call the office and be very cordial and ask you how your day is going, how the recent event you just had went, etc. After getting your guard down they will say they are working with pastor/elder so and so on an event they gathered from the website and they need a member directory for part of the project. Most people will think nothing of sending one to them based on the conversation. Once they receive this directory, they will create text messages from the Sr. Pastor that requests members get gift cards or send money to a paypal address for donations. Disgusting right? 

Does this mean we have to harden our hearts and assume everyone is trying to scam us? No. It just means we need to add a little diligence to our trust in people. Trust but verify is the best compromise. When people call, email, text and ask you for anything of a sensitive nature like member or staff personal information, simply ask them to verify who they are. You can do this by calling them back at the number you have on file for them, telling them you need to verify the request by asking the person they claim to be working with, etc. Again, just add a little step of verification. If someone is who they say they are, they should not be offended if you explain you are just trying to protect sensitive information.

Imagine having dinner and giving into the urge to check your cell phone only to see “No Service”. Nothing is working, no internet, no cell service. Strange... Must be bad service in this restaurant. As you drive home, no improvement. You restart your phone, no change.  Stupid phone! Time to call your provider. You sit down at your computer to get the phone number and check your email to see if maybe you forgot to pay your bill or something. Strange, email password isn’t working. Must just be frustrated and forgetting the password. Just focus and call about your phone...  

You call the provider, go through your identity verification and finally ask what’s going on. “You should be using your new Samsung phone, sir. The one you purchased today. We moved your service to that phone, so your old phone no longer has service.” Ummmmm what? How does this happen, aren’t there protections against this?? You tell them this is a mistake and ask them to reverse all the changes.

While you wait you decide to check your crypto account to see how bitcoin is doing today. Wrong password again. You spend the next several hours getting your email password reset, your phone working again, and then resetting password on each of your accounts to get in. The first account you reset is that crypto account. $0 in your portfolio. what in the… This same thing plays out for your airline points account, bank accounts, retirement accounts… everything of value with an online presence has been stolen from you! How does this happen??

Nightmare scenario, right? Welcome to the brave new(ish) world of phone transfer scams. The above was a condensed transcript of a real scenario that happened to one of my longtime friends. I had heard of these type scams for taking over celebrity accounts, or high net worth individuals but this was the first time it happened to someone I knew. Hackers are getting braver, and this attack type is going wider.

So, what even is the attack? It plays out like this:

Through phishing or other means of social engineering a hacker gets access to your email account. Once they are in this account, they now can spend time looking at notices from your other accounts. They can slowly build an inventory of your important accounts and assets based on these notices and create a hit list for later. After enough time has passed and they feel like they have enough information to act they start their assault. First order of business is to lock you out of your email by simply changing that password. Next, they go to your phone provider and request a password reset. This might be a simple process of email verification to the account they now have full access to, or they might have to call in and social engineer a reset. Once they have reset the account and can login, they simply transfer your number to a burner phone they have purchased for this purpose or place an order for a new phone as an upgrade to your existing phone and go pick it up with a fake ID. This is when your existing phone goes offline. This is an alternative method where they brazenly go into the cell phone store with a fake ID and do the phone takeover in person by buying a new phone. 

At this point as far as websites or call centers that use email and text messages for verification are concerned, the hacker is you.  They get all your email, they get every text message that is sent to you. That protection you had to verify its really you by sending a text, so much for that! They can reset passwords, perform text/email verified transactions, call in and social engineer for any number of gains using your phone number as their caller-id.

This is insane right?? How do you stop this? 

Time to create a new and better digital you. Make it harder for someone to assume your digital identity.

• Create unique digital identities for each critical service.

  • Use different email addresses and phone numbers for each of your asset holding accounts.

  • Use a non-SMS form of two factor authentication or use a virtual phone number like google voice if SMS is the only option.

  • Use a password manager and long pass phrases that are unique to each site or service.

• Never store credit card information at vendors sites or use virtual credit cards for purchases where card information is stored.

• Utilize a credit monitoring service with rapid detection and notification capabilities

• Utilize a phone transfer monitoring service

In the next post I will detail how to accomplish this using a small set of tools and about 4-5 hours of your time to rebuild your digital identity.  All this may sound daunting but it’s mostly a lot of upfront work and after setup you won’t find it any harder to use your services, but a hacker certainly will.

Here is a teaser of the tools we will be discussing.

Lifelock

• Credit, Phone, Identity Monitoring and Locking

MyKi

• Password and 2FA management

MySudo

• Shadow Identity Management