Under the Umbrella

January 1, 2022

Eric Hester

New Phone.. Who dis?

How hackers can take everything starting with your phone (part 1)

Imagine having dinner and giving in to the urge to check your cell phone, only to see “No Service”. Nothing is working: no internet, no cell service. Strange... must be bad service in this restaurant. As you drive home, no improvement. You restart your phone; no change. Stupid phone! Time to call your provider. You sit down at your computer to get the phone number and check your email to see if maybe you forgot to pay your bill or something. Strange, your email password isn’t working. You must just be frustrated and forgetting the password. Just focus and call about your phone...

You call the provider, go through your identity verification and finally ask what’s going on. “You should be using your new Samsung phone, sir. The one you purchased today. We moved your service to that phone, so your old phone no longer has service.” Ummmmm, what? How does this happen? Aren’t there protections against this?? You tell them this is a mistake and ask them to reverse all the changes.

While you wait, you decide to check your crypto account to see how bitcoin is doing today. Wrong password again. You spend the next several hours getting your email password reset, getting your phone working again, and then resetting the password on each of your accounts to get back in. The first account you reset is that crypto account. $0 in your portfolio. What in the… This same thing plays out for your airline points account, bank accounts, retirement accounts… everything of value with an online presence has been stolen from you! How does this happen??

Nightmare scenario, right? Welcome to the brave new(ish) world of phone transfer scams. The above is a condensed transcript of a real scenario that happened to one of my longtime friends. I had heard of these types of scams being used to take over the accounts of celebrities or high-net-worth individuals, but this was the first time it happened to someone I knew. Hackers are getting braver, and this attack type is going wider.

So, what even is the attack? It plays out like this:

Through phishing or other means of social engineering, a hacker gets access to your email account. Once they are in, they can spend time reading the notices from your other accounts. From these notices they slowly build an inventory of your important accounts and assets and create a hit list for later. After enough time has passed and they feel they have enough information to act, they start their assault. The first order of business is to lock you out of your email by simply changing that password. Next, they go to your phone provider and request a password reset. This might be a simple process of email verification to the account they now fully control, or they might have to call in and social engineer a reset. Once they have reset the account and can log in, they simply transfer your number to a burner phone they have purchased for this purpose, or place an order for a new phone as an upgrade to your existing phone and go pick it up with a fake ID. This is when your existing phone goes offline. There is also an alternative method where they brazenly go into the cell phone store with a fake ID and do the phone takeover in person by buying a new phone.

At this point, as far as websites or call centers that use email and text messages for verification are concerned, the hacker is you. They get all your email, and they get every text message that is sent to you. That protection you had to verify it’s really you by sending a text? So much for that! They can reset passwords, perform text- or email-verified transactions, and call in and social engineer for any number of gains using your phone number as their caller ID.

This is insane, right?? How do you stop this?

Time to create a new and better digital you. Make it harder for someone to assume your digital identity.

  • Create unique digital identities for each critical service.

    • Use different email addresses and phone numbers for each of your asset holding accounts.

    • Use a non-SMS form of two-factor authentication, or use a virtual phone number like Google Voice if SMS is the only option.

    • Use a password manager and long pass phrases that are unique to each site or service.

  • Never store credit card information at vendors’ sites, or use virtual credit cards for purchases where card information is stored.

  • Utilize a credit monitoring service with rapid detection and notification capabilities.

  • Utilize a phone transfer monitoring service.

In the next post I will detail how to accomplish this using a small set of tools and about 4-5 hours of your time to rebuild your digital identity. All this may sound daunting, but it’s mostly a lot of upfront work; after setup you won’t find it any harder to use your services, but a hacker certainly will.

Here is a teaser of the tools we will be discussing.

Lifelock

  • Credit, Phone, Identity Monitoring and Locking

MyKi

  • Password and 2FA management

MySudo

  • Shadow Identity Management