A couple who are friends of mine woke up yesterday to find that during the night, starting at midnight, hackers had got into their bank accounts and shifted money out of it to various other accounts in several steps during the night.
This kind of breaking into the security of banks and other businesses is not new. What was new was that the thieves had also at the same time hacked into their cell phone service provider and taken over their phone numbers so that they could not use the phones. What was worse, any text alerts that the banks might have been sending to them about suspicious account activity were going to the thieves. It was a nightmare for them to correct the situation because when they went to the local branch of their bank to report it, they were put through to the fraud office and the people there, in order to verify that they were who they said they were, wanted to send them a confirmatory text which of course they would not get because they no longer had a phone. It took them multiple calls all of yesterday and today to finally get the situation at least partly rectified. Now they have to go through the tedious business of telling all their contacts their new phone numbers, and also telling the businesses they deal with that use two-factor authentication of their new numbers.
I looked online and learned from a reporter who also went through this nightmare scenario that this is a new version of identity theft and has the names ‘port-out hijacking’ or ‘SIM-swapping’.
It’s a less-common form of identity theft. New federal regulations aimed at preventing port-out hijacking are under review, but it’s not clear how far they will go in stopping the crime.
Port-out hijacking goes a step beyond hacking into a store, bank or credit card account. In this case, the thieves take over your phone number. Any calls or texts go to them, not to you.
When your own phone access is lost to a criminal, the very steps you once took to protect your accounts, such as two-factor authentication, can be used against you. It doesn’t help to have a bank send a text to verify a transaction when the phone receiving the text is in the hands of the very person trying to break into your account.
Even if you’re a relatively tech-savvy individual who follows every recommendation on how to protect your tech and identity, it can still happen to you.
…Complaints to the FCC about the crime have doubled, from 275 complaints in 2020 to 550 reports in 2023.
Rachel Tobac, CEO of SocialProof Security, an online security company, says the rate of the crime is likely much higher since most identity thefts are not reported.
She also says two-factor authentication is an outdated way of keeping consumers safe, since it’s possible to find anyone’s phone number, birthday and social security number through any number of public or private databases on the web.
The ability of thieves to obtain your personal information was again made clear Friday when AT&T said the data of nearly all of its customers was downloaded to a third-party platform in a security breach two years ago. Although AT&T claims no personal information was leaked, cybersecurity experts have warned breaches involving telephone companies leave customers vulnerable to SIM swapping.
As of now, switching numbers from one phone to another is easy and can be done online or over the phone. The process takes less than a few hours so long as a criminal has your personal information on hand.
There is only so much that individuals can do to prevent this kind of sophisticated crime. Businesses have to bear much of the responsibility to keep their data secure but they are slow to respond.
FCC rules have recently changed to force companies to do more to protect consumers from this type of scam.
In 2023, the FCC introduced rulemaking that requires wireless providers to “adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider” among other new rules. Companies could require more information when a customer tries to port over a phone number to another phone — from requiring government identification, voice verification or additional security questions.
The rules were scheduled to take effect on July 8, but the FCC on July 5 granted phone companies a waiver that delays implementation until the White House Office of Management conducts a further review.
The wireless industry had sought the delay, stating among other reasons that companies need more time to comply. CTIA, which lobbies on behalf of the companies, said the new rules will require major changes in technology and procedures both within the wireless companies and in their interactions with phone manufacturers.
But if the FCC rules had been in place, my phone number might have been harder to steal, experts say.
…An AT&T representative told me in an email that “all providers are working to implement the FCC’s new rules on port-outs and SIM swaps.”
I’m still unsure of how this person got access to my accounts, whether through my social security number, phone number or date of birth, or possibly a recording of my voice.
All this new communication technology has undoubtedly made our lives easier. Unfortunately it has also made the lives of criminals easier.
EigenSprocketUK says
In the UK this SIMjacking is made more difficult for criminals by needing first to get a code from the “losing” network provider which is then used by the new SIM provider to take control of the existing cellular number. If you are legitimately doing it for your own reasons and still have your phone then the process can be quite quick, and your “losing” providers may (should) be sending lots of confirmation messages and warning emails to the current owner.
If you don’t have your existing phone and SIM then the process involves a lot of out-of-band authorisations and extra checks — not quick.
People can still be socially engineered into giving up these “porting authorisation codes”, and a sophisticated fraudster may have suborned other identifying channels like email, so the SIMjack fraud is not entirely defeated.
grahamjones says
I think that bank security is in a mess. The whole idea of using devices, which are mainly designed for socialising and entertainment, in order to deal with large amounts of money is insane. Letting banks outsource part of their security checks to wireless providers is nuts. It is cheap and convenient for both banks and their customers but has no other merits.
Most UK banks have apps which you can use on a phone or a tablet. You can authenticate purchases using the app. I use (only) a small tablet for mine and this rarely leaves my house. This is a bit better than using a mobile phone but it’s still stupid.
What is required is dedicated hardware which only does one thing, namely, identify you. Such things exist: hardware security keys. I have one and I use it to protect my Google account and my Paypal account, but I cannot use it to protect my bank account where larger amounts of money need to be protected. This is because no UK bank allows you to use a hardware security key. Last time I checked there were about half a dozen banks in the whole world which did. In some of these cases you had to buy the key yourself and were not offered any customer support from the bank to help you set it up.
sonofrojblake says
This is very easily fixable. Legislate that any money taken fraudulently from a bank account or credit card or whatever has to be reimbursed by said bank, plus a 30% inconvenience fee, within seven days of its removal from the account. Every additional day costs another 30%, no cap. Do that, and the banks would find a fix that would sort it reliably the week before the law came into force and would require all customers to use it. Right now, this fraud costs them almost nothing, so it won’t be fixed.
All they’re about is their own convenience. Credit card fraud was a problem when all you had to do was forge a signature. Then came chip&PIN, and that fraud plummeted. Then, for no reason I’ve ever had adequately explained, they invented contactless, which typically saves, in any given transaction, anything up to ten seconds compared to chip&PIN. Except -- any yahoo who can lift or clone my card can now make multiple transactions fraudulently before I even find out it’s happened. WHY? It’s for this reason that when I get a new card from my bank, I explicitly request one that does NOT do contactless. I don’t expect that option to be around forever.
Only slightly related: yesterday I spoke with a friend who runs a pub. I noted they no longer accept cash. She told me they’d stopped during the pandemic, and just never started again. She went on to say that although there’s a charge for accepting cards, there’s also (to my surprise) a charge for depositing cash AND a charge for getting change for the till -- something they’d have to do 3-4 times per week AND since cost-cutting measures mean their local branch has closed it’s now an hour’s round trip to the nearest branch, during business hours of course. PLUS, since she now no longer handles ANY cash on the premises, her insurance has gone down. As a business, they’ve been priced out of using cash AT ALL. You have to use a phone or card. It’s sinister.
There is polarisation though -- a lot of places nowadays only accept cash. Usually because they’re money laundering fronts for criminal operations, I’m told. Tanning salons used to be the favourite, nowadays it’s vape shops and Turkish barbers for some reason. A bit UK specific perhaps, but anyone in any town in the UK should back this up -- two types of shop I’d never seen before about 2017 are now EVERYWHERE.
Neuromancer, I think, talked about cash being largely a thing of the past, and using it being illegal in certain jurisdictions. That sounded all futury in the eighties. IIRC, it was supposed to be set around the end of this century… I think Gibson was being too conservative in his predictions on that score.
I can see two things being made de facto illegal in my lifetime (i.e. well before the end of this century) -- cash, and ICE cars. There’ll be no law against them per se -- there won’t need to be. The system will simply be rigged so that it will become prohibitively expensive to use them, and democracy and consumer choice be damned.
Dunc says
Yeah, this is really common. I can see both sides of the argument… Even without the associated expenses, cash handling is a massive pain in the arse, especially for a high-transaction-volume business operating out of regular banking hours. Even when bank branches were much more common, the job of taking the cash bag to the night safe after closing time was never exactly a popular one, and of course, having to make change for every transaction is time consuming and error-prone. Another thing most people don’t realise about cash unless they’ve spent a whole shift handling it is just how dirty it is… Like, really filthy.
So yeah, while I very much understand and agree with the concerns that the prospect of a cashless society raises (first time this was really brought home to me I think was in the 1987 Max Headroom episode “Security Systems”, when Edison Carter suddenly finds himself locked out of society because his credit has been cancelled), I can also very much understand the attractions of it from a purely practical perspective for the people behind the tills.
anat says
5 years ago our credit card was hacked. The first time the fake card was used multiple times, mostly in grocery stores in our general area, for sums around $100 at a time, until the credit card company suspected something and called us. So we signed up to have them email us whenever the card is used. Shortly afterwards the replacement card was also hacked, though this time the card was used out of state. In any case, we realized immediately what was happening. In both instances we got all the extraneous uses cancelled and repaid to us.
Recently my wife changed phone carriers. Porting the number between the two was lengthy and painful, but perhaps that made it less likely that a bad actor would want to do the same. But losing a phone (or losing control over the one one has physically) can be very difficult. And my work computer wants me to activate 2 factor authentication for login. I keep ignoring that message.
DrVanNostrand says
Fraudulent charges were made to my card this summer. It wasn’t sophisticated, but what shocked me was how incompetent the bank was. When I make large purchases, say anything over 1000, they text me for approval. I always thought that seemed like a good idea. When the fraudsters did it in the middle of the night, they texted me while I was asleep, and I never gave approval. They approved the charges anyway, and racked up over 10k in charges before I even woke up. It didn’t cost *me* anything, but it did make me wonder what the point of their approvals was supposed to be.