Hacking mobile numbers — can do more damage than breaking hearts
Just last Thursday (September 5, 2019) Facebook announced that it is launching a dating platform. Apparently the leadership of the notorious social network decided that its irresponsible to leave the lucrative business of the hearts and lust of about 200m singles on the platform an untapped treasure, respectively leave it to Tinder & Co..
Already quite a scratched image in terms of trust, data privacy, security, data leaks, transparency and use of user data….. It seems as if the list is getting rather longer than shorter, in spite of all the efforts of the company to tame the beasts of mis-trust and bad publicity; one thinks to experience a very own production of Goethe’s Zauberlehrling. It does not help that just shortly before that a massive database of Facebook users’ phone numbers have been found online — more than 419 million records. BAM!
Underestimated risks of exposed mobile phone numbers — “SIM-Swapping”
The case reveals a risk that many still underestimate. Most people think of secure passwords and when protecting against hackers. In fact, in can be very dangerous if someone knows a phone number and the name of the owner — a few clicks and cyber criminals can find out Facebook and other profiles with that data combination.
From there its just a matter of minutes and few clicks until digital attacks start, e.g., extortion of ransom, hacking of private accounts, clearing of bank accounts, etc. you name it. A more and more popular method where mobile phone numbers are taken is called “SIM Swapping”. Apparently some of the more famous recent victims are Twitter CEO Jack Dorsey and actress Chloe Moretz. Who is safe if not someone like the CEO of a digital company you may ask?
How does SIM-swapping work? First, criminals outsmart the security measures of telephone providers online or at the customer hotline, and have the victim’s mobile number transferred to a SIM card that belongs to them. Sometimes this takes merely a few clicks and minutes on the online portal of the mobile phone provider. There the attacker simply log-in with the password of the victim. Now they get all messages and calls forwarded to their phone. The Darknet is full of email/ password records that criminals have captured in older hacking attacks on other online services or portals. All that combined it is a super-toxic mix.
You may notice the attack because you don’t have no longer any reception and cannot make calls anymore. At that point it may be already too late. Your bank accounts may be cleared at that point. Since criminals control mobile number now, they can, e.g., intercept the SMS-code that must be entered in online banking with the so-called mTAN procedure, which is intended to protect bank accounts, but basically worthless in SIM-Swapping attacks.
A lot of online services ask for phone numbers and additionally to the password, users can use smartphones as a 2nd security factor when logging in and have OTP (one-time-password) sent by SMS. But if cyber criminals have taken over the mobile phone numbers this 2FA (two-factor authentication) is worthless. And since SMS are sent unencrypted — which makes them also vulnerable against man-in-the-middle attacks — you want to use, e.g., the Microsoft or Google Authenticator App instead right away; the difference is that the code isn’t sent by SMS, but generated by the app instead.
How you can better protect yourself
Although often caused by human error rather than a malicious hack or breach, data exposures represent a massive security problem. Sadly but true — and I don’t want to sound like a politician — it is not a matter of if, but when you fall victim to a hacking attempt.
There are sound and effective methods to safeguard your accounts and profiles against attacks via phone numbers. Same old, same old: use complex and long enough passwords for all online accounts, ideally created randomly. Change passwords regularly, especially when you find out that one of the services you use got compromised. The “Always-Safe Password” function, use of password generators, etc. are topics on its own. And since we are at it — add a VPN for your smartphone, especially when browsing through public WiFi networks alot. And as mentioned above active 2FA via one of the authenticatior apps.
Last but not least — and probably the hardest factor to measure and control — the weakest and strongest link is the human factor, YOU, and your behavior in the real and digital world. The less you share, the more attention you pay, the more careful you are when visiting websites, clicking links, opening attachments, etc. the safer you are. Whenever possible combine security procedures combining the digital and real world. Some telephone providers request users to visit stores when they want to change or swap phone numbers.
At the end — whatever digital dating service you use — the last thing you want when you had your heart captured or broken — is to struggle to get your hacked phone number, stolen money or digital identity back on top of it.
Blind faith in technology to keep you safe, ignorance, or simply not caring much is damn-foolish and dangerous — you wouldn’t get into your car and go blindly on it, would you? You wouldn’t get far for sure.
You may want to limit surprises and the delight of the unknown to dating ;).
