As coordinator of the cybersecurity awareness program here at MRU, I often have colleagues call me with their own personal tales of horror. One of the more recent ones involved a Port-out-scam. Here is a their tale, written in their own words…
Until recently, identity theft was definitely something that we never thought could happen to us. It’s something that we warned our grandparents, our parents and even our security-relaxed friends about. But we were totally safe, or so we thought.
Through this experience our lives have definitely changed forever. We have learned a great deal and are now more aware, and will be more vigilant. It was shocking to discover how easy it might be to lose everything.
Upon landing at the airport in Calgary at 2 AM following a holiday early in January, my boyfriend (for privacy we will call him James) turned his phone on to discover that he had no carrier service. We didn’t think it would be anything serious and joked about something being wrong with his last payment.
The next morning James called Telus and a Customer Service Agent informed him that he had ported his number out to Bell on Tuesday, to which he quickly replied that he had been out of the country, so that was impossible. After some convincing that this action was not taken by James, Telus quickly, and easily, ported the number back from Bell. We knew at this point that something was very wrong. He was also unable to get into his Microsoft Outlook email account; his password was denied.
Once James had his number back, he was able to use his phone (with SMS two-step authentication) to reset his password and get into his email accounts, where we quickly realized the horrifying truth that his identity was compromised. Someone had accessed his email account with his phone number, changed the password, and taken over. James’s email account is connected to everything: PayPal, Amazon, personal & joint banking, investments, taxes, etcetera. I am sure you can imagine the anxiety James and I felt in that moment of realization.
You’re probably thinking that James did something to be a target. He must have been lenient with his security questions, or displayed some weakness with online purchases or social media. We have gone over everything meticulously to try to figure this out, and with the help of many people, our conclusion is that he actually did nothing wrong. All the hackers needed to access his email was his phone number. He is not a prominent person and does not hold a prominent position, so not your typical target according to experts. Further, he is very private and careful, with the strongest security settings on his social media accounts where he is also conscious about everything he posts, and any business he does online shopping with.
Next came the long process of regaining control…. cancelling credit cards, bank accounts, informing all business and friends of the identity theft…setting up security watches on James’ Social Insurance Number through various government services…..hours of waiting on hold, explaining the situation and the frustrating experience of having to convince people of the seriousness of the situation.
We talked to Calgary Police Service (CPS), and while they made some good suggestions of things to change, credit checks to put in place, it was also frustrating that there was nothing they could do. Because no physical property was actually taken there will not be an investigation. We were also informed that we should maintain a close eye on all of James’ accounts for at least six to eight years as we don’t truly know what information the hackers obtained and they may resurface at a later date.
Microsoft Outlook support was useless because the same security measures that should help in this situation caused serious issues. The hackers were able to change the security settings in the account before James got it back. They added their own email addresses and phone numbers as new two-factor authentication security. It is part of the Microsoft Outlook security plan that when changes are made there is a 30-day freeze before further changes can occur. Despite hours speaking with Microsoft Outlook staff at all levels, they refused to close the accounts before the 30-day freeze.
Through all of this we learned that this is called a Port-out Scam. In this case, Telus confirmed to James that his account number was provided to Bell in the port. There was an incredible lack of due-diligence to verify one’s identity in this case. This type of scam has been known to play on the emotions of customer service agents at telecommunications companies and the lack of security measures in place to protect customers.
How does it work? The hacker would have acquired James’s name and phone number from somewhere to start – not difficult given the world we live in. Next they might have called Telus, pretending to be James, claiming they want to make a payment on their account, but they are not at home and didn’t have their account number – can they have it? The customer service agent should refuse, or ask detailed security questions only James can answer, but instead they provide the number. (CPS told us that hackers can also get addresses, email addresses and more this way) Next, armed with everything they need, they simply call another company (Bell in this case) and pretend to be James, saying they want to port their number over from Telus. Just like that the hacker owns your number and now they can get into anything your number is tied to for two-step authentication.
James called Bell to inform them of the theft and that they were used in the process of the theft, and, surprisingly, they brushed him off. Told him it was not their problem. Wanting to understand how this could possibly happen, I called Bell to casually inquire about moving over from my existing carrier and told the customer service agent I wanted to keep my phone number. She was more than happy to assure me it was no problem to keep my number – all I needed was my number, and to ensure my account with my previous carrier was in ‘good standing.’ It was way too easy.
The comical part in this experience is that while it was so easy for the hacker to steal James’s number, in order to cancel his phone number (once he got it back) the Telus Customer Service Agent’s protocol was to hang up and call James back to verify that it was his number, as well as asking for detailed account information and his driver’s licence number. This means that there is protocol that exists, but no assurance that it is followed regularly.
We are sharing this story as we hope that others will learn from this. We want telecommunications companies to start taking security seriously and we want you to be vigilant. Instead of assuming you are taking precautions and you are safe from identity theft, in 2020 it is safer to assume you are a target and take precautions for the day you will be attacked.
Is there a way to use 2FA that will provide security even if you are a victim of a port-out or SiM swap scam? Yes there is. Read How to prevent a two factor authentication compromise to find out.
Siri shortcuts is a terrific time saving feature that Apple introduced as part of iOS12. It allows multiple steps to be executed automatically with a single voice or tap command, bringing us one step closer to the mythical Star Trek computer. With a simple “Good Morning”, Siri can tell you the day’s weather forecast, the traffic report and then play your favorite wake up tunes.
All you have to do is download the Siri Shortcuts app, determine what your cue word or phrase will be and then select your steps. To save you time, the Shortcuts app has a gallery with tons of shortcuts all ready to use. You can also download shortcuts created by a third party. This is where things get dangerous.
Hackers could easily create a shortcut capable of unmentionable horror. How much fun would it be to say “Good morning” and instead of getting the weather report, Siri informs you that your photos have been accessed and unless you pay the ransom, the following ones will be sent to your whole contact list (cue a slide show of you in various stages of undress). Then to add insult to injury, the malware that made all of this happen, is sent to your friends and family. Welcome to the brave new world.
The goods news is you can enjoy this wonderful new feature and avoid the slide show of shame. All you have to do is take a few precautions:
- Only download shortcuts from trusted sources like the Apple store
- Review the permissions that a shortcut asks for before you accept them
- Click the Show actions button before you install a shortcut. Make sure you know what actions it is going to perform before you install it
Fitness Balance & Calories Tracker are two apps that have been removed from the Apple Store for tricking users into approving in-app purchases using Touch ID. How did they do it? Quite cleverly actually.
As part of the initial set up you are asked for a finger print scan to view your personal calorie tracker and diet recommendations. As your fingerprint is being scanned, pop ups appear asking you to approve several payments. Of course because you are having your fingerprint scanned, the payments are marked as approved. Very clever. You would admire the creativity if they weren’t racking up charges on your credit card.
This new attack vector gives us another thing that we need to watch out for when using apps, inappropriate use of Touch ID. Lucky for us if you have been victimized by this scam, all you have to do is contact Apple and ask for a refund.
With the release of IOS 12 it was discovered that by using Siri, you could bypass the lock screen. Unfortunately, the latest security update does not fix that problem. To ensure that your phone stays secure, change your settings to disable Siri when the screen is locked.
To change your settings:
- Open settings.
- Select Siri & search.
- Scroll down to find Allow Siri When Locked.
- Click to disable it.
Armed with nothing more than your phone number, criminals can steal your WhatsApp account. How? By registering your phone number on their phone. Here is how it works.
First the attacker makes a request to have your phone number registered to the WhatsApp application on their phone. When WhatsApp receives the request, they text a verification code to your phone. The scammers make their request in the middle of the night or when you are on a flight so you don’t see the verification code. With the text not answered, WhatsApp offers to read out the code and leave it in a voicemail.
If your cell phone carrier has a default password set up for voicemail and you have not changed it, the criminal simply enters the default password and boom…they can hear the verification code. Once they enter that code, the account gets transferred over to their phone. The attacker then sets up two step verification on the account and you have no way of getting it back.
The moral of the story, set strong and unique password for your voicemail. While you are at it, do that with all your accounts.
If you have an Android phone or an IOS phone that has the Google app on it, Google could be following your every move. Most people are aware that you can turn the Location Services off on your iphone and disable Location reporting on your Android phone. You may even know how to turn off Location History so Google doesn’t store a record of where you have been. What you probably don’t know is, Google has been deceiving you.
AP News has found that when you turn off those services, it only disables the viewable timeline. However every time you open Google Maps, get some weather updates or use Chrome for a search, it tracks you and stores time-stamped location data from your devices.
Fortunately, there is a way to truly turn off the location tracking. Google buried it deep within their account settings. To keep nosy Google from tracking you in any way:
- Open the Google app on your mobile device.
- Click the Settings icon in the upper left hand corner.
- Select Manage your Google Account.
- Select Personal info & privacy.
- Select Activity Controls.
- Select Web & App Activity.
- Click the slider to disable Web & app activity. It should turn gray.
Windows users have heard about the tech support scam that informs them their computer has a virus and they need to call a 1-800 number to unlock it. Creative criminals are now using the same tactic with iphone users. They have seeded several porn sites with malware. After your visit, a large dialog box appears on your phone informing you that your phone has been locked because you visited an illegal porn site. It all looks very official as it correctly displays the model of your phone and the URL of the porn site. It then gives you a hyperlink to a number to call to get your phone unlocked.
In reality, your phone isn’t locked at all. If you call the number you get connected to a hacker who then attempts to get information and money from you. Although this scam leverages a visit to a porn site, a similar scam can be set up with any type of website. It can also target any kind of phone. It may be iphone users that are currently targeted, but it won’t take long for this scam to show up on Android phones as well.
Never call a number that shows up in an alert or notification on your phone. Never click on security warning links either. If you do connect to a call center and start to feel uncomfortable, hang up. Apple will never lock your phone and then ask you to call a number to get it unlocked. Come to think of it, neither will Google or Android.
Two step verification keeps criminals from accessing your account if your password is compromised. It is a great way to add an added level of security to your accounts. However, enterprising criminals have found a way around it.
How did they do it? Is there some back door that they found? Have they created a new brute force hack technique? Nope. They just ask for the verification code. Low tech social engineering strikes again.
Here is how it works. They send you a text that looks like it comes from Google notifying you of a password reset. If you don’t want your password reset, you are instructed to text the word STOP. Once you do, you are asked to text 822 back to be sent a verification code to stop the password reset. Once you receive the verification code, they ask you to text them the code back to confirm that you don’t want the password reset. Pretty clever huh?
Of course what is happening is they are trying to get into your account but can’t because they don’t have the verification code. By playing the stop the password reset game they are hoping to catch you off guard so you just sent them the code.
For the record, no one will ask you if you don’t want to do something with your account. As soon as someone asks you for confirmation to NOT do something, you know the jig is up. This is just another reminder that we have to read our texts and emails carefully and question anything that seems odd. The criminals count on you to react without thinking. Stop them in their tracks, think before you react.
If you have been using MyFitnessPal from Under Armour, change your password immediately. On March 25 Under Armour learned that usernames, email addresses and hashed passwords were taken from about 150 million user accounts.
The good news is the passwords were hashed or scrambled and will need to be decoded before they can be used. The bad new is, the thieves may use phishing emails to acquire your password directly instead of doing the hard work of decoding it. Change your password directly in the app or through their website instead of using a link in an email.
If you use your MyFitnessPal password for other apps or websites, make sure you change those passwords as well.
What are they?
New vulnerabilities called Meltdown and Spectre have been found in computer processors built after 2009 that allow a program to steal data from your computer system’s memory without your permission or knowledge. It affects everything that has a computer processor including your computer, tablet, phone and IoT (Internet of things such as a smart thermostat).
Why should I be concerned?
These vulnerabilities have the potential to allow hackers to covertly fetch sensitive information such as passwords from system memory allowing access to your online banking, social networking accounts and the like. To make matters worse, the attack can be made via your browser.
How is the problem fixed?
As these vulnerabilities are in the main processing chip on the computer, the ultimate fix will be to change the processor codes, the firmware or the chip itself. However, the problem can be mitigated by modifying how the software interacts with the processor. As a result, software and hardware vendors are currently developing patches for these vulnerabilities.
What is IT Services doing about it?
We are following our standard processes to manage the patches for these vulnerabilities.
What do I have to do?
You do not need to update your workstation, it will be done by the MRU patch management process. Your regular updates include all required patches. If you have a Mount Royal laptop or device and you aren’t sure that it is getting updated, please visit the IT Service Desk.
Install updates for all your personal portable devices and home machines as soon as they become available. Make sure that your browser is updated as well. Please note that not all anti-virus programs are compatible with Microsoft’s latest updates. If your machine has incompatible anti-virus software, the Microsoft updates will not be uploaded and your machine will be left vulnerable. Check your anti-virus program’s website to see if it is compatible.
Make sure you visit official/trusted websites to get your updates or use the update feature from within your software. We do not recommend clicking on links and opening attachments in emails claiming to have a link to the latest updates or patches. Criminals may take this opportunity to send out fake security patch or update emails with malicious links to try and trick you into downloading their malware.
For more details on the vulnerabilities, check out the sources for this article: