For many, the security of your online life relies on the security of your phone and phone number.
I’ve recently been speaking about the security of mobile phone numbers, and how losing your number can result in serious identity theft and account compromise.
Email providers, online stores, social media sites and others need to make it easy for us to ‘get back in’ when we forget our passwords, or lose access to our accounts. A common solution to resetting your password is to verify you through another email address, or by sending you a text message.
Phone number porting attack
Related: ABC Local Radio Interview - Louise Saunders interviewing Nikolai about mobile phone number porting scams (Feb 2017)
With phone number porting scams, the bad guys go in to a mobile phone shop or online, and they ‘buy a new phone’ or sim. The scammer tells their provider “hey, I want to port my old number across”. Surprisingly, usually all they need is: account name, date of birth and account number! If they know these things about you, it’s not hard to impersonate you as far as the phone company is concerned!
In Australia, the carrier is required (by law) to release your phone number pretty quickly. If the attacker managed to convince their carrier that they are you, they’ll soon have complete control over your mobile number.
Into Facebook with just a mobile phone
For those who have never done it, here’s a walk through of how easy it is to recover a Facebook account if you have control of a mobile phone. Keep in mind, never do I enter any detail other than the phone number.
Click on the “Forgotten Account” link under the Facebook login. Enter the phone number in to the box:
Now select the phone number as the recovery method.
Here’s the SMS with a ‘password reset code’.
Enter the reset code in to the password recovery page and then enter a new password!
Done in one minute!
So if your phone is ported you’re in big trouble. But just losing access to your phone for 10 minutes can be enough. Does your phone display notifications on the lock screen? If so, your attacker just needs to see your screen to reset your passwords.
Other sites are also guilty of weak SMS account reset
Password recovery via SMS is common for many service providers. Even the Australian Government uses SMS to reset logins. They adds one extra layer (a secret question) - but how much have you shared on social media, can someone guess the answer by searching your history?
Using your mobile phone is indeed convenient for password recovery, but it’s not secure. Even the USA’s National Institute of Standards and Technology (NIST) has declared using SMS for “two factor” authentication a security risk!
Standards body warned SMS 2FA is insecure and nobody listened
What should you do?
It’s difficult! We need to be able to recover lost passwords, but your security is weakened if you provide your phone number to a site that uses SMS to send unlock or 2-factor authentication codes.
Less is best when it comes to what information you put out there. Personally I rarely share my phone number. But that’s not always an option; vigilance is necessary.
Don’t leave your phone laying around, don’t put your date of birth on your social media accounts. Limit what you share and keep an eye out for anything suspicious. Have a plan, think for yourself:
“How should I react if something suspicious happens to my mobile phone, or if my account has been stolen? What do I need to protect, who do I notify?”
68
READY.