First they hijacked my T-Mobile service, then they stole my Google and Twitter accounts and charged my bank with a $25,000 Bitcoin purchase. I'm stuck in my own personal Black Mirror episode. Why will no one help me?
One question from outside US redditor: don't you guys in the US have some kind of physical 2FA required for bank transactions ? In my country, even with my bank password, any transaction needs a confirmation with a pin code number that is on a card. They provide you one number, and you enter the associated number from the card, so, I can't imagine anyone stealing money from a bank account unless physical access to the card is granted. You don't have anything like that in US?
We pay for Google Drive, Google Fi, and Google Play Movies so I was hoping there would be some level of customer service for paying customers. There are no phone numbers available for customers who pay for services or those who only use free services.
This has been my experience with Google and Microsoft. It's not just big companies though, I had a very bad experience getting a Blue Yeti replaced under warranty: I had to make an account and communicate with them in a forum they hosted to get anything sorted out and it took them days to respond. For some companies customer service is worse today than it was when internet service wasn't ubiquitous.
From the article and followup it seems the fault lies with carriers for making it too easy for someone to do that. Not verify enough info, etc. Because enough OSINT exists on many people to easily fool first tier support. Also seems to indicate Google Fi itself is less vulnerable to this particular attack because the port codes are generated upon initiation of cancellation of service. Whether that's true is open to interpretation, but I'll be watching this one closely.
Moral of the story: deactivate SMS 2FA on any and every service that allows you to do so
AND FUCK PAYPAL for requiring SMS 2FA to be enabled. You can use Symantec VIP Access with it, but it's not officially supported anymore. ...Really bugs me that my money is less well protected than this reddit account.
You are right about PayPal and SMS 2FA, but even if they are doing it wrong because of this, if you get money stolen because PayPal, you are also doing it wrong.
NEVER EVER link your PayPal account to your bank account or credit card. Use prepaid or rechargeable debit cards to link to your PayPal.
My linked card is a rechargeable one, in which I have about... 10$. When I want to buy something that costs 135$ I first login into my bank account, recharge 135$ to my debit card, and then I buy whatever. Same goes for online credit card shopping. Never use your "full" credit card, only use rechargeable debit ones. Your credit card should never go into the internet.
Most I can be stolen if my PayPal account is breached is 10$...
Well, I suppose it depends on how much you buy online, and how many steps it takes you to replenish the card.
In my case:
1. Grab phone (I always carry it with me).
2. Open bank app. Identify with fingerprint
3. Select debit card. Press on "recharge"
4. Input amount. Press ok.
Total time about 30 seconds, tops. It's true that to make it faster, I chose to disable physical card 2FA for this specific operation, so my bank doesn't ask me for the code each time I recharge the card (it still asks me for any other operation), so the maximum recharge amount is capped at 500$. I know this compromises my security a little, but if someone has broken into my bank account and can replenish my virtual card without 2FA, then I have bigger problems than 500$...
TBH, +30 seconds to make a purchase doesn't seem too much in my eyes for all the extra security you get... but again, people usually use easy-to-break passwords and reuse them in several accounts because they think password managers are a hassle, so...
That is a nice way to go about it.
Unfortunately, not all banks offer virtual cards, though, which would mean that one would need to either buy physical prepaid cards - which adds an unreasonable level of difficulty to making a purchase - or use a third-party virtual card service, which kinda just moves the problem somewhere else.
Oh, dude, I totally agree with you about that - I would 100% recommend such a strategy for anyone able to implement such safeguards for their financial data (especially for sites that don't seem to take "best practices" seriously).
It's frickin' crazy to me just how under-utilized virtual cards are.
I feel like if we stopped using the word “cloud” and started using the term “someone else’s computer” that people would be far less likely to make this kind of mistake. “Cloud” is a term that’s too far detached from ownership or responsibility and the net effect is that people seem to assume that cloud services are safer or more secure than they actually are.
They might think that storing plaintext passwords on Google Drive is okay because it’s “in the cloud” and therefore it’s safe and nobody else will see it, whereas that delusion mostly disappears when you remind people that those computers actually belong to real humans somewhere and are therefore fallible, or that it’s just as easy for someone who knows your password to get to as it is for you.
With all of this conversation indicating how difficult it is to move Google Authenticator codes to a new phone (because you cannot back them up and restore on a new phone easily), this makes me wonder is it really even safe to put Google Authenticator on your main phone? Your main phone is at risk to get lost or stolen, and even if the thief does not get your codes, suddenly losing access to many of your logins would be catastrophic to many people. Maybe the better solution is to keep Google Authenticator on old phone and just not take that with you as you travel outside the home?
"...I had backed up a ton of personal information on Google Drive. This included tax returns, account passwords for my wife in case I died..."
No wonder all of this dude's stuff got hacked. He later revealed that he had his BANK ACCOUNT LOGIN saved on Google Drive, which is how the hacker stole $25,000 from him. All because the hacker social engineered some T-Mobile rep into changing the SIM card for his phone number.
Are any of them better? It saddens me to know the best security these days is probably obscurity. The guy was a well-known blogger. I feel sick knowing this can happen and it hasn't even happened to me.
Doesn't matter what they had on hand. T-Mobile should have locked the SIM the FIRST time he called them and told them that it was fraudulently transferred. T-mobile being T-Mobile, they allowed the SIM to be transferred A SECOND time, and ONLY when a friend at T-Mobile took action did they FINALLY lock the SIM.
As for Google and Twitter, he has a 99.9% chance of just being SOL.
I've had a number of acquaintances get SIM swapped this year and the one thing they all had in common is that they had iPhone XSes. I wonder if there's something in how the eSIM function in the XS works that makes it particularly vulnerable to fraud.
I read this article yesterday, but it seems like this could have all been prevented if he had setup a Pin code on his T-Mo account. Without that, anyone trying to do this would be thwarted since they would not have the Pin code. All T-Mo users should definitely have this setup on their accounts and have the Pin code saved securely somewhere.
What I don't get is Why TMobile allows for a SIM to be soft-changed/Transferred? A SIM card is and should be hardware (the physical SIM card) code. If you need to change SIMs then visit a physical store/physically change the SIM.
By phone, all that should be allowed is the registration and reporting of lost SIM, stolen phone/cancellation of SIM.
If it can be soft-changed then what's the point of having a SIM card.
You didn't seem to read the article. He did setup 2FA, but the 2FA he did use was only relying on text codes over SMS. So a thief "stole" his phone number and moved it to a new SIM, thus receiving those 2FA codes instead of the author. Then likely reset his Google/Twitter password using only the phone number as authentication.
While there are certainly things he could have done better, this is a really good horror story of relying only on SMS as your methods of 2FA.
SMS and email are by far the most common 2FA. Most sites with 2FA don't support Authenticator.
I have a plethora of accounts with financial institutions, and I can't think of a single one that supports Authenticator outside of crypto.
SMS and e-mail themselves can be hacked, that's exactly what happened here. You want something that you have, be it a fingerprint, other device, PIN to a device (not the account, the literal phone/tablet/computer), security key, etc.
The Nest accounts being hacked, and SMS not being a good 2FA, is a big reason that they're transitioning to Google accounts.
I agree that it's crappy that I can get Authenticator for a Ubisoft account but not my bank. So frustrating. With Gmail, which is the backup for password resets, it can require Authenticator when signed on from a new device.
It's all bullshit, though. It's not his fault that some asshole has decided to ruin his life. We shouldn't even be having this discussion, which is the worst part.
I think this is the entire intended takeaway of this article. That he was doing it wrong.
He is not writing to active and informed users on r/google. Clearly there are ways to be safe. He is suggesting that, like hundreds of millions of people in the world right now who naively use Google, Twitter, Facebook... as they are advertised, could be at risk for identity theft and it can be A LOT worse than just a quick customer support phone call to remedy. Aside from this guys tweets that he cherishes so much, you can lose real money, most of it to be honest, and not be able to get it back for a year or more.
So yes, I agree, but the sentiment should not be, "that guy is an idiot" but "we need to find a way to make sure people are aware of this as we, future generations especially, are becoming more and more cloud based in life."
Man I *TOTALLY* agree with you. I'm glad that he put his story out there for people to see that it's not just a scary idea, it actually happens.
I'm sorry that it came across like victim blaming. I was just trying to make sure that 2FA wasn't viewed as irrelevant and ineffective, because it's neither when used effectively. This guy shouldn't have had to write this article in the first place.
>how fucking easy it is for someone to employ social engineering to compromise your digital life:
So basically, you're fine ***if you don't act like a fucking moron.***
I've learned that "hackers use social engineering" is a way of sounding smart and push the blame of not taking the basic responsibility you should have when dealing with computers off of yourself.
>They called Time Warner Cable and Comcast, pretending to be my girlfriend, and figured out whether or not I had an account with either of the companies. (I don’t.) They called the local utility company to see if I had an account there. (I do, but it's not under my name.) They found my Social Security number on a special-purpose search engine, and took a survey of my social media activities. In total, their dossier on me added up to 13 pages.
You are fine if you and ***everybody else who is paid minimum wage*** never make a dumb mistake ever. That means you are ducked.
For a “mobile tech reviewer,” this guy’s an idiot. He didn’t do a single thing right with his online presence and security, relying on Chrome(!) browser to store passwords, to using all of google’s services throughout. In the end, he still hadn’t learned anything as he continued to use google services and took to writing his passwords on paper. So stupid.
And to those here who drone on about using sms as your 2fa, read this idiot’s story.
Essentially someone called into their phone company and said I own [phone number] and I want it changed to a new SIM card that they own.
Another way to do this is for the scammers to port the number to a different telephone company.
Then, once the scammer has the number activated on the new company's network, they use it to bypass two factor authentication for your bank or other accounts.
Generally for this, they need a bit of information about you - enough to convince your phone company that they're you.
Put a security code/PIN on your cell phone account if you use 2FA.
Don't give out your normal number online. (I hand out my Google Voice number instead.)
Don't use the same passwords for everything.
Use app-based authentication where possible.
For your google account, use two factor. I use two factor everywhere I can, but some places still send an email or a text message. Because of that, the gmail account is one of my most secured accounts.
is there any real worry, in using a password vault, that the whole deal gets hacked at once?
I hadn't messed with these before but it is becoming so encouraged lately that I am trying it. But now I get the feeling that Firefox is saving my passwords, Dashlane is saving them, Chrome is saving them. If I want to switch from Dashlane to KeePass then THEY also have this master list.... Suddenly I feel less safe than when I started.
I don't save any of my passwords on any online/offline password service. I only save unimportant accounts/info (those I don't care about even if I lose them) on password managers.
I have a simple password-protected Word file (basic security) which is in an encrypted file container that I created using VeraCrypt (second, better security). Both passwords are different.
This file is on my MacBook, which is encrypted as well. I have a backup of my files to external storage, which is backed up to a large encrypted file container. So even if people got my external drive or MacBook they won't get to my info without the additional password.
I only log in to my Google account on my MacBook (which has a lock), my phone (locked again), Chromebook and my work PC. I do not log in anywhere else unless it's absolutely necessary.
Same goes for all of my accounts; I only log in using any of these four devices. I log out of my account after use, even on my phone, unless it provides fingerprint authentication.
I am glad that when I ask a question about my security I get my spelling corrected ;) Thanks.
But I will read between the lines, and assume you are suggesting that it might be a better idea to use a software based password manager instead of something based/stored in the cloud. Then just use good security on my devices so a person cannot physically access this software? That does sound a bit better. i will maybe start shifting in that direction.
Seems worth noting though that I have to imagine, like myself, the intended goal here is to be able to get to these passwords while on the go, on mobile, on different computers and browsers. So without an option for sync or a mobile app (back to cloud based, I know) I am not sure it will be a popular choice.
Don't use the same password for everything and don't put your bank login info online. He probably posted too much personal info on Twitter over those 13 years he mentioned and that's how the hacker could fool T-Mobile.
Can't be sure but he does not sound very smart from what I read so it might be a possibility.
Find out your Jedi name and share it with the world. First name is your first car make, then the closest named street to where you grew up, last is your mother's original last name. Post now and see what your friends names are. /s