How hard is it for hackers to get to your bank account (or anything else)? Not hard at all. But wait, you will say, 2FA protects my account. What you have with most banks and other services is called Step-Up Verification (SUV). And while it is better than no 2FA, it was cracked many years ago by a technique known as "SIM swapping." You have seen the headlines in the past: Twitter CEO Jack Dorsey's Twitter account was taken over at least twice using this technique. Companies spend very little time baking security into their software. That is a fact.
Let me show you the five easy steps.

Step one - I know at least a dozen ways to get your password or reset it if necessary.

Step two - I try your credentials on every bank's website until I find a match. Many services will inject SUV into this process, and you will commonly see a screen saying, "We sent a code to XXX-XXX-1234; please enter it here." Now I know the last four digits of the phone number associated with this account.

Step three - I use Spokeo or one of a few dozen similar services to get the full number for your mobile device. Once I know the number, I can look up the mobile operator.

Step four - I call your mobile operator and claim that I lost my phone, bought a new one, and need to activate a new SIM. ALL mobile operators will go through a series of Knowledge-Based Answers (KBA) that can be deciphered from your social media profiles, Spokeo, or similar services. And there is always the social engineering route. Watch this (https://www.youtube.com/watch?v=lc7scxvKQOo) and similar videos on YouTube. If I am successful, my burner phone with a brand new SIM card will now have your phone number. What will happen to your phone? It will say, in tiny font at the top, "No Service." Until you realize you are not receiving calls or messages, you most likely won't even notice.

Step five - while you are figuring out what happened to your phone, I am siphoning money from your bank account and resetting your password and SUV.
THIS PROBLEM IS REAL, and you should care. Many of you are agents with substantial bank accounts. What can you do?
- Check whether every online service that is important to your life, and whose takeover could cause significant or irreversible damage, offers stronger two-factor authentication. An authenticator application (e.g., Google Authenticator, Authy; many password managers have their own) is better than SMS: the app generates the code on the device itself, even when your phone is offline or only on Wi-Fi, so a swapped SIM does not help the attacker. A FIDO hardware key is best.
- All (at least US) mobile operators offer PIN protection. Someone will need this PIN to port (move) or update your phone number or SIM. It can be set up online or by calling customer service.
For the longest time, we have treated our phones as commodity communication devices without realizing how deeply they affect our lives. Do yourself a favor - go through this tabletop exercise this weekend. Check your critical online services, go through all the applications on your phone, and walk through the scenario in which you lose your phone. Find the loopholes. Create resiliency and backups for your life.
------------------------------
Genady Vishnevetsky
Chief Info Security Officer
Stewart Title Guaranty Company
Houston TX
------------------------------