Other Two step verification and SIM jackers that empty bank accounts

[Branaghan]

This article sums up the problem:

SIM-Jackers Can Empty Your Bank Account with a Single Phone Call

The mobile phone fraud scam has jumped up in popularity over the past couple of years, and there's very little to stop you from becoming a victim.

www.vice.com

Another one: https://www.thesun.co.uk/money/10670069/sim-jacking-fraud-rising/

I was discussing the other day about the methods used by thieves to gain control of these devices and empty bank accounts and reached a few conclusions about some fatal mistakes people do with their devices.

I wanted to raise some points, to be more specific about the two step verification, which I don't use at all.

Before I discuss that I want to say I always have 2 phone numbers.

Main number is in the iPhone, but it's never registered as a means of password recovery for any bank account, email (including Apple ID) and online store. So no sensitive data is sent to it.

I own a second phone number. This one, however, it's the opposite of #1. It's where I register ALL of them. It is PIN protected: https://blackcloak.io/how-to-protect-your-phone-number-from-being-stolen/

And it's never used. In fact I bought a very cheap phone that doesn't even have internet access. I put number #2 in there and if I wanted to receive a SMS code or use somehow, then I turn the phone on again.

It will not cost me anything, I mean, only if I want to make some phone calls. So pre-paid. (Even so we need every X months to spend anything again, otherwise the number will be gone for good).

Of course even if it's PIN protected if someone steals your iPhone unlocked it will be futile. He will be able to receive SMS codes anyway. The PIN is required only after restart or if they move the number to another SIM card.

So it makes total sense to put #2 in a drawer, a controled environment, and of course the cheap phone turned off. Never to use on a daily basis. This cheap phone can't even lock itself after some period of inactivity...

The same thing I can say about emails.

I decided to create a new account where all this data is also sent when I need to recover it. So Amazon, eBay, all banks... are registered to it.

Thing is, this email is never logged in my Apple device.

Apple's EMAIL app is not password or Touch ID protected. So anyone can read my emails if the device is unlocked. Outlook for iOS uses TouchID, still I am not fond of it, so I rather use a strong password that measures 100% in here:

Password Checker - Evaluate pass strength, dictionary attack

Test your password strength against two basic types of cracking methods - the brute-force attack and the dictionary attack.

password-checker.online-domain-tools.com

Something with upper/ lowercase letters and numbers. Not just numbers, which may even be spotted as you type them on the street. And FaceID certainly the worst of the lot.

This new (GMAIL) account does not rely on a phone number for password recovery. I decided to remove from Google (they allow that).

Instead I created a 2nd email for recovery. And I told the 2nd email to use the 1st for recovery.

New emails #1 and #2 are never logged in any device. If I want to access them I need to insert the password again, in a browser.

That's not all: if my current email address has any data that can help the thieves to access my bank accounts (such as my ID number, where I live, birth date, etc.) it needs to go, too. You either comb through all your many messages and get rid of this or don't leave logged 24/7.

Now, the reasons why I don't use 2 step: https://support.apple.com/en-us/HT201487

- I find very unlikely that someone doesn't lose his recovery key. A lot more than forgetting 1 of 2 (or 3) strong passwords.

- If this is not available then a * trusted device * is used to send a code.

Problem is, I believe most people use their own iPhones for receiving these codes. Even if they use from a friend, they both can get robbed at the same time. Or they may lose access to it.

The third possibility is of course sending a SMS code to a trusted phone number.

That won't help you if the phone is stolen.

You get my point?

Besides all I said, some apps like IFOOD really need to hide our data, they are not password protected even for that. If someone gain access to your phone they will clearly use all this to do what that article said: pretend they are you and steal all you have.

A few more things I learned this week:

SCREEN TIME:

Use parental controls on your child's iPhone or iPad - Apple Support

With Screen Time, you can turn on Content & Privacy Restrictions to manage content, apps, and settings on your child's device. You can also restrict explicit content, purchases and downloads, and changes to privacy settings.

support.apple.com

- 4 digit password that may prevent these:

* Passcode Changes: Prevent changes to your passcode
* Account Changes: Prevent account changes in Accounts & Passwords (this also hides your current email address used as Apple ID)

* Location Services: Lock the settings to allow apps and websites to use location (useful when "FIND MY IPHONE" is enabled, to prevent this tool to be disabled)

GUIDED ACCESS:

Use Guided Access with iPhone, iPad, and iPod touch - Apple Support (CA)

Guided Access limits your device to a single app and lets you control which features are available. You can turn on Guided Access when you let a child use your device, or when accidental gestures might distract you.

support.apple.com

*********

 

[smcgrath12]

Before I discuss that I want to say I always have 2 phone numbers.

Main number is in the iPhone, but it's never registered as a means of password recovery for any bank account, email (including Apple ID) and online store. So no sensitive data is sent to it.

-- The problem you might run into with your method is that lot of vendors automatically use the phone number on the account as also your 2nd factor for 2FA (I am using the term 2FA liberally here). Some make it even worse. They will also use the account phone number for recovery purposes as well and there is no way to opt out of it. For these situations, you will need to completely remove your main number from your profile at these vendors. Not a big problem, but you will never be around to take calls initiated from them to you as you won't have your 2nd phone with you or if your 2nd phone is switched off most of the time.

The bigger problem is you will now have no way to log into these vendors on the road in an emergency if they force you to only use SMS for 2FA. You will be handicapping yourself, but it is definitely secure.

I decided to create a new account where all this data is also sent when I need to recover it. So Amazon, eBay, all banks... are registered to it.

Same problem like phone numbers. So, if say, Amazon has this (you call it 1st email) as your account email, you will have to constantly & regularly log into this 1st email using a device other than your iPhone to make sure you don't miss anything important and time sensitive. Again, it is secure but might find that this gets old real quick for vendors you use regularly.

Instead I created a 2nd email for recovery. And I told the 2nd email to use the 1st for recovery.

Did you mean to say, "I told the 1st email to use the 2nd as its recovery method"?

A few more things I learned this week:

SCREEN TIME:

Use parental controls on your child's iPhone or iPad - Apple Support

With Screen Time, you can turn on Content & Privacy Restrictions to manage content, apps, and settings on your child's device. You can also restrict explicit content, purchases and downloads, and changes to privacy settings.

support.apple.com

- 4 digit password that may prevent these:

* Passcode Changes: Prevent changes to your passcode
* Account Changes: Prevent account changes in Accounts & Passwords (this also hides your current email address used as Apple ID)

* Location Services: Lock the settings to allow apps and websites to use location (useful when "FIND MY IPHONE" is enabled, to prevent this tool to be disabled)

*********

Screen time restrictions are an under appreciated feature of iOS. I use them to secure a few things. The design could improve though. For example, once you lock "Account Changes", you can't see when your last iCloud backup was done without unlocking it first. Apple should ideally lock the ability to modify certain things with restrictions, but allow information to be freely available outside of locks with tweaks for sensitive read only information (eg. locking down the details of credit cards on your account)

Also, if you are plagued with junk calls and you have enabled the "Silence unknown callers" feature, you really want to lock down your contacts. That feature works with your existing contacts and you don't want that out in the wild. Spammers spoof phone numbers to call you and if your contacts are not tightly controlled, a sophisticated spammer could spoof their caller id to one of your contact numbers and bypass this iOS feature of silencing calls.

 

[Branaghan]

-- The problem you might run into with your method is that lot of vendors automatically use the phone number on the account as also your 2nd factor for 2FA (I am using the term 2FA liberally here). Some make it even worse. They will also use the account phone number for recovery purposes as well and there is no way to opt out of it. For these situations, you will need to completely remove your main number from your profile at these vendors. Not a big problem, but you will never be around to take calls initiated from them to you as you won't have your 2nd phone with you or if your 2nd phone is switched off most of the time.

The bigger problem is you will now have no way to log into these vendors on the road in an emergency if they force you to only use SMS for 2FA. You will be handicapping yourself, but it is definitely secure.


Same problem like phone numbers. So, if say, Amazon has this (you call it 1st email) as your account email, you will have to constantly & regularly log into this 1st email using a device other than your iPhone to make sure you don't miss anything important and time sensitive. Again, it is secure but might find that this gets old real quick for vendors you use regularly.

Did you mean to say, "I told the 1st email to use the 2nd as its recovery method"?

Screen time restrictions are an under appreciated feature of iOS. I use them to secure a few things. The design could improve though. For example, once you lock "Account Changes", you can't see when your last iCloud backup was done without unlocking it first. Apple should ideally lock the ability to modify certain things with restrictions, but allow information to be freely available outside of locks with tweaks for sensitive read only information (eg. locking down the details of credit cards on your account)

Also, if you are plagued with junk calls and you have enabled the "Silence unknown callers" feature, you really want to lock down your contacts. That feature works with your existing contacts and you don't want that out in the wild. Spammers spoof phone numbers to call you and if your contacts are not tightly controlled, a sophisticated spammer could spoof their caller id to one of your contact numbers and bypass this iOS feature of silencing calls.

This is what I did, concerning email accounts (I'll explain further):

Let's assume my email has always been:

john@gmail.com

This is what I've been using for ALL bank accounts (they refer to this email for retrieving password, sending bills, etc.), Amazon, eBay, Apple ID, etc.

So all my sensitive data (including ID number, birthdate, full name, where I live, etc. is there).

- I created 2 new emails. I am going to call them:

johnrecovery@gmail.com

johndisco@gmail.com

I told:

johnrecovery@gmail.com to use johndisco@gmail.com as a recovery email.

And:

johndisco@gmail.com to use johnrecovery@gmail.com as a recovery email.

I also told both johndisco/recovery to remove the cell phone configured inside the Google account (you can always do that). As explained here it takes a week for this to be fully removed once you do (so don't bother checking before): https://support.google.com/accounts/answer/3463280?hl=en&co=GENIE.Platform=Desktop

Then this is what I did next:

Changed all my bank apps and several services to always refer to johnrecovery@gmail.com.

So now my Apple ID is also johnrecovery@gmail.com.

If I don't know what my Apple ID password is, this is what Apple is going to ask me to do:

The email sent from Apple to reset the password will go to:

johndisco@gmail.com.

So if I don't know the password from email #1 (johnrecovery) then I need to remember from email #2. If I don't know #2 then #1.

There is no cellphone involved.

Besides all that I also need to remember the answer to the 3 security questions. Ebay also uses this method to retrieve the password. In my case I put answers that make no sense, so instead of replying "What was the name of your first teacher?" with a name that a relative or anyone near to me would know, I informed Apple a word that has no relation with this:

What was the name of your first teacher?
A: Wind

- The next thing I did was to write all the login/password/security questions and answers, etc. in a TXT file. Then saved as a PDF password protected, then created multiple OFFLINE copies. In case I forgot one password I can always go there and check what it was.

Another issue with email accounts is the so called "inactivity period". Google (as far as I know) it's the only (free) service that does not get rid of the inactive that after YEARS. A few others remove the account after, say, 1 year not being used. What Google is doing now is removing the contents (so after 2 years the emails would be erased, or Google Drive archives deleted), yet not the account.

Even if you don't visit #1 (johnrecovery@gmail.com) regularly there's no danger of this account being erased and tomorrow someone taking control of that username.

With phone numbers after a few months the account is frozen and no SMS messages are received. After a while if you don't contact the provider then the number is gone for good and another customer may get it.

When you buy a new number you put a few $ to make some calls, then after the credits expire you let it only receiving calls for MONTHS.

What I said before was that you can't use your main phone number as a means of recovery because it will always be with you wherever you go, and it won't matter if it's PIN protected. Why?

Because the thief may get access to the PUK codes to undo the PIN protection:

PUK Code | How to find it and unlock your phone - Uswitch

Here's how to unlock your phone and get your PAC code.

www.uswitch.com

The way he does this is pretending to be you, if he gets your data which of course is totally exposed if he happens to steal an unlocked phone with the email logged 24/7, or other sensitive data in apps like IFOOD, which don't hide it;

This is what I call hiding:

ID number:
************

In case you want to reveal the number you already know you need to input the password again.

The PIN password is useful only if he puts your number into HIS PHONE (switching to bypass the iPhone lock), or if the iPhone is restarted. If he got your phone unlocked while you were distracted then no PIN 4 digit password will be asked.

Many services need to change the way they work. Some always ask to send a digit-code to your registered email when you try to log into them again (I think STEAM does this). If I am telling to never leave the email which is going to be a target LOGGED 24/7, then needing to go back again and again will be a bore.

Forcing the use of 2FA or sending SMS codes with no recourse such as answering security questions or email recovery is a mistake in my opinion.

It makes total sense to buy a 2nd number, put on a US$ 20 cheap device, and always leave that cell phone turned off. You might even hide the SIM card and only reinsert when you need (that won't be good because it's always a hassle to do this and then take it off). To make things easier it's precisely why I suggested isolating this new phone number.

Turning the US$ 20 cheap phone off is to prevent another person to receive the SMS codes if the phone is already unlocked. Change the default PIN password from your provider, too, if you decide to use it.

2FA is not going to work with Apple devices because chances are:

1- You will lose the recovery key;
2- Then Apple will ask to send a code to a trusted device. What if you lost it or if the trusted device was also stolen?
3- Next thing Apple will do is send a SMS code to a trusted number.

3) will work, however it can't be your current/always used number. And if I am explaining that after a few months the number will be locked by the ISP due to lack of use and if not demanded back by the owner then cleared for a new customer, then you can't rely on this, too.

You may risk losing access to the Apple ID forever.

I am not going to lose access because all I have to remember is 1 of 2 (or 1 of 3) passwords.