Life is Too Complicated, Series III, 43rd edition

Last evening, my wife found a new series (I think on Netflix) called Vice. It began with a female reporter interviewing ISIS members. I didn’t pay much attention, but I caught enough to be appalled. The next item was about something I had never heard of, called “SIM swapping”. That got my full attention. Apparently, someone who has hacked your mobile account credentials (which they say can be obtained for a $100 bribe from an unscrupulous mobile phone company employee) can call the company, say they are you, and request a new SIM card for YOUR phone number. They can then use it as second-factor access to your accounts with most anybody. As if there isn’t enough to worry about. This is a big enough problem that AT&T Wireless is being sued for over $200 million over this issue. Their defense is that they are not in the security business. It’s not their fault you use your phone to identify yourself.

The program interviewed several victims whose entire life savings disappeared – without recourse in most cases, as it is near impossible to catch these guys. They even interviewed one still-functioning perp, whose identity was electronically masked, and he was quite proud of himself for being able to “make” so much money. An articulate monster, he assiduously avoided the word “steal”. The victims were shown addressing one of the rare perps who had been caught (only because he bragged about his feats on social media) in court after his sentencing to 10 years in prison (of which they expected him to serve 4) and explained that he would be out at age 24 and they were pretty sure he had over $4 million hidden in cryptocurrency which they couldn’t find. I found myself saying to my wife that were I that victim, I might be telling the guy he could reliably expect me to make my presence known to him immediately upon his release… We call this justice today: steal someone’s life savings, make $4 million in exchange for 4 years minimum security incarceration.

So, I quickly go online to learn how to protect myself. I already have two-factor authentication with my mobile carrier. I called them. Nothing more I can do but “practice good e-hygiene”, which I already do, religiously. Then I discovered hardware identity authentication, like Yubikey. Next complication: the device fits either USB-A or USB-C, not both. I have two computers, one with each. So, it seems I will need to buy two devices. I haven’t yet figured out how to use it with my phone – or even if I need to.

Sometimes I think life was not more difficult when people awakened to roosters, scratched a living out of the ground and collapsed onto a straw mattress when the sun went down. I keep expecting to see an obituary: “died of an overdose of usernames and passwords.”


Author: civil westman

Driven to achieve outward and visible things, I became a pilot, a doctor and a lawyer. Eventually, I noticed the world had still not beat a path to my door with raves. Now, as a septuagenarian I still work anesthesia part-time, fly my flight simulator to keep my brain sparking and try to elude that nagging, intrusive reminder that my clock is running out. Before it does, I am trying, earnestly, to find a theory of everything - to have even a brief "God's-eye" view of it all before the "peace which passeth all understanding."

9 thoughts on “Life is Too Complicated, Series III, 43rd edition”

  1. civil westman:
    This is a big enough problem that AT&T Wireless is being sued for over $200 million over this issue. Their defense is that they are not in the security business. It’s not their fault you use your phone to identify yourself.

    Any citation to the case?

    I found these

    https://www.courtlistener.com/docket/7663410/michael-terpin-v-at-and-t-inc/?filed_after=&filed_before=&entry_gte=&entry_lte=&order_by=desc

    https://www.courtlistener.com/docket/16348884/seth-shapiro-v-att-mobility-llc/?filed_after=&filed_before=&entry_gte=&entry_lte=&order_by=desc

    It’s outrageous.

  2. Someone once impersonated me and ordered an insurance replacement phone from AT&T. I only found out 2 weeks later when I got a survey email asking about my experience.

    I never got a prior email asking about it, confirming it, etc. Or a call.

    And when I contacted them, they would not tell me where they sent the phone, citing “customer privacy”.

    AT&T must somehow be in on the scam.

    They need to be punished severely. Not just financially. They need to find FBI swat teams kicking their doors down at 6 am.

  3. ctlaw:

    civil westman:
    This is a big enough problem that AT&T Wireless is being sued for over $200 million over this issue. Their defense is that they are not in the security business. It’s not their fault you use your phone to identify yourself.

    Any citation to the case?

    I found these

    https://www.courtlistener.com/docket/7663410/michael-terpin-v-at-and-t-inc/?filed_after=&filed_before=&entry_gte=&entry_lte=&order_by=desc

    https://www.courtlistener.com/docket/16348884/seth-shapiro-v-att-mobility-llc/?filed_after=&filed_before=&entry_gte=&entry_lte=&order_by=desc

    It’s outrageous.

    I don’t remember names, just that the victim claims to have lost $21.?? million in cryptocurrency and was suing for 10 times that amount. Around $210 – 220 million. Is the outrage directed at the perps or the theory that AT&T is asserted to have liability exposure?

    Addendum: I wrote the above before seeing your second comment. I now understand.

  4. ctlaw:
    Someone once impersonated me and ordered an insurance replacement phone from AT&T. I only found out 2 weeks later when I got a survey email asking about my experience.

    I never got a prior email asking about it, confirming it, etc. Or a call.

    And when I contacted them, they would not tell me where they sent the phone, citing “customer privacy”.

    AT&T must somehow be in on the scam.

    They need to be punished severely. Not just financially. They need to find FBI swat teams kicking their doors down at 6 am.

    I agree and suggest 4am!

  5. John Walker:

    civil westman:
    Next complication: the device fits either USB-A or USB-C, not both. I have two computers, one with each.

    There are USB A/C adaptors and cables. Most devices work plugged into them. Here is an example of one. They are readily available from many sources.

    https://www.arp.ch/fr/adaptateur-usb-2-0-a-f-c-m-0-35-m-83933-5273615

    Thanks, John. Incidentally, all this ‘free’ time is allowing me to start to clean out several loaded, disorganized storage areas of my house. I have a substantial pile of wires and connectors accumulated from beginning around 1987. The wire fur ball approaches a cubic meter in volume. As I look at the various adapters and diverse cables, I am trying to add up the cost. It is not insubstantial. I wonder if there is a market for such old stuff. I really have a lot and in great variety.

  6. The answer is do not use your phone for anything but occasional browsing, maybe a Kindle app, taking pictures, ONE email account, a secure one like Gmail, and obviously as a phone.

    NEVER NEVER, (did I say NEVER?), use it for credit card info, Amazon log-in, or PayPal. (I don’t. I use my home computer and religiously use antivirus and anti-malware.)

    So fine, your phone is locked. DUH, that can be beaten, and if your phone was stolen or lost, good luck stopping things before they get out of hand.

  7. Gerard:
    The answer is do not use your phone for anything but occasional browsing, maybe a Kindle app, taking pictures, ONE email account, a secure one like Gmail, and obviously as a phone.

    NEVER NEVER, (did I say NEVER?), use it for credit card info, Amazon log-in, or PayPal. (I don’t. I use my home computer and religiously use antivirus and anti-malware.)

    So fine, your phone is locked. DUH, that can be beaten, and if your phone was stolen or lost, good luck stopping things before they get out of hand.

    The problem isn’t data on the phone, it’s the fact that a user has set up login authentication via SMS. Normally if someone tries to log in to your server-based account, they fail because the server sends your phone a message and you don’t approve the login. BUT, if they fake your SIM card, then they receive the SMS message and can approve their login.

    SMS is a cheap and easy way to utilize unused packet space in GSM phone networks, but it’s a really bad thing to use for security. It’s like putting your stuff in Fort Knox and then leaving the Fort Knox key under the doormat.

    I use a device similar to this:

    https://www.amazon.com/Yubico-Security-Key-USB-Authentication/dp/B07M8YBWQZ

    and also an authentication app like this:

    https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_US

    The phone company is guilty of lots of stupid things, but not for the fact that people are using an insecure product (and one that was never intended to be secure) for security-critical things.

    Although this whole explanation goes to Civil Westman’s observation about the world being so damned complicated.

