Last evening, my wife found a new series (I think on Netflix) called Vice. It began with a female reporter interviewing ISIS members. I didn’t pay much attention, but I caught enough to be appalled. The next item was about something I never heard of, called “SIM swapping”. That got my full attention. Apparently, someone who has hacked your mobile account credentials (which they say can be obtained for a $100 bribe from an unscrupulous mobile phone company employee) can call the company saying they are you and request a new SIM card for YOUR phone number. They can then use it as second factor access to your accounts with most anybody. As if there isn’t enough to worry about. This is a big enough problem that AT&T Wireless is being sued for over $200 million over this issue. Their defense is that they are not in the security business. It’s not their fault you use your phone to identify yourself.
The program interviewed several victims whose entire life savings disappeared – without recourse in most cases, as it is near impossible to catch these guys. They even interviewed one still-functioning perp, whose identity was electronically masked, and he was quite proud of himself for being able to “make” so much money. An articulate monster, he assiduously avoided the word “steal”. The victims were shown addressing one of the rare perps who had been caught (only because he bragged about his feats on social media) in court after his sentencing to 10 years in prison (of which they expected him to serve 4) and explained that he would be out at age 24 and they were pretty sure he had over $4 million hidden in cryptocurrency which they couldn’t find. I found myself saying to my wife that were I that victim, I might be telling the guy he could reliably expect me to make my presence known to him immediately upon his release… We call this justice today: steal someone’s life savings, make $4 million in exchange for 4 years minimum security incarceration.
So, I quickly go online to learn how to protect myself. I already have two-factor authentication with my mobile carrier. I called them. Nothing more I can do but “practice good e-hygiene”, which I already do, religiously. Then I discovered hardware identity authentication, like YubiKey. Next complication: the device fits either USB-A or USB-C, not both. I have two computers, one with each. So, it seems I will need to buy two devices. I haven’t yet figured out how to use it with my phone – or even if I need to.
Sometimes I think life was not more difficult when people awakened to roosters, scratched a living out of the ground and collapsed onto a straw mattress when the sun went down. I keep expecting to see an obituary: “died of an overdose of usernames and passwords.”