3 Minutes to Financial Ruin
Financial Armageddon
This past week I found myself subject to a SIM Jacking attack. A reasonably sophisticated attempt to wrestle control of someone’s life, typically for money, although in some cases it can be for high-value digital assets (like a Twitter handle back in 2012). But even in those cases it typically falls back to money. Based on what happened I suspect a data breach that revealed enough information about me to provide a target for attacking my bank account. They had to have some specific details about me but given the widespread number of breaches (See Troy Hunt’s HaviBeenPwned Website has a recent list that is >170 pages long. The Equifax breach was especially significant in 2017 releasing some 605 million detailed sensitive financial records and certainly, my bank has had breaches in the past. My cellphone number and taking control of it were central to this attack. Something that should have never happened but thanks to either a complicit and involved Verizon employee or human failure to follow security protocol the attacker was able to take control of my number and initiate an attack on my bank account. What followed was 42 minutes of sheer hell as I attempted to stop the attack and prevent my bank account from being breached and my money being stolen from my account.
It was just 3 minutes that separated me from disaster or securing my accounts and restoring control of my life and finances
Read on to hear how this attack took place and what I had to do to prevent a financial disaster.
The Anatomy of a SIM Jacking
SIM Jacking or SIM Swapping (also known as port-out scam, SIM splitting, Smishing and simjacking, SIM swapping) is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone. By taking control of someone’s cell phone you can take control of a large number of that individual’s accounts through their cell phone number.
You can read the details of these attacks in this piece and this piece in Wired: How to Protect Yourself Against a SIM Swap Attack by Brian Barrett (@brbarrett). Of his suggestions to improve your security better two-factor authentication (2FA) and an alternative phone number are useful but the former is outside of your control when the institutions in question insist on imposing 2FA with your cellphone number
The problem is on the rise prior to 2020 for the preceding years the total fraud loss was ‘just’ $12 Million. In 2021 the FBI says that victims lost $68 million to this SIM-card-based scam. Suffice it to say, much like many of the other security threats and issues, if you have not been attacked or breached, I’d respond and say “Yet”.
The best way to protect yourself is to understand how this attack works and create as many barriers to prevent someone from taking your cellphone number and if they do prevent this loss from causing any additional breaches. Unfortunately, as you will see, some of this is outside of your control as it is tied to corporate systems and their security methods. In some cases, the only choice available for 2FA is to use your phone number. Where that is the only choice it is probably best to use it as this is better than not using 2FA authentication for your security. But if the choice exists to use another ‘token’ – for example an authenticator app then use that in preference
Brief Summary
It may have only have been 13 minutes to the moon but it took less than that to take over my cellphone number and break into my bank account!
At 10:53 someone attempted to purchase a phone and transfer my mobile phone number under their control. Despite having two-factor authentication that required I approve any access to my account (which I did not) this person was able to buy a phone on my account and take control of my phone number which they did
Verizon Text Message Requesting Approval to Access My Account
At 11:13, 20 minutes later they took control of my phone number
At 11:20, 7 minutes later they started attacking my bank by requesting my bank UserID
At 11:22, 2 minutes later they reset my banking password
At 11:37, a long 15 minutes after that, finally I manage to get my cellphone number suspended locking the fraudster out
From start to finish this attack took less than 42 minutes and it was only over because I was able to counteract the attempts
A Man Walked into a Store
Someone walked into a store in Connecticut and at 10:53 this morning bought a new Samsung Galaxy Phone on my account and got an eSIM (electronic SIM Card, a Digital version of the physical SIM card that connects your phone and number to the wireless system) for my mobile number
Despite the fact that I did not authorize the transaction when Verizon contacted me via text the agent in the store “Leticia” at the Verizon store in Westfarms Mall in Farmington connectivity overrode the security and authorized this purchase ($600) and authorized the issuing of a new SIM for my mobile phone number and then charged this fraud to my Verizon account
The Fraudster then took control of my mobile number and used it to attack my bank account using the text message security to obtain my Bank UserID and using the text code as security from my mobile phone number to reset the password at 11:22 and get into my account.
After a lot of attempts through various channels, I was able to disable my cell phone number and suspend service to the fraudster’s phone at 11:37 locking him out of any further attempts to hack into my accounts. I then spent the remainder of the day repairing all the damage and making sure there was no hanging access
Below you will find a detailed timeline of events
Detailed Timeline
| Time | Channel | Message | Notes |
| 10:53 | Text Message | Verizon Text Message Requesting Approval to Access My Account, Verizon Msg: There is a request to access your account at a Verizon store in Farmington, CT. Confirm or deny here: https://<SpecialURL> Remember that Verizon will never call to ask you for this link. In fact, I never got to this text message till 11:04 when I tried to access the link to deny the request | The first sign of trouble when I receive a notification by text message to my mobile phone from a store in Farmington, CT to access my account |
| 11:04 | Browser | Verizon Wireless @ https://login.verizonwireless.com/accessma… which opened a page showing that the request expired and stating my Account had not been accessed, | |
| 11:07 | 3 e-mail messages arrive in my inbox telling me my receipt is ready with links to the 3 receipts | ||
| 11:07 | Text Message | Verizon sends me the first of 2 identical messages welcoming me to my new device and offering help and support to get it set up | |
| 11:09 | Browser | I click the links for the receipts and see that someone has purchased a brand new Samsung S20 128Gb Phone in Cloud Navy. | |
| 11:13 | DISASTER | The Fraudster has activated his phone with my phone number and I have lost mobile telephone service and text messages | I have lost access to my phone number. All calls and text messages are now arriving at the fraudster’s phone |
| 11:16 | Twitter Public | I tweet out a request to Verizon | |
| 11:18 | Twitter Public | Verizon support responded saying they would be more than happy to help and asking me to DM | |
| 11:20 | I receive a notification from my bank that my user ID has been looked up | The Fraudster is able to do that because the bank insists on using your phone number and text messaging as security the fraudster was able to do that easily | |
| 11:22 | I receive a notification from my bank that my online banking password has been reset. | This was possible for the fraudster as he had taken control of my mobile phone number which the bank insists on using as my second factor | |
| 11:22 | Twitter DM | I send details of the SIM Jacking to @VerizonSupport by Direct Message | |
| 11:24 | Twitter DM | Becky from the Social Media team at @VerizonSupport responds with a stock message | The note contained a link to click on that takes you to a ‘secure chat’ where you are asked to provide |
| 11:25 | Mobile Phone Voicemail Received | I hear this VM after I regain control of my phone: “to get started say or enter the last four digits of your ATM debit card or the last four digits of your Social Security number” | That Voicemail shows he had accessed the Bank website and was attempting to reset my password. The Voicemail states: |
| 11:26 | Twitter DM | I click on the link to open the secure chat: “Please confirm your full name and the phone number associated with your account below” |
Wow, more failure in security, not exactly secure information! |
| 11:27 | Verizon SC | I provided this information in the Verizon ‘Secure Chat’ | |
| 11:27 | Twitter DM | Becky replies on Twitter saying “Awesome! Just a moment, while I access your account, alright? I appreciate you.” |
|
| 11:29 | Verizon SC | I tell Verizon “This is Urgent” but there is no response in the chat so I revert back to the Twitter Direct message thread | I do that followed by additional requests asking them to suspend my mobile line which has been hijacked and all messages and phone calls are now going to the perpetrator’s account |
| 11:30 | Twitter DM | I emphasize the urgent nature of this asking them to suspend the account and saying that I would attend a store locally to resolve this issue | |
| 11:34 | Twitter DM | Verizon sends a duplicate of the stock message 108 words long with a slightly different URL | Now I have 2 secure chat windows open with Verizon – both appear to update when I type in either one but it’s very confusing |
| 11:37 | SUCCESS | My cellphone number has been suspended and the fraudster is now locked out of my phone number | |
| 11:41 | Verizon SC | I am back in Verizon ‘Secure Chat’ and state “I’m in the Chat’ but responses are slow | |
| 11:50 | Verizon SC | Becky tells me she is working on it | |
| 11:52 | Twitter DM | Verizon sends a duplicate of the stock message 108 words long with a slightly different URL | |
| 11:57 | Twitter DM | I ask if they are going to respond | I give up on this channel. |
Legend
Text Message – Text messages sent and received to my phone
Browser – Any interaction carried out in a web browser
e-mail – e-mails received by my mail client
Twitter Public – Public message posted on Twitter that anyone can read
Twitter DM – Twitter Direct Message, private messaging between two accounts on Twitter
Verizon SC – Verizon’s Secure Chat – a unique web page link that opens up a chat window between you and Verizon
Mobile Phone Voicemail Received – Mobile phone voicemail that was received after control of my number was restored
The Aftermath
Once I was certain that my phone number was suspended I started the process of making sure all my accounts were secure and nothing had been changed. I reached out to family members as they were potentially at the most risk of receiving a weird text message that would appear as if it came direct from me perhaps lulling them into a false sense of security and potentially exposing them to fraud.
On that front, I had little to worry about. I’ve always tried to approach parenting with the view that I won’t always be there to answer the question or concern. I took some of my children to DefCon some years back and they returned enlightened to alternative perspectives. This further amplified the message I have given which is to always be alert to possible scams. The old truism holds
“If something looks to good to be true then it probably is”
When it comes to security some artful approaches can seem inconsequential there is always some angle and you have to be careful at all times. The family rapidly jumped in and made me very proud
- They rapidly assembled a text message group with everyone but me (✅ – check, including me, would potentially leak information to the fraudster through his access to my text messages)
- A quick exchange of messages and information checking on what everyone knew and updating everyone (✅ – check, lack of information is a big risk here as someone could be duped if they are not up to speed)
- Super suspicious of text messages they received and until they could confirm the veracity of the messages and identify they came from me there was no response (✅ – check, no point in providing additional information to someone attempting to attack your identity or accounts)
One family member was out of communication for a few hours. When they resurfaced online there were 42 messages waiting for them to catch up on 😀
I then assembled a number of documents to take with me to prove my identity and headed to the nearest Verizon Store – thankfully I was greeted by Brian Viera, a store manager for that location and he immediately understood the severity of the problem and then spent the 2 hours with me reversing all the damage done by this fraudster.
It was notable that to repossess my phone number he had to briefly activate the eSIM version in the fraudster’s phone and then replace my new SIM card. Thankfully his fingers were lightning fast but the time felt like an eternity as there was some risk associated with that move. You do have to wonder why the systems are designed this way, especially given that SIM Jacking is not a rare activity and has been going on for at least 4 years. According to Brian Krebs, this technique has been focused on Cryptocurrency hacks, but it would seem that the net has widened and now anyone’s bank account is at risk
Incremental Steps
Some small steps for you to consider in protecting your personal life, identity, and online accounts
- Be alert, be very alert to potential fraud – many people see this as someone else’s problem or challenge, right up until they are attacked, at which time it is too late. The general trend for this crime is a big upward trend and the attack surface dramatically increased with our increased dependence on technology and in particular a single device which makes that a big target
- Don’t buy a Samsung S20 128Gb Phone in Cloud Navy (DEV ID:353173657172043, SIM ID:89148000008680188186), this device is now a paperweight and useless so I am posting the Device ID and SIM ID just in case someone is smart enough to do a search when this ends up for sale on one of the many possible channels
- Use two-factor authentication using a second factor other than your phone number where possible. If you have no other choice than to use your phone number then remember this account and perhaps list it for additional scrutiny and security. If you can change to another organization that provides the same service and uses an alternative to your phone number, consider doing that
- Consider assembling a list of accounts at special risk and put together a plan of how to handle potential attacks
I am sure there are more things and so far every night has been filled with dreams and thoughts on how to combat this and prevent a future incidence as well as a few nightmares of real-world consequences and long-term impact. I am always interested in new and alternative ideas, especially as I don’t feel anymore secure than I did in the days prior to being targetted for this level of attack
Additional Comments
It has been a harrowing few days and certainly a highly stressful 42 minutes especially and I’ve tried to capture as much detail as possible to share in the hope that it helps others. You will find some suggestions of things you could do and especially some things that need to change at the corporate level.
Corporate Security Postures that are Weak
There is a lot of frustration on my part that I am forced into a poor security posture because of dated requirements from institutions that continue to refuse to accept the risks associated with mobile phone and text messaging-based two-factor authentication. It is better than nothing – but honestly, neither is acceptable anymore. We have solid alternatives to two-factor authentication with code generation stored and reproduced in freely available apps. Google Authenticator was one of the originals but now there are more alternatives, as you will see below, and many that are better IMHO.
Verizon and my Bank both have outdated policies and leave little choice for me to secure my account with a proper 2FA system. Making these organizations responsible for losses would be a great start and making the process of successfully filing a dispute easy is essential. Money talks and when it becomes a financial responsibility these organizations will be forced by their shareholders to take the appropriate steps
Use an authenticator on your phone – my preferred option is ‘Authy‘ – it’s free, and unlike others, you can back up your accounts (this is important because every time you change phones you need to reload all the accounts which are very time-consuming if done manually). I also recommend a password manager. Unfortunately, LastPass used to be my preferred recommendation but some time back they moved to press people into paying for the application and have disabled functionality to try and encourage you to buy yet another subscription. So my preferred system, KeePass is a free, open-source, lightweight, and easy-to-use password manager. It comes with the added benefit of storing nothing outside of your own network. Getting it to work in your browsers and on your phone requires more effort and perhaps a bit of technical expertise but there are a number of reasonable add-ons like Keepasium for the iPhone which does at least come with an outright purchase license for the iPhone software
But oftentimes corporate organizations preclude the installation of any software on their laptops or PCs. In the hospital, this can be difficult to handle in the case of multi-use(r) publically available devices that are shared. There are a number of 2FA solutions that are essential and while they come with a cost, I am willing to bet the cost is a whole lot less than the cost of a data breach and the public loss of trust. Don’t expect your doctors, clinicians, or staff to use complex passwords if you don’t provide a way to use them easily at any station to gain authorized access to systems that are required to carry out their roles. If I am moving from room to room and terminal to terminal and required to type in a password that is complex, 16 characters or more, and requires some obscure variation of characters mix I’m going to pick
Thisismypassword1234!
over
x&dPsmZ$%m168eZ@
I’m not going to reveal other online accounts that are stuck in the dark ages in their security posture here, but rest assured it’s common knowledge in the hacking circles and contributes to their targeting systems and approaches.
As for confirming purchases by Text Message
Verizon Message Welcoming Me and my New Device
Verizon Msg: Get started using your new device with 30 days of personalized 24/7 setup and support. Connect with an expert now at https://govzw.com…
If you have that system then allowing it to be overridden except with exceptional oversight and multi-person authentication (no not two-factor, two-person authorization – think nuclear launch and the two keys!) would be a minimum. If someone wants to suggest that is too much effort because it takes place so frequently then there is a problem with the original authentication process. If your staff is having to override the security frequently fix that! Why might that be the case – well in the case of Verizon’s links their websites and pages contain some code and tracking that will fall foul of many of the ad blockers and tools that people like me use. I am unable to authorize any of these links and open a Verizon page at my home because my network is locked down preventing malicious traffic. Why you might ask – well in an average month my home network is under attack around 200-500 times. I keep track of this constantly and review logs, change and update settings on a regular basis and remain on high alert concerned I may have missed something or failed in some way to update to catch some recent bug and/or vulnerability. What do you see on your home network? Unless you are looking, probably nothing but rest assured your network is receiving a similar level of attack and unless you are confident that your network infrastructure is up to date and trust the vendor to secure you, you and all your devices and users are at risk.
Social Security is not “Security”
Unfortunately, years of abuse of the social security number system have created a morass of challenges with the reliance on a number that was created in 1936 for the sole purpose of tracking the earnings histories of U.S. workers, for use in determining Social Security benefit entitlement and computing benefit levels. But lacking any other suitable options this has become the default option for the identification of individuals as a unique identifier and worse still as a second factor for multiple use cases of securing information and access.
I’ve talked about this many times and had lots of guests talking about this. Please stop! Stop using Social Security numbers as security. Please stop using Social Security Numbers as Patient ID numbers or as security tokens in healthcare.
Emergency Procedures
I’m not sure they even exist. I certainly was not aware of them and searching online revealed nothing helpful on how to expedite contact with any of the parties that had the ability to halt this attack. I needed contact points that would be responsive. I tried multiple and was able to reach someone but it was high stress and very frustrating to find myself on hold on a Verizon call while I watched my online personal life being methodically attacked and hijacked. I recall some credit card companies have call numbers that specifically highlight if you believe you have been the victim of fraud offering a fast path to talking to someone who should be in a position to help
The online experience was woeful
I reached out on Twitter directly to Verizon at 11:16
https://twitter.com/drnic1/status/1578403784044298243?s=20&t=8u6P_Q6L6w8gRFmZHJJ0UQ
The response 2 minutes later was hopeful
Good morning! I'm delighted to hear from you today! Thanks for contacting us, regarding your SIM. I'll be more than happy to look into this for you. Please DM us for assistance!
*Becky
— Verizon Support (@VerizonSupport) October 7, 2022
But what followed was an exercise in frustration. I replied in the Twitter Direct Messaging function which is a secure chat between two accounts and for the purposes of resolving this would be more than sufficient IMO but at 11:24 I receive a stock response in this channel asking me to go to yet another channel. The message is 108 words long. That might not seem like a lot but in a crisis and under a high level of stress succinct and focused communications are essential. The message was filled with legalese and irrelevant information that no doubt the employees are required to use but make for a confusing and difficult-to-understand message.
As Eric Johnson (@ProfEricJohnson) points out in his excellent book ‘Elements of Choice‘ presenting too much information, especially in times of crisis or stress can prevent information exchange and negatively affect outcomes. He talks about fluency, choice architecture, plausible paths, and the importance of personalized communication or defaults. Given the urgency in this case that was something certainly not happening with the process
I have to click on this link to open up yet another browser window for Verizon’s version of “secure chat” and be asked to provide personal information to validate my identity. Why can we not use Twitter DM for communication? That channel has already been opened and activated. I know it is not end-to-end secure but if that’s imperative, go straight to that option vs an intermediary step.
FYI Verizon – the personal information you are asking for is trivial given this attack. They “verified” me with my full name and phone number associated with the account!
Had that proceeded to an actual response and suspension of the account it would have been worthwhile but by 11:57 when I gave up on this channel I had been sent 5 identical stock messages asking me to open up Secure Chat. I kept typing in the chat but received no response so went back to Twitter. That sequence repeated and ended with me saying in the Twitter DM:
What is the point of this – we keep going back and forward to this secure chat I respond and then you disappear and have no response
As for the bank – again similar problem. Any information available for fraud is all after the event. Nothing to be found to contact someone at the bank to halt a theft in progress. If someone breaks into a bank and tries to steal the money they have emergency systems connected to the police and security systems designed to initiate a rapid response. Based on the most recent FBI Statistics there are ~4-5 bank robberies per day (total of 1,724 for 2021). But identity theft is occurring at a rate of 1.4 Million separate incidents in 2021. That equates to almost 4,000 a day (up by more than 300% for the 2019-2020 years) but there is no system for reporting them in the same expedited manner yet this seems to be a bigger problem.
Time factors
As you can see from the timeline there was a relatively short time between the start of the attack at 10:53, the time I lost my phone and text messages at 11:13 (20 mins), and the attack on my bank account at 11:20 (27 mins). Had I not been able to respond this all could have taken place and I could have found my accounts drained and who knows what else? It is also notable that 20 minutes in my alerts from all the online corporate security systems that insist on using your phone number as 2FA were no longer visible to me as my phone was now disconnected and all these alerts would be going to the fraudster’s phone. So I had 20 minutes to identify there was an attack in progress and start combatting it. If you were not paying attention to your phone and any text message for more than 20 minutes you would have lost the insight that your online life was under attack.
That’s troubling as we are besieged by distraction and it’s frying our brains. YOu may need to work out a better filter that blocks all of that distraction traffic but still allows security issues to break through.
Investigation and Consequences
I can’t say I have any confidence that there will be consequences for any of the people involved. The loss was prevented and in what can only be described as an extraordinarily frustrating call with my Bank after the fact I got nowhere trying to find out more about the attack and what happened on the bank’s end. In relaying the details to their security department all I got was they “could not see any wires or transfers made“. I tried repeatedly to ask what had happened behind the scenes in their system to know how far this fraudster had gotten but the individual I spoke with just kept repeating “they didn’t get far” but would not provide me with any details beyond his perception that no fraud had been committed. As far as they were concerned this case was closed!
The Verizon fraud department was equally frustrating. I’d tried calling earlier in the day after I had suspended my account but was left listening to hold music for so long that I gave up and headed to the Verizon store in the hope it would be easier and faster there. We spent a full hour, most of it on hold in the store waiting for the fraud department to answer. When I asked the store manager if this was normal he informed me the fraud department is “very small“. When we did finally get connected and reported the details I’m told it might be 2-3 billing cycles before the charges are reversed so I’m on the hook for $600 of charges until then!
I’m also not hopeful that they will ever share with me why or how the 2FA security that they impose was overridden by this employee nor will I ever have any confidence that this won’t happen again. When I asked about preventing this in the future I was told that all of this detail was entered into the notes and when someone tries this again, the Verizon store employee is supposed to read through the notes before proceeding. Do I have confidence that this will happen – no. Do I have confidence that these notes would prevent the same thing from happening again – No.
How about a different security posture? How about freezing my account so no changes can be made without some very specific extra steps? Extra work for me anytime I have to deal with Verizon but at least some additional barriers?
Their security process was trivially bypassed. I received the message and have a screenshot that laughably states that my account was not accessed:
Even though that was the message that proved not to be true as the Verizon employee “Leticia” who works at Westfarms Mall, Verizon store in Farmington CT had overridden this security control. This individual was either complicit in the fraud or was duped into bypassing the security and manually overriding the requirement to receive approval from the authorized account holder. To do this, at a minimum, the fraudster should be presenting identification with my name on it. Without details from Verizon on what was presented, I won’t know but if that’s the case then this was very targeted since the fraudster had to have an ID card with my name and his photo. And if that’s the case I certainly want to know if there is someone walking around with a photo ID that has my name and their photo on it.
Either way, your life and in particular your privacy and security are in the hands of an employee working in a Mall store for Verizon. It can be easy to discount the importance of this but as I have said in previous posts, “Humans are the Weakest Link in Security” and can provide the easiest vector for any attack. This was all it took to start a process of attacking my life and my financial accounts. If the individual is assessing the veracity of a driver’s License are they equipped to do so?
Irony
It was ironic I received notification from the Equifax Breach settlement to inform me my claim had been approved on Sunday, October 9, 2022, two days after my life and accounts had been attacked. The email was asking how I would like to receive my payment. Needless to say with everything that happened it felt like another scam or phishing attempt but was not in this case!
It will be difficult if not impossible to tell the source of the data used by this fraudster but this is certainly one of the places the data may have come from
Technical Notes
Just in case you own a Mac and want to dive into your browser history, getting date and time stamps is not quite a click away. So I share my research in case that helps anyone as well.
Doing a deep dive takes some work as not all the information is in one place and some of it is buried in some pretty obscure places. For example, your Safari browser history is stored but only shows the history by day and provides no time stamps. But GiYF (Google is your friend) and a quick search took me to the Apple Stack Exchange forum and this post: See website visit time in Safari history that included a SQL query that extracted the data from the Safari SQL database of browser history. I needed to get a copy of the file (on Mac OsX v12 Monterey in the folder /username/Library/Caches/Metadata/Safari/History/)
And then execute this query
sqlite3 ~/Library/Safari/History.db ‘SELECT datetime(history_visits.visit_time+978307200, “unixepoch”, “localtime”), history_visits.title || ” @ ” || substr(history_items.URL,1,max(length(history_items.URL)*(instr(history_items.URL,”&”)=0),instr(history_items.URL,”&”))) as Info FROM history_visits INNER JOIN history_items ON history_items.id = history_visits.history_item where history_visits.visit_time>(julianday(“2022-10-07 10:30”)*86400-211845068000) ORDER BY visit_time ASC LIMIT 200;’
Comments
Comments are closed.
Pingback: