#and by digits i mean my cred card number
idk why I even have an ask box anymore when I know it's just gonna be Nekkie Bigtitties Definitelynotabot McGee knocking at my door every time
How I Recovered a Hacked Facebook Page
You always hear about people's Facebook accounts getting hacked, and often see the consequences of it (constant event invites to random sales with dodgy links). However after working around social media for so long I always thought I'd seen it all, and wouldn't be fooled like so many others before me. So when I got hacked and had a Facebook page with 25k followers stolen from me, I was left feeling like a true sucker. But I got it back, and actually found a friend in a guy who had taken me to hell and back, from a country I'd never even heard of.
It starts fairly typical of any hack story you'll find on Yahoo! Answers or on the Facebook community boards. I woke up very early on Wednesday morning to check my pride and joy, a Facebook page I'd organically grown to 25k followers in the space of 2 months. However, I was on alert as I discovered the following message in my inbox, posted by "Facebook Pages":
"Dear Facebook user,
After reviewing your page activity, it was determined that you were in violation of our Terms of Service. Your account might be permanently suspended. If you think this is a mistake, please verify your account on the link below. This would indicate that your Page does not have a violation on our Terms of Service. We will immediately review your account activity, and we will notify you again via email.
Verify your account at the link below:
===============================
**insert dodgy link here**
===============================
Thanks for being part of Facebook Community."
I gave this a quick skim and believed it to be legit, partly because I was half asleep, and partly because I definitely had infringed copyright laws with a few of my posts. Looking back I should have noticed the grammatical errors or checked the profile that the message came from (which was a blatant fake) but nonetheless I clicked through to the link, which took me through to the page below.
[Image: Facebook phishing]
Without thinking twice about it I entered my details, which directed me back to Facebook's help page. I then messaged the phony "Facebook Pages" profile from my page to tell them that it was done, and that I was waiting to be reviewed. Feeling like I'd sorted the issue, I left the page and got ready for work, promising to check out how the review had gone before I left for the day.
After getting ready I went to log into my Facebook account but was having no luck. I tried my details again only to notice that it wasn't my password that was incorrect, but my email address. In fact, it was saying that my email address was not registered with any Facebook account. I was perplexed but tried again, this time logging in with the email Facebook provides on default ([email protected]). This got me in, and it was at this point that I knew there were some serious issues.
Facebook had informed me that somebody in another region had tried to access my page. They'd done more than that... this hacker had actually got complete access to my account, and proceeded to change the email address to a spammy looking Gmail account. Not only this, they'd posted porn images on a bunch of local pages from my account, sent several friend requests and, to my dismay, removed my admin status from my beloved Facebook page.
I was freaking out majorly, and for a number of reasons. My page was a big deal, but the account was also linked to my credit card and PayPal accounts, not to mention the probability of getting temporarily banned for posting porn everywhere. I messaged the page a few times and got ignored, posted to the wall and got banned, and after not hearing from Facebook support I'd pretty much conceded defeat. However before I gave up I thought I'd talk in a language we all understand:
Tom: I'll pay you for the page back. Just name your price and I'll pay it.
Hacker: $1000
Success! No way was I prepared to pay that kind of money, but at least the hacker had recognised me.
I just had to keep him talking, get him to understand what he'd put me through:
Tom: Sure, just send me your PayPal details. USD yeah?
Hacker: You can send me via westerunion or moneygram
Just the fact that they said 'me' seemed to change the conversation. This wasn't a robot, there was a real human being behind this, probably somebody who could be reasoned with.
Tom: Would you consider being a nice guy and just giving it back? I worked very hard on the page
Tom: You're from Europe yes? What good is this page to you?
No response for 12 hours, it was time to bait him:
Tom: Just send me your details and we'll make the arrangement. Money gram please
Hacker: okey
Hacker: i will send you details just in case
Hacker: you are a nice guy too but man i need some monney even if you don`t send me 1000$..at least 300$ talk to you later
Tom: Don't we all need money. I was going to sell this page soon anyways.
Hacker: Can I trust you?
Tom: Trust me in what way?
Hacker: I actually post stuff on pages I get. But this seems that you really give much time on it.
Hacker: When can you send me the money?
Tom: I could do it immediately. But how can I ensure you'll give me ownership back?
Hacker: You will have my word. First I make you editor. Add me and I'll make you editor right now.
Next thing I see a friend request pop up from a name I won't mention, but could barely pronounce. The display picture was of a pretty girl looking away from the camera. Considering their last status update was back in 2012 I concluded this was fake.
Hacker (now using fake profile): When should I post on your page? I will only post once a day
Tom: What's your site? Let me have a look at your content
Once he sent through his site I knew that I was dealing with a pro hacker, but an amateur online marketer. It was poorly designed, had spelling and grammatical errors everywhere, and the fact that the visitor counter he'd installed was still in double digits was proof that it wasn't doing too well.
He gave me back editor controls of my Facebook page (I could post but not do much else), which was a start, but I continued to go in with a soft approach:
Tom: Can you make a comedy post? (it's a comedy fan page) Then we post that one first, and slowly just post all kinds of stuff
Hacker: I thought you had money:P. Lol.
Tom: What do you mean?
Hacker: I mean, I don't really have the life you have.
Tom: Where are you from?
Hacker: Kosovo
Tom: Ah
Pardon my ignorance, but I'd never heard of Kosovo before. I've barely travelled outside of Australia, and have never been to Europe. I quickly read up on it on Wikipedia to discover Kosovo's brief history - it had only been a country as of 2008, when it had unilaterally declared independence from Serbia. According to Wikipedia Kosovo was known to be "Extremely vulnerable to organised crime and thus to money laundering", so everything was starting to make sense.
Hacker: just send me 200$ i will give this page to you
I sensed that there was somewhat of a power shift taking place. The site he showed me was struggling, which was why he had proceeded to hack other pages.. in a way to grab some quick traffic.
Tom: Hey listen but, if you start posting on this page you'll currently get no interaction, nobody will click man the base is too small, you might get 10 clicks tops a post.
Hacker: This isn't the first page I use for posting. I know what I'm doing on this
Tom: Man I own my own content site, similar to yours. There's a reason I haven't posted yet.. the base is too small it'll just destroy the page.
Hacker: oh
Tom: If we grow this page we can make money. Off affiliate deals and off your website's AdSense
Tom: I'll split it with you. Just let me continue to grow the page
From this point on the subject matter of the conversation completely changed.
He asked one more time for money, but it became more an opportunity for him to pick my brain, to learn more about growing a website. I showed him blogs of mine and gave him advice on what he can do for his page. In the space of about 10 minutes this clever, manipulative hacker became like a kindergartener on his first day of school, soaking into his brain everything I was throwing at him.
Tom: Do you ever get content ideas from reddit?
Hacker: Whats reddit
Tom: Omg really? Man, this will help you more than any money I could give you.
Hacker: I will not even think of removing you from your fan page or something
Hacker: I just learnd something. And that's good.
Hacker: Btw thanks for sharing
We went on about content strategies, SEO, etc for a while, but I had a few more questions to ask him. This was so fascinating to me, I'd never been hacked, let alone got the chance to communicate with a hacker.
Tom: How many pages have you hacked?
Hacker: Hundreds man.
Tom: What's the largest
Hacker: 600k
Hacker: But don't say hacked lol sounds stupid
Tom: What's your actual name?
Hacker: Elvir
Elvir was opening up, and he proceeded to tell me more about himself. He's a 22 year old economics student, trying to make money off websites in his spare time. He still had a .blogspot domain which he wanted to change but he couldn't afford a domain, and he wasn't getting enough traffic to generate AdSense revenue.
We continued talking for the next 2 days sporadically. He'd ask me various questions around online marketing, while I was trying to get to know more about him. At this point I thought it was time to see if I'd completely reimbursed him.
Tom: hey can you make me admin? i need to add my account so i can post vid again.
Hacker: I make you admin now. (and he did)
Hacker: But I really need that help from you
Once I got admin status back I quickly deleted him off the page, changed all my login details and made a new account to manage the page (just in case he could get back in).
Despite this however we still talk a few times a week, usually when he wants advice on how to write a headline, or how he should fix his page design. I actually even sent him over some money for a domain on a $15 prepaid credit card, which he was thrilled about.
I know that most situations don't end as positively as this - it sounds like nearly everybody who has their Facebook page hacked virtually loses it for good, and Facebook doesn't try to help out in the slightest. But it made me learn that there's still a human element, a vulnerability if you will, in everyone. What started out as one of my scariest online experiences actually turned into something of fascination, and my experiences with Elvir in Kosovo sure went a way into affirming that there's a little bit of good (and evil) in all of us.
Hackers Dissect ‘Mr. Robot’ Season 4 Episode 5: ‘Method Not Allowed’
Episode 5 of Mr. Robot’s final season was riveting. We discussed [SPOILERS, obvs] burning evidence, fake IDs, physical security, social engineering, firmware updates, lockpicking, 3D fingerprints, and more. (The chat transcript has been edited for brevity, clarity, and chronology.)
This week’s team of experts includes:
Emma Best: a former hacker and current journalist and transparency advocate with a specialty in counterintelligence and national security.
Bill Budington: a long-time activist, security trainer, and a Senior Staff Technologist at the Electronic Frontier Foundation.
Jason Hernandez: Solutions Architect for Bishop Fox, an offensive security firm. He also does research into surveillance technology and has presented work on aerial surveillance.
Harlo Holmes: Director of Digital Security at Freedom of the Press Foundation.
Trammell Hudson: a security researcher who likes to take things apart.
Trammell: That episode was so [AESTHETIC]. I loved that it started with "We don't have to talk," then had ZERO dialogue, and ended with "It's time we talked". It felt like the bold stylistic decisions the show was making back in the earlier seasons.
Emma: Agreed, the aesthetics were very good. It's one of those episodes I'll enjoy watching a breakdown of by film buffs on YouTube. I know there was a lot I didn't get.
Trammell: So many film references and tropes… also looking forward to the film buff analysis.
Burning evidence
Yael: I like how they played “Ode to Joy” right when Darlene found Elliot. I also like how it started out with Elliot trying to "burn the evidence" but, like, burning doesn't always destroy forensic evidence.
Emma: Under the circumstances, it was nearly the best they could do. I would've tried to keep the doors secured shut but broken any side and rear windows (leaving the front windshield intact if possible). That guarantees airflow and maximizes convection, raising the temperature. We're dealing with digital data, and physical damage to the medium helps, but the data can be reconstructed out of heavily damaged materials in ways that it couldn't a few years ago.
Yael: They zoomed in on an automated license plate reader (ALPR), though. ALPRs don't just take license plate images, they also capture photos of drivers and passengers, too.
The Crime Scene
Trammell: Did Dom do anything on the scene, or was it all implied that she handled it by her being there?
Emma: I think she was just looking around and trying to get info.
Yael: Yeah, Janice tells Dom to use her FBI credentials to intercept intel and ID the body… but can you do that? I thought the FBI only had jurisdiction to investigate state crimes if it involved interstate travelers, serial killers, etc.
Trammell: "You give me any of that 'juris-my-dick-tion' crap…"
Emma: She said in a Signal message that she didn't get access on the scene, and that was why she went the other route.
Yael: Her donut phone hack was pretty clever. But I was wondering, why is Dom writing down the license plate numbers of Dark Army vans near the end of the episode? Isn’t it a bit late for that?
Emma: I'm also not sure why the FOUO markings were crossed out on the document Dom looked at. That's something you'd see if it were downgraded or approved for public release, but that wasn't the impression I got with it, especially since there was a color picture attached. You don't usually get that in FOIA releases or leaked documents, lol.
Trammell: Yeah, that clearly wasn't a real FOIA since it didn't █████████ █████(b)(4) and hadn't been photocopied at least ██████ (c)(1) times.
Meeting Location
Yael: Price getting a “bill” that’s a note and then getting the dry cleaner address from a trombone player and then another address in his dry cleaning was pretty clever. I’ve seen people set up two meeting locations (you meet at the first to get the address for the second) but I’ve never seen something like that IRL.
Emma: Price chasing the meeting info was a fairly realistic example of when people (or their trusted minions) have to put in the legwork of setting something like that up.
Trammell: Although what's the point of sending Price on an item quest?
Yael: I think to avoid someone else finding out where they're meeting.
Emma: It's also counter-surveillance. Making numerous stops makes it easy to compare anyone showing up at multiple points, and the travel distance provides more opportunities to watch for them. "Running errands" can be a great way to ID a tail. Do it long enough and you can even ID a team working in tandem.
Getting Creds
Yael: I like how Darlene used an AlphaCard Pilot ID card printer for her fake ID, and that Elliot was scouting Virtual Realty’s security, which was conveniently described on its website.
Bill: But…. just because she printed the ID doesn't mean it's valid. By the way, Darlene's fake ID is for "Dolores Haze", who is a character in the novel Lolita by Vladimir Nabokov.
Trammell: Darlene has been using the Dolores Haze moniker since season 1, and it’s how she is listed in Elliot's Signal contacts.
Yael: Darlene’s socially engineered costume was pretty effective, as well as “dropping her purse.”
Bill: Then Elliot comes in with his mad dash to the access control station.
Yael: …and then Darlene "forgetting" her phone was a nice touch.
Trammell: The guard watching Die Hard is more evidence that Die Hard is a Christmas movie.
Harlo: The guard at Virtual Realty did all he could do, but they still got pwned. For a Common Access Card, it's recommended to have a photo printed (for the human to verify) and a chip (for machines). Darlene's fake ID was definitely going to fail on the machine-readable side, thus it falls down to the human to verify. But, what can you do when someone inserts the matching photo ID into the employee database?
The Building
Harlo: It’s interesting to think about co-tenancy as a vulnerability.
Trammell: That’s a good point. At many colocation centers that I have visited there is a guard to let people into the server room, but all of the tenants have private cages with locks that the guards explicitly do not have access to.
Harlo: My question about tenancy has to do with the unique ability for attackers to pivot from one point of access to another [e.g., gain entry to the gym but wind up in the server room]. That is sooooo 2010s—actually, not uniquely 2010s, even though we have coworking spaces that make that simpler.
Trammell: To update that for 2019 you could probably pull off a coworking space attack against someone with a MacBook and an Apple Watch. Wait for them to go to the restroom or get another coffee and you can probably unlock their machine with the watch’s Bluetooth while they are still close enough.
Harlo: I guess the main problem here is that the company that manages the building has complete access to everything its tenants are leasing. I wouldn't think it super wise for building management to have access to the server floor, but they did, and that's how Elliot and Darlene got in!
Jason: Yeah, I think the physical security would fail most audits.
Harlo: IT ALWAYS DOES.
Jason: The physical access controls at Virtual Realty are just not up to what I'd expect for even a cut-rate colocation provider.
Yael: 20/20 hindsight, but I feel like the guard had bad peripheral vision, and he was super slow.
Trammell: He moved at the speed of the plot.
Darlene’s Disguise
Jason: The guard didn't ask why she was there on Christmas day.
Harlo: True. He wanted to be nice. Also, they took advantage of the partner's smoke break or whatever. That's why you have a buddy system, to help you double-check your judgement.
Jason: She's not dressed like anybody who is coming in to work on a server on Christmas day.
Yael: What would her costume have to be?
Jason: More casual. Or some kind of work uniform, if one exists.
Trammell: Seems like a random server maintainer costume for a visit on Christmas day would be whatever she happens to be wearing when she got the call to deal with maintaining the server.
Yael: I feel like women can't always get away with the jeans and hoodie look, though. There are double standards about what people give you shade for wearing.
Jason: Agreed that there are double standards, but there should be some kind of a consistent narrative about why she's coming into the building on Christmas day, ideally designed to exploit the security staff's likely expectations. I think she would have been better off coming into the building in the yoga outfit, saying she's on call and she got paged out of yoga. She could say a hard drive died on a production server and she's new so she got stuck with being on-call over the holidays.
Trammell: I'm not sure I've ever had the ground floor desk ever ask me why I'm coming into the office on a Sunday or after midnight or anything. That's really not their job.
Yael: Would she bring her badge to yoga?
Jason: If she's on call, she better.
Harlo: Darlene's first look provides excellent contrast with her second look: basic Barbie yoga gear. Pretty lucky, if you ask me.
Yael: Well, she also was able to think quickly, too. She’s so good at social engineering.
The Heist
Yael: Elliot got through that combo lock wirelessly with his laptop pretty quickly.
Trammell: That seemed unrealistic. There are hacks against some electronic locks, but most require some sort of connection, and likely some detailed recon to know what models are in use. The camera maintenance panel login was admin/admin. That is 100% realistic.
Yael: So, Elliot updated the firmware, which somehow made the elevator cam turn off… Does it just turn off when the firmware is upgrading? And there’s really no way for anybody to cancel it?
Jason: Firmware updates often overwrite really critical components of memory and disruptions to the process can leave devices in an unusable state, i.e. making it a brick. Software to update firmware usually tries to protect users from this, so there's typically not an easy or safe way to stop an update. Seemed clever to black out cameras with a firmware update.
Trammell: The firmware update running serially (0/152) and taking down the entire system is 100% realistic.
Yael: What does running serially mean?
Trammell: One at a time. So rather than saying "All cameras! Update your firmware!" it says "Camera 1! Update!" and waits for it to finish, then says "Camera 2! Your turn!"
Yael: I guess they should just prevent getting pwned by keeping their firmware updated.
Harlo: Or maybe it explains why they never update.
Emma: Darlene staring at the elevator camera like a total goober was painful to watch.
Yael: Maybe she assumed they'd erase the tape.
Emma: You can't count on wiping the footage, and staring at the camera waiting for it to go out is a dead giveaway that you were involved, while giving them a direct look at your face.
Trammell: It certainly made the break-in easier to have the Kraftwerks makerspace and chemlab in the same building. (And their slogan "Do. Make. Live." is similar to NYC Resistor's "Learn. Share. Make.")
Bill: Regarding the 3D printed fingerprint mold, a 3D printed fingerprint got past Samsung’s Galaxy S10 fingerprint sensor earlier this year. We see the fingerprint is crafted into a .gcode file. "A GCODE file contains commands in G-Code, which is a language used to describe how a 3D printer should print a job."
Yael: Elliot is really good at picking locks. I thought they did a good job of showing how when Darlene and Elliot had some access they could use it to get more access. So, uh, smart move of Elliot to cut the power when the guard goes in to investigate but I think he should’ve shown Darlene the clock much sooner. Also, in my 20/20 hindsight backseat hacking, I think they should've disabled all the security guards’ elevator access.
Trammell: PLC hacking was a nice touch. Although as with many things in the show, Elliot's ability to break into every system without any recon is a bit unrealistic. Why doesn't Darlene just say hi to the guard? She works for the company in server maintenance. That seems like she should be the one in the cage. Elliot could hide somewhere.
The Escape
Yael: I liked how Elliot and Darlene ended up having two wildly different escape strategies. Elliot bought some time with the zip line on the one door but then had to attack and run into traffic, while Darlene just posed as a gym-goer.
Emma: Darlene hiding and then changing her coat and walking out was a good move, but she should've been stopped. Regardless of chasing Elliot out, the police should have kept the building sealed and questioned anyone coming out—or at least checked their ID. But at least she changed her coat. If Elliot had had enough sense, he would do that instead of plowing into civilians and making a scene after he was out of the cops' line of sight.
Yael: Yeah, I think Elliot should take off his hoodie when running from the cops. Not that there was time or that it would've helped.
Trammell: After he ran through the couple and tripped over the pram, did anyone else expect Elliot to run through a pane of glass that two workers are carrying across the sidewalk?
Harlo: Yes.
Emma: I noticed tipping over the carriage full of cans. Definitely a moment of panic before it became clear that it wasn't a baby in there. (Yes, I know it's not real….)
Trammell: It was full of cans!
Trammell: A question I asked last week: if this operation is going down TONIGHT, why are they being so careful to cover all their tracks? It seems like they need to be burning the bridges at both ends at this point.
Emma: Because they still need it to take some time to find them.
Hackers Dissect ‘Mr. Robot’ Season 4 Episode 5: ‘Method Not Allowed’ syndicated from https://triviaqaweb.wordpress.com/feed/
Hanging Up on Mobile in the Name of Security
An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.
The claims come in a lawsuit filed this week in Los Angeles on behalf of Michael Terpin, who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018.
A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.
But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.
Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.
According to Terpin, this was the second time in six months someone had hacked his AT&T number. On June 11, 2017, Terpin’s phone went dead. He soon learned his AT&T password had been changed remotely after 11 attempts in AT&T stores had failed. At the time, AT&T suggested Terpin take advantage of the company’s “extra security” feature — a customer-specified six-digit PIN which is required before any account changes can be made.
Terpin claims an investigation by AT&T into the 2018 breach found that an employee at an AT&T store in Norwich, Conn. somehow executed the SIM swap on his account without having to enter his “extra security” PIN, and that AT&T knew or should have known that employees could bypass its customer security measures.
Terpin is suing AT&T for his $24 million worth of cryptocurrencies, plus $200 million in punitive damages. A copy of his complaint is here (PDF).
AT&T declined to comment on specific claims in the lawsuit, saying only in a statement that, “We dispute these allegations and look forward to presenting our case in court.”
AN ‘IDENTITY CRISIS’?
Mobile phone companies are a major weak point in authentication because so many companies have now built their entire procedure for authenticating customers on a process that involves sending a one-time code to the customer via SMS or automated phone call.
In some cases, thieves executing SIM swaps have already phished or otherwise stolen a target’s bank or email password. But many major social media platforms — such as Instagram — allow users to reset their passwords using nothing more than text-based (SMS) authentication, meaning thieves can hijack those accounts just by having control over the target’s mobile phone number.
Allison Nixon is director of security research at Flashpoint, a security company in New York City that has been closely tracking the murky underworld of communities that teach people how to hijack phone numbers assigned to customer accounts at all of the major mobile providers.
Nixon calls the current SIM-jacking craze “a major identity crisis” for cybersecurity on multiple levels.
“Phone numbers were never originally intended as an identity document, they were designed as a way to contact people,” Nixon said. “But because of all these other companies are building in security measures, a phone number has become an identity document.”
In essence, mobile phone companies have become “critical infrastructure” for security precisely because so much is riding on who controls a given mobile number. At the same time, so little is needed to undo weak security controls put in place to prevent abuse.
“The infrastructure wasn’t designed to withstand the kind of attacks happening now,” Nixon said. “The protocols need to be changed, and there are probably laws affecting the telecom companies that need to be reviewed in light of how these companies have evolved.”
Unfortunately, with the major mobile providers so closely tied to your security, there is no way you can remove the most vulnerable chunks of this infrastructure — the mobile store employees who can be paid or otherwise bamboozled into helping these attacks succeed.
No way, that is, unless you completely disconnect your mobile phone number from any sort of SMS-based authentication you currently use, and replace it with Internet-based telephone services that do not offer “helpful” customer support — such as Google Voice.
Google Voice lets users choose a phone number that gets tied to their Google account, and any calls or messages to that number will be forwarded to your mobile number. But unlike phone numbers issued by the major mobile providers, Google Voice numbers can’t be stolen unless someone also hacks your Google password — in which case you likely have much bigger problems.
With Google Voice, there is no customer service person who can be conned over the phone into helping out. There is no retail-store employee who will sell access to your SIM information for a paltry $80 payday. In this view of security, customer service becomes a customer disservice.
Mind you, this isn’t my advice. The above statement summarizes the arguments allegedly made by one of the most accomplished SIM swap thieves in the game today. On July 12, 2018, police in California arrested Joel Ortiz, a 20-year-old college student from Boston who’s accused of using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.
Ortiz allegedly had help from a number of unnamed accomplices who collectively targeted high-profile and wealthy people in the cryptocurrency space. In one of three brazen attacks at a bitcoin conference this year, Ortiz allegedly used his SIM swapping skills to steal more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million the victim had crowdfunded.
A July 2018 posting from the “OG” Instagram account “0”, allegedly an account hijacked by Joel Ortiz (pictured holding an armload of Dom Perignon champagne).
Ortiz reportedly was a core member of OGUsers[dot]com, a forum that’s grown wildly popular among criminals engaging in SIM swaps to steal cryptocurrency and hijack high-value social media accounts. OG is short for “original gangster,” and it refers to a type of “street cred” for possession of social media account names that are relatively short (between one and six characters). On ogusers[dot]com, Ortiz allegedly picked the username “j”. Short usernames are considered more valuable because they confer on the account holder the appearance of an early adopter on most social networks.
Discussions on the Ogusers forum indicate Ortiz allegedly is the current occupant of perhaps the most OG username on Twitter — an account represented by the number zero “0”. The alias displayed on that Twitter profile is “j0”. He also apparently controls the Instagram account by the same number, as well as the Instagram account “t”, which lists its alias as “Joel.”
Shown below is a cached snippet from an Ogusers forum posting by “j” (allegedly Ortiz), advising people to remove their mobile phone number from all important multi-factor authentication options, and to replace it with something like Google Voice.
Ogusers SIM swapper “j” advises forum members on how not to become victims of SIM swapping.
WHAT CAN YOU DO?
All four major wireless carriers — AT&T, Sprint, T-Mobile and Verizon — let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.
Mobile store employees who can be bought or tricked into conducting SIM swaps are known as “plugs” in the Ogusers community, and without them SIM swapping schemes become much more difficult.
Last week, KrebsOnSecurity broke the news that police in Florida had arrested a 25-year-old man who’s accused of being part of a group of at least nine individuals who routinely conducted fraudulent SIM swaps on high-value targets. Investigators in that case say they have surveillance logs that show the group discussed working directly with mobile store employees to complete the phone number heists.
In May I wrote about a 27-year-old Boston man who had his three-letter Instagram account name stolen after thieves hijacked his number at T-Mobile. Much like Mr. Terpin, the victim in that case had already taken T-Mobile’s advice and placed a PIN on his account that was supposed to prevent the transfer of his mobile number. T-Mobile ultimately acknowledged that the heist had been carried out by a rogue T-Mobile store employee.
So consider establishing a Google Voice account if you don’t already have one. In setting up a new number, Google requires you to provide a number capable of receiving text messages. Once your Google Voice number is linked to your mobile, the device at the mobile number you gave to Google should notify you instantly if anyone calls or messages the Google number (this assumes your phone has a Wi-Fi or mobile connection to the Internet).
After you’ve done that, take stock of every major account you can think of, replacing your mobile phone number with your Google Voice number in every case it is listed in your profile.
Here’s where it gets tricky. If you’re all-in for taking the anti-SIM-hacking advice allegedly offered by Mr. Ortiz, once you’ve changed all of your multi-factor authentication options from your mobile number to your Google Voice number, you then have to remove that mobile number you supplied to Google from your Google Voice account. After that, you can still manage calls/messages to and from your Google Voice number using the Google Voice mobile app.
And notice what else Ortiz advises in the screen shot above to secure one’s Gmail and other Google accounts: Using a physical security key (where possible) to replace passwords. This post from a few weeks back explains what security keys are, how they can help harden your security posture, and how to use them. If Google’s own internal security processes count for anything, the company recently told this author that none of its 85,000 employees had been successfully phished for their work credentials since January 2017, when Google began requiring all employees to use physical security keys in place of one-time passwords sent to a mobile device.
Standard disclaimer: If the only two-factor authentication offered by a company you use is based on sending a one-time code via SMS or automated phone call, this is still better than relying on simply a password alone. But one-time codes generated by a mobile phone app such as Authy or Google Authenticator are more secure than SMS-based options because they are not directly vulnerable to SIM-swapping attacks.
The web site twofactorauth.org breaks down online service providers by the types of secondary authentication offered (SMS, call, app-based one-time codes, security keys). Take a moment soon to review this important resource and harden your security posture wherever possible.
from Amber Scott Technology News https://krebsonsecurity.com/2018/08/hanging-up-on-mobile-in-the-name-of-security/
0 notes
Text
The 3.5mm jack and me.
So last year a bunch of phones got released without a headphone jack. Probably the most notable of these, though not the first, is the iPhone 7. A lot of people made fun of it back then and complained loudly about how ridiculous and unfair it was to consumers. Slowly over time those complaints got softer as more devices did the same. Sure we still complain but there is a feeling that we’ve resigned ourselves to this future. In that time I've found that I ended up convincing myself that I was “fine” without it.
Before I go on though it would probably be a good idea to provide a little context first. I love music. And I love a good audio experience. I may not be able to spend a lot on equipment but I do what I can to upgrade my listening experience. I’m picky. And only mildly obsessed with FLAC. ehem.
Right now though, when it comes to what phone I plan on owning next, I honestly couldn’t care less about all that. I’m looking at a phone without a 3.5mm jack.
Audio Fidelity
Given the title you just read, you might find this next bit to be an odd way to start this section, but given how much it affects everything else I'm going to say, it’s better to get it out of the way early.
Convenience.
OK, now that I've gotten that out of the way, wired is better for sound quality. Now I wish I could just leave it at that but as with a lot of things it’s not really that straightforward. It can be considerably better but whether it is or not will depend a lot on three things.
Starting with the source, which in this case is the audio file/stream. Is the format lossless? What is the bitrate? Without a high quality source of audio to start with, nothing else matters.
Once you clear that you need a decent DAC (Digital-to-Analog Converter) that can actually take advantage of a high quality source and convert it into something to push through your headphones.
Finally you actually need a good pair of earphones or headphones to turn that sweet analog signal into honey for your ears. If you’re missing one of those three things it’s hard to say how much better of an audio experience you’re truly getting over Bluetooth.
Wired doesn’t automatically mean that you get a better experience. For the geeks, nerds, techies, or audiophiles that’s pretty well known but to the average consumer it’s not really something they are tuned to looking out for and putting the effort into ensuring they have. And not having any of the above still doesn’t exempt you from having to deal with cables. Oh cables (more on that later).
There is no doubt that for the time being, assuming you’ve ticked all the right boxes, wired is a superior listening experience when it comes to quality. However, there is nothing stopping me from thoroughly enjoying myself while listening to music with wireless earphones/headphones. End of the day when it really comes down to it and I want that perfect audio experience, I can still have it at home. Where I can truly appreciate it without distractions.
Convenience and Ubiquity
Which brings us here. I seem to be trading in the ability to have great sound everywhere and limiting it mostly if not only to an at home experience. But what am I gaining as a result?
So part of the reason I got the phone that I currently have in the first place is that it actually did come with a decent DAC built in. It’s an HTC 10 by the way. I already had everything else I needed so, this would be perfect for me to experience great audio on the go right? Not so much. I rarely find myself taking advantage of the built in DAC despite those giant lossless files taking up space on my SD card. Part of that comes down to cables (now is later).
Cables get snagged on things. They get tangled unless you're really good about using cable ties and/or how you store them. You have to be conscious of how you remove your phone and put it back into your pocket so as to not make the cable coil up. Tucking the wire under your clothing could mean lifting your t-shirt when you want to use your phone. In the case of earphones the cable, as a result of its own weight or some other factor, pulls the buds out of your ears or simply makes the fitting loose/uncomfortable.
I’d rather not have to allocate mental bandwidth to all that when I'm on the go or working out. Wireless provides me with that ease of use. Quite frankly when it comes to situations where I’m playing music or media in general from my phone I’m really not that keen on audio fidelity. Working out, doing chores, errands about town, in the car, sharing a track with someone. The audio quality is “good enough” and... that’s fine.
Glossing over any cred I've likely lost as an audiophile after that statement, there's one thing that gives wired an advantage over wireless when it comes to convenience. They’re everywhere and all the same. I should really clarify at this point that though I have up until now used “wired” to refer to a listening experience through a 3.5mm jack, USB type-C headphones are wired too.
Back for now, to the 3.5mm jack being the same everywhere. For the most part I’m sure it is, especially with the phones that still have it. I doubt the number of pins on the jack is much of an issue these days so any phone you plug your headphones to should just work. It’s likely the same if you have an AUX jack in your car. With Hi-Fi systems or some headphones you may need a 3.5mm to 6.3mm adapter, or the opposite, to get things hooked up. Not unlike having to use a dongle. However type-c dongles aren’t as likely to work nor are they as cheap if lost. Those last two pairings seem less likely anyway.
This isn’t currently a major issue for me but I can definitely think of a bunch of situations where I would find it handy to have a 3.5mm jack. Chances are that, as with many things, it will only be when I don’t have one that I’ll really feel it.
Once I have lost it, the only option I’ll have for a wired experience is USB type-c headphones or the previously mentioned dongles. Both of which present a problem because of their seeming lack of compatibility across manufacturers. We can always hope that this will be fixed in the future with proper standards but it shouldn’t be a problem in the first place. Especially when there is no alternative for those that own single port phones right now. Some of whom can’t get official USB type-c accessories from their device manufacturer.
Having just a USB type-C port and nothing else on a phone can be inconvenient too. You can’t charge your phone and listen with wired headphones at the same time without a dongle for example. Oddly enough on my phone, which currently does have a headphone jack, I still can’t do this practically when I need to. It’s part of the reason I use Bluetooth as much as I do.
With my previous phone, a Nexus 5x, I had no problem doing this. Plug in my power bank, hook up my earphones, drop the phone in a pocket and I’m good to go. I can’t do this with my HTC 10 though. The 3.5mm jack and the Type-C port are on opposite sides of the phone. This increases the effective footprint of the device more so than if they were both on the same side. This makes it harder to fit in a pocket, as well as find suitable space for it in a car and creates a messier cable situation in my opinion. It also makes it less manageable to deal with pressure on the cables forcing them to bend near the jack pin which could damage them over time. So although it’s something I can do, I prefer not to, because of the way my device is designed.
The Real Reasons.
With all that I’ve said so far it probably sounds like I’m making an argument for why it may not matter that much if the 3.5mm jack ends up gone from all phones in the future. But there are a huge variety of situations where I would and still do use it. Regardless of whether I need to use it or not. Because when it comes down to it the issue here is choice. I love having the option to use it when I want and it’s incredibly useful to have when other options are impractical or expensive.
The reality is there is no real reason for the 3.5mm jack to be gone from what we’ve seen so far. Better Bluetooth isn’t a reason to remove it. USB Type-C isn’t a reason to remove it either. It’s been proven that water resistance can be done with it still there. We’ve seen phones like the S8 and Note 8 crammed with tech and still have the jack. A phone like the Vivo X5Max is thinner than an iPhone or a Pixel 2 or even a Moto Z and still has a 3.5mm jack.
Somewhat reminds me of when OnePlus released the 2 without NFC. In that case they argued that usage was low but for me that instantly was a deal breaker. People complained and now OnePlus has had NFC in all their flagships since.
The 3.5mm jack doesn’t seem to be coming back though. Which is sad and disappointing. It’s frustrating cause the removal seems entirely arbitrary and totally unnecessary.
So why am I set on a device that doesn’t have the 3.5mm jack? Nothing else seems to fit my needs as far as the software as well as the hardware configuration that I’m looking for. Though I suppose I can forget about anything new and just get an original Pixel or Pixel XL instead. Still pretty good and the plus side is it would be cheaper now.