Securing your SMS.
Ray [REDACTED]: [00:00:00] SMS was never really designed to be a secure protocol that everything would hinge upon.
Dave Bittner: [00:00:06] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:24] Hi, Dave.
Dave Bittner: [00:00:25] We've got some interesting stories to share this week. And later in the show, we're joined by a gentleman who goes by the name Ray [REDACTED] online. He's a well-known and respected cybersecurity researcher and consultant, and he's going to bring us up to date on SIM hijacking and everything you need to know to protect yourself from that.
Dave Bittner: [00:00:42] But before we get to all that, a word from our sponsors at KnowBe4. Step right up and take a chance. Yes, you, there. Give it a try and win one for your little friend, there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they, A, my late husband wished to share his oil fortune with you, or, B, please read - important message from HR? Or, C, a delivery attempt was made, or, D, take me to your leader? Stay with us, and we'll have the answer later. And it will come to you courtesy of our sponsors at KnowBe4, the security awareness experts who enable your employees to make smarter security decisions.
Dave Bittner: [00:01:29] And we are back. Joe, I'm going to kick things off for us this week. This is a story from the folks over at Sophos - so their Naked Security blog. This is written by John E. Dunn. And the title of the article is "Scammers Use Bogus Search Results to Fool Voice Assistants." Now, let me ask you a question. So let's say you need to get in touch with the gas and electric company.
Joe Carrigan: [00:01:52] OK.
Dave Bittner: [00:01:52] And you need to find their phone number.
Joe Carrigan: [00:01:54] Yes.
Dave Bittner: [00:01:54] How would you go about doing that?
Joe Carrigan: [00:01:55] I would Google BG and E's phone number, customer service number.
Dave Bittner: [00:01:58] That's Baltimore Gas and Electric.
Joe Carrigan: [00:02:00] That's correct.
Dave Bittner: [00:02:00] Right. So you would Google them. And then what?
Joe Carrigan: [00:02:03] Because I've been through this wringer before...
Joe Carrigan: [00:02:06] I'd make sure that the first link isn't an ad
Dave Bittner: [00:02:09] (Laughter).
Joe Carrigan: [00:02:09] And I click on the phone number that it calls.
Dave Bittner: [00:02:11] So this is an interesting twist on that scam. So let me back up a little bit and explain what that scam is. What will happen is, quite often, scammers will buy an ad on a search engine for a commonly used organization that you might call for customer service. For example, your gas and electric company...
Joe Carrigan: [00:02:30] Right.
Dave Bittner: [00:02:30] ...Your internet provider, your phone company - all those sorts of things.
Joe Carrigan: [00:02:33] Yep.
Dave Bittner: [00:02:34] So when you do what you just described, which is do a search for customer service, the first thing that'll pop up...
Joe Carrigan: [00:02:40] Is an ad.
Dave Bittner: [00:02:41] ...Is an ad.
Joe Carrigan: [00:02:41] That somebody paid for.
Dave Bittner: [00:02:42] That pretends to be that company...
Joe Carrigan: [00:02:44] Correct.
Dave Bittner: [00:02:45] ...And has a phone number that takes you to the scammers.
Joe Carrigan: [00:02:48] Yes.
Dave Bittner: [00:02:48] And the scammers will then lead you down the path of fooling you into believing that they are whoever you're calling - in this case, the gas and electric company. But when it comes time to take care of any sort of payment, you're going to be handing over your payment information to them. So this article over on Sophos is an interesting twist on that. It turns out that a lot of people are using their smart voice assistants - your Apple Siri, your Amazon Alexa, Microsoft Cortana - and they will use that assistant, and they'll say, please, call customer service for the gas and electric company.
Joe Carrigan: [00:03:23] And that assistant will go to the first result that comes up, right?
Dave Bittner: [00:03:26] Precisely. And the assistant doesn't have the ability to analyze and discern that there might be something funny about the link or something about the phone number. It just calls the first number that pops up via the search. And in some cases, that directly connects you to...
Joe Carrigan: [00:03:45] A scammer.
Dave Bittner: [00:03:46] ...The scammers. So what the folks over at Sophos are saying is, don't use your voice assistants...
Joe Carrigan: [00:03:53] (Laughter).
Dave Bittner: [00:03:53] ...When it comes time to call these fake accounts.
Joe Carrigan: [00:03:56] Right. I think that these companies have some guilt to bear here.
Dave Bittner: [00:04:00] OK.
Joe Carrigan: [00:04:00] Because have you ever tried to find, like, a customer service number for Verizon on their webpage, or Comcast on their webpage, or Amazon? You ever tried to find a customer service number for Amazon?
Dave Bittner: [00:04:09] Amazon's the granddaddy of them all when it comes to...
Joe Carrigan: [00:04:13] Yeah. It's impossible to find their customer service number.
Dave Bittner: [00:04:15] Yeah.
Joe Carrigan: [00:04:16] And I think that alone is a large contributing factor to this problem.
Dave Bittner: [00:04:21] I agree. And I find it interesting - actually, I was actually thinking about this in the last week, that I think it's a bad thing that as consumers we've allowed it to get to this point, that these companies make it hard or sometimes impossible to get a real human on the phone.
Joe Carrigan: [00:04:35] Yes.
Dave Bittner: [00:04:36] And we've just accepted that, in the modern world of online electronic purchasing and so on and so forth, that we're OK with that. An automated system would be fine...
Joe Carrigan: [00:04:46] Right.
Dave Bittner: [00:04:46] ...For some things.
Joe Carrigan: [00:04:46] Sure.
Dave Bittner: [00:04:47] But for other things, if you really have a problem, it's nice to talk to a real human.
Joe Carrigan: [00:04:52] Yeah. When I'm calling these customer service organizations, I have a question that I haven't been able to find the answer to on the internet. So I need a human who knows the answer.
Dave Bittner: [00:05:01] It's (laughter) - it's your last resort.
Joe Carrigan: [00:05:02] It's my last resort, absolutely.
Dave Bittner: [00:05:03] (Laughter).
Joe Carrigan: [00:05:05] I don't like dealing with people. I really don't like talking on the phone. Combine those two things together, and you already have me in a situation where I need to get ahold of somebody...
Dave Bittner: [00:05:12] Right.
Joe Carrigan: [00:05:13] And now you're going to prevent that from happening.
Dave Bittner: [00:05:14] You're already irritated...
Joe Carrigan: [00:05:16] I am.
Dave Bittner: [00:05:16] ...By having to do that...
Joe Carrigan: [00:05:18] (Laughter).
Dave Bittner: [00:05:18] ...At all. In this article, they talk about how, obviously, the search engines are doing their best to try to prevent these scam phone numbers from bubbling to the top. But, like all these sorts of things, it's basically a whack-a-mole game.
Joe Carrigan: [00:05:31] Exactly. Yeah. It's - you'll kick one out of the results, another one will pop up.
Dave Bittner: [00:05:36] Mmm hmm. So the advice here is to always manually check these on the web.
Joe Carrigan: [00:05:41] Yep.
Dave Bittner: [00:05:41] Don't rely on your voice assistant. I would also say don't rely on the search engine. In other words, if I wanted the phone number for my gas and electric company, I think the safest thing to do would be to go to their website.
Joe Carrigan: [00:05:55] Right.
Dave Bittner: [00:05:55] Actually, the safest thing to do would be to pull out your bill that they mailed you.
Joe Carrigan: [00:05:59] Right (laughter).
Dave Bittner: [00:06:00] But the next-safest thing would be to go to their actual website, find the number on their website and call that number, rather than relying on the number that the search engine gives you.
Joe Carrigan: [00:06:11] Yeah. I'll tell you, I'm probably not going to do that. I'm probably going to Google the number and then scroll down until I can find it, knowing that the first couple of numbers or ads, or scams or something.
Dave Bittner: [00:06:20] Yeah.
Joe Carrigan: [00:06:20] It's an unfortunate state that we live in, Dave.
Dave Bittner: [00:06:23] (Laughter) It's good, as well. It gives us the opportunity to have this show, right?
Joe Carrigan: [00:06:29] Yes. (Laughter) We'd be out of jobs...
Dave Bittner: [00:06:30] That's right. Exactly.
Joe Carrigan: [00:06:30] ...If this wasn't the case (laughter).
Dave Bittner: [00:06:31] Right. All right. Well, we'll have a link in the show notes to this story again. It's the Naked Security blog over from the good folks at Sophos. So do check that out. That is my story this week. Joe, what do you have for us?
Joe Carrigan: [00:06:43] Do you like video games, Dave?
Dave Bittner: [00:06:45] I do like video games. I can't say I have as much time to play them as I used to, but I do enjoy video games.
Joe Carrigan: [00:06:51] Yes. Do you know what Steam is? Are you familiar with Steam?
Dave Bittner: [00:06:53] Mmm hmm. Yup.
Joe Carrigan: [00:06:53] So Steam is a company - or actually, a product, rather - a storefront from a company called Valve. And Valve is the game company that came up with the fantastic game Half-Life.
Dave Bittner: [00:07:02] OK.
Joe Carrigan: [00:07:03] And a couple of years ago - many years ago - they said, we're going to have a Steam game client where you can go out into our store, and you can buy the games. This is how Valve decided they were going to reduce piracy of their games, is that now, in order to play the game, you'd have to have a Steam account, and that would validate your copy of the game. But the flip side for the customer is, it's really, really convenient. So every time I rebuild my computer, which has happened a number of times since I've been a Steam customer, all I have to do is install the Steam client, log in, and there are all my games. They're right there.
Dave Bittner: [00:07:32] So it's kind of - it's single sign-on for your games.
Joe Carrigan: [00:07:34] Exactly.
Dave Bittner: [00:07:35] OK.
Joe Carrigan: [00:07:35] And it's great. Now, I'm not a hardcore gamer. I only have about 40 games that I've purchased over the past seven to 10 years, and I don't play all of them. There are a few that I play more than anything else. But Steam has two features that I don't use very much but a lot of people do use.
Dave Bittner: [00:07:50] OK.
Joe Carrigan: [00:07:51] And the first feature is, they have a social platform feature. And this lets you have friends and send your friends messages. So I can see when my friends are playing, like, maybe Counterstrike, or something, and maybe get in and play with my friends. It's a great...
Dave Bittner: [00:08:04] I see.
Joe Carrigan: [00:08:04] ...Great feature. I can also receive messages. We can coordinate times, and do that. But then they have this other capability, called, the Steam Inventory. And I had to look this up because I don't use this feature of Steam. But, from the Steam site, without a game server, the game client can communicate directly to the Steam service to retrieve users' inventory contents, consume and exchange items, and receive new items granted as an effective play time. Here's the key - users can also purchase items directly from the items store or trade and exchange markets in the Steam community. So users can trade and exchange game items in their Steam inventory.
Dave Bittner: [00:08:43] So let's say I'm playing some game where there's a highly coveted gun...
Joe Carrigan: [00:08:48] Right.
Dave Bittner: [00:08:48] ...Or something like that. And I have acquired that. I could sell that to you?
Joe Carrigan: [00:08:53] Yep. And I might actually pay you real money for that.
Dave Bittner: [00:08:56] OK.
Joe Carrigan: [00:08:56] Now, I will never pay you real money for that because I just don't see the value in this. I don't see why you would trade items like this. It does not appeal to me as a gamer. It seems kind of like cheating, and I want to play the game and enjoy the experience. Right?
Dave Bittner: [00:09:08] Yeah.
Joe Carrigan: [00:09:09] But other people will do this, and that's fine.
Dave Bittner: [00:09:11] Sure.
Joe Carrigan: [00:09:11] I don't have a problem with that. But now that we have the background information, Lawrence Abrams over at Bleeping Computer has this story on this scam. And we'll put a link in the show notes. But here's how it works. It starts with the victim getting a message on that social platform.
Dave Bittner: [00:09:24] Right.
Joe Carrigan: [00:09:25] And it says, there's somebody giving away free games, here's the link. And the link is steamsafe[.]fun. That's the URL. Right? And that's actually the URL you go to. So if the user clicks on this link, that webpage finds a malicious server that's in its network that's up because these malicious servers are constantly getting taken down. But this steamsafe[.]fun probably doesn't do any malicious activity other than routing the users. So it's still up. It's still a good domain. But if you click on that, you wind up at a webpage that kind of looks like Steam but says - it's, like, birthday codes, or something - but it says in the middle of the page, try your luck, spin to see if you win a free game. And then it even says below that, you can only spin once a day. Right?
Dave Bittner: [00:10:07] Mmm hmm.
Joe Carrigan: [00:10:07] So they create the illusion of scarcity.
Dave Bittner: [00:10:09] Mmm.
Joe Carrigan: [00:10:10] If you spin, you win.
Dave Bittner: [00:10:12] Right.
Joe Carrigan: [00:10:12] It picks a game that says, here, you win. And it shows you something like a game unlock key, a code that you have to enter to unlock the game. And it says, hey, you won. Why don't you go to Steam to collect your winnings? And then it presents you with a login page. Now, the login page is, of course, fake.
Dave Bittner: [00:10:27] But it looks just like Steam's?
Joe Carrigan: [00:10:28] It looks exactly like Steam. Lawrence has these pictures in here, and I've used Steam, you know, of course. I've talked about that. But it looks the same. Not only that, but if you have two-factor authentication set up on this, it will prompt you for the two-factor code that it either mailed you or that is on your phone. Right? So it circumvents the two-factor authentication through social engineering.
Dave Bittner: [00:10:53] Right.
Joe Carrigan: [00:10:53] Really good web impersonation.
Dave Bittner: [00:10:55] So what happens then? They take all your stuff?
Joe Carrigan: [00:10:57] Well, what they do is, they log into your account, they immediately change your password. They change your email address. They change your phone number. And now you're effectively locked out of your account. It's been stolen. Now, if this happens to you, thankfully, you can open what's called an account recovery support ticket with Steam and you can get your account back with your games and everything.
Joe Carrigan: [00:11:18] However, if the attackers go into your inventory and then they trade away or give away the stuff that's in your inventory, that stuff is gone, and Steam will not replace it. Their policy is, we're not going to replace items that have been traded away because we don't really know if these items have been traded away, or if you actually gave them away or this is some kind of ruse. So we really can't just create new items and give you these items because that actually lowers the value of these items. So imagine a scenario where you say, here, Joe, take this gun that you were talking about. And I take the gun, and then I give it to somebody else, who then gives it back to you. Right?
Dave Bittner: [00:11:53] Mmm hmm.
Joe Carrigan: [00:11:53] And then I claim, hey, my gun was stolen. And then Steam says, well, here's another gun. Right? So now you and I both have the gun.
Dave Bittner: [00:12:00] Right.
Joe Carrigan: [00:12:00] Well, Steam doesn't let that happen. Valve, who owns Steam, says, that's against our policies. If you lose the gun, the gun is gone.
Dave Bittner: [00:12:06] Yeah, seems reasonable.
Joe Carrigan: [00:12:06] Now, these things all have - yeah, it does seem reasonable. These all have monetary value. And I think that's how these scammers are monetizing this scam. But they're targeting gamers, of which I am one. I take it personally.
Dave Bittner: [00:12:19] Joe, it is time to move on to our Catch of the Day.
0:12:22:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:12:25] Joe, our Catch of the Day this week comes from a listener named Melhem (ph). I think I'm pronouncing that right. I apologize in advance if I have not. Melhem writes, hello, I'm a fan of your podcast, the CyberWire and "Hacking Humans." Attached is a phishing email I received recently. Two things I noticed - it's written in good English, and the Google filters are so smart to flag it as a spam, although it contains no links, which is kind of interesting.
Joe Carrigan: [00:12:52] It is.
Dave Bittner: [00:12:52] The top of the message here that Melhem sent along, it says this message seems dangerous. So it's a standard Google warning that you get in Gmail saying, beware.
Joe Carrigan: [00:13:02] Right.
Dave Bittner: [00:13:02] We're flagging this, that it's probably up to no good.
Joe Carrigan: [00:13:05] Yep.
Dave Bittner: [00:13:05] And it is in very good, better-than-average English from what we get with these.
Joe Carrigan: [00:13:11] Right.
Dave Bittner: [00:13:11] So it goes like this - hello there. I got your contact from an online directory, and I have a proposition that may be of interest to you. I have a friend whose father is a former minister in the South African government. During the period when her father was a minister, her dad used his office to amass lots of wealth through kickbacks from oil and aviation contracts. He's currently facing problems with the current administration, and all of his assets have been seized locally. He's also been restricted from travelling abroad. Fortunately for him, he has a high-value asset in Europe that has not been seized yet, and he wants this asset moved and secured ASAP. He prefers for it to be invested into projects that can yield high returns.
Dave Bittner: [00:13:52] His daughter, who is my friend, has asked me to help her look for a reputable businessman who can accommodate and invest this fund discreetly on behalf of the family. I am contacting you on the basis that you would be willing to help us. Of course, you will also be generously rewarded for your efforts, so it will be definitely worthy of your time. Please let me know if you are interested so that I can give you more details. Regards, Robert Matare (ph). Yeah.
Joe Carrigan: [00:14:17] What do you think the endgame is here, Dave?
Dave Bittner: [00:14:19] I think it's the - called the treasure box scam.
Joe Carrigan: [00:14:22] Yeah.
Dave Bittner: [00:14:23] It's a variation of that. This one pops up a lot. Someone has some money they need to move, and they need your help moving it.
Joe Carrigan: [00:14:30] Right.
Dave Bittner: [00:14:31] And there is no money, of course. You have to pay - who knows. I think this is the first step of just seeing if we got a live one.
Joe Carrigan: [00:14:39] Right. Yep.
Dave Bittner: [00:14:40] Just reach - you know, if you - if they get a response...
Joe Carrigan: [00:14:42] Yeah, then...
Dave Bittner: [00:14:43] ...Who knows where this will go?
Joe Carrigan: [00:14:44] Right. That is definitely the case - almost certain. First off, there's no links in here for anything else to happen. They're looking for you to reply, and then they're yelling phish on, right?
Dave Bittner: [00:14:52] Yeah. It's remarkable to me - several things about this. They say, I got your contact from an online directory. That's random.
Joe Carrigan: [00:14:58] Right.
Dave Bittner: [00:14:58] So they didn't really reach out to me.
Joe Carrigan: [00:15:00] Right.
Dave Bittner: [00:15:01] I mean, OK (laughter).
Joe Carrigan: [00:15:02] They spun the wheel, and I won.
Dave Bittner: [00:15:03] I guess. But then also, talking about this dad who used his office to amass lots of wealth through kickbacks.
Joe Carrigan: [00:15:10] Right.
Dave Bittner: [00:15:10] So he's a crook, yeah (laughter).
Joe Carrigan: [00:15:11] So you want to help a crooked government official hide his money?
Dave Bittner: [00:15:14] Exactly. Right. Again, playing on people's greed.
Joe Carrigan: [00:15:17] Yes.
Dave Bittner: [00:15:17] As we've talked about before, maybe that's part of it, and maybe that's part of the filtering process.
Joe Carrigan: [00:15:21] Right.
Dave Bittner: [00:15:21] That they're looking for someone who's willing to - who has that moral flexibility to go along with some people who've already announced that they're crooks.
Joe Carrigan: [00:15:30] Right. They're greedy, and they're looking for someone who's greedy and gullible.
Dave Bittner: [00:15:34] All right. Well, that is our Catch of the Day. Coming up next, we are joined by Ray [REDACTED]. That is the name he goes by online. And he's going to tell us all about SIM hijacking and share what he knows about ways to protect yourself from that.
Dave Bittner: [00:15:48] But first, a word from our sponsors at KnowBe4. And what about the biggest, tastiest piece of phish bait out there? If you said, A, my late husband wished to share his oil fortune with you, you've just swallowed a Nigerian prince scam. But most people don't. If you chose door B, please read important message from HR. Well, you're getting warmer, but that one was only No. 10 on the list. But pat yourself on the back if you picked C, a delivery attempt was made. That one, according to the experts at KnowBe4, was the No. 1 come-on for spam email in the first quarter of 2018. What's that? You picked D, take me to your leader? No, sorry. That's what space aliens say. But it's unlikely you'll need that one unless you're doing "The Day the Earth Stood Still" at a local dinner theater. If you want to stay on top of phishing's twists and turns, the new-school security awareness training from our sponsors at KnowBe4 can help. That's knowbe4.com/phishtest.
Dave Bittner: [00:16:58] And we are back. Joe, I recently had the pleasure of speaking once again with Ray [REDACTED]. That's the name he goes by online. It's a very popular Twitter account. You - it's worth checking out. And he is very well known in the cybersecurity world as a researcher, a consultant - works with many companies around the world. But today we're talking to him about SIM hijacking and getting his take on that. Here's my conversation with Ray [REDACTED].
Ray [REDACTED]: [00:17:24] SIM hijacking, or sometimes called SIM swapping, refers to a type of social engineering attack where an adversary convinces a carrier to port your telephone number to their SIM so that they can then impersonate you for other purposes. In many, many cases, adversaries have figured out that if they can grab control of your cellular communications, specifically your SMS - that short messaging service on your cellular provider - in many cases, that's used for password resets on services such as Gmail and Hotmail in order to pretend like they lost their password and they want that reset.
Dave Bittner: [00:18:01] And this is something where I can't just go out and copy a SIM on my own like I can copy a file on an SD card, or something like that. They're more sophisticated than that.
Ray [REDACTED]: [00:18:12] When people use the term SIM hacking, when they actually say SIM hacking, sometimes, erroneously, they use that term to refer to SIM hijacking because SIM hijacking is not cloning your actual SIM. It's actually convincing your cellular provider to port your phone number to a new or different SIM. So it is a social engineering-based attack, and it ultimately usually involves someone either going into a store to pretend they're Dave Bittner, or perhaps calling into a contact center pretending that they're you and convincing the carrier, I've lost my cellphone, I have a different cellphone or a different SIM now, can you port my number to this new one?
Dave Bittner: [00:18:48] They're fairly successful at this. They've come up with ways that they can do this reliably?
Ray [REDACTED]: [00:18:53] Well, in North America, it's quite rampant. I mean, interestingly enough, we don't see this problem nearly as much in Europe because the process of porting takes several days. But in North America, our cellular porting procedures are relatively efficient, so it becomes an attack surface that's, you know, relatively common.
Dave Bittner: [00:19:12] Now, how did this come to your attention? How did you get involved in doing research on this?
Ray [REDACTED]: [00:19:17] Well, you know, Dave, I actually kind of come from two different worlds in the cybersecurity realm. My day job, basically, is helping companies connect and protect their data all over the world, specifically multinational corporations. But I also do a lot of speaking and research in the crypto asset community. That's the cryptocurrency world, the bitcoin world, et cetera.
Ray [REDACTED]: [00:19:37] And what's kind of interesting about the overlap of those two is that in the crypto asset world, this is an extremely common spear-phishing type of an attack, meaning, if someone knows that someone holds crypto assets - for example, if they're constantly talking about it on Twitter or if they've got a podcast about it - it's very, very common for them to become a target for SIM hijacking because ultimately the goal of the attacker is to get ahold of those bitcoins or get ahold of those crypto assets. It's a lot harder for the victim to recover financial losses when there's been this type of an attack propagated on them.
Dave Bittner: [00:20:14] Can you give us some firsthand examples?
Ray [REDACTED]: [00:20:16] First and foremost, you know, I think you've had Rachel Tobac on your show quite often. And one of the big pieces of advice that she gives is that if you really want to learn about social engineering, periodically try to social engineer your own accounts. Like, call your gas company. See how hard it is for them to give you up, you know, the data about yourself, you know, without giving them, necessarily, a lot of information. And I actually do that myself every year, on several different cellular providers, and I'm always surprised at how easy it is to get a new SIM assigned. The cellular providers in North America have procedures to prevent this, and they have some things that you can do to make it more difficult. But it's typically not very difficult to get somebody else to take sympathy on you, so to speak, and to try to help you out with this.
Ray [REDACTED]: [00:20:59] If you think about the normal, you know, mechanism that somebody has lost their cellphone, I mean, it is a state of complete panic, usually, if you've lost your phone before because our lives are so connected to it. And so when they're contacting a cellular provider and saying, I lost my cellphone, you know, I can't get ahold of anybody, I can't do anything, et cetera, that's a moment of desperation. And most people in contact centers are there to try to relieve that desperation. So it is surprisingly easy to get a port done over the phone, or especially in person, with even the most minimal amount of identification.
Dave Bittner: [00:21:32] Now, who's being targeted here? If I'm a, you know, just your average Joe out and about, minding my own business, going about my life, am I likely to have someone come after me in this way?
Ray [REDACTED]: [00:21:44] Well, there certainly are cases of that. And I know that back in Episode 51, you and Joe were talking about this Google report that talked about how SMS two-factor authentication, you know, thwarted over 90% of the automated attacks on trying to grab ahold of accounts.
Ray [REDACTED]: [00:22:00] But in my experience, and in the real world, if someone knows that you are a Gmail user or a Hotmail user and they have some basic information about you - probably via OSINT, or open source intelligence, they've gathered on LinkedIn or wherever else - it is very possible that they will attempt an attack like this because they know that there's a good chance that having your SIM ported to them will allow them to do a reset on your master mail account. And for many people, that's where they keep their banking credentials. That's where they keep their, you know, certainly crypto asset credentials and just about everything else.
Ray [REDACTED]: [00:22:36] It's that if I have access to your Gmail, I might have access to password resets for a ton of accounts, some of which you may not even know. And it's actually somewhat worse because a lot of people will use Chrome as their password manager. And if you have access to someone's master Gmail account or their master Google account, in some cases, you also have access to all of their Chrome passwords, as well.
Dave Bittner: [00:22:59] So what are your recommendations for protecting yourself against this?
Ray [REDACTED]: [00:23:03] Well, so first and foremost, I mean, I know there's been a raging debate in the infosec community about, is SMS multi-factor authentication better than nothing? And I'll tell you definitively, 100%, it's absolutely better than nothing. There's no reason to abandon any type of multi-factor out there. However, you do want to think about, is there a way to protect myself on my main Gmail account, for example, from somebody that has access to my phone or to my SIM from being able to do resets? And there are several steps that you can take in order to do that. One of the more obscure tricks that a lot of folks do is they really don't use their primary cellphone number for those resets. You can get a Google Voice number for free. You could get a TextNow account for either free or very minimal and use that only for those SMS resets.
Ray [REDACTED]: [00:23:55] But the idea is, is you want to separate it so that there's more steps necessary before somebody gets access to your full account. OK. Another one is, obviously, is using a password manager. I know you have recommended that for a very, very long time. I would go further than that and say do not use your browser as your password manager because if your browser is synced to a cloud service, then once they get access to that cloud service, they may have access to all your passwords.
Dave Bittner: [00:24:21] Now, is there a way that I could call up my cellular provider and say, basically, you know, I want to put some sort of two-factor on my SIM itself?
Ray [REDACTED]: [00:24:29] Absolutely. So there are different means that every carrier provides. And some of these are a little bit confusing because, for example, you can put a PIN on your SIM itself, which locks that SIM from being accessed by somebody who has physical access to it. But that's not the same as putting a PIN on the porting of that SIM. So, basically, you're putting a password on the disc itself but not on the data that, you know, could be accessed via that disc.
Ray [REDACTED]: [00:24:59] But in addition, all four of the major carriers in North America have different procedures for you to provide a secondary layer of porting protection in order to prevent this type of service from happening. The problem with that is - and it sounds perfect, right? I'll put a totally different PIN, you know, for porting purposes. The problem is is that in that state of panic, so many people forget that they even put a PIN on their porting that in my experience it may be something that can be overridden with some basic social engineering. So you should absolutely do that because it makes it more difficult for an adversary to actually port you away.
Ray [REDACTED]: [00:25:37] You can also add notes to your account that I do not want my SIM ported without showing you my passport or my state driver's license, for example, rather than a water bill or, God forbid, a yearbook photo or something like that. You can put notes in there, too. But at the end of the day, the real answer to preventing this type of an attack is to separate your primary password managers and your email accounts from simple SMS resets. In addition to that, I will tell you that some of the folks out there are still using knowledge-based authentication, which is, what was the name of your high school? What street did you grow up on? And as I know we've covered many, many times on this podcast, that just simply is not a good layer of security because most of that stuff is readily accessible, you know, for someone who knows how to use Google.
Dave Bittner: [00:26:22] I guess in addition to making your SIM as secure as possible, you want to make it so that if someone does do a SIM swap on you, it's really not going to have that much effect.
Ray [REDACTED]: [00:26:32] Correct. And you would know it relatively quickly because suddenly your phone would start acting weird. You might start getting emails that say password resets have happened. You might even be locked out of your email itself, right? But at the end of the day, if you know for a fact that somebody who does have access to your primary cellphone number porting doesn't have access to the vast amounts of data that you don't want them to get to, it's a lot easier to mitigate the damage and to respond.
Dave Bittner: [00:26:57] Is there any reason why people shouldn't move away from SMS as a second authenticator? Should we move towards things like Google Authenticator or YubiKey, those sorts of things?
Ray [REDACTED]: [00:27:07] Well, certainly, you know, one of the reasons why so many of us no longer refer to it as two-factor authentication is because multi-factor authentication in many cases is a much better descriptor for not just using two-factors but using multi-factors. For example, you know, with Gmail, you know, you can set up your Gmail so that it only asks you for that YubiKey if it looks like you're coming from an unknown IP address, right? You can also use OTP-based programs such as Authy or Google Authenticator. And they're certainly better than simply using SMS. SMS was never really designed to be a secure protocol that everything would hinge upon. But, again, the point is not to scare people out of using multi-factor at all; instead to say there may be more intelligent ways to do it.
Dave Bittner: [00:27:50] Joe, what do you think? Lots of good information.
Joe Carrigan: [00:27:52] Everything Ray was talking about was one of the reasons that we say SMS is the least secure form of two-factor or multi-factor authentication.
Dave Bittner: [00:28:00] But way better than nothing.
Joe Carrigan: [00:28:01] Way better than nothing. Right. It was never intended to be a secure means of communication.
Dave Bittner: [00:28:04] Interesting how, you know, much of it hinges on social engineering, that ability to play on the sympathy of the person at the support center...
Joe Carrigan: [00:28:16] Correct. Yeah.
Dave Bittner: [00:28:17] ...To switch that over.
Joe Carrigan: [00:28:18] And that's how this works. You call them up in a panic or maybe you play babies crying in the background and you say, I can't get things to work. People want to help. That's what we've talked about on this show before is that people, by their nature, are good, and they want to help. That, in effect, lets people take advantage of that situation. And you wind up with this social engineering attack that can absolutely destroy your security. I find it interesting that people who have cryptocurrency and talk about it - I mean, first off, if I had cryptocurrency, I wouldn't talk about it online.
Dave Bittner: [00:28:44] Yeah. But I guess if you run "Joe's Cryptocurrency Podcast..."
Joe Carrigan: [00:28:47] Right. Exactly. Then Joe's going to become a target.
Dave Bittner: [00:28:50] Yeah.
Joe Carrigan: [00:28:50] And, again, knowledge-based authentication is pretty much no good at all because if you do enough research, you do a people search on me, you'll find the street that I grew up on.
Dave Bittner: [00:28:59] Our thanks to Ray [REDACTED] for joining us; always a pleasure to speak with him. Do check him out online. He's got a very active Twitter account, does a lot of good things for the security community. And that is our show.
Dave Bittner: [00:29:12] Of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:29:35] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where their co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:54] And I'm Joe Carrigan.
Dave Bittner: [00:29:55] Thanks for listening.