Friday, September 15, 2017

I was a victim of the Equifax data breach - and then things got interesting


I was one of the victims of the recent Equifax data breach, which compromised my credit card numbers.  Someone tried to use one of them, but fortunately the transaction raised some security flags at the issuing bank, which contacted me to confirm the transaction was mine.  As soon as they knew it wasn't, they canceled my card and reissued it with a new number.  Needless to say, this was inconvenient and frustrating - and it put me on my guard.

A few days later, my cellphone carrier's customer service department left a voice message on my phone, thanking me for my call and wanting to know whether their customer service had been satisfactory.  Would I please return their call and complete a short survey?  That was all very well . . . except that I hadn't called them!  I immediately got hold of their local office, and asked them what was going on.  It turned out someone had called them, saying that they'd lost their (my) phone, and had bought a new device.  Would they please switch my phone number to the new device?  The caller wasn't able to provide the account PIN that I'd (fortunately) set up, so the representative to whom he spoke didn't comply with his request, instead advising him to call back when he could remember or locate the PIN.

I asked the local customer service people for more information.  It turns out that this is an increasingly popular fraud technique.  If scammers can get hold of your financial information (as they did mine), but find that every important account is protected by mobile phone two-factor authentication (as mine are), they'll try to switch your phone number to their device.  If they succeed, they can strip your assets in no time.  The New York Times reports:

In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.

Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.

. . .

A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission’s own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.

. . .

Mobile phone carriers have said they are taking steps to head off the attacks by making it possible to add more complex personal identification numbers, or PINs, to accounts, among other steps.

But these measures have not been enough to stop the spread and success of the culprits.

. . .

Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone.

But just a day later, he said, the attacker persuaded a different Verizon agent to change Mr. Pokornicky’s number without requiring the new PIN.

There's more at the link.

I've no idea why the fraudster(s) concerned would have tried to hack my phone account in that way.  I'm no financial fat-cat with lots of money in the bank.  It may be linked to the hacking of my credit card account;  that particular card had a relatively high credit limit, so the hacker(s) may have wanted to use it to buy something expensive.  At any rate, the fact that I'd set up a PIN on my phone account prevented them from having the number transferred - this time, at least.  I've added a security note to my file with the service provider, asking them not to permit any remote request to transfer the number to a new device.  That may be inconvenient for me in the event of an emergency, but I hope it'll add another layer of security to my arrangements.

Karl Denninger waxes vitriolic at the phone companies for allowing this to continue.

See, it typically doesn't take one such attempt, because most [cellphone company] agents will follow protocol and refuse without you in some way verifying who you actually are -- such as by using a PIN number you put on the account, and which the thief doesn't know.

So why is it that these guys get dozens or even hundreds of bites at the apple?

See, that's the problem, and it's an intentional problem.  In other words the cell companies could trivially log the number of bad attempts -- when you call into the company asking them to do something and don't know the password their call management software could increment a counter and after some reasonable number of failed tries in some period of time, say three, it would then require you to go to a physical store and present positive identification.

. . .

One or two wrong responses is one thing -- yes, people forget, or they use a couple of different PINs and they get the wrong one the first or second time.

Thirteen times?  No, that's quite obviously attempted fraud and not only did Verizon not lock his account against those repeated attempts after a rational number of failures to authenticate they didn't call him either nor did they follow their own rules despite being warned in advance that his account was under attack!

There's utterly no reason to allow this sort of horse**** to go on, but just like all the other scams of the day utterly nobody at the telcos will be held accountable for what amounts to being an accessory before the fact to grand theft ... Firms that intentionally ignore repeated hack attacks on a customer's account and not only fail to stop them they also fail to notify the customer that they're under attack need to be held financially and criminally responsible for the harm that ensues.

Again, more at the link.  It's hard to disagree with him.

Friends, the Equifax data breach is very serious indeed - but it's only the latest in a long series of such breaches.  Our personal and financial information is no longer secure, and we need to take strong measures to protect ourselves as best we can.  I urge you to use Equifax's inquiry Web page to find out whether your information was compromised, and if so, to make use of the free credit monitoring service Equifax is offering to all affected consumers.  Also, I strongly suggest that you use two-factor authentication on all your financial accounts, and contact your cellphone service provider to ensure that you've implemented all the security measures available to you, to prevent this sort of thing happening to you.

Peter

14 comments:

Irish said...

Thanks for the info Peter. I have also signed up for monitoring.

Did you see the info about the woman that was in charge of security?

This is going to get interesting:

https://www.hollywoodlanews.com/equifax-chief-security-officer/

Things are getting scrubbed off the internet as the days go by.

Check out her credentials.

Anonymous said...

At this point I don't think I'd use Equifax for anything; do you really think their monitoring will be any better than their security? And, as the following link suggests, SSNs and other identifying info don't change, and thieves only have to wait a year to start using them (assuming Equifax's monitoring actually works.) The fact that Equifax waited at least 6 weeks to divulge critical information it is said to have already known is enough to lose my trust for the foreseeable future.

https://www.bloomberg.com/view/articles/2017-09-11/equifax-bungles-the-details-over-and-over-again

Blocking your credit info through all 3 credit reporting agencies is probably a better way to go. You can find detailed instructions for all 3 at Clark Howard's website:

http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/

Good luck,

Goatroper

Anonymous said...

I have been told that buried in the agreement with Equifax is a section giving up the right to sue them for damages.

Bibliotheca Servare said...

Yep. They (presumably in an attempt to lower their risk of being lynched) recently added a section that allows you to decline that part of the contract...but only if you send a physical letter within the first *30 days* after applying for the year of "free" (automatically renewed at full price, unless you deliberately opt out...because they care, don'tcha know? /sarcasm) protection. Email is not an option. This fellow has a pretty good summary of the whole issue: (starts at 3:02 into the vid, you can skip to there...oh, and he talks pretty fast [per my parents...I didn't notice, heh] but there are links to his sources in the description box)
https://youtu.be/aS6z0bEpVpM

DaveS said...

Perhaps very similar to the information posted above by Anonynous, here's a very good article about credit freezes and why credit monitoring is rather ineffectual. https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

Borepatch said...

+100 on DaveS.

I won't say that Credit Monitoring is useless, but it isn't very helpful. You should put a freeze on your credit, which will stop those attacks.

Jonathan H said...

I notice that all of your references to getting control of phone numbers are for the Big 4 phone companies; is it only happening there, or is it also happening at smaller operators?
I used to be on Verizon and am now with a smaller operator - I've found their phone service VERY difficult to use and rather time consuming; I wonder if that is why they are focusing on large companies with easier-to-get-to-a-person-to-fool systems.
Additionally, I have been dismayed by the number of people who post personal contact info online, mostly on social media, but also on blogs, LinkedIn, and other publicly accessible sites - given that type of info, control of a phone number (and knowing who it belongs to in the first place) is more useful than somebody whose info is harder to find (like mine is).

Aargh, the days we live in ...

Jeff Weimer said...

I was affected by the OPM data breach a few years ago, and have credit monitoring *gratis* as a result.

I haven't had anything pop up from the Equifax breach yet, although I'm likely affected. Perhaps that's because I don't have much overhead on my credit accounts. I'm not proud of getting so far in debt, but I'm working my way out.

Anonymous said...

I checked and Equifax said my info was possibly exposed. If they try to open any accounts with my info the company is gonna die laughing once they see my credit score.

Not my first rodeo with ID theft. I had my SSN and info stolen back in the very early 90s when it was pretty unheard of. Navigated that mess pre-internet which was lots of sending registered letters, trips to notaries, police reports locally and across the country and hours on the phone. Since then I've had to change debit cards that were breached once a year at least.

In dealing with my own situation and assisting many others it's clear that the CC and other parties aren't interested in ending the fraud. On multiple occasions I gave CC companies and relevant LE agencies all the pertinent info to go make a case against the perpetrators and they just had no interest in pursuing the case. I'd done the actual investigative leg work and had names, addresses, point where the breach occurred, places where merch was sent etc but the police, prosecutors and companies weren't interested. At all.

Steve Sky said...

1) The problem with using the Equifax web verification site is that it gives random results, or reports you're exposed if you enter a random number like '123456'.
link

2) As other people have noted, by signing up with Equifax credit monitoring, you give up your right to sue, and agree to binding arbitration.
link

3) Security researcher Brian Krebs has several postings on this, and states that the best thing you can do to protect yourself is to "freeze" your credit & only "unfreeze" it when you require it for business. Doing this prevents the problem of "after the fact" notification when someone has used your ID in a fraudulent manner.

deb harvey said...

jeff weimer,
we are deep in also.. medicine...
trying to get out.
God bless you!

Post Alley Crackpot said...

You have a single phone number that's tied to everything?

What happened to defence in depth?

Here's how to do this with phones:
1. Use multiple phone numbers
2. Use voice over IP forwarding so you can direct incoming calls to any of them at any time
3. Use prepaid mobile services always -- buy a new prepaid SIM in every country when you travel
4. Never give anyone outside your most trusted circle your primary mobile number
5. Do not use SMS for two-factor authentication (read Borepatch for recent SS7 hacks in Germany)
6. Always call people outside your most trusted circle using voice over IP in a way that presents the calling party ID you want
7. Use a separate work number always and be vigilant about using it specifically for that purpose only
8. Implement advanced call filtering or simply route all calls from unknown callers to voicemail (or busy signals for known scammers)
9. Dump all unknown calls to your mobile phones without answering them
10. Have a voicemail greeting that contains no positive words, such as "yes" or "please", in order to minimise the risk of voice replay attacks with your own voice: "leave a message after the tone"
11. Have a backup phone and voice over IP setup nobody knows about, including your most trusted circle, that you can switch to during a full targeted identity compromise
12. Use tin foil hats (example in link) if you are concerned about scans of your phones that are offline

Putting it into practice:
1. Mobile phones: one primary, one spare, one backup, all with active cheap mobile service that doesn't expire or is relatively cheap to maintain over a year (e.g., T-Mobile USA, Petro-Canada Mobility, EE UK, etc.)
2. Voice over IP lines: one primary number, one work number, one number you give out only to financial institutions and another only to government institutions, plus any inward access (DISA) lines you need
3. Voicemail: voice over IP forwarding of voicemail to E-mail with a copy sent to an account nobody else knows about
4. The most trusted circle: they get the one primary number and the one active mobile, and that's all they get
5. Using voice over IP: use a service that only does prepaid billing so if your account gets hacked, they only get that money, and then get a softphone like Zoiper for Android and learn how to use it
6. Travel: when travelling, set up trip-specific numbers in those countries and then get rid of them when the trip is done
7. The general rule: if anyone new you meet needs a general purpose number to call you, give them the primary voice over IP number or a temporary number you have for that purpose, and establish trust over time

This makes it very easy to sort out who should be calling on a specific line -- vetting callers is one of the highest priorities.

I'll offer some specific advice in my next comment.

Post Alley Crackpot said...

Here's what to say to "wrong numbers" that are right numbers: "I'm sorry, there's nobody here by that name". You can always make up a sufficiently believable pretext if you make a mistake, and the default is that any would-be attacker simply doesn't get any farther with you.

As for what I do personally, I operate on the assumption that most call attempts now from unknown callers are some kind of effort to scam me or to extract information from me, and so I simply dump 95% of calls entirely. "Wrong numbers" are sometimes not wrong numbers, but are instead cloaked ways of getting you to reveal information about yourself.

For instance:
"I just got a call from 303-555-9191 which is your number ... who are you and why are you calling me?"

Use a CNAM lookup service: you may already be leaking calling party name (CNAM) ID information on any US numbers. These are usually cheap to use in small volumes and are cheaper yet in large volumes. Some even give out free trial accounts that are suitable for checking out your own numbers.

A would-be attacker could get some of your information and then try to fill in the gaps with CNAM. Having failed at this, the attacker simply calls you and fakes information about your having called him. The truth is that the landline and mobile operators have an accurate list of calls, even if the calls are not billed, and so there's nothing to defend against.

My favourite way of dealing with this:
"I don't know who the hell you are, you just called a fax number in a data center that has been unused for months."

And then promptly block this caller ... or if you've already been paying attention, you wouldn't have answered this call in the first place.

Otherwise, welcome to The Wonderful World of Op-Sec.

Unknown said...

This has become a common cold calling technique, to call and ask for [random name], and seamlessly flow into "well, maybe you can help me" followed by the pitch.

I believe it's mainly a way to limit legal exposure from violating do-not-call lists.

The first couple of times I encountered this, I was actually polite (firm about not providing my name, any words that could be taken as positive, or donating to their cause, but nice about it).
Now, I'm not.
Mostly, I don't answer.
But some have gotten really good at spoofing numbers, and there are a couple of switchboards that I get important information from on a regular basis. (Medical facilities are big believers in Op-Sec.)
In which case, I'll have fun with them if I have the time and am in the mood for it. (Impassioned rants about the dirty so-and-so they're supposedly calling are a favorite of mine. But playing slightly deaf and creatively mishearing what they say is also fun.) It's a lot more effective at getting the calls to stop than blocking spoofed numbers.