SIM hijacking — or SIM swapping — is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take over other accounts of yours. Sometimes this involves people inside the phone companies.
Phone companies have added security measures since this attack became popular and public, but a new study (news article) shows that the measures aren’t helping:
We examined the authentication procedures used by five pre-paid wireless carriers when a customer attempted to change their SIM card. These procedures are an important line of defense against attackers who seek to hijack victims’ phone numbers by posing as the victim and calling the carrier to request that service be transferred to a SIM card the attacker possesses. We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers.We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed.
It’s a classic security vs. usability trade-off. The phone companies want to provide easy customer service for their legitimate customers, and that system is what’s being exploited by the SIM hijackers. Companies could make the fraud harder, but it would necessarily also make it harder for legitimate customers to modify their accounts.
Powered by WPeMatico
infossl
January 21, 2020
academicpapers, authentication, cellphones, fraud, Security technology, simcards, smartphones, usability
Read more >
A malicious Chrome extension surreptitiously steals Ethereum keys and passwords:
According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk.
Denley says that the extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk.
Second, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. This code steals login credentials and private keys, data that it’s sent to the same erc20wallet[.]tk third-party website.
Another example of how blockchain requires many single points of trust in order to be secure.
Powered by WPeMatico
infossl
January 3, 2020
blockchain, chrome, cryptocurrency, fraud, keys, passwords, Security technology, theft
Read more >
The New Yorker has published the long and interesting story of the cybersecurity firm Tiversa.
Watching “60 Minutes,” Boback saw a remarkable new business angle. Here was a multibillion-dollar industry with a near-existential problem and no clear solution. He did not know it then, but, as he turned the opportunity over in his mind, he was setting in motion a sequence of events that would earn him millions of dollars, friendships with business élites, prime-time media attention, and respect in Congress. It would also place him at the center of one of the strangest stories in the brief history of cybersecurity; he would be mired in lawsuits, countersuits, and counter-countersuits, which would gather into a vortex of litigation so ominous that one friend compared it to the Bermuda Triangle. He would be accused of fraud, of extortion, and of manipulating the federal government into harming companies that did not do business with him. Congress would investigate him. So would the F.B.I.
Powered by WPeMatico
infossl
December 3, 2019
courts, cybersecurity, fbi, fraud, ftc, Security technology
Read more >
This is a fascinating article about a bait-and-switch Airbnb fraud. The article focuses on one particular group of scammers and how they operate, using the fact that Airbnb as a company doesn’t do much to combat fraud on its platform. But I am more interested in how the fraudsters essentially hacked the complex sociotechnical system that is Airbnb.
The whole article is worth reading.
Powered by WPeMatico
infossl
November 6, 2019
fraud, hotels, Security technology
Read more >
This article discusses an e-commerce fraud technique in the UK. Because the Royal Mail only tracks packages to the postcode — and not to the address – it’s possible to commit a variety of different frauds. Tracking systems that rely on signature are not similarly vulnerable.
Powered by WPeMatico
infossl
September 25, 2019
fraud, mail, Security technology, tracking
Read more >
This seems to be an identity theft first:
Criminals used artificial intelligence-based software to impersonate a chief executive’s voice and demand a fraudulent transfer of €220,000 ($243,000) in March in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking.
Another news article.
Powered by WPeMatico
infossl
September 12, 2019
artificialintelligence, cybercrime, fraud, identitytheft, impersonation, Security technology
Read more >
Interesting analysis of the possibility, feasibility, and efficacy of deliberately fake scientific research, something I had previously speculated about.
Powered by WPeMatico
infossl
August 27, 2019
disinformation, fakenews, fraud, russia, Security technology
Read more >
Interesting article on people using banks of smartphones to commit ad fraud for profit.
No one knows how prevalent ad fraud is on the Internet. I believe it is surprisingly high — here’s an article that places losses between $6.5 and $19 billion annually — and something companies like Google and Facebook would prefer remain unresearched.
Powered by WPeMatico
infossl
August 6, 2019
facebook, fraud, google, Security technology, smartphones
Read more >
Reuters has a long article on the Chinese government APT attack called Cloud Hopper. It was much bigger than originally reported.
The hacking campaign, known as “Cloud Hopper,” was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM.
Yet the campaign ensnared at least six more major technology firms, touching five of the world’s 10 biggest tech service providers.
Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. HPE spun-off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.
Waves of hacking victims emanate from those six plus HPE and IBM: their clients. Ericsson, which competes with Chinese firms in the strategically critical mobile telecoms business, is one. Others include travel reservation system Sabre, the American leader in managing plane bookings, and the largest shipbuilder for the U.S. Navy, Huntington Ingalls Industries, which builds America’s nuclear submarines at a Virginia shipyard.
Powered by WPeMatico
infossl
July 10, 2019
advancedpersistentthreats, china, fraud, hacking, ibm, intelligence, malware, Security technology, theft
Read more >
ProPublica is reporting on companies that pretend to recover data locked up by ransomware, but just secretly pay the hackers and then mark up the cost to the victims.
Powered by WPeMatico
infossl
July 8, 2019
fraud, hacking, ransomware, Security technology
Read more >
