Scammers aren't taking a virus holiday



Kev Williams
03-21-2020, 1:16 PM
Of course, scammers can work from home... :mad:

The wife has gotten several phone calls recently from "Apple", telling her that her Apple account(s) are compromised and being used to download and distribute porn, and for various other nefarious activities-- and they need her permission to access her phone, Apple and Google accounts in order to "fix the problem". Uh huh.

Fortunately she's not falling for that nonsense, but I have to wonder how many do?

---Personally--- this is exactly why I absolutely positively and emphatically REFUSE to "add my mobile account"- or the wife's- pertaining to ANY financial institutions or transactions whatsoever to ANY of our mobile phones. Likewise with "clouds". None of our financial info, and definitely no passwords are stored in our phones or on any cloud. The only stored passwords on our phones (that I'm aware of anyway) are the login numbers.

All saved passwords, banking, etc, is done via PC. If we need to know an account or loan balance, can't be done by phone.

Anyway, this 'your account is being used to distribute pornography' scam is a good one as far as getting some folks to drop their guard. Be aware...

Jim Becker
03-21-2020, 2:11 PM
So what are you using for two-factor authentication which a number of entities now pretty much require if you won't use your mobile phone? (that's actually secure as long as you have a pin code on your wireless phone number as it's rare ... although certainly possible ... for a carrier to screw up and allow a number transfer to someone wanting to steal the number to get into other accounts) I'm just curious about your thoughts about this and have no issue with your personal preference.

Mark Bolton
03-21-2020, 3:00 PM
Give these couple episodes a listen
https://gimletmedia.com/shows/reply-all/6nh3wk/102-long-distance

https://gimletmedia.com/shows/reply-all/49ho5a/130-the-snapchat-thief

Second one is pretty scary. Speaks to two factor authentication being basically useless.

glenn bradley
03-21-2020, 3:04 PM
Fortunately she's not falling for that nonsense, but I have to wonder how many do?

Many, many more than one would believe. This seemingly mindless behavior echoes back to the old Helpdesk Conversation joke ending in:

Helpdesk: "Do you still have the box your computer came in?"
User: "Yes."
Helpdesk: "Good. Box up your computer and return it because you are way too stupid to own a computer."

We have many folks who are now adults who have been raised that online access is some sort of right free of any personal responsibility. Surf carefully and have fun.

George Bokros
03-21-2020, 3:13 PM
So what are you using for two-factor authentication which a number of entities now pretty much require if you won't use your mobile phone? (that's actually secure as long as you have a pin code on your wireless phone number as it's rare ... although certainly possible ... for a carrier to screw up and allow a number transfer to someone wanting to steal the number to get into other accounts) I'm just curious about your thoughts about this and have no issue with your personal preference.

Jim, are you referring to having a pin to access your phone even to answer a call?

Jim Becker
03-21-2020, 3:44 PM
Jim, are you referring to having a pin to access your phone even to answer a call?

No. It's a PIN you put on your wireless account so that the phone numbers cannot be transferred out without the correct PIN being provided. Most of the folks who have their wireless numbers taken for two-factor hacks on financial accounts have it happen because their wireless account isn't secured from number porting.

For example, let's say you have your account with Carrier A. You decide to move your business to Carrier B because the price is better for the level of service you want and you're out of contractual obligation to stay with Carrier A. If there is a PIN on porting for your account, you will be asked to provide that PIN before any action will be taken to allow your number to be ported. If you can't provide the pin, the number cannot be transferred. Without that PIN...it's gone. That's what thieves take advantage of. Bank account numbers are easy to come by and many folks don't have great passwords or use passwords too long. But most financial accounts are also secured with two-factor authentication these days and that generally involves sending a text to your wireless number if you want to do something like completely withdraw your funds and transfer them elsewhere. The text is automatic. So if the thief has your wireless number and your wireless number isn't secured at your carrier with a PIN, they first transfer the number to a burner SIM. Your phone stops working. By the time you've noticed it, your money is gone from your financial institution because the thief was able to get the two factor code while logging into your account with a compromised password and then transfer the money out. ALWAYS have your wireless account secured by a PIN for number portability!

Bruce Wrenn
03-21-2020, 3:59 PM
Lucky me, I still use a flip phone. It does everything I need, hello and good bye. Don't even have texting on it.

Jerome Stanek
03-21-2020, 5:35 PM
Many, many more than one would believe. This seemingly mindless behavior echoes back to the old Helpdesk Conversation joke ending in:

Helpdesk: "Do you still have the box your computer came in?"
User: "Yes."
Helpdesk: "Good. Box up your computer and return it because you are way too stupid to own a computer."

We have many folks who are now adults who have been raised that online access is some sort of right free of any personal responsibility. Surf carefully and have fun.

When I got my first PC computer that is exactly what the tech told me to do. I ended up doing that as the computer was defective. I ended up with a different brand that worked.

Kev Williams
03-21-2020, 8:39 PM
So what are you using for two-factor authentication which a number of entities now pretty much require if you won't use your mobile phone?
The only 2-factor authorizations I've run into are with my bank and credit union. Neither requires a mobile phone, their robot will just call me on my land line.

Here's my credit union's message, the bank's is pretty much the same--

Jim Becker
03-22-2020, 9:07 AM
Ah, yes...some systems do allow a voice call to a "landline" for folks who still have them.

George Bokros
03-22-2020, 9:24 AM
Some will send you an email also.

Jim Becker
03-22-2020, 12:55 PM
Some will send you an email also.
True, but email is potentially less secure than a phone call because it's easier to have a "monkey in the middle" compromise on security, not to mention so many folks have very poor password habits. I'm much more comfortable with two-factor that involves my wireless number.

Michael Weber
03-22-2020, 1:23 PM
Jim, is what you described a SIM attack? I read a story the other day about someone who noticed his phone wasn't working one day and ended up losing a million dollars. His life savings from an IRA. The story literally scared me to the point I'm tempted to remove all financial account information from my and my wife's phone. Would that solve the problem? I don't believe my carrier has any PIN code protection you mention.

Jim Becker
03-22-2020, 5:08 PM
Mike, the article was in fact about a mobile number take-over, although in that specific case, the carrier screwed up, too, according to the article. The person who got whacked likely wasn't without fault, too, because the bad person still needed to be able to log into the financial account which means the account name/password must have been compromised, too. If you are on a major carrier, you should be able to have a PIN placed to protect you from unauthorized porting of your number. I had that with ATT and have it now with T-Mobile. And to your specific question...without the two-factor authentication, if your login information for the financial account is compromised, then the nefarious person doesn't even need to do the mobile number takeover...they just take the money and run. The whole purpose for two-factor authentication (something you know ...UN/PW and something you have ... mobile phone in your possession) is to ensure that compromise of the former is backed up by something a person has to physically have present. Protect your wireless number/account and the latter works as intended. The one thing that would be more secure is a one-time password generator (many corporations use this) that is time synced where when you go to log in, you have to have a registered device in-hand to generate the code.

Michael Weber
03-22-2020, 8:16 PM
Thank you for the explanation Jim.

Mark Bolton
03-23-2020, 11:24 AM
Jim, is what you described a SIM attack? I read a story the other day about someone who noticed his phone wasn't working one day and ended up losing a million dollars. His life savings from an IRA. The story literally scared me to the point I'm tempted to remove all financial account information from my and my wife's phone. Would that solve the problem? I don't believe my carrier has any PIN code protection you mention.

Do yourself a favor and listen to those two podcasts I posted. The snapchat thief speaks specifically to the issue of someone's ability to SIM swap and potentially gain access to any and every login and password you have on your phone. The ironclad resolutions to protecting against this fully are mind-blowingly difficult like a different email and password for EVERY saved account, never linking your banking to your phone, and so on.

I recently swapped phones and used to have EVERYTHING on my phone. When I set up the new phone I purposely did not connect all the accounts and copy over everything to the new phone but kept the old phone, with no SIM, and have access to all the accounts, app logins and so on on the old phone (via wifi only). If anything like a SIM swap ever were to happen the critical accounts would not be accessible.

The scary part is large balance accounts that are not FDIC protected or protected by other means. Even with FDIC it's a nightmare but at least you'll get your funds back. The balances above 250k.. yeek.