Scammers aren't taking a virus holiday

**Kev Williams** · 03-21-2020, 1:16 PM

Of course, scammers can work from home...

The wife has gotten several phone calls recently from "Apple", telling her that her Apple account(s) are compromised and being used to download and distribute porn, and for various other nefarious activities-- and they need her permission to access her phone, Apple and Google accounts in order to "fix the problem". Uh huh.

Fortunately she's not falling for that nonsense, but I have to wonder how many do?

---Personally--- this is exactly why I absolutely positively and emphatically REFUSE to "add my mobile account"- or the wife's- pertaining to ANY financial institutions or transactions whatsoever to ANY of our mobile phones. Likewise with "clouds". None of our financial info, and definitely no passwords are stored in our phones or on any cloud. The only stored passwords on our phones (that I'm aware of anyway) are the login numbers.

All saved passwords, banking, etc, is done via PC. If we need to know an account or loan balance, can't be done by phone.

Anyway, this 'your account is being used to distribute pornography' scam is a good one as far as getting some folks to drop their guard. Be aware...

**Jim Becker** · 03-21-2020, 2:11 PM

So what are you using for two-factor authentication which a number of entities now pretty much require if you won't use your mobile phone? (that's actually secure as long as you have a pin code on your wireless phone number as it's rare ... although certainly possible ... for a carrier to screw up and allow a number transfer to someone wanting to steal the number to get into other accounts) I'm just curious about your thoughts about this and have no issue with your personal preference.

**Mark Bolton** · 03-21-2020, 3:00 PM

Give these couple episodes a listen
https://gimletmedia.com/shows/reply-...-long-distance

https://gimletmedia.com/shows/reply-...snapchat-thief

Second one is pretty scary. Speaks to two factor authentification being basically useless.

**glenn bradley** · 03-21-2020, 3:04 PM

Originally Posted by Kev Williams

Fortunately she's not falling for that nonsense, but I have to wonder how many do?

Many, many more than one would believe. This seemingly mindless behavior echos back to the old Helpdesk Conversation joke ending in:

Helpdesk: "Do you still have the box your computer came in?"
User: "Yes."
Helpdesk: "Good. Box up your computer and return it because you are way too stupid to own a computer."

We have many folks who are now adults who have been raised that online access is some sort of right free of any personal responsibility. Surf carefully and have fun.

**George Bokros** · 03-21-2020, 3:13 PM

Originally Posted by Jim Becker

So what are you using for two-factor authentication which a number of entities now pretty much require if you won't use your mobile phone? (that's actually secure as long as you have a pin code on your wireless phone number as it's rare ... although certainly possible ... for a carrier to screw up and allow a number transfer to someone wanting to steal the number to get into other accounts) I'm just curious about your thoughts about this and have no issue with your personal preference.

Jim are you referring to having a pin to access your phone even to answer a call?

**Jim Becker** · 03-21-2020, 3:44 PM

Originally Posted by George Bokros

Jim are you referring to having a pin to access your phone even to answer a call?

No. It's a PIN you put on your wireless account so that the phone numbers cannot be transferred out without the correct PIN being provided. Most of the folks who have their wireless numbers taken for two-factor hacks on financial accounts have it happen because their wireless account isn't secured from number porting.

For example, let's say you have your account with Carrier A. You decide to move your business to Carrier B because the price is better for the level of service you want and you're out of contractual obligation to stay with Carrier A. If there is a PIN on porting for your account, you will be asked to provide that PIN before any action will be taken to allow your number to be ported. If you can't provide the pin, the number cannot be transferred. Without that PIN...it's gone. That's what thieves take advantage of. Bank account numbers are easy to come by and many folks don't have great passwords or use passwords too long. But most financial accounts are also secured with two-factor authentication these days and that generally involves sending a text to your wireless number if you want to do something like completely withdraw your funds and transfer them elsewhere. The text is automatic. So if the thief has your wireless number and your wireless number isn't secured at your carrier with a PIN, they first transfer the number to a burner SIM. Your phone stops working. By the time you've noticed it, your money is gone from your financial institution because the thief was able to get the two factor code while logging into your account with a compromised password and then transfer the money out. ALWAYS have your wireless account secured by a PIN for number portability!

**Bruce Wrenn** · 03-21-2020, 3:59 PM

Lucky me, I still use a flip phone. It does everything I need, hello and good bye. Don't even have texting on it.

**Jerome Stanek** · 03-21-2020, 5:35 PM

Originally Posted by glenn bradley

Many, many more than one would believe. This seemingly mindless behavior echos back to the old Helpdesk Conversation joke ending in:

Helpdesk: "Do you still have the box your computer came in?"
User: "Yes."
Helpdesk: "Good. Box up your computer and return it because you are way too stupid to own a computer."

We have many folks who are now adults who have been raised that online access is some sort of right free of any personal responsibility. Surf carefully and have fun.

When I got my first PC computer that is exactly what the tech told me to do. I ended up doing that as the computer was defective. I ended up with a different brand that worked.

**Kev Williams** · 03-21-2020, 8:39 PM

Originally Posted by Jim Becker

So what are you using for two-factor authentication which a number of entities now pretty much require if you won't use your mobile phone?

The only 2-factor authorizations I've run into is with my bank and credit union. Neither requires a mobile phone, their robot will just call me on my land line.

Here's my credit union's message, the bank's is pretty much the same--

sac.jpg

**Jim Becker** · 03-22-2020, 9:07 AM

Ah, yes...some systems do allow a voice call to a "landline" for folks who still have them.

**George Bokros** · 03-22-2020, 9:24 AM

Some will send you an email also.

**Jim Becker** · 03-22-2020, 12:55 PM

Originally Posted by George Bokros

Some will send you an email also.

True, but email is potentially less secure than a phone call because it's easier to have a "monkey in the middle" compromise on security, not to mention so many folks have very poor password habits. I'm much more comfortable with two-factor that involves my wireless number.

**Michael Weber** · 03-22-2020, 1:23 PM

Jim, is what you discribed a SIM attack. I read a story the other day about someone who noticed his phone wasn't working one day and ended up losing a million dollars. His life savings from an IRA. The story literally scared me to the point I'm tempted to remove all financial account information from my and my wife's phone. Would that solve the problem? I don't believe my carrier has any PIN code protection you mention.

**Jim Becker** · 03-22-2020, 5:08 PM

Mike, the article was in fact about a mobile number take-over, although in that specific case, the carrier screwed up, too, according to the article. The person who got wacked likely wasn't without fault, too, because the bad person still needed to be able to log into the financial account which means the account name/password must have been compromised, too. If you are on a major carrier, should be able to have a PIN placed to protect you from unauthorized porting of your number. I had that with ATT and have it now with T-Mobile. And to your specific question...without the two-factor authentication, if your login information for the financial account is compromised, then the nefarious person doesn't even need to do the mobile number takeover...they just take the money and run. The whole purpose for two-factor authentication (something you know ...UN/PW and something you have ... mobile phone in your possession) is to insure that compromise of the former is backed up by something a person has to physically have present. Protect your wireless number/account and the latter works as intended. The one thing that would be more secure is a one-time password generator (many corporations use this) that is time synced where when you go to log in, you have to have a registered device in-hand to generate the code.

**Michael Weber** · 03-22-2020, 8:16 PM

Thank you for the explanation Jim.

Thread: Scammers aren't taking a virus holiday

Thread Tools

Rate This Thread

Display

Scammers aren't taking a virus holiday

Posting Permissions