Phone Hack and Protection.

If you have a cell phone and use the internet; including social media platforms, and various other websites on a daily basis. Then you are susceptible to attacks from hackers or having your money stolen, having sensitive information exposed and being blackmailed.

With just your cell phone number and a little bit of what’s called “social engineering.” A maliciously intentioned person can break into most accounts(social media and many more) that your phone number is linked with.

And they have pretty much achieved that, stealing from people, blackmailing people with all sorts of sensitive information, taking over social media accounts of individuals or organizations and embarrassing their targets, or getting access to private documents such as tax returns and passport numbers.

They usually start by getting hold of some readily available information about you like your address, number, birthday or last four digits of your Social Security Number. This info readily at hand and an equally impressive convincing of the telco customer service reps; who would innocently gives them access to your account, and they go on to have your phone number forwarded to their phone or cloned to the hacker’s device.

Then the phone hijacker simply requests for a new password on your account and uses the phone number he has obtained access to, successfully reset your password by claiming “forgot the password”   and therefore you are locked out until they are done with your account. That easy!

I can describe several other ways that hackers have done this in recent months to holders of information of monetary value such as  cryptocurrencies like bitcoin and Ether, but this crime can be perpetrated on anyone, but especially on those who uses web services like Gmail, iCloud, Facebook, online banking, PayPal, Dropbox and e.t.c without the right level of protection.

As you can read in the news, the telcos are behind the curve in procedures on preventing phone hijackings, so you’ll have to take the responsibility of securing your cell number from the long-reaching hands of phone hackers.

Additionally, a large number of companies from financial institutions to email providers use this passcode-by-text security method, which is also no stranger to loopholes. Called two-factor authentication via SMS, it requires a password, which in authentication theory is one factor, something you know and sends a code to you via text message, with the phone being a second factor, something you have. You enter the code and gain access to your account.

But when your phone number is used for password recovery and reset, they don’t even need to enter the first factor to have the codes sent to them. With just one factor security  (the code), they create a new password for themselves and now can do whatever they please on your account.

The fact that your phone number is used for security but the telcos are not safeguarding them has opened up a large enough hole for hackers, who have so far made off with millions of dollars’ worth of cryptocurrency. But they could just as easily perpetrate these crimes against anyone with a cell phone which uses any of the above services.

Here are tips on how to protect your phone number and your web accounts such as your email, online financial institutions and more.

key steps to ensure Your Phone Number  is not  Hijacked

1. Institute a passcode on the account.

This is the first precaution. However, as it has become clear, that hacker could find a customer service rep who forgets to ask or lets other information such as address and last four of your Social slip, then your number is still susceptible. Add a passcode to your account, but don’t rest easy after that. It is helpful, but when dealing with a diligent hacker, just that is very unlikely to deter them.

2. Use a mobile-carrier-specific email address to access that account.

Up till now, most likely, your phone number and your email address have been the gateway to all your other accounts. You need to stop that sooner than later. If you follow several of the steps I outline in this story (unless you go with Google Voice), you’ll end up with at least three to four email addresses. That way if your primary email address gets compromised, it can’t be used to steal your phone number. And if your phone number gets hijacked somehow, it won’t endanger your email or any of the other sensitive accounts.

If you port your main number to Google Voice, you should still separate your main email address from that used for your other sensitive accounts, and hackers can't get into your other accounts even if one is compromised.

3. separate your online access from your wireless account.

Yes, this is annoying, as much as u can imagine, you’ll be forced to go into the store or call to make changes. But on the bright side, it is one less way a hijacker can creep into your account with.

4.  Also, you can reach out to your carrier service about an id verification process. Such as choosing what kind of verification process would be required to make changes on your account; id verification and

A hacker can still pretend to be you sadly, as the Federal Trade Commission chief technologist discovered when she had her number hijacked by someone with a fake ID using her name and the hacker’s photo. But, still, it'd prove one more issue to overcome.

5.  Use Google Voice.

At the moment, it appears you cannot institute a “port” freeze on your number at other carriers, at least according to the Federal Communications Commission. (The major telcos and other industry organizations declined interviews.)

The only service that I am aware of that enables a “port freeze” is Google Voice. (If you are aware of others, please let me know.) When you sign up for a Google Voice number, the default is that the number is “locked” to you, as described in this blog post by Jesse Powell, the chief executive officer of cryptocurrency exchange Kraken.

If you don’t want the hassle of changing phone numbers, you can forward your existing number (let’s say the last four digits are 1234) to Google Voice to receive calls and texts there. You’ll then have to sign up for a new line with your carrier for service, but you can mask your outgoing calls and texts to appear to be coming from the 1234 number. Just be sure not ever to give out or use the actual phone number that is on your wireless account and only to give out the 1234 number that is with Google Voice.

If you are a Google Fi subscriber and want to port to another carrier, the service requires you to notify it first, which then gives you a “port out” account number and password to provide to your new carrier. (I’m not sure what happens if a hijacker attempts to port it as "portings" are typically initiated at the new carrier, but have reached out to Google and will update when I find out.)

Steps to protect all your accounts

1. Create “high entropy” passwords.

Use a password manager that creates long and random passwords for you, or makea couple of rules for yourself that will guide you to create your own random passwords.

Brett McDowell, executive director of the FIDO (Fast Identity Online) Alliance, a group of 250 companies worldwide working on industry standards for stronger authentication, says, “Most people think ‘have a strong password’ means, choose a password that people can’t guess in the seven or eight attempts before you get logged out. No no no. That’s not the only reason.” If the company’s database gets hacked (which you should expect), even if the passwords in it are encrypted, the hacker will have unlimited tries to crack your password. “The encryption process that’s used is harder to crack if the original password has higher entropy, than when it does have less,” says McDowell.

A way to go about this, is if you’re not using a password manager, is to create a high-entropy password of random numbers, upper and lower case letters and special characters. then come up with a formular that will guide you while createing subsequent passcodes.

So it's important you come up with a solid password for your various website, or better still create a formula for setting passwords so that you will not forget them.

2. Adopt suitable answers for website security questions and avoid to use the same across all sites.

When hackers take a company’s database, they don’t just get the passwords. They also obtain the answers to security questions. Plus, as Chris Hadnagy, chief human hacker of Social-Engineer, pointed out in my article on the phone hijackings, they don’t even need to hack anything to get this information. You probably put a lot of it out on social media yourself.

However, if your answers differ slightly from site to site, that makes it harder for the hacker to get access to any other site. You could use a similar rule to the email one to create unique answers for each site.

3. Do NOT connect your main phone number, the one you protected via the steps above (unless it is managed by Google Voice), to any sensitive accounts.

If you’ve ported your main number to Google Voice and secured that email account, then this likely isn’t necessary since your number is pretty safe from being hijacked. However, if your main number is still at a telco and not managed by Google Voice, then you’ll want to divorce your phone number from all sensitive accounts completely.

Create a brand new Gmail email account. Do not connect it to any of your existing email accounts. (When signing up for a new Gmail, you don’t need to enter a phone number or current email, although there are fields for you to do so. Leave them blank.) Once you’ve created the new island-unto-itself email address, create a new Google Voice number. I would even select a random area code to secure it further.

Secure this email account with a long, high-entropy password and one of the two methods outlined below, a one-time passcode generator such as Google Authenticator or a FIDO security key.

Then, enter this phone number for any of your online banks or any other sensitive account such as Facebook, Twitter, Dropbox, Evernote, Slack, etc., that have you enter a phone number either for 2FA via SMS or password recovery.

That way, if your regular phone number is hijacked, the hacker can’t get into any of these accounts and reset the password. But you must secure that email address. Otherwise, that Google Voice number can be compromised, and then the whole point of this process becomes moot.

4. Use one-time passcode generating apps.

Passwords can easily be stolen through phishing attacks in which the hacker poses as a legitimate service and asks the user to enter their password on a website doctored to look like that company’s website or via keyloggers. The target is however unwittingly persuaded to download malware onto their computer that then records every keystroke, giving away the passwords to the hacker.

For that reason, time-based one-time passcode (TOTP) generators such as Google Authenticator, which is installed on any of your devices with the app generating new codes every 30-90 seconds, can be a substantial additional second factor. The only way you can enter the correct temporary code is if you have the device that created it. Many services, including Google, Facebook, Twitter, Dropbox, Evernote and others offer this option for security in addition to the password and as a more secure choice than 2FA via SMS.

However, McDowell notes that these are increasingly compromised because they still operate on the same “shared secret” model as passwords. “I still have to give that secret away to use it,” he says. “I still have to type that number into some application, and if I’ve been tricked into typing it into the wrong application, I’ve just given that code to someone else. The thinking used to be, well, so what because it expires quickly, but the attackers are sophisticated. They’re capable of carrying out real-time automated attacks, and  collect that code and get into your account while you sit there looking at an error message wondering, what  had gone wrong?”

A Google executive, revealed at the Cloud Identity Summit in 2015, “A phisher can pretty successfully phish for an OTP just about as easily as they can a password."

5. Use a security key.

These devices, which are relatively inexpensive, operate on a new FIDO industry standard protocol called universal second factor, or U2F. Again, it starts with the first factor, your password (what you know). The second factor is a what-you-have factor: a physical security key device such as a Yubikey. Some of these devices are USB ones that are inserted into a USB port, and others are Bluetooth or NFC-enabled, so you simply hold it near the login screen.

Such a device uses something called public key cryptography where the public key and private key differ. The private key is on your device, and it never goes to the server. It always stays on your device, but when you want to sign in, the server sends a challenge to the device, which in turn challenges the user. You simply have to touch it so that the service knows a human is present and not a bot trying to attack the account, accomplishing the same purpose as CAPTCHA tests online.

It is “not vulnerable to social engineering, never gives away the secret,” says McDowell. “Not only do you not give the private key away, but malware can’t get the private key off the device, so with FIDO authentication with these security keys, I have to physically steal your security key device, in order to compromise your authentication credentials. I can’t do it remotely. I can’t trick you into doing it for me, can’t trick you into getting me into your account.”

6. Use a device that uses biometric authentication.

The public key cryptography method can also be designed for a passwordless experience, set to what’s called the FIDO UAF (universal authentication framework) standard, which requires multiple authentication factors, typically a what-you-have (a device with the private key) and a what-you-are authentication factor such as fingerprint or iris or voice scan via biometric sensors.

This, however, doesn’t require the private key to be placed on a separate device as it was done in the past. The what-you-have factor is your computer or tablet or mobile phone itself, so when you log in this way, it seems to you that there’s only one gesture required, swiping your fingerprint or looking at the camera.

“I touch something, I look at something, maybe I talk to it, it couldn’t be easier from a usability perspective, and it’s an "un-phishable," not attackable remotely, an unscalable attack,” says McDowell. “To attack a FIDO credential, in the case of multiple credentials, I have to steal your phone then compromise your biometric sensor.” Although this can actually be done, it’s a difficult, time-consuming process (and also probably not very profitable since it’s expensive and labor-intensive and can’t be done at scale), and McDowell says, “in the meantime, you’ve just reported a stolen phone, and it’s de-provisioned on the server side, and they can’t get in anyway.” This seems to be the most secure yet, and hackers are yet to decipher the easiest way to get through this.

A few of the new generation devices out in the market now use this FIDO UAF method, including Samsung Galaxy S6 and S7, S6 and S7 Edge, Note 5 and Note Edge, And although FIDO is not built into Apple devices, TouchID is open to third-party applications, so iOS apps can employ FIDO authentication. For instance, Bank of America offers FIDO on Apple and Android devices.

In conclusion, these steps may hit you as time-consuming, they can save you tremendous hassle, headache and potential losses of having your phone hijacked, your email account compromised, or your financial accounts and other sensitive information hacked.

If you ever had to make use of professional for your phone hacks and other hack related issues, you definitely have to visit WWW.DARKWEBSOLUTIONS.CO on how to hack and prevent your phone from been hacked, damage control too.


Popular Posts