Until yesterday afternoon, I felt pretty good about my cyber security. Sure, some of my personal details have been leaked before in massive, widespread data breaches ( T-Mobile hack, anyone?), but I practice safety and caution in using the internet. I don’t visit questionable sites. I don’t pirate movies or other media. I use an ad blocker and allow Safari to make up secure passwords for each of my accounts. I’ve enabled two-factor authentication wherever I can and don’t click on emails or attachments from people I don’t know. I follow the rules.
But on Tuesday afternoon, all those rules went out the window. All my careful planning and securing went for naught. And it all happened because a smooth-talking cyber criminal took advantage of a weakness in T-Mobile’s user authentication protocol. Here’s what happened.
3:25 pm -- I get a phone call from a number that isn’t in my contacts. This doesn’t seem that unusual since I’ve recently relocated. I answer it, and there’s silence on the other side. I assume it’s a wrong number and go on with my life.
3:38 pm -- I get a text message from T-Mobile saying my account PIN number has been changed and to call their customer service number if I didn’t change it. Hmmm…. fishy.
I dial the number, but as I’m doing so, my connection is suddenly lost and I have no service.
I power my device on and off. Still no service.
My gut tells me this is not good...
3:43 pm -- I grab my husband’s phone and call T-Mobile to report the PIN change wasn’t me. After taking my name and phone number, the representative asks if I would like to change the PIN again. All that’s required is to name one phone number in my recent calls log…
Are you catching on yet?
By calling me and hanging up, these attackers basically planted their phone number in my phone log and T-Mobile’s database. Now they simply had to call T-Mobile posing as me, share the phone number they called me from (probably also stolen) and BAM! PIN gets reset. And once you own a PIN number for an account, it doesn’t take much effort to call T-Mobile again and ask them to port their (my) phone number over to a new SIM card.
3:48 pm -- This is where things really get fun. As I am on the phone with T-Mobile trying to get service restored, I decide to check my (several) email accounts, just to make sure nothing fishy is happening. But, of course, there is … my Gmail account indicates that there have been changes to both my Yahoo and USAA accounts.
I am now feeling physically ill and it’s not even 4 p.m. yet …
3:50 pm -- Still on the phone with T-Mobile, following their stupid directions to “check the SIM card is inserted correctly,” blah blah, I decide to test my Yahoo account to see what it takes to change a password. Apparently, nothing more than the phone number on the account. They use it to send you a reset code.
FML…
So now they have access to my nearly never-used Yahoo account. And since I rarely check it, I’ve forgotten that I must have set that account up as a secondary or backup email account with USAA in case I couldn’t access my primary Gmail account. And since I send my junk messages (including USAA newsletters) to this address, this is probably how they figured out I had a USAA account.
So, of course, they decide to take a shot at hacking USAA. All that is needed to acquire a “forgotten” username and reset the password is a social security number (likely obtained from T-Mobile hack), email address, and that sacred phone number. So, of course, they were in like Flynn in under 10. Thankfully, my Gmail account was not compromised, so I was able to regain access to my Yahoo and USAA accounts.
4:03 pm -- My phone service has been restored and I’m beginning to relax.
4:08 pm -- The same damn thing happens again!!! First the text from T-Mobile, then service gone... aaaannnd Yahoo and USAA hacked again,
*sigh *
At this point my brain is a bit fried, but I suddenly realize the smart thing to do here would be to get my damn phone number off those accounts. I’m torn between whether it’s more urgent to contact USAA to secure my accounts or T-Mobile to get my phone number back.
I decide USAA is more important and spend the next hour removing phone numbers, changing usernames, passwords, downloading a security app that is unique to my phone and generates a new password for every log in, which expires every thirty seconds …
Is anyone else feeling exhausted?
5:11 pm -- I am now ready to tackle T-Mobile again. I share my whole drawn-out story and they suggest I change my phone number before returning service to my phone, so this doesn’t keep happening. Well, that’s all fine and dandy but there’s one big problem. That phone number is the one I use for two-factor authentication on several other email and internet accounts. If I get a new number before the old one is turned back on, I am forever locked out of all those accounts.
This cannot be happening...
6:10 pm -- I finally convince T-Mobile to place a big red flag on my account that says not to allow anyone to change my PIN number for any reason for the next week. During that time I'll scour my accounts for that phone number, change two-factor authentication settings, backup all contacts and so forth. I seriously hope they pay attention to those notes, or I’ll be back to square one again.
But even scarier is this: I can change my number and that will take care of my immediate problem, but what residual problems might follow? What other accounts might I have forgotten about? What other ways might someone leverage that old number to do more bad things to me or other people?
Why User Authentication Protocols Need To Change
My tale is a cautionary one, no doubt, but it is also meant to serve as a call to action. As companies gather and store more and more sensitive data about their customers, greater measures must be taken to secure that information.
But despite the great responsibility that falls upon them, some of the largest data holders in the world – in this case, cell phone companies – lack the strict user authentication protocols needed to maintain the security of that information. Simply put, these companies are doing a piss-poor job of ensuring customers are actually who they say they are. The methods they employ to “verify” a customer’s identity are poorly planned, rely on easily accessible knowledge about a person and in some cases seem completely dependent on the customer service representative’s own judgment as to whether an individual is legit or not. While the problem is not a simple one to solve, it is, nonetheless, one that deserves attention.
It’s wrong that something so dear as our cell phone numbers, which link access to so many, many things, from contacts to banking account log-ins, can be stolen by a simple social engineering hack.
In my case, I was fortunate. Only two accounts were briefly compromised. Apparently, I’ve managed to sandbox my internet accounts enough that their schemes couldn’t go any further. But not everyone is so lucky.
At BSides security conference in Las Vegas in August, Dartmouth College computer science graduate student Vineetha Paruchuri (@pvineetha) presented her thesis research on this exact problem. She explained that many companies, including all the major U.S. mobile phone providers, suffer from a lack of strict protocols for authenticating customers. This makes customer service personnel extremely vulnerable to attackers who know just what the representative needs to hear to gain trust. And gaining trust isn’t even a difficult thing to do, says Paruchuri.
“Because of the lack of effective authentication protocols, anyone who figures out these loopholes can take control of victims' accounts. We don't need the smooth talking deceptive social engineer anymore. They're not doing anything that the protocol doesn't permit them to."
In her presentation, Paruchuri outlined several recent hacks on high-profile individuals, which occurred due to simple social engineering tricks that take advantage of weak authentication protocols.
“We need to engineer these systems better,” Paruchuri told iDigitalTimes. "When you analyze enough of these cases, you can see that this boils down to an interfaces/protocol problem which can and should be solved by applying computer science knowledge.”
A similar theme appeared in a post earlier this week by security researcher and blogger Brian Krebs. In it, he details a heartbreaking situation where a stolen phone number led to the death of a disabled woman’s husband. The man had begun having a heart attack and when his wife tried to contact paramedics, she discovered her phone number had been stolen. Because she was unable to get to a working phone soon enough, her husband died in front of her.
Krebs post also cites the case of Lorrie Cranor, chief technologist for the U.S. Federal Trade Commission, who experienced a similar stolen phone number situation this summer. In her case, the thieves walked into a mobile phone store, claimed to be her, and asked to upgrade her phones. The person was able to walk out of the store with two brand new iPhones assigned to her telephone numbers, leaving Cranor with no service and a massive bill.
“My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft,” Cranor wrote in a blog about the situation on the FTC’s site.
The situations of Cranor, myself and countless others illustrate a very real problem with the protocol mobile companies have set up for authenticating users and point to much larger risks beyond just inconvenience. I follow the rules when it comes to my security. My carrier should, too.
