Cell Phones

Social engineering is the new method of choice for hackers. Here's how it works

  • Last Updated:
  • Feb 11th, 2019 10:59 am
[OP]
Deal Guru
User avatar
Mar 25, 2003
13490 posts
2731 upvotes
Markham

Social engineering is the new method of choice for hackers. Here's how it works



Social engineering is the new method of choice for hackers. Here's how it works.

https://www.cbc.ca/news/technology/mark ... -1.5009279
Is your name and your phone number all it takes for a hacker to take over your cellphone account?

Marketplace's latest investigation has found that just a few pieces of personal information could leave you and your accounts vulnerable.
96TB Mediasonic H82-SU3S2 / 72TB Raid 50 on Mediasonic H8R2-SU3S2
48TB Node 304 / i5-3570 / Server 2016 Essentials
12TB HP Mediasmart EX 495 (E8400, 3.0GHZ, 4GB Mushkin), with Server 2016 Essentials
16TB Qnap TS-459 Pro
23 replies
Deal Expert
Aug 22, 2006
21163 posts
7190 upvotes
What? That's not new.
Social engineering has been used for decades.
Deal Fanatic
Oct 6, 2007
6947 posts
3095 upvotes
Kootenays
death_hawk wrote:
Feb 9th, 2019 3:30 pm
What? That's not new.
Social engineering has been used for decades.
Not to access and clean out online banking and crypto accounts! One woman on the show lost $30,000 in crypto, the down payment on her mortgage. For their loose lips, Rogers first offered 3 free months of cell service, then upped it to a year. She said no thanks and now is suing them.
Last edited by smacd on Feb 9th, 2019 6:36 pm, edited 1 time in total.
Deal Expert
Aug 22, 2006
21163 posts
7190 upvotes
smacd wrote:
Feb 9th, 2019 6:20 pm
Not to access and clean out online banking and crypto accounts!
To be fair, these haven't even been around for a decade.

EDIT: Wait a minute... how the hell do you social engineer out cryptocurrency?
I mean like stealing keys, not convincing someone to buy it while pretending to be the CRA.
Deal Fanatic
Oct 6, 2007
6947 posts
3095 upvotes
Kootenays
death_hawk wrote:
Feb 9th, 2019 6:23 pm
To be fair, these haven't even been around for a decade.

EDIT: Wait a minute... how the hell do you social engineer out cryptocurrency?
I mean like stealing keys, not convincing someone to buy it while pretending to be the CRA.
I believe she said they took over her account through her phone app which they hacked after gaining access to her phone through Rogers. Could be wrong, though, but don't want to re watch it.
Deal Expert
Aug 22, 2006
21163 posts
7190 upvotes
smacd wrote:
Feb 9th, 2019 6:32 pm
I believe she said they took over her account through her phone app which they hacked after gaining access to her phone through Rogers. Could be wrong, though, but don't want to re watch it.
I didn't want to waste 17 minutes watching it the first time, hence why I asked.
I did read the article, but it outlined on how they social engineered the account, but no mention of how the crypto was hijacked.

That's where my question lies though: How did getting access to a SIM card give access to her crypto accounts?
I couldn't care less if someone cloned my SIM. They wouldn't get squat in terms of cryptocurrency.
The only way to get any of it is basically this: https://xkcd.com/538/

The ONLY way I could see is if she was already compromised through an exchange and the SIM was used for 2FA.
If that were true, there's not really much else standing in the way of the hacker having complete access to everything else.
It's just through sheer luck that she was using SMS based 2FA.
Deal Fanatic
Oct 6, 2007
6947 posts
3095 upvotes
Kootenays
Went back and rewatched. Watch from the 2:00 minute mark to the 3:00 minute mark. Hackers did a "sim swap".
Member
Jul 15, 2003
403 posts
132 upvotes
Social engineer the carrier to gain control of the phone number by transfer to a new sim.

Use the phone number to gain access to email accounts.

Use the access to email accounts to find where all the other accounts are and use the phone and email account to reset passwords elsewhere.
Deal Expert
Aug 22, 2006
21163 posts
7190 upvotes
smacd wrote:
Feb 9th, 2019 6:38 pm
Hackers did a "sim swap".
To quote the video:
"It's called a sim swap and can give hackers access to all your apps and financial accounts"

Image

Image
Deal Expert
Aug 22, 2006
21163 posts
7190 upvotes
SecretSauce wrote:
Feb 9th, 2019 7:57 pm
Social engineer the carrier to gain control of the phone number by transfer to a new sim.

Use the phone number to gain access to email accounts.

Use the access to email accounts to find where all the other accounts are and use the phone and email account to reset passwords elsewhere.
This is more plausible, assuming your phone number is the recovery point for your email, which it shouldn't be.

Still... there's zero reason why the bulk of her crypto should have been stolen unless she's storing on an exchange which is another can of worms.

Bank accounts should be fine too since some to most of them challenge you with "security" questions that I'm hoping Rogers didn't reveal.
Even if they did, there's also zero reason to use legitimate security questions because they are inherently insecure.
Deal Addict
Aug 18, 2018
1443 posts
1031 upvotes
SFO <==> YYZ
death_hawk wrote:
Feb 9th, 2019 8:19 pm
To quote the video:
"It's called a sim swap and can give hackers access to all your apps and financial accounts"

[images removed]
So basically the same old port-out scam then? (assuming "sim swap" means what I think it means)

This is where VoIP really shines, by breaking the link between the SIM and your DID number. Hell they could even steal my physical SIM for all I care, but they're not getting access to any of my accounts.
Deal Expert
Aug 22, 2006
21163 posts
7190 upvotes
arkane wrote:
Feb 9th, 2019 9:02 pm
This is where VoIP really shines, by breaking the link between the SIM and your DID number.
I guess it depends on where their point of entry was.
If they have access to your email already, porting out of voip would be trivial.
Hell they could even steal my physical SIM for all I care, but they're not getting access to any of my accounts.
Outside of being a recovery point to a single primary email, I still can't figure out how a sim swap compromised her entire financial life.

Not that I can talk... I lost money on Quadriga.
Deal Addict
Aug 18, 2018
1443 posts
1031 upvotes
SFO <==> YYZ
Disclaimer: didn't want to waste 17 minutes of my life so didn't watch video

Fair enough if your email is compromised already. But I think most port-out scams start with porting out your number to a physical SIM owned by them (hence the name). Once they own your number, it's trivial to reset your primary email's password since most people link their number as a recovery method. And once your primary email is compromised, it just goes downhill from there.
Deal Addict
May 12, 2014
1904 posts
1317 upvotes
Montreal
death_hawk wrote:
Feb 9th, 2019 8:23 pm
This is more plausible, assuming your phone number is the recovery point for your email, which it shouldn't be.
What would you recommend as a recovery option for your email account?

Top