Ever since they appeared a decade ago, smartphones have been a thorn in the side of CISOs, offering attackers a way into corporate networks through devices often not controlled by the enterprise.
Malware, installed either through a malicious email or a recklessly downloaded app, is the usual vector. But a report this week in the New York Times warns that lazy support staff at wireless providers — aided by equally lazy handset owners — are another vulnerability.
According to the story, an increasing number of people are reporting their cellphone numbers have been hijacked by criminals who get the providers to transfer the numbers to their own devices. Then, if the devices aren’t locked with a password, criminals can change application logins used by the victims to access enterprise and personal applications.
In the U.S., says the Times, figures from the Federal Trade Commission indicate the number of phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658. Equivalent data in this country is hard to find. The office of the Commissioner for Complaints for Telecommunications Services said that for the fiscal year that ended July 31, it had received 23 complaints alleging fraudulent disruption or suspension of service.
In response to a query, neither Bell Canada nor Telus could offer any statistics on how often wireless phone hijacking takes place.
Bell said in a statement that it is “continually updating our security measures to counter threats of cybercrime, including those related to SIM swapping and identity theft schemes. As always, we encourage our customers to remain vigilant about password protecting their devices and to be careful about sharing of personal information.”
In a statement Telus said protecting customer privacy is a priority at the carrier. “We’ve implemented security protocols, including enhanced verification processes such as PINs and secondary security questions, designed to ensure that we’re only speaking to authorized users about an account. We also have our Telus Wise initiative, a free educational program available to all Canadians that focuses on Internet and smartphone safety and security to help keep consumers safe from online criminal activity such as financial fraud.”
Rogers Communications didn’t reply to a query on the issue.
The Times report serves as a warning to Canadian businesses that sharp threat actors may try to take advantage of the weak security practices of users and providers to take control of mobile devices.
For the best protection, users have to ensure a caller to a carrier support centre can’t impersonate them. That means, if possible, insisting on non-standard challenge questions (avoiding mother’s maiden name, for example), and ensuring that an account PIN is set up that a phoney caller won’t know. It also means not posting personal information on social media sites like Twitter or LinkedIn that can be used by an impostor, such as your birthday, wedding day, the public schools you went to, the names of your children, your cellphone number and details of trips away from home. And most important, despite the inconvenience, make sure you have a PIN or biometric lock activated on your mobile devices.
At the same time, carriers have to crack down on support staff to ensure they don’t sympathize with unknown people on the line who seem oh-so-close to guessing the right answer to a challenge question.
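One control the advice above implies on the enterprise side is correlating a carrier's notice that a number has moved to a new SIM with any SMS-based credential reset on accounts bound to that number. The following added example is not from the article or any carrier; it assumes a constructed event feed in which carrier SIM-change notices and identity-provider reset events share a `phone` field.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data). Alice's reset follows a SIM change
# on her number by 38 minutes; Bob's follows one by about two days.
EVENTS = [
    {"ts": "2017-08-21T09:02:00", "type": "carrier.sim_change", "phone": "+15555550100"},
    {"ts": "2017-08-21T09:40:00", "type": "idp.password_reset", "phone": "+15555550100",
     "user": "alice", "method": "sms"},
    {"ts": "2017-08-21T10:05:00", "type": "idp.password_reset", "phone": "+15555550177",
     "user": "bob", "method": "sms"},
    {"ts": "2017-08-19T08:00:00", "type": "carrier.sim_change", "phone": "+15555550177"},
    {"ts": "2017-08-21T11:00:00", "type": "idp.password_reset", "phone": "+15555550100",
     "user": "alice", "method": "hardware_token"},
]

# How long after a SIM change an SMS-based reset is treated as suspicious
# (assumed tuning value, not from the article).
WINDOW = timedelta(hours=24)


def find_suspicious_resets(events, window=WINDOW):
    """Return one alert per SMS-based password reset that happened within
    `window` after a SIM change on the same phone number."""
    last_sim_change = {}  # phone -> datetime of most recent SIM change seen
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "carrier.sim_change":
            last_sim_change[e["phone"]] = ts
        elif e["type"] == "idp.password_reset" and e.get("method") == "sms":
            changed_at = last_sim_change.get(e["phone"])
            if changed_at is not None and timedelta(0) <= ts - changed_at <= window:
                alerts.append({
                    "user": e["user"],
                    "phone": e["phone"],
                    "minutes_after_sim_change": int((ts - changed_at).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(EVENTS):
        print(f"ALERT: SMS reset for {a['user']} {a['minutes_after_sim_change']} min "
              f"after SIM change on {a['phone']}")
```

Resets completed with a non-SMS factor are deliberately ignored, since the hijacked number gives the attacker nothing there.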
The Times article said criminals seem to be targeting people with valuable online accounts such as virtual currency traders. They are apparently found because they are loose-lipped on social media. “Everybody I know in the cryptocurrency space has gotten their phone number stolen,” one Bitcoin entrepreneur is quoted as saying.
In a number of cases involving digital money enthusiasts, the article says, the attackers accessed and then held sensitive email and phones for ransom.