(Allison) Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.
And there are many ways that a crook can gain access to, or even control over, that number, even if you are still using it. Most people have heard of SIM cards, the little thumbnail-sized computer chip inside their mobile phone or tablet. But SIM chip cloning isn’t as well known, even though it has been around for decades. By cloning (or copying the identification of) your SIM chip, the crook can make and receive calls and texts that appear to be from your phone.
It’s one of the major reasons I maintain a landline in this day and age. It is the only number I give out or have listed for my accounts, and a landline can’t receive ‘texts’. So if a crook steals the monthly statement out of the mailbox (email or snail mail, all the same) and attempts to hijack my account, they will fail because they can’t text the landline and they can’t steal its identity.
Sometimes your email accounts can be compromised by the Email Provider themselves, due to their complete lack of concern or caution over security.
A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.
Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.
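To make the design point behind the two accounts above concrete (the reset flow Nixon describes that rests entirely on a texted code, and the Yahoo! login that looked an account up from nothing but the phone number), here is an added illustration that is not code from the original post or from any provider. It models the weak flow next to a hardened one: the hardened flow refuses to look accounts up by phone number, treats a recent SIM change as a hijack signal (the `sim_changed_at` field stands in for a carrier lookup, which is an assumption), and requires a second factor that the phone number does not supply. All account records, numbers and codes are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Everything below is constructed for illustration; it is not Yahoo!'s or any
# provider's code. NOW is a fixed timestamp so the example is deterministic.
NOW = 1_700_000_000
DAY = 86_400


def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Sample directory. 'sim_changed_at' stands in for a carrier "recent SIM swap
# or port" signal (assumption: obtained from a carrier lookup API, not shown).
# 'recovery_hash' is a hashed one-time recovery code the user stored offline.
ACCOUNTS = {
    "alice@example.com": {
        "phone": "+15555550100",
        "sim_changed_at": NOW - 2 * DAY,   # number just moved to a new SIM
        "recovery_hash": _h("alice-recovery-0001"),
    },
    "bob@example.com": {
        "phone": "+15555550199",
        "sim_changed_at": None,
        "recovery_hash": _h("bob-recovery-0001"),
    },
}

SERVER_KEY = secrets.token_bytes(32)
OUTBOX = {}   # phone -> last SMS text; stands in for the carrier network
PENDING = {}  # (email, phone) -> expected code for the hardened flow


def _code_for(*parts: str) -> str:
    """6-digit code derived from the server key and the context it is bound to."""
    mac = hmac.new(SERVER_KEY, "|".join(parts).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


# ---- Weak flow: the one the commenters describe -------------------------

def weak_start(phone: str) -> bool:
    """Look the account up by phone number and text it a code. Nothing else asked."""
    if not any(a["phone"] == phone for a in ACCOUNTS.values()):
        return False
    OUTBOX[phone] = _code_for("weak", phone, str(NOW))
    return True


def weak_finish(phone: str, code: str):
    """Whoever can read SMS on that number gets the account: number recycling,
    a cloned SIM or a SIM swap all pass this check."""
    if hmac.compare_digest(OUTBOX.get(phone, ""), code):
        return next(e for e, a in ACCOUNTS.items() if a["phone"] == phone)
    return None


# ---- Hardened flow ------------------------------------------------------

def hardened_start(email: str, phone: str) -> str:
    """Caller must name the account; the number must be the one on file."""
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(acct["phone"], phone):
        return "denied"             # no phone->account lookup: a recycled number reveals nothing
    if acct["sim_changed_at"] is not None and NOW - acct["sim_changed_at"] < 7 * DAY:
        return "fallback_required"  # treat a fresh SIM change as a hijack signal
    code = _code_for("hard", email, phone, str(NOW))
    PENDING[(email, phone)] = code
    OUTBOX[phone] = code
    return "code_sent"


def hardened_finish(email: str, phone: str, code: str, recovery_code: str) -> bool:
    """The SMS code is only one factor; a non-phone factor is also required,
    so control of the number alone is never sufficient. Each code is single-use."""
    acct = ACCOUNTS.get(email)
    expected = PENDING.pop((email, phone), None)
    if acct is None or expected is None:
        return False
    sms_ok = hmac.compare_digest(expected, code)
    rec_ok = hmac.compare_digest(acct["recovery_hash"], _h(recovery_code))
    return sms_ok and rec_ok
```

Reading `OUTBOX` in the weak flow plays the role of whoever currently receives SMS for that number, which is exactly the position the previous-owner story puts a new subscriber in; the hardened flow gives that party nothing without the account identifier, a number that has not just changed SIMs, and the offline recovery code.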
I don’t want the government, especially a government with Obama appointees still sitting at a desk, to “Fix the issue”. A joint committee or task force of business, banking, Federal and scientific members should hash out a set of new regulations for the way ecommerce and ebanking should be done.
In the meantime, don’t give anyone your cell phone or mobile number for any reason. Practice saying, “Fuck off!”.