Social engineering attacks are happening every day, and it is often the first technique hackers turn to, because “calling somebody on the phone is so much easier than doing the technical magic you need to break into a computer.”
Is your name and your phone number all it takes for a hacker to take over your cellphone account?
It turns out it can be. Former cryptocurrency executive Erynn Tomlinson lost about $30,000 in cryptocurrency after hackers used a few of her personal details during interactions with Rogers customer service representatives to ultimately gain access to her account. Tomlinson is a victim of the latest type of hack plaguing the telecommunications industry: it’s called a SIM swap, and hackers use what’s known as social engineering to make it happen. Social engineering fraud typically occurs through email, phone, or text — or in Tomlinson’s case, through online chat windows. Hackers use charm and persuasion to convince a customer service representative they are actually the account holder.
How does it work?
The hackers might have a few pieces of publicly available personal information: a person’s name, email address, birthdate, postal code or phone number. Hackers use some of those details to try to sweet talk a representative into handing over more information and ultimately gain access to an account. “The attackers are very sophisticated. In this case, Rogers didn’t provide any friction for them and made it far too easy,” Tomlinson said of her experience.
As far as Tomlinson can tell, the hackers had only her name and her phone number. Over a series of eight different online chats, the hackers managed to obtain her date of birth, email address, account number, the last four digits of her credit card, and other details about her account. Armed with this information, the hacker convinced a Rogers rep to activate a new SIM card linked to Tomlinson’s account, which could then be placed into a phone in their possession. A SIM card is a chip used to identify and authenticate a subscriber to a service provider. Once the hackers had executed the SIM swap, they were able to use their own phone to gain access to a number of Tomlinson’s sensitive accounts, including those tied to her finances.
Tomlinson used two-factor authentication on her sensitive accounts, an extra security step that sends a message to your cellphone before granting access. Tomlinson believes the SIM swap allowed the hackers to divert those incoming messages to a new device, effectively bypassing her security measures. She first became aware something was wrong when her cellphone stopped working. After stopping by a nearby café to use the Wi-Fi, she realized one of her financial accounts was at zero. She rushed home and logged onto her other accounts, and also saw them being drained. In total, the hackers managed to steal the equivalent of $30,000 in cryptocurrency. “I hope this is a bit more of an extreme case,” she said. “But I think … every Canadian is at risk right now.”
Social Engineering attacks on the rise
Tomlinson’s losses may sound extreme, but companies around the world say social engineering attacks are on the rise. Canada’s federal privacy commissioner now requires all companies to report any security or privacy breaches. Since November 2018, there have been more than a dozen reports of social-engineering breaches in this country’s telecommunications sector alone. Privacy commissioner calling on wireless networks to plug security gap. In an email, the Office of the Privacy Commissioner told CBC Marketplace the trend “clearly raises concerns.” The emergence of social engineering fraud comes as no surprise to ethical hacker and cybersecurity expert Joshua Crumbaugh. “Social engineering’s been a popular thing, I mean, since the beginning of time — we just gave it a new term. It’s the same thing that grifters and con men have been doing forever … they’re just exploiting basic human weaknesses or vulnerabilities.”
See original full CBC article here