It’s my belief that security should be the number one thing on your mind whenever you do anything with money. Money might mean your bank account, your stock brokerage account, a sale on Craigslist, cash, or even cryptocurrencies.
It was hard enough to deal with security before we had all this technology. Back in the day people just had to find a place to hide their gold. Then we got banks and could keep it there. Then banks let people write checks. Now everything can be done from your smartphone.
We’ve come a long way, but each added convenience has also made it more convenient for someone with bad intentions to take advantage of us. If you think being hacked will never happen to you, think again. These crimes are only increasing, and if you’ve never taken your online security seriously I urge you to start today.
Don’t think it really matters? Check out these articles and see for yourself. The first link takes you to a story about a reporter who asked a bunch of hackers to see what they could do to him. He thought his defenses were pretty solid. It turned out he was very vulnerable.
You should also read Cody’s post “How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com”, where he explains how hackers took over his phone number and then drained his account of all his cryptocurrency, including Bitcoin, Litecoin, and Ethereum.
How do you hack your bank account, email, or Coinbase account once you have the phone number?
Some of you reading the linked posts above might be wondering how in the hell someone can take over your email account after stealing your phone number with a little social engineering.
That’s what you’re about to try for yourself.
Let’s start with the most important thing, the one that holds everything together: your email account. If I had access to your email account I could trigger a “forgot password” reset on your other accounts and set a new password myself. I’m sure you’re familiar with that flow.
Passwords can be changed in many other ways, though. It won’t matter that you have the best password in the world and use 2-factor authentication (without SMS), because if someone can call Company X and “socially engineer” their way into your account, what’s the point?
Although in these examples the attackers go after the phone companies, they could go after any company this way. They call pretending to be you, claiming to have forgotten the password, lost the phone, or misplaced the PIN. There are a ton of ways to trick a support rep into handing over the account. The weak link in these examples is Company X, not you.
Why are they going after the telcos more and more? Because telcos are among the weaker targets, and your phone number is the key to many of your other accounts.
Show me how to hack my Gmail account.
Go to your Gmail account login page
Click on Forgot email?
Now it asks for your phone number or your recovery email. We go with the phone number, because that’s the one we’ve stolen.
I’ll stop here for a second, because some of you might be asking how they would know my phone number to steal it in the first place. Try googling your name and see what you get. Or go the other way and google your number. Unfortunately the same search convenience we enjoy is also convenient for hackers.
There are a ton of places online where you can buy people’s info. Most of it is out there somewhere, and I’m not even talking about the dark web, where stolen identity packages including addresses, phone numbers, and even Social Security numbers are for sale.
Anyway, put your phone number in and click next
Now it asks for your first and last name. We’ve already covered how easy that info is to get. Put it in and see what’s next.
Now it tells you Google will send a verification code to your number. Click send.
Put in the verification code and click next
Now you can choose the email account you want to hack.
Here it asks for your password. Let’s try “Forgot password?” instead.
It will now ask for the last password you remember. We don’t care about this; we want to skip it. Click “Try a different question” right under the box.
Next it might offer to send a prompt to your smartphone. We don’t want that option either; what we want is the SMS option. Click “Try a different question” again.
Finally it will offer a text message or a phone call. Click “Send text message”, enter the code, and click next.
I’m in. Now I can set a new password and I’ve hacked into my own account.
If you had clicked “Try a different question” a few more times you would have seen all the other ways hackers can get into your account. Notice that at no point did we need the old password or the smartphone prompt; every time the flow offered another option, and the stolen phone number answered all of them. The convenience of getting back into your account is also a convenience for hackers.
Great, that sucks. How do you stop it?
There’s no sure way to stop your account from being hacked. I’m sorry, but there really isn’t. What you can do is make it as difficult as possible for them to get in. Beyond that, be aware of the risk and stay vigilant about checking all your important accounts.
That being said, there are a few things you can do, and depending on how security conscious (or paranoid) you are you might want to do some or all of them.
1- Make sure you have a PIN or passcode with your phone carrier that is required any time changes are made to your account, including SIM swaps and number port-outs. This isn’t foolproof, since a rep who skips the check defeats it, but it helps.
2- Use 2-factor authentication whenever you can, but not SMS. What you want are U2F security keys (like a YubiKey) or, at the least, a TOTP app such as Google Authenticator or Authy. Both are more secure than SMS because the secret lives on your device and your carrier can’t hand it to anyone. Just as important: go through each account’s recovery options and remove the phone number and SMS from them, because the walkthrough above never touched the second factor at all; it went in through recovery.
3- Compartmentalize your access. Create a brand new email address that you use ONLY for sensitive accounts, and don’t share it with anyone.
Keep a separate email address for your phone carrier, use it only for that, and keep it apart from everything else. Then a third email address can serve everything else.
Some people go as far as saying you could have a separate email account for each and every sensitive account: one for your bank, one for your brokerage, one for your crypto exchange, and so on. In theory that’s the optimal setup, as long as you never connect any of these accounts to each other in any way. In practice few people would stick with it.
I personally recommend that you at least separate your email accounts into these 4 categories:
1- Personal (share with friends and family)
2- Finance (Banks, Brokerage, Crypto)
3- Utilities etc. (cable, electricity, water, Netflix)
4- Telephone
If that doesn’t sound like something you want to do, then at the very least put your phone carrier on a separate email address. That alone may save you.
If you’re deep in the cryptocurrency world you might want a separate email address for all of that too. In other words, split finance in two: crypto and everything else.
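The recovery chain walked through above (phone number, then Gmail, then whatever resets through Gmail) and the email separation recommended here are really the same question: given one stolen factor, what else falls? This added example, not code from the post, models each account’s recovery routes and computes that blast radius for the chained setup versus a compartmentalized one. The account names and routes are constructed to mirror the post’s scenario; they are assumptions, not a description of any real service’s rules.

```python
"""Model account-recovery dependencies and compute the blast radius of a
hijacked phone number. Added example; account names and recovery routes
below are constructed to mirror the post's scenario, not real services."""
from __future__ import annotations

# Each account maps to a list of recovery routes. A route is a set of factors
# that must ALL be held; holding ANY ONE complete route takes the account over.
Recovery = dict[str, list[set[str]]]

# The setup from the walkthrough: everything resets through SMS or Gmail.
CHAINED: Recovery = {
    "gmail":    [{"phone_number"}, {"recovery_email"}],   # SMS code alone resets it
    "bank":     [{"gmail"}, {"phone_number"}],            # email reset, or SMS reset
    "coinbase": [{"gmail", "phone_number"}],              # email reset plus SMS 2FA code
}

# The separation recommended in this post: the phone number reaches only the
# personal mailbox, and the sensitive mailboxes recover through a U2F key.
COMPARTMENTALIZED: Recovery = {
    "personal_email": [{"phone_number"}],                 # convenient, linked to nothing sensitive
    "telco_email":    [{"u2f_key"}],                      # used only with the carrier
    "finance_email":  [{"u2f_key"}, {"backup_codes"}],
    "bank":           [{"finance_email", "totp_app"}],
    "coinbase":       [{"finance_email", "u2f_key"}],
}


def blast_radius(recovery: Recovery, seized: set[str]) -> dict[str, frozenset[str]]:
    """Return every account reachable from the seized factors, mapped to the
    route that opened it. Iterates to a fixed point, so chains of any length
    (phone -> email -> exchange) are followed, not just direct resets."""
    held = set(seized)
    opened: dict[str, frozenset[str]] = {}
    progress = True
    while progress:
        progress = False
        for account, routes in recovery.items():
            if account in opened:
                continue
            for route in routes:
                if route <= held:              # attacker holds every factor on this route
                    opened[account] = frozenset(route)
                    held.add(account)          # and the account itself is now a factor
                    progress = True
                    break
    return opened


def report(recovery: Recovery, seized: set[str]) -> str:
    """Human-readable attack path for a set of seized factors."""
    opened = blast_radius(recovery, seized)
    lines = [f"seized: {sorted(seized)}"]
    for account, route in opened.items():
        lines.append(f"  {account} falls via {sorted(route)}")
    if not opened:
        lines.append("  nothing else reachable")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CHAINED, {"phone_number"}))
    print(report(COMPARTMENTALIZED, {"phone_number"}))
```

With the chained setup a single stolen phone number opens Gmail, then the bank through Gmail, then the exchange through Gmail plus the same number. With the compartmentalized setup the same theft reaches only the personal mailbox. Run it against your own accounts’ recovery pages, and note that it cuts both ways: seizing the U2F key in the second model still opens both sensitive mailboxes and the exchange, which is why the key needs a PIN and the backup codes need to stay offline.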
For some further reading I highly recommend these posts:
Hackers Are Hijacking Phone Numbers And Breaking Into Email, Bank Accounts: How To Protect Yourself
Security Advisory: Mobile Phones