Saturday, February 16, 2019

20 Recommendations on how to protect yourself from mobile phone SIM Card swap fraud


What exactly is a “SIM-Swap” scam?

Here is one definition: “SIM Swap fraud (also known as Port-Out scam or SIM splitting) is a type of account takeover fraud that generally targets a weakness in two-factor authentication & two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud exploits a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM destination. This feature is normally used where a customer has lost or had their phone stolen.”

This type of fraud is not new. It has been with us for three years, but volume levels have been low. It appears that the specifics of this con game have been shared with the global community of organized crime, judging from the recent preponderance of articles in various jurisdictions about this type of crime. Victims, if they have the courage to report the crime, and 85% elect not to, based on present estimates, have witnessed their financial accounts, whether banking, trading, or crypto, suddenly drop to zero. Law enforcement officials now report a 60% increase from prior complaint levels.



How does this type of fraud work?

This process goes in several steps. The worst part of this fraud is that you may be targeted long before the actual crime takes place.

·         A fraudster obtains your bank account details and registers your mobile phone number through phishing or malware.
·         He approaches your mobile service provider with your fake identity proof and, claiming loss of handset or SIM damage, seeks a duplicate SIM card.
·          A SIM swap typically happens using the following methods: Using identity theft to convince a MNO shop assistant that they are dealing with the account holder; or by stealing passwords from employees at the mobile operators or mobile dealers. Bill pay cellular users’ SIM cards can be cloned through a helpdesk by answering personal verification questions such as a home address or work number. The situation is more complex for pre-paid customers where the personal verification questions focus on the latest recharges or last numbers called. By using a fake ID document and other fake documents a person can also do a SIM swap at a mobile dealer. If a fraudster gains access (through a stolen password) to a support agent’s account, or that of a mobile dealer assistant, the SIM swap process becomes easy.
·         The SIM swap is typically performed late at night to avoid detection by the victim. Some fraudsters are also encouraging the victim to switch off their cell phone by harassing them with multiple calls.
·         After the phone is switched off, they do the SIM swap without fear of detection. Some mobile operators send an SMS notification that a SIM swap has been requested. To avoid the SIM swap being stopped, the fraudsters either use the above method or call the victim masquerading as a mobile operator employee to tell them the SMS was sent by mistake and should be ignored.
·         Following verification, the original SIM is deactivated and a new one is issued to the fraudster.
·         He then initiates financial transactions from your bank account, details of which he had earlier stolen, and receives payment confirmation requests on the duplicate SIM. Since the original SIM has been deactivated, the real customer remains unaware of the fraudulent transactions being made on their account.



As one security professional noted: “A high proportion of banking customers now have mobile phone numbers linked with their accounts, and so this attack is becoming common in some regions where this attack was not previously so common. Unlike mobile malware, SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through successful social engineering.”

Andrew Blaich, a security researcher at Lookout, recently explained in an interview that, “Unlike mobile malware, SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through social engineering. It’s a way attackers are attempting to gain access to their target’s cell phone communications. There are many public cases of attackers social engineering their way through a cellular company’s representative to get a SIM card issued for an account the attacker doesn’t own or have access to. It appears to be easy to do as all you need is a willing and susceptible representative at any cellular phone store.”

Mr. Blaich then added: “Once they’ve gained unfettered access to a victim’s phone number, criminals target bank accounts. Many banks will send you a code to log into an account or reset a password to a mobile phone via SMS, which means an attacker committing SIM fraud can request and receive the code and access your bank. Next, SIM fraudsters mask money withdrawals using a parallel system. They create a second bank account under the victim’s name (banks where the victim is already a customer have fewer security checks).”

There have also been a rash of articles detailing how employees of local phone stores have facilitated the scams taking place. Organized crime has used this tactic in many instances around the globe to coerce staff at the low end of the payscale to pass along critical information. All manners of threats of physical harm are used to force compliance with the criminal endeavor.

Can you protect from SIM-Swap scams?

Due to the nature of this scam, it would be extremely difficult to detect it before it happened. What does happen, once the SIM is swapped, is that your phone literally dies — No messages or calls in or out. If your financial account holders have the capability, request alerts in the form of emails, if and when transfers or major withdrawals take place. Alerts to your phone will not work.

Some banks and phone companies are already attacking the issue from a number of other perspectives, too: “There are multiple organizational and technical ways to combat SIM fraud — from introducing user alerting and additional checks for SIM reissuing to sharing knowledge of SIM swap activity between banks and phone companies. Banks can also consider looking for behavioral changes through behavioral analysis technology that can indicate a compromised device. It is possible to check whether your SIM card number and your international mobile subscriber identity (IMSI) are the same. If there is a discrepancy, your bank could contact you by email or landline to check.”



What to do in the event you become a victim of a SIM swap scam?

If you suspect you are the victim of a SIM swap scam, immediately call your mobile network operator for assistance. Be sure to call the right department. They may also have a form on their website for dealing with cases of fraud, which you can fill in, and they will assist you in an investigation of the matter.

Also make sure to call the appropriate department at your bank, and suspend all activity on your bank account, essentially locking it, so that nobody is even able to log in to your online banking profile.

If you are able to, you may consider accessing your online banking account, and changing your password, as well as changing your associated email address and mobile phone number, so the notifications and confirmation SMSes would arrive at a new number and email address. So even if the criminals succeed with the SIM swap operation, the number they have is no longer linked to your bank account. But I would more readily recommend that you just suspend activity on your account, especially in a panic situation or if you are unsure on how to go about doing all of that.

If money ends up getting taken out of your account, then you need to open a case with the police for theft, preferably within 48 hours of the fraudulent transfer or withdrawal of funds having taken place. During this process you may receive documentation from your bank’s claims department, which will aid in the investigation.

You might get your money back, and you might not. The banks claim that recourse depends on the circumstances of each case. In fact, some flat out refuse to reimburse a client, often claiming that it was the client’s fault – that they did something in order to help facilitate the theft. If you are fighting an uphill battle, it may be a good idea to get legal advice on the matter.



Some recommendations

1.       Make sure to become familiar with existing scams by reading appropriate blogs, forums, or articles in the newspaper, so when you see that email or SMS arrive in your inbox, you know it’s bogus.
2.       The first warning signal can be your mobile network. If your phone is out of network continuously for a few hours, it’s an alert, and you should complain to the mobile network operator immediately.
3.       Always make sure you have suitable anti-virus software installed and that your firewall is switched on.
4.       Don’t ever reply to suspicious emails. Your bank would never ask you to enter any confidential information in to an email.
5.       Don’t ever click through on links that may lead you to phishing websites – websites engineered to appear and operate like the official website. They may download a virus on to your PC, just by visiting them, which could serve as another means of obtaining your banking account password(s).
6.       Use your common sense. If you receive an email claiming to be from your bank, ask yourself if this is the same email address associated with your online banking account.
7.       Don’t use publicly visible email addresses for banking. Use a secure, private email address that nobody but you and your bank knows.
8.       Always visit the official website of you bank by typing in the address. Bookmarking the website isn't safe because there are forms of malware that could tamper with bookmarks so that they redirect you to phishing websites.
9.       Only ever try to log in to your online banking profile via the official website. There are ways to make sure that it’s the official website – not only by looking at the URL, but by checking the security certificate, which usually appears in the form of a padlock in your browser. You could even look up the website on a database, which would confirm whether the website is safe or not.
10.   Never disclose your Internet banking password or personal identification number (PIN) to anyone. Even your bank will never ask for this.
11.   Check your banking statements regularly for strange or unusual activity.
12.   Change your online banking passwords frequently. I would suggest at least once every 3 months. And make sure it’s a strong password too.
13.   Don’t answer calls or reply to SMSes from numbers you are not familiar with.
14.   The 20 digits SIM number on the back of your SIM card is top secret, and never share it with anyone.
15.   Even though it may be tempting to put your phone on silent or switch it off when multiple calls come through, it may not be the best idea, as this is exactly what the criminal may want you to do so that you don’t notice anything strange going on with your phone.
16.   Take note of the number the call or SMS came from. You can then look up this number on Google, or even contact your mobile network operator and check with them for more information if you receive a suspicious call or SMS.
17.   Consider joining a bank that gives you better security when it comes to banking, especially with online and cellphone banking. Some banks are known for not being secure with the features they provide. The same could be said for some cellular networks.
18.   If the bank only offers 2-step verification security that relies on using a mobile phone to access your account, then check whether or not you can set a backup number, or an email address where you can at least receive notifications at.
19.   Major carriers in the U.S. offer security that can help protect against SIM card swapping. Use it to secure your account:
a.       AT&T has “extra security,” a feature that requires you provide a passcode for any online or phone interactions with an AT&T customer representative. You can turn it on by logging into AT&T’s web dashboard or the myAT&T app.
b.       Sprint asks customers to set a PIN and security questions when they establish service.
c.       T-Mobile lets subscribers create a “care password,” which it’ll require when they contact T-Mobile customer service by phone. You can set one up by visiting a T-Mobile store or by calling customer care.
d.       Verizon allows customers to set an account PIN, which they can do by editing their profile in their online account, calling customer service, or visiting a Verizon store.



Sources and Additional Information:


Monday, January 28, 2019

Japan, Luxembourg, or Emirates: Which Passport is the Best?


For some people, a passport is a portal to the world. For others, it is a barrier to the travel freedom they seek.

Henley Passport Index

The Henley Passport Index (HPI) is a global ranking of countries according to the travel freedom for their citizens. It started in 2006 as Henley & Partners Visa Restrictions Index (HVRI) and was modified and renamed in January 2018. The site provides a ranking of the 199 passports of the world according to the number of countries their holders can travel to visa-free. The number of countries that a specific passport can access becomes its visa-free 'score'. In collaboration with the International Air Transport Association (IATA), and based on official data from their global database. Henley & Partners has analyzed the visa regulations of all the countries and territories in the world since 2006.

In 2019, Japan’s passport is ranked the strongest in the world for the second year running, allowing visa-free access to 190 countries to an estimated 17.5 million outbound Japanese travelers last year.

Asian countries dominate the index’s top spots, with Singapore and South Korea ranked second, with access to 189 destinations visa-free or visa-on-arrival. China has also jumped 16 places in the past two years, from 85th in 2017 to 69th in 2019.

European countries still fare well, with Germany and France ranked third, with 188; and Denmark, Finland, Italy and Sweden fourth, with 187.

US, sharing its score of 185 with Austria, Netherlands, Norway, Portugal, Switzerland, and UK, ranked sixths.

The past decade has seen a marked decline in many African countries’ rankings, including Sierra Leone, Nigeria, Gambia and South Africa, which have all dropped at least 18 places since 2009. Afghanistan and Iraq hold joint-last place for the third year in a row, with a current visa-free/visa-on-arrival score of 30.

Despite a rising isolationist sentiment in some regions, global mobility is improving, with an increase in visa-free access and mutually beneficial agreements overall. Historical data from the index shows that in 2006, an average passport holder could travel to 58 destinations without needing a visa; by the end of 2018 this number had almost doubled to 107.

“The general spread of open-door policies has the potential to contribute billions to the global economy, as well as create significant employment opportunities around the world,” said Christian H Kälin, chairman of Henley & Partners and index founder. “South Korea and the United Arab Emirates’ recent ascent in the rankings are further examples of what happens when countries take a proactive foreign affairs approach, an attitude which significantly benefits their citizens as well as the international community.”



Passport Index

The competitive data monitoring agency Passport Index will give you completely different story and password ranking trend.

The Passport Index is an interactive online tool that provides users with insights on passports with the ability to compare and rank the world’s passports. Ranking is based on freedom of movement and visa-free travel open to holders. Methodology for its ranking is based on freedom of movement and visa-free travel open to holders.

Surprisingly, here is United Arab Emirates capture the highest ranking – power rank 1. USA passport is ranked 3, and Japanese passport is only ranked 4. May be that is because in 2017, The Passport Index was assigned to monitor the development of the newly launched UAE Passport Force Initiative, with the aim to position the Emirati passport on the list of the five most powerful passports in the world by 2021.

As you see, the target achieved ahead of the schedule.



Nomad Passport Index

The Nomad Passport Index ranks 199 citizenships on five factors, more than any other passport index.
It is designed to show the best citizenships in the world to hold on the basis of visa-free travel, international taxation, perception, dual citizenship, and personal freedom.

It also paints a different picture of the best passports in the World to hold, and neither Japan, USA, or UAE can be seen among top countries.




Sources and Additional Information:


Wednesday, August 1, 2018

What to do if you got threatened by Sextortion?


Today, I have learnt a new English Word – Sextortion. Not that the issue was not seem before in the Internet Universe (the term has been introduced about 70 years ago), but just today coincidentally, several of my real and virtual friends reported their exposure to the new kind of scam.



What is Sextortion?

Based on Wikipedia, Sextortion is a form of sexual exploitation that employs non-physical forms of coercion to extort sexual favors from the victim. Sextortion refers to the broad category of sexual exploitation in which abuse of power is the means of coercion, as well as to the category of sexual exploitation in which threatened release of sexual images or information is the means of coercion.

Sextortion also refers to a form of blackmail in which sexual information or images are used to extort sexual favors from the victim. Social media and text messages are often the source of the sexual material and the threatened means of sharing it with others. An example of this type of sextortion is where people are extorted with a nude image of themselves they shared on the Internet through sexting. They are later coerced into performing sexual acts with the person doing the extorting or are coerced into posing or performing sexually on camera, thus producing hardcore pornography.

Difference…

… yes, there is a difference between the classical scheme, and the one used to all as a scam. The scammers do not need any sexual favors. They need money, plain and simple.

And online scammers have been even more innovating of late. In the last month, one group of ne’er-do-wells has sent out spam emails telling recipients they’ve been caught watching porn through their webcam, and if they don’t pay, all their dirty laundry will be aired in public. That’s not new. But putting a novel twist on that scam, the crooks are sending through passwords they claim to have stolen as proof they have been spying on the victim. So far, more than 150 people have coughed up $250,000 in Bitcoin for fear of their private Web browsing habits being exposed.



Examples

Example 1

I am aware one of your passphrase: password. Lets get directly to point. Not a single person has compensated me to investigate about you. You do not know me and you are probably wondering why you're getting this e mail?actually, I actually installed a software on the adult vids (sex sites) site and you know what, you visited this web site to have fun (you know what I mean). When you were viewing videos, your internet browser initiated working as a Remote control Desktop that has a key logger which provided me access to your display screen and also web cam. Right after that, my software program collected your complete contacts from your Messenger, FB, and email . After that I created a double-screen video. 1st part shows the video you were viewing (you've got a good taste haha . . .), and 2nd part shows the view of your webcam, and its u.
You do have only 2 alternatives. We are going to understand these types of choices in aspects:
1st solution is to disregard this message. In this case, I am going to send your actual video clip to just about all of your contacts and thus you can easily imagine about the disgrace you feel. Not to mention should you be in a relationship, just how it will eventually affect?
Number two choice will be to pay me $3000. We will think of it as a donation. As a consequence, I most certainly will without delay eliminate your videotape. You will keep going on your daily life like this never happened and you will not hear back again from me.
You'll make the payment through Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google).

Example 2

Hi, victim. I write you because I put а malware on the web page with porn which you have visited. My virus grabbed all your personal info and turned on your сamеrа which сaрtured the рroсеss of your onаnism. Just after that the soft saved your соntaсt list. I will delete the compromising video and info if you pay me 999 USD in bitcoin. This is address for рaymеnt: 1K2jNTLdbHEwaALQWKMeGoKLWD67Cb6q8B.

I give you 30 hours after you ореn my message for making the transaction. As soon as you read the mеssаgе, I'll see it right away. It is not necessary to tell me that you have sent money to me. This address is соnneсtеd to you, my system will delete everything automatically after transfer соnfirmаtiоn. If you nееd 48 h just reply on this letter with +. You can visit the police station but nobody can help you. If you try to deceive me, I'll see it right away! I don’t live in your соuntry. So, they саn not track my lосаtiоn even for 9 months. Goodbye. Don’t forget аbоut the shame and to ignore, Your life can be ruined.

Example 3

𝕨hat's up.
If you were more vigilant while playing with yourself, I wouldn't worry you. I don't think that playing with yourself is very bad, but when all colleagues, relatives and friends get video record of it- it is obviously for u.

I adjusted virus on a porn web-site which you have visited. When the victim press on a play button, device begins recording the screen and all cameras on your device starts working.

Moreover, my program makes a dedicated desktop supplied with key logger function from your device , so I could get all contacts from ya e-mail, messengers and other social networks. I've chosen this e-mail cuz It's your working address, so u should read it.

Ì think that 730 usd is pretty enough for this little false. I made a split screen vid (records from screen (u have interesting tastes) and camera ooooooh... it’s awful)

So its your choice, if u want me to erase this compromising evidence use my Bitcoin wallet address-  1JEjgJzaWAYYXsyVvU2kTTgvR9ENCAGJ35

You have one day after opening my message, I put the special tracking pixel in it, so when you will open it I will know. If ya want me to share proofs with ya, reply on this message and I will send my creation to five contacts that I've got from ur contacts.
P.S... You can try to complain to cops, but I don't think that they can solve ur problem, the investigation will last for several months- I'm from Estonia - so I dgf LOL

Example 4

I know, password, is your pass word. You may not know me and you're most likely wondering why you are getting this e mail, correct?

In fact, I placed a malware on the adult vids (porn material) web-site and you know what, you visited this website to have fun (you know what I mean). While you were watching video clips, your internet browser initiated operating as a RDP (Remote Desktop) that has a keylogger which provided me access to your screen and also webcam. Immediately after that, my software program gathered your entire contacts from your Messenger, social networks, as well as email.

What did I do?

I made a double-screen video. 1st part shows the video you were watching (you have a good taste lmao), and 2nd part shows the recording of your webcam.
exactly what should you do?

Well, I believe, $2900 is a fair price for our little secret. You'll make the payment by Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).
BTC Address: 1MQNUSnquwPM9eQgs7KtjDcQZBfaW7iVge
(It is cAsE sensitive, so copy and paste it)

Note:
You have one day in order to make the payment. (I have a specific pixel in this email message, and at this moment I know that you have read through this email message). If I do not get the BitCoins, I will definitely send out your video recording to all of your contacts including family members, coworkers, etc. However, if I do get paid, I'll destroy the video immediately. If you want to have evidence, reply with "Yes!" and I will certainly send out your video to your 14 contacts. This is the non-negotiable offer, so please don't waste my personal time and yours by responding to this email message.



You got one? What to do?

For most people, who got such letter, it is not fun. At least one my virtual friend got into serious medical condition due to the stressful situation, even thou he does not masturbate in front of his computer, and does not even have camera on his desktop. The mere idea of somebody getting your password and violating your virtual privacy might be painful to unbearable.

The first rule – do not panic. Most likely, they only have your old password, that’s it. They use the fear of the recipients to extort money, and if even one out of 10 victims will pay they already justify their time and efforts.

The second rule - do not pay the ransom. As said, this email still doesn't mean you've been hacked. The scammers in this case likely matched up a database of emails and stolen passwords and sent this scam out to potentially millions of people, hoping that enough of them would be worried enough and pay out that the scam would become profitable.

The third rule – do not respond to the email. With this type of scam, the perpetrator relies on the likelihood that a small number of people will respond out of a batch of potentially millions. Fundamentally this isn't that much different from the old Nigerian prince scam, just with a different hook. By default, they expect most people will not even open the email, let alone read it. But once they get a response—and a conversation is initiated—they will likely move into a more advanced stage of the scam. It’s better to not respond at all.

Prevention, prevention, prevention!

According to the FBI, here are some things you can do to avoid becoming a victim:

* Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
* Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
* Turn off [and/or cover] any web cameras when you are not using them.
* Make sure to enable two-factor authentication whenever that is an option on your online accounts.
* If get affected, stop using the password, that the scammer used in the phishing email, immediately, and consider employing a password manager to keep your passwords strong and unique.

Sources and Additional Information: