Data breaches: it's the risk you don't expect that gets you
Another day another data breach. (Have you checked yourself on https://haveibeenpwned.com/? I’m thinking of making “have i not been pwned” and the answer is NO). OK, we are getting inured to this by now. Yawn, change the password on that site, we are good right?
Well, no. The media reporting always has the same things in it: "they didn't get financial information", so we don't worry. After all, with today's Bell Canada breach, what could anyone use my ExpressVu info for? So we go down this logical fallacy path of "did I share that password with other sites?" etc. And the advice we are always given causes us to keep going the wrong way: "no financial info", "only email + name + phone number + address + account number". Who cares what my ExpressVu account number is? I make my phone number available to people, so...
OK, here's where they get you. Ever switched carriers? You go to carrier B, buy a SIM, and the number is ported over. Or maybe you've lost a phone/SIM, get a new one, and they move it. What info did you provide to make that happen? What? The same info as in the breach? Oh, this means someone could 'take over' my SIM (maybe with a little social engineering). Hmm. OK, that would be an irritant but... Wait, I use that phone number for two-factor authentication with SMS on another site. And the phone number is the 'backup' for 'I forgot my password' at my bank.
And then the penny drops. You see, the mundane info of your phone company relationship is not interesting in itself. But it can be used to take over something that is interesting, like your banking. It likely needs very little info to have a bank rep call you on the number on file, or SMS you, with a new password. So if I can get your SIM, I can get your life. Phone company info is prime for that, but lots of other sites hold those same 'mundane' details.
One defence you would think would work is to call the mobile company and have them put a note on your file: "do not port out this SIM". Well, it turns out that doesn't always work. The scammer will keep calling the call centre until someone is busy, or doesn't notice. Check this thread for this happening with T-Mobile (T-Mobile has this page about how to protect yourself, and tons of threads of angry people who didn't read it). Want to know more? Click here. This is an excellent blog post on the subject and motivations, and the blogger actually tests the UK carriers (hint: they fail).
So, next time you see a data breach, and a bunch of text about how some low-level risk can be mitigated, ask yourself: what about the risks they are not mentioning? Social engineering is powerful, and having that account info makes it not too hard.
And maybe look into, with your carrier, how to put a lock on porting your SIM out (or adding a second line).