Your Ongoing pwnage, your phone #, and why SMS is a bad idea

Another day, another breach. ~550M Facebook users have their, well, everything, including their colonoscopy results, released online for cheap. And this includes (for many) their phone number. Should you care?

Yes. In a word. Facebook bought WhatsApp, and is trying to force users to accept a weakened privacy policy. And WhatsApp has your phone number as the key. You know, the same phone number you used with your bank to call you in case you forget your password? The one you used for 2-factor authentication because you thought SS7 was secure?

Fortunately it's the work of minutes for someone to steal your phone number by walking into a phone shop in a mall and knowing one or two facts that are *in the same breach*. “I lost my SIM”. OK, we just need to verify your account: first name, last name, date of birth, phone number. Here you go. Boom, now they go to your bank, click the “I forgot my password”, and, well, the bank texts them a link to reset it.

So, head on over to https://haveibeenpwned.com/ and enter your phone number (in E.164 format I think, side note: all phone numbers start with a + sign and then a country code or you are doing it wrong… go fix your address book now). The good folks there will tell you if you’ve been breached. Welcome to the public domain.
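An added example, not from the original post: a Python check that normalises address-book entries to E.164 and lists the ones that need fixing by hand. The `country_code` and `trunk_prefix` parameters, the treatment of a leading `00` as the international dialling prefix, and the sample numbers (from ranges reserved for fiction) are assumptions of this example.

```python
import re

# E.164: "+", then country code plus subscriber number, 15 digits at most,
# and the first digit is never 0.
E164_RE = re.compile(r"^\+[1-9][0-9]{1,14}$")


def to_e164(raw, country_code=None, trunk_prefix="0"):
    """Return raw in E.164 form, or None when it cannot be fixed safely.

    country_code / trunk_prefix are caller-supplied assumptions (e.g. "44"
    and "0" for a UK address book), used only for national-format numbers.
    """
    s = raw.strip()
    has_plus = s.startswith("+")
    if has_plus:
        # "+44 (0)20 ..." carries the national trunk digit in brackets; drop it.
        s = s[1:].replace("(0)", "")
    digits = re.sub(r"[\s().\-]", "", s)
    if not (digits.isascii() and digits.isdigit()):
        return None  # letters, extensions, empty strings: needs a human
    if has_plus:
        candidate = "+" + digits
    elif digits.startswith("00"):
        # Assumption: "00" is the international dialling prefix.
        candidate = "+" + digits[2:]
    elif country_code:
        if trunk_prefix and digits.startswith(trunk_prefix):
            digits = digits[len(trunk_prefix):]
        candidate = "+" + country_code + digits
    else:
        return None  # national format and no country to assume
    return candidate if E164_RE.match(candidate) else None


def audit(contacts, country_code=None, trunk_prefix="0"):
    """Split {name: number} into (normalised dict, names needing review)."""
    fixed, review = {}, []
    for name, raw in contacts.items():
        e164 = to_e164(raw, country_code, trunk_prefix)
        if e164 is None:
            review.append(name)
        else:
            fixed[name] = e164
    return fixed, review


# Constructed sample entries, using number ranges reserved for fiction.
SAMPLE = {"alice": "+44 (0)20 7946 0958", "bob": "020 7946 0958",
          "carol": "0044 20 7946 0958", "dave": "+1 202 555 0123 x9"}
```

Numbers written in national format are only converted when you tell it which country to assume; everything else lands in the review list rather than being guessed.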

While you’re at it, open up your WhatsApp, and add me on Signal. Same phone number. After May, WhatsApp will die for me.


Comments

2 Responses to “Your Ongoing pwnage, your phone #, and why SMS is a bad idea”

  1. Regis Martins

    Oh no — pwned!
    Pwned in 9 data breaches and found no pastes (subscribe to search sensitive breaches)

  2. Yuval

    And I deleted my non-active FB account about a year ago… that didn’t seem to help 🙁
