Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: The bad guys are after your money and your phone is their way in (parts 1 and 2). And in future, you can’t trust the sound of someone’s voice or their image on a screen.
This week’s action: SMS-based MFA is better than Sweet-FA. But Authenticator apps are better than SMS.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: The bad guys are after your money. And your phone is their way in. [Part 1]
What? The Journal reports on how an RTE researcher was fooled by a scam which resulted in €15,000 being stolen from his AIB bank account. “The scam began on Monday this week, when he got a call from someone claiming to be from AIB who said there was unusual activity on his account. The call came from a phone number with a Dublin area code and when he searched the number online the result indicated that it was an AIB helpline. The caller had all of his details and listed several transactions that [he] had legitimately made, along with others that he had not. The caller said they would block the fraudulent transactions and cancel [his] cards and online account; they just needed him to approve the process with his AIB card reader.” He received a phone call the following day from someone who really was from AIB, informing him that the bad guys had drained his bank account.
So what? As Ronan Murphy of Smarttech is quoted in the article as saying, this type of scam – “which is known as smishing – is becoming increasingly common and generating hundreds of millions of euros for fraudsters. [..] The fraudsters use SMS spoofing, which makes it appear that their phone call or text message is coming from a legitimate organisation, such as AIB. [..] The messages usually look for information or claim that urgent action is needed, such as clicking on a link”. If you receive a message or call which is pushing you to take urgent action, this should ring alarm bells. Do not click links in these messages. Hang up on the caller. Call the company back on a number that you already have on file for them – e.g. the banks usually have their number printed on your bank card.
One other thought: How did the bad guys know about the legitimate transactions on the victim’s account? And also, in this particular scam, they weren’t looking for his MFA security code required to log in to his account. They were looking for the code from his AIB card reader, which is usually only required to set up a new payee on an AIB account, so they had clearly already got through the online login process. How had they done this? Had the victim been fooled into revealing his AIB 8-digit online ID, 3 of the 6 digits of his online PIN, and his MFA security code, or is there something bigger going on here?
2: The bad guys are after your money. And your phone is their way in. [Part 2]
What? In another scam affecting AIB customers, The Independent reports on a recent conviction of a man involved in the theft of €205,000 from AIB customers. The man worked in a phone shop and enabled the money to be stolen by issuing duplicate SIM cards that cloned phone numbers of AIB customers, so the bad guys could receive security codes sent by AIB as SMS messages.
So what? I know I never stop talking about multi-factor authentication (MFA), and the significant security benefits that it provides. With MFA enabled, the bad guys need more than just your password to gain access to your account. But if MFA involves you receiving a security code via an SMS text message, then there is a risk that the bad guys could take control of your mobile phone number so they receive these security codes rather than you. They can do this if they have an insider within the mobile phone company (as seems to have been the case here) or if they can fool someone working in the phone company that they are you (as happened recently to a friend of mine). I talk about strategies to avoid this problem in this week’s action.
A final thought: Similar to the first article, the scammers couldn’t have stolen this money by just getting these duplicate SIM cards. They also needed the customers’ online login details. In AIB’s case, this is an 8-digit online ID and a 6-digit online PIN. Did they fool the victims into revealing this information, or did they have another source of the information?
3: Confirming someone’s identity isn’t getting any easier
What? The Chief Communications Officer (CCO) of Binance, a major cryptocurrency exchange, has reported that criminals used a deepfake hologram impersonating him to try to fool “several highly intelligent crypto community members”. The objective of the criminals is unclear and it is unknown if anyone lost money as a result of the scam.
So what? While this is far from an accurate definition, I would describe “deepfakes” as fake images, audio or videos, either showing events that did not happen and/or individuals saying things that they never said. This scam is an example of a deepfake being used to fool victims into thinking that they are on a video call with a well-known and trusted individual. If the victims trust the individual, they are more likely to be fooled into doing something that later turns out to be problematic. So, in future, not only will you no longer trust messages or phone calls, you won’t be able to trust video calls either! By the way, if you want to prove that you are talking to a real human being and not a hologram, apparently you just need to ask them to turn their heads to the side, as the tech isn’t yet smart enough to impersonate the side of someone’s head. Yet.
1: 50%
What? RTE recently reported that Bank of Ireland has seen a 50% increase in smishing scams involving fake text messages “which appear to come from a delivery company, An Post or Government agencies such as the HSE and Revenue.” Victims are fooled into revealing their online banking details to the scammers, which enables the bad guys to gain access to the victims’ bank accounts.
So what? As the article states, “Text messages appearing to be from third parties like delivery companies or Government agencies should be treated with caution”. Assume they are a scam. If you think they may be genuine, call the third party using contact details that you already have on file for them – e.g. the number printed on your bank card or, at worst, listed on their genuine website.
2: GBP £200,000
What? According to the Wall Street Journal, this is the amount of money lost when “Criminals used artificial intelligence-based software to impersonate a chief executive’s voice”, fooling one of the CEO’s employees into making the payment.
So what? We are being told that we can’t trust messages or phone calls anymore. It appears that this remains the case, even if the caller sounds like your boss. Keep that in mind the next time you don’t want to answer that call from your boss – your explanation that “I didn’t trust the call” may give you just enough plausible deniability!
1: SMS-based MFA is better than Sweet-FA. But Authenticator apps are better than SMS.
What? One of this week’s stories demonstrates the risks of receiving your MFA security codes via an SMS text message. If the bad guys can clone your number, they receive the code. Cloning your SIM card involves a bit of effort and most scammers won’t bother, especially given the number of accounts that are not protected with MFA and can be breached with a single password. But as this story shows, some scammers will exert the effort.
So what? To avoid this problem, you should use a free authenticator app wherever possible – e.g. Google Authenticator, Microsoft Authenticator, or Authy – at least for your most important accounts (e.g. your email account). By using these apps, the security code is generated within the app – it is not sent via SMS. If the bad guys want the security code, they need to gain access to your physical phone. That’s not impossible, but it requires far more effort than the majority of criminals will bother exerting. And it would appear to require more effort than finding an insider in a mobile phone company who will clone the SIM cards of dozens of customers for a fee.