SN 834: Life: Hanging by a PIN

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

You finally motivated me to freeze my credit, but TransUnion said their credit freeze tool was not currently available, so I have to try again later.

Doing this was very easy, and I saved the info in Bitwarden so I can unfreeze it later. Doing all 4 only took 10 minutes.

When Steve was talking about how the T-Mobile hack can be used to leverage the takeover of other accounts, it made me realize that one way to prevent that is the use of virtual phone numbers, like Google Voice.
I use the GV number only and never give out the real number of the phone, so any phone hack would not be able to get any SMS messages sent to the number listed on my account on other services. Although I did have to use the real phone number for Google since if I got locked out of it, then I would be locked out of GV. But I do have 2-factor enabled for Google, so that should help.

Here, in Germany, the providers can only send a new SIM to the registered address on the account. That means that it is hard for someone to SIM jack.

You also have to enter a * code to activate SMS on the new SIM, if it is a second SIM. I believe that also activates a message on the other device to tell it that it will no longer receive SMS. You also have to pay extra for a second SMS, which also causes an SMS to the original SIM, that a second card has been added to the account, as well as a separate letter to the registered address.

Or they have to register the original SIM declared lost or stolen, which means the original SIM will be locked, before the new one is sent out.

So a determined attacker would simply say that you moved and first go through the change of address process. Then they would say I need a new SIM at this new address, disconnecting and calling back as many times as necessary. Since the agents want to provide customer service, they would be only too happy to be social engineered this way if the attacker is skilled enough… ?

Getting the customer’s NFC ID card would be difficult, along with its PIN. Plus the proof of address change from the new local council. You need to post or email the proof of identity and the change of address, I believe.

Certainly, when I needed a new SIM card for one of our employees, they would only deliver the card to our registered address. I had to arrange to send it on to the employee, who was working in Austria and had had his phone stolen.

There’s another one that is often recommended to freeze too. Chex Systems.

Place a Freeze (chexsystems.com)

There’s something wrong with a system where the end user is expected to know all possible suppliers and manage their data with each one separately. It should be possible to do like the “do not call registry” and have a “do not issue credit without my permission” list.