Sim Card Hi-jacking

What is it?

With the extra method of securit of enabling a second factor for authentication other than a password, attackers are looking at seeing how easy it is to social engineer this. Sometimes the factor is recieving a text message or call to a mobile phone. If the attacker can call up your cell provider and pretend to be you , they can move your number to their simcard and get your password reset!

Look at the video below to show you how easy this is when the attacker has no or the incorrect imformation!

How can I protect from it?

1) If  you can try and use an App insteaf of a text message for your second factor. As long as your phone is properly secured and encrypted and also the backup is , it will be near impossible for an attacker to exploit this.

2) If you have to enable a txt message or a phonecall as your second factor , make sure your provider has undergone strict processes nessesary before moving the number to a new sim card.

How to prevent your business from getting hacked ..

1) Use two-factor Authentication for Authentication to all your web and application services

Your password now is a single point of failure for your email or service getting hacked by unauthorized users. The chances are the account would be exploited in the first day against some social engineering trying to get money from your finance department. Your bank and financial institutions have been using 2fa for years now and it's the recommended solution now to add to the rest of your cloud and local services. 

2) Use SSL Certificates whether possible

This is usually added to company's Web Application such as a Document Management Solution or Content Management Solution which use certificates to encrypt traffic between your web browser and the app to make sure no prying eyes will see any confidential data.

SMTP emails should be set to use TLS for mail flow by default over normal port 25.

3) Have a fully up-to-date antivirus program that also Alerts

Windows 7 and Windows 10 now-a-days come with Free Antivirus checkers ( Windows Defencer and Security Essentials)  however these are only licensed for Home use. It's best to get a fully managed AV like Webroot where Virus detections are alerted on straight away.

4) Use a third party for Spam Filtering

Even with cloud providers such as Google's Google Apps for Email or Microsoft's Email Hosting 365 , they need that added layer of protection against Spoofing, Phishing and Virus.

Services such as Mimecast and Postini can help protect all the above and provide real time protection to new threats

5) Regularly change your password

Per Bullet point 1) the first form of defense if your password! Make sure this is changed once a month and sign up to https://haveibeenpwned.com/ to make sure this hasn't been compromised elsewhere

6) Keep your Equipment Up-To-Date

Make sure all the firmware on your Wireless Devices , Servers and Routers are kept up-to-date to make sure you install security updates as well as feature updates

7 ) User training

Make sure users are told regularly about current well-known attacks such as phishing , Spear Phishing or Cryptolocker so they can understand what to look out for and ask before clicking!