SoylentNews is people

posted by on Friday January 20 2017, @07:14PM
from the never-tell-anyone-anything dept.

ABC reports about a worrying scam involving phone number porting. The attacker finds the phone number, name, date of birth, and other easy-to-find information about a first victim and uses that information to port their number to a new service under the control of the attacker. This enables them to access the victim's Facebook account, which is used in a social engineering attack against the victim's friends, who become new victims when they hand over their banking details, which are then used to transfer money and make purchases.

This attack obviously works better with the large amount of personal information people are putting on social networks. But how well would this kind of thing work against the average Soylentil?


  • (Score: 2) by Kymation on Friday January 20 2017, @07:27PM

    by Kymation (1047) Subscriber Badge on Friday January 20 2017, @07:27PM (#456662)

    But this wouldn't get very far. They might get my phone number, which is annoying, but it stops there: I have no Facebook account. No social media = small attack surface.

    • (Score: 3, Touché) by Anonymous Coward on Friday January 20 2017, @07:57PM

      by Anonymous Coward on Friday January 20 2017, @07:57PM (#456670)

      "I have no Facebook account. No social media = small attack surface"
      AHHH even better now they can create whatever they want and not have to bother to break in.

      • (Score: 2) by edIII on Saturday January 21 2017, @12:15AM

        by edIII (791) on Saturday January 21 2017, @12:15AM (#456788)

        An interesting point! Similar to my credit report. Why spend any effort at maintaining credit when it's trivially simple to just use somebody else's and ruin it? Use their dependence on an artificial and contrived cage that is the credit reporting agencies against them.

        I was in my mid 20's when I decided to check just for the hell of it. At least a dozen other people were already using it. Tried to send in some letters, but one of the fucking assholes refused to believe I wasn't 30 years older and didn't live at such and such address. Spent a little time with it and then figured out it was one big game, an artificial market, for cleaning up credit. That and the credit agencies have extremely little to keep them honest and consumer oriented. I remember looking into submitting entries for a business once and I found that adding ONE black mark was easy, but adding a good mark? That had to be batched, at least 1,000 transactions minimum, etc. Adding good marks to credit meets a much higher barrier to entry than adding bad marks. Gee, I wonder why? Credit isn't about representing who is good and who is bad, but to provide real and pragmatic duress upon people outside of due process and the court systems. Unlike the court systems, the credit agencies have a guilty before innocence approach.

        In other words, there is nothing to be gained from social networking or credit reporting agencies and everything to lose.

        All of that information in just a few places so that one can be abused easier and easier. Small attack footprint indeed when you refuse to participate. At least I embraced the corruption of my credit report! All that Bayesian poisoning and I don't even KNOW the people helping me :)

        --
        Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 4, Interesting) by bzipitidoo on Friday January 20 2017, @08:53PM

      by bzipitidoo (4388) on Friday January 20 2017, @08:53PM (#456697) Journal

      My father is not computer savvy and is always asking me for help with trivial stuff like sending an email. He has a shaky grasp of the difference between composing a letter in a web browser that's visiting a web based email site, and composing a letter in a word processor.

      So one of the many times he asked for my help was for Google mail asking him to login again. Complained about Google always logging him out, etc, but more than half the times he logged himself out without realizing it, or thought he was logged out but actually only "lost" the window. I told him to just log in. Should've checked first, because that one time he'd actually been spoofed and of course didn't realize. I would have spotted the phishing attempt before ever opening the email, but I took him at his word about what had happened, and when I got in front of the computer I saw the familiar looking Google login screen. When the login didn't go quite as expected, I saw, too late, that the address in the URL was not Google mail. I hastily logged him in to the real Google mail site and changed his password, in less than 1 minute. But the crooks had already managed to send out some spam from his email account, and harvested his contact list. They didn't for whatever reason lock us out by changing his password too, and I'm not sure why, perhaps Google has some protection in place to prevent password changes from strange locations, or more like they want their victims to continue using their accounts to give them more cover. His simple password change of changing one character at the end wasn't good enough to keep them out for long either, they broke back in in under 10 minutes. I made a real password change to something totally different, then checked for such things as changes to the alternate email address and/or phone numbers for password reset.

    • (Score: 2) by DannyB on Friday January 20 2017, @09:31PM

      by DannyB (5839) Subscriber Badge on Friday January 20 2017, @09:31PM (#456716) Journal

      I also do not have FaceTwit and seem ineligible for this attack.

      --
      The lower I set my standards the more accomplishments I have.
      • (Score: 3, Funny) by deimtee on Saturday January 21 2017, @01:43AM

        by deimtee (3272) on Saturday January 21 2017, @01:43AM (#456808) Journal

        Hah, I can do better. I don't have any of Facebook, Twitter, a credit rating, or friends.

        --
        If you cough while drinking cheap red wine it really cleans out your sinuses.
        • (Score: 1) by baldrick on Saturday January 21 2017, @03:45AM

          by baldrick (352) on Saturday January 21 2017, @03:45AM (#456845)

          I don't even have a basement

          I make do with a damp cave

          --
          ... I obey the Laws of Physics ...
          • (Score: 0) by Anonymous Coward on Saturday January 21 2017, @04:28AM

            by Anonymous Coward on Saturday January 21 2017, @04:28AM (#456853)

            I envy you, with your cave. I don't even have that, just my hoodie and my aviator sunglasses.

            • (Score: 0) by Anonymous Coward on Saturday January 21 2017, @01:13PM

              by Anonymous Coward on Saturday January 21 2017, @01:13PM (#456949)

              none of the above...and also no cell phone.

              • (Score: 2) by art guerrilla on Saturday January 21 2017, @01:59PM

                by art guerrilla (3082) on Saturday January 21 2017, @01:59PM (#456966)

                i can only communicate by letting my tears drip in a pattern of morse code on the bare dirt beneath my gimp box, the pattern being quickly erased by the rats scurrying to catch my feces...
                *sigh*
                it's a hard life being a gimp with no wireless access...

  • (Score: 2) by Snotnose on Friday January 20 2017, @08:09PM

    by Snotnose (1623) on Friday January 20 2017, @08:09PM (#456675)

    First, no FB account. Second, I'm paranoid and don't give out personal info easily. Third, why would I tell a friend any banking information past what bank I use?

    --
    When the dust settled America realized it was saved by a porn star.
    • (Score: 0) by Anonymous Coward on Friday January 20 2017, @09:00PM

      by Anonymous Coward on Friday January 20 2017, @09:00PM (#456702)

      I don't have a bank account to pilfer :)

      Works better if you have a cash based business and few bills requiring mail-in payments rather than once or twice a year in-person payments though!

    • (Score: 2) by Runaway1956 on Saturday January 21 2017, @01:16AM

      by Runaway1956 (2926) Subscriber Badge on Saturday January 21 2017, @01:16AM (#456803) Journal

      ^this

      Seriously, why WOULD you give banking details to your friends or acquaintances? I just can't imagine doing so. If - and I repeat IF - it ever made any sense to tell someone some detail or another, my online response to that request would be, "I'll see you tomorrow, and we can discuss it then." Posting it to Facefook or whatever is beyond stupid.

  • (Score: 3, Informative) by number11 on Friday January 20 2017, @08:15PM

    by number11 (1170) Subscriber Badge on Friday January 20 2017, @08:15PM (#456678)

    The headline and summary fail to mention that this happened in Australia, so may or may not be relevant to your own telco.

    Also, the fact that the victims were union officials was only relevant in that they worked for the telco in question (though not in any capacity that had anything to do with accounts or line porting), it doesn't actually have anything to do with the union.

  • (Score: 2, Insightful) by nitehawk214 on Friday January 20 2017, @08:23PM

    by nitehawk214 (1304) on Friday January 20 2017, @08:23PM (#456684)

    "who become new victims when they hand over their banking details"

    Why, for the sake of anything would you give your banking details to a friend or family in the first place, much less over the internet or phone?

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
  • (Score: 4, Insightful) by JeanCroix on Friday January 20 2017, @08:32PM

    by JeanCroix (573) on Friday January 20 2017, @08:32PM (#456688)
    Maybe it's just me, but if anyone I know starts asking me for my banking or other account info via any online medium, I assume their account or phone number has been compromised by a third party.
  • (Score: 0) by Anonymous Coward on Friday January 20 2017, @08:50PM

    by Anonymous Coward on Friday January 20 2017, @08:50PM (#456692)

    The number can only be ported because of all of the masters of the universe without brains in their heads that will cuss and bitch and yell and cuss and cuss and cuss some more when they can't understand why they need to submit paperwork to port "their" number from their call center.

  • (Score: 3, Funny) by rts008 on Friday January 20 2017, @08:56PM

    by rts008 (3001) on Friday January 20 2017, @08:56PM (#456699)

    Sometimes, having nothing to lose is a form of freedom.

    I don't have a Facebook account, friends, bank account, credit cards, or money...so I have no fears about any of those things being taken away from me.

    Things are looking up! '-)

    • (Score: 2) by Zz9zZ on Friday January 20 2017, @10:37PM

      by Zz9zZ (1348) on Friday January 20 2017, @10:37PM (#456745)

      I am working on eliminating all my debt, and I am incredibly hesitant to try home ownership. The freedom of having fewer attachments is wonderful!

      --
      ~Tilting at windmills~
      • (Score: 1) by nitehawk214 on Friday January 20 2017, @10:42PM

        by nitehawk214 (1304) on Friday January 20 2017, @10:42PM (#456753)

        Owning a house is only debt if you purchase in a bubble and your house is not worth as much as you paid for it.

        --
        "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
        • (Score: 3, Interesting) by Zz9zZ on Friday January 20 2017, @10:52PM

          by Zz9zZ (1348) on Friday January 20 2017, @10:52PM (#456759)

          You owe the bank money, it is debt. Hopefully if the bottom falls out you can then sell it and break even, but if a recession hits or you can't short sell the house in time or for enough money then you owe the bank. It is a gamble with your down payment and a long term debt game where you pay a lot more with interest than the house is worth. It almost feels like there was a deliberate plan in the 70s/80s to get home prices high enough that everyone needed a mortgage. Before then (so I am told) people would just outright buy their houses, or at least with minimal loans instead of the majority of the purchase price.

          --
          ~Tilting at windmills~
          • (Score: 2) by Runaway1956 on Saturday January 21 2017, @01:23AM

            by Runaway1956 (2926) Subscriber Badge on Saturday January 21 2017, @01:23AM (#456806) Journal

            Home ownership is nice - when you don't owe the bank. No rent, no inspections, no claims for damages because the wife insists on keeping a cat that claws the walls, no claims for unruly children running a tricycle into a dryboard wall, no one tells you that you must mow the patch of weeds in front of your door - the list goes on and on. If the plumbing backs up, you deal with it, no need to discuss it with some asshole who first refuses to deal with it, then wants to blame you for destroying eighty year old rotten pipes.

            Taxes, though. The assessor seems to believe that my home and property should be valued at downtown Manhattan rates, despite the fact that I live in Outback, Nowhere. I can make a case that my property is totally worthless - nobody else wants it.

            • (Score: 2) by Zz9zZ on Saturday January 21 2017, @02:04AM

              by Zz9zZ (1348) on Saturday January 21 2017, @02:04AM (#456811)

              Yeah, I know the benefits and would like to have my own home, but until I am more financially secure and able to put a significant down payment I'm not too interested in the gamble. Maybe if the world goes all Kumbaya and the threat of WW3 seems less likely.

              Does the assessor value surrounding homes similarly? I'm sure you can push back by doing market research to show your property isn't as valuable as they'd like.

              --
              ~Tilting at windmills~
              • (Score: 2) by Runaway1956 on Saturday January 21 2017, @02:51AM

                by Runaway1956 (2926) Subscriber Badge on Saturday January 21 2017, @02:51AM (#456828) Journal

                The assessors office has been challenged a few times. Sometimes he wins, sometimes he loses. Partly, I think the laws are stupid. For starters, I pay a timber tax every year. I did the math one time - if I plant fast growing pine on my property, and harvest that pine every 16 to 20 years, the state has already taken about 20% of the value of that timber before I harvest. In actuality, I have some quite old trees, and a lot of scrub on the property. I pay a timber tax on greenery that will never be fit for timber, as well as those few old trees that should be preserved for future generations to admire. No timber here. But, the assessor's office still gets that tax every year.

                Oh well - a bitching taxpayer is a happy taxpayer, right?

                • (Score: 2) by Zz9zZ on Saturday January 21 2017, @06:28PM

                  by Zz9zZ (1348) on Saturday January 21 2017, @06:28PM (#457035)

                  Such stories are when I agree that government can go too far, and it would be great if we had some sort of "common sense" law where you could appeal the application of stupid laws...

                  --
                  ~Tilting at windmills~
                • (Score: 1) by nitehawk214 on Monday January 23 2017, @01:43AM

                  by nitehawk214 (1304) on Monday January 23 2017, @01:43AM (#457510)

                  You pay a timber tax on trees you don't cut down? wtf

                  --
                  "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
                  • (Score: 2) by Runaway1956 on Monday January 23 2017, @04:07AM

                    by Runaway1956 (2926) Subscriber Badge on Monday January 23 2017, @04:07AM (#457535) Journal

                    I went digging just a little bit, to see if I could explain and/or justify a timber tax. What I discovered was, I am actually paying a "land use" tax, under a subcategory, "timber". Apparently, I have to pay for the privilege of using the land I own, and each use that I put that land to comes under a different heading. The assessor's office has online satellite images, with little red blocks, delineating each little parcel of land, and how it is used. It turns out that I am paying less "timber tax" than I thought I was paying - and the balance appears to be for other uses and different taxes lumped under "land use".

                    So, despite the fact that the tax is less than I believed it to be, yes, I do indeed pay a tax on trees standing on my property.

          • (Score: 0) by Anonymous Coward on Saturday January 21 2017, @01:26PM

            by Anonymous Coward on Saturday January 21 2017, @01:26PM (#456951)

            I lived cheaply for years & saved, then was able to buy a house for cash. Paid $200K about 10 years ago for a 3 br. brick ranch in a quiet neighborhood. This area didn't participate in the real estate bubble/crash which were (iirc) mostly near the east and west coasts.

            The actual purchase was simple, I used a lawyer and realtor, but didn't have to appear anywhere except at the realty office for the down payment. Paid the balance in a big bank check, they handled it all and gave me the key. At the same time I called my insurance agent (auto) and bought homeowner's insurance.

            Cash purchases still happen.

  • (Score: 3, Insightful) by edIII on Friday January 20 2017, @09:05PM

    by edIII (791) on Friday January 20 2017, @09:05PM (#456705)

    Phone porting laws in the USA are different. I deal with them on a more or less routine basis.

    In order for me to successfully port any Soylentil's phone number (assuming you are in the USA), I will need:

    1) A fully signed LOA, which is a specific document signed by the customer explicitly stating that the phone number in question (along with local and long distance) will be transferred from the losing carrier to the new carrier. It's a legal document with MY name on it along with the Soylentil's.

    2) The MOST recent phone bill that has all of the information from the phone bill matching the LOA.

    IF somebody did game the system, I would be on the hook for hefty fines for each and every phone number that failed #1 & #2. So the new carrier, and quite possibly the VoIP provider, will be on the hook for damages. I don't know of too many carriers that are also the VoIP provider. They may be white labeling, and the carrier is usually very large and the one to receive the phone number. VoIP providers are often just servicing these numbers, and not actually holding them.

    Which is WHY I've not seen ported phone numbers for just anyone, and not over the Internet either. You need to be a paying customer first, which usually involves a purchase of hardware, and in many cases a site eval when a business is doing the porting. Obviously, it's not too terribly hard to contrive a reason for calling the customer ON THAT PHONE NUMBER and speaking with them about their decision to port their phone number. "Ohh, Mr. Johnson! Glad I caught you. Thanks so much for switching your service and we look forward to serving you sir!". CHECK. Number verified.

    If something like this gains traction in the USA, which is doubtful, it will become slightly harder to port a phone number, but not that much harder. The losing carrier may put an additional check with the consumer beforehand, like some new carriers already do.

    Those porting fines are not fucking around. They want number porting to happen correctly or not at all. So the reality is that there are three victims with these scams, and one of the victims is large enough to fight back.

    Lastly, if you are with AT&T, fear not. The legal limit is 14 days to transfer a land line and 24 hours to transfer a cellular number. AT&T don't give a shit about none of that nonsense, and you're left with praying. The number of AT&T phone ports I've had last over a month are numerous. You're probably safe :)

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 2, Interesting) by nitehawk214 on Friday January 20 2017, @10:49PM

      by nitehawk214 (1304) on Friday January 20 2017, @10:49PM (#456758)

      I have had people complain about how many steps it took to port their phone number.

      "Well would you want it to be so easy that anyone could steal your number?"

      That usually shuts them up.

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh