Part one of Securing Your Mobile looked at updating, your PIN, restricting access to messages, password managers and account breach checking. This week we are going to look at “SIM Jacking”, Authentication Apps and Security Keys.
Once you have been through these 2 articles and changed your phone settings accordingly, you will be A LOT more secure. Note that I’m not talking here about securing your device from attacks and spying on you as a person, but more protection against identity theft, leading to business account compromises.
After this week we will begin to look at devices on your business network.
SIM Jacking
SIM Jacking is similar to hijacking in that the criminal takes something that is yours, in the case your SIM card of your phone, and acquires it for themselves. This allows the criminal to receive all your calls and text messages including password resets sent to your mobile.
In practice SIM jacking has been far more common that the attacks mentioned in the part 1, which relied on your device being stolen, or lost. The advantage that SIM jacking has for criminals is that they can do it perform the attack from their home, or even another country, so there is little risk to themselves.
So how is SIM jacking typically carried out? This tends to be a “social engineering” attack. All that means is essentially that the attacker will do something like phone up your mobile phone provider and try to convince them that they are you, and that you have lost your phone and need a new SIM card. If they are convincing enough, the provider, being eager to help, will send a SIM card out and the attack is complete. There are also ways to bypass even this by using SMS online service providers to link up with your number. Essentially though the attacker wants access to your SMS messages so they can reset accounts and lock you out.
The good news is that many Australian phone companies are now waking up to SIM jacking and have started requiring a PIN number to grant access to your account (Telstra PIN). You have probably received notification about this if you use Telstra. If you have a business, make sure you set this up ASAP. There are instructions for doing this at https://www.telstra.com.au/support/account-payment/what-is-telstra-pin.
Although I’m not a customer, Optus at the moment does not seem to have a similar system to the Telstra PIN. I may be wrong here and please correct me if I am. However, I really hope that if they don’t have this protection, they get are acting quickly to require it, like Telstra.
It’s worth noting here that the same rules for creating a PIN that were mentioned in part 1 apply here too. Whatever you do, don’t pick a PIN from the top 10 list, your birth date etc etc as they are way too easily guessed. The most common PINS, and therefore the ones to avoid are shown again below: –
| PIN | Freq | PIN | Freq | |||
| #1 | 1234 | 10.713% | #11 | 9999 | 0.451% | |
| #2 | 1111 | 6.016% | #12 | 3333 | 0.419% | |
| #3 | 0000 | 1.881% | #13 | 5555 | 0.395% | |
| #4 | 1212 | 1.197% | #14 | 6666 | 0.391% | |
| #5 | 7777 | 0.745% | #15 | 1122 | 0.366% | |
| #6 | 1004 | 0.616% | #16 | 1313 | 0.304% | |
| #7 | 2000 | 0.613% | #17 | 8888 | 0.303% | |
| #8 | 4444 | 0.526% | #18 | 4321 | 0.293% | |
| #9 | 2222 | 0.516% | #19 | 2001 | 0.290% | |
| #10 | 6969 | 0.512% | #20 | 1010 | 0.285% |
Finally, for some interesting reading about just what damage can be done with SIM jacking, with little risk to the attacker, have a read through the below: –
- https://www.news.com.au/finance/money/costs/sydney-couple-lose-37k-after-leaked-class-list-exposes-them-to-scammers/news-story/3082fae1f9087364fdfaaf0b7cbdd8ef
- https://www.simprotect.org.au/
Authentication Apps and Devices
One common way that is often offered to secure your online accounts is 2-factor authentication.
Firstly we need to discuss what 2-factor or even multifactor authentication actually is. Traditionally we have always used a username and password to identify ourselves to websites. This is what is know as a single factor, the factor being your password, or “something you know”.
To verify further you are who you say you are we need other factors. These typically take the forms of: –
- Something you are
- Something you have
There are now other factors starting to be considered like “somewhere you are” and “something you do”, but those are not yet in normal use.
Typically at the moment we use the “something you have” factor and that is typically your mobile phone. You prove that you have your phone often by receiving a text message (less secure) or using an authenticator app.
You might also see some companies using the “somewhere you are” factor too. You have noticed this through services like Google, warn you if someone has logged in from a new location, and Lastpass which will actively prevent you from logging in if they have concerns your location is not somewhere they have seen before.
Authenticator Apps and Usage
There are quite a few different authenticator apps available for both iPhone and Android Phones. Common ones include: –
- Google Authenticator
- Microsoft Authenticator
- Twilio Authy
- Lastpass Authenticator
- Zoho OneAuth
- Duo etc.
The basic functionality is all pretty much do the same thing though. Allow you to scan a QR code (or enter a code manually) to set up the second factor. The authenticator app will then generate a 6 digit code that changes every 30 seconds which you need to enter into the site you are signing into. Because the code changes every 30 seconds, it is not something that you can guess and so it proves that you have the device with you and that you are you.
Once you have your code set up, logging in is as simple as using your normal username and password, then you are asked for the 6 digit PIN generated by your app.
There are a couple of issue with authenticator apps on your phone and they both really relate to the same thing. If you are signing into a service on your phone, there’s a good chance that the something you know and something you have are actually on the same device. For example, if you use Apples keychain to sign into a device, and that requires a 2nd factor, the factor is on the device that is signing you in, so really all you have is a single factor, something you have. For this reason it is very important to use a phone secured with a strong password, and make sure you have FaceID, TouchID or an App specific PIN set up in your authenticator app.
That said, if your phone password is compromised, you would still be in trouble, so my advice would be for important accounts like email, use your authenticator on a second phone or Security Key that you maybe keep in a drawer and is not commonly used.
For larger companies with multiple employees that need access to the second factor, managing this can be a real problem. I know multiple companies that do not tend to set up two factor authentication, despite knowing the risks, just because of those painful calls and messages as you are trying to get the second factor before the login attempt times out. For those applications there is a solution…security keys.
Security Keys
A security key, or multiple security keys are by far the best way of securing your accounts with Multifactor authentication. What is a security key? They often look like USB drives as shown below
These security keys are from Yubico (https://www.yubico.com/), the leader in the field. You can see that hey are available with USB-A, USB-C and Lightning connectors and some are available with NFC wireless connections. There are even some that have fingerprint readers built in to give you yet another factor.
Security keys are used to authenticate against the FIDO2 standard most commonly and dramatically cut down successful attacks on those accounts (Google says to zero). The only problem is, many things you sign into, are not compatible FIDO standards, such as a typical WordPress website.
Yubico’s solution is to build into the key an authenticator system that relies on an outside app (Yubico Authenticator) to generate one time passwords.
Having used a Yubikey for the last 6 months, I am convinced that the Yubico Authenticator offers not only a workaround solution for one time passcodes, but a superior way to manage small business 2nd factor authentication. This is because multiple Yubikeys can be set up with the same authentication codes. So the solution is: –
- Buy at least 2 Yubikeys. One will be for the business owner and the other for “the office”
- Download Yubico Authenticator to all devices
- Add the second factor codes into both Yubikeys for all accounts
- The office Yubikey can be kept in a central location, maybe attached to a tracking device so it can be found if lost.
- If an office worker needs to log into account that requires authentication, they can fire up Yubico Authenticator on their device, plugin in the Yubikey to generate the code to login, then return the key to a central location. No calling round and hoping the person with the phone isn’t busy, just a simple, secure login process.
- Why the second key with the business owner? In case the first key goes missing!
Google also supply their own security key, but the industry standard is the YubiKey (https://www.yubico.com/) as it supports the most devices, the most authentication methods and was the first device of its kind.
If you really want to be sure that your logins are secure or manage your 2nd factors more easily in a small business, get a security key!
Summary
A quick summary of the above: –
- Secure your phone from SIM jacking using an account PIN.
- Use 2 factor authentication wherever possible when signing into an online account (typically you’ll find the option in Settings, Security).
- For easier management in the office and a more secure 2 factor sign in experience, get a couple of security keys such as a Yubikeys (https://www.yubico.com/).
Next week we will start to look at network devices including routers, switches, Network Attached Storage (NAS) and more.
