52 Comments

JG
JG (@guest_560558)
February 14, 2018 15:13

I just set up my T-Mobile line with PIN port authentication. The representative had me change my existing password on my account and then said that if a port is ever initiated for a voice line, I will be sent a one-time PIN code to authorize that port. This effectively gives two-factor authentication for a port to proceed.

Jeffrey
Jeffrey (@guest_560490)
February 14, 2018 05:26

Microsoft also offers an Authenticator app. As Google isn’t a company exactly focused on customer privacy and tries to turn customer data into profitable information, I try to stay away from their products whenever I can.

Daniel
Daniel (@guest_560466)
February 14, 2018 00:30

Just an FYI from experience with 3 T-Mobile prepaid numbers that I ported throughout the past year: the PIN is automatically set to the last 4 digits of the phone number you are assigned when you sign up. You can call and get this changed, or I also believe there is an automated way?

lilurbanachiever
lilurbanachiever (@guest_560474)
February 14, 2018 01:17

There is no automated way, but the reps would change the PIN at your request in one minute. The problem is that T-Mobile is notorious for being stupid: the reps would port phone numbers even when hackers did not have the right PINs.

reader
reader (@guest_560440)
February 13, 2018 21:27

Security, Touch ID and mobile phones can be considered an oxymoron.

One of the fundamental features of using a password is the ability to change it when compromised. Using Touch ID (or any other biometrics) as a security measure is unwise (if not plain stupid) because they are irrevocable. In the case of Touch ID, it’s doubly “unwise” because your password is stamped all over your phone. [It should be regarded SOLELY as a convenience tool, not security.]

Mobile phones (or anything mobile, for that matter) are inherently insecure by definition. Using them as a way to enhance anything’s security by 2- or 3-level authentication almost always will result in the opposite effect, creating more vulnerability. In other words, any account protected by a mobile phone is insecure. PERIOD.

dmoney
dmoney (@guest_560428)
February 13, 2018 20:25

Social engineering can often be easily used to access your info and/or change your security measures, just by a simple phone call to your ISP or cellular provider. 2FA is a must, but we still definitely need to be vigilant, keeping an eye out for unauthorized activity. Check out this short video on just how easy it can be to change that PIN or add a user via a sympathetic phone rep, even if you have that PIN set up. https://www.youtube.com/watch?v=lc7scxvKQOo

NinjaX
NinjaX (@guest_560410)
February 13, 2018 19:18

good to see a “krebs on security” post here. definitely relevant.

however, anyone who cares about this post is probably already into cyber security anyway. you’re not gonna get any conversions here, but it’s always good to try and inform the ignorant public. it’s a simple “don’t care will always don’t care, and those who do will care even more” scenario.

cyber security is a systematic change in someone’s lifestyle and online behavior which 99% will ignore and find too troublesome. everyone LOVES to login with their instagram, snap, and facebook accounts for everything and never log out. “SAVE MY PASSWORD” and “REMEMBER ME”. SMH. people are hilarious.

anyway, good FYI post tho. but i would say this is hardly a comprehensive guide. it’s not just about hardening your Mobile Phone and Email. it’s much more than that.

NoonRadar
NoonRadar (@guest_560425)
February 13, 2018 20:11

This isn’t the type of page that anyone would claim an all-tech comprehensive guide, but contributions are welcome, so how about you also share some tips mr ninja dudeman? 🙂

I don’t think it’s such a drastic lifestyle change for people to implement reasonable measures and I’m aware ‘reasonable’ is a subjective term for each person, but the threats that most people face are less varied.

There’s a different hacking risk for the vast majority of us vs someone who e.g. has a high gov job or another job that entails being a target of gov intel (like journalists who cover national security) or non-gov sophisticated hacking attempts, like industrial espionage. They will necessarily implement more rigid measures, like physical keys, always end-to-end encryption etc. Can we all benefit from such measures? Sure. We can also all benefit from wearing a helmet while driving cars, but not nearly as much as people who ride bikes.

I’m not advising less secure practices, but especially in the context of people thinking ‘this is too much, I’ll just let my browser save my passwords’ and things like that, they don’t have to drastically change their digital lives to significantly improve the security of their digital lives.

And even with drastic security measures, if, say, the US gov or other similarly well-funded and sophisticated entities really wanted to get to a specific person, short of being offline there’s probably no way for them to hack-proof themselves.

NinjaX
NinjaX (@guest_560453)
February 13, 2018 23:32

well, for those who care about cyber security, they can gauge their own threat level fairly easily based on their daily behaviors and activities in life. it’s up to you to decide what is “reasonable”.

If you have significant investments tied to online banking or overseas institutions and use robo advisors, then it’s critical you are protected. the number of n00bs in cryptocurrencies now is very shocking, and it’s even worse that they don’t have the technical knowledge to back up their investment choices nor effectively protect themselves against a cyber threat. this is why i said the stupid will always be stupid and the smart will just get smarter. it’s very cliche.

i agree that it’s almost impossible to guarantee cyber protection from nation state attacks. fortunately, most of us are not national dignitaries with classified information.

even still, low level peons like us need to protect ourselves from “mass market” attacks where hackers scan various IP ranges and attack vulnerable routers to log into your PC at home. or shady email attachments.

your earlier post on Vice/Motherboard is good enough. you can use that as a launchpad for your intellectual curiosity and discovery of hardening your cyber life. not talking about pornhub btw. altho u can include that too. haha. anyway, i suggest you become a follower of “Krebs on Security”, which is a premier resource on the shit happening in the infosec world. then develop strategies to close off attack vectors.

here’s another suggestion. everything noted on Vice/Motherboard is really one sided on software. not enough on “hardware” and social engineering attacks like protecting your identity (i.e. different laptops, phones, phone numbers, legal entities, different emails for banks vs utilities, etc), even credit reports, SSN lock, LexisNexis. up to you on how far u wanna go.

Abey
Abey (@guest_560344)
February 13, 2018 16:06

Data point.
Got scared, called T-Mobile.
They said everyone gets a default 4-digit PIN which is the last 4 of their social. And they advised me that for added security I could reset mine to a 6-digit PIN. I did that, and they sent me a text with a code to read back to them to verify ownership, and then they asked me to select a 6-digit PIN.
Yay. Thanks Chuck.

Travis
Travis (@guest_560318)
February 13, 2018 14:55

This is awesome. Thank you!!

Phil
Phil (@guest_560303)
February 13, 2018 13:23

It might be worth mentioning U2F as another method of 2FA. It uses hardware as the 2nd factor (USB stick). The one I use is called a Yubikey (https://www.yubico.com/) and I use it to secure my LastPass and gmail.

NoonRadar
NoonRadar (@guest_560306)
February 13, 2018 14:03

Can you elaborate a bit on your experience using a physical 2FA? Did you use a digital 2FA (app) before? Do you find it inconvenient at all to carry around and use the USB key?

FYI for those looking to get Yubico, Wired magazine is offering one for free with their subscription, which I think costs $20/year plus tax after 3 months free trial: https://subscribe.wired.com/subscribe/wired/114200#/

I don’t know how/if this differs from the ones Yubico sells directly, but saw some people recommending this online as a 2 for 1 type of deal.

NinjaX
NinjaX (@guest_560416)
February 13, 2018 19:32

the best is to just do your own research. there’s way too much info to share on U2F. many websites don’t support U2F. it’s all about how balls deep u wanna get. hardware tokens almost make crap impossible to hack because you need physical access, and if u combine that with software and solid state HD encryption, nobody is touching your shit even with porting.

Scodoc
Scodoc (@guest_560517)
February 14, 2018 11:23

Except when you have it with you and it is taken from you along with your devices.
