ReplyAll #130 The Snapchat Thief

Excerpt from this podcast:

ALEX: Yeah. So take everything he says with a grain of salt. But he told me that he and his fellow hackers actually have a pretty reliable method for how they usually get accounts. It’s called SIM Swapping.
PJ: OK.
ALEX: So here’s how SIM Swapping works: You, PJ, have a phone number. I’m not going to say it on the radio even though that would be such a good troll.

ALEX: Um. So, so, what they do is they find out that you have a valuable account and they find out your number. And they call the phone company and pretend to be you and say, “I’ve got a new phone that you need to transfer my phone number to.” So the phone company transfers your phone number to the hacker’s phone.
PJ: And then they have logins on all your apps?
ALEX: They don’t have logins on all your apps. But since everybody uses two-factor authentication on their phones–
PJ: Ahhhh! Then they go to Instagram and they’re like “I forgot my password!”
ALEX: Exactly. And then Instagram sends a password reset text to the phone number, which they’re now in control of, and just like that, they have your account.
WORTHY: You know what OGUsers is, right?
ALEX: Oh, do I ever.
WORTHY: Yeah, so basically, OGs like that–OG handles, those are easy because it’s normal people like me and you. As long as I got the number, done. All I got to do is call T-Mobile, Verizon–any phone companies and you’ll have it for about 24 hours before they notice, you know, it was obviously a fraud. But by the time you know that happens you’ve already swapped that OG handle, you’ve got it. It’s yours. It’s done.
PJ: I mean, I don’t know if this is true, but there’s probably a lot of people at T-Mobile who are trusted to port a number.
ALEX: Yeah like my experience at every phone store I’ve ever been to is that the people there are moving phone numbers from one phone to another all day every day. Like, anytime you buy a new phone, that’s what they’re doing.
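The takeover chain the conversation walks through (carrier rebinds the number, the site texts a reset code to whoever now holds it) is small enough to simulate end to end. The block below is an added example and is not code from the episode or from any carrier or app; the `Carrier`, `AccountService`, the phone numbers and the 72-hour freeze after a SIM change are all assumptions, and the SIM-change recency signal is modelled as a direct read of the carrier's records rather than any real carrier API.

```python
"""SIM-swap against SMS password reset: an in-memory simulation.

Constructed example. The carrier, phones and account service are toy
stand-ins; the 72-hour freeze after a SIM change is an assumed policy
value, not a figure from the episode.
"""
import secrets
from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class Carrier:
    """Binds each number to the SIM that currently receives its SMS and
    remembers when that binding last changed."""
    now: int = 0
    binding: dict = field(default_factory=dict)     # number -> SIM id
    changed_at: dict = field(default_factory=dict)  # number -> timestamp
    inbox: dict = field(default_factory=dict)       # SIM id -> [sms, ...]

    def activate(self, number, sim):
        self.binding[number] = sim
        self.changed_at[number] = self.now

    def port_to_new_sim(self, number, sim):
        # The "I have a new phone, move my number" call from the episode:
        # the rep rebinds the number on the caller's say-so.
        self.activate(number, sim)

    def send_sms(self, number, text):
        self.inbox.setdefault(self.binding[number], []).append(text)

    def seconds_since_sim_change(self, number):
        # Assumed signal: SIM-change recency read straight from the
        # carrier's own records (not a real carrier API).
        return self.now - self.changed_at[number]


class AccountService:
    """A site whose 'forgot password' flow texts a code to the user's number."""

    def __init__(self, carrier, sim_change_freeze=72 * HOUR):
        self.carrier = carrier
        self.freeze = sim_change_freeze
        self.users = {}    # username -> {"phone": ..., "password": ...}
        self.pending = {}  # username -> outstanding reset code

    def register(self, user, phone, password):
        self.users[user] = {"phone": phone, "password": password}

    def request_reset_sms(self, user, enforce_freeze):
        phone = self.users[user]["phone"]
        if enforce_freeze and self.carrier.seconds_since_sim_change(phone) < self.freeze:
            # Hardened path: a number that just moved is not trusted as a
            # recovery factor; the user has to use another method.
            return False
        code = secrets.token_hex(3)
        self.pending[user] = code
        self.carrier.send_sms(phone, f"Your reset code is {code}")
        return True

    def complete_reset(self, user, code, new_password):
        expected = self.pending.get(user)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        del self.pending[user]
        self.users[user]["password"] = new_password
        return True


def run_attack(enforce_freeze):
    """Play the episode's scenario; return True if the attacker takes the account."""
    carrier = Carrier()
    carrier.activate("+15550100", "sim-victim")
    carrier.now += 400 * HOUR          # the victim has held this SIM for weeks
    site = AccountService(carrier)
    site.register("pj", "+15550100", "correct horse battery staple")

    carrier.port_to_new_sim("+15550100", "sim-attacker")   # the phone call
    if not site.request_reset_sms("pj", enforce_freeze):
        return False                   # site refused SMS recovery
    sms = carrier.inbox["sim-attacker"][-1]   # the victim's phone sees nothing
    code = sms.split()[-1]
    return site.complete_reset("pj", code, "attacker-chosen")


if __name__ == "__main__":
    print("unprotected:", run_attack(enforce_freeze=False))  # True
    print("with freeze:", run_attack(enforce_freeze=True))   # False
```

The unprotected run hands the account to whoever answered the carrier's phone; the hardened run refuses SMS recovery while the number is "fresh", which covers the roughly one-day window the guest says a swap goes unnoticed. The freeze only helps if the site also offers a recovery path that is not the phone number (an authenticator app or pre-issued codes), otherwise the legitimate user with a genuinely new phone is locked out too.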

People Are Actually Using a Joke Dating Site That Matches People Based on Their Passwords

Excerpt from this article:

Finding love has never been easier—at least if you judge by the sheer number of dating apps available on the internet today. But it’s just as hard as it’s always been to find your real soulmate, someone who really understands your quirks (and may even share them), someone who shares your passions, and your password.

Wait, what?

Your Mother’s Maiden Name Is Not a Secret

Excerpt from this article:

Security questions are astonishingly insecure: The answers to many of them are easily researched or guessed, yet they can be the sole barrier to someone gaining access to your account. The cryptology and security expert Bruce Schneier once described them as an “easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password.”

There has been no shortage of incidents demonstrating these questions’ vulnerabilities. In 2005, Paris Hilton’s T-Mobile account was hacked by a teenager who, like anyone who searched “Paris Hilton Chihuahua” on the internet, knew the answer to “What’s your favorite pet’s name?” In 2008, Sarah Palin’s Yahoo account was hacked by a college student who reset her password using her birth date, ZIP code and the place where she met her spouse.

How many of us can answer the premillennial “What city were you in to celebrate the year 2000?” or “What year did you take out your first mortgage?” And how many Indian- or Brazilian-born users went to a high school without a mascot, or grew up on a street with no name? How many of our mothers never changed their names?

The other main type of security question asks for a subjective answer. Such questions imagine lives punctuated by distinct firsts and bests and filled with enduring favorites, but favorites and bests and even firsts can change when people maintain accounts for decades. At some point, both factual and subjective security questions become archaeological. “In what month did you meet your significant other?” requires a framing question: Whom were you with when you set up this account?

A 2015 study by Google engineers found that only 47 percent of people could remember what they put down as their favorite food a year earlier — and that hackers were able to guess the food nearly 20 percent of the time, with Americans’ most common answer being pizza.
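The article's point, that a popular answer plus a lenient reset flow is enough for an attacker, can be put in numbers. The block below is an added example, not code or data from the article or from the Google study: the "favorite food" answer shares, the population size, the five-guess lockout and the `QuestionRecovery` and `RecoveryCodes` classes are all constructed, with only the shape of the distribution (one answer, "pizza", holding about a fifth of the mass) echoing the excerpt. It contrasts a guessing attacker against hashed security answers with the same attacker against random one-time recovery codes.

```python
"""Guessable security answers vs. random recovery codes.

Constructed example. The answer distribution, population size and
five-guess lockout are made-up parameters; only the shape (one answer,
"pizza", holding roughly a fifth of the mass) echoes the article.
"""
import hashlib
import random
import secrets

# Constructed share (in percent) of "favorite food" answers. Everything
# not listed is modelled as a long tail of effectively unique answers.
COMMON_ANSWERS = {
    "pizza": 20, "sushi": 6, "tacos": 5, "pasta": 5, "steak": 4,
    "chicken": 3, "burgers": 3, "chocolate": 2, "ice cream": 2,
}
TAIL_SHARE = 100 - sum(COMMON_ANSWERS.values())   # 50


def normalize(answer):
    # Sites case-fold and collapse whitespace so users can still get in;
    # that convenience also shrinks the space an attacker has to guess.
    return " ".join(answer.lower().split())


def _digest(text):
    return hashlib.sha256(normalize(text).encode()).digest()


class QuestionRecovery:
    """Hashed security answer with a per-account attempt lockout."""

    def __init__(self, answer, max_attempts=5):
        self.stored = _digest(answer)
        self.attempts_left = max_attempts

    def try_answer(self, guess):
        if self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        return secrets.compare_digest(_digest(guess), self.stored)


class RecoveryCodes:
    """One-time codes shown to the user at setup; only hashes are kept."""

    def __init__(self, count=8, nbytes=5):
        self.plaintext = [secrets.token_hex(nbytes) for _ in range(count)]  # show once
        self.unused = {hashlib.sha256(c.encode()).digest() for c in self.plaintext}

    def redeem(self, code):
        d = hashlib.sha256(code.strip().lower().encode()).digest()
        if d in self.unused:
            self.unused.remove(d)      # single use
            return True
        return False


def sample_population(n, seed=1):
    """Draw n users' answers from the constructed distribution."""
    rng = random.Random(seed)
    choices = list(COMMON_ANSWERS) + ["<tail>"]
    weights = list(COMMON_ANSWERS.values()) + [TAIL_SHARE]
    users = []
    for i in range(n):
        pick = rng.choices(choices, weights)[0]
        users.append(f"unique-answer-{i}" if pick == "<tail>" else pick)
    return users


def guessing_attack_success(answers, max_attempts=5):
    """Fraction of accounts an attacker recovers by trying the most
    popular answers, in order, until the lockout hits."""
    guesses = sorted(COMMON_ANSWERS, key=COMMON_ANSWERS.get, reverse=True)[:max_attempts]
    won = 0
    for answer in answers:
        acct = QuestionRecovery(answer, max_attempts)
        if any(acct.try_answer(g) for g in guesses):
            won += 1
    return won / len(answers)


def code_guess_success(nbytes=5, max_attempts=5):
    """Same attacker, same lockout, against a random recovery code."""
    return max_attempts / 2 ** (8 * nbytes)
```

With these made-up shares, five guesses of the most popular foods recover about 40 percent of accounts (the top five answers' combined mass), while the same five guesses against a 40-bit random code succeed with probability around 5 in 10^12. Hashing the answer, as the code does, protects it in a database breach but does nothing against guessing, because the weakness is the answer's entropy, not its storage.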

‘I Forgot My PIN’: An Epic Tale of Losing $30,000 in Bitcoin

Excerpt from this article:

The problem was, I was the thief, trying to steal my own bitcoins back from my Trezor. I felt queasy. After my sixth incorrect PIN attempt, creeping dread had escalated to heart-pounding panic—I might have kissed my 7.4 bitcoins goodbye.

I barely slept that night. The little shuteye I managed to get was filled with nightmares involving combinations of the numbers 1, 4, and 5. It wasn’t so much the $8,000 that bothered me—it was the shame I felt for being stupid enough to lose the paper and forget the PIN. I also hated the idea that the bitcoins could increase in value and I wouldn’t have access to them. If I wasn’t able to recall the PIN, the Trezor would taunt me for the rest of my life.

Be ‘very concerned’ about cell phone searches at U.S. border, says privacy czar

Excerpt from this article:

New Democrat MP Nathan Cullen asked if that means no Canadian should cross the border with a phone, laptop or tablet unless they have “great comfort” with a U.S. border official inspecting the contents.

“Yes, as a matter of law,” Therrien said, though he acknowledged officers would not have time to inspect everyone’s devices, given the huge numbers of people that cross the border daily.

Therrien agreed with Cullen’s suggestion that nothing in law could prevent U.S. border officials from peeking at a senior Canadian official’s “playbook” on a trade negotiation.

Cullen said one of his constituents was denied entry to the U.S. on health-related grounds because information on the person’s phone indicated a prescription for heart medication.

As ‘Game of Thrones’ Returns, Is Sharing Your HBO Password O.K.?

Excerpt from this article:

The seventh season of “Game of Thrones” returns on Sunday, and if you’re like a significant chunk of HBO’s viewership, you can watch it thanks to the login credentials tracing back to your friend’s ex-boyfriend’s parents.

But if you listened to the headlines after a court decision last July, you might fear a SWAT team could bust down your door in the middle of your illicit “Veep” episode. Countless news sites reported that sharing your password would be a “federal crime,” while others suggested you might “go to jail” for it.

The less hysteric truth is more complicated but experts largely agree: You are in very little danger of legal trouble by sharing your password or using a shared one. The laws remain murky, but the government is unlikely to prosecute you, and the streaming video services have shown no desire to go after customers.

(We’re not saying you should use someone else’s password. As an ethical issue, it’s probably a good idea to pay for it. The same goes for news.)