“Accepting & Apprehensive”, “Trust but Verify”, “Accept but Authenticate”, “Provide but Protect”. All give the same sentiment we should have as it pertains to Personally Identifiable Information (PII) and any person asking us to provide it (ours or others we are trusted with).
Identity theft is real and expensive, both for the PII leaking source (if it was hacked or phished from a company) and the victims. You may be asking “Why is he “preaching to the choir” on this, it is drilled into us regularly?”. Good question! I know, you know, this is a very real threat, and you are taking it seriously. I also trust you are doing everything you can to protect your identity: monitoring your credit, using chip enabled cards, enabling multi-factor authentication (MFA), strong passwords and all the other things I’ve written about.
You may recall, I speak about “attack vectors” regularly when talking cyber security, today all I’m doing today is re-iterating the need for diligence around PII and account security because of the shift in “attack vectors”. This brings us back to the this month’s topic, with the use of chip enabled cards (making it difficult to skim and use them) and people using MFA and their mobile devices (receiving text messages {not the preferred method by the way, this is –> } or token generators {like Google Authenticator, or MS Authenticator}) to validate it is you accessing an account on your device) it is harder for criminals to steal your money or get a toe hold on your identity.
However {here’s the shifting attack vector}, that is changing with the increase in “Mobile Number Hijacking”. Criminals realize if they can gain access to your phone, they begin to have the ability to start operating as you! They can make changes on any account where you have used that number as the phone of record and also purchase things on your account and receive any text messages you may get to validate account access or warnings on spending. It is not as hard as you would think to do so, and the story here recants how easy it is.
As I often try to do, I want to help protect you and your family’s “cyber hygiene” as well. So, I include here for your reference, (included in the linked article as well), key signs your device has been hijacked and some hints to be less of a target:
- If your phone receives “no signal” or says, “Emergency calls only,” even after restarting the phone, then use another phone to call your provider and have them check the status immediately, your number may have been hijacked.
- Phone hijacking can also happen via phishing attacks. Do not click on suspicious links. Malware embedded in links can secretly download on your device. When in doubt, open a browser and type in the address you wish to visit.
- Do not publish your phone number on your public profiles on social media.
Again, protecting who sees your number helps prevent it from being a target and the bigger the target you are {and ease of attack makes you a bigger target, or “low hanging fruit” for an attacker as much as job title or social status} the more likely you could be a target. Now, of the steps you should have already taken to help prevent a mobile phone hijacking, the biggest is making sure you have set up the appropriate PIN / account access controls with your carrier to ensure that some malicious actor cannot easily take your number (and a huge step in stealing your identity and more). This added security is not a 100% solution for the issue, but it does make it more challenging. Remember to stay vigilant in monitoring your accounts and protecting PII data, as we (the good guys) adjust, they (the bad guys) also work to adjust.
Newsletter By: Rob Collings, ISHPI’s VP of Cybersecurity | CISO
November 1, 2023
