Tag Archives: sim-hacking

SIM hacking is a new technique used by hackers to gain sensitive information from people's cellular devices. Every cellular device (phone) has a SIM card that stores all memory and data on the phone: messages, calls, search history, and any other information input onto the phone. Hackers can hack the SIM card and receive all of the SIM card's information onto their private computer. This is especially dangerous when things such as SSNs and credit card information are in play.

Buying Cyber Insurance Does Not Protect Your Organization From Cybercriminals

Buying Cyber Insurance Does Not Protect Your Organization From Hackers

 

Understand that purchasing Cyber Insurance does not protect your organization from hacking. It simply finances pieces of the loss. A recent report by cybersecurity company Barracuda found that Google-branded spear-phishing attacks are up significantly since the start of 2020. These attacks accounted for only 4% of the total cyber attacks in 2020 so far. Barracuda reported over 100,000 form-based attacks since Jan 1, 2020; 65% of them were branded to look like a Google form. These Google-branded attacks are significantly more prevalent than attacks impersonating competing brands. Microsoft was the 2nd most impersonated brand, at 13% of the total spear-phishing attacks (1).

 

With 43% of all cyberattacks targeting small businesses (2), and attacks increasing by 73% since the pandemic, we encourage your company to build out a cybersecurity plan. At Metropolitan Risk we called our initiative “Operation Lockdown” after we read a Wall Street Journal article on how cybercriminals are increasingly attacking small businesses and holding their work files for ransom. Cybercriminals understand that many small and medium-sized businesses lack the focus, the budgets, and the staffing to defend against these cyber attacks. They are in effect low-hanging fruit and easy prey.

How is your Company Vulnerable?

Further, many businesses are now even more vulnerable due to the recent shift of the workforce out of the physical office. Home networks aren't secure, and the data neither sits behind a firewall nor is encrypted the way it is in the office. While newly remote employees were struggling to create routines and employers were focused on this new shift in workflows, cybercriminals knew the back door was unlocked.

 

Here are two really important concepts to understand, assuming we have your rapt attention with respect to the soft underbelly of your org. Understand that locking down your company from a cyberattack doesn't guarantee that you won't be hacked and won't suffer damage. What it does do is significantly lower the probability that such an attack will be successful or cause much damage. A friend of mine, Nick Lagalante from Tenable Cyber Security, explains it this way: “Your goal is not to outrun the bear, your goal should be to outrun the slowest runners.” In essence, by making it more difficult to penetrate your systems and employees, you give cybercriminals a reason to move on quickly.

 

Here’s the second big-picture item to understand: Cyber Insurance is NOT cyber risk management. Cyber insurance functions as a way to finance the loss you incurred from the hack. It’s a safety net for when plan A (Operation Lockdown) fails. Cyber Insurance should NEVER BE PLAN A. Here’s more good news. If you’ve been hacked, the chances of you being hacked again are exponentially higher. Insurance carriers know this, which is why Cyber Insurance policies increase significantly in cost once you have been hacked: the carriers’ exposure to loss increases if they decide to insure you!

Learn More: Conducting An Organization-Wide Phishing Test

This is why we built this case study on how we at Metropolitan Risk took this challenge on for ourselves. It’s not the holy grail of cybersecurity prevention, and we don’t want to lead you to believe it is. What our case study does do is make you a bit faster than most of your competitors, who will suffer a hack and the corresponding costs that go with it. At Metropolitan Risk our goal is to keep you cost-efficient and cost-consistent. Reading our Case Study gives you an idea of how to organize the challenge and address each item incrementally.

 

The last point, and this is a big one: you don’t have to figure all this out on your own. As a reminder, we built a full-on Cyber Assessment designed for small to medium-sized businesses that assesses your current systems, protocols, and security measures. Upon completion, you get a report that gives you a green light for things you have done well, yellow for items that need to be tweaked, and red for “let’s jump on this ASAP.”

 

Then we suggest we get you a really solid cyber insurance policy as a Plan B, just in case. Our cyber policies are 25% less expensive IF you execute our assessment and tackle the items in red.

 

How do you eat an Elephant? Piece by piece. CLICK HERE to take the Cyber Assessment. 

 

Cybersecurity Program Checklist Help

Cyber liability insurance is a backstop to a strong cybersecurity program. The insurance portion helps your organization recover costs associated with the negative effects of a successful cyber attack. Cyber liability insurance cannot prevent you from experiencing loss. A strong cybersecurity program can help mitigate some of the potential losses by making your organization a difficult cyber target.

Cybercriminals are looking for targets with minimal cybersecurity on their systems. If your organization trains its employees to recognize potential foul cyber activity and focuses on an organization-wide goal of cybersafety, you are on the right path to a strong cybersecurity program.

Managing Devices

Device management can seem like such a small part of a strong cybersecurity program, but according to NetStandard, 1 in every 3 employees does not lock their work computer when they go to lunch or leave for the day (1). This leaves open every computer that accesses your organization’s files. Documents can also be an access point for cybercriminals. An effective device management program encourages your employees to lock down their devices with passwords and to exercise extra caution when working in public workspaces.

Password Authentication Protection

We’ve previously highlighted the importance of using multi-factor password authentication. Password authenticators vary between digital & physical authenticators, as well as options that are a combination of both. All accounts at your organization should be outfitted with a multifactor authentication process. This added layer of cybersecurity can save your organization

Email, Webpages & Social Media

Cybersecurity is more than protecting your passwords and devices. A strong cybersecurity program includes using smart practices while reading emails, entering data into unfamiliar websites, and using social media. Phishing scams are one of the most common ways cybercriminals gain access to company information. These criminals pose as a safe and familiar entity and ask the victim to grant them access to the account they are trying to take over.

If you have any additional concerns regarding your cybersecurity program and cyber liability coverage, contact a Risk Advisor at 914-357-8444.

Our SIM-Hacking Prevention Guide

We recently wrote a piece about what SIM-Hacking or SIM-Swapping is. Click this link here to read it. We’re following up on that article with a quick guide to preventing SIM-hacking. We’re not here to re-explain what SIM-hacking is, we’re here to talk about how to protect yourself from risk.


If you agree with us that SIM-Swapping is a potential problem & you want to protect yourself from cybercriminals, then this guide can help you protect your accounts from cybercriminals.

 

1. Make a list of the important stuff that would pain you if you were hacked.

Here are a few accounts to start with.  Your list of accounts to protect may grow longer but these accounts would be the most problematic.

  • Work Email/ Work Google Account
  • Bank Account for Work or Personal
  • Organizational/Workplace Databases
  • Social Media Accounts (Facebook, LinkedIn & Vimeo)

2. Understand how each account lets you recover/reset your password.

In this case, each one uses 2-step verification. The first factor is typically the primary email address you used to set up the account. The second factor is your mobile phone number (text messaging). I suggest testing each account above by having it walk you through the steps of a password reset. The ones that send a text message to your mobile phone are the ones most vulnerable to SIM-HACKING, as taking over that phone number is the whole purpose of the attack.

These are the accounts we are going to lock down in the next few steps.

 


How To Protect Yourself From SIM-Hackers

At Metropolitan Risk, we purchased a YUBIKEY, which is a small piece of hardware that replaces the text message/cellphone as a second-level authenticator. Google offers a similar product known as the Titan Security Key. We opted to use a security key because you must have the key in your physical possession and you must confirm to the hardware that you are a human being. These security keys require human touch to confirm and cycle the key on. If you don’t like the idea of a separate piece of hardware, there are apps for your cellphone called Authenticators that can do similar things.

We opted for a piece of hardware separate from the cellphone as the 2nd step in the 2-Step Verification. We also use an authenticator app as a 3rd-level authentication process in the event we lose the YUBIKEY hardware.

 

1. If you’ve purchased a YUBIKEY, your next task is to log into the accounts you are concerned about & research the multi-step authentication process for password recovery.

    • This is the most time-consuming part of the process, as each account can have different methods & steps to execute this piece.
      For example, you are telling Google not to send a text message to your cellular phone. Instead, you are telling Google to look for your YUBIKEY as the primary authentication.

NOTE: if your organization manages your email account, speak with your admin. As our Google account administrator, I’ve turned on 2-step verification to allow my staff to use a YubiKey. My staff would not have been able to set this up without admin approval. CLICK HERE for a quick guide on how to set up 2-step authentication, using Google as an example.

2. Once you follow the instructions for linking your account with the YubiKey, you can select “trust this device”. This way you won’t need to use the YubiKey every time you log into an account, because the software recognizes your device AND it has been properly authenticated.

What Happens if I lose my YubiKey?

In all the accounts you set up with the YubiKey, make sure there is a 3rd way to authenticate in case the YubiKey isn’t available for some reason. This gives you an additional way to access your account and prevents you from getting locked out of, say, your Google account. In our case, we use Google Authenticator as the 3rd option in case the YubiKey is damaged or otherwise unavailable.
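As an added example (not Metropolitan Risk's code or a tool the guide uses), the following Python models steps 1 and 2 of the guide together with the backup-factor rule above: an inventory of accounts with the channels that can reset each one, a check for everything an attacker reaches once the phone number is hijacked (including accounts that reset through an email account which is itself SMS-recoverable), and a check for accounts whose single strong factor would lock you out if lost. The account names and channels are constructed for illustration.

```python
"""Account-recovery dependency audit (added example, not Metropolitan Risk's code)."""
from typing import Dict, List, Set

# A reset channel is one of: a SIM-bound channel the attacker owns after a SIM
# swap, a factor independent of the phone number, or the name of another
# account in the inventory (e.g. the email address a reset link is sent to).
SIM_SWAP_CHANNELS = {"sms", "voice"}
STRONG_FACTORS = {"security_key", "authenticator_app"}


def sim_swap_exposure(accounts: Dict[str, List[str]]) -> Set[str]:
    """Return every account an attacker can take over once the phone number
    is hijacked: one attacker-controlled reset channel is enough, and control
    propagates through recovery email accounts until nothing new is reachable."""
    owned: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for name, channels in accounts.items():
            if name not in owned and any(
                ch in SIM_SWAP_CHANNELS or ch in owned for ch in channels
            ):
                owned.add(name)
                changed = True
    return owned


def lockout_risk(accounts: Dict[str, List[str]]) -> Set[str]:
    """Accounts whose only way in is a single strong factor: losing the key
    (or the phone carrying the authenticator app) locks the owner out."""
    return {name for name, ch in accounts.items()
            if len(ch) == 1 and ch[0] in STRONG_FACTORS}


# Constructed inventory mirroring the guide's "list of the important stuff".
BEFORE = {
    "work_email": ["sms"],
    "bank": ["work_email", "sms"],
    "workplace_db": ["work_email"],
    "linkedin": ["personal_email"],
    "personal_email": ["sms", "authenticator_app"],
}
# Same inventory after SMS is removed and a security key is enrolled.
AFTER = {
    "work_email": ["security_key", "authenticator_app"],
    "bank": ["work_email", "security_key"],
    "workplace_db": ["work_email"],
    "linkedin": ["personal_email"],
    "personal_email": ["security_key"],  # no backup factor: lockout risk
}

if __name__ == "__main__":
    print("exposed before:", sorted(sim_swap_exposure(BEFORE)))  # all five
    print("exposed after: ", sorted(sim_swap_exposure(AFTER)))   # []
    print("lockout risk:  ", sorted(lockout_risk(AFTER)))        # ['personal_email']
```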

Call me paranoid, or maybe just a Risk Advisor… same thing. I purchased a TILE, which is essentially a very small chip that allows me to always locate whatever the chip is attached to. I have one for my wallet, one for my keys, and one for my backpack. You download an app onto your cell phone. The cell phone app communicates with the Tile, which is attached to your keychain/YubiKey, and voilà, keys found. It can also work in reverse and help you find your cellphone by making it ring when you press a button, even when the phone is muted.

Help and More

At this point, I’m feeling better about my personal situation.

The 2-step verification ensures that the person accessing your account from a new device is you. Remember, once a hacker obtains your user name and password, they try to access your account from devices that are not recognized by the site or software. The software is trying to figure out whether it is really you on a completely different device or a hacker. If the hacker has no way to authenticate their device and trick your software into believing it is you behind the device, they aren’t getting in.

Last point, just like in the physical world: if they really want to steal your car… gone. By locking down your digital life and making it a bit more difficult, the hackers usually move on to easier prey. And there is no shortage of easy prey out there.

We hope you found this helpful. There are a ton of resources online to help you execute this tactic and lock down your accounts and your life. Our goal was simply to make you aware of SIM-hacking and at least get you to start the process of locking down your very vulnerable digital life.

Still have questions? Still want more info? Contact a risk advisor today OR visit our website here.

Losing Your Identity Through Your Phone Number: How SIM-Swapping Attacks Can Leave You Vulnerable

SIM-swapping is the latest way cybercriminals & hackers are performing attacks on your cell phone.  Could you be next?

Picture this: It’s Friday and you just got paid. You go to the ATM to withdraw $100 for the weekend. The message on the screen says your account is overdrawn and no funds are available. You march into the bank to discuss what must be an obvious error, only to find out that all your money has disappeared from your account. How did this happen? Your cell phone was hacked, your cell account stolen & your bank account passwords reset, which was how they swept your bank account. SIM Swapping is very real and very effective. Here’s how it goes down.

What is SIM-swapping?

The “SIM” in SIM swap refers to the tiny chip that your cell phone uses to store your number and account information. This may include pictures, texts, emails, contacts, apps, etc.; it is usually located inside your phone.

SIM-Swapping is a relatively new attack in which criminals steal a victim’s telephone number. They have figured out that your most important accounts, like bank accounts, use two-factor authentication when resetting your passwords. From your cell-phone number they are able to find out personal information about you. SIM swappers use the “Forgot my password” tool for online services with the intent to take over your online accounts. Within minutes of gaining access to your accounts, these hackers look through old email messages for access to financial accounts. These include not only financial accounts but cryptocurrency accounts, social media, bank accounts, and even IRAs. Investigators have also seen SIM swapping used to compile photos for money and blackmail, resulting in an awful violation of privacy.

 

“You want to protect your accounts from being able to reset simply because somebody has your phone number.” -Mr. Selby, NYPD

 

Once inside your accounts, these criminals change the passwords to your most important accounts & lock you out. They switch your security settings so that your accounts can’t be reset even when you’re finally able to recover your phone number. One way they do this is with an app called “Authenticator”, designed by Google; once it is tied to your account, you can still be locked out even if you’ve recovered your phone number.

Investigators with the Regional Enforcement Allied Computer Team, a law-enforcement task force, stated they know of more than 3,000 victims, accounting for $70 million in losses nationwide. Worse is the rate at which this technique is growing, because it’s so powerfully effective at stealing your identity.

 

“If the richest man in the world had his cell phone hacked, where does that leave the rest of us?” Charlie Warzel – NY TIMES

 

WAYS TO PROTECT YOURSELF FROM SIM CARD HACKS:

    1. Do not post online that you are leaving for vacation, to avoid calling attention to an empty house filled with valuables. Social media not only presents an opportunity for criminals; it provides them with more personal details about you, which allows them to create the mosaic they can use to impersonate you.
    2. Call your cell phone carrier and ask to add a passcode to your phone account. Make sure to remember your passcode!
    3. Try the “Forgot my password” option on your most important accounts and see what the process is for each.
    4. Get a password manager to store all of your passwords. CLICK HERE for Best Password Managers from CNET. If you want extra security protection, use hardware security keys such as YubiKey or Google Titan, which allow for one-time passwords and two-factor authentication.
    5. Turn off SMS authentication. For Android Phones CLICK HERE. For Apple Phones CLICK HERE. Make sure to remember your passwords if you do this, as sometimes you may not be able to recover your accounts.
    6. People hired to help you, like accountants and lawyers, can innocently provide a way into your financial life, especially if THEY are hacked. The best that people can do is verify everything through basic human interaction, which will slow and eventually stop hackers.

 

If you’re interested in reading the whole article on SIM-swapping, click this link here.

 

For more information contact a Metropolitan Risk Risk Advisor or call 914-357-8444.