Aug 22, 2018
Find out how one hacker stole millions as Craig discusses SIM hacking and trends at this year's DEFCON with Ken and Matt
Craig is putting up a new membership site (Yes, it is free, but you have to sign up) On it will have all his special reports that he puts out and you will be the first to get them.
These and more tech tips, news, and updates visit - CraigPeterson.com
3 Trends Hackers At Black Hat And Defcon Are Watching
How A Hacker
Allegedly Stole Millions By Hijacking Phone Numbers
Below is a rush transcript of this segment, it might contain errors.
Airing date: 08/15/2018
Security Secrets We Learned At Blackhat And Defcon
Craig Peterson:[00:00:00] Hey, Good morning, Craig Peterson, here. I had a conference yesterday well actually a webinar. And I was running it. And my guest for the FBI InfraGard's program on the Webinar was a gentleman from Black Ops partners. Now, Black Ops partners is an intelligence firm. They deal a ton with various types of intelligence and they provide information to the government, to businesses, and NGOs all of those people. They had a bunch of warnings for us yesterday, some of that stuff I really can't share with you at this point. But we do know about what's been going on out in Vegas with the Black Hat conference and with DEF CON. So, this morning with Ken and Matt I kind of loaded them up with articles on security and some of the things we need to be very cautious with. Things are boards of directors need to be paying more attention to than most of them are. And, things that you should be paying attention to including I don't know. Ever heard of sim hijacking. Well, I explain that this morning and how this could cause you to lose a ton. Including it already did, One guy lost five million dollars, because of it. So, here we go with Ken and Matt.
[00:01:25] Were back again and it is that time of the week again, 738 on a Wednesday means time for Craig Peterson on deck. Craig how are you this morning.
[00:01:34] Hey, good morning gentlemen. Doing just fine.
[00:01:37] So, now Craig now can they steal information from our love our online accounts through voicemail.
[00:01:45] Yeah listen a surprising. I assume you guys know what two-factor authentication is, right.
[00:01:52] I do. I wouldn't bet on that.
[00:01:57] It's hard to say, what it's called.
[00:02:00] Most of us now are have started using something called two-factor authentication where in most cases we're using our phones and we're getting a text message. So, for instance, you're logging in from a new location, a new browser, etc. and the Web site's going to pop up and say I'm not sure I've seen this device before so, I need to verify you, and in most cases, it sends you a text message. So, that text message comes into your phone and it's got a number and you type that number into the Website and now it knows it's you. Well, we just had a conference going on in Vegas and there were two of them they run back to back every year in August. There is Defcon and there's black hat. These are where there's all kinds of fun games. For instance, they're talking in these conferences about hacking and how to hack in and leads basically to help the good guys understand how the bad guys are getting in, OK. And they have games like well the normal one, spot the Fed. So, they are in a conference talking about something and they try and figure out who the people in the room are that are from the federal government so, that's kind of a fun game.
[00:03:17] Another big one this year, was hack the voting machines and we'll have to talk about that next week a little bit. But, we had an 11-year-old win this year on the hack of the voting machines, just to show you how great these things are. But in this case, we had a presentation about using that text message type functionality to get into almost any account including WhatsApp and Signal, even. But, your standard accounts from Microsoft and Apple and Google. What they did in order to hack these accounts was they figured Oh well wait a minute now they're going to send a text message. Wow. These places all we're talking with all of your major vendors will all give you the option to call you on the phone. So, all the bad guy has to do if he's targeting you is go ahead and hack your voicemail account. Well, how would you hack your voicemail account? Well, they run a little program and the programs available online that will call your voicemail. Now, you guys I assume you both use voicemail to some degree right.
[00:04:27] As much as I hate it, Yes. And how many digits is your pin? You have to type in a pin right.
[00:04:33] No, actually no I don't. I have Verizon and I have the visual voicemail thing to call in.
[00:04:41] I think when I used to call anything I just portion of it talks me. I've got to I've got to I've got an app in my phone that does. Yeah, but when I used to call it it was like four digits, I think. All right. I might have an iPhone Ten I push it and it talks to me. But, I also see that message as well.
[00:05:02] I noticed when you push, Matt, he talks to you too.
[00:05:05] But, anyway here's a couple of problems that are inherent in this system. One is if you call into your voicemail and your voicemail automatically starts talking to you, right, giving you your messages etc. It's probably using your caller ID and that is easily faked. So, for instance, if I wanted to find out messages that came in the Ken Altschuler all I need is a phone number and I can get his voicemail. If you're using an app for your voicemail you may be a little bit safer. But even if you have a pin on your voicemail account, does it back off? So, for instance, Ken when you had your iPhone what was your previous on a, 7.
[00:05:50] So, when you had your iPhone 7 and knew you had to type in the code on the front of your phone and you made a mistake you'd have to re-enter it.
[00:05:59] Correct, Yeah. And, Matt the same thing with you right with Right. Yeah. So, we make a mistake. It gives you the chance to do it again. Did you notice that it backs off?
[00:06:11] So, every time you make a mistake you may get ten tries. But the first two tries are right away. Then third try it's going wait a couple of minutes so forth to try it's going to wait many minutes. And by the time you get to the 10th try, it can be as long as a week. That's called an incremental backoff. And the idea is if you've only got a four character or four-digit PIN it's going to take them at least a year or two or three to break in if they're able to do it. So, that's incremental backup. Does your voicemail have that? Well, it turns out most of them don't. So, if they can get your phone number if they're targeting you. And remember the FBI is warning us that they're targeting small businesses and I have another one last week that I was talking to that was targeted. But, if they're targeting you, this little program just sits there and keeps trying pins because most voicemail systems do not back off. So, within a few minutes, the hacker has your voicemail and has the ability to get into it. So, all they have to do is go into your account, online.
[00:07:20] say forgot my password have it use the voice option. Call it to leave a message on your voicemail with a new pin. The hacker now has full access to your account because they already hacked your voicemail using an automated system. So, there's something more to think about our voicemail systems. Most of them are really bad when it comes to this. Now some of the professional stuff is good, it does a good job but you might want to think twice before using your phone and SMS text messaging. Think twice before using text messaging as your two-factor authentication method, Google Authenticator, and there a company called Duo. If you're really paranoid, like I am because I got to take care of my customer's data right. Use things like Yubi keys. There's a lot, and of course, you can see a lot of this up on my Web site. I've got this article up there for people. We're talking to Craig Peterson as we typically do at this time every Wednesday.
[00:08:22] Craig speaking of being paranoid about my phone ruining my life. Apparently, a hacker has stolen millions of dollars by hijacking phone numbers I guess 40 victims or so five million dollars. Tell us about this.
[00:08:35] Yeah, isn't that something you know when you get right down to it we're just confident with our technology, Right. It's like Matt you were saying last week, yeah. There may be vulnerabilities in Android, but you're using it, right. The same thing with having an Alexa in your home or a Google home etc. etc.. This technique came out again here. This is a this is a 20-year-old who is from Boston and he has hacked about 40 different victims that they know of. There were probably some accomplices involved, but this is a different technique called Sim swapping. And, again what happens is they're able to redirect and not your voicemail in this case but your entire phone number etcetera, etcetera to a third party phone. So, this has been happening more and more. We've got alerts out on this. You have to be careful with here. It works for any provider. This is a provider thing AT&T, T-Mobile, Verizon. If they can defraud the carrier into switching your phone number to the different SIM card they can pull off the scam. In this case, it was about five million dollars in cryptocurrencies that were stolen by this guy. So, five million bucks not so bad for 20-year-old although he stole it and it's going to be very bad for him because he ended up in jail you know getting charged and down in New York City. Yes, and may He did a bunch of this stuff so you may get transferred to a different district. But, all would all of the entrepreneur knew whose money cryptocurrency was stolen in this case was his phone stopped working and he didn't notice it until later in the day and then he called up they tracked it down. The FBI got involved. But if your phone stops working you may think you may want to hop on it really quickly and not just think your phone broke. That's the bottom line, there.
[00:10:44] We're on our Craig Peterson our tech guru. You can always go to Craig Peterson dot com and get all of the information first. So, so you know we talk about terrorism and all these horrible things facing America. But, do most people fear are most intelligence agencies authorities fear a cyber attack is that the worst thing that could happen to America.
[00:11:05] Yeah, this is interesting. I ran webinars yesterday for the FBI. Their Infragard program. And I had on the head of Black Ops partners. Now, this is a company that provides a lot of intelligence for the government, for private industry, et cetera and that's all very interesting stuff and it was fun talking to a great guy. But, again there's a lot to be aware of. And, we've got to get boards of directors aware of this stuff. And on top of it. Because, we are talking now about crippling cyberattack that can happen. Now, this is scary because again all levels of government are warning about this but, a well executed cyberattack could knock out the electric grid, shut off power, compromise vital government systems, financial data. We've got General David Petraeus. He's a former CIA director saying this is a quote "What worries me most is the cyber equivalent of a weapon of mass destruction fall into the hands of extremists". "They'd be very difficult to deter and the willingness to blow themselves up on the battlefield and take us with them says a lot". Now, China has been hacking us for a long time. Microsoft yesterday just announced that they had found Russian involvement, where they were pretending to be various U.S.
[00:12:35] based political party sites. In other words, Microsoft caught and stopped the Russians from pretending they were the Democrats and pretending they were the Republicans. They're equal opportunity offenders. This is going to continue. This is the next battlefield. And, as of yesterday BlackOps Partners was talking about this. This is the typical unconventional warfare. Rights were really big. They're really small. Sun Tzu, The Art of War. They have ways of attacking us, they can frankly cripple us. So, we've got to continue to improve. We are improving security with things like power stations. But your business has to improve your cybersecurity. We've got to step up. We need to pay attention even as consumers, because things will get critical, right. Three days after our computer systems go off-line there will no longer be bread in the grocery stores etc., etc. You going to have to go out fishing off the coast to get your food all by yourself. It's very scary, and I can't emphasize this enough, I know we speak about it all the time, but it's very real, very real Ken. We've been talking to Craig Peterson, our tech guru who joins us on Wednesdays at this time to give us an eye on technology.
[00:13:59] Craig thanks so much. We will talk to you again next Wednesday. Hey, take care guys. Bye-bye. We're going to take a quick break here.
[00:14:06] By the way I should mention, if you are interested in getting involved with the FBI InfraGard program go to InfraGard.org or I N F R A G A R D dot Org. Lots of great information you'll be getting some of it's a little bit of inside information that is not shared with the general public. It is not like top secret stuff or anything. But it's important stuff to know. So, check it out Ifraguard dot org. Take care. Have a great rest of the week and I'll be back with you on Saturday. Although, I am starting to try and get this posted my radio show when, I prerecord which I've been doing lately. I try and get it up on Friday, so, keep an eye out for that. We can podcast as early as Friday and you can get there from Craig Peterson dot com slash iTunes, make sure you subscribe. Give me a rating 5-star. I hope, Take care.
Don't miss any episode from Craig. Visit http://CraigPeterson.com/itunes. Subscribe and give us a rating!
Thanks, everyone, for listening and sharing our podcasts. We're really hitting it out of the park. This will be a great year!
More stories and tech updates at:
Don't miss an episode from Craig. Subscribe and give us a rating:
Follow me on Twitter for the latest in tech at:
For questions, call or text: