This is the Shared Security Weekly Blaze for August 20, 2018, sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions – and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones directly via your web browser by clicking here!
Show Transcript
This is your Shared Security Weekly Blaze for August 20th, 2018 with your host, Tom Eston. In this week’s episode: ATM cashout attacks, mobile phone voicemail security and Google location tracking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags, you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, this is Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
This is the 30th episode of the Weekly Blaze Podcast! I wanted to give a quick shout out and thank you to our listeners and sponsors for supporting the show! Thank you for all the feedback that you provide, and we look forward to bringing you more great content in the coming weeks and months. Thanks for listening!
The Federal Bureau of Investigation is warning banks that criminals are looking to carry out a highly organized global “ATM cash out”, in which criminals take previously cloned credit cards and use them at ATMs around the world to withdraw millions of dollars of cash, all within a few hours. In the past, this attack has been done around a holiday when banks and financial institutions are closed. This is because the limited staff at banks during a holiday makes it difficult for a bank to quickly respond to an attack like this. Similar attacks in the past have targeted small- to medium-sized banks, which may not have the robust security and fraud teams that a larger bank may have. Brian Krebs from Krebsonsecurity.com reports that this most recent FBI alert was related to a card breach of a bank in India called Cosmos. In this incident attackers drained $13.5 million from accounts using cloned cards at 25 different ATMs located in India, Hong Kong and Canada. Malware was also installed on the bank network, which was used to help process the fraudulent ATM transactions. In the alert to banks the FBI noted several common tips to help prevent banks from becoming a victim, but the truth of the matter is that many small- and medium-sized banks do not have the resources or staff to properly defend their systems from a dedicated attacker on their network. The best course of action for the rest of us is to stay vigilant about checking our credit and debit card statements and to ensure you set up some type of fraud alerts for any transactions that may happen on your card. As a reminder, using a debit card instead of a credit card can be more risky due to the fact that money is instantly removed from your checking account and it can take weeks for the bank to reimburse you. Check out our show notes for a link to our episode on credit card fraud, in which we discuss tips on how to prevent becoming a victim of this type of crime.
When was the last time you thought about the security of the voicemail on your mobile phone? If you’re like most of us, probably not at all. But as one security researcher named Martin Vigo demonstrated at the DEF CON hacking conference in Las Vegas this past week, it’s all too easy to hack into someone’s voicemail. Why would someone want to hack into your voicemail, you may ask? Well, there are many popular online apps and services that use a phone call to deliver a code that you can use to verify your identity through things like a password reset process. You may be surprised to know that this is a popular option for authentication alongside SMS text messaging, which hopefully all of you know is considered insecure. If you can hack someone’s voicemail, you now have the potential to compromise someone’s email, social networks, banking apps, conversations and much more. Martin’s research showed that sites like PayPal, WhatsApp, Instagram and LinkedIn all have a feature to call you to reset your password.
So how does one go about hacking into someone’s voicemail? The first step is to find the backdoor number for the victim’s mobile carrier, which allows you to log in to the voicemail system to hear messages. Voice mailboxes are protected with a PIN code, and many of these mailboxes are configured with default or easy-to-guess PIN codes, many of which are only 4 or 6 digits in length. In fact, Martin wrote a tool that can brute force common PIN codes and can also try random combinations of numbers until one of them works. Once this access is gained, there are several techniques that Martin describes that are available to flood the victim’s number or to determine whether the phone is powered on or not, so that when the password reset process calls the victim’s number, the call goes straight to voicemail. In a blog post written by the researcher, he describes multiple attack scenarios using several workarounds for bypassing different types of voicemail systems. Check out our show notes for a link to this really impressive research. While Martin did contact the major mobile carriers about the issues he found, the response from these companies was, not surprisingly, less than impressive. There are, however, some things that you can do to protect your voicemail. First, use a strong PIN on your voicemail account. That means something greater than the default given to you, and make sure it’s long and unique. You may have to look up your own mobile carrier’s process for changing your PIN, but in the show notes we’ve provided links to AT&T’s and Verizon’s process. Next, don’t provide your phone number to online services unless it’s required or it’s the only way available for two-factor authentication. As mentioned on the podcast previously, we recommend using a virtual phone number like Google Voice to prevent SIM hijacking attacks, which are very popular right now. Lastly, use app-based two-factor authentication like Authy or Duo if it’s available from the online service you’re using.
Hopefully, through awareness and research done by security researchers like Martin Vigo, the mobile carriers will look at further ways to increase the security of voicemail systems.
Google was in the news this past week regarding an Associated Press investigation that found many Google services store your location data despite your disabling Google’s own privacy controls that are meant to prevent your location from being shared. In most cases, while using apps like Google Maps, it’s a given that your location is going to be used. However, even if you disable a setting called “location history”, Google will still collect your location data. Regardless of this setting, just by opening up the Google Maps app your location is shared, the built-in weather app (if you have an Android phone) shares your location, and many other situations, like making certain web searches, may trigger Google to also record your location.
Google argues that the location history setting is doing what it was designed to do, but critics like Jonathan Mayer, the Princeton researcher who worked with the Associated Press on this, quickly point out that, quote, “If you’re going to allow users to turn off something called ‘location history’, then all the places where you maintain location history should be turned off,” Mayer said. “That seems like a pretty straightforward position to have.” End quote.
Totally turning off location sharing on all Google apps and services is quite the daunting task, and it’s not clear whether in certain cases your location data is being tracked or not. Not only do you have to disable location history, but you need to disable something called “web and app activity”, which stores all types of information about your activities on Google’s various apps and services. Changing this setting only prevents Google from adding your location to something called their “timeline”, but it does not fully prevent Google from tracking you through other means. You’ll have to delete each location record individually or delete all of your stored activity, which is essentially what we call hitting the “big red button”. It should be no surprise to anyone that Google insists on tracking your location, and making it difficult to turn off, because it’s another way for Google to boost advertising revenue. If you’re interested in seeing all the data that Google is collecting about you, you can visit myactivity.google.com while logged into your Google account. If you use many different Google services, you may be very surprised to see the amount of detail that Google collects about your activities. With the news of this recent location tracking issue, it may be yet another reason to move off of Google’s services completely, especially if you’re really concerned about your location privacy.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show, you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts, or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.