Yesterday, Trijo News revealed that big mobile operators like AT&T let themselves get fooled by hackers who want to gain access to their customers’ Gmail and Hotmail accounts. The process itself is quite simple: the hacker calls your mobile operator, claims to be you, and asks the operator to move your phone number to a new SIM card controlled by the hacker.
This might not sound all that bad, but the problem is that many people have also connected their phone number to their Gmail or Hotmail account. Thanks to this, the hacker can order a password recovery text message and then gain full access to everything you have stored with your email service provider. If you also, as many people do, use the Google Chrome web browser, there is a huge risk that the hacker is also able to log in to Chrome and get access to all the passwords you have stored in the browser.
Could have huge consequences outside of the internet as well
Let this sink in for a couple of seconds and think about what passwords you might have saved directly in the browser. If you use Chrome (or Microsoft Edge for that matter), there is a big risk that a hacked account means access to everything from online casinos to online shops or even your Facebook account.
The hacker who was interviewed in our article, Daniel, had specialized in stealing cryptocurrencies, but he also told us that he can find other things that you really do not want a hacker to find: photos of ID cards, credit card numbers and private photos. These are documents that could be used to hijack your identity, steal your money and do things that could have huge consequences for you even outside of the internet.
The mobile operators refuse to answer our questions
When working on the article about Daniel, we contacted some of the big mobile operators. We wanted to get a comment on why their security protocols for moving numbers to a new SIM card are so poor that they could be used by hackers trying to steal your identity. Only one of them, Telenor, even bothered to reply to our email.
But it is not really that strange that they fail to comment if you think about it. To be honest: they are probably well aware that they lack the right security protocols, which means that there is really nothing for them to gain by talking about it in public. It is easier to simply say nothing and hope to be able to continue their business as usual.
Despite this, the big mobile operators could easily implement security systems to verify your identity when you contact them by phone or chat messages. For example, they could design a system where you have to correctly answer a control question picked by you when signing up as a customer. That question could be “What was the name of your first pet?”. If you answer correctly, they would be a whole lot more certain that it is, in fact, you who is contacting them, which would make it much harder for hackers to hijack your identity.
But such security protocols cost both time and effort, and therefore it is easier and cheaper to pretend that this isn’t a problem. But it really is.
I find this absolutely unspeakable.