Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label two-factor authentication. Show all posts
Verizon SIM protection
Cyber Security mobile account security prevent SIM hijacking protect phone number SIM swap attacks two-factor authentication Verizon SIM protection

How to Safeguard Your Phone Number From SIM Swap Attacks in 2025

 

In 2025, phone numbers have become woven into nearly every part of our digital lives. Whether you’re creating accounts on e-commerce sites, managing online banking, accessing health services, or logging in to social networks, your phone number is the gateway. It helps reset forgotten passwords and powers two-factor authentication codes that keep your accounts secure.

But if a hacker gets hold of your phone number, they can essentially impersonate you.

With control over your number, attackers can infiltrate your online accounts or manipulate automated phone systems to convince customer service representatives they’re speaking to you. In some cases, a stolen phone number can even be used to breach a company’s internal network and retrieve confidential information.

That’s why it’s more important than ever to protect your number against SIM swapping — a cyberattack where someone fraudulently transfers your number to a new SIM card. The good news? Locking down your number has never been simpler.

SIM swap attacks typically begin when a criminal contacts your mobile carrier, pretending to be you. By using publicly available personal details — like your name and birth date — the attacker convinces support staff to port your number to a SIM card they control. Once the transfer is complete, your number is live on their device. From there, they can send messages and make calls in your name.

Often, the only clue that something is wrong is if your phone abruptly loses service without explanation.

These attacks exploit gaps in the internal security processes at phone companies, where representatives can make account changes without always verifying the customer’s consent.

To fight back against these social engineering scams, the three largest U.S. mobile carriers — AT&T, T-Mobile, and Verizon — have launched security tools that help prevent unauthorized account takeovers and SIM swaps. However, these protections may not be turned on by default, so it’s worth taking a few minutes to review your account settings.

AT&T: In July, AT&T rolled out its free Wireless Account Lock, designed to block SIM swapping attempts. “The feature allows AT&T customers to add extra account protection by toggling on a setting that prevents anyone from moving a SIM card or phone number to another device or account.” You can activate this safeguard in the AT&T app or through your online account dashboard. Be sure your account is secured with a unique password and multi-factor authentication.

T-Mobile: T-Mobile gives customers the option to lock their accounts against unauthorized SIM swaps and number porting at no cost. To enable this, the primary account holder must log in to their T-Mobile account and switch on the protection settings.

Verizon: Verizon offers two layers of defense: SIM Protection and Number Lock. These features stop SIM swaps and unauthorized phone number transfers. You can enable them through the Verizon app or the account portal. Verizon notes that if you disable these protections, any account changes will be delayed by 15 minutes, giving legitimate users time to undo suspicious activity.

Take a moment to check whether these safeguards are active on your account. While they aren’t always advertised prominently, they can make all the difference in keeping your phone number — and your identity — safe
Read more »
two-factor authentication
FIDO Alliance Microsoft Authenticator app online security updates Passkeys password autofill ending Technology two-factor authentication

Microsoft Phases Out Password Autofill in Authenticator App, Urges Move to Passkeys for Stronger Security

 

Microsoft is ushering in major changes to how users secure their accounts, declaring that “the password era is ending” and warning that “bad actors know it” and are “desperately accelerating password-related attacks while they still can.”

These updates, rolling out immediately, impact the Microsoft Authenticator app. Previously, the app let users securely store and autofill passwords on apps and websites you visit on your phone. However, starting this month, “you will not be able to use autofill with Authenticator.”

A more significant shift is just weeks away. “From August,” Microsoft cautions, “your saved passwords will no longer be accessible in Authenticator.” Users have until August 2025 to transfer their stored passwords elsewhere, or risk losing access altogether. As the company emphasized, “any generated passwords not saved will be deleted.”

These moves are part of Microsoft’s broader initiative to phase out traditional passwords in favor of passkeys. The tech giant, alongside Google and other industry leaders, points out that passwords represent a major security vulnerability. Despite common safeguards like two-factor authentication (2FA), account credentials can still be intercepted or compromised.

Passkeys, by contrast, bind account access to device-level security, requiring biometrics or a PIN to log in. This means there’s no password to steal, phish, or share. The FIDO Alliance explains: “passkeys are phishing resistant and secure by design. They inherently help reduce attacks from cybercriminals such as phishing, credential stuffing, and other remote attacks. With passkeys there are no passwords to steal and there is no sign-in data that can be used to perpetuate attacks.”

For users currently relying on Authenticator’s password storage, Microsoft advises moving credentials to the Edge browser or exporting them to another password manager. But more importantly, this is a chance to upgrade your key accounts to passkeys.

Authenticator will continue to support passkeys going forward. Microsoft advises: “If you have set up Passkeys for your Microsoft Account, ensure that Authenticator remains enabled as your Passkey Provider. Disabling Authenticator will disable your passkeys.”
Read more »
User Privacy
Mobile Security SMS Code threat report two-factor authentication User Privacy

Here's Why Using SMS Two-Factor Authentication Codes Is Risky

 

We've probably all received confirmation codes via text message when trying to enter into an account. These codes are intended to function as two-factor verification, confirming our identities and preventing cybercriminals from accessing our accounts solely through a password. But who handles the SMS codes, and can they be trusted? 

 New findings from Bloomberg and the collaborative investigative newsroom Lighthouse findings offer insight on how and why text-based codes might put people in danger. In their investigations, both organisations stated that they got at least a million data packets from a phone company whistleblower. Individual users got the packets, which contained SMS texts with two-factor authentication codes. 

You may believe that these messages are handled directly by the companies and websites with which you have an account. However, Bloomberg and Lighthouse's investigation suggests that this is not always the case. In this case, the messages went through a contentious Swiss company called Fink Telecom Services. And Bloomberg used the label "controversial" to describe Fink for a reason. 

"The company and its founder have worked with government spy agencies and surveillance industry contractors to surveil mobile phones and track user location. Cybersecurity researchers and investigative journalists have published reports alleging Fink's involvement in multiple instances of infiltrating private online accounts,” Bloomberg reported. 

Of course, Fink Telecom didn't exactly take that and other comments lying down. In a statement shared with ZDNET, Fink called out the article: "A simple reading of this article reveals that it presents neither new findings nor original research," Fink noted in its statement. "Rather, it is largely a near-verbatim repetition of earlier reports, supplemented by selective and out-of-context insinuations intended to create the appearance of a scandal-without providing any substantiated factual basis.”

Bloomberg and Lighthouse discovered that the senders included major tech companies including Google, Meta, and Amazon. Several European banks were also involved, as were applications like Tinder and Snapshot, the Binance cryptocurrency market, and even encrypted communication apps like Signal and WhatsApp. 

Why would businesses leave their two-factor authentication codes to an outside source, especially one with a questionable reputation? Convenience and money. External contractors can normally handle these types of SMS messages at a lower cost and with greater ease than enterprises themselves. That is especially true if a company has to interact with clients all around the world, which can be complicated and costly. 

Instead, firms turn to providers like Fink Telecom for access to "global titles." A global title is a network address that allows carriers to interact between countries. This makes it appear that a company is headquartered in the same country as any of its consumers. 

According to Lighthouse's investigation, Fink utilised worldwide titles in Namibia, Chechnya, the United Kingdom, and his native Switzerland. Though outsourcing such messages can be convenient, it carries risks. In April, UK phone regulator Ofcom banned global title leasing for UK carriers, citing the risk to mobile phone users. 

The key issue here is whether the data in the documents examined by Bloomberg and Lighthouse was ever at risk. In an interview with Bloomberg, Fink Telecom CEO Andreas Fink stated: "Our company offers infrastructure and technical services, such as signalling and routing capabilities. We do not analyse or meddle with the traffic sent by our clients or their downstream partners. 

Fink further shared the following statement with ZDNET: "Fink Telecom Services GmbH has always acted transparently and cooperatively with the authorities," Fink said. "Legal opinions and technical documentation confirm that the company's routing services are standardized, internationally regulated, and do not require authorization under Swiss telecommunications law, export control law, or sanctions legislation. Authorities were also informed that the company is in no way involved in any misuse of its services.”

In terms of outsourcing, Google, Meta, Signal, and Binance informed Bloomberg that they did not deal directly with Fink Telecom. Google also stated that it was discontinuing the use of SMS to authenticate accounts, although Signal stated that it provided solutions to SMS vulnerabilities. A Meta representative told Bloomberg that the company has warned its partners not to do business with Fink Telecom.
Read more »
VPN for public Wi-Fi
AI Privacy cybersecurity tips Incogni data removal Passkeys Password Manager Protect Personal Data Technology two-factor authentication VPN for public Wi-Fi

Digital Safety 101: Essential Cybersecurity Tips for Everyday Internet Users

 9to5Mac is brought to you by Incogni: a service that helps you wipe your personal data—including your phone number, address, and email—from data brokers and people-search websites. With a 30-day money-back guarantee, Incogni offers peace of mind for anyone looking to guard their privacy.


1. Use a Password Manager

The old advice to create strong, unique passwords for each website still holds true—but is only realistic if you use a password manager. Fortunately, Apple’s built-in Passwords app makes this easy, and there are many third-party options too. Use these tools to generate and save complex passwords every time you sign up for a new service.

2. Update Old Passwords

Accounts created years ago may still have weak or repeated passwords. This makes you vulnerable to credential stuffing attacks—where hackers use stolen logins from one site to access others. Prioritize updating your passwords for financial services, Apple, Google, Amazon, and any accounts that have already been compromised. To check this, enter your email on Have I Been Pwned.

3. Enable Passkeys Where Available

Passkeys are becoming the modern alternative to passwords. Instead of storing a traditional password, your device uses Face ID or Touch ID to verify your identity, and only sends confirmation of that identity to the site—never the actual password. This reduces the risk of your credentials being hacked or stolen.

4. Use Two-Factor Authentication (2FA)

2FA provides an added layer of security by requiring a rolling code each time you log in. Avoid SMS-based 2FA—it's prone to SIM-swap attacks. Instead, opt for an authenticator app like Google Authenticator or use the built-in support in Apple’s Passwords app. Set this up using the QR code provided by the service.

5. Monitor Last Login Activity

Some platforms, especially banking apps, show the date and time of your last login. Get into the habit of checking this regularly. Unexpected logins are an immediate red flag and could signal that your account has been compromised.

6. Use a VPN on Public Wi-Fi

Public Wi-Fi networks can be unsafe and vulnerable to “Man-in-the-Middle” (MitM) attacks. These involve a rogue device impersonating a Wi-Fi hotspot to intercept your internet traffic. While HTTPS reduces the risk, using a VPN is still the best protection. Choose a trusted provider that maintains a no-logs policy and undergoes third-party audits. “I use NordVPN for this reason.”

7. Don’t Share Personal Info With AI Chatbots

Conversations with AI chatbots may be stored or used as training data. Avoid typing anything sensitive, such as passwords, addresses, or identification numbers—just as you wouldn’t post them publicly online.

8. Consider Data Removal Services

Your personal information may already be listed with data brokers, exposing you to spam and scams. Manually removing this data can be tedious, but services like Incogni can automate the process and reduce your digital footprint efficiently.

9. Verify Any Request for Money

If someone asks for money—even if it looks like a friend, family member, or colleague—double-check their identity using a separate communication method.

“If they emailed you, phone them. If they phoned you, email or message them.”

Also, if you're asked to send gift cards or wire money, it's almost always a scam. Be especially cautious if you're told a bank account has changed—confirm directly before transferring funds.
Read more »
two-factor authentication
2FA security account protection Cyber Security Malware Threats man-in-the-middle Phishing Attacks two-factor authentication

How to Protect Your Accounts from 2FA Vulnerabilities: Avoid Common Security Pitfalls

 

Securing an account with only a username and password is insufficient because these can be easily stolen, guessed, or cracked. Therefore, two-factor authentication (2FA) is recommended for securing important accounts and has been a mandatory requirement for online banking for years.

2FA requires two distinct factors to access an account, network, or application, which can be from the following categories:
  • Knowledge: Something you know, like a password or PIN.
  • Possession: Something you have, such as a smartphone or security token like a Fido2 stick.
  • Biometrics: Something you are, including fingerprints or facial recognition.
For effective security, the two factors used in 2FA should come from different categories. If more than two factors are involved, it's referred to as multi-factor authentication. While 2FA significantly enhances security, it isn't completely foolproof. Cybercriminals have developed methods to exploit vulnerabilities in 2FA systems.

1. Man-in-the-Middle Attacks: Phishing for 2FA Codes
Despite the secure connection provided by Transport Layer Security (TLS), attackers can use various techniques to intercept the communication between the user and their account, known as "man-in-the-middle" attacks. A common approach involves phishing pages, where attackers create fake websites that resemble legitimate services to trick users into revealing their login credentials. These phishing sites can capture not only usernames and passwords but also the 2FA codes, allowing attackers to access accounts in real time. This type of attack is highly time-sensitive, as the one-time passwords used in 2FA typically expire quickly. Despite the complexity, criminals often use this method to steal money directly.

2. Man-in-the-Browser Attacks: Malware as a Middleman
A variation of man-in-the-middle attacks involves malware that integrates itself into the victim’s web browser. This malicious code waits for the user to log in to services like online banking and then manipulates transactions in the background. Although the user sees the correct transfer details in their browser, the malware has altered the transaction to divert funds elsewhere. Notable examples of such malware include Carberp, Emotet, Spyeye, and Zeus.

Prevention Tip: When authorizing transactions, always verify the transfer details, such as the amount and the recipient's IBAN, which are typically sent by banks during the 2FA process.

3. Social Engineering: Tricking Users Out of Their 2FA Codes
Attackers may already have access to usernames and passwords, possibly obtained from data breaches or through malware on the victim's device. To gain the second factor needed for access, they may resort to direct contact. For instance, they may pose as bank employees, claiming to need 2FA codes to implement a new security feature. If the victim complies, they unknowingly authorize a fraudulent transaction.

Prevention Tip: Never share your 2FA codes or authorizations with anyone, even if they claim to be from your bank or another trusted service. Legitimate service representatives will never ask for such confidential information.

Understanding these threats and remaining vigilant can significantly reduce the risks associated with 2FA vulnerabilities.
Read more »
YouTube security
cybercriminal threats info-stealing malware online safety tips phishing Technology two-factor authentication Youtube YouTube channel YouTube security

YouTube: A Prime Target for Cybercriminals

As one of today's most popular social media platforms, YouTube frequently attracts cybercriminals who exploit it to run scams and distribute malware. These schemes often involve videos masquerading as tutorials for popular software or ads for cryptocurrency giveaways. In other cases, fraudsters embed malicious links in video descriptions or comments, making them appear as legitimate resources related to the video's content.

The theft of popular YouTube channels elevates these fraudulent campaigns, allowing cybercriminals to reach a vast audience of regular YouTube users. These stolen channels are repurposed to spread various scams and info-stealing malware, often through links to pirated and malware-infected software, movies, and game cheats. For YouTubers, losing access to their accounts can be distressing, leading to significant income loss and lasting reputational damage.

Most YouTube channel takeovers begin with phishing. Attackers create fake websites and send emails that appear to be from YouTube or Google, tricking targets into revealing their login credentials. Often, these emails promise sponsorship or collaboration deals, including attachments or links to supposed terms and conditions.

If accounts lack two-factor authentication (2FA) or if attackers circumvent this extra security measure, the threat becomes even more severe. Since late 2021, YouTube content creators have been required to use 2FA on the Google account associated with their channel. However, in some cases, such as the breach of Linus Tech Tips, attackers bypassed passwords and 2FA codes by stealing session cookies from victims' browsers, allowing them to sidestep additional security checks.

Attackers also use lists of usernames and passwords from past data breaches to hack into existing accounts, exploiting the fact that many people reuse passwords across different sites. Additionally, brute-force attacks, where automated tools try numerous password combinations, can be effective, especially if users have weak or common passwords and neglect 2FA.

Recent Trends and Malware

The AhnLab Security Intelligence Center (ASEC) recently reported an increase in hijacked YouTube channels, including one with 800,000 subscribers, used to distribute malware like RedLine Stealer, Vidar, and Lumma Stealer. According to the ESET Threat Report H2 2023, Lumma Stealer particularly surged in the latter half of last year, targeting crypto wallets, login credentials, and 2FA browser extensions. As noted in the ESET Threat Report H1 2024, these tools remain significant threats, often posing as game cheats or software cracks on YouTube.

In some cases, cybercriminals hijack Google accounts and quickly create and post thousands of videos distributing info-stealing malware. Victims may end up with compromised devices that further jeopardize their accounts on other platforms like Instagram, Facebook, X, Twitch, and Steam.

Staying Safe on YouTube

To protect yourself on YouTube, follow these tips:

  • Use Strong and Unique Login Credentials: Create robust passwords or passphrases and avoid reusing them across multiple sites. Consider using passkeys for added security.
  • Employ Strong 2FA: Use 2FA not just on your Google account, but also on all your accounts. Opt for authentication apps or hardware security keys over SMS-based methods.
  • Be Cautious with Emails and Links: Be wary of emails or messages claiming to be from YouTube or Google, especially if they request personal information or account credentials. Verify the sender's email address and avoid clicking on suspicious links or downloading unknown attachments.
  • Keep Software Updated: Ensure your operating system, browser, and other software are up-to-date to protect against known vulnerabilities.
  • Monitor Account Activity: Regularly check your account for any suspicious actions or login attempts. If you suspect your channel has been compromised, follow Google's guidance.
  • Stay Informed: Keep abreast of the latest cyber threats and scams targeting you online, including on YouTube, to better avoid falling victim.
  • Report and Block Suspicious Content: Report any suspicious or harmful content, comments, links, or users to YouTube and block such users to prevent further contact.
  • Secure Your Devices: Use multi-layered security software across your devices to guard against various threats.
Read more »
two-factor authentication
Artificial Intelligence business loss Cyber Fraud cybersecurity advocate fraudulent call Identity Theft Scam Alert Scams two-factor authentication

$1.2 Million Stolen from Grafton Family Business, Sparks Cyber Security Warnings

 

Paul Fuller has revealed how his business suffered a devastating loss of nearly $1.2 million due to a fraudulent call. The caller, identifying as "Mike" from the National Australia Bank (NAB), seemed trustworthy since Mr. Fuller's company had prior dealings with a NAB representative named Mike in Coffs Harbour. 

This imposter displayed an alarming level of knowledge about the business, including recent payments made. With deceptive claims of investigating fraudulent activities, the imposter coerced the accounts manager into granting access to the company's bank accounts. In a matter of minutes, $1.2 million vanished, causing severe damage to the business.

Although NAB managed to recover $84,000, they informed Mr. Fuller that further retrieval efforts were futile. This substantial financial setback has put immense strain on Mr. Fuller, who is now struggling to maintain the viability of his business. A total of 25 families depend on the company for their livelihoods, a responsibility that weighs heavily on his shoulders.

Mr. Fuller promptly reported the incident to both the police and the banking ombudsman, though he held little hope for additional restitution. In response, the company has implemented stringent security measures, including a policy to exclusively communicate with their designated bank manager.

Mr. Fuller issues a stern warning to fellow businesses, emphasizing that legitimate banks do not initiate such inquiries over the phone. He urges against divulging sensitive information to any unsolicited callers.

In a contrasting narrative, Bastian Treptel shares his unique journey from teenage hacker to cybersecurity advocate. At the age of 14, he infiltrated a major Australian bank, pilfering credit card details. When apprehended at 17, authorities offered him a choice between juvenile detention and aiding in cybercriminal detection. Opting for the latter, he spent the next 14 years running a company devoted to safeguarding businesses from cyber threats.

Mr. Treptel likens cyber attacks to a silent menace, with many erroneously assuming immunity. He stresses that a staggering one in three individuals falls victim to such breaches, yet only 4 percent manage to reclaim their losses.

Highlighting the vulnerability of small businesses, Mr. Treptel explains that they often possess fewer security measures and more accessible funds, making them attractive targets. He underscores the evolution of hacking, now employing sophisticated techniques aided by artificial intelligence. Malicious emails or files are no longer prerequisites; even innocuous actions, like downloading images, can facilitate cyber infiltration.

Furthermore, Mr. Treptel cautions about the potential risks posed by everyday devices like smart TVs and printers, all of which can serve as gateways for cyber intrusion. He advocates for the widespread adoption of two-factor authentication as a crucial defense measure.

ID Support NSW, a state agency aiding victims of identity theft and hacking, underscores the importance of bolstering cybersecurity. Recommendations include enforcing robust passwords, scrutinizing the security of third-party systems, limiting access to sensitive information, and collecting only essential personal data.
Read more »
Subscribe to: Posts (Atom)