What mobile phone company is most secure from hacks and number porting exploits?

seatbeltnoob
Posts: 1,354 Forumite

in Techie Stuff
Increasingly your mobile phone number is your online passport. If you or anyone can gain access to your phone or sim card and receive one time passwords (OTP) then they can pretty much access your very valuable online accounts.
If you own a social media account that is one word like tiger, f16, rich etc. those social media accounts can be very valuable and trade hands for a lot of money.
If you own a domain name that's valuable - that can be worth a substantial amount of money and someone with access to your email and/or sim card can do a password recovery and take your account.
Let's not forget some banks have lax password recovery rules, paypal accounts, online crypto wallets, trading sites, etc etc etc.
I've listened to a lot of cyber security podcasts and one common targeted hack that's happening is criminals are able to social engineer a way to make the phone operator believe that they have lost their sim card or it's been stolen and convince the operator to do a sim swap. In fact, you can do sim swap online with many providers so you have absolutely no idea your phone number has become stolen and thieves can then rinse all your online accounts and destroy your lives.
I was curious as to if there are any UK networks that are aware of this cyber security issue?
Also as a general rule, if you have a big online presence and have a lot of digital assets, know that your DOB, mother's maiden name, your email etc are all probably publicly available. Your passwords are probably pwned on the dark web. Do not under any circumstances share your mobile number to anyone other than very very close friends. That phone number will be the gateway to everything.
0
Comments
-
seatbeltnoob said:
Increasingly your mobile phone number is your online passport. If you or anyone can gain access to your phone or sim card and receive one time passwords (OTP) then they can pretty much access your very valuable online accounts.
If you own a social media account that is one word like tiger, f16, rich etc. those social media accounts can be very valuable and trade hands for a lot of money.
If you own a domain name that's valuable - that can be worth a substantial amount of money and someone with access to your email and/or sim card can do a password recovery and take your account.
Let's not forget some banks have lax password recovery rules, paypal accounts, online crypto wallets, trading sites, etc etc etc.
I've listened to a lot of cyber security podcasts and one common targeted hack that's happening is criminals are able to social engineer a way to make the phone operator believe that they have lost their sim card or it's been stolen and convince the operator to do a sim swap. In fact, you can do sim swap online with many providers so you have absolutely no idea your phone number has become stolen and thieves can then rinse all your online accounts and destroy your lives.
I was curious as to if there are any UK networks that are aware of this cyber security issue?
Also as a general rule, if you have a big online presence and have a lot of digital assets, know that your DOB, mother's maiden name, your email etc are all probably publicly available. Your passwords are probably pwned on the dark web. Do not under any circumstances share your mobile number to anyone other than very very close friends. That phone number will be the gateway to everything.
How do organisations send you one time codes then?
Things that are different: draw & drawer, brought & bought, loose & lose, dose & does, payed & paid
0 -
seatbeltnoob said:
I was curious as to if there are any UK networks that are aware of this cyber security issue?
It is the provider's responsibility to minimise the risk as far as is practically possible.
If the user is too lazy, picks an easy password, doesn't bother with 2FA and then reuses that password and it gets pwned, and then used to trash an account, that's ultimately their problem.
You can have all the security and defences in the world but the weakest link is the user. And if you don't have users you don't have a business. Can't protect against apathy.
0
-
oldernonethewiser said:
seatbeltnoob said:
Increasingly your mobile phone number is your online passport. If you or anyone can gain access to your phone or sim card and receive one time passwords (OTP) then they can pretty much access your very valuable online accounts.
If you own a social media account that is one word like tiger, f16, rich etc. those social media accounts can be very valuable and trade hands for a lot of money.
If you own a domain name that's valuable - that can be worth a substantial amount of money and someone with access to your email and/or sim card can do a password recovery and take your account.
Let's not forget some banks have lax password recovery rules, paypal accounts, online crypto wallets, trading sites, etc etc etc.
I've listened to a lot of cyber security podcasts and one common targeted hack that's happening is criminals are able to social engineer a way to make the phone operator believe that they have lost their sim card or it's been stolen and convince the operator to do a sim swap. In fact, you can do sim swap online with many providers so you have absolutely no idea your phone number has become stolen and thieves can then rinse all your online accounts and destroy your lives.
I was curious as to if there are any UK networks that are aware of this cyber security issue?
Also as a general rule, if you have a big online presence and have a lot of digital assets, know that your DOB, mother's maiden name, your email etc are all probably publicly available. Your passwords are probably pwned on the dark web. Do not under any circumstances share your mobile number to anyone other than very very close friends. That phone number will be the gateway to everything.
How do organisations send you one time codes then?
I meant in public on your socials/websites etc.
0 -
There was recent mention on the forum (which I can't now find) whereby a customer of EE was able to restrict their mobile account such that any replacement SIM would only ever be issued in-store on production of photo-ID.
Might be useful to some if it were an option that was generally available but, of course, is only applicable to those mobile companies (and individuals) that have accessible retail outlets.
0 -
flaneurs_lobster said:There was recent mention on the forum (which I can't now find) whereby a customer of EE was able to restrict their mobile account such that any replacement SIM would only ever be issued in-store on production of photo-ID.
Might be useful to some if it were an option that was generally available but, of course, is only applicable to those mobile companies (and individuals) that have accessible retail outlets.
Can't speak for online options though.
Peter
Debt free - finally finished paying off £20k + Interest.
0 -
nyermen said:flaneurs_lobster said:There was recent mention on the forum (which I can't now find) whereby a customer of EE was able to restrict their mobile account such that any replacement SIM would only ever be issued in-store on production of photo-ID.
Might be useful to some if it were an option that was generally available but, of course, is only applicable to those mobile companies (and individuals) that have accessible retail outlets.
Can't speak for online options though.
Do know that to "obtain" an O2 e-SIM for a smartwatch, a visit to a physical store is required. Suspect that this is likely a limitation of their systems rather than a security measure, Vodafone have no such limitation.
0 -
Why not use an authenticator app, e.g. Authy, Microsoft Authenticator, or something like a YubiKey?
4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
0 -
oldernonethewiser said:
How do organisations send you one time codes then?
Authenticator apps are a better solution.
0 -
wongataa said:oldernonethewiser said:
How do organisations send you one time codes then?
Authenticator apps are a better solution.
Do many organisations offer that as a means of logging on to their sites?
Things that are different: draw & drawer, brought & bought, loose & lose, dose & does, payed & paid
0 -
They don't do a physical sim swap, they ask for a PAC code and port the number to their sim.
What happens is - someone gives away* your email address, physical address, mobile number, bank account number & sort code together with the password you used and your security answers. (everything except your password and security answers is public domain stuff if you look for it, giving it all away in one package, all linked nicely together is more convenient)
The big danger is if you re-used that password.
Then they hack into your email account so they can send emails from you and read all your mail, and delete mail from the server if they can read it before you.
Then they get your mobile operator to email you a PAC code. If they can read it and delete the mail from the server before you can pull it down, bonus, otherwise you are somewhat confused, as you never asked for one.
They then port your number to their SIM.
If they know your google id and password (probably apple id & password will work) they pop the sim in a phone and it builds a clone of your phone from the cloud backup you made, complete with banking apps. Now they load their biometrics into the authenticator (they have full access with email, phone number, google id & password)
And they empty your bank accounts.
If they don't, then all isn't lost, they use your bank's online portal, and follow the "I am a scammer and I want access have forgotten my details" link to get access to your accounts, using the 2FA codes that now go to their phone, and your email account.
And they empty your bank accounts.
*they claim it's a data breach (boo hoo, not our fault, big bad hackers, hand wringing time) but really it is just lazy incompetence in having all this data forward facing.
I want to go back to The Olden Days, when every single thing that I can think of was better.....
(except air quality and Medical Science)
0