
Special note for Ubuntu users

Breakfast Bytes podcasts are streaming MP3. In order for Firefox on Ubuntu to play the streaming MP3, install the GStreamer extra plugins that list MP3 as one of the supported formats. GStreamer can be obtained through the Ubuntu Software Center.

Breakfast Bytes - Sim Jacking

11/17/2018

SIM Jacking, TruthFinder, Why SMS-based MFA is very risky

MP3 - SIM Jacking, Truthfinder, SMS MFA Risks


TruthFinder Evaluation

TruthFinder is a website where, for a fee, you can access a lot of publicly accessible information. You may want to look yourself up on this website to find out how much information is publicly accessible about you. Be aware of the following aspects of the information presented.

  • Not all criminal record information is complete
  • Associates or people links may be false
  • People who have a lot of social profiles are going to have a lot of information exposed
  • Some types of professional licenses are exposed while others are not
  • Some of the data can be hard to interpret, especially lien data. You may not be able to sort out why those liens existed or if they are still outstanding.
  • It is interesting that registered sex offenders in your area are listed for you
  • Neighbor information for an address is usually available
  • Thankfully, SSNs are not published

I really only see value in using this website on a one-time basis, NOT as a subscription. Use it to assess the risk that you or your family members face associated with information that is publicly available. If you choose to try it out, be very careful about not getting sucked into their subscription model and their seemingly endless add-on fees. You will see one fee presented, but assume you will get add-on fees that will double that cost, and you must actively cancel the subscription before the next month's renewal cycle occurs.

DO NOT give them your cell phone number or home phone number. DO NOT get sucked into that. And do not fall prey to the game of paying a monthly fee for them to not show your information to other subscribers. Your publicly available information could simply be obtained from another site.

SIM Jacking

SIM jacking is where someone convinces your cell phone provider to route your phone number, and all the services associated with it, to a different IMEI number. That could be a different SIM or a different flip phone; regardless, you will no longer receive calls or SMS text messages. The bad guys now receive that content and can use it to get past any multi-factor authentication layers that rely on it.

Virtually everyone who has ever publicly posted that they have Bitcoin has been a victim of SIM jacking.

Check your cell phone provider account to ensure that you have a custom PIN set up, in order to provide another measure of protection against your phone number being stolen.


Why using your cell phone for SMS-based multifactor authentication is very risky

Don't use SMS-based methods for MFA if you have an alternative. A much better option is a sophisticated authenticator app that runs on a device that is NOT vulnerable to hacking through a SIM card. It is possible to send a maliciously crafted text message to a phone and compromise it. The hacker then has remote, stealthy access to and control over the microphone, camera, content, emails, text messages, etc. They can also capture the keystrokes of whatever you type into the phone, such as the PIN for your voicemail or username/password combinations for accounts.

For the systems where you must use SMS for MFA, a better option is to receive those messages by a more sophisticated method than your cell phone, which can so easily be hacked or have its number stolen. This requires you to obtain a phone number that is not tied to your personally identifiable information yet still supports voice and SMS, so you can still receive those forms of contact.

And no, a Google Voice number is not going to do this for you.
