A terrifying new smartphone scam is on the rise
I don't know about you but I get nervous when someone uses my phone. It doesn't matter what they're using it for. You're just low level anxiety on my part because almost every sensitive thing can be accessed with that phone from my bank information Asian to government correspondence to like ten thousand pictures of my kid. It's all there. That's probably true for you as well so imagine and then waking up one day and discovering that even though your phone is still right there next to you all the data inside it all of the passwords authentication in an all your media are gone. They've been stolen by someone on the other side of the world who's now got your identity despite never getting their actual hands on your machine so your phone no longer works so you check your email and there's someone in there waiting for you may tell you they've got your phone now they want money or else and then they start locking you out of your own apps won I won. I won. I start sending you your own pictures threatening to send them elsewhere. What do you do now? I'm Jordan Heath Rowlings. This is the big story. Retest Khotak they cybersecurity expert. He's consulted with businesses institutions and police services around the world here How's it going? Excellent how are you. I'm great thank you so much for coming in. I guess you just explain what phone porting or Sim swopping actually is yes. So what phone porting is is simply early me taking my phone number and going to another carrier so traditionally what we've seen is You might have a phone with with carrier. A and then carrier be has really amazing new plan it could be more data or more minutes and or cheaper and you say you know what I really I really want to switch from carrier Ada carrier be so what you do. Is You put your number over. And this is something that that's that's it's not really new but has been something that's starting to be offered by some of these carriers a couple years ago and the reason that it started to be offered was curious how to hold on individuals because you had their phone number right. If you've got a switch you got a switch numbers to and that sucks which is which which is a pain because everything is connected to our mobile numbers now so for example two factor authentication. We might be giving our phone numbers to our friends and family and we don't want to give the mother number. We filled out applications with their phone numbers on it as well. So if you got to change your number the consequences of changing your number could be being quite great so what carriers wanted to do was make it easier for you to switch from carrier to carrier and keep your phone number to keep your digital identity and by doing this The process essentially is called phone. Importing the reason we want to talk to you. Today is because the way you just described described the way it's supposed to work. How do bad actors use it so again whenever you have a technology that's been created especially for convenience convenience and this is why I was credos created with probably the most noble intentions and that's convenience for for consumers but at the same time the same the same technology -nology could essentially be weaponized against members of the community? And that's what we're starting to see with phone porting where bad actors are doing. Essentially Sim this idea of Sim swopping or phone. Reporting without your consent to a device that they Own So essentially. They're taking control over for me personally. One of the most personal things I have. And that's my telephone number my personal mobile cell phone number and taking control of it and there's not a lot of mechanisms in place to to essentially stop it and prevented and once it's got once you've lost your number. Reclaiming it and the and reclaiming essentially your digital identity becomes that much more difficult and is a real pain. So how does it look like what do they do. So there's several oh things that that they can do. The first thing that they can do is again. This doesn't need to be Super High Tech. This could be super low tech as well. If you wanted to change your number what do you do you. Essentially you can go into a mall you can go to a kiosk and go to You can go to one of the One of the carriers yes and he can say I want to change my phone number. I WANT TO SWITCH TO I. I'm currently with With the carrier A and I wanna go to carrier and I WANNA come to your your company for whatever never reason right and the process is actually relatively simple where they'll literally go into a computer and say okay no problem we will port or your phone number over. It might take a couple days. There might be a little bit of service interruption. You show them some. Id to verify that it's that it's you and that's it and the reporting process starts immediately. So essentially that is the easiest way to to port. A phone number over there are other ways as well. L. Where people have called into carriers and they've called into carriers and they've essentially social engineered their way into making the person on the other line believe achieved there somebody else essentially the person with the number and the way they do that is through an act called spoofing and what spoofing is is. Imagine me calling you right now. L. But I'm calling you with not my phone number even though I'm using my phone or I'm using a VOIP Line which is voice over. Internet Protocol So essentially a computer. And I'm giving I'm sending you this call but the caller ID or the number that's displayed is a completely different number in we've seen Fraud with respect people pretending to be government agencies or police agencies but imagine if I use that same idea the same concept to call a carrier and I use your phone number that I've been able to obtain now as I'm calling the carrier. What's popping up on their screen? Is the phone number that I wanNA port right so put them in the mindset immediately of Oh it really is Jordan. He's calling from that number. It's immediate trust is what happens here. Is that trust all of a sudden is elevated. Because now what I gotTa to do is authenticate in some other ways. Can you please if you've ever called in with your phone number. Some and this has happened to me. They say thank you for. Thank you for calling Mr Khattak. Can you please verify your name and your address because the phone number has already populated that so now It's it's relatively simple If you know what you're doing if you're a fraudster or hacker and there's also open data of people's information that they're able to now L. culminate all this information and trick the other person on the other line to authenticate that yes. I am this person when in reality you're not and and once you've authenticiated once you know that Once they feel convinced now will you can do is say well. I want to switch my number or I WANNA change the account information on it. And he started going through that process and once you've cleaned somebody's digital identity. Now you can do just the whole a whole array of things to really cause problems and mess up. Somebody's digital life soda out of curiosity when we talk about phone spoofing and just how easy it is. Just a trick somebody. Would you like to see a demonstration. You're going to spoof me or call me from a spoof number. I'M GONNA I'M GONNA call you and make it seem like you're getting a call all from I don't know who would you like What number would you like to appear make? It seem like a pizza. Pizza's calling me. Just for fun okay. So you know the number I will write down mine not saying my phone number on the Erica's enough people will like that. They are right. Well let's put the phone number and let's hope that this works so I'm calling you. I'm calling you from my phone. So here's the call and what number number has appeared the famous pizza pizza number. How calling my cellphone? How `bout you answer the call? Okay Hello Hi this is Pizza Pizza calling your pepperoni pizzas ready for delivery. The only thing I need you to do is verify your social insurance number your password and your home address. I just listened to a podcast about this so I'm not GonNa do that. Go by any and you can see with a couple loosely. A couple clicks on a free APP. Just how simple it is to fool somebody now again. We knew that this was happening but imagine putting noise in the background. Imagine altering voice a little bit and you could really trick people. Now if I called into a carrier using this type type of technology Right off the bat they would have my phone number or the spoof number and they would actually believe that the number is is real. Give me some examples examples of what these people do once. They've managed to report a number so once. You've ported a number one. I have that phone number. It's what can I do well. There's a couple of things I can and do. For example would we actually use our number four now we use it for two factor authentication. So so what is two factor authentication. It's essentially when I log into a website. I mean I put in my user name but I might say forgot password. I don't have my password so I click on forget password and what is do it. Sends you a text message with the code. Well the tex-mex if I have that phone number now. That text message is not going to you Rightful owner is coming to me. Bad fraudster and now that I have that number number I can put that into into the portal and with a couple of clicks. I change your password. I now got access to your email. Once I get access to your email. What are you using your email to authenticate with well? Maybe your social media profiles now. I got access to your social media profiles and I changed Password and changed the phone number. Used to log in and you also have sensitive information on there you might be using You might be using backup drives online drives. There's there's a lot of popular ones out there where your photos might be automatically sinked to the to these drives. Your videos might automatically be sinked so now I got access to your emails. I got access to your profiles files I got access to your phone number and I got access to all your pictures and videos now. What I can do is essentially one of two things and the most common thing that people will do do with this with this type of data is going to come and try to extort? You might say we got this video of you are able to get this private photograph of you and if view what your identity back is going to cost you two bitcoins. Three BITCOINS and the rest. It just keeps ballooning from there so it gets very difficult to reclaim your identity back so once you once we've crossed that line once we've gone over it kind of getting are getting our digital identity back becomes that much more difficult. What is typically the first signer one of the first signs that somebody is trying to do this to you? So what you might see is activity activity on on your account so you might see for example emails coming in that somebody tried to access your account you might as also see Log Log in information coming in to your to your email as well if you'd have it properly set up if there's any logging that might happen from an Ip address or computer that you haven't previously logged in from there might be a notification there might also be notifications with respect to the system because member these fraudsters don't need to be near in geography's not a barrier anymore. They can be essentially anywhere in the world. So you might also see These loggins coming from or a potential log INS coming from some across the world so those are kind of like the first signs that something fishy might be going on. Doesn't necessarily mean phone porting. Maybe they're just going in and saying forgot password or they're trying to do what's called brute force into your account. We're trying to guess your password or say forget password and then you have a bunch of security questions or challenge questions. Yeah and if you make those challenge questions really easy to guess what was my first car and there's a picture of you saying. Hey take a look at my first car on facebook right. It's it's hackers and fraudsters are will be able to piece two and two together and kind of guests their way into your account the most common one that I see his. What's my mother's maiden name? Of course please do not ever give your mother's maiden name as a secure as a security challenge question you might have again again on your social media profile the name the name listed you might identify or tag your mother in a photograph and then and then Oh at my parents house right my grandparents house and obviously the name there would be the maiden name there's also potential court records and and other databases where the maiden name might actually be he listed which is relatively easy for fraudsters and hackers to come by but you see these types of questions and then once hackers and fraudsters are able to infiltrate infiltrate your account? Then you'll start seeing things such as I'm not able to log into my counts anymore. Phone calls have stopped. I'm not getting text messages. You you might see alerts from other other APPs for example messaging APPs that saying Phone has been changed. Or can you please verify A new device they start seeing these alerts alerts popping up and then try to call your number and imagine that feeling in the pit of your stomach when somebody else picks up. Yeah which has happened as as well. So it's kind of it's not just with the snap of a finger. It's been ported and all your accounts and everything is gone. You'll start seeing little bit. You'll start start seeing some signs some activities here and there and you need to act as quickly as possible to ensure you're able to regain your digital identity and keep your your your telephone number which is used for so many different things today. What's your first Stephan? The carrier the police so again if there's extortion there's fraud the filing a report with the Police Service. There's a Canadian anti-fraud center those are all viable options to my first step would be to call the carrier to to call my service provider and say there's something fishy going on here and I need help and they will have people on staff who can look up if your phone's being ported boarded mechanisms in place. there's probably call history and logs that are available that they can sort of try to investigate and pieces different pieces of the puzzle together to know. Actually something fishy is going on here and you might be a victim of illegal foreign porting or even the identity theft and that kind of then balloons into secondary steps of what of what needs to be done to either. Stop the process or for for you to regain your digital identity back. How difficult is that once? It's been stolen like what's the process of kind of reclaiming you painted a picture of so many accounts accounts in so many places that this information can can grant access to unfortunately it is extremely difficult to gain to gain to gain access back and to reverse the process and the reason for that is because our lives are so digitally connected to these to these APPs to these platforms it forms We use your phone for just about everything. Imagine the what would happen. If you've not only lost her device and you don't have access assists the phone number for days if not weeks Minutes an intimate part of our lives. Now there's no there's no doubt about it. This is a part of our identity now rate it's a a part of our not only our digital identity but also our physical identity. Our entire lives are on these devices. Like just if I lose my phone the pictures that I have on the videos that gotta have on at all the memories that have on that is very important to me in very intimate to me and losing. That would be devastating to most people and I think that and his wife fraudsters are really prey on individuals because they know how valuable these types of this type of data is to them and people will pay for it and unfortunately unfortunately that's a situation and and people get victimized as a result of it and this can happen to anybody his this. This could happen to me. There's is not enough mechanisms in place to prevent something like this from happening. There's a lot of work being done but again there's not enough mechanisms in place and as a result people will get victimized and continue to be victimized. What kind of mechanisms could be emplaced? That would actually help nip this at the start of the process. So it's one thing thing to call a carrier or to to call a platform and say I have a question about about my account or I want to change my plan or you might see a plan where you have unlimited data or something or something that you really want. That's a that's a great deal and you give them McCall and you say I need to change US okay so I kind of want to break this down in threshold that to me is a lower threshold of verifying identity again. It's important but if I want report a phone number I would think the mechanisms and steps in place it's a it's a higher bar and a higher threshold because of the consequences if it's done on wrong so there needs to be more again much much better ways of verifying identity. So how would you do. That is the question. Here's the simplest way way to do that. I call the carrier. I WANNA put my phone number. This is my This is my phone number now. They might have spoofed the number as well which we discussed earlier. Okay thank you Mr Kotok. Not a problem. We're going to hang up and call you back just making. That step alone will solve the problem because Louis absolutely absolutely because if it's a spoof number it's me calling with Through my cell phone or through my voip line making it look like it's your phone number so if I call that number back my cell phone will ring and if that person can pick up and verify that Yes I've authorized as phone pointing to happen. That is so so should be a signal. So that's probably the simplest way to prevent this this. It's not that we need to invest Millions or billions of dollars just some common sense policies here would in itself probably prevent the bulk of this from happening. There is another element of it as well as we said we can go. We can walk into a kiosk us at a mall and say I wanNA switch carriers and are the people at those kiosks actually trained to again verify identity. How do you know that identity? He's not fraudulent. It's how do you know that right. And those people are incentivized. I guess to get that switch right like you want that person to switch over to your company absolutely the believer absolutely and and it's it's it's it's business for you. It's it's a sale. And you WanNa do you WANNA get the sale but in the process are you you not putting the same scrutiny. On verifying the individual's identity especially because of the risks that are associated with it so having a a a a period before that phone number actually gets ported where additional mechanisms are put in place where there's additional verification more scrutiny. Again calling that number and having the person verify that Just enough why I we are importing. Your number on this date. One verified that all the information is accurate and unless unless you get that verification don't poured it right. It's it's as simple as that or technical solutions as well that are that are being discussed especially in the United States. We're seeing some of the stuff in some of these some of these discussions in in Canada and that S- again through a mechanism of preventing phone. Spoofing I'm from social engineering tricking. The person on the other line that you are who you are. We'll you you've worked with law enforcement agencies. How prepared are they to deal deal with this kind of crime? And how quickly do they need to adapt when it comes to the enforcement aspect of. Not only this this crime but just I digital crime. In General Handri's box has been opened. And there's there's an influx of these types of of these types of incidences. So what you've seen Dina's before we had physical physical crime where it's really easy to pinpoint an individual or or do and what's not easy actually very difficult But to actually do through a physical investigation now that physical investigation has gone digital. It's virtual it's in the cyber world where victims and And fraudsters could be located anywhere in the world where they can hide behind. VPN's virtual private networks masking their virtual address. Which is an IP address compared to a physical address and they can essentially use technologies to make it very difficult for law enforcement to catch these individuals etchells also the payment mechanism? It's not meet me at the park at six. PM for further instructions. And there's a note that says leave the bag of money any behind the bench. No it's done through crypto currency decentralized currency. That's almost impossible to trace and and it's done through an and that's done by purpose and the reason that's done is the anonymity is now. I can be anonymous. I can be behind behind the the virtualshield essentially the virtual cloaks sort of Harry Potter. You just throw a cloak on and you disappear. This is exactly exactly that and I'm disappearing during virtually bitcoin gone. It's gone it's gone. Good luck tracing it and and getting it back to the best thing to do is just be aware for any any strange log log in from anywhere the best thing to do is yeah. Unfortunately there is no highway until it happens and try to catch it right away anytime. There's something suspicious going in on and you start getting those alerts right away I would do. I would contact out. Contact the carrier now. Even even carriers are aware that this is this is happening and they are taking certain steps to protect their clients their consumers such as again try calling the consumer but again it's a hit and miss is let's all a race right like these guys as soon as we have a new Verification Process they're going to be trying to get behind that it is a race and it's also Lacombe. Oh so I might be able able to take one element or one type of hack or or fraud component down by three new components pop up that I never thought thought of before and this is what we're dealing with in the social cyber digital world and what we need to get a lot more nimble at dealing with. This is not something something that we need to continue to commission reports and continuously research because the fraudsters don't play by the same rules gotTa Hack. They'RE GONNA they're gonNA exploited waited so organizations need to figure out a way that we're we can be a lot more agile and deploy mechanisms to protect consumers to protect individuals especially for something as intimate as as cell phones and your digital identity. Thanks so much for helping us Explain this well. Thank you so much for having me retest. Khotak cybersecurity expert. That was the big story. You want more from us. You can head to the big story. podcasts dot ah you can also find us on twitter at the big story F. P. N.. And of course everywhere you get podcasts. Specially on your phone. We're right there apple apple. Google stitcher. spotify doesn't matter you can find us rate review five stars whole deal thanks for listening. I'm Jordan Heath Rawlings. We'll talk tomorrow the.