TWO-FACTOR COMMENTS

For those, not as well versed in security some facts should be presented. Two-factor security is not secure.

SIM cards are widely used with mobile phones, what most do not realize is that blank cards are easily programmed with any account number. Programming machines are not very expensive and they have been used by fraud artists for several years.

Generally phones now are unlocked so that the SIM card can be swapped for a different carrier. When connected to a tower the tower receives the SIM card number along with the IMEI and the phone number. This way when a call is made it can be routed to the proper handset.

Image result for IMSI-catchers
IMSI catcher

In China a few years back, some click fraud operation targetting Tencent was uncovered. Police found hundreds of phones and several thousand SIM cards. Police worked with local telephone companies and eventually they were able to trace the culprits red handed.

A black op works a bit different. The agent makes a copy of the target SIM card and installed it into available phone. Now when a hacked account wants two-step, the cloned phone steps in. So much for security.

Cloned phones go back to the early days when miscreants made vast numbers of calls using stolen phone codes. The expected cash fiesta for carriers soon became a nightmare as clone phones became more common.

The GSM SIM card offered slightly more protection from cloned phones and for some time this was stable. In the last decade however, cloned SIM cards are starting to become more common. Cloning is rare mainly as lower cost phones and service have made mobile phones available to almost everybody. Most cloning is now done by dark ops who have some agenda.

Image result for IMSI-catchers
low cost IMSI catcher

IMSI-catchers are a telephone eavesdropping technology. This is an example of a man-in-the-middle class attack. Body-worn IMSI-catchers that target nearby mobile phones are being advertised to law enforcement agencies in the US. IMSI-catchers have been used in the US and in other countries. To circumvent this, many message services now use end-to-end encryption so that eavesdropping is impossible.

Like some of its predecessors, LTE attempts to conceal the location of a specific phone by assigning it a regularly changing TMSI, short for a temporary mobile subscriber identity. When a network interacts with a handset, it will address it by its TMSI rather than by its phone number or other permanent identifier to prevent attackers monitoring network traffic from tracking the location of a given user.

Apple has taken many steps to secure their phones and that includes IMSI-catchers etc. Security has been a focus at Apple for a long time. Simjacker isn’t the main SIM-based assault that could put telephones in danger. Ginno Security Lab has pinpointed another adventure, WIBattack, that bargains the WIB (Wireless Internet Browser) application on some SIM cards to assume responsibility for key telephone capacities.

Like its partner, WIBattack contaminates a telephone through a deliberately arranged SMS message that runs guidelines on cards that don’t have key security highlights empowered. On the off chance that effective, the intruders can send texts, start calls, direct your internet browser toward explicit sites, show a message and send location data.

Windows on the mobile network is not nearly as hardened as the iPhones are. One solution is to use the phone to connect instead of a built-in cellular modem. The big push for HTTPS is misguided. Many certificates have copied and used for criminal purposes. Lenovo even went a far as to install certificates into the BIOS which turned out to be a serious lapse in judgement. Certificates are nothing but a cash fiesta for vendors.