If a scammer phones up a Telco and says "I have had my phone stolen and I want to swap my phone SIM", the Telco support staff should call the number of the "stolen phone" to see who answers it. If the phone has not been stolen then the true owner of the phone will now be speaking to the Telco support staff member. Problem solved.
Plus due to the rampant data breaches, etc, nobody answers numbers they don't know anymore because they're usually scammers or robocallers. I'd say save the number for customer support in your contacts, but there's no knowing what number the actual dept or employee will call from. Then there's the fact that we sleep and do other activities where we have phone set to silent or can't be near our phone. That'd be a full time job just trying to catch that one call. Assuming they always use the "my phone was stolen" social engineering excuse, cell companies should require a police report first. Phones aren't cheap. For starters, best thing you can do use a service that limits it's SIM cards & doesn't do eSIM without getting their physical SIM first. Some service providers only sell their SIMs at one store chain, and that store won't sell them online. No matter what, you use this provider, someone's gotta go in person to buy the SIM where they'll be caught on surveillance cameras. It's a deterrent. There's also less data out their tying your identity to a pay as you go provider. They don't require SSNs or PID to activate a brand new SIM, and they do contact the prior service provider before they port that existing number. I recall it taking upwards of 3 hours dealing with CS when I switched to a pay as you go provider. I believe somebody tried to SIM swap me 2 days ago, because I got a text from customer service asking to rate their service or contact them if I need anything else. The text was legit, not phishing. So I immediately tried to login to my acct, but it kept giving an error that my acct was "invalid." Their site has become a nightmare, so it took a very long time to finally locate "forgot password" (it's not on login menu), which required me to 2FA from SMS several times to get there, and then again to select reset option. From there, they emailed a link to reset that expires in 10 min (wouldn't work with any DNS or browser ad/tracking blockers enabled), and yes, if your email's been hacked, this is extremely problematic, but they do continuously require SMS code authentication & I use an email proxy so no one can use that email address to login to the email itself. The site was buggy as hell, but I was finally able to change my password, pin, etc - and since I had to know my SIMs SN to activate, I saved it, and carrier showed my number's still on the same SIM. So, hacker waisted their time, and now my acct's on lockdown. In my case, I use a proxy email address that can't be used to login to the actual email acct. This "hidden" feature is avail free with free some email services, it's just not an advertised feature so you have to dig and it can't be an annoying process to set up. It's worth it given it helped me avoid a doomsday scenario when my extremely old email was compromised in multiple data breaches and there were tons of login attempts presumably to reset other acct passwords. I was able to keep the email without having to manually change email login on dozens of accts by creating a proxy email and swapping it to be primary, and then blocked logins from the compromised email address. For all important accts now, I use proxies for login and compartmentalize which email addresses I use for different security levels (i.e. banking, social media, cloud, personal, retailers, etc).
@@ShannonMorse Message in a bottle..., Ive been social enginered, in sweden (didnt know they had customer support in swedish) I got hit by roaming mantis, cosmicstrand, both UEFI / lojax full control and a variant of xhelper. They have access over my gmail, and I cant do anything. Ive even tried installing linux with n external USB, but they have UEFI access so didnt succeed. Im alone here, so if someone see this. Please help me! they have control over my number with simcard jacking introduced after getting full access on one phone. Everything since rented out my appartment and they didnt pay rent so i cut internet, then I can see in the loggs (afterwards) tried to get free internet from me. That open the backdoor on my huw awei router and now my asus laptop, zenfone 9 , my girlfriends mac and her iphone. They have supershell access to this computer, and i dont even no if this comment will end up and your place shannon . But IF it do, please help me! i have lost everything and have nothing, i cant even pay my re nt. All accounts down. Im just a teacher and have been sick for 3 weeks now trying to solve this. But its not possible. If you help me I will be one of your paying subscriber forever. I worked with IT a long time ago (2011) I have done everything I know, but cant stop it. They just gaind more access, now having it all. THese 3 weeks of h ell making all my devices rooted with different malwares. DNS rerout, cookie poison, server cookie poison, everything. My m 4li is 1 a t u r ld o t1 with the last numbrs being the numbr equalent to letters. please somebody, help.
Message in a bottle..., Ive been social enginered, in sweden (didnt know they had customer support in swedish) I got hit by roaming mantis, cosmicstrand, both UEFI / lojax full control and a variant of xhelper. They have access over my gmail, and I cant do anything. Ive even tried installing linux with n external USB, but they have UEFI access so didnt succeed. Im alone here, so if someone see this. Please help me! they have control over my number with simcard jacking introduced after getting full access on one phone. Everything since rented out my appartment and they didnt pay rent so i cut internet, then I can see in the loggs (afterwards) tried to get free internet from me. That open the backdoor on my huw awei router and now my asus laptop, zenfone 9 , my girlfriends mac and her iphone. They have supershell access to this computer, and i dont even no if this comment will end up and your place shannon . But IF it do, please help me! i have lost everything and have nothing, i cant even pay my re nt. All accounts down. Im just a teacher and have been sick for 3 weeks now trying to solve this. But its not possible. If you help me I will be one of your paying subscriber forever. I worked with IT a long time ago (2011) I have done everything I know, but cant stop it. They just gaind more access, now having it all. THese 3 weeks of h ell making all my devices rooted with different malwares. DNS rerout, cookie poison, server cookie poison, everything. My m 4li is 1 a t u r ld o t1 with the last numbrs being the numbr equalent to letters. please somebody, help.
In Malaysia, SIM card replacement requires walk-in to nearest mobile center, inserting the national ID to a validator device, scanning a thumbprint to validate ID ownership before proceeding to print the SIM card. New SIM Card registration requires a national ID or Passport for foreigner. Liability falls on the registrant if the number is used for criminal activities. You can keep same phone number even if you switch carriers
Every time I think of security, I think of this: You are the weakest link. Humans should not be trusted with security of any kind because we are fallible and easily corruptible. SIM swap should not be allowed over the phone or email, only in person, face to face, complete a form and it must be signed by the customer, the agent and a higher up at the company. Companies should take responsibility for their failures in security. It astounds me on the lack of foresight when they hire people to work in an environment where they have access to personal information of people, yet they have ZERO security clearance.
@@ShannonMorse With the increase in SIM swap fraud, people should also move away from OTP authentication and rather let them send the code request to a secure email. Another thing would be to use supplied security certificates on transactional devices which should remove the SIM swap problem.
More and more use prepaid phones. Your idea only works if you have a contract. Or if you can go into a store. Even then you have to have an 'account' most of the human race does not. I had a phone years ago. All I had to do was turn it on. I had a number.
@@jamesedwards3923 Where I am from, if you do not use the number for 3 months, it is gone. Secondly, all numbers in use must be on the "RICA" system. All numbers are connected to a SIM, a person and that person's address. Unfortuantely only one bank here requires physical presence when activating cellphone banking with a working and registered SIM and phone and during setup the client's phone setup, a form is signed and finger prints taken. A really secure setup. If client's phone or SIM changes, these steps will need to be repeated. Prepaid and contract are all registered.
Here's my tip after getting SIM swapped weeks after I switched to a new carrier: Request upgraded security on your account. That means that the carrier will disable you from accessing your account on their website to make any account changes. Your 8 digit PIN code won't work. The only way you can make changes to your account is to go in to a corporate location and show them your ID or provide an alpha numeric password that you set up when requesting the security upgrade.
Never give your SSN to anyone who isn't paying you or your financial institutions - both for tax purposes. The healthcare industry is notorious for asking for SSN - write in DECLINE. They only want it to be able to send you to collections if you don't pay your bill - you should pay your bills. Without a SSN, it is extremely difficult to send you to collections. And lock all of your accounts on the major credit reporting agencies. It's easy enough to unlock them temporarily if you authorize a credit check.
Thank you Shannon for this much needed information. I am currently going through some troubles with every phone I get. For some reason I feel like I'm not doing something right from the time I turn the phone on until I break it or buy a new one. It's very frustrating. I just wanted to thank you for the work your doing and information you have made available.
I would love to transition to not having a cell phone at all, and I would love to hear from you or others about ways to transact with banks and businesses and the world without owning a cell phone.
a little late to the watching this video! lol! I work in fraud for a big communication company and the biggest thing a person can do to protect them self is protect your phone number and your email. You give real good advice!!
Sharp lady and great advice. Not technical myself, I notice you have great color for your nails, they are short enough to indicate you work for a living. Best
Hi from 2021! I have been planning, dreaming, learning about starting a TH-cam channel but I'm a really private person and I have been so worried about safety. This video is really helpful, I took notes and I'm going to follow your advice. Thank you!
It's hard work, but I recommend not providing correct PII if possible. You need to record what you tell the website and I find that a password manager is convenient for that. I also suggest not storing payment details in the account if possible. It might be inconvenient to re enter CC details every time you but something, but it's one less thing to leak in a data breach
Hey Shannon, I hope you do more videos like this even after this mini series is over! Threatwire isn’t often enough for me to get my Shannon-Tech fix. It’s been hard on me since Tekthing ended. 😉Seriously though, you’re one of my favorites and I love all your content. A++
Yes, please! Your 30 day challenge you did a year or two ago sparked my interest in the subject. I view everything differently now and am in a much better position after implementing as much of the suggestions as possible. Thank you for that! 🙏🏻
AT&T wont make those changes without seeing your state DL. But the carrier should then be liable for not verifying the true identity of the customer!!! More law suits coming now doubt.
@@garynagle3093 you commenting that you should change it to your favorite song lyric is now info that someone could use. Another tip: never talk about what your Security answer is or what its about.
In Australia, you only need DOB, address and phone number to sim port. Once a telco has had the request to port your number, they must do it by law, even if the authorised account holder tells them not to. The only way to protect yourself is to move house or change your phone number, or lie about your DOB, which apparently is an offence under the act.
In terms of setting a PIN code for locking up cell phone SIMs, should it be plain numbers or a mixture of numbers and letters? I saw some SIM card with an alphanumeric code on the card packing. Secondly, will 4 digits be adequate or should it be at least 6 digits?
Secret Questions are an excellent old fashioned tool for authentication. They are easy to change and easy to store in alternate locations. In an encrypted state of course.
warning: i tried setting up a pin on my unlocked iphone6. I turned on sim lock and it asked to enter a pin code. Entered my new code twice and said that it could not lock the sim. I then tried to disable sim lock and it asked for a PUK code. I have no memory of ever locking the sim on this phone and had never heard of it before this video so its highly unlikely the sim was locked already. I had to call tmobile for a PUK code. what a pain!
Better: Park that phone and get a life. (I.e., stay off social media.) And use a laptop/desktop when you want or need to be online - those are 10,000x better than a phone.
My hacker also listens to my sim calls live distorts the line & drops it just to be annoying is this still a sim swap attack or is he using some sort of Tower near where i live to intercept the line?
At over seventy years of age it becomes difficult to jump over these high mental fences. When asked to choose three out of eight security question, I only knew one. ( this is the first one of your videos I have seen).
5 ปีที่แล้ว +1
I dont how but in Turkey, Banks uses one time code and if sim card change new one they stop one time code until you call customer services or going to atm.
Domestic violence survivors are often victims. I have experienced every device I obtain hacked for many years and now sim swapped. Perpetrators work together and make it impossible for their victims to use technology without being hacked & cyberstalked. Sim swappers have turned off my phones. They also seem to enjoy having their victims use the victim phone while they watch and perpetrate all kinds of destructive acts against their victims. I tried only accessing my telecom account at their stores. Telecom employees copied my IDs many times. My service and accounts became even worse; with my identity seemingly stolen. How can a domestic violence and stalking survivor of extremely intelligent, high tech perpetrators possibly move forward??? 😓😓😓
You are a cute letting us know about this threats. I was hacked so many times. Last time I couldn't use my Facebook or WhatsApp sending OR receiving photos, videos or voice message. Thanks for your help. I am appreciating it.
Ha-ha, so somewhere there in "advanced OmeriGa" one can call mobile provider and ask to switch SIM based on statement that the caller is a real owner of a "stolen" phone, even without presenting himself alive to the provider service center to prove the identity of a subject?
Its not clear to me that put a pin or passcode in the SIM card would avoid cloning the phone number. Because that PIN is for my physical SIM card, inside my phone. Does it sync to any SIM card created for that specific phone number?
This information is great. Too bad that the way I found this video is because I was SIM swapped and over $11,000 was stolen from me. But going for are, I will use some of these tips.
Hi, just a thought here, how about having another phone or with a dual sim phone have another sim purely for all finances, ie banks, crypto exchanges ect ect and not used for anything else, ie phone calls messages ect. And furthermore, on this phone have a sim pin/passcode?
Important question. To open up a new phone number for 2Auth they need my official name, which means that it will go to the white pages, and even if I never give my new number to anyone, a hacker could still find it on the white pages. Do you have a solution for that? Please help!
if someone called up and gave the wrong birthday or mothers middle/ maiden name or something that could not be remembered wrong and the company doesn't or can't report that to authorities they are partially/ unintentionally allowing ID theifs to incentivise their efforts. Collecting statistics like that might at least give some insight on how rampant ID theft is in different areas
Hi, Can you make a video about SIM LOCK, this feature available in Android and iPhone. How is the sim lock work? Would it prevent SIM SWAP? AND further more about Esim. Would Esim prevent sim swap since it's not a physical sim card? Thanks
Funny how we all are required by LAW to walk-in in person when we open (even if it is a zero-balance) bank account to protect THE BANK and the TAX AUTHORITY's interests of being able to open a bank account to a non-existing or false identity person. But when it comes to keeping our money safe, the main key to our bank account is easily given away to anybody over the phone.
Even if the scammers get the SIM card working on anew phone and they now have access to your apps, messages, emails, etc. how can they drain your bank accounts if they don’t know the usernames and passwords?
If you have account resets or password resets tied to your phone number, that can be used to bypass the original password. Because they would receive your text messages.
Also, stop putting one's life online. This makes social engineering easier because a person would not have to speak to that person to get what they want
But I don't get it. Wouldn't the persons phone they just called customer service to sim swap and activate their phone cause the persons phone that was swapped service to shut down? Thus, disabling the victims phone would suggest they wouldn't try to use any 2FA push and making any intercepts unlikely.
When I switch my sim or esim to a new phone, my old phone never shuts down. The ONLY thing that happens is the little icon at the top changes from showing me 5g to showing me wifi only. If someone doesn't notice that they'd have no clue their phone number was swapped.
Why is it hard to believe? I review phones and swap my sims in between them at least once a month. I've also don't over 2500 videos about sec/priv (my OG channel is called Hak5). I think I know what I'm talking about.
Which is why manual backups of data to the cloud is my preference. Whether you use a zero knowledge backup provider like spider oak. Or some other cloud service. If you encrypt the data with layers of encryption and multi factor efforts. The data should be reasonably secure. Encrypting a file in a simple encrypted file and then encrypting that file in another file. Is the easiest common sense approach. So even if an inside man compromises a cloud service and extract your encrypted file. They would have to attack all the layers of encryption. For example PeaZip allows for keyfile encryption. Typically most people do not use keyfiles for a zip file or a .7zip file. Which means a typical hacker will normally not account for that vector. Depending on the software applications. You can use key files or hardware keys. This is why you must actually sit and ponder how you are going to secure your data.
Does the USB hardware key have a password as well to use it, for example if someone did steal it from you they would they still not be able to use the hardware usb key due to needing a password or is it just plug it in and it just does what it needs to do? Great video thank you so much.
I have a yubikey and you can enable a password for some of the key's features. You can actually store the same type of 2fa time based TOTP codes that authy uses on the yubikey and use yubico authenticator to view the codes. For that you can protect it with a password. For Fido U2F, which is the method you would use to register the key with your Google, Facebook, Twitter, etc account. For that, I don't think you can protect the yubikey with an additional password. But keep in mind it's a second factor, so they would need your login username + password + physical posession of your yubikey to gain access to your accounts and if they could get all 3 of those things from you, then they could probably steal that additional password too. If you're gonna buy a yubikey, you should ALWAYS buy two and register both of them with all the same accounts so that if you were to lose possession of one of them, you would still be able to access everything.
Miss mamas came thru with all this Information ℹ️! Great video Totally explains why I don’t get half of the text messages I used too. Lol 😂 silly rabbit 🐰
Great explanation and very useful tips; especially number 7. However, it seems like SIM swapping is not something hackers could get away with for a long time as I should almost immediately notice that my phone is no longer working. Or is there another more subtle way of getting away with this?
Its more like they can start attacking so fast oncce they have the number they hope you take at least 15-30 mins to recover. That way they can exploit your email's SMS recovery or bank SMS recovery and by then theyre into all the important accounts of yours. If they lose the phone number after that its not a big deal because they already got the access and have changed passwords etc... Especially if you have crypto coins somehow linked thru emails that get compromised. It can be devastating. It isnt meant to be a long con. It's more like "swap it, now exploit as much as possible as fast as possible"
Ostensibly, if you have a PIN set up and someone calls to change your sim to another card, they will have to give the correct PIN. BUT do not put any faith in pins, because carrier agents have the power to go around PINs, if the criminal can give enough of your personal information to convince the agent, then theyll void the PIN and swap the sim over. Best course of action is to simply give no power to someone who gains your phone number. No reocvery sms, no sms 2FA, nothing for any important accounts.
Cloaked Wireless solved SIM swap attacks. So glad I moved my number to them.
If a scammer phones up a Telco and says "I have had my phone stolen and I want to swap my phone SIM", the Telco support staff should call the number of the "stolen phone" to see who answers it. If the phone has not been stolen then the true owner of the phone will now be speaking to the Telco support staff member. Problem solved.
If only telcos would do this before swapping the sims!
That does not work for the paid bribed insider.
Plus due to the rampant data breaches, etc, nobody answers numbers they don't know anymore because they're usually scammers or robocallers. I'd say save the number for customer support in your contacts, but there's no knowing what number the actual dept or employee will call from. Then there's the fact that we sleep and do other activities where we have phone set to silent or can't be near our phone. That'd be a full time job just trying to catch that one call.
Assuming they always use the "my phone was stolen" social engineering excuse, cell companies should require a police report first. Phones aren't cheap.
For starters, best thing you can do use a service that limits it's SIM cards & doesn't do eSIM without getting their physical SIM first. Some service providers only sell their SIMs at one store chain, and that store won't sell them online. No matter what, you use this provider, someone's gotta go in person to buy the SIM where they'll be caught on surveillance cameras. It's a deterrent. There's also less data out their tying your identity to a pay as you go provider. They don't require SSNs or PID to activate a brand new SIM, and they do contact the prior service provider before they port that existing number. I recall it taking upwards of 3 hours dealing with CS when I switched to a pay as you go provider.
I believe somebody tried to SIM swap me 2 days ago, because I got a text from customer service asking to rate their service or contact them if I need anything else. The text was legit, not phishing. So I immediately tried to login to my acct, but it kept giving an error that my acct was "invalid." Their site has become a nightmare, so it took a very long time to finally locate "forgot password" (it's not on login menu), which required me to 2FA from SMS several times to get there, and then again to select reset option. From there, they emailed a link to reset that expires in 10 min (wouldn't work with any DNS or browser ad/tracking blockers enabled), and yes, if your email's been hacked, this is extremely problematic, but they do continuously require SMS code authentication & I use an email proxy so no one can use that email address to login to the email itself. The site was buggy as hell, but I was finally able to change my password, pin, etc - and since I had to know my SIMs SN to activate, I saved it, and carrier showed my number's still on the same SIM. So, hacker waisted their time, and now my acct's on lockdown.
In my case, I use a proxy email address that can't be used to login to the actual email acct. This "hidden" feature is avail free with free some email services, it's just not an advertised feature so you have to dig and it can't be an annoying process to set up. It's worth it given it helped me avoid a doomsday scenario when my extremely old email was compromised in multiple data breaches and there were tons of login attempts presumably to reset other acct passwords. I was able to keep the email without having to manually change email login on dozens of accts by creating a proxy email and swapping it to be primary, and then blocked logins from the compromised email address. For all important accts now, I use proxies for login and compartmentalize which email addresses I use for different security levels (i.e. banking, social media, cloud, personal, retailers, etc).
@@ShannonMorse Message in a bottle..., Ive been social enginered, in sweden (didnt know they had customer support in swedish) I got hit by roaming mantis, cosmicstrand, both UEFI / lojax full control and a variant of xhelper. They have access over my gmail, and I cant do anything. Ive even tried installing linux with n external USB, but they have UEFI access so didnt succeed. Im alone here, so if someone see this.
Please help me! they have control over my number with simcard jacking introduced after getting full access on one phone.
Everything since rented out my appartment and they didnt pay rent so i cut internet, then I can see in the loggs (afterwards) tried to get free internet from me. That open the backdoor on my huw awei router and now my asus laptop, zenfone 9 , my girlfriends mac and her iphone.
They have supershell access to this computer, and i dont even no if this comment will end up and your place shannon . But IF it do, please help me! i have lost everything and have nothing, i cant even pay my re nt. All accounts down. Im just a teacher and have been sick for 3 weeks now trying to solve this. But its not possible. If you help me I will be one of your paying subscriber forever.
I worked with IT a long time ago (2011) I have done everything I know, but cant stop it. They just gaind more access, now having it all. THese 3 weeks of h ell making all my devices rooted with different malwares. DNS rerout, cookie poison, server cookie poison, everything. My m 4li is 1 a t u r ld o t1 with the last numbrs being the numbr equalent to letters. please somebody, help.
Message in a bottle..., Ive been social enginered, in sweden (didnt know they had customer support in swedish) I got hit by roaming mantis, cosmicstrand, both UEFI / lojax full control and a variant of xhelper. They have access over my gmail, and I cant do anything. Ive even tried installing linux with n external USB, but they have UEFI access so didnt succeed. Im alone here, so if someone see this.
Please help me! they have control over my number with simcard jacking introduced after getting full access on one phone.
Everything since rented out my appartment and they didnt pay rent so i cut internet, then I can see in the loggs (afterwards) tried to get free internet from me. That open the backdoor on my huw awei router and now my asus laptop, zenfone 9 , my girlfriends mac and her iphone.
They have supershell access to this computer, and i dont even no if this comment will end up and your place shannon . But IF it do, please help me! i have lost everything and have nothing, i cant even pay my re nt. All accounts down. Im just a teacher and have been sick for 3 weeks now trying to solve this. But its not possible. If you help me I will be one of your paying subscriber forever.
I worked with IT a long time ago (2011) I have done everything I know, but cant stop it. They just gaind more access, now having it all. THese 3 weeks of h ell making all my devices rooted with different malwares. DNS rerout, cookie poison, server cookie poison, everything. My m 4li is 1 a t u r ld o t1 with the last numbrs being the numbr equalent to letters. please somebody, help.
In Malaysia, SIM card replacement requires walk-in to nearest mobile center, inserting the national ID to a validator device, scanning a thumbprint to validate ID ownership before proceeding to print the SIM card. New SIM Card registration requires a national ID or Passport for foreigner. Liability falls on the registrant if the number is used for criminal activities. You can keep same phone number even if you switch carriers
@Faye Cushnie Seems like you are also still stuck in the 70s
@@SU-IICould be, don't you agree it is old but safe?
Every time I think of security, I think of this: You are the weakest link. Humans should not be trusted with security of any kind because we are fallible and easily corruptible. SIM swap should not be allowed over the phone or email, only in person, face to face, complete a form and it must be signed by the customer, the agent and a higher up at the company. Companies should take responsibility for their failures in security. It astounds me on the lack of foresight when they hire people to work in an environment where they have access to personal information of people, yet they have ZERO security clearance.
Yes!!! This!!! I completely agree with you.
@@ShannonMorse With the increase in SIM swap fraud, people should also move away from OTP authentication and rather let them send the code request to a secure email. Another thing would be to use supplied security certificates on transactional devices which should remove the SIM swap problem.
More and more use prepaid phones. Your idea only works if you have a contract. Or if you can go into a store. Even then you have to have an 'account' most of the human race does not. I had a phone years ago. All I had to do was turn it on. I had a number.
@@jamesedwards3923 Where I am from, if you do not use the number for 3 months, it is gone. Secondly, all numbers in use must be on the "RICA" system. All numbers are connected to a SIM, a person and that person's address. Unfortuantely only one bank here requires physical presence when activating cellphone banking with a working and registered SIM and phone and during setup the client's phone setup, a form is signed and finger prints taken. A really secure setup. If client's phone or SIM changes, these steps will need to be repeated. Prepaid and contract are all registered.
@@JohanlastZa Wow, you are way more secure than most of us.
Here's my tip after getting SIM swapped weeks after I switched to a new carrier: Request upgraded security on your account. That means that the carrier will disable you from accessing your account on their website to make any account changes. Your 8 digit PIN code won't work. The only way you can make changes to your account is to go in to a corporate location and show them your ID or provide an alpha numeric password that you set up when requesting the security upgrade.
Most often the customer service rep is the problem, they are low-paid and poorly trained to spot something suspicious.
Just stumbled upon your channel since I've started to strengthen my security seriously. Great content. Thank you
I feel like this is similar to why we need to stop using SSNs as a national ID number
Exactly SSN's aren't even secure
Even a credit card’s card number by itself is more secure than a SSN because it has more digits.
considering fingerprint scanners are in every phone, I feel like that would be much more secure
Never give your SSN to anyone who isn't paying you or your financial institutions - both for tax purposes. The healthcare industry is notorious for asking for SSN - write in DECLINE. They only want it to be able to send you to collections if you don't pay your bill - you should pay your bills. Without a SSN, it is extremely difficult to send you to collections. And lock all of your accounts on the major credit reporting agencies. It's easy enough to unlock them temporarily if you authorize a credit check.
I agree with you. And the original Social Security cards state that they are not to be used as a personal identifier.
Four years later and Canadian banks are still only accepting SMS for 2FA
Thank you Shannon for this much needed information. I am currently going through some troubles with every phone I get. For some reason I feel like I'm not doing something right from the time I turn the phone on until I break it or buy a new one. It's very frustrating. I just wanted to thank you for the work your doing and information you have made available.
Absolutely! Happy to help!
@@ShannonMorse does encrypting your phone help?
great vid thanks for explaining !
I would love to transition to not having a cell phone at all, and I would love to hear from you or others about ways to transact with banks and businesses and the world without owning a cell phone.
Or not transacting with a bank at all.
This is good advice. I'm leaving my browser open on this video and I'll watch it again but I plan on implementing much if not all of this. Thanks!
a little late to the watching this video! lol! I work in fraud for a big communication company and the biggest thing a person can do to protect them self is protect your phone number and your email. You give real good advice!!
I’m sure it’s happened to me mate
Good list of tips! Ever since seeing the Threatwire video I’ve been worrying about this. Thanks for making this video!
Thank you. Your TH-cam is the best I've seen on this so far.
I have a Google number that is tied to my phone so it’s time to get another Google number! Thank you for the info! I came here from Roberto’s channel.
Sharp lady and great advice.
Not technical myself, I notice you have great color for your nails, they are short enough to indicate you work for a living.
Best
You can solder with long nails, FYI.
Thank you!!! If you stopped using SMS 2FA, wouldn't that completely eliminate the ability to SIM swap???
Hi from 2021! I have been planning, dreaming, learning about starting a TH-cam channel but I'm a really private person and I have been so worried about safety. This video is really helpful, I took notes and I'm going to follow your advice. Thank you!
It's hard work, but I recommend not providing correct PII if possible. You need to record what you tell the website and I find that a password manager is convenient for that.
I also suggest not storing payment details in the account if possible. It might be inconvenient to re enter CC details every time you but something, but it's one less thing to leak in a data breach
Hey Shannon, I hope you do more videos like this even after this mini series is over! Threatwire isn’t often enough for me to get my Shannon-Tech fix. It’s been hard on me since Tekthing ended. 😉Seriously though, you’re one of my favorites and I love all your content. A++
Thank you!! I'd love to do more security and privacy videos!
Yes, please! Your 30 day challenge you did a year or two ago sparked my interest in the subject. I view everything differently now and am in a much better position after implementing as much of the suggestions as possible. Thank you for that! 🙏🏻
AT&T wont make those changes without seeing your state DL. But the carrier should then be liable for not verifying the true identity of the customer!!! More law suits coming now doubt.
The problem is you may not always to be able to get to your provider. Life is problematic.
If you can find it in their:
Public Bills.
Contract.
Customer Service Call.
Etc.
You have a law suite.
Oh yes much more lawsuits cali. NM. TX. Yep
Thanks for the Tips! Roberto sent me and I'm glad I listened
Me too
@@dilshanmaduranga6669 Me three...
This is truly valuable content ~ thanks for what you do!
Wow that is a lot if information. I will have to watch a few times and take notes! Thank you.
Great tips. Now I’m nervous about someone stealing my phone number. 🤪
You're likely fine as long as you use some of these tips and good internet hygiene!
Shannon Morse, I need to investigate the google phone tip for sure, and my replacing my mother’s maiden name with my favorite song phrase
@@garynagle3093 you commenting that you should change it to your favorite song lyric is now info that someone could use. Another tip: never talk about what your Security answer is or what its about.
Thank you for tips. Sadly I still need this information broken down simplifer as I am not tech savvy. Can you recommend a book or something - thanks!
OMG .. I wonder how many people have changed there secret answer to " a scrub is a guy who can't get no love from me"
Excellent advice, thanks
In Australia, you only need DOB, address and phone number to sim port. Once a telco has had the request to port your number, they must do it by law, even if the authorised account holder tells them not to. The only way to protect yourself is to move house or change your phone number, or lie about your DOB, which apparently is an offence under the act.
In terms of setting a PIN code for locking up cell phone SIMs, should it be plain numbers or a mixture of numbers and letters? I saw some SIM card with an alphanumeric code on the card packing. Secondly, will 4 digits be adequate or should it be at least 6 digits?
Encrypt your hard drive. I only encrypt folder or files. Even when the hacker hacks your PC, the info is useless to them if your files are encrypted,
You can also ask a family member to get you a sim. This way, the phone number/plan you are using is under their name and not yours!
Secret Questions are an excellent old fashioned tool for authentication. They are easy to change and easy to store in alternate locations. In an encrypted state of course.
also only you would know some of them. Unfortunately people seem to be phasing them out.
@@camaroman101 Unfortunately.
Your video is the best I've seen on this subject. Thank you💓🙏
Excellent video. Well researched, thank you !
If I get a new SIM Card and Phone Number, will that stop 'Spam Calls' ?
Came here from Roberto and I really needed to know about this. Thanks for these tips!
So how do they get your social medias info?
warning: i tried setting up a pin on my unlocked iphone6. I turned on sim lock and it asked to enter a pin code. Entered my new code twice and said that it could not lock the sim. I then tried to disable sim lock and it asked for a PUK code. I have no memory of ever locking the sim on this phone and had never heard of it before this video so its highly unlikely the sim was locked already. I had to call tmobile for a PUK code. what a pain!
The carrier has a default code. Google tells me that tmobile's default is 1234
Better: Park that phone and get a life. (I.e., stay off social media.) And use a laptop/desktop when you want or need to be online - those are 10,000x better than a phone.
Even BETTER... Throw away ALL of your technology and go live in a forest!!! 😁
My hacker also listens to my sim calls live distorts the line & drops it just to be annoying is this still a sim swap attack or is he using some sort of Tower near where i live to intercept the line?
At over seventy years of age it becomes difficult to jump over these high mental fences. When asked to choose three out of eight security question, I only knew one. ( this is the first one of your videos I have seen).
I dont how but in Turkey, Banks uses one time code and if sim card change new one they stop one time code until you call customer services or going to atm.
Very informative information indeed. Thanks for sharing. I will share this to my friends
Thank you for making this video. Much appreciated.
Thank you for the help 🙏
Shannon, Thank You
Roberto Blake suggested your channel. Thanks for this information.
If my SIm is swapped and my phone does not work, how do I communicate to solve the problem?f
Domestic violence survivors are often victims. I have experienced every device I obtain hacked for many years and now sim swapped. Perpetrators work together and make it impossible for their victims to use technology without being hacked & cyberstalked. Sim swappers have turned off my phones. They also seem to enjoy having their victims use the victim phone while they watch and perpetrate all kinds of destructive acts against their victims. I tried only accessing my telecom account at their stores. Telecom employees copied my IDs many times. My service and accounts became even worse; with my identity seemingly stolen. How can a domestic violence and stalking survivor of extremely intelligent, high tech perpetrators possibly move forward???
😓😓😓
🤔many many thanks to you
...
I have Google Voice configured on an OBi200 VOIP phone connected to my wifi.
For extra coolness, it’s connected to a red auto-dial phone. My family has a hotline to my cellphone.
and how do you get SMS thru your OBI cordless I wonder
Thank you, please continue these videos!
You got it!
Opened my eyes!
You are a cute letting us know about this threats. I was hacked so many times. Last time I couldn't use my Facebook or WhatsApp sending OR receiving photos, videos or voice message. Thanks for your help. I am appreciating it.
Ha-ha, so somewhere there in "advanced OmeriGa" one can call mobile provider and ask to switch SIM based on statement that the caller is a real owner of a "stolen" phone, even without presenting himself alive to the provider service center to prove the identity of a subject?
Hello - what is the liability for selling a SIM card not in use by your phone account anymore?
Thanks!
Google Voice, sounds good but who can trust Google?
Its not clear to me that put a pin or passcode in the SIM card would avoid cloning the phone number. Because that PIN is for my physical SIM card, inside my phone. Does it sync to any SIM card created for that specific phone number?
This information is great. Too bad that the way I found this video is because I was SIM swapped and over $11,000 was stolen from me. But going for are, I will use some of these tips.
Awesome video 🔥
Hi, just a thought here, how about having another phone or with a dual sim phone have another sim purely for all finances, ie banks, crypto exchanges ect ect and not used for anything else, ie phone calls messages ect. And furthermore, on this phone have a sim pin/passcode?
should I buy a second sim? or a thrid
Important question. To open up a new phone number for 2Auth they need my official name, which means that it will go to the white pages, and even if I never give my new number to anyone, a hacker could still find it on the white pages. Do you have a solution for that? Please help!
if someone called up and gave the wrong birthday or mothers middle/ maiden name or something that could not be remembered wrong and the company doesn't or can't report that to authorities they are partially/ unintentionally allowing ID theifs to incentivise their efforts. Collecting statistics like that might at least give some insight on how rampant ID theft is in different areas
Is it advisable to use your channel email account to buy any video editing app or audio for your channel?
Hi, Shannon. I have a question. Do I need each ubit key for one application or can I put multiple applications into 1 ubit key?
Thank you for this!!!
No problem 😊
Thanks for this Ma'am :). Btw i really love your cute anime stuff at the back hehe.
Thanks!
Hi, Can you make a video about SIM LOCK, this feature available in Android and iPhone. How is the sim lock work? Would it prevent SIM SWAP? AND further more about Esim. Would Esim prevent sim swap since it's not a physical sim card? Thanks
great advice
Will a Yubi Key still work if your hacker is a mind reader i am not joking & can the Yubi key be cloned?
What about enable a PIN on the Sim?
Use google and Microsoft authenticator. Don't need to use too many
Funny how we all are required by LAW to walk-in in person when we open (even if it is a zero-balance) bank account to protect THE BANK and the TAX AUTHORITY's interests of being able to open a bank account to a non-existing or false identity person. But when it comes to keeping our money safe, the main key to our bank account is easily given away to anybody over the phone.
What about a private mail server with Google Authenticator?
Even if the scammers get the SIM card working on anew phone and they now have access to your apps, messages, emails, etc. how can they drain your bank accounts if they don’t know the usernames and passwords?
If you have account resets or password resets tied to your phone number, that can be used to bypass the original password. Because they would receive your text messages.
@@ShannonMorse okay, now I get it. Thanks.
Roberto Blake sent me here, this video was fantastic thank you!!!
How can we know or confirm that our sim is cloned by someone or not?
Also, stop putting one's life online. This makes social engineering easier because a person would not have to speak to that person to get what they want
agree
I bought a ybi key over a year ago. Still don’t know how to use it
How about SimJacker where they just send you a hidden text message and take over your phone at the baseband level?
You need to make longer videos. I like your videos, but I like longer ones.
But I don't get it. Wouldn't the persons phone they just called customer service to sim swap and activate their phone cause the persons phone that was swapped service to shut down? Thus, disabling the victims phone would suggest they wouldn't try to use any 2FA push and making any intercepts unlikely.
When I switch my sim or esim to a new phone, my old phone never shuts down. The ONLY thing that happens is the little icon at the top changes from showing me 5g to showing me wifi only. If someone doesn't notice that they'd have no clue their phone number was swapped.
Oh wow, That's hard to believe. Thanks the info@@ShannonMorse
Why is it hard to believe? I review phones and swap my sims in between them at least once a month. I've also don't over 2500 videos about sec/priv (my OG channel is called Hak5). I think I know what I'm talking about.
What to do after you got scammed, I lost over $1000.
Thanks! good stuff
thank you!
About crashplan, what about privacy? Security?
Encrypt the files before you upload them. Problem more or less solved.
VeraCrypt.
PeaZip
7zip
KeePass
Password Safe
Which is why manual backups of data to the cloud is my preference. Whether you use a zero knowledge backup provider like spider oak. Or some other cloud service.
If you encrypt the data with layers of encryption and multi factor efforts. The data should be reasonably secure. Encrypting a file in a simple encrypted file and then encrypting that file in another file. Is the easiest common sense approach. So even if an inside man compromises a cloud service and extract your encrypted file. They would have to attack all the layers of encryption.
For example PeaZip allows for keyfile encryption. Typically most people do not use keyfiles for a zip file or a .7zip file. Which means a typical hacker will normally not account for that vector.
Depending on the software applications. You can use key files or hardware keys.
This is why you must actually sit and ponder how you are going to secure your data.
Does the USB hardware key have a password as well to use it, for example if someone did steal it from you they would they still not be able to use the hardware usb key due to needing a password or is it just plug it in and it just does what it needs to do? Great video thank you so much.
I have a yubikey and you can enable a password for some of the key's features. You can actually store the same type of 2fa time based TOTP codes that authy uses on the yubikey and use yubico authenticator to view the codes. For that you can protect it with a password. For Fido U2F, which is the method you would use to register the key with your Google, Facebook, Twitter, etc account. For that, I don't think you can protect the yubikey with an additional password. But keep in mind it's a second factor, so they would need your login username + password + physical posession of your yubikey to gain access to your accounts and if they could get all 3 of those things from you, then they could probably steal that additional password too. If you're gonna buy a yubikey, you should ALWAYS buy two and register both of them with all the same accounts so that if you were to lose possession of one of them, you would still be able to access everything.
Look up the FIDO standard. Answers all your questions.
Thank u..very helpful..
Happy to help
I had a pass code and they still have my chip away
Miss mamas came thru with all this Information ℹ️! Great video
Totally explains why I don’t get half of the text messages I used too. Lol 😂 silly rabbit 🐰
Great explanation and very useful tips; especially number 7. However, it seems like SIM swapping is not something hackers could get away with for a long time as I should almost immediately notice that my phone is no longer working. Or is there another more subtle way of getting away with this?
Its more like they can start attacking so fast oncce they have the number they hope you take at least 15-30 mins to recover. That way they can exploit your email's SMS recovery or bank SMS recovery and by then theyre into all the important accounts of yours. If they lose the phone number after that its not a big deal because they already got the access and have changed passwords etc... Especially if you have crypto coins somehow linked thru emails that get compromised. It can be devastating. It isnt meant to be a long con. It's more like "swap it, now exploit as much as possible as fast as possible"
Very helpful
Looks great
How does sim pin prevent sim swab ?
Ostensibly, if you have a PIN set up and someone calls to change your sim to another card, they will have to give the correct PIN. BUT do not put any faith in pins, because carrier agents have the power to go around PINs, if the criminal can give enough of your personal information to convince the agent, then theyll void the PIN and swap the sim over. Best course of action is to simply give no power to someone who gains your phone number. No reocvery sms, no sms 2FA, nothing for any important accounts.
Oh a SIM PIN. I thought you meant a PIN on your phone company account.
Mam i have a question please respond if you see this. I just activated a sim against my identity. Please respond to my query i will explain more.
A very comprehensive critique of sim swap security! Thank you!