I Got Hacked and All I Got Was This New SIM Card

I like to think I take an above average amount of steps to secure myself online: I use a password manager, unique passwords as complex as the site will allow, and turn on 2-factor authentication when possible. A true security expert will likely find some sort of flaw in my setup, but I'll argue that I am doing more than 95% of the planet.

So how did I, someone who is reasonably secure, have his cell phone disabled, his PayPal account compromised, and a few hundred dollars withdrawn from his bank account?

You Can't Secure Against Human Error

Yesterday evening, I was driving to the airport to drop off someone and noticed my phone had zero bars on AT&T: the "No Service" text was listed where the bars should be. I assumed it was because Denver's airport is in the middle of nowhere and a tower died. Or the iOS 11 beta is buggy and somehow it's just a byproduct of that.

I restarted the phone. No help. Reset network settings in iOS Settings. Still no success. I checked my iPad because I carry it with me and keep a SIM in it. The iPad still has service, which seemed interesting. At this point I was still blaming iOS 11 because I'm a software developer and we always blame the software.

Once I returned home I checked my email and saw two new emails. The first was from Google with a security reset code. I did a quick phishing check and the URLs were legitimate.

The second email was from PayPal stating that $200 AUD was transferred from my bank (which is an obscure / small bank) to another person. Again, I checked for phishing just on the off chance that someone figured out who my bank was to craft an elaborate password fetching scheme. It was valid.

Finally, it clicked: someone has taken over my cell phone.

I instantly called AT&T's customer service line to explain what was happening. I gave them my name, my phone number, and my security passcode (this is key). The man on the phone read through the notes and explained that yes, someone had been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn't know my passcode, until someone broke protocol and didn't require the passcode.

Once the intruder found someone who didn't require my AT&T security passcode, the intruder had the AT&T call center rep switch my number from my iPhone's SIM card / IMEI to his/her burner phone (I don't fully understand GSM technology, so I may have this technically wrong, but you get the gist).

I had the call center rep I was speaking with (who was great) suspend service on my phone, deactivate the "new" SIM that was created an hour earlier and make a bunch of notes on my account so it would be easier for me to go to the AT&T store this morning to get a new SIM.

My next point of contact was to my bank to inform them of what happened. They were sympathetic but there wasn't much they could do beyond giving me new account numbers and canceling my debit card (for extra paranoia). I no longer have access to my bank account until this is resolved, so look forward to my Patreon in the next few days when I need to go to the grocery.

Next I called PayPal to dispute the $200 AUD charge. I had assumed I'd talk to a live human, but no. It was all automated. I disputed the charges and got an email saying they'll let me know if I can have my money back in 9 business days. I'm not optimistic because PayPal is terrible.

You're likely wondering how my cell phone being compromised led to my PayPal account being compromised. All you need to reset a PayPal password is an email address and a phone number to accept the verification code. Since PayPal only supports SMS-based authentication, all the perpetrator needed was to be able to receive SMS messages as "me" and he was in.

Lessons Learned?

I have spent the morning trying to evaluate my security practices and there's not much I can think about that I'd do otherwise. Twitter tells me I shouldn't use SMS-based 2-factor authentication and should use app-based 2-factor instead. I agree! The problem is that some sites like PayPal don't offer the better security. The alternative is to just go back to single factor, which I am not so sure is the best solution either.
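As an added example that is not part of the original post (and not PayPal's or AT&T's code), the following Python models the two recovery flows discussed in the paragraphs above: a password reset gated only by an SMS code, which succeeds for whoever currently holds the phone number, and an app-based (RFC 6238 TOTP) factor, which needs the secret on the owner's device and is unaffected by the number moving to another SIM. The e-mail address, phone number, holder names and the authenticator secret (the RFC 6238 test secret) are all constructed for the demonstration; the Carrier and Service classes are a simplified model, not a real carrier or site API.

```python
"""
Added example (not from the post): an SMS-only recovery flow versus a
TOTP-gated one, under a model where the phone number changes hands.
All names, numbers and the secret below are constructed.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30 s steps)."""
    return hotp(secret, unix_time // step, digits)


class Carrier:
    """Model of the phone network: a number delivers SMS to whoever holds its SIM."""

    def __init__(self):
        self.sim_holder = {}   # phone number -> name of the current SIM holder
        self.inbox = {}        # holder name -> list of received SMS texts

    def assign_sim(self, number: str, holder: str) -> None:
        self.sim_holder[number] = holder

    def send_sms(self, number: str, text: str) -> None:
        self.inbox.setdefault(self.sim_holder[number], []).append(text)


class Service:
    """Model of a site with two reset flows: SMS-only (the flow the post describes) and TOTP-gated."""

    def __init__(self, carrier: Carrier, email: str, phone: str, totp_secret: bytes):
        self.carrier = carrier
        self.email, self.phone, self.totp_secret = email, phone, totp_secret
        self.pending_sms_code = None

    def start_sms_reset(self, email: str) -> bool:
        """Step 1 of the SMS flow: knowing the e-mail is enough to trigger a code to the phone."""
        if email != self.email:
            return False
        self.pending_sms_code = "%06d" % secrets.randbelow(10 ** 6)
        self.carrier.send_sms(self.phone, f"Your reset code is {self.pending_sms_code}")
        return True

    def finish_sms_reset(self, code: str) -> bool:
        """Step 2: the reset succeeds for whoever can read the SMS, owner or not."""
        ok = self.pending_sms_code is not None and hmac.compare_digest(code, self.pending_sms_code)
        self.pending_sms_code = None
        return ok

    def totp_reset(self, email: str, code: str, now: int) -> bool:
        """App-based flow: proof of the device secret, independent of who receives SMS."""
        if email != self.email:
            return False
        for drift in (-1, 0, 1):  # tolerate one 30 s step of clock skew either way
            if hmac.compare_digest(code, totp(self.totp_secret, now + drift * 30)):
                return True
        return False


def read_code_from_inbox(carrier: Carrier, holder: str) -> str:
    """Pull the 6-digit code out of the most recent SMS the holder received."""
    return carrier.inbox[holder][-1].split()[-1]


def demo() -> dict:
    carrier = Carrier()
    secret = b"12345678901234567890"  # constructed: the RFC 6238 test secret
    svc = Service(carrier, "owner@example.com", "+15550100", secret)

    # Normal day: the owner holds the SIM, so SMS recovery works for the owner.
    carrier.assign_sim("+15550100", "owner")
    svc.start_sms_reset("owner@example.com")
    owner_sms = svc.finish_sms_reset(read_code_from_inbox(carrier, "owner"))

    # After the number is moved to a different SIM, the same flow succeeds for the
    # new holder, who never needed the owner's password: the number is the factor.
    carrier.assign_sim("+15550100", "new-holder")
    svc.start_sms_reset("owner@example.com")
    holder_sms = svc.finish_sms_reset(read_code_from_inbox(carrier, "new-holder"))

    # The TOTP-gated flow still needs the secret on the owner's device: the only code
    # the new holder has is the SMS one, which is not a TOTP value; the owner's passes.
    now = 1_500_000_000
    holder_totp = svc.totp_reset("owner@example.com", read_code_from_inbox(carrier, "new-holder"), now)
    owner_totp = svc.totp_reset("owner@example.com", totp(secret, now), now)
    return {"owner_sms": owner_sms, "holder_sms": holder_sms,
            "holder_totp": holder_totp, "owner_totp": owner_totp}


if __name__ == "__main__":
    print(demo())
```

The design point is in `totp_reset`: the only thing it checks is knowledge of a secret that was provisioned to the owner's authenticator app and never travels over the phone network, so a carrier-side change to where SMS is delivered does not change who can pass it. The SMS flow, by contrast, makes the phone number itself the credential. The `hotp` and `totp` helpers follow RFC 4226 and RFC 6238 exactly, so `totp(secret, 59)` yields the published test-vector value `287082`.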

I don't even place blame on PayPal for this directly. The fault lies with the AT&T call center representative who let someone manipulate my account without knowing my passcode. I've been told this is being escalated internally, but I haven't heard anything from corporate channels, so I remain skeptical until I see or hear something.

Until then, I'll be going back to watching my bank account, ensuring my credit cards are valid, and wearing this tinfoil hat I crafted this morning. For all the advances that we have made in technology over the last decade, online security still has a ways to go.