I Got Hacked and All I Got Was This New SIM Card

I like to think I take an above-average number of steps to secure myself online: I use a password manager, unique passwords as complex as the site will allow, and turn on two-factor authentication when possible. A true security expert will likely find some sort of flaw in my setup, but I'll argue that I am doing more than 95% of the planet.

So how did I, someone who is reasonably secure, have his cell phone disabled, his PayPal account compromised, and a few hundred dollars withdrawn from his bank account?

You Can't Secure Against Human Error

Yesterday evening, I was driving to the airport to drop off someone and noticed my phone had zero bars on AT&T: the "No Service" text was listed where the bars should be. I assumed it was because Denver's airport is in the middle of nowhere and a tower died. Or the iOS 11 beta is buggy and somehow it’s just a byproduct of that.

I restarted the phone. No help. Reset network settings in iOS Settings. Still no success. I checked my iPad because I carry it with me and keep a SIM in it. The iPad still has service, which seemed interesting. At this point I was still blaming iOS 11 because I'm a software developer and we always blame the software.

Once I returned home I checked my email and saw two new emails. The first was from Google with a security reset code. I did a quick phishing check and the URLs were legitimate.

The second email was from PayPal stating that $200 AUD was transferred from my bank (which is an obscure / small bank) to another person. Again, I checked for phishing just on the off chance that someone had figured out who my bank was to craft an elaborate password-fetching scheme. It was valid.

Finally, it clicked: someone had taken over my cell phone.

I instantly called AT&T's customer service line to explain what was happening. I gave them my name, my phone number, and my security passcode (this is key). The man on the phone read through the notes and explained that yes, someone had been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn't know my passcode, until someone broke protocol and didn't require the passcode.

Once the intruder found someone who didn't require my AT&T security passcode, the intruder had the AT&T call center rep switch my number from my iPhone's SIM card / IMEI to his/her burner phone (I don't fully understand GSM technology, so I may have this technically wrong, but you get the gist).

I had the call center rep I was speaking with (who was great) suspend service on my phone, deactivate the "new" SIM that was created an hour earlier, and make a bunch of notes on my account so it would be easier for me to go to the AT&T store this morning to get a new SIM.

My next call was to my bank to inform them of what happened. They were sympathetic, but there wasn't much they could do beyond giving me new account numbers and canceling my debit card (for extra paranoia). I no longer have access to my bank account until this is resolved, so look forward to my Patreon in the next few days when I need to go to the grocery.

Next I called PayPal to dispute the $200 AUD charge. I had assumed I'd talk to a live human, but no. It was all automated. I disputed the charges and got an email saying they'll let me know if I can have my money back in 9 business days. I'm not optimistic because PayPal is terrible.

You're likely wondering how my cell phone being compromised led to my PayPal account being compromised. All you need to reset a PayPal password is an email address and a phone number to accept the verification code. Since PayPal only supports SMS-based authentication, all the perpetrator needed was to be able to receive SMS messages as "me" and he was in.

Lessons Learned?

I have spent the morning trying to evaluate my security practices and there's not much I can think of that I'd do differently. Twitter tells me I shouldn't use SMS-based two-factor authentication and should use app-based two-factor instead. I agree! The problem is that some sites like PayPal don't offer the better security. The alternative is to just go back to single factor, which I am not so sure is the best solution either.

I don't even place blame on PayPal for this directly. The fault lies with the AT&T call center representative who let someone manipulate my account without knowing my passcode. I've been told this is being escalated internally, but I haven't heard anything from corporate channels, so I remain skeptical until I see or hear something.

Until then, I'll be going back to watching my bank account, ensuring my credit cards are valid, and wearing this tinfoil hat I crafted this morning. For all the advances that we have made in technology over the last decade, online security still has a ways to go.

Shooting the Messenger

We now supposedly know who is responsible for the Apple Developer Portal being down for the past four days. Security researcher Ibrahim Baliç has revealed himself as the source behind what Apple is calling an “intrusion” into their systems.

Baliç discovered a vulnerability, among 12 other security issues, that allowed him to access details on over 100,000 Apple developer accounts including their email addresses and names. To see the hack in action, check out his YouTube video.

Why 100,000 Records?

I’m not a security researcher, but my guess is that he accessed that many records to see how deep he could go when reporting the vulnerability. The more data you can access, the bigger an issue it is.

Could he have stopped at 100 records and reported the issue? Probably, but we don’t know if Apple would have been so quick to react to it.

Why the Video?

If you look at the statement Apple put out on Sunday, it reads as if they are the victim of a malicious hacker who broke into their systems and stole information. Here’s the actual wording:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In reality (assuming that Baliç is indeed the source for this downtime), a security researcher with a proven track record of being a white hat hacker discovered the vulnerability and reported it to Apple through their official channels: RadarWeb.

But That Video Shows Personal Information!

Indeed, his biggest crime is posting the personal information of five people in a YouTube video to prove the vulnerability. The irony of a security researcher being so personally insecure about how he is labeled that he goes to YouTube isn’t lost on me.

And there are likely better ways he could have proven the hack to the media such as with technical details, but the video is 2 minutes of absolute proof that the issue is there and far easier to understand than technical jargon.

Baliç’s biggest crime is having an ego and not wanting his work misrepresented. I don’t approve of the way he went about it, but I’m not going to vilify him over showing five or so email addresses when the good he’s done in helping Apple secure their stuff far outweighs the bad.

It will be unfortunate if the only thing people focus on is this video rather than the fact that Apple had a serious vulnerability in their system that left all of our personal information at risk.

How Do Other Companies Handle This?

A lot of tech companies have dedicated pages where they highlight the channels for responsibly reporting security issues. They also give public acknowledgement to the folks who have reported the biggest vulnerabilities. Here are just a few:

Baliç is listed on Facebook’s list of white hat reporters so I’m willing to give him the benefit of the doubt as doing this work for good rather than nefarious purposes.

I’m not a security researcher, but I’ve watched Hackers enough to know that one of the big reasons for exploring these sorts of cracks in systems like Apple’s is for the recognition amongst your peers and other companies. To a white hat hacker, being listed on Google or Twitter’s list of people who have reported major vulnerabilities is not only validation for your work, but also likely money in your pocket as others will hire you to break into their systems.

Apple is a culture built around secrecy so I highly doubt they’d set up a public page that championed folks like this, but they have long listed reporters in their Security Update knowledge base articles.

Someone Must Take The Blame!

The vulnerability isn’t Baliç’s. It’s Apple’s. He just discovered it and Apple deemed it severe enough that their response was to take down their entire developer program until they can close the hole.

I’ve been incredibly vocal about the inconvenience that the downtime has caused me, but knowing how big of an issue it is, I’m fine with Apple taking their time to get the fix right.

I am not fine, however, with them trying to paint themselves the victim of malicious intent when in reality it looks as though someone properly reported a vulnerability in their code to them.

No one comes out of this looking clean, but it could have been a lot worse if a more malicious hacker had discovered the vulnerability before Baliç.