Scottish Daily Mail

Hack attack!

The Money Mail team challenged a cyber firm to break into their phones and emails. The frightening results should be a wake-up call for every reader

By Miles Dilworth (m.dilworth@dailymail.co.uk)

HACKERS are exploiting the pandemic to launch cyber-attacks on some of the UK’s biggest companies. Firms distracted by the crisis are more vulnerable than ever. In May, easyJet revealed that it had been the victim of a cyber-attack, which had compromised the details of 9.8 million customers.

It said 2,200 credit card details were accessed, while the rest was limited to names, emails and travel details. But it might not be obvious what damage can be done with just names and emails.

So I asked ethical hackers CyberNews to see if they could break into the personal accounts of Money Mail staff, armed with only our names and email addresses — with their permission!

Unaware it was linked to the CyberNews challenge, Money Mail editor Victoria Bischoff revealed how she nearly fell victim to a cold-call scam (Last Word, August 26). She received a call from a man posing as a PayPal representative, who told her there had been some unusual activity on her account.

He could refund the money but required some details. Fortunately, she was wise to it and ended the call.

It was one of a number of clandestine tricks they used in their attempts to steal our online identities. Others were more successful. They fooled Google’s initial security checks and my mobile phone provider in order to intercept my calls and text messages via another device.

The hackers took advantage of nuggets of publicly available information and the worryingly lax security of tech giants.

Senior researcher Edvardas Mikalauskas says the first step was to gather information online. The most potent weapon was our mobile phone numbers. They obtained these by pretending they had forgotten the password to our social media accounts.

In this instance, Facebook will verify your identity by sending a code to your mobile phone. Before it does so, it asks you to check it has the right number by showing you the last two digits.

In Victoria’s case, the hackers then did the same with PayPal, which provided the first two and last four digits of her number.

And by doing this across multiple accounts they were able to piece together the full number. Once they had this, they could attempt a so-called Sim-swap attack. This is when fraudsters call your mobile phone company to request a secondary Sim card to install on a new device.

This means they will be able to intercept calls and text messages, and lock the victim out of their account by deactivating the original Sim card.

If successful, it gives hackers free rein to break into other accounts, including online banking.

When CyberNews did so, it exposed shocking flaws in customer security.

The hackers called my mobile phone provider 13 times until they found an agent who failed to carry out proper checks.

Edvardas says all he had to do was strike up a conversation.

‘The approach was to engage in a long talk about how I was interested in getting a smart watch, and using it with another Sim card,’ he adds. ‘Then, I confirmed the details, which was pretty much just the phone number. For answers I didn’t know, I tried to mumble.’

The Sim card was then shipped.

An attempt to hack our Google email accounts also revealed alarming gaps in security. The hackers asked for a password reset link to be sent to one of their email addresses.

To pass the initial verification stage, all they needed to know was my phone number and Victoria’s mother’s maiden name, which they found on an online blog. Normally, password reset links are automatically sent to a registered device, such as the account holder’s home computer.

When requests are made from an unfamiliar source, Google asks the recipient to wait a couple of days so it can carry out a manual review before sending the link. This is then used to set a new password, locking the victim out of their account and granting the hackers access to their emails.

Ironically, a customer service backlog caused by the pandemic means CyberNews is yet to receive this. Edvardas says he has spoken to cyber criminals who have temporarily given up on this method due to sluggish response times.

CyberNews was limited by their adherence to ethical methods. For example, they did not pay for information on the so-called dark web. Real scammers face no such constraints.

My Facebook account is private, I only Tweet about work, football and cricket, and I don’t have an active Instagram account. But a team of cyber experts from Eastern Europe was still able to garner enough information about me to fool some of the world’s biggest tech firms. Only my colleague Fiona Parker was deemed secure.

My mobile phone provider says all customer service agents are trained to follow strict security and data protection protocols.

Google says CyberNews did not ‘hijack’ accounts or ‘access the information they contain’.

A spokesman says it uses a variety of checks ‘to ensure people’s attempts to regain access to their accounts are legitimate and safe’.

Google believes its security checks would likely have blocked the hackers during its manual review.
