
Thread: VERIZON WIRELESS USERS CHANGE YOUR PIN NOW

  1. #21
    Modding this sack of shit BehindBlueI's's Avatar
    Join Date
    Mar 2015
    Location
    Midwest
    Quote Originally Posted by Jaywalker View Post
    Just to clarify this in my mind, is this a PIN you use on a daily basis or is this a PIN you set up to prevent cell phone port fraud?
    The PIN for my Verizon account. I don't have a PIN on my phone, it's a fingerprint reader with a backup "pattern swipe" thing. I had no idea "port fraud" was a thing until yesterday.

    Quote Originally Posted by RoyGBiv View Post
    Go to bank web site
    Click "forgot user name"
    Ask bank to send user name to a device linked to the account (phone)
    Go to bank web site
    Click "forgot password"
    Ask Bank to send reset link to a device linked to your account.


    Pretty much this, per USAA. Even though it's coming from a totally different state, a different MAC address and an entirely different kind of phone apparently that doesn't trigger any issues that make you need to speak to a real person, know your existing phone password, PIN, email address associated with the account, etc. etc. Now that I've been compromised I set up a higher level of authentication. USAA will eat the $1k their shitty security let get transferred out, and luckily I'm not in the situation where being down a grand for a few days affects me. I suspect many others would not have that luxury. I'm strongly considering moving at least my savings account to a local credit union. Changing my checking account would be a giant PITA, though.
    Sorta around sometimes for some of your shitty mod needs.

  2. #22
    Quote Originally Posted by BehindBlueI's View Post
    The PIN for my Verizon account. I don't have a PIN on my phone, it's a fingerprint reader with a backup "pattern swipe" thing. I had no idea "port fraud" was a thing until yesterday.
    The scary thing is you had your PIN compromised. Most of the suggestions I've heard for combating port fraud are to set up a PIN on your cell phone side. I had a buddy get hit, but she didn't have a PIN set up on her phone so I chalked it up to bad luck and somewhat lax security on her end.

    This article from Krebs on how to fight port out scams:

    Quote Originally Posted by Krebs
    T-Mobile suggests adding its port validation feature to all accounts. To do this, call 611 from your T-Mobile phone or dial 1-800-937-8997 from any phone. The T-Mobile customer care representative will ask you to create a 6-to-15-digit passcode that will be added to your account.

    “We’ve included alerts in the T-Mobile customer app and on MyT-Mobile.com, but we don’t want customers to wait to get an alert to take action,” the company said in its statement. “Any customer can call 611 at any time from their mobile phone and have port validation added to their accounts.”

    Verizon requires a match on a password or a PIN associated with the account for a port to go through. Subscribers can set their PIN via their Verizon Wireless website account or by visiting a local shop.

    Sprint told me that in order for a customer to port their number to a different carrier, they must provide the correct Sprint account number and PIN number for the port to be approved. Sprint requires all customers to create a PIN during their initial account setup.

    AT&T calls its two-factor authentication “extra security,” which involves creating a unique passcode on your AT&T account that requires you to provide that code before any changes can be made — including ports initiated through another carrier. Follow this link for more information. And don’t use something easily guessable like your SSN (the last four of your SSN is the default PIN, so make sure you change it quickly to something you can remember but that’s non-obvious).

    What they recommend later on in the article for higher level protection is likely what we need to start moving to, especially since the cell carrier may end up being a single point of failure if they lose not only the PIN, but other sensitive personal information.

    Quote Originally Posted by Krebs
    Bigger picture, these porting attacks are a good reminder to use something other than a text message or a one-time code that gets read to you in an automated phone call. Whenever you have the option, choose the app-based alternative: Many companies now support third-party authentication apps like Google Authenticator and Authy, which can act as powerful two-factor authentication alternatives that are not nearly as easy for thieves to intercept.

  3. #23
    Quote Originally Posted by BehindBlueI's View Post
    I'm strongly considering moving at least my savings account to a local credit union. Changing my checking account would be a giant PITA, though.
    Banks as a whole have awful online security - USAA is one of the best.

    USAA allows you to set two-factor authentication (2FA) that is NOT a text sent to your cellphone, which, after port fraud you do not control. With USAA you download an app either to your cellphone or to your computer that uses a time-based code generator that's good for 30 seconds - it does not have to be connected to the internet to work, so you still have it working on your phone even if you've been port-fraud(ed?). If you have that (Symantec VIP) enabled the scammer would have to try to talk his way past (social engineering) the USAA operator, who would be flagged that you did not authenticate properly. Other banks, if they use 2FA at all, rely on sending a six-digit text to the phone you no longer control. Personally, I've been moving money away from those weak-ass sites and moving it to USAA.

    I suspect this was you targeted, not a general Verizon issue, though it doesn't hurt to change PINs occasionally anyway.

    I raised this issue in my August post on two-factor authentication: https://pistol-forum.com/showthread....108#post772108
    Last edited by Jaywalker; 09-20-2018 at 09:48 AM.

  4. #24
    Modding this sack of shit BehindBlueI's's Avatar
    Join Date
    Mar 2015
    Location
    Midwest
    Quote Originally Posted by Jaywalker View Post
    I suspect this was you targeted, not a general Verizon issue, though it doesn't hurt to change PINs occasionally anyway.

    I suspect you suspect wrong. I was the second person to call in to that particular Verizon rep with the exact same issue, the operator next to him was taking a third. All three had the exact same dollar amount, and the exact same fake name the number was ported to. Per USAA, the request didn't even come from my state, and it came from a city I have zero connection to other than traveling through twice in 40 years, neither of which was recent. Nobody knows my PIN but me, not even my wife.
    Sorta around sometimes for some of your shitty mod needs.

  5. #25
    Quote Originally Posted by BehindBlueI's View Post
    Even though it's coming from a totally different state, a different MAC address and an entirely different kind of phone apparently that doesn't trigger any issues that make you need to speak to a real person...
    People change phones pretty often legitimately, so a MAC address likely doesn't get much weight, security-wise, and it can be spoofed anyway. As for location, lots of folks (including me) use virtual private networks (VPN) to prevent my local ISP from snooping on my web traffic; with one click my location will change to Dallas, Atlanta, Toronto, etc., so that doesn't set many flags.

    Cell phone numbers have become a default ID - that's weak because the SIM card/phone system is not built for security.

    The email address is also an ID and is worth defending. I've taken my cell phone number out of my Gmail account so that it can't be taken with a cell phone number text authentication. For gmail account recovery, I now have (1) a Yubikey hardware token, (2) an Authy software token, and (3) 10 one-time use passwords. That's adequate for recovery and allows me to remove the weak link, the cell phone number text authentication.

    And for technical reasons I'm abandoning Microsoft outlook.com because it automatically updates the password in my iPhone, even if I want to change the password because of a lost or stolen phone.
    Last edited by Jaywalker; 09-20-2018 at 10:36 AM.

  6. #26
    Quote Originally Posted by BehindBlueI's View Post
    Nobody knows my PIN but me, not even my wife.
    A Verizon kiosk operator can change your PIN by "verifying" identity locally. But sure, it could be a part of a bigger leak. Most of them are local, though. I imagine they can see it, too, without changing it, unless the process is shielded from them and handled automatically; can't say. When you call into your account does someone ask you for your PIN to identify you? If they do, then that PIN is readable over the Verizon system. Probably.
    Last edited by Jaywalker; 09-20-2018 at 10:43 AM.

  7. #27
    Chasing the Horizon RJ's Avatar
    Join Date
    Jan 2014
    Location
    Central FL
    Thanks BBL I changed my PIN this morning via Verizon.

    Wow. That sucks big time. Sorry it happened.

    Anecdote: Two years ago a similar thing happened to me. My cell phone stopped working (Verizon) as in, no service.

    Weird, I thought. As I was contemplating why that might be, USAA emailed me indicating my account was locked due to an unauthorized access attempt; apparently the thieves did not supply the right info to confirm access to my banking account. I got on the phone with Verizon from my wife's number and it turned out my phone was ported to another phone somewhere in Europe. I was able to have that reversed but only after a tense weekend on the phone with Customer Service. I then unlocked my USAA account. No damage was done.

    We have since moved every account possible to 2 factor authentication where available. We both use the USAA "token" or physical hardware keychain device to enter an additional passcode every time we access a bank account.

    Again, very sorry to hear this happened.

  8. #28
    Member
    Join Date
    Jul 2017
    Location
    West
    PIN changed. Thanks.

  9. #29
    Modding this sack of shit BehindBlueI's's Avatar
    Join Date
    Mar 2015
    Location
    Midwest
    Quote Originally Posted by Jaywalker View Post
    People change phones pretty often legitimately, so a MAC address likely doesn't get much weight, security-wise, and it can be spoofed anyway. As for location, lots of folks (including me) use virtual private networks (VPN) to prevent my local ISP from snooping on my web traffic; with one click my location will change to Dallas, Atlanta, Toronto, etc., so that doesn't set many flags.
    It probably should. Enough to talk to a real person and verify phone password, etc. at the minimum. But I know, it's cheaper just to let the fraud happen than not use the automated system and hire more people. Plus I probably limp wristed the phone, or put it back together wrong.
    Sorta around sometimes for some of your shitty mod needs.

  10. #30
    Quote Originally Posted by BehindBlueI's View Post
    I suspect you suspect wrong. I was the second person to call in to that particular Verizon rep with the exact same issue, the operator next to him was taking a third. All three had the exact same dollar amount, and the exact same fake name the number was ported to. Per USAA, the request didn't even come from my state, and it came from a city I have zero connection to other than traveling through twice in 40 years, neither of which was recent. Nobody knows my PIN but me, not even my wife.
    Agree with BBI. There is no way someone is going through this trouble for a measly $1k. This is a blanket attempt at cracking as many accounts as possible in short order.
