• H3H3 Your Privacy Is at Risk
"Lollipop" (v5.1.1 I have) lets you disable unwanted and un-uninstallable apps. I disabled all that shit Verizon added like slacker radio, Verizon blah blah, imdb, amazon, polaris office, and... nfl... mobile? WHAT
[QUOTE=AJ10017;50674640]since im a Project Fi customer.[/QUOTE] You and me, we get along.
[QUOTE=LoneWolf_Recon;50673842]How fucking retarded are these customer service reps? Is there no authorization for if you are an actual employee? Also, giving up a SIM that easily (probably for the sake of ~convenience~) is goddamn idiotic.[/QUOTE] Like other people said, the easiest part of these hacks is social engineering. Customer service reps are hired to be friendly, helpful, and do whatever the customer needs them to do, cause 99.9% of the time it's just a customer who'll get impatient and angry if they're treated like a hacker. They're not security guards or trained to spot an attacker, and until that changes then attacks like these will keep happening. Maybe a lawsuit could change their policy but I wouldn't be optimistic about winning against a few of the 100 biggest companies in the world.
[QUOTE=1/4 Life;50674017]Pro tip: Use an authentication app and never rely on two-step verification via something as awful as SMS. [/QUOTE] Unfortunately 2FA is only as secure as the weakest method of authentication. For instance with Google, even if you have a dedicated offline TOTP device, this attack vector will still work because you can just get an OTP sent via SMS instead.
[QUOTE=TurtleeyFP;50674685]Like other people said, the easiest part of these hacks is social engineering. Customer service reps are hired to be friendly, helpful, and do whatever the customer needs them to do, cause 99.9% of the time it's just a customer who'll get impatient and angry if they're treated like a hacker. They're not security guards or trained to spot an attacker, and until that changes then attacks like these will keep happening. Maybe a lawsuit could change their policy but I wouldn't be optimistic about winning against a few of the 100 biggest companies in the world.[/QUOTE] Right, but as a customer the only pertinent information they'll ever need is about whatever product they need. Customers don't need the personal details, employee #, etc about some rep, and if that comes up it should be an automatic red flag and pass off the call to a manager/supervisor briefing them about the situation. But yeah the friendly, helpful attitude of reps and what not is where social engineering can really be effective.
I should probably up my security on my accounts I haven't done it in ages.
[QUOTE=thelurker1234;50674568]Recovery questions are pretty horrid. Reason is that most of them are stupidly easy for a stranger to find basically just by checking your social media. And the rest can often be easily found out by just chatting someone up. It was actually a somewhat common method of hacking on xbox live, to get recovery answers out of people.[/QUOTE] Whenever something asks for a recovery question I have my password vault randomly generate another password for me and I note that down.
[QUOTE=usaokay;50673793]It's pretty insane that people go the extra distance just to be an asshole to innocent entertainers. Even if you love or hate some Youtubers, stealing information to cause harm is a major dick move.[/QUOTE] I don't think these hackers are doing this just for the sake of being a dick, they probably steal money this way or something.
It sounds like poor training internally. I've worked for a mobile carrier and if there wasn't any data we couldn't see when talking to another colleague, the colleague was obliged to ask you to forward the customer on as they couldn't verify anything 100% for sure via yourself. That said, the security of systems like these is only as strong as the weakest link and it wasn't the first time I'd seen or heard less than stellar colleagues almost hand some of this information out like it was nothing.
the sad thing is a lot of employees at call centers won't read the notes on the account at all, all depends on who you get on the phone with.
[QUOTE=Arc Nova;50675069]the sad thing is a lot of employees at call centers won't read the notes on the account at all, all depends on who you get on the phone with.[/QUOTE] even if they did it wouldn't matter due to the lack of information and education regarding proper security habits online it's amazing that identity theft isn't a bigger thing than it already is
[QUOTE=unrezt;50675124]even if they did it wouldn't matter due to the lack of information and education regarding proper security habits online it's amazing that identity theft isn't a bigger thing than it already is[/QUOTE] I worked at an AT&T call center last summer. What amazed me (besides the 90s era software) was the level of incompetence for general information technology from all levels of staff. After a month there I was already taking on supervisor calls coming in from the call centers in India and the Philippines. The amount of information at the hands of untrained staff is staggering. Addresses, names, birthdays, SSNs, phone numbers, credit ratings, credit card information, banking information, you name it. In the short time that I was there I had several calls where people would ask me for information that they were clearly not entitled to, and hang up immediately after denying them.
"Cell service just dropped" So normal T-Mobile service
[QUOTE=DOG-GY;50673877]As I understood it: T-Mobile called Ethan and recommended he set up a passcode as a security layer. They then gave the passcode to the attacker who called and again impersonated an employee, probably since giving up a code to someone who acts like an employee would be perceived as way more benign than giving up a SS number. They must have called back and used the passcode to verify it was "Ethan", then activated a SIM card on a phone they possess. Once that's active all of Ethan's service goes to the new phone and they can straight up go through 2fa to reset the Google password because the attacker's phone is now the only one able to receive any calls/messages.[/QUOTE] nah, the "passcode" was likely a simple note on the account that most people don't read and the guy called until he got someone who didn't ask for it. [editline]8th July 2016[/editline] [QUOTE=LoneWolf_Recon;50673867]Actual hacking is 90% social engineering, 10% actual computer hacking: [video=youtube;pL9q2lOZ1Fw]http://www.youtube.com/watch?v=pL9q2lOZ1Fw[/video][/QUOTE] this was a nice watch, where can I get more? any documentary stuff like this? love it
[QUOTE=FlamingSpaz;50674723]Unfortunately 2FA is only as secure as the weakest method of authentication. For instance with Google, even if you have a dedicated offline TOTP device, this attack vector will still work because you can just get an OTP sent via SMS instead.[/QUOTE] Also in some cases your phone number would work as a verification step for services where you use a 2FA device/app to get that removed. It really sucks.
[QUOTE=1/4 Life;50674017]Pro tip: Use an authentication app and never rely on two-step verification via something as awful as SMS. Also, H3H3 is a little confused, because emails and contacts aren't going to 'come in' with a sim card change.[/QUOTE] Google Authenticator is fine right?
[QUOTE=RearAdmiral;50674540]It depends on the internal structure of the company. Chances are T-Mobile has a lot of separate departments at different sites that communicate to one another remotely via phone or email, if that's the case then chances are someone in one department doesn't know the name of every single other person in another department. In Ethan's case it sounds like the guy calling at one point was posing as a store rep.[/QUOTE] It's as simple as having a security key that updates every minute or less, that employees quote to one another when communicating across departments. O2 uses that sort of system; of course that itself is probably vulnerable but it'd take some actual computer hacking on top of the social engineering to get that far.
[media]https://twitter.com/JohnLegere/status/751490098240167937[/media] CEO of T-Mobile responded to Ethan on twitter
The CEO of T-Mobile is actually kind of a kickass dude. One of the few who seem to be in touch with reality and not just a drone out for money and money only
[QUOTE=simzboy;50673972]It's scary how far you can get if you sound somewhat official over the phone. [media]https://www.youtube.com/watch?v=h8kWcggio5A&ab_channel=PhoneLosersofAmerica[/media][/QUOTE] I actually just watched a movie the other day about a real life case where someone was able to get a fast food employee apprehended, strip searched by multiple people, made to do jumping jacks nude, get spanked, and then orally raped, [I]just[/I] by saying they were a police officer. [Url=https://en.wikipedia.org/wiki/Strip_search_phone_call_scam]And it was only one of dozens of cases like that.[/url] it's kind of fucking terrifying how you can pull off shit like this by literally just saying you're an authority figure or an official
[QUOTE=TheTalon;50676971][del]The CEO of T-Mobile[/del] is actually kind of a kickass dude. One of the few who seem to be in touch with reality and not just a drone out for money and money only[/QUOTE] His PR team*
[QUOTE=TurtleeyFP;50677565]His PR team*[/QUOTE] Pretty sure he doesn't use a PR team for what he says. He's pretty vocal and foul mouthed. It's great
[QUOTE=Tacooo;50676894][media]https://twitter.com/JohnLegere/status/751490098240167937[/media] CEO of T-Mobile responded to Ethan on twitter[/QUOTE] He's just doing it for the dunnie
[QUOTE=TurtleeyFP;50677565]His PR team*[/QUOTE] He's often very vulgar and direct, saying things such as "The fuckers (at AT&T) hate you." I'm pretty against worshiping any business but this one isn't that bad. [QUOTE=Dr. Doughnut;50677950]He's just doing it for the dunnie[/QUOTE] Oh my, I googled it and got this treat of a photo [thumb]http://www.h3h3productions.com/images/pics/hila5.jpg[/thumb] I just woke up and my day is already perfect
Joke's on them! I still have a slide phone from like 2009!
IMO A lot of these big youtubers should be using HW 2FA. Google supports stuff like yubikey, meaning the hackers would literally have to steal a physical key to gain access to their account.
[QUOTE=glitchvid;50678763]IMO A lot of these big youtubers should be using HW 2FA. Google supports stuff like yubikey, meaning the hackers would literally have to steal a physical key to gain access to their account.[/QUOTE] I remember blizzard doing this stuff back in like 08 with their blizzard authenticators and it was pretty good. Only thing that kinda sucks about this is the lack of support, the only service listed that I use and could use it for is google, facebook, and my password manager (tho, I use a 4096 password-protected RSA key for that so it's pretty good already.)
[QUOTE=CommanderPT;50674332]Sweden is really stupid too. Our SSN equivalent is apparently "public information" so if you just sign up to a website you can access the info of people if I am not mistaken. Somebody tried to steal my dad's identity and buy a phone on contract recently. Takes minimal effort. Luckily my dad intercepted the package and had it returned.[/QUOTE] The difference is that the Swedish SSN equivalent basically doesn't do anything if you obtain it, you might be able to borrow a library book or register someone to something but it's not at all like the American system where you can steal someone's identity with their SSN. It's not stupid at all.