T-Mobile, AT&T and other mobile carriers are reminding customers to take advantage of free services that can block identity thieves from easily “porting” your mobile number out to another provider, which allows crooks to intercept your calls and messages while your phone goes dark. Tips for minimizing the risk of number porting fraud are available below for customers of all four major mobile providers, including Sprint and Verizon. Unauthorized mobile phone number porting is not a new problem, but T-Mobile said it began alerting customers about it earlier this month because the company has seen a recent uptick in fraudulent requests to have customer phone numbers ported over to another mobile provider’s network. “We have been alerting customers via SMS that our industry is experiencing a phone number port out scam that could impact them,” T-Mobile said in a written statement. “We have been encouraging them to add a port validation feature, if they’ve not already done so.” Crooks typically use phony number porting requests when they have already stolen the password for a customer account (either for the mobile provider’s network or for another site), and wish to intercept the one-time password that many companies send to the mobile device to perform two-factor authentication. Porting a number to a new provider shuts off the phone of the original user, and forwards all calls to the new device. Once in control of the mobile number, thieves can request any second factor that is sent to the newly activated device, such as a one-time code sent via text message or or an automated call that reads the one-time code aloud. In these cases, the fraudsters can call a customer service specialist at a mobile provider and pose as the target, providing the mark’s static identifiers like name, date of birth, social security number and other information. Often this is enough to have a target’s calls temporarily forwarded to another number, or ported to a different provider’s network. “Port out fraud has been an industry problem for a long time, but recently we’ve seen an uptick in this illegal activity,” T-Mobile said. “We’re not providing specific metrics, but it’s been enough that we felt it was important to encourage customers to add extra security features to their accounts.” In a blog post published Tuesday, AT&T said bad guys sometimes use illegal porting to steal your phone number, transfer the number to a device they control and intercept text authentication messages from your bank, credit card issuer or other companies. “You may not know this has happened until you notice your mobile device has lost service,” reads a post by Brian Rexroad, VP of security relations at AT&T. “Then, you may notice loss of access to important accounts as the attacker changes passwords, steals your money, and gains access to other pieces of your personal information.” Rexroad says in some cases the thieves just walk into an AT&T store and present a fake ID and your personal information, requesting to switch carriers. Porting allows customers to take their phone number with them when they change phone carriers. The law requires carriers to provide this number porting feature, but there are ways to reduce the risk of this happening to you. T-Mobile suggests adding its port validation feature to all accounts. To do this, call 611 from your T-Mobile phone or dial 1-800-937-8997 from any phone. The T-Mobile customer care representative will ask you to create a 6-to-15-digit passcode that will be added to your account. “We’ve included alerts in the T-Mobile customer app and on MyT-Mobile.com, but we don’t want customers to wait to get an alert to take action,” the company said in its statement. “Any customer can call 611 at any time from their mobile phone and have port validation added to their accounts.” Verizon requires a match on a password or a PIN associated with the account for a port to go through. Subscribers can set their PIN via their Verizon Wireless website account or by visiting a local shop. Sprint told me that in order for a customer to port their number to a different carrier, they must provide the correct Sprint account number and PIN number for the port to be approved. Sprint requires all customers to create a PIN during their initial account setup. AT&T calls its two-factor authentication “extra security,” which involves creating a unique passcode on your AT&T account that requires you to provide that code before any changes can be made — including ports initiated through another carrier. Follow this link for more information. And don’t use something easily guessable like your SSN (the last four of your SSN is the default PIN, so make sure you change it quickly to something you can remember but that’s non-obvious). Bigger picture, these porting attacks are a good reminder to use something other than a text message or a one-time code that gets read to you in an automated phone call. Whenever you have the option, choose the app-based alternative: Many companies now support third-party authentication apps like Google Authenticator and Authy, which can act as powerful two-factor authentication alternatives that are not nearly as easy for thieves to intercept. Several of the mobile companies referred me to the work of a Mobile Authentication task force created by the carriers last fall. They say the issue of unauthorized ports to commit fraud is being addressed by this initiative. For more on tightening your mobile security stance, see last year’s story, “Is Your Mobile Carrier Your Weakest Link?“ from https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/
0 Comments
It’s been a busy few weeks in cybercrime news, justifying updates to a couple of cases we’ve been following closely at KrebsOnSecurity. In Ukraine, the alleged ringleader of the Avalanche malware spam botnet was arrested after eluding authorities in the wake of a global cybercrime crackdown there in 2016. Separately, a case that was hailed as a test of whether programmers can be held accountable for how customers use their product turned out poorly for 27-year-old programmer Taylor Huddleston, who was sentenced to almost three years in prison for making and marketing a complex spyware program. First, the Ukrainian case. On Nov. 30, 2016, authorities across Europe coordinated the arrest of five individuals thought to be tied to the Avalanche crime gang, in an operation that the FBI and its partners abroad described as an unprecedented global law enforcement response to cybercrime. Hundreds of malicious web servers and hundreds of thousands of domains were blocked in the coordinated action. The alleged leader of the Avalanche gang — 33-year-old Russian Gennady Kapkanov — did not go quietly at the time. Kapkanov allegedly shot at officers with a Kalashnikov assault rifle through the front door as they prepared to raid his home, and then attempted to escape off of his 4th floor apartment balcony. He was later released, after police allegedly failed to file proper arrest records for him. But on Monday Agence France-Presse (AFP) reported that Ukrainian authorities had once again collared Kapkanov, who was allegedly living under a phony passport in Poltav, a city in central Ukraine. No word yet on whether Kapkanov has been charged, which was supposed to happen Monday. HOW WELL DO YOU REALLY WANT TO KNOW YOUR CUSTOMERS?Lawyers for Taylor Huddleston, a 27-year-old programmer from Hot Springs, Ark., originally asked a federal court to believe that the software he sold on the sprawling hacker marketplace Hackforums — a “remote administration tool” or “RAT” designed to let someone remotely administer one or many computers remotely — was just a benign tool. The bad things done with Mr. Huddleston’s tools, the defendant argued, were not Mr. Huddleston’s doing. Furthermore, no one had accused Mr. Huddleston of even using his own software. The Daily Beast first wrote about Huddleston’s case in 2017, and at the time suggested his prosecution raised questions of whether a programmer could be held criminally responsible for the actions of his users. My response to that piece was “Dual-Use Software Criminal Case Not So Novel.” The court was swayed by evidence that yes, Mr. Huddleston could be held criminally responsible for those actions. It sentenced him to 33 months in prison after the defendant acknowledged that he knew his RAT — a Remote Access Trojan dubbed “NanoCore RAT” — was being used to spy on webcams and steal passwords from systems running the software. Of course Huddleston knew: He didn’t market his wares on some Craigslist software marketplace ad, or via video promos on his local cable channel: He marketed the NanoCore RAT and another software licensing program called Net Seal exclusively on Hackforums[dot]net. This sprawling, English language forum has a deep bench of technical forum discussions about using RATs and other tools to surreptitiously record passwords and videos of “slaves,” the derisive term for systems secretly infected with these RATs. Huddleston knew what many of his customers were doing because many NanoCore users also used Huddleston’s Net Seal program to keep their own RATs and other custom hacking tools from being disassembled or “cracked” and posted online for free. In short: He knew what programs his customers were using Net Seal on, and he knew what those customers had done or intended to do with tools like NanoCore. The sentencing suggests that where you choose to sell something online says a lot about what you think of your own product and who’s likely buying it. Daily Beast author Kevin Poulsen noted in a July 2017 story that Huddleston changed his tune and pleaded guilty. The story pointed to an accompanying plea in which Huddleston stipulated that he “knowingly and intentionally aided and abetted thousands of unlawful computer intrusions” in selling the program to hackers and that he “acted with the purpose of furthering these unauthorized computer intrusions and causing them to occur.” NEVER HAD NO CUSTOMERS TO KNOW?Bleeping Computer’s Catalin Cimpanu observes that Huddleston’s case is similar to another being pursued by U.S. prosecutors against Marcus “MalwareTech” Hutchins, the security researcher who helped stop the spread of the global WannaCry ransomware outbreak in May 2017. Prosecutors allege Hutchins was the author and proprietor of “Kronos,” a strain of malware designed to steal online banking credentials. On Sept. 5, 2017, KrebsOnSecurity published “Who is Marcus Hutchins?“, a breadcrumbs research piece on the public user profiles known to have been wielded by Hutchins. The data did not implicate him in the Kronos trojan, but it chronicles the evolution of a young man who appears to have sold and published online quite a few unique and powerful malware samples — including several RATs and custom exploit packs (as well as access to hacked PCs). MalwareTech declined to be interviewed by this publication in light of his ongoing prosecution. But Hutchins has claimed he never had any customers because he didn’t write the Kronos trojan. Hutchins has pleaded not guilty to all four counts against him, including conspiracy to distribute malicious software with the intent to cause damage to 10 or more affected computers without authorization, and conspiracy to distribute malware designed to intercept protected electronic communications. Hutchins said through his @MalwareTechBlog account on Twitter Feb. 26 that he wanted to publicly dispute my Sept. 2017 story. But he didn’t specify why other than saying he was “not allowed to.” MWT wrote: “mrw [my reaction when] I’m not allowed to debunk the Krebs article so still have to listen to morons telling me why I’m guilty based on information that isn’t even remotely correct.” According to a story at BankInfoSecurity, the evidence submitted by prosecutors for the government includes:
The case against Hutchins continues apace in Wisconsin. A scheduling order for pretrial motions filed Feb. 22 suggests the court wishes to have a speedy trial that concludes before the end of April 2018. from https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/ We are regularly adding new phone and tablet models to the site so that you can book your repair directly online. Take a look at some of the new models added:
iPad Pro 12.9 (2017) Screen Repair
iPad Pro 10.5 (2017) Screen Repair
Samsung Galaxy J5 (2017) Screen Repair
Samsung Galaxy J3 (2017) Screen Repair
Samsung Galaxy A7 (2017) Screen Repair
Sony Xperia L1 Screen Repair
Price: £109.99
HTC U11 Screen Repair
Price: £159.99 See All HTC U11 Repairs
Is you Mobile Phone or Tablet in need of a repair? Look no further than iMend.com. Click here to see our full range of repairs. The post New Models Added – Samsung Galaxy J3/J5 (2017), Google Pixel 2 & 20 Other Models appeared first on iMend Blog. from https://www.imend.com/blog/new-lines-added-google-pixel-2-lg-v30-20-other-models/ In October 2017, KrebsOnSecurity warned that ne’er-do-wells could take advantage of a relatively new service offered by the U.S. Postal Service that provides scanned images of all incoming mail before it is slated to arrive at its destination address. We advised that stalkers or scammers could abuse this service by signing up as anyone in the household, because the USPS wasn’t at that point set up to use its own unique communication system — the U.S. mail — to alert residents when someone had signed up to receive these scanned images. The USPS recently told this publication that beginning Feb. 16 it started alerting all households by mail whenever anyone signs up to receive these scanned notifications of mail delivered to that address. The notification program, dubbed “Informed Delivery,” includes a scan of the front and back of each envelope or package destined for a specific address each day. The Postal Service says consumer feedback on its Informed Delivery service has been overwhelmingly positive, particularly among residents who travel regularly and wish to keep close tabs on any bills or other mail being delivered while they’re on the road. It has been available to select addresses in several states since 2014 under a targeted USPS pilot program, but it has since expanded to include many ZIP codes nationwide. U.S. residents can find out if their address is eligible by visiting informeddelivery.usps.com. According to the USPS, some 8.1 million accounts have been created via the service so far (Oct. 7, 2017, the last time I wrote about Informed Delivery, there were 6.3 million subscribers, so the program has grown more than 28 percent in five months). Roy Betts, a spokesperson for the USPS’s communications team, says post offices handled 50,000 Informed Delivery notifications the week of Feb. 16, and are delivering an additional 100,000 letters to existing Informed Delivery addresses this coming week. Currently, the USPS allows address changes via the USPS Web site or in-person at any one of more than 35,000 USPS retail locations nationwide. When a request is processed, the USPS sends a confirmation letter to both the old address and the new address. If someone already signed up for Informed Delivery later posts a change of address request, the USPS does not automatically transfer the Informed Delivery service to the new address: Rather, it sends a mailer with a special code tied to the new address and to the username that requested the change. To resume Informed Delivery at the new address, that code needs to be entered online using the account that requested the address change. A review of the methods used by the USPS to validate new account signups last fall suggested the service was wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service. Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions. The USPS told me it uses two ID proofing vendors: Lexis Nexis; and, naturally, recently breached big three credit bureau Equifax — to ask the magic KBA questions, rotating between them randomly. KrebsOnSecurity has assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles. It’s also nice when Equifax gives away a metric truckload of information about where you’ve worked, how much you made at each job, and what addresses you frequented when. See: How to Opt Out of Equifax Revealing Your Salary History for how much leaks from this lucrative division of Equifax. All of the data points in an employee history profile from Equifax will come in handy for answering the KBA questions, or at least whittling away those that don’t match salary ranges or dates and locations of the target identity’s previous addresses. Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. Unfortunately, anyone able to defeat those automated KBA questions from Equifax and Lexis Nexis — be they stalkers, jilted ex-partners or private investigators — can see who you’re communicating with via the Postal mail. Maybe this is much ado about nothing: Maybe it’s just a reminder that people in the United States shouldn’t expect more than a post card’s privacy guarantee (which in can leak the “who” and “when” of any correspondence, and sometimes the “what” and “why” of the communication). We’d certainly all be better off if more people kept that guarantee in mind for email in addition to snail mail. At least now the USPS will deliver your address a piece of paper letting you know when someone signs up to look at those W’s in your snail mail online. from https://krebsonsecurity.com/2018/02/usps-finally-starts-notifying-you-by-mail-if-someone-is-scanning-your-snail-mail-online/ It’s finally here! After weeks of anticipation the mobile technology event of the year has arrived! With some of the leading brands in the mobile and tablet industry expected to showcase their latest and greatest pieces of tech, this event is surely not one to miss. The rumours and leaks have been in abundance this year, with big announcements from Nokia, Huawei and Sony expected as well a Samsung’s highly anticipated Galaxy S9 and S9 Plus will be making its first appearance to the public. No matter what the rumours say, it all falls down to the opening day. We will be showing you what you can expect to see in Barcelona today… Say hello to the Samsung Galaxy S9/ S9 Plus Undoubtedly the most anticipated phone of the year, the Samsung Galaxy S9/ S9 Plus has already been unveiled to the press and many journalists and gadget experts have witnessed the flagship device in action. Many of the rumours were true. When glancing at the Samsung Galaxy S9 and the Samsung Galaxy S8, aesthetically, there is not a huge difference between the latest and the latter. But it’s not what’s on the outside that makes this phone so appealing. The phone now boasts an upgraded camera, a fresh facial recognition system and (like the iPhone X) all new AR Emojis? Both the Samsung Galaxy S9 and S9 Plus are available for pre-order come March 2nd for around $719.99. A little bit cheaper than the launch price of the S8, just under a year ago. The Xperia X2 is decent Sony has once again delivered with their latest flagship device. The Xperia X2 is an upgrade for those looking for a smarter and sleeker phone compared to its earlier models. As expected, the camera is once again phenomenal and the phone is following trends with it’s thin bezels. But it’s its brand new features such as a Dynamic Vibration System which makes this device stand out. The system uses vibrations when watching media, enhancing your experience. It’s little brother, the Sony Xperia X2 Compact will also be making an appearance too. Nokia have already been making noise over the past year with the release of the Nokia 7 and the re-release of the classic 3310. This convention, Nokia are showing off four new smartphones including the Nokia 1, Nokia 6, Nokia 7 Plus and the Nokia 8 Sirocco. Hoping to squeeze their way to the top of the mid-range market, Nokia are releasing a flagship phone – the Nokia 8 Sirocco, boasting a beautiful 5.5inch OLED screen, fingerprint scanning and the ever-popular dual camera. Coming in at a whopping $749, is the price just a little too expensive? Last year saw the return of the 3310, this year the banana phone is back. The Nokia 8810, formerly known as the banana phone, is being re-released with a 2018 upgrade. The iconic device now comes with 4G, but don’t worry, still maintains that everlasting battery. New Tablets From Huawei There is very little info on these device at the moment. One thing that can be certain is that there is a range of tablets under the series name: The MediaPad 5. The tablets are expected to be expensive and fall into higher end of the market but information is sparse and these details may change as the week concludes. The LGV30 gets an upgrade It’s big, it’s thin and it looks like the LGV30…. It’s the LGV30S ThinQ. The phone does have some great new features but they are ever so similar to both Samsung and Apple’s recent ventures. AR, bigger storage and a slightly improved camera. There’s not much more to add really… A surprise from Alcatel HQ Alcatel are known for their budget phones. For many, it’s a trusty backup for those that have broken or smashed their main device. Your opinion may be swayed with the recent launch of the Alcatel 5. The latest phone from Alcatel has a number of cool features such as facial recognition, a dual selfie camera and a great display screen which are popular among mid-range and flagship phones, however at just $280, this budget phone packs a hefty punch with a little cost. As you all can imagine, Samsung are currently stealing the show with the Galaxy S9/S9 Plus and after their opening show last night, it is surely going to stay on the lips of all entrants this week. It seems that a lot of the big-named companies have held back this year, which is understandable after observing the snowballing hype for Samsung’s latest flagship phone. However it’s Nokia and Alcatel that have took the press by surprise and it seems that both companies are looking to gain tracks over the next week. If your mobile phone or tablet is in need of a repair, look no further than iMend.com, we are the UK’s leading call-out repair service in the UK. Click here to see our repairs. The post MWC 2018 – Here’s the latest news appeared first on iMend Blog. from https://www.imend.com/blog/mwc-2018-heres-the-latest-news/ Multiple Chase.com customers have reported logging in to their bank accounts, only to be presented with another customer’s bank account details. Chase has acknowledged the incident, saying it was caused by an internal “glitch” Wednesday evening that did not involve any kind of hacking attempt or cyber attack. Trish Weller, director of communications for the retail side of JP Morgan Chase, said the incident happened Wednesday evening, for “a pretty limited number of customers” between 6:30 pm and 9 pm ET who “sporadically during that time while logged in to chase.com could see someone else’s account details.” “We know for sure the glitch was on our end, not from a malicious actor,” Weller said, noting that Chase is still trying to determine how many customers may have been affected. “We’re going through Tweets from customers and making sure that if anyone is calling us with issues we’re working one on one with customers. If you see suspicious activity you should give us a call.” Weller urged customers to “practice good security hygiene” by regularly reviewing their account statements, and promptly reporting any discrepancies. She said Chase is still working to determine the precise cause of the mix-up, and that there have been no reports of JPMC commercial customers seeing the account information of other customers. “This was all on our side,” Well said. “I don’t know what did happen yet but I know what didn’t happen. What happened last night was 100 percent not the result of anything malicious.” The account mix-up was documented on Wednesday by Fly & Dine, an online publication that chronicles the airline food industry. Fly & Dine included screenshots of one of their writers’ spouse logged into the account of a fellow Chase customer with an Amazon and Chase card and a balance of more than $16,000. Kenneth White, a security researcher and director of the Open Crypto Audit Project, said the reports he’s seen on Twitter and elsewhere suggested the screwup was somehow related to the bank’s mobile apps. He also said the Chase retail banking app offered an update first thing Thursday morning. Chase hasn’t responded yet to questions about whether the incident was limited to mobile users, or if the update White mentioned was somehow related. “There’s only so many kind of logic errors where Ken logs in and sees Brian’s account,” White said. “It can be a devil to track down because every single time someone logs in it’s a roll of the dice — maybe they get something in the warmed up cache or they get a new hit. It’s tricky to debug, but this is like as bad as it gets in terms of screwup of the app.” White said the incident is reminiscent of a similar glitch at online game giant Steam, which caused many customers to see account information for other Steam users for a few hours. He said he suspects the problem was a configuration error someplace within Chase.com “caching servers,” which are designed to ease the load on a Web application by periodically storing some common graphical elements on the page — such as images, videos and GIFs. “The images, the site banner, all that’s fine to be cached, but you never want to cache active content or raw data coming back,” White said. “If you’re CNN, you’re probably caching all the content on the homepage. But for a banking app that has access to live data, you never want that be cached.” “It’s fairly easy to fix once you identify the problem,” he added. “I can imagine just getting the basics of the core issue [for Chase] would be kind of tricky and might mean a lot of non techies calling your Tier 1 support people.” from https://krebsonsecurity.com/2018/02/chase-glitch-exposed-customer-accounts/ iMend.com have recently slashed their prices on numerous iOS and Android Repairs, with big savings on iPhone, Samsung and other major devices. Here are the latest reductions:
iPhone 8 Plus Screen Repair
iPad Pro 9.7 (2016) Screen Repair (LCD)
Samsung Galaxy Note 8 Screen Repair
Was:
NOW: £264.99
Samsung Galaxy S8 Screen Repair
Samsung Galaxy S7 Edge Screen Repair
Samsung Galaxy S6 Edge Screen Repair
Samsung Galaxy S6 Screen Repair
Samsung Galaxy S5 Screen Repair
Samsung Galaxy J5 (2016) Screen Repair
Samsung Galaxy J3 (2016) Screen Repair
Samsung Galaxy A5 (2017) Screen Repair
Samsung Galaxy A5 (2016) Screen Repair
Samsung Galaxy A3 (2017) Screen Repair
Samsung Galaxy A3 (2016) Screen Repair
Sony Xperia XZ Screen Repair
Sony Xperia XA Ultra Screen Repair
LG G6 Screen Repair
LG G5 Screen Repair
Huawei P10 Screen Repair
Huawei P9 Screen Repair
Google Pixel Screen Repair
OnePlus 3 Screen Repair
If your device is in need of a little TLC, look now further than iMend.com. The post Big Reductions on iPhone, Samsung, Sony. LG Huawei & Other Makes appeared first on iMend Blog. from https://www.imend.com/blog/big-reductions-on-iphone-samsung-sony-lg-huawei-other-makes/ |
ABOUT MEHi my name is Anthony I am 32 years old from Houston. I am working in local store selling electronic devices. I have been interested in eclectronics since childhood and I like to reacd about it. Archives
April 2019
Categories |