Bitcoin Forum
September 16, 2019, 05:35:15 PM *
News: If you like a topic and you see an orange "bump" link, click it. More info.
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Privacy at risk using mobile phones. Not only Bitcoin-related.  (Read 215 times)
fillippone
Hero Member
*****
Offline Offline

Activity: 616
Merit: 2437


I drink wine in glass bottles.


View Profile
September 13, 2019, 12:12:01 PM
Last edit: September 13, 2019, 01:42:05 PM by fillippone
Merited by El duderino_ (4), redsn0w (2), HairyMaclairy (1)
 #1

I read this horror story on an Italian newspaper, so I looked for an english version:  

Simjacker attack exploited in the wild to track users for at least two years

Quote
Security researchers have disclosed today an SMS-based attack method being abused in the real world by a surveillance vendor to track and monitor individuals.

"We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals," security researchers from AdaptiveMobile Security said in a report released today.

"We believe this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance."

More info here:
https://simjacker.com/


This reminds me of what can happen with a SIM swap attack:

 My SIM swap attack: How I almost lost $71K, and how to prevent it


Quote
I’m a security-conscious IT professional working in blockchain for 3 years, and was stunned by the ease of the attack and how my normal security precautions failed. While the attack was frustrating and embarrassing, I believe strongly that we must learn from failure — and we must socialize to do better in the future. So I am sharing what happened, what I learned and what we can do better to prevent this kind of fraud.

You can try to apply some precautions, but it's always too little , too late.

How to Protect Yourself Against a SIM Swap Attack

Quote
Perfect security hygiene won’t always keep someone from fooling your carrier, and in fact, they may not even have to; Flashpoint has found some indications that SIM hijackers recruit retail workers at mobile shops to gain access to protected accounts. A comprehensive SIM swap fix would require fundamentally rethinking the role of phone numbers in 2018. “Phone numbers were never intended to be a way to confirm someone’s identity,” says Nixon. “Phone companies were never in the business to sell identity documents. It was imposed on them.”

The good news is, you can take steps to limit the chances that a SIM swap attack will happen to you—and limit the fallout if it does.

This should be a wake up alarm, we all thing we are tech/savy, prudent and operate with good OpSec.
Reality is: the bar not to be hacked is higher than we (Fillippone) tought.

EDIT: Apparently the exploit has long been knwon, but telcos' nevever gasred to fix it, or even worse knew about governments paln about our data:
How I hacked SIM cards with a single text - and the networks DON'T CARE



1581904954
Hero Member
*
Offline Offline

Posts: 1581904954

View Profile Personal Message (Offline)

Ignore
1581904954
Reply with quote  #2

1581904954
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1581904954
Hero Member
*
Offline Offline

Posts: 1581904954

View Profile Personal Message (Offline)

Ignore
1581904954
Reply with quote  #2

1581904954
Report to moderator
joelsamuya
Member
**
Offline Offline

Activity: 532
Merit: 41

https://emirex.com


View Profile
September 13, 2019, 12:19:45 PM
 #2



There  will always be talented (and even genius) people who can use a technology for a different purpose than what we normal people know them for. This case for the mobile phone can be an alarming one all because billions of people can be at risk here if that same hacking technology can be employed to track people without the consent of the individuals involved. In the world where privacy is endangered, this news is making me uneasy but it is good that this brought to light right now so we can be aware and solutions can be done against it.
kingcolex
Legendary
*
Offline Offline

Activity: 2114
Merit: 1226



View Profile
September 13, 2019, 12:27:50 PM
Merited by fillippone (1)
 #3

Don't keep coins on exchanges, don't keep coins on phones and make sure your 2fa isn't sms based. It's an easy way to not take a apart in these. That and don't give your phone number out to everyone, they have to know who to target as well.

Possibly run a second burner phone with just sms and Google auth and other 2fa, nothing else.

THE FIRST DECENTRALIZED & PLAYER-OWNED CASINO
.EARNBET..EARN BITCOIN: DIVIDENDS
FOR-LIFETIME & MUCH MORE.
. BET WITH: BTCETHEOSLTCBCHWAXXRPBNB
.JOIN US: GITLABTWITTERTELEGRAM
bitsurfer2014
Hero Member
*****
Offline Offline

Activity: 770
Merit: 516


View Profile
September 13, 2019, 12:39:10 PM
 #4

I understand that no one is safe in this digital world and we should always be security conscious and practice utmost safeguards and

precautions that will help lessen the possibility of  our security and privacy being compromised! Much better if we lessen our digital

footprints by using these mobile device less frequently. Smiley
yazher
Sr. Member
****
Offline Offline

Activity: 644
Merit: 392



View Profile
September 13, 2019, 12:41:53 PM
 #5

For 2 years? he has some kind of mental illness like he won't stop until he gets what he wants.
this is some serious matters and one of the creepiest story I've ever heard.
Luckily poor people like us are not prone to this kind of attacker even he tracks people like us he gets nothing in return.

smartmixer.io▀  ▀  ▀  ▀  ▀
▄  ▄  ▄  ▄  ▄

▀  ▀  ▀  ▀  ▀
▄  ▄  ▄  ▄  ▄

▀  ▀  ▀  ▀  ▀
▄  ▄  ▄  ▄  ▄

▀  ▀  ▀  ▀  ▀
▄  ▄  ▄  ▄  ▄

▀  ▀  ▀  ▀  ▀
Make your Cryptos untraceable!
(( ███████ ((    TELEGRAM    )) ███████ ))
▄▄███████▄▄
▄███████▀███████▄
▄███▀▀▀ ▄▄▄ ▀▀▀███▄
▄███ ▄▀▀▀   ▀▀▀▄ ███▄
████ █  ▄   ▄█ █ ████
████▌▐▌ ▀█▄█▀ ▐▌▐████
▀████ ▀▄  ▀  ▄▀ ████▀
▀████▄ ▀▄▄▄▀ ▄████▀
▀█████▄▄ ▄▄█████▀
▀▀███████▀▀
.

NO LOGS
▄▄███████▄▄
▄██████▀▀▀██████▄
▄█████▀ ▄▄▄ ▀█████▄
▄██████ ▀   █ ██████▄
███████   █▀  ███████
████████▄ ▄ ▄████████
▀████▀         ▀████▀
▀███   ▄   ▄   ███▀
▀███████████████▀
▀▀███████▀▀
.

NO SIGN-UP
▄▄███████▄▄
▄███████████████▄
▄███████▀   ▀█████▄
▄████▀  ▀      █████▄
████     ▄▀▄  ▀ ▀████
███    ▄▀▄ ▄▀▄    ███
▀███▄▄  ▀█ █▀   ▄███▀
▀████████ ████████▀
▀███████████████▀
▀▀███████▀▀
.

70% COMSN
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
MIX NOW!
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀  ▀  ▀  ▀  ▀
▄  ▄  ▄  ▄  ▄

▀  ▀  ▀  ▀  ▀
▄  ▄  ▄  ▄  ▄

▀  ▀  ▀  ▀  ▀
▄  ▄  ▄  ▄  ▄

▀  ▀  ▀  ▀  ▀
▄  ▄  ▄  ▄  ▄

▀  ▀  ▀  ▀  ▀
Lucius
Legendary
*
Offline Offline

Activity: 1694
Merit: 1522


⚔ Fortis Fortuna Adiuvat ⚔


View Profile WWW
September 13, 2019, 12:49:10 PM
 #6

I'm not at all surprised that someone did something like this, we can say that spying is one big business today. Not only security agencies are involved in this, but also the private sector who then sells the informations to interested parties. There is one big obsession with total control over people, and the technology that exists today is ideal for precisely this kind of surveillance.

However, I think that most users who use smartphones today share their location in some way on a completely voluntary basis via Google services, Viber and similar apps. I see biggest problem is fact that this kind of attacks can do much more than just locate users, and in this regard something like this can be potentially dangerous for those who use crypto wallets on their mobile phones, or any type of 2FA protection.

The company that discovered this is say that they are block attacks, and that they are working with mobile providers and manufacturers of SIM cards to prevent this in future.

AjithBtc
Sr. Member
****
Offline Offline

Activity: 1092
Merit: 259



View Profile
September 13, 2019, 12:52:56 PM
 #7

Being into digitized atmosphere is an advancement, by the same time it has got the highest level of risk. Even a small error could lead to breach and loss of entire funds. We've got various levels of security features, but those were also developed by human.

There will be people who can break this barriers. So, we need to be careful handling all the funds whether through mobile or personal computers. While using through mobile phones it is good to find the trusted application and use it. Most of the issues happen through untrusted application installation.

▄▄▄▄▄▄▄▄▄▀▀
      ▄▄▀▀
      ▄▄▀▀
      ▄▄█▌
     ████
    ▐███▌▐█▄
    ████ ████▄
   ▐███▌  ▀████▄
   ████     ▀███▀
  ▐███▌    ▄▄▄█████
  ████      ▀██████
 ▐███▌ ▄▄▄█████▄▄█▀
 ██████████▀▀▀
▐████▀▀▀
Betller
 █
 █
 █
 █
███
███
███
███
███
███
███

 █
███
███
███
███
███
███
 █
 █
 █
 █
 █

 
 
 █
▄█▄
███
███
███
███
███
███
███
 █

 █
 █
███
███
███
███
███
███
███
███

 
 
 
 
 
 
███
███
███
███
███
▀█▀

 
 █
 █
 █
███
███
███
███
███
 █
 █

 █
 █
 █
 █
███
███
███
███
███
███
███

 █
███
███
███
███
███
███
 █
 █
 █
 █
 █

 
 
 █
▄█▄
███
███
███
███
███
███
███
 █
████
██
██
██
██
██
██
██
██
██
██
██
████
.ANN.████
  ██
  ██
  ██
  ██
  ██
  ██
  ██
  ██
  ██
  ██
  ██
████
Ibizugbe1
Jr. Member
*
Offline Offline

Activity: 213
Merit: 1


View Profile
September 13, 2019, 01:01:57 PM
 #8

This is why I don't engage in random download of Apps, I try to always go through the developers web link just to be very sure of an not installing a phishing app. And friends should be enourage too to follow the develpers weblink and check ratings and developers.

[ IXINIUM ] Transactions In Seconds, Backed By Real 100% Insured Assets.
http://ixinium.io/
target
Legendary
*
Offline Offline

Activity: 1554
Merit: 1015


View Profile WWW
September 13, 2019, 01:13:39 PM
Merited by kingcolex (1)
 #9

When your phone number is known, the risk is there.

Don't keep coins on exchanges, don't keep coins on phones and make sure your 2fa isn't sms based. It's an easy way to not take a apart in these. That and don't give your phone number out to everyone, they have to know who to target as well.

Possibly run a second burner phone with just sms and Google auth and other 2fa, nothing else.

Also don't repost anything related to crypto and brag about how much coins you got in your wallet on your social media account. This is why I don't join the facebook campaigns besides the fact that I have no idea who of my friends are also into crypto. Sharing information can make you a target to a crime. 
hatshepsut93
Legendary
*
Offline Offline

Activity: 1428
Merit: 1111


( ͡° ͜ʖ ͡°)


View Profile
September 13, 2019, 01:37:17 PM
 #10

Don't keep coins on exchanges, don't keep coins on phones

Imagine how Bitcoin's already low adoption would be crippled if everyone stopped keeping their coins on exchanges (lower liquidity) and didn't use mobile wallets (less real-world payments). The better advice is to take as much precautions as possible, and only store amounts that you can afford to lose in those unsecure environments. The rest of the coins should be stored in cold storage. But storing all your coins in cold storage is not very practical, as it hinders your ability to quickly make payments.

coiningz
Jr. Member
*
Offline Offline

Activity: 132
Merit: 7


View Profile
September 13, 2019, 01:45:21 PM
 #11

There are almost no privacy in our days. SIMs have a lot of vulnerabilities (s7, for example), android is the one big security hole.
You can be safe only if you dont use smartphones
bitbunnny
Legendary
*
Offline Offline

Activity: 1974
Merit: 1048


WOLF.BET - Provably Fair Dice Game


View Profile
September 13, 2019, 01:45:40 PM
 #12

When smartphones appeared our privacy disappeared, that is a well known fact.
Unfortunately many people are still very reckless and kepp all sort of data and applications on their phones unprotected. Sometimes they even download all sort of apps from unknown sources and thus endanger their private and financial data.
Cryptocurrencies are very attractive for people with bad intentions and almost everyone of us also has mobile wallet. Make sure to protect it the best you can.

.WOLF.BET.▄███████████▄
███████    ████████████▄
███████    ███████   ▀██
██████████████████    ██
██    ██████████████████
██    ███████    ███████
█████████████    ███████
███████    █████████████
███████    ███████    ██
██████████████████   ▄██
██        ▀███████████▀
██
██

█████
  ███
  ███
  ███
  ███
  ███
  ███
  ███
  ███
  ███
  ███
█████


[/center
Artemis3
Hero Member
*****
Offline Offline

Activity: 560
Merit: 773


★Bitvest.io★ Play Plinko or Invest!


View Profile
September 13, 2019, 01:55:45 PM
 #13

I read this horror story on an Italian newspaper, so I looked for an english version:  

Simjacker attack exploited in the wild to track users for at least two years

Quote
Security researchers have disclosed today an SMS-based attack method being abused in the real world by a surveillance vendor to track and monitor individuals.

"We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals," security researchers from AdaptiveMobile Security said in a report released today.

"We believe this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance."

More info here:
https://simjacker.com/


This reminds me of what can happen with a SIM swap attack:

 My SIM swap attack: How I almost lost $71K, and how to prevent it


Quote
I’m a security-conscious IT professional working in blockchain for 3 years, and was stunned by the ease of the attack and how my normal security precautions failed. While the attack was frustrating and embarrassing, I believe strongly that we must learn from failure — and we must socialize to do better in the future. So I am sharing what happened, what I learned and what we can do better to prevent this kind of fraud.

You can try to apply some precautions, but it's always too little , too late.

How to Protect Yourself Against a SIM Swap Attack

Quote
Perfect security hygiene won’t always keep someone from fooling your carrier, and in fact, they may not even have to; Flashpoint has found some indications that SIM hijackers recruit retail workers at mobile shops to gain access to protected accounts. A comprehensive SIM swap fix would require fundamentally rethinking the role of phone numbers in 2018. “Phone numbers were never intended to be a way to confirm someone’s identity,” says Nixon. “Phone companies were never in the business to sell identity documents. It was imposed on them.”

The good news is, you can take steps to limit the chances that a SIM swap attack will happen to you—and limit the fallout if it does.

This should be a wake up alarm, we all thing we are tech/savy, prudent and operate with good OpSec.
Reality is: the bar not to be hacked is higher than we (Fillippone) tought.

EDIT: Apparently the exploit has long been knwon, but telcos' nevever gasred to fix it, or even worse knew about governments paln about our data:
How I hacked SIM cards with a single text - and the networks DON'T CARE

Truth is, OpSec and smartphone is something that doesn't normally go together. Unless you have one of the rare (non Android) Linux phones, installed and secured by yourself, instead of the usual android/ios...

The Android ecosystem is very vulnerable and exploits have been occurring nonstop. Its almost as dangerous as running Windows in a PC, thanks to its closed proprietary software ecosystem, and "shortcuts" taken in its OS design.

Would be interesting to see if Huawei's OS fares any better. At least they promised to provide the source code...



.
.BIG WINNER!.
[15.00000000 BTC]


▄████████████████████▄
██████████████████████
██████████▀▀██████████
█████████░░░░█████████
██████████▄▄██████████
███████▀▀████▀▀███████
██████░░░░██░░░░██████
███████▄▄████▄▄███████
████▀▀████▀▀████▀▀████
███░░░░██░░░░██░░░░███
████▄▄████▄▄████▄▄████
██████████████████████

▀████████████████████▀
▄████████████████████▄
██████████████████████
█████▀▀█▀▀▀▀▀▀██▀▀████
█████░░░░░░░░░░░░░████
█████░░░░░░░░░░░░▄████
█████░░▄███▄░░░░██████
█████▄▄███▀░░░░▄██████
█████████░░░░░░███████
████████░░░░░░░███████
███████░░░░░░░░███████
███████▄▄▄▄▄▄▄▄███████

██████████████████████
▀████████████████████▀
▄████████████████████▄
███████████████▀▀▀▀▀▀▀
███████████▀▀▄▄█░░░░░█
█████████▀░░█████░░░░█
███████▀░░░░░████▀░░░▀
██████░░░░░░░░▀▄▄█████
█████░▄░░░░░▄██████▀▀█
████░████▄░███████░░░░
███░█████░█████████░░█
███░░░▀█░██████████░░█
███░░░░░░████▀▀██▀░░░░
███░░░░░░███░░░░░░░░░░

██░▄▄▄▄░████▄▄██▄░░░░
████████████▀▀▀▀▀▀▀██
█████████████░█▀▀▀█░███
██████████▀▀░█▀░░░▀█░▀▀
███████▀░▄▄█░█░░░░░█░█▄
████▀░▄▄████░▀█░░░█▀░██
███░▄████▀▀░▄░▀█░█▀░▄░▀
█▀░███▀▀▀░░███░▀█▀░███░
▀░███▀░░░░░████▄░▄████░
░███▀░░░░░░░█████████░░
░███░░░░░░░░░███████░░░
███▀░██░░░░░░▀░▄▄▄░▀░░░
███░██████▄▄░▄█████▄░▄▄

██░████████░███████░█
▄████████████████████▄
████████▀▀░░░▀▀███████
███▀▀░░░░░▄▄▄░░░░▀▀▀██
██░▀▀▄▄░░░▀▀▀░░░▄▄▀▀██
██░▄▄░░▀▀▄▄░▄▄▀▀░░░░██
██░▀▀░░░░░░█░░░░░██░██
██░░░▄▄░░░░█░██░░░░░██
██░░░▀▀░░░░█░░░░░░░░██
██░░░░░▄▄░░█░░░░░██░██
██▄░░░░▀▀░░█░██░░░░░██
█████▄▄░░░░█░░░░▄▄████
█████████▄▄█▄▄████████

▀████████████████████▀




Rainbot
Daily Quests
Faucet
d_eddie
Hero Member
*****
Offline Offline

Activity: 966
Merit: 844



View Profile
September 13, 2019, 02:14:38 PM
 #14

Truth is, OpSec and smartphone is something that doesn't normally go together. Unless you have one of the rare (non Android) Linux phones, installed and secured by yourself, instead of the usual android/ios...

The Android ecosystem is very vulnerable and exploits have been occurring nonstop. Its almost as dangerous as running Windows in a PC, thanks to its closed proprietary software ecosystem, and "shortcuts" taken in its OS design.

Would be interesting to see if Huawei's OS fares any better. At least they promised to provide the source code...

Huawei software is a joke. Horrible bloat without a use, and you can't delete any of it. This could appear to be unrelated, but it's a prime sign of sloppy thinking. Besides, they are not giving out bootloader unlock codes, because "the user experience could be worsened by customizations". Yes, that's their official response. So you're in their hands - no alternative option.

I'll believe a software vendor cares about security when they slim the software down to reasonable sizes. Going full open source would be another green mark.
fillippone
Hero Member
*****
Offline Offline

Activity: 616
Merit: 2437


I drink wine in glass bottles.


View Profile
September 16, 2019, 11:49:25 AM
 #15

Android is a semi-closed environment under the control of Google (otherwise it wouldn't be possible for Google to ban Huawei from using it)
Apple is a closed environment under the control of Apple (I think nobody can argue  with that)
Other solution are totally sub-par, considering support, efficiency and number of available applications.
Yes, I do think mobile security is fundamentally broken.
Critical apps should be taken away from mobile, inconvenient truth.

mazdafunsun
Full Member
***
Offline Offline

Activity: 462
Merit: 121


send and receive money instantly, with no hidden c


View Profile
September 16, 2019, 02:58:32 PM
 #16

SMS based attacks in my view is just the tip of the iceberg.
Backdoors in popular apps are affecting 10s of millions of users, not to mention the surveillance of Facebook app. There are rumors that Whatsapp will also soon be spying on us.

fillippone
Hero Member
*****
Offline Offline

Activity: 616
Merit: 2437


I drink wine in glass bottles.


View Profile
September 16, 2019, 03:02:27 PM
 #17

While you can be exempt from being spied by apps, simply not installing them and keeping your system clean, it is difficult being tracked down by this GSM exploit, as it happens automatically, without user interaction, whatever the system  software is.
So bigger threat: caused by just having a mobile in your hand.

isaac_clarke22
Member
**
Offline Offline

Activity: 826
Merit: 37

★777Coin.com★ Fun BTC Casino!


View Profile
September 16, 2019, 03:28:23 PM
 #18

It seems to be applicable also to those who uses mobile phone to reset their passwords in social media and I've seen quite few of those just for an experiement. Good thing that they're willing to add a layer of security by adding 2fa using Authy or Google Auth.
For crypto, I've never stored my coins in any exchanges even the reputated ones like Binance even if the info leak didn't happen yet that time . It is just seemingly causing me to be anxious that a large exchange is handling my own bought coins rather than me.

jake zyrus
Full Member
***
Offline Offline

Activity: 798
Merit: 121



View Profile
September 16, 2019, 03:41:39 PM
 #19

There's really a risk in digital world. It's the cons of technology nowadays. Although technology wasn't made with that purpose, it's the abusing people who are inevitable. Especially we all know that most people now have a lot of important information on their cellphones. As we depend on technology like our phones with our privacy, we become more vulnerable. Crypto is not an exemption. It's more vulnerable for bad people that's why we should always be careful with what we do in our phones and social media

Nadziratel
Sr. Member
****
Offline Offline

Activity: 952
Merit: 284


★777Coin.com★ Fun BTC Casino!


View Profile
September 16, 2019, 04:13:41 PM
 #20

There's really a risk in digital world. It's the cons of technology nowadays. Although technology wasn't made with that purpose, it's the abusing people who are inevitable. Especially we all know that most people now have a lot of important information on their cellphones. As we depend on technology like our phones with our privacy, we become more vulnerable. Crypto is not an exemption. It's more vulnerable for bad people that's why we should always be careful with what we do in our phones and social media

There's a proverb in my country. The door doesn't last to the thief. Of course we have to take precautions, but I don't think we have much luck when the thief is malicious. Like I said, there's no need to make an obsession. Just take precautions.

Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!