Before you decide that two-factor authentication is for you, read this, about the $400,000,000.00 heist from FTX. It was so simple, because of the total vulnerability of two-factor authentication, that a young girl could do it with a fake ID at the mobile carrier store, using only an image that her accomplice created with Photoshop or similar software and texted to her:
Highland Park Man Led Hacker Crew's $400 Million Heist From FTX: Feds. Then, if you still don't understand how easy it is to steal 400 million dollars without a gun or a ski mask, read this. It is subject to an understanding, not explained below and beyond the scope of this post, that given certain unusual factors that come into play only with Scubaboard, coupled with certain users' personal histories of repetitive password usage, it may be beneficial for them to use two-factor authentication only on this site:
Vulnerabilities of Two-Factor Authentication Where a Phone Number is One of the Factors:
Two-factor authentication (2FA) is designed to enhance security by requiring two forms of identification before granting access to an account. However, when a SIM card or phone number is used as one of the two factors, there are significant vulnerabilities that can compromise this security measure, and as a result privacy and intelligence experts strongly recommend against using it, for the following reasons.
1. SIM Swapping Attacks
One of the most critical risks associated with using a phone number for 2FA is the potential for SIM swapping attacks. In this scenario, an attacker contacts the victim's mobile carrier, impersonates the victim, and convinces the carrier to transfer the victim's phone number to a new SIM card controlled by the attacker. Once this transfer is successful, the attacker can receive all SMS messages sent to that number, including verification codes or password reset links. This method allows even unsophisticated hackers to gain access to accounts that rely on SMS-based verification, effectively bypassing any password protections in place.
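The defender's side of the SIM-swap scenario above: a service that delivers codes by SMS can refuse or step up delivery when the number's SIM was changed recently or when an unknown device starts asking for codes in a burst. This is an added example, not code from the post; it assumes the service can obtain from a carrier lookup the time the SIM behind a number last changed, and the thresholds, event history and function names are illustrative.

```python
"""Decide whether to deliver an SMS code given SIM-swap risk signals.

Added example. Assumed: `sim_last_changed` comes from a carrier lookup;
thresholds and the sample request history are constructed for illustration.
"""
from __future__ import annotations
from datetime import datetime, timedelta
from typing import Optional

SWAP_LOOKBACK = timedelta(days=3)     # assumed: SIM changed this recently -> number is untrusted
BURST_WINDOW = timedelta(minutes=15)
BURST_LIMIT = 3                       # assumed: more requests than this in the window is a burst


def assess_sms_delivery(now: datetime, device_known: bool,
                        sim_last_changed: Optional[datetime],
                        recent_requests: list[datetime]) -> str:
    """Return 'allow', 'step_up' or 'block' for a pending SMS code.

    A SIM swap moves the number to the attacker's handset, so the code would
    reach them, not the account owner. A number whose SIM changed very
    recently must not carry the only proof of identity, and a burst of code
    requests from an unknown device is exactly what the victim's account sees
    while a swapped SIM is in use.
    """
    swapped_recently = (sim_last_changed is not None
                        and now - sim_last_changed <= SWAP_LOOKBACK)
    burst = sum(1 for t in recent_requests if now - t <= BURST_WINDOW) + 1  # +1: this request
    if swapped_recently and not device_known:
        return "block"      # hijacked number plus unfamiliar device: refuse, notify owner elsewhere
    if swapped_recently or burst > BURST_LIMIT or not device_known:
        return "step_up"    # deliver only after a confirmation that does not go through the number
    return "allow"


def example_run() -> dict:
    """Run the policy over constructed scenarios and return each decision."""
    now = datetime(2024, 1, 15, 10, 0)
    quiet: list[datetime] = []
    burst = [now - timedelta(minutes=m) for m in (1, 4, 9)]   # three requests in 15 min
    return {
        "normal": assess_sms_delivery(now, True, now - timedelta(days=400), quiet),
        "fresh_swap_new_device": assess_sms_delivery(now, False, now - timedelta(hours=2), burst),
        "fresh_swap_known_device": assess_sms_delivery(now, True, now - timedelta(hours=2), quiet),
        "burst_only": assess_sms_delivery(now, True, None, burst),
    }


if __name__ == "__main__":
    for scenario, decision in example_run().items():
        print(f"{scenario}: {decision}")
```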
2. Social Engineering Risks
Attackers often employ social engineering tactics to exploit weaknesses in mobile carrier security protocols. For instance, they may trick customer service representatives into divulging sensitive information or transferring a phone number without proper verification. This vulnerability highlights how easily attackers can manipulate systems designed for user protection.
3. Lack of Encryption
SMS messages are generally unencrypted and can be intercepted relatively easily compared to other communication methods. Although intercepting SMS requires some technical skill and resources, it remains a viable threat vector for attackers who wish to obtain sensitive information like authentication codes.
4. Account Takeover Risks
The use of phone numbers linked directly to accounts creates additional risks if those numbers are reused across multiple platforms or services. If an attacker gains access to one account through SIM swapping or phishing techniques, they may be able to leverage that access to take over other accounts linked to the same phone number.
5. False Sense of Security
Many users believe that enabling 2FA through SMS provides robust security; however, this belief can lead them to neglect other important security practices, such as maintaining strong passwords, using a unique password for each website, and staying vigilant about phishing attempts. This false sense of security may ultimately make users more vulnerable rather than less so.
In summary, while two-factor authentication via SIM cards and phone numbers adds a purported extra layer of security that makes its user "feel good," it is fraught with vulnerabilities that can be exploited by attackers through various simple means such as SIM swapping and social engineering tactics.