Your Text Messages Can be Hacked, Too

Back in 2014, the television program ran a report on a vulnerability in cell phone services that can allow hackers to access, and even text to and from, a smartphone.

Since at least that time, cell phone companies have known about that weakness in their SS7 system—but they haven’t done anything about it.

Using this vulnerability, hackers in Germany recently drained people’s bank accounts by going through their phones, without ever having to get past the victims’ computer security systems.

Other hacks have included intercepting the text messages that carry the second factor of two-factor authentication, giving the hackers access to passwords and the ability to impersonate users inside the users’ own systems.

There are a lot of other very bad things that have come out of the hacks using this vulnerability, but you get the point, hopefully.

Cell phones, in the sights of the wrong people, can be even more vulnerable to attack than a computer system, and once the hacker is in a phone, that phone can lead right through the back door of any computer system it connects to.

What is SS7, you ask?

Signaling System Number Seven, or SS7, is the worldwide cell phone infrastructure that connects one cell network to another (it goes by different names in different countries). It is what allows you to receive text messages from any phone in the world at any place you are. The vulnerability that hackers have been exploiting for the last few years is “a feature, not a bug” of every cell phone service on the planet.

Numerous reports have found that the cell companies have known about the vulnerability for years but (allegedly) refuse to fix it. The weakness is built in, and is actually the strength of the system: SS7 is designed to ease communications, so it automatically trusts a signaling request that arrives from another network. While this open, trusting setup can be exploited by hackers, the phone companies won’t close it, other than through some work-arounds, because closing that hole goes against the entire idea of the system.

That doesn’t help victims of these hacks.

In the German hack, the hackers obtained passwords and other information by intercepting text messages, and then used the SMS-based second factor of two-factor authentication to break into bank accounts.

This is different from, more dangerous than, and less detectable than regular “smishing,” which is the text message version of email phishing. For smishing and phishing the advice is the same: don’t click on any links contained in emails or texts from a sender you don’t know, and immediately delete them and mark them as spam.

The SS7 vulnerability, however, is worse, because, by the time it’s been detected, it’s already too late.

The only real solution to this problem is for each smartphone owner to take responsibility for securing each individual phone, by using only private, app-based texting and then revoking the option for SMS two-factor and account recovery entirely.

Everybody with a smartphone needs to do this, and right now. Kimmell Cybersecurity can work with you to apply these security measures quickly and easily. Give us a call.


October is National Cyber Security Awareness Month

Although every month (and week and day) at Kimmell Cybersecurity is Cyber Security Awareness month, the federal government declares every October National Cybersecurity Awareness Month (NCSAM), and sends out a series of guidelines for businesses to help them with securing their data.

The Department of Homeland Security has said that NCSAM “[…] is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.”

Here are your government’s 9 tips for increasing your business’s cybersecurity, slightly rearranged, and all of which Kimmell Cybersecurity is prepared to assist your business in doing:

First: implement an information security management system. A proper ISMS will include all policies, procedures, guidelines, resources, personnel, equipment, and everything else that is designed to protect your company’s data.

Next, run a data awareness inventory that is designed from the cybersecurity point of view, called an information security risk profile or information security audit. This is an activity that Kimmell Cybersecurity is exceptional at, and will always form the basis of any cybersecurity program. Every company is different, and has different security needs. You need a real pro to assess your security needs.

Third, implement five basic security controls. These are:

  • Firewalls and internet gateways
  • Secure system configuration
  • Control of access to the system
  • Malware protection
  • Patch/upgrade awareness and management

Four: Train, train, train, test, and train and test some more. Make cybersecurity a matter of employee habit.

Five: In reference to the above, implement a system of personal accountability for breaches of cybersecurity protocols. Reduce that system to writing and post it next to every computer.

Six: Beyond limiting system access, also limit physical access. Physically restrict who can reach the system itself, including all desktops, phones, laptops, tablets, etc. If you haven’t gone completely paperless yet, or keep paper backups, make sure those are secured and have limited access. Once a physical document is scanned into the system, have a definitive process for destroying it.

Seven: Have an incident reporting procedure and train employees on it. There are federal laws that require information breaches to be reported in a certain way. Make sure that this is part of the company DNA.

Eight: Have a definitive business continuity plan for a breach that wipes out the company data, or for an emergency like a flood or fire. This includes data backup, both in the cloud and, possibly, physical, as well as, potentially, alternate office space to work from during a disaster.

Nine: Obtain ISO 27001 certification, which is dedicated to cybersecurity. It may or may not prevent a breach, but it falls under “best practices” and may mitigate lawsuit damages (maybe—not giving legal advice here).

And ten—get to these thresholds by employing a dedicated cybersecurity firm—say Kimmell Cybersecurity—to handle all of this for you.

Better safe than sued and out of business!