
Microsoft PC hacked with just victim's phone number

WillyW

Traditional media can sometimes put out good PSAs.

 

The victim here had a laptop with a Microsoft sign in (using his hotmail to sign in) and the hacker only used his phone number to access his PC.

 

In Canada you can request your mobile number to be ported to another carrier, so let's say if you want to take your business elsewhere you can easily take your device with its phone number to another carrier if your current carrier does something you don't like.

 

In this case it proved to be a vulnerability:

 

[His number had been]

Quote

It had been fraudulently "ported" — transferred from his Rogers account to a Bell prepaid customer. The fraudster then seems to have used a password retrieval process involving text message verification to gain access to Baran-Chong's Microsoft account, tied to his computer's operating system and a cloud-based file backup service.

(Rogers and Bell are Canadian mobile phone providers)

 

Because the victim used a Microsoft Account to sign in with his computer, and used cloud services to store all his information the hacker was able to gain access to his personal data and attempt to extort him with images he had with intimate partners:

 

Quote

the fraudster threatened to take the attack a step further: send two bitcoins (about $25,000 at the time) "or I'm dropping your sex tapes to all of your coworkers, investors and relatives."

He used cloud services:

Quote

Baran-Chong had several years' worth of photos and videos saved in his cloud account. Among them were clips of him engaging in sex acts with women. (He says the sex was consensual and the women involved have been told of the breach.)

 

If he used something like remote desktop or another remote service like TeamViewer, or the hacker could figure out where he was, there is also the possibility that the hacker could have had remote access to his internal network. Since the hacker had his computer password, they could have easily connected directly to his computer if they were able to figure out which IP address the victim was using, which is not all that difficult.

 

See the full story here:

https://www.cbc.ca/news/technology/phone-porting-extortion-1.5352300

 

Do not:

- Use your phone or email address as the sole form of 2 factor authentication

- Use a Microsoft Account to log in to your PC; use a 'local account' (it also makes it easier for Microsoft to track you and exposes your data to being hacked)

- Use cloud accounts to store sensitive information or media.

- Use weak passwords

 

Do:

- Use a third party authentication app like Authy or other compatible service

- Use a U2F usb key to authenticate your service in addition to a strong password.

 

 


The main issue that I see here is that the "hacker" was able to port the number without him being told about it during the process.

You normally need some information to do so, like your account's PIN, account number, IMEI, personal info on file and what not... If the hacker had all that info... The victim really had some serious security issues.

 

I remember years ago, both carriers manually contacted us when we attempted to switch. The old one trying to retain us and the new one to confirm it all...

But these days, last I did it a few months ago, everything was done online, never got a single phone call or email in the process, needed the account number, pin and address on file, that was all...

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


This happens a LOT, at some point even Linus got problems because someone managed to transfer his number to a new sim.

It's just social engineering, that's it. Happens all the time.

If you want my attention, quote meh! D: or just stick an @samcool55 in your post :3

Spying on everyone to fight against terrorism is like shooting a mosquito with a cannon


1 hour ago, WillyW said:

Do not:

- Use a Microsoft Account to log in to your PC; use a 'local account' (it also makes it easier for Microsoft to track you and exposes your data to being hacked)

Microsoft made this impossible in the latest versions of 1903. if you fresh install it the option to log in with a local account no longer appears. you need to disconnect from the internet in order to get the option back.

She/Her


Misleading.

 

The problem lies with the carriers that don't confirm information. 

 

By doing that the hacker also got access to this guy's WhatsApp, Telegram and probably Facebook and Twitter.

 

Why are you not bashing those services as insecure?

 

If I have your sim card and access to your phone number there are a huge number of services that I can access. 

 

The fault is 100% of the phone companies and wherever the hacker got the info needed to transfer the number. 


2 hours ago, Arika S said:

Very disingenuous title. This exact same thing has been going on for ages and affects every service where password resets are done via sms/phone. 

Seriously, SaaS Superbly Sucks Sticks

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


Not the first time I hear about this, iirc it was even mentioned in the WAN show a few years ago - regardless this is a problem with Canadian carriers, not Microsoft or Windows. Don't use your phone for 2FA if you don't trust your carrier.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


46 minutes ago, Twilight said:

Microsoft made this impossible in the latest versions of 1903. if you fresh install it the option to log in with a local account no longer appears. you need to disconnect from the internet in order to get the option back.

Really? I just did a fresh install a couple of months ago and I could still choose a local account... I think it was 1903 but I'm not sure. Seems pretty dumb. Regardless I guess I can just disconnect the internet next time...

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


1 minute ago, Sauron said:

Really? I just did a fresh install a couple of months ago and I could still choose a local account... I think it was 1903 but I'm not sure. Seems pretty dumb. Regardless I guess I can just disconnect the internet next time...

it's in a recent ISO of 1903. it was a change that's only been present for a month iirc, maybe a little longer. an old iso like you had won't have that change in it. 

She/Her


12 minutes ago, Twilight said:

it's in a recent ISO of 1903. it was a change that's only been present for a month iirc, maybe a little longer. an old iso like you had won't have that change in it. 

I downloaded a brand new image for that fresh installation, but I guess the change could still be more recent than that.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


How does the hacker know his e-mail address AND phone number to start with? And how did he know which carrier he had? This indicates, to me at least, especially that he moved from Rogers to Bell (both Canadian service providers), that it is someone close to him taking revenge. Maybe he even lost his phone.

 

And most Canadians, like the US, are on contracts. You can't easily switch. They first want FULL payment of the remainder of the phone, plus cancellation fees. I think he would notice his phone bill, which the provider requires to be paid first before you can transfer your phone number to another mobile operator. My point is that it is too many things, too well aligned.


Also the better advice: if you plan to put sensitive info in OneDrive with the same PC account, make one which you don't share with anyone.


1 hour ago, Sauron said:

Really? I just did a fresh install a couple of months ago and I could still choose a local account... I think it was 1903 but I'm not sure. Seems pretty dumb. Regardless I guess I can just disconnect the internet next time...

Home edition only, and you need internet access. But yes.


1 minute ago, GoodBytes said:

Home edition only, and you need internet access. But yes.

Oh I see, I have Pro so that explains why I didn't get it.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


2 hours ago, GoodBytes said:

And most Canadians, like the US, are on contracts. You can't easily switch. They first want FULL payment of the remainder of the phone, plus cancellation fees. I think he would notice his phone bill, which the provider requires to be paid first before you can transfer your phone number to another mobile operator. My point is that it is too many things, too well aligned.

Maybe his phone was paid in full already or he was on a contractless agreement with a "bring your own phone" kind of deal, pretty much every carrier does that.

Lots of missing info from the article like how the hacker obtained that info to begin with, etc etc... I'm starting to think it really was someone close to him that just "hacked" him. Would be hard for someone far away to get all the info necessary to do this, even with a keylogger or what not.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


6 hours ago, WillyW said:

Traditional media can sometimes put out good PSAs.

 

The victim here had a laptop with a Microsoft sign in (using his hotmail to sign in) and the hacker only used his phone number to access his PC.

 

In Canada you can request your mobile number to be ported to another carrier, so let's say if you want to take your business elsewhere you can easily take your device with its phone number to another carrier if your current carrier does something you don't like.

 

In this case it proved to be a vulnerability:

 

[His number had been]

(Rogers and Bell are Canadian mobile phone providers)

 

Because the victim used a Microsoft Account to sign in with his computer, and used cloud services to store all his information the hacker was able to gain access to his personal data and attempt to extort him with images he had with intimate partners:

 

He used cloud services:

 

If he used something like remote desktop or another remote service like TeamViewer, or the hacker could figure out where he was, there is also the possibility that the hacker could have had remote access to his internal network. Since the hacker had his computer password, they could have easily connected directly to his computer if they were able to figure out which IP address the victim was using, which is not all that difficult.

 

See the full story here:

https://www.cbc.ca/news/technology/phone-porting-extortion-1.5352300

 

Do not:

- Use your phone or email address as the sole form of 2 factor authentication

- Use a Microsoft Account to log in to your PC; use a 'local account' (it also makes it easier for Microsoft to track you and exposes your data to being hacked)

- Use cloud accounts to store sensitive information or media.

- Use weak passwords

 

Do:

- Use a third party authentication app like Authy or other compatible service

- Use a U2F usb key to authenticate your service in addition to a strong password.

 

 

This has been a known vulnerability for ages. I mean most password resets are based on an email address, which is why it is so important to use very complex passwords for them. I have moved to mostly 2 factor authentication that also requires a fingerprint to retrieve the key (if a soft token). My email password is very complex and I would not be able to remember it if not for a password vault I use that also requires a fingerprint for verification to access.

 

It is always best to use as many variables as possible to require authentication so just because a service only offers 2 factor doesn't mean you can't add a third by requiring some form of biometric system to access it.


This seems like very lucky hacker/thief or directed work (as in the hacker/thief knew the person and knew what he/she was going to get).

 

Don't Canadian mobile providers have remorse time? Like at least in Finland, even if it was possible to move the customer and the number from one provider to the other instantly, they still do it in a couple of days to a couple of weeks just to be extra sure that the customer really wants to change their provider (most of the time the next business day the earlier provider will call the customer and give them the best deal they can give, trying to keep the customer). The only difference is if you get a phone with the contract, but then the phone is its own contract (they like to say that you pay XX€/month for the plan and the phone but legally it's XX€/month for the plan + XX€/month for the phone and you can change the plan whenever you want [there were some cancellation costs back in the day but here where the competition is alive they gave up on those because it was better for them so they can more easily lure people to change their provider]).


Seems more on the phone company than Microsoft. 

 

But yeah using an account *and* cloud storage of course makes you vulnerable,  who would have thought! 

 

It's still on the phone company though, literally WTF 

The direction tells you... the direction

-Scott Manley, 2021

 

Software used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer


13 minutes ago, Mark Kaine said:

Seems more on the phone company than Microsoft. 

 

But yeah using an account *and* cloud storage of course makes you vulnerable,  who would have thought! 

 

It's still on the phone company though, literally WTF 

I am afraid it is cool to smash MS for anything and everything these days.  Any opportunity no matter how erroneous to further internet tropes.

 

The thing that annoys me with these types of threads is that they muddy the issue. Genuine issues we should be raising and being concerned with are getting flooded under all the paranoid BS, and the ensuing debates just confuse the issue. I can guarantee the takeaway from this thread for at least a few people will be don't use Windows security measures, when it should be guard your phone number/email details and be careful where you use them in security.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


15 hours ago, WillyW said:

In Canada you can request your mobile number to be ported to another carrier, so let's say if you want to take your business elsewhere you can easily take your device with its phone number to another carrier if your current carrier does something you don't like.

Ah, so your post title is misleadingly wrong - the only hacking here was that Canadian Cellular providers failed to properly verify ownership of the phone number before allowing the "hacker" (read: social engineer) to port the number to their account. Nothing Microsoft could have done here would have prevented this, and this would have impacted any other accounts also secured using 2FA through this phone number. sigh

Desktop: KiRaShi-Intel-2022 (i5-12600K, RTX2060) Mobile: OnePlus 5T | Koodo - 75GB Data + Data Rollover for $45/month
Laptop: Dell XPS 15 9560 (the real 15" MacBook Pro that Apple didn't make) Tablet: iPad Mini 5 | Lenovo IdeaPad Duet 10.1
Camera: Canon M6 Mark II | Canon Rebel T1i (500D) | Canon SX280 | Panasonic TS20D Music: Spotify Premium (CIRCA '08)


I didn't bother reading the post at all, just the title, so let me guess.

It was social engineering where they had access to a SIM Card by calling a service provider that got tricked, thus giving the """""hacker""""" the means to request a password reset.

 

How far off am I?


16 hours ago, WillyW said:

- Use a Microsoft Account to log in to your PC; use a 'local account' (it also makes it easier for Microsoft to track you and exposes your data to being hacked)

14 hours ago, Twilight said:

Microsoft made this impossible in the latest versions of 1903. if you fresh install it the option to log in with a local account no longer appears. you need to disconnect from the internet in order to get the option back.

After reading the article I don't think this is necessarily a related issue though. The intimate videos were stored on his OneDrive so it didn't really matter how he logged into his personal devices. He hypothetically could have used Ubuntu and used OneDrive through the Firefox Browser.

 

Anyway, I don't know why anyone would store those kind of videos on a public cloud service in the first place. Guy kind of had it coming.

 

The article mentions this:

Quote

His password had been reset and his email address removed as a verification method.

I'm surprised there isn't another verification in place for these kinds of drastic changes to account security. I suppose the verification could have occurred via SMS, which obviously was compromised, but it's still surprising that there wouldn't be a secondary form of verification. In this case it was a single point of failure and had entire access to the account.

22 minutes ago, strajk- said:

I didn't bother reading the post at all, just the title, so let me guess.

It was social engineering where they had access to a SIM Card by calling a service provider that got tricked, thus giving the """""hacker""""" the means to request a password reset.

 

How far off am I?

Right on the money. 
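The "single point of failure" complaint in this post is a policy question: what may a phone-number proof alone do? Below is an added example (not code from the thread or from any real service) of a recovery policy that encodes the two rules a defender would want. First, a reset proven only with a factor weaker than the strongest one enrolled is not applied immediately; it becomes a pending request that every enrolled channel is told about and can cancel during a waiting period. Second, a verification method can only be removed after proving a different method at least as strong as the one being removed, and the removed channel is notified. The strength ranking, the method names and the `article_scenario` replay are all assumptions made for the example.

```python
"""Account-recovery policy model (added example, not the page's code).

Rule 1: a password reset proven only with a factor weaker than the strongest
enrolled factor is delayed and announced to every enrolled channel.
Rule 2: removing a verification method needs proof of a *different* method
at least as strong as the one removed, and the removed channel is told.
Strength ranking and method names are assumptions for this example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Strength(IntEnum):
    SMS = 1           # phone number: can be ported away at the carrier
    EMAIL = 2         # recovery mailbox
    TOTP = 3          # authenticator app
    SECURITY_KEY = 4  # U2F/FIDO hardware key


class PolicyError(Exception):
    """A request the recovery policy refuses."""


@dataclass
class Account:
    methods: dict                      # method name -> Strength
    notifications: list = field(default_factory=list)
    pending_reset: bool = False

    def _notify_all(self, event: str) -> None:
        for name in self.methods:
            self.notifications.append((name, event))

    def _strongest_proven(self, proven: set) -> Strength:
        unknown = set(proven) - set(self.methods)
        if unknown:
            raise PolicyError(f"not enrolled: {sorted(unknown)}")
        if not proven:
            raise PolicyError("no verification method proven")
        return max(self.methods[n] for n in proven)

    def reset_password(self, proven: set) -> str:
        """Immediate reset only when the proof is as strong as the strongest
        enrolled method; otherwise park it as a cancellable pending request."""
        best = self._strongest_proven(proven)
        if best >= max(self.methods.values()):
            self._notify_all("password was reset")
            return "reset"
        self.pending_reset = True
        self._notify_all("password reset requested; cancel within the waiting period")
        return "delayed"

    def cancel_pending_reset(self) -> None:
        self.pending_reset = False

    def remove_method(self, name: str, proven: set) -> Strength:
        """A method never vouches for its own removal, and a weaker proof
        cannot strip a stronger method off the account."""
        if name not in self.methods:
            raise PolicyError(f"not enrolled: {name}")
        others = set(proven) - {name}
        if not others:
            raise PolicyError("a method cannot vouch for its own removal")
        if self._strongest_proven(others) < self.methods[name]:
            raise PolicyError("a weaker method cannot remove a stronger one")
        removed = self.methods.pop(name)
        self.notifications.append((name, "removed as a verification method"))
        self._notify_all(f"verification method {name} removed")
        return removed


def refused(action, *args) -> bool:
    """True when the policy rejects the action."""
    try:
        action(*args)
    except PolicyError:
        return True
    return False


def article_scenario() -> str:
    """Constructed replay of the case in the thread: only a phone number and
    an e-mail address enrolled, and the requester controls the phone number."""
    acct = Account({"phone": Strength.SMS, "email": Strength.EMAIL})
    outcome = acct.reset_password({"phone"})          # delayed, not applied
    assert refused(acct.remove_method, "email", {"phone"})  # email stays
    assert ("email", "password reset requested; cancel within the waiting period") in acct.notifications
    return outcome


if __name__ == "__main__":
    print(article_scenario())  # delayed
```

Under this policy the e-mail address in the quoted article could not have been removed on the strength of the ported number, and the owner would have received the reset notice on the channel the attacker did not control.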


Never use online services as login for an OS, period.

 

14 hours ago, Twilight said:

you need to disconnect from the internet in order to get the option back.

Just sinkhole MS domains, problem solved.

Edited by jagdtigger
