Facebook just got into the headlines for the wrong reason again! This time, over 419 million records of Facebook users were found online in a database with no password protection. Each record contains a unique Facebook ID and a corresponding mobile number. According to TechCrunch, there are 133 million records from the US, 18 million records from the UK and another 50 million records from Vietnam! According to Engadget, Facebook responded to them and said that the dataset contains a large number of duplicate records. Hence, the actual number of affected users should be about half of 419 million.
Still, to put things into proper perspective: considering that the USA's population is slightly under 330 million, 133 million records represent over 40% of the population! The UK's population is about 67.5 million, which means about 26% of the population is affected. But the worst hit seems to be Vietnam: with a population of about 97 million and 50 million records leaked, over half of Vietnam's population is affected! Even if we account for the duplicate records and halve those numbers, the figures are still quite staggering.
SIM Swapping Scam
You may think that exposing your phone number is no big deal. You might want to think again. Exposing your phone number alone may not do much harm. However, in this case, the database also contains the victim's Facebook ID, gender and country. All of these combined with a little social engineering may lead to a successful SIM swapping scam.
The “SIM swap” scam is a two-step process. First, identity thieves gather the information they need to convince your wireless provider that they are you. This information can include your name, Social Security Number, street address, and the name of your wireless provider. This information can be gathered from a legitimate-looking phishing email. Other fraudsters have also employed a phone scam where they call and impersonate your mobile provider and ask you a series of questions to coax you into revealing the needed data...
After the identity thieves obtain your information, they create a falsified document such as a driver's license and head to your wireless provider’s retail store. Once there, the thieves will claim that they lost “their” phone or damaged “their” SIM card and that it needs to be replaced. After answering a few questions and providing the falsified documents, the fraudsters will be allowed to pick out a new phone (or phones) and your actual phone will stop working immediately...
Once your number is taken over, there is a multitude of things the fraudster can do. The most direct way to make use of your number is to charge purchases (e.g. for a new phone) to your number. If they have somehow also compromised your passwords and you are using your phone as a second authentication factor, then they will have compromised your account totally. Some sites use a mobile OTP as a means to reset your password, so taking over your phone number also means taking control of those accounts. The recent hack of Jack Dorsey's (Twitter's CEO) Twitter account was also likely due to SIM swapping. In addition, the SIM swapping technique has also been used to compromise multiple high-value Instagram accounts and to steal cryptocurrencies.
Such scams are especially effective in countries that do not impose very strong process controls on acquiring or replacing SIM cards, for example developing countries like Vietnam. Vietnam is like my second home and this phone number leak got me worried for the people there. The Vietnamese are avid users of Facebook. Many of them use Facebook for fun and convenience. Sadly, not many are aware of the potential risks around personal data leaks and privacy issues. If you are Vietnamese and reading this post, do help to spread the word!
There are a few ways to mitigate SIM swapping scams. First, the most effective way is to set a PIN for your SIM. Many service providers allow a PIN to be set on your SIM card, and in order to replace it, you will need your PIN. A 4-digit PIN may not be the strongest defense, but it is still quite an effective one to deter fraudsters who just want to try their luck indiscriminately. Unfortunately, not many people are aware that they can set a PIN for their SIM card. I won't attempt to teach you how to set the PIN as different phones have different ways to do it; you will have to Google for the steps meant for your phone.
Next, be aware of social engineering attempts. A seemingly innocent call from a stranger claiming to be from the telecom company and asking for your information might be a social engineering attempt. Always make it a point not to divulge personal information to unsolicited callers or emails before ascertaining the identity of the other party.
Finally, use a stronger second authentication factor and avoid using your phone number as the second factor. Things like Google Authenticator and separate hardware tokens are better alternatives to just a phone number. A phone number was never meant to be a secure means of identifying someone. Somehow or other, phone numbers have become a way to identify an individual even though they were not designed for that. Hence, whenever possible, use a stronger second-factor authentication method.
The world is a dangerous place, so do stay safe and vigilant! Do not fall victim to such scams and let your hard-earned money and investments go down the drain.
This article was created on the Steem blockchain. Check this series of posts to learn more about writing on an immutable and censorship-resistant content platform: