Comments on Bayou Renaissance Man: I was a victim of the Equifax data breach - and then things got interesting
Blog author: Peter. Feed updated 2024-03-29T09:25:32.972-05:00. 14 comments.

Comment, 2017-09-16T23:19:22.763-05:00

This has become a common cold calling technique, to call and ask for [random name], and seamlessly flow into "well, maybe you can help me" followed by the pitch.

I believe it's mainly a way to limit legal exposure from violating do-not-call lists.

The first couple of times I encountered this, I was actually polite (firm about not providing my name, any words that could be taken as positive, or donating to their cause, but nice about it).
Now, I'm not.
Mostly, I don't answer.
But some have gotten really good at spoofing numbers, and there are a couple of switchboards that I get important information from on a regular basis. (Medical facilities are big believers in Op-Sec.)
In which case, I'll have fun with them if I have the time and am in the mood for it. (Impassioned rants about the dirty so-and-so they're supposedly calling are a favorite of mine. But playing slightly deaf and creatively mishearing what they say is also fun.) It's a lot more effective at getting the calls to stop than blocking spoofed numbers.

Posted by Unknown

Comment, 2017-09-15T22:08:45.932-05:00

Here's what to say to "wrong numbers" that are right numbers: "I'm sorry, there's nobody here by that name".
You can always make up a sufficiently believable pretext if you make a mistake, and the default is that any would-be attacker *simply doesn't get any farther with you*.

As for what I do personally, I operate on the assumption that most call attempts now from unknown callers are some kind of effort to scam me or to extract information from me, and so I simply dump 95% of calls entirely. "Wrong numbers" are sometimes not wrong numbers, but are instead cloaked ways of getting you to reveal information about yourself.

For instance:
"I just got a call from 303-555-9191 which is your number ... who are you and why are you calling me?"

Use a CNAM lookup service: you may already be leaking calling party name (CNAM) ID information on any US numbers. These are usually cheap to use in small volumes and are cheaper yet in large volumes. Some even give out free trial accounts that are suitable for checking out your own numbers.

A would-be attacker could get some of your information and then try to fill in the gaps with CNAM. Having failed at this, the attacker simply calls you and fakes information about your having called him. The truth is that the landline and mobile operators have an accurate list of calls, even if the calls are not billed, and so there's nothing to defend against.

My favourite way of dealing with this:
"I don't know who the hell you are, you just called a fax number in a data center that has been unused for months."

And then promptly block this caller ... *or if you've already been paying attention, you wouldn't have answered this call in the first place*.

Otherwise, welcome to The Wonderful World of Op-Sec.

Posted by Post Alley Crackpot

Comment, 2017-09-15T22:04:54.876-05:00

You have a single phone number that's *tied to everything*?

What happened to defence in depth?

Here's how to do this with phones:
1. Use multiple phone numbers
2. Use voice over IP forwarding so you can direct incoming calls to any of them at any time
3. Use prepaid mobile services *always* -- buy a new prepaid SIM in every country when you travel
4. Never give anyone outside your most trusted circle your primary mobile number
5. Do not use SMS for two-factor authentication (read Borepatch for recent SS7 hacks in Germany: https://borepatch.blogspot.com/2017/05/a-text-message-from-your-bank-is-not.html)
6. Always call people outside your most trusted circle using voice over IP in a way that presents the calling party ID *you want*
7. Use a separate work number *always* and be vigilant about using it specifically for that purpose *only*
8. Implement advanced call filtering or simply route all calls from unknown callers to voicemail (or busy signals for known scammers)
9. Dump all unknown calls to your mobile phones without answering them
10. Have a voicemail greeting that *contains no positive words* (https://www.fcc.gov/consumers/guides/voicemail-system-hacking), such as "yes" or "please", in order to minimise the risk of voice replay attacks with your own voice: "leave a message after the tone"
11. Have a backup phone and voice over IP setup nobody knows about, *including your most trusted circle*, that you can switch to during a full targeted identity compromise
12. Use *tin foil hats* (example in link: http://faradaybag.com/products/phone-shield-ps1-faraday-bag-rf-shielding/) if you are concerned about scans of your phones that are offline

Putting it into practice:
1. Mobile phones: one primary, one spare, one backup, all with active cheap mobile service that doesn't expire or is relatively cheap to maintain over a year (e.g., T-Mobile USA, Petro-Canada Mobility, EE UK, etc.)
2. Voice over IP lines: one primary number, one work number, one number you give out *only* to financial institutions and another *only* to government institutions, plus any inward access (DISA, https://www.myvoipapp.com/docs/mss_services/direct_inward_system_access/index.html) lines you need
3. Voicemail: voice over IP forwarding of voicemail to E-mail with a copy *sent to an account nobody else knows about*
4. The most trusted circle: they get the one primary number and the one active mobile, *and that's all they get*
5. Using voice over IP: use a service that only does prepaid billing so if your account gets hacked, they only get that money, and then get a softphone like Zoiper for Android and learn how to use it
6. Travel: when travelling, set up trip-specific numbers in those countries and then get rid of them when the trip is done
7. The general rule: if anyone new you meet needs a general purpose number to call you, give them the primary voice over IP number or a temporary number you have for that purpose, and establish trust over time

This makes it very easy to sort out *who should be calling on a specific line* -- vetting callers is one of the highest priorities.

I'll offer some specific advice in my next comment.

Posted by Post Alley Crackpot

Comment, 2017-09-15T20:20:22.882-05:00

jeff weimer,
we are deep in also.. medicine...
trying to get out.
God bless you!

Posted by deb harvey

Comment, 2017-09-15T19:22:36.721-05:00

1) The problem with using the Equifax web verification site is that it gives random results, or reports you're exposed if you enter a random number like '123456'.
https://yro.slashdot.org/story/17/09/10/0128214/techcrunch-equifax-hack-checking-web-site-is-returning-random-results

2) As other people have noted, by signing up with Equifax credit monitoring, you give up your right to sue, and agree to binding arbitration.
https://arstechnica.com/tech-policy/2017/09/are-you-an-equifax-breach-victim-you-must-give-up-right-to-sue-to-find-out/

3) Security researcher Brian Krebs has several postings on this (http://krebsonsecurity.com/), and states that the best thing you can do to protect yourself is to "freeze" your credit & only "unfreeze" it when you require it for business. Doing this prevents the problem of "after the fact" notification when someone has used your ID in a fraudulent manner.

Posted by Steve Sky

Comment, 2017-09-15T17:13:40.267-05:00

I checked and Equifax said my info was possibly exposed. If they try to open any accounts with my info the company is gonna die laughing once they see my credit score.

Not my first rodeo with ID theft. I had my SSN and info stolen back in the very early 90s when it was pretty unheard of.
Navigated that mess pre-internet which was lots of sending registered letters, trips to notaries, police reports locally and across the country and hours on the phone. Since then I've had to change debit cards that were breached once a year at least.

In dealing with my own situation and assisting many others it's clear that the CC and other parties aren't interested in ending the fraud. On multiple occasions I gave CC companies and relevant LE agencies all the pertinent info to go make a case against the perpetrators and they just had no interest in pursuing the case. I'd done the actual investigative leg work and had names, addresses, point where the breach occurred, places where merch was sent etc but the police, prosecutors and companies weren't interested. At all.

Posted by Anonymous

Comment, 2017-09-15T15:54:33.168-05:00

I was affected by the OPM data breach a few years ago, and have credit monitoring *gratis* as a result.

I haven't had anything pop up from the Equifax breach yet, although I'm likely affected. Perhaps that's because I don't have much overhead on my credit accounts. I'm not proud of getting so far in debt, but I'm working my way out.

Posted by Jeff Weimer

Comment, 2017-09-15T14:47:32.181-05:00

I notice that all of your references to getting control of phone numbers are for the Big 4 phone companies; is it only happening there, or is it also happening at smaller operators?
I used to be on Verizon and am now with a smaller operator - I've found their phone service VERY difficult to use and rather time consuming; I wonder if that is why they are focusing on large companies with easier-to-get-to-a-person-to-fool systems.
Additionally, I have been dismayed by the number of people who post personal contact info online, mostly on social media, but also on blogs, LinkedIn, and other publicly accessible sites - given that type of info, control of a phone number (and knowing who it belongs to in the first place) is more useful than somebody whose info is harder to find (like mine is).

Aargh, the days we live in ...

Posted by Jonathan H

Comment, 2017-09-15T12:06:16.239-05:00

+100 on DaveS.

I won't say that Credit Monitoring is useless, but it isn't very helpful. You should put a freeze on your credit, which will stop those attacks.

Posted by Borepatch

Comment, 2017-09-15T11:41:34.367-05:00

Perhaps very similar to the information posted above by Anonymous, here's a very good article about credit freezes and why credit monitoring is rather ineffectual. https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

Posted by DaveS

Comment, 2017-09-15T11:24:32.764-05:00

Yep. They (presumably in an attempt to lower their risk of being lynched) recently added a section that allows you to decline that part of the contract...but only if you send a physical letter within the first *30 days* after applying for the year of "free" (automatically renewed at full price, unless you deliberately opt out...because they care, don'tcha know? /sarcasm) protection. Email is not an option.
This fellow has a pretty good summary of the whole issue: (starts at 3:02 into the vid, you can skip to there...oh, and he talks pretty fast [per my parents...I didn't notice, heh] but there are links to his sources in the description box)
https://youtu.be/aS6z0bEpVpM

Posted by Bibliotheca Servare

Comment, 2017-09-15T11:07:16.447-05:00

I have been told that buried in the agreement with Equifax is a section giving up the right to sue them for damages.

Posted by Anonymous

Comment, 2017-09-15T10:59:46.369-05:00

At this point I don't think I'd use Equifax for anything; do you really think their monitoring will be any better than their security? And, as the following link suggests, SSNs and other identifying info don't change, and thieves only have to wait a year to start using them (assuming Equifax's monitoring actually works.) The fact that Equifax waited at least 6 weeks to divulge critical information it is said to have already known is enough to lose my trust for the foreseeable future.

https://www.bloomberg.com/view/articles/2017-09-11/equifax-bungles-the-details-over-and-over-again

Blocking your credit info through all 3 credit reporting agencies is probably a better way to go. You can find detailed instructions for all 3 at Clark Howard's website:

http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/

Good luck,

Goatroper

Posted by Anonymous

Comment, 2017-09-15T10:41:07.076-05:00

Thanks for the info Peter. I have also signed up for monitoring.

Did you see the info about the woman that was in charge of security?

This is going to get interesting:

https://www.hollywoodlanews.com/equifax-chief-security-officer/

Things are getting scrubbed off the internet as the days go by.

Check out her credentials.

Posted by Irish
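
The per-line caller vetting from Post Alley Crackpot's list above (one number per purpose, unknown callers to voicemail, busy signals for known scammers), as an added example that is not part of any comment. All phone numbers, caller lists and function names are constructed, and 10-digit numbers are assumed to be North American.

```python
"""Per-line caller vetting (added example; every number here is constructed)."""
import re

# Hypothetical inbound lines, one per purpose, as in the setup described above.
LINES = {
    "+13035550101": "primary",
    "+13035550102": "work",
    "+13035550103": "financial",
    "+13035550104": "government",
}
# Callers expected on each line (constructed sample data).
EXPECTED = {
    "primary": {"+13035550111"},    # most trusted circle
    "work": {"+13035550122"},       # employer switchboard
    "financial": {"+18005550133"},  # bank callback number
    "government": set(),            # nobody calls this line unannounced
}
KNOWN_SCAMMERS = {"+13035550199"}


def normalize(number: str) -> str:
    """Reduce a presented number to +<digits>; assume NANP for 10 digits."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits if digits else ""


def route(called: str, caller_id: str) -> str:
    """Return 'ring', 'voicemail' or 'busy' for one inbound call."""
    purpose = LINES.get(normalize(called))
    caller = normalize(caller_id)
    if purpose is None:
        return "busy"               # not one of our lines at all
    if caller in KNOWN_SCAMMERS:
        return "busy"
    if caller and caller in EXPECTED[purpose]:
        return "ring"
    # Unknown, withheld, or a familiar caller on the wrong line: caller ID
    # can be spoofed, so a known number alone never makes the phone ring.
    return "voicemail"
```

Because the decision depends on which line was dialled as well as on the presented caller ID, a spoofed familiar number only rings if the caller also knows which line that contact was given.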