I'm sure I've covered this before, but the problem seems to be getting worse (at least overseas), so I thought I'd give everybody a friendly little reminder on this one.
Okay, so you know how some online services will let you authenticate your identity by sending you a PIN via SMS (yeah, even some banks do this)? Well, it turns out that mobile phone service providers aren't super-duper strict on security. So if somebody finds out your phone number, your address, and your date of birth (either through social media, or some company's database leak*), there's a good chance that they'll be able to go to your telco, pretend to be you, say they lost their phone, and get your telephone number diverted to a new SIM card. Now they will be able to go to any online service where SMS authentication is set up, and go through the automated process required to reset your password.
Okay, so at this point, you may be wondering why being able to reset your passwords via SMS is worse than being able to reset them via email. In principle it's not. However, in practice, it's just much, much easier to hijack someone's phone number than it is to hijack their email account. Hopefully, that might change if this becomes a big enough issue.
Until then, it might be best to disable these kinds of services wherever you can.
*Oh, and yes, I'm opting out of the "My Health Record" database. I figure I've survived this long without it, and I carry a slip of paper with my important medical details (blood group, allergies, etc.) in a wallet that I carry everywhere (it's also got my keys in it).
1 comment :
Interesting, thanks - I've never heard of this at all