WebProNews

Tag: Krebs on Security

  • Hackers Reportedly Compromised T-Mobile 100+ Times in 2022

    Hackers Reportedly Compromised T-Mobile 100+ Times in 2022

    T-Mobile does not have a good reputation when it comes to cybersecurity, and that’s about to get a whole lot worse.

    T-Mobile has had multiple cybersecurity breaches over the last few years, impacting tens of millions of users and costing the company hundreds of millions in settlements. Unfortunately, that may be just the tip of the iceberg, according to a new report from Krebs on Security.

    According to Krebs, three different hackers groups claim to have accessed the company’s internal systems:

    Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

    The hackers’ goal was SIM-swapping, a term for when a hacker is able to gain control over a victim’s cellphone number.

    The data regarding attacks was collected by monitoring various Telegram channels used by the hacker groups. The message “Tmobile up!” or “Tmo up!” was posted anytime a hacker successfully SIM-swapped a target.

    Krebs initially planned on counting the instances for all of 2022, working backward from the end of the year. Unfortunately, the number of hacks racked up much faster than anticipated.

    But by the time we got to claims made in the middle of May 2022, completing the rest of the year’s timeline seemed unnecessary. The tally shows that in the last seven-and-a-half months of 2022, these groups collectively made SIM-swapping claims against T-Mobile on 104 separate days — often with multiple groups claiming access on the same days.

    It’s unclear why T-Mobile is suffering so many of these attacks. While there are similar efforts against Verizon and AT&T, the number of successful attempts is far less. Some experts believe the magenta carrier is not doing enough to secure its systems.

    “These breaches should not happen,” said Nicholas Weaver, a UC Berkeley researcher. “Because T-Mobile should have long ago issued all employees security keys and switched to security keys for the second factor. And because security keys provably block this style of attack.”

    For its part, T-Mobile told Krebs it is combating the issue while also emphasizing it is an industry-wide problem.

    “And we are constantly working to fight against it,” the statement reads. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more. We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”

    There is evidence to suggest the company is making progress, with the hacker groups complaining that their access after a successful swap is being severed much sooner than before. Some have even theorized that T-Mobile’s security team may be monitoring the Telegram channels.

    While it’s encouraging to see T-Mobile is making progress, it’s still disturbing that the company is experiencing this many breaches.

  • IRS Backtracks, Ends Bid to Require Facial Recognition

    IRS Backtracks, Ends Bid to Require Facial Recognition

    The IRS is backtracking on its plans to require facial recognition to access online accounts, following backlash from security and privacy experts.

    The IRS announced in mid-January that it was partnering with ID.me, with plans to require facial recognition for users accessing their online accounts. As Krebs on Security documented, the process involved in setting up facial ID was relatively complicated. Meanwhile, security experts and customers worried about the implications of people’s biometric data being collected.

    According to The New York Times, the Treasury Department is now abandoning the plan, despite awarding ID.me an $86 million contract.

    “The I.R.S. takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said Charles P. Rettig, the agency commissioner. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

    The agency is evidently working on an alternative method of identification that will not involve facial recognition, although it’s unclear at this time what that method may be.

  • IRS Will Require Photo ID and Live Selfie to Access Online Account

    IRS Will Require Photo ID and Live Selfie to Access Online Account

    The IRS will soon begin requiring a photo ID, paired with a live selfie, in order to access online accounts.

    As online security becomes a growing concern, the IRS is taking a major step forward to verify users’ identities. According to Krebs on Security, the IRS is adopting ID.me’s verification service.

    Beginning in the summer of 2022, users looking to access their online IRS accounts will need to upload a copy of their government-issued IDs, such as a driver’s license or passport. Once the document is uploaded, the new system requires the person to use their computer camera or mobile device to film a video selfie, which ID.me then compares to the uploaded photo ID.

    The system then prompts the user for a mobile or landline phone number — not a VoIP service — along with a copy of a social security card, birth certificate, health insurance card, or utility bill. In fact, Krebs reports the system requires two such “secondary identification documents.”

    Users may be understandably concerned about giving over so much personal information to a third-party company, but ID.me founder and CEO Blake Hall told Krebs that if a person signs up “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”

    Despite the hassle, Krebs believes services like ID.me are unavoidable, and may provide significant security benefits.

    Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).