Last bound, Dena Haritos Tsamitis left a work meeting to discover she was unable to get a signal on her cellphone. Fifty-fifty after rebooting the device, she couldn't go service, leaving her unable to contact her college student daughter, who usually communicated with her throughout the day.

"She was frantic, worrying about me, considering she had tried to attain me several times," Tsamitis says she learned when she got abode. "She said she chosen her friend to selection her upwards to look for me, because she was worried about me."

Tsamitis called her phone company for help with the issue, only to detect she had been the victim of fraud.

"The client service representative said, you purchased new phones earlier this afternoon, and therefore we cut the service from the old phone," says Tsamitis. "And I said, no, I didn't, I've been in meetings this afternoon."

When information technology comes to digital security, Tsamitis is about far as from an amateur as could be: She's a professor at Carnegie Mellon Academy, director of the schoolhouse's Data Networking Institute, and a founding director of CMU's CyLab security and privacy institute. Yet information technology was nonetheless easy for criminals armed with fake IDs to purchase new devices and accuse them to her account, a trouble that wasn't resolved until she spent hours on the phone with her carrier and even visited ane of the company's retail stores.

"It's just very frustrating, and the carrier didn't actually accept an appropriate response or guidance as to steps I tin can take," she says. "I was simply overwhelmed and frustrated at the number of hours it took to deal with this."

And while the fraudsters who targeted Tsamitis may take only been looking to steal hardware, other victims of similar crimes have seen attackers also hijack other logins linked to their telephone numbers. Criminals who can trick or hack phone companies into letting them access legitimate customers' accounts tin can use text-message-based password reset tools to proceeds access to individual emails, social media, and even fiscal accounts.

"I was hacked today: my Twitter account, 2 email addresses, & my phone," wrote Blackness Lives Thing activist DeRay McKesson on Twitter last June. "It was non due to passwords, they hacked my phone account itself."

Calling his telephone company, hackers were able to impersonate McKesson, have his telephone number assigned to a new SIM card nether their control and use that to reset his Twitter password through text-based authentication, he wrote. They and then posted a number of tweets to his account, including i endorsing Donald Trump for president.

He isn't the only prominent victim of such an attack: the popular YouTube host known every bit Boogie2988, known for his viral video rants under the proper name "Francis," wrote on Medium last fall that a teenage hacker used a similar technique. The hacker tricked a Verizon employee into rerouting Boogie2988's telephone number to the hacker'due south phone, which allowed the hacker to take control of Boogie2988'southward email, YouTube, social media, and even PayPal accounts.

"PayPal had been raided but luckily they managed to freeze the assets when they realized something was wrong," he wrote. "I had been locked out of my own account though and it took hours on the telephone to regain access."

Other accounts took weeks to recover, wrote the YouTube star, who didn't respond to multiple requests for annotate. And while he and Tsamitis were hacked by criminals who tricked private phone company workers, other criminals have pulled off similar feats by exploiting security holes in phone company networks. Before this year, hackers reportedly drained High german bank accounts past intercepting login confirmation codes sent via text, directing phone company computers to route the texts to their own systems.

Meet Signaling System seven, A Hacker's Best Friend

The attack, and others similar it, relied on an esoteric worldwide computer network known every bit Signaling System 7. It's essentially a decades-one-time parallel internet used past telephone companies to route calls and texts betwixt their systems, and experts say it was built with lilliputian attention to security, since historically phone companies causeless they could trust one another.

"In the 1980s, this is AT&T, they're making an interconnect agreement with British Telecom in the U.Yard.," says Dawood Ghalaieny, CEO of Dublin telecom security visitor Cellusys. "They don't have whatsoever reason for BT to defraud them."

But in the cellphone historic period, the number of companies with access to the global phone network has exploded, and not all telephone companies have the same level of security.

Many of those phone companies have systems connected both to the traditional internet and the phone signaling system. And like all internet-continued systems, they can be compromised by hackers who spot security flaws like out-of-appointment software with vulnerabilities or burn down off targeted phishing attacks to employee inboxes.

Through such hacks, or if an unscrupulous employee allows them admission, fraudsters can send messages through the phone signaling network,  impersonating the hacked company. They contact the victim'south carrier, falsely claiming that the victim is traveling and using their phone on the hacked visitor'southward network. Then, the victim's phone visitor will route the victim's incoming calls and texts to the hacked network. There, instead of being delivered to the victim's telephone, they're passed on to the hackers. Since telephone signaling systems are designed to brand roaming across networks easy, and were congenital without this kind of fraud in listen, hackers are able to steal messages from even some of the most digitally secure phone companies by hacking into a weaker carrier elsewhere in the world.

And while theoretical attacks on the SS7 arrangement take been discussed at estimator security conferences for years–computer security experts even worked with Rep. Ted Lieu, a Democratic Congressman from California, to demonstrate the technique terminal year on threescore Minutes–phone companies have had difficulty fixing the problem.

[Photo: Flickr user Eric Kim]

"Security was never supposed to exist a part of this, then applying security on top of all of this is a bit of a hack," says Ghalaieny. Phone companies are gradually adding tools similar to internet firewalls that can filter out suspicious requests. For case, they can notice if a phone is of a sudden claimed to be connected to a network halfway around the world from where it was recently operating, and and then warning security teams or block the request as clearly fraudulent, he says. And carriers and their security contractors can wait for unusual patterns of requests that could indicate fraud, simply as in other areas of digital security.

"You look for signatures, if you're seeing certain patterns yous proactively either stop them or you notify [security officials] and so they're not happening again," says Pardeep Kohli, CEO of Dallas-area telecom software visitor Mavenir.

How Prophylactic Is 2-Factor Authentication In The Historic period Of Phone Hacking?

To keep data safe from phone company hacks and fraud, many experts advise moving away from SMS-based hallmark whenever possible. Ordinary text messages have recently gained popularity equally office of two-factor authentication, where users log in to systems using 2 proofs of identity, similar knowledge of a countersign and possession of a concrete item. ATMs, which require both a bill of fare and a PIN to withdraw money, are a archetype example. These days, many online services require users to enter a countersign and also a pin number texted to their mobile device earlier they log on to an internet-based service. Just the National Institute of Standards and Technology concluding year stopped recommending SMS for the two-factor practice, thanks to the risk of phone hackers getting access to those texts.

Some companies at present offer alternative approaches, including tools like Google's Authenticator that employ secure algorithms to generate codes on a user's telephone rather than sending them over the airwaves, and apps that send login codes over encrypted connections so that attackers can't read them fifty-fifty if they intercept them.

"Systems similar what we have at Duo are a lot safer considering essentially what they practice is verify who they're talking to, and they actually validate they're talking to the right device," says Steve Manzuik, director of security research at two-gene hallmark provider Duo Security. Duo'south app, like Google Authenticator and some other apps, uses a secret digital key that's only stored on your phone to generate quondam login codes that Duo servers tin can verify came from your device, without needing to send text letters back and forth.

Similar systems are increasingly used by financial institutions to verify banking app users across just checking their passwords, he says.

Simply while in that location's no uncertainty that text-based verification can be vulnerable to hacks and scams, Manzuik argues that in cases where information technology's all that providers offer, it's still ameliorate than simply using passwords.

"It definitely is risky, but it also depends on your personal threat model," he says. "For the boilerplate person, I think having SMS is a lot better than having zero at all.