Intego Mac Security Podcast

How Hackers Can Take Over Your Phone by SIM Swapping – Intego Mac Podcast Episode 340


The popular streaming service Roku was hit with its second data breach this year, and the info of hundreds of thousands of users was exposed. Another Google service has met its end, we’ll tell you about the newest resident of the Google graveyard. And take a deep dive into how hackers use SIM swapping attacks and how you can stop them.


If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.

Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.

Get Apple security news delivered straight to your inbox, for free. Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.


Transcript of Intego Mac Podcast episode 340

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, April 18, 2024.

This week’s Intego Mac Podcast security headlines include: The popular streaming service Roku was hit with its second data breach this year, and the info of hundreds of thousands of users was exposed. Another Google service has met its end; we’ll tell you about the newest resident of the Google graveyard. And SIM swapping phone attacks can be thwarted. We’ll tell you how hackers use SIM swapping attacks and how you can stop them. Now here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:50
Good morning, Josh, how are you today?

Josh Long 0:52
I’m doing well. How are you, Kirk?

What are mercenary attacks and can Apple products be affected by them?

Kirk McElhearn 0:53
I’m doing just fine. Hey, I was wondering something. Have you gotten any emails from Apple? Lately, Apple has been notifying users in 92 countries that they may have been targets in mercenary spyware attacks.

Josh Long 1:03
What’s going on here is if people are trying to break into your Apple account or your Apple ID, then that’s where you’ll get this notification. Once you sign in, you get a little alert across the top that says threat notification. Apple sent you a threat notification via email and iMessage on, and they give the date. And you can click View Details to find out more about that. So this is something that you see after you sign in. But if you haven’t signed in to the web version of your Apple account recently, then at least you should have gotten an email and an iMessage about this at some point previously. And that should be your first clue that somebody, not just anybody but some potentially nation-state-level threat actor, is trying to break into your account for some reason, with mercenary spyware.

Kirk McElhearn 1:53
I love that term mercenary spyware; it sounds like pirates on a sailing ship someplace. It’s important to note that Apple will send you an email and a message notification, but that they will not contain links for you to click on; they will just tell you to sign into your Apple ID account. And when was the last time you signed into your Apple ID account?

Josh Long 2:12
For me it was probably maybe a couple of months ago, something like that. It’s not something I do on a regular basis, just because I don’t have a particular reason to be changing settings there. Pretty much just using the standard apps, I get all the things done that I need to on a regular basis. This is really interesting because, you know, mercenary spyware, which is something that Apple repeats I think about a dozen times in this new support article, is kind of an interesting concept. We don’t really hear about that all that often. But basically, that’s things like Pegasus, right, from the NSO Group. And they do actually specifically mention “such as Pegasus from the NSO Group” in this Apple support article. So it’s something that is a problem. And it really does exist, and Apple is trying to do what they can to at least alert users to the fact that somebody is trying to break into their accounts.

Kirk McElhearn 3:04
I like the way they explain this in the support document. They say “such attacks are vastly more complex than regular cyber criminal activity and consumer malware, as mercenary spyware attackers apply exceptional resources to target a very small number of specific individuals and their devices. Mercenary spyware attacks cost millions of dollars and often have a short shelf life, making them much harder to detect and prevent.” So they are pointing out that they can’t stop these attacks. And we’ve talked about a number of these attacks, often no-click attacks where all it takes is an image to be displayed as a preview. But as you say, they mentioned the NSO Group. And they’re involved in legal action against NSO because of this. So in any case, if you do get an email from Apple, a real email won’t have a link to click; it’ll tell you to go to your Apple ID page, which is apple.com. If you do see a link, then be very careful. Now, most people, when they go to sign in on that site, on iCloud or Apple ID or whatever, their Apple ID and password will autofill because it’s been saved in the iCloud Keychain. If you do end up accidentally clicking the link and go to a page and it doesn’t autofill, then that’s a sign that it’s a phishing page. Because the iCloud Keychain is only going to autofill when it’s on the appropriate domain. And if it goes to a different domain, it won’t autofill.

Josh Long 4:24
I’m glad that you brought up that you shouldn’t click on links in these emails. Because this is something that phishing emails do all the time, right? They lead you to believe that something has happened that might be a potential concern. Like, for example, you might get an email saying that you recently made this purchase on the App Store, right? And if you’re like, wait a minute, I didn’t make that purchase, then that might make you a little bit upset. And now they can copy the official Apple email template exactly, but then add a little line that says “don’t recognize this purchase? click here to dispute this charge” or whatever, some language similar to that, to trick you into clicking on that, and thinking that this is a legitimate email from Apple and that you’re going to get the opportunity to sign into your Apple account. And then that could actually be a phishing page. So be very careful about anything that you get links in: emails, text messages, even iMessages. As we mentioned recently, sometimes criminals even use iMessage.

Kirk McElhearn 5:25
The most common email I get that purports to be from Apple talks about my iCloud storage being full and needing to log in to do something to buy more storage. So Apple will not send you emails with links like that. Now, you may get a receipt from the App Store with a link to go to your account or something. But be very careful if it says, well, you bought this app for $150, and if you don’t think you bought this, click this link. Be very careful; Apple doesn’t do that. In fact, there aren’t many apps that cost that much on the App Store. There’s one that I use to edit podcasts called Logic Pro, which costs $200. And I believe there’s another video app; there are a couple of things that are really expensive, but it’s rare. We’ve talked recently about these fake invoices coming from like the Best Buy Geek Squad, and they’re usually like $1,000. Apple doesn’t have anything like that. Anyway, Apple won’t send you emails asking you to log into the site.

Josh Long 6:16
Logic Pro, by the way, is an Apple app that you can pay for. So it’s pretty rare that any other things are going to cost more than a few dollars.

Kirk McElhearn 6:25
Oh, I don’t know. $50. (Really, there are apps that are $50, $100?) Sure, there are productivity apps that are. Games can cost $50 or $60. Right?

Josh Long 6:33
Oh, that’s interesting. I hadn’t thought about that. But that’s a good point. Obviously, I don’t play a lot of these big title games on my iPhone. Yeah. But yeah, that’s true. The other thing that I see a lot more often is really expensive subscriptions or in-app purchases. A lot of times they try to hook you by giving you a free app, and then making you pay for it later if you want more features.

What is Amazon Sidewalk and do I need it?

Kirk McElhearn 6:54
Okay, I think you told me earlier that you bought some new hardware, and you were confronted with some setup options that you didn’t really like.

Josh Long 7:02
Yeah, so we had an article that we published on the Mac Security Blog about three years ago about Amazon Sidewalk. And this was a newly announced feature that they were going to be enabling for not only Amazon Echo devices, but also Ring cameras. And so starting with particular models that were available at the time, and in all models that have been released ever since then, Amazon has included some technology that allows for devices that don’t belong to you to be able to potentially connect to your Wi-Fi network, through your Amazon devices, including potentially your Ring doorbell, or any Amazon Echoes that might be near enough to the street that people walking by, or dogs walking by, in one example that they give, might be in range. So you could potentially use some Amazon product to track where your dog is, if there’s enough people on your block who are using Amazon devices like this. The problem with that is, well, first of all, it’s pretty creepy to think about the idea of anybody else’s device just being able to freeload off of my network. Even if it’s not that much data, I really don’t like the idea; it makes me very uncomfortable to think about some device of mine, without my explicit permission, giving access to the internet to some other device that doesn’t belong to me, and that I didn’t authorize individually. So this is a setting that you can turn off if that makes you uncomfortable, too. And we have a number of steps that you can go through to make sure this is off in your Alexa app on your phone, and also your Ring app, if you happen to have Ring doorbells. The reason that we thought this was worth mentioning again is because as I was going through the setup process for a new Amazon Echo device that I’m adding to my network, I got a prompt that basically was encouraging me to enable Amazon Sidewalk.
And in the fine print on this screen it said something about if you don’t make any selection here, then we’ll go with whatever you have previously set. And well, there’s only two buttons on that screen: there’s disable and there’s enable, which is highlighted in a bright color to encourage you to tap on that. You know, it’s something that you might have turned off way back when we talked about it three years ago. And it might be back on if you weren’t paying really close attention when setting up a newer device more recently. So we’ll have a link in the show notes to this article. And you can double check that setting in your apps if that interests you.

Kirk McElhearn 9:53
Remember the good old days of “wardriving”?

Josh Long 9:56
Oh yeah. Wardriving was this thing where like people would drive around in a van and travel through a neighborhood, and they would scan all the Wi-Fi networks and figure out like, who’s using what Wi-Fi network and what ones they could get into for free? And what ones they might be able to easily break into, because they were only using WEP encryption, which is super easy to break, and so forth. Yeah, wardriving was the thing. Nobody really has to do that anymore. Because, well, frankly, there’s free Wi-Fi in so many different places now, and you hardly need to really go anywhere to get on Wi-Fi for free.

Roku data breach affects over half-a-million users.

Kirk McElhearn 10:31
Okay, you don’t use a Roku device, do you?

Josh Long 10:34
You know what I actually do own a couple of Roku devices.

Kirk McElhearn 10:38
Have you changed your password recently? Because they had the second major breach of the year. The first one was in March, and it affected 15,000 users, and this one affected 576,000 users. Josh, between last week talking about the AT&T data breach and this week talking about Roku, you really had better check all your passwords and two-factor authentication. Because this was a credential stuffing attack; you’re gonna explain what that means in a minute. And they were able to get partial credit card numbers, according to Roku, for about 400 people, to make unauthorized purchases for subscriptions to streaming services on Roku devices.

Josh Long 11:13
And by the way, if you want to know more about credential stuffing, the short version of that is some past data breach from potentially some other company leaked email addresses and passwords of users as part of that breach. And credential stuffing attacks are basically just password reuse attacks. So somebody takes an existing known combination from some other company’s breach, and then they just retry these across many other sites, or maybe one particular site, if they’re targeting a particular site like Roku, for example. We’ll have an article in the show notes about credential stuffing attacks and more details about what that means. But the best thing that you can do to protect yourself from credential stuffing attacks is just don’t use the same password on more than one site. We’ve mentioned many times before the importance of using a password manager. If you don’t want to pay for a subscription to any password manager, there are legitimate free ones out there. Apple even has their own if you don’t even want to use a third-party one. One good password manager that has a free tier that I recommend is Bitwarden. They also have paid plans as well that offer additional features. So I would suggest that if you haven’t signed up for a password manager yet, at least use Apple’s, because that will give you the ability to have unique passwords on every site. And that’s the way to do this. Because if you’re reusing passwords, you’re absolutely susceptible to credential stuffing attacks. And that is a scary thing.

Does Netflix actually read its users’ Facebook messages?

Kirk McElhearn 12:47
Okay, we have an article which, it’s a bit confusing: “Meta (again) denies that Netflix read users’ private Facebook messages.” Why would Netflix want to read users’ private messages? Were they targeting specific users? Or were they just reading everyone’s messages to know whether they liked the latest Netflix series?

Josh Long 13:07
Well, this whole thing has been spreading on social media recently. But it apparently originated with a report from the New York Times in 2018, claiming that both Netflix and Spotify, by the way, could read users’ private messages, according to some documents that the New York Times said it had obtained. And so even back then Meta was denying those claims. And they put up a blog post called “Facts About Facebook’s Messaging Partnerships.” And they said that Netflix and Spotify did have access to APIs, application programming interfaces, that allowed consumers to send messages with friends about what they’re listening to, or watching, on one of these services. And then this required the companies to have write access, which meant that they could compose messages to friends, and also read access to allow users to read messages back from friends, and delete access. So this sounds like they were giving access to these companies to be able to not only send messages, but also read messages that you had gotten. However, according to this Facebook blog post from back in 2018, “no third party was reading your private messages or writing messages to your friends without your permission. Many news stories imply we were shipping over private messages to partners, which is not correct.” So basically, this is something you would have to opt into. And so you would have to read the fine print and really understand what was going on here. But it’s not something that happens by default; just because you’re using Spotify or Netflix and Facebook does not mean that those services can read your private messages.

Kirk McElhearn 14:49
Okay, we’re gonna take a break. When we come back we’re going to talk about SIM swapping, which is a very serious threat to people’s mobile phones, privacy and security.

Voice Over 15:00
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

Will the UK ban smart phone sales to people under sixteen years old?

Kirk McElhearn 16:15
We want to briefly mention an article that was in The Guardian last week. And this is one of those things that makes us scratch our heads: “UK ministers considering banning sale of smartphones to under-16s.” (Okay, why?) Well, they think that social media is dangerous and smartphones distract people; they’re already starting to ban them in schools, which they should have done a long time ago because you don’t need to be using them in class or in schools or whatever. We don’t want to discuss this too much, because it’s really a complicated issue. But banning smartphones to under 16: does that mean that the kids can’t buy them but the parents can? How do they ensure that parents don’t buy smartphones for kids? Are they going to put them in jail if they do? It seems a little bit ridiculous. You’re trying to stop the conduit for bad content rather than stopping the bad content?

Josh Long 17:06
Yeah, I feel like this is something that parents should be considering. And this is a weird thing for there to be legislation about. Right. But I think you’re also right, that there’s probably not a lot of kids under age 16 who are going to be going out and buying their own smartphones anyway. So yeah, kind of a weird bit of legislation that’s being considered in the UK.

What happened to Google’s VPN called Google One?

Kirk McElhearn 17:27
Okay. Have you ever heard of the Google One VPN service?

Josh Long 17:32
Yeah, I don’t remember if we talked about it on the podcast, but I certainly do remember when this thing was first announced. I was like, really, Google running a VPN service? As if they don’t already have enough of my data. Now they want me to send all of my web traffic and everything else that I’m doing, all my internet traffic, to Google, that they can potentially analyze and use to profile me? Like, heck no, I would never use a VPN service offered by Google.

Kirk McElhearn 18:01
Well, you’re not the only one who thought that, because they’re shutting it down after just four years. Apparently, it hasn’t been popular enough. And it is joining what’s known as the Google graveyard. And I want to link in the show notes to killedbygoogle.com, which lists, as of today, 295 Google services that have been killed off now. Every company kills off services, right, but killing off things like Google Podcasts, which was quite popular, Google Domains, Google Groups, and all the various Google services, it shows that you really can’t trust Google to keep anything alive for very long. Now, it’s true that some of these have morphed into different versions, like Google Hangouts became Google Meet. So it’s not necessarily shut down entirely. But Google is kind of notorious for shutting down services like that. And again, as you say, do you really want Google to have access to all your browsing information through a VPN, which may not be entirely secure?

Josh Long 18:56
I will mention too that we do have some VPN brands that we do recommend. Intego actually has a VPN for Mac and Windows users called Intego Privacy Protection, and we’ll have some more information in the show notes about that.

What is SIM swapping and how do hackers use it?

Kirk McElhearn 19:10
Okay, SIM swapping, this is an interesting thing. A scammer somehow gets access to your phone; they trick the phone company into giving them a new SIM card with your phone number. And once it’s registered in their phone, your phone doesn’t get any of the calls or messages. And this means that, well, since a lot of services send two-factor authentication codes via SMS, SIM swapping could allow malicious users to access your email account, your bank account, your other online accounts. It’s not just that someone can use social engineering to say, oh, I lost my phone, I lost my SIM card. But we’re going to link to a couple of stories about people working for telecom companies doing SIM swaps, one for $1,000, and T-Mobile and Verizon workers have been getting text messages offering $300 for SIM swaps. Now, swapping a SIM like that is a criminal offense, and people could go to jail for it. So I can’t understand why anyone would want $300 for something that they know is illegal. They’ve certainly been trained about how dangerous this is.

Josh Long 20:14
Well, that’s actually a really good point. And yeah, when I first saw $300 in one of these headlines, I was like, you’ve got to be kidding me. So this is something that maybe previously you could pay off an employee at one of these companies that had the right level of access to be able to pull off one of these SIM swap attacks, or help you to pull it off, right. Now, if they’re just reaching out to a whole bunch of employees and offering $300, how many employees are actually going to say, yeah, 300 bucks a pop? Sure, no problem. The thing about this is that if somebody were to say, okay, sure, why not, I could use the extra money, they’re also not considering the fact that, first of all, this is illegal. Or hopefully they do know that. I really hope that employees of all of these mobile phone service companies are being trained on social engineering tactics, and are fully aware that this is very illegal and dangerous and could land you in jail if you go through with this. Now, if they’re not being trained on that, then that’s a serious problem. Because this really is something that everybody who potentially has that level of access needs to have training on, exactly for this reason, because otherwise, SIM swapping attacks are really a big deal. Remember that, you know, a lot of people are using SMS text messages for their two-factor authentication, right? A lot of people don’t have an authenticator app that they’re using as their second factor, or some services may still only offer text messages, or maybe a phone call, as their only two-factor options, which is not great. It’s generally speaking better than not having it enabled at all, because somebody would at least have to go through one of these SIM swapping attacks in order to get that text message or to get that phone call that’s intended for you. It’s a complicated process.
It’s kind of a pain, and somebody really has to be targeting you in order to decide to go through with one of these SIM swapping attacks. So it does require extra steps. And so that’s why, generally speaking, I would say if you have no other option, it’s still fine to use text message based or phone call based two-factor authentication. It’s just if you have any other option, you should be using that instead. They might be authenticator apps, like, for example, Google Authenticator, or Microsoft Authenticator, or Authy, or Okta; all of those have apps that you can get in the App Store that do this exact thing. They act as authenticator apps where you scan a QR code, and now in the future, anytime that you need to get a one-time code, you get it from the app. There’s also things like hardware dongles, like you can get a YubiKey, for example. These usually work with USB-C, or NFC, near-field communication. If you have an older iPhone, for example, that doesn’t have a USB-C port, you can potentially use a YubiKey as your second factor when you’re logging in on your phone. You can also use passkeys; Apple has added support for that recently. And so there’s a number of other things that you can do instead of using a text message, as long as the service that you’re logging into supports that.

Kirk McElhearn 23:35
I’ve noticed some interesting ways of confirming identity. Microsoft has a system now that when you go to log into a Microsoft website, you have to confirm your identity on your phone using the Microsoft app. And what it does is the app gives you a dialog with three two-digit numbers. And the screen where you’re logging in says tap the number 37, or whatever, and you have three options. Steam: I recently got a Steam Deck to play games. And when you log into your Steam account on the Steam Deck, you have to go to the Steam app on your phone and confirm that it’s you. So no one can like steal your Steam Deck, since there’s no protection on it. There’s no password to play on the Steam Deck, so no one can steal your Steam Deck and go buy a whole bunch of games from you. So there are services to do this without using SMS two-factor authentication. So the easiest method of swapping a SIM is to steal someone’s phone. Because if someone steals your iPhone and it’s locked and they can’t get in, they can still get the SIM card out and use your phone number, potentially getting these two-factor authentication codes. There’s one way to protect that, and that’s to put a PIN on your SIM card, and if you do that, this is actually written to the card and the card can’t be reused. If you have an iPhone you can go to Settings, Cellular, SIM PIN and set up a PIN for the SIM card. Different phone carriers in the US have different ways to lock your account so it can’t be transferred. And in this article that we have on the Intego Mac Security Blog, how to protect yourself from SIM swapping attacks, we will get a couple of them. AT&T has a feature on by default that uses a PIN if you want to transfer your number, so you need to enter a PIN to be able to port it. Verizon has something similar; they call it Number Lock. T-Mobile has account takeover protection, and it’s not on by default, whereas for AT&T and Verizon it is. So check with your carrier if they have something like this.
Because, yes, there’s social engineering: someone calls the phone company and says, well, I’ve lost my phone, or my SIM card doesn’t work. But there’s also the fact of paying off employees, and $300 or $1,000, it’s not much. You really need to protect yourself against this. Now, you can also use an eSIM, and an eSIM means that if you’re using an eSIM and your phone is stolen, no one will get the SIM card out. So they can’t use that sort of SIM swapping. And in fact, iPhones sold in the US since the iPhone 14 only support eSIM; they don’t use a physical SIM card. And this of course can be a problem if you travel; you may want to buy a cheap pay-as-you-go SIM card in a different country and you can’t put it in. So that means you have to buy an eSIM in a different country, which might not be as cheap, et cetera; it gets complicated. But eSIMs do prevent someone stealing your phone or finding a lost phone and using the SIM card from that. But you really should check your carrier settings and find out how to set a PIN or a password to prevent your phone number from being transferred.

Josh Long 26:28
So, again, the main takeaways from this: if you get a new phone, at least in the US, you’re going to get one that has an eSIM. So that at least prevents people from being able to grab your phone and pull out your SIM card and use that kind of physical SIM swapping attack. eSIMs are a good thing. Turning on that PIN or number lock or whatever the different carriers call it, that’s a good feature to prevent account takeover as well. And I guess beyond that, the other main takeaway that I would recommend here is that you please, please, if you can avoid it, don’t rely on getting text messages for your second factor, because it’s just not safe. Remember, text messages don’t use any kind of encryption at all. And so that means that potentially anybody who works for your carrier who has that level of access could potentially intercept those messages too, and then log in as you and maybe not forward on that message all the way to your device. So it’s very unlikely that something like that would happen. But let’s say in a scenario where maybe a government agency wants to get into your accounts, and you’re using two-factor authentication, maybe they have a warrant, maybe they went to AT&T or Verizon or T-Mobile and said, we’ve got this warrant, we need to be able to get into their Google account, and they’re using text messaging for their second factor; all we need you to do is just to prevent that text message from going to them and just give it to us instead. That’s the kind of thing that you want to try to avoid. And again, remember this can happen in other countries; you might be visiting another country and get a text message and you have no idea how secure or how corrupt potentially some carrier in some other country might be.

Kirk McElhearn 28:18
Okay, that’s enough for this week. Until next week, just stay secure.

Josh Long 28:21
All right, stay secure.

Voice Over 28:24
Thanks for listening to the Intego Mac Podcast, the voice of Mac security with your host, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.