Hacked!

A couple of my colleagues at InvestSmart have had their bank accounts hacked this month and money was stolen. With one of them, the thieves simply rang Telstra, pretended to be him and asked for a new password, which worked! The other was a complicated scam involving placing a call forward on the phone somehow, so that when the bank rang to confirm his identity, the call went to the crooks, who took it from there. As a result, a lot of work has been going on in our company about cyber security, how to protect yourself, and what to do if you’ve been hacked. I thought it would be worthwhile passing on the lessons to you – some of them are obvious, that you probably already know and do, but some may be new. The important thing to note is that this stuff is not going away, and is only getting worse.

What follows is an email to all staff from our technology department. I hope it might help:

Telcos are arguably the weakest link in the online security chain (i.e. Telstra, Optus, Vodafone etc). Here are some things to do & to look out for…

  1. Add a PIN on your telco accounts - contact your mobile carrier and insist that a PIN (of your choosing) be associated with your mobile account (not the PIN used to unlock your phone, but a PIN at the account level). No changes should be made without that PIN being quoted, so insist that a note be placed on your account requesting PIN verification before any changes are made. Real-life cases have shown that a hacker need only know your name, mobile number and date of birth to change almost anything, e.g. porting your phone number to a different carrier altogether, OR adding call forwarding so your calls are diverted to another number without your knowledge. That lets them reset your passwords where a service provider such as Microsoft (i.e. Hotmail and Outlook) calls your number to verify a password reset, or texts verification codes to reset passwords.
  2. Ensure your physical phone is secured via a PIN/Fingerprint/FaceID etc – these options are common on most phones these days. Also, do the same with apps installed on your phone too!
  3. Check the “Call Forwarding” settings on phone – regularly check for unknown “Call forwarding” settings on your phone. Some carriers/phones have call forwarding in place for voicemail services but any unknown/unrecognised number should be treated as suspicious… especially when set to forward “all calls”. If you find a suspicious call forwarding number/setting on your phone, take a screen shot of the number(s) in question, turn off call forwarding (from your device) and contact your telco/carrier immediately. Ask them to remove the call forwarding and insist on getting log/transcript outlining how & when the change was made.

Online Services & Email (e.g. Gmail, Outlook.com, Hotmail, Bigpond etc) & your home WiFi…

  1. Use strong & long passwords – this means a mix of characters (upper & lower case letters, numbers & special characters e.g. !$%() etc) AND… the longer the better!!! I know they are a pain to remember but try for passwords with at least 12 characters.
  2. Turn on two-/multi-factor authentication (2FA or MFA) – wherever possible, enable 2FA/MFA on all online services, particularly those where sensitive or personal information is stored e.g. email services, cloud file storage services (e.g. DropBox), banks, telco accounts, paypal, eBay, Amazon, share trading/investment accounts etc 
  3. Use authenticator mobile apps for 2FA/MFA – given the weakness in the telcos’ processes & security, it’s advised to use an authenticator mobile app wherever possible and disable SMS & voice options for 2FA/MFA. Authenticator apps, although installed on your physical mobile device, are not tied to your phone number. So, even if your phone number were to be ported to another carrier or SMS/call forwarding activated without your knowledge, the authenticator app(s) will still work on your phone. Some examples of authenticator apps include Microsoft Authenticator, Google Authenticator, Authy etc. Generally, you can use your authenticator of choice for multiple services; however, some online services only support a particular vendor OR have their own (e.g. Microsoft have their own authenticator app).
  4. Don’t use the same password everywhere – it’s advisable not to choose one password and use it everywhere online. If someone were to come into possession of your “use-it-everywhere” password (e.g. find it, guess it, crack it) then they may gain access to an array of your online services.
  5. Don’t share or disclose your passwords – for convenience, it’s very easy to simply tell someone else your password so they can access a product or service. This exposes you to both malicious and/or accidental security breaches. Ideally, when multiple people need access to the same product or service, set up individual user accounts for each person, with each account having its own (and differing) password.
  6. Don’t use personal passwords at work – this simply means that the password(s) you use to access work-related services (e.g. email, Office 365, AdminX, Salesforce, Marketo, Intercom, Xero etc) MUST be different to those passwords used for personal products & services. 
  7. Don’t store your passwords insecurely – do not email yourself (or others) your passwords! Do not write your passwords on a post-it note stuck under your keyboard! Do not store passwords in files on your computer(s), mobile phones OR in the “cloud”! The BEST method to store passwords is… committing them to memory! Alternatively, you could use a reputable password manager - please see below
  8. Use password managers – password managers are software programs/apps that can be used to create complex, and differing, passwords for you to use across all of your online services. These password managers keep a list of all your passwords so you don’t have to remember them. They will often have a browser plug-in and a mobile app, so accessing the password for any given service is relatively painless. Be sure to do your research and choose a reputable password manager!
  9. Be vigilant with SMS & Emails alerts - always keep an eye out for (and double check) emails or text messages indicating that a change has been made to one of your accounts. If you didn’t make the changes outlined, then action may be required. 
  10. Check email forwarding & inbox rules – regularly check that there are no suspicious or unrecognised email forwarding settings or inbox rules on your email services e.g. a rule that automatically deletes emails from [email protected] might be a sign that someone has been into your account and could be trying to reset your password.

Software & Apps…

  1. Update your devices’ operating systems - be sure to regularly check for, and install, updates for things like Windows, MacOS, iOS, Android etc. This applies to PCs, mobile phones, tablets, home internet routers/modems etc.
  2. Update your installed applications/programs – again this applies to applications/programs installed on your PCs, phones, tablets etc. Updates to applications/programs can often include security improvements, as well as offering you new features.
  3. Ensure you have anti-malware installed, updated & running – this is the old “anti-virus” software. Viruses are just one beast… the general term is “malware” (short for “malicious software”) and is used to describe viruses, ransomware, spyware, Trojans, and any other type of code or software built with malicious intent. Be sure to install & update your anti-malware software regularly.

Been hacked? Now what? – what to do if you think you have been hacked or been compromised online in any way…

  1. Change ALL passwords wherever possible & turn on 2FA/MFA – try & log in to your major online accounts e.g. banks, email, Paypal, work accounts, social accounts etc and change your passwords AND setup 2FA/MFA asap (hopefully you’ve already done this)! If you can’t access an account, you can try a “password reset”. If this fails, then contact the service provider in question, and raise an urgent/priority “Security Breach” support case with them.
  2. Force a sign-out/log-out of your accounts – a lot of online service providers (e.g. Office 365, Hotmail, Gmail/Google, Facebook etc) have the ability to log your account out of all locations & devices (but it can take up to 24 hours). This will effectively “kick out” any malicious people who are logged in as you. NOTE: you will need access to your account to perform this type of “kick out”… so, it’s important to get back in control of your account ASAP!
  3. Check the “Call forwarding” settings on your phone – if call forwarding has been activated without your knowledge, take a screenshot of the number, delete it and contact your telco. You can also dial *#21# on your mobile phone to get a report of all forwarding settings.
  4. Check email forwarding or inbox rules on all of your email accounts – if you find anything unusual, take a screenshot and remove the rules.
  5. Contact your bank(s) and credit card issuers – let them know you may have been subject to an online security breach/hacking attempt, and ask for their advice on the next steps to secure your accounts e.g. they might suggest putting a temporary block on your credit cards.
  6. Watch your bank accounts, credit cards, paypal, broking/investment accounts etc VERY closely – if you see any suspicious transactions, then report this to your bank, credit card issuer or investment institution immediately. 
  7. Report the incident - you can lodge official reports with these organisations 

   Source: https://www.eurekareport.com.au/investment-news/weekend-briefing-edition-18-2022-dont-buy-the-dips-yet/151307