February 21, 2021 – On February 17, 2021, the FBI released a Private Industry Notification (TLP-White PIN) warning that Emergency Call Centers may be targeted for Denial-of-Service attacks.
All organizations should take notice. Hackers or other unhappy people with little technical knowledge, posing as key personnel in your organization, may easily hijack your main business numbers, effectively shutting your business down. The technique is known as port hacking or port-out fraud.
When combined with a ransomware attack, it becomes a triple threat to the organization’s operation. One, the ransomware itself. Two, count on the network being exfiltrated, meaning all valuable information is extracted, has been thoroughly examined, will be used, and will eventually be held for ransom. Three, your primary business phone line is owned by the actors/hackers, and it will be held for ransom.
Most telephony companies have protections against unauthorized phone porting, but some carriers are easier to fool than others. Whether or not you fall victim to phone porting fraud depends mostly on your provider’s security practices.
Getting your phone number back is difficult, if not impossible, once someone else "owns" it. Phone ransom is an emerging trend; count on it being held for ransom too.
Invoke "Port Validation" with all your telephony companies, including the cell phone carriers of key personnel. Port validation requires device users to create a separate password, which must be entered before the telephony service provider will approve a request to move the number to another phone or account.
There are things you can do to stay on the safe side and protect your organization.
1) Immediately (today), call each of your telephony companies and request that your phone number has a "Port Validation" clause. Ask what it is and how it works, and confirm that it meets your security policy.
2) Include a copy of the "Port Validation" from each telephony company in your Data Breach and Response Plan.
3) At a minimum, use multi-factor authentication as part of the validation; note that cell phones are becoming weak points.
4) Authenticators other than SMS are best, such as Google Authenticator, Microsoft Authenticator, or a product such as Authy, which has multiple functionalities for security purposes.
5) Keep the organization’s static identifiers private, such as the EIN, date filed, effective date, and even the state where the original documents were filed.
6) Zero Trust. Minimize the number of people who have access to corporate authenticators and private information. Use multiple authenticators if you need to be extremely safe.
The bad guys only need your phone number, location, organization’s legal name, physical address, EIN, and account login (which would be exfiltrated in a ransomware attack, or which they will have if it is shared with employees) to execute this technique.
Once they have your phone number, they will answer your calls, take your messages, and have access to your bank accounts, emails, social media accounts, cloud applications, and cloud storage.
With Port Validation in place, your phone number and your organization’s operation should be secure even if you are attacked by hackers or successfully phished.
Don’t let your telephony company, landlines, or cell phones be your weakest link.
Who to contact if you are victimized or suspect a scam or fraud:
– Your local law enforcement’s fraud or cybercrime division
– BBB Scam Tracker
– File a complaint with the Department of Justice (DOJ) on their fraud chart
– Federal Trade Commission at 1-877-FTC-HELP, 1-877-ID-THEFT, or online at www.ftc.gov
– Internet Crime Complaint Center (IC3), which is partnered with the FBI
– FBI: Directly at FBI Tips
– File a report on Fraud.Org
Research by: Karl Norris | DUOLARK Founder & CEO
For more information please contact us (954) 324-3478 | firstname.lastname@example.org | www.duolark.com