Member-only story
The Lore Of Hijacking Systems, Part 1
System: Machine And Method
32 min readJul 20, 2021
Control all vital keys to control the system and the system will be under your mercy. — Re: The system is merely an illusion, 2008-09.28
Law 0: List all knowns and unknowns that may hint the path to the infiltration (and later exfiltration).
Compatible to known system or protocols also means compatible inherit the same limits, flaws and risks.
Law 1: Technology is not a panacea.
Corollary: Technology is not just machines, it is `(Hu)man, machine, method`.Your machines can betray you.
Example Attack:
Attackers do not have to steal your phone. They just have to swap your SIM.
1. The SIM card can be rigged from the start (right from the carrier).
2. Rogue teleco employee can still bypass the security by attacking from the inside.SIM swap fraud: Swapping the line assigned to a SIM card between devices is a legitimate service that allows customers to upgrade or replace a lost or stolen device. SIM swap fraud happens when a customer’s phone number is assigned to a new SIM card and mobile device without their knowledge or consent. Fraudsters may use the victim’s personal information or mobile account information, including phished passwords or fake IDs, to impersonate the real customer and make the SIM card change. Attackers can also ask for specific numbers (which were previously owned by specific mark) to be re-assigned to them. Port out fraud: Porting a phone number occurs when a customer chooses to change carriers but wants to keep their number. Allowing customers to port their numbers is a legitimate practice and an important freedom that helps customers choose carriers and plans that best suit their needs. Fraudulent porting happens when a fraudster gains access to the victim’s mobile account information, often by phishing the account password, to port the victim’s number to a new account at a new carrier.Check on your telco by calling:
1. Set a strong passcode/PIN on your accounts
- Ensure it applies to ALL account changes
- Ensure it applies to all numbers on the account
- Ask them what happens if you forget the passcode (Ask them what happens if you lose that too)
2. Institute a port freeze
3. Institute a SIM lock
4. Add a high-risk flag
5. Close your online web-based management account
6. Block future registration to online management system
7. Hack yourself
- See what…