The ‘SMS As A Recovery Option For Any Of Your Online Accounts Is A Bad Idea’ Viral Post

There is a popular post on FB making the rounds regarding a Mr. Ian Caballero and his recent unfortunate incident with Globe Telecoms. To summarize, his postpaid Globe SIM was replaced (copied) without his authorization. The only time you would usually allow this is when you lose your SIM or it is unusable for some reason.

To make matters worse, his mobile number is used as a factor for recovering passwords to his email accounts, which he in turn uses for his banking. These were quickly taken advantage of: he received a notice from his bank that a fund transfer had occurred, sending P48,000.00 from his account to another bank.

Suffice it to say, Mr. Caballero was having a really, really, REALLY bad day.

A few things I note from his message.

  • These crimes are serious, numerous and grave. Replacing a SIM card without authorization (Crime 1) is serious enough. Using it to hack into email accounts (Crime 2), then using those email accounts to hack into your bank account (Crime 3), and then illegally transferring cash from that account to another (Crime 4) all add salt to an already gaping wound. If and when this person is caught, and she will probably be caught eventually as it can’t be that hard given the clues, she will hopefully be in jail for quite a while.
  • Globe Telecom did not help matters any by refusing to show CCTV footage. In Ian’s message he was already entertaining unsubstantiated information when he mentioned his friend told him ‘it is highly possible that Globe cannot produce footage simply because nobody was an impostor’, etc. If Globe values its customers and values public opinion, it would put a stop to this immediately and address the situation directly by showing the CCTV footage or at least doing something with authority. For the most part that’s all we customers really want to see and feel – that something is being done. If you think about it, that might not even be true – your issue might be just one of a thousand sitting in the inbox of some underpaid clerk in the overloaded complaints section – but if the customer feels his situation is being addressed, it helps alleviate the anger of having something taken from you.
  • The security tips Ian gives in his message are helpful. Yes, you should never share your mobile number if you can help it. This is one of those things IT guys know as a matter of fact (especially IT guys who have worked in the telcos!). There really is no reason you should be sharing your mobile number on FB, for example. Or if you need to do so for something, delete it later. You should also have another email account and distribute any login information between that and your main account.
  • HOWEVER! I take exception to his recommendation on using password managers. I have disliked, continue to dislike and always will dislike any app, web based, browser based or what have you, that is solely meant to maintain passwords. It can use 2560000 bit encryption and I still don’t trust it. There are many reasons why, primarily because I’ve always felt if you call an application a ‘Password Manager’, this is the first thing any hacker would want to hack. It’s akin to putting your jewels into a treasure chest and labelling it ‘TREASURE CHEST!!’ in bold gold lettering. That is probably simplistic, but unfortunately the only solution I can think of is also simplistic: REMEMBER YOUR PASSWORD. Or you can develop tricks like I do, like remember two passwords, then jumble them up to make a third. Or you can hide your password in an innocuous file you keep in your doc folder or text editor on your phone, or an SMS message to yourself (don’t label it ‘password’). Or learn to meditate or take vitamins to improve your memory. Whatever it takes to remember passwords, DO IT. Because unless someone develops a way to hack into your brain soon, that really is the ultimate way to protect it.

I’m very glad Ian wrote his message. It is well written and even updated as events happen. It’s definitely better than anything I would have written if I was in his situation.

We need more people like him to complain when serious crimes such as his occur, and his is a serious crime indeed. I would go as far as saying this is one of, if not the most, serious identity theft situations to happen locally, with the potential of uncovering gaping security flaws in how a major telco handles its customer accounts.

However, like I said above, it is not impossible to solve. The thief left quite a few clues and the NBI (if it comes to that) can move swiftly to fix this.