SIM Swapping is a powerful form of fraud in which criminals convince the phone company to switch your phone number to a SIM they control; once they have your phone number, they can bypass the SMS-based two-factor authentication protecting your cryptocurrency wallets, social media accounts, and other valuable systems. Read the rest

Online services increasingly rely on SMS messages for two-factor authentication, which means on the one hand that it's really hard to rip you off without first somehow stealing your phone number, but on the other hand, once someone diverts your SMS messages, they can plunder everything Read the rest

In a paper for IEEE Security, researchers from Cyberpion and Israel's College of Management Academic Studies describe a "Password Reset Man-in-the-Middle Attack" that leverages a bunch of clever insights into how password resets work to steal your email account (and other kinds of accounts), even when it's protected by two-factor authentication. Read the rest

The SS7 vulnerability has long been understood and publicized: anyone who spends $1000 or so for a mobile data roaming license can use the SS7 protocol to tell your phone company that your phone just showed up on their network and hijack all the traffic destined for your phone, including those handy SMSes used to verify sketchy attempts to log into your bank account and steal all your money. Read the rest

Day six! It's also a pretty shitty password. Let's hope he's got 2-factor auth turned on! Also, Trump's still using his insecure personal Android device. Read the rest

Ryan McGeehan, who specializes in helping companies recover from data-breaches, reflects on the worst year of data breaches (so far) and has some sound practical advice on how to reduce your risk and mitigate your losses: some easy wins are to get your staff to use password managers and two-factor authentication for their home computers (since everyone is expected to work in their off-hours, most home computers are an easy way to get into otherwise well-defended networks); and stress-test your network for breach recovery. Read the rest

The Electronic Frontier Foundation has launched a new series, 12 Days of 2FA, in which every installment explains how to turn on two-factor authentication for a range of online services and platforms. Read the rest

The University of Toronto's Citizen Lab (previously) is one of the world's leading research centers for cybersecurity analysis, and they are the first port of call for many civil society groups when they are targeted by governments and cyber-militias. Read the rest

Citizenlab details an "elaborate phishing campaign" against Iranian expats and activists, combining phone-calls from fake Reuters reporters, mostly convincing Google Docs login-screens, and a sophisticated attempt to do a "real-time man-in-the-middle attack" against Google's two-factor authentication. Read the rest