Recovering From A Bank Hack

One of the downsides of technology is that it makes it easier for bad people in distant lands to do bad things. A couple of years ago we got hacked and learned some good security lessons as a result. They might help you avoid finding yourself in a similar situation.

The Backstory:

A couple of years ago, my mobile phone number and Chrissy’s mobile phone number were both fraudulently ported to another carrier – meaning somebody set up fake accounts with a phone carrier in our names, then requested that the new carrier transfer our numbers over from our existing carrier. This is known as “number portability” and was set up years ago to make it easy for people to change service providers. Of course, when they did that, nobody foresaw the day when mobile numbers would be used as authentication for bank accounts, etc. All they needed to provide to port our numbers was our mobile number, name, DOB and address. Pretty easy information to get, especially if they have access to your Facebook profile, etc. The number gets ported over to the new carrier within minutes and our phones were left with “SOS Only”. No signal. No carrier. If you’re lucky, you get an SMS message just before it happens. Chrissy got one – I didn’t. But it wouldn’t have mattered anyway, because we were camping and didn’t have much reception.

Once the hackers have access to your phone number, then any account where you have 2-factor authentication (2FA) connected to that number (eg bank accounts, email accounts, Dropbox, any cloud service) can be lost minutes later. The process is simple. They try to log in to your online account (which requires them to know your email address or bank account number) – and check the “Forgot Password” box. That generates a six-digit code which is sent to the mobile number as a text. They enter that number online and then create a new password. They can also change the email address on the account, the security questions, etc. And, of course, empty the bank accounts – which is what they did to us.

They also took over a couple of my email accounts which, of course, they use to try to find out things like your bank account number, family details (birthdays, names, passport numbers, etc). All of which they can use for further identity theft. All of this took a few minutes from start to finish.

Fortunately we got our money back quickly (although I had to play hardball with the bank). We also got our mobile numbers back; that took a few days. And with those I could retrieve the lost email accounts.

So that’s how it happens. Here’s what I did afterwards to try to prevent it happening again.

  1. Remove my public mobile number from all forms of 2FA.
  2. Where possible, use a physical security token for 2FA for things like bank accounts. I set up new accounts with a new bank, got tokens on our accounts, and locked the accounts down so the token is required for every login. It means always having the token on my person but that’s a small price to pay.
  3. Where a physical token isn’t possible, try to use a Time-based One-Time Password algorithm (TOTP) authentication app, like Google Authenticator. It works for Gmail, Dropbox, Evernote, Stripe, Facebook, Twitter, PayPal, etc. You need to provide a six-digit code for every login and that code is provided by the app on your phone (not the mobile number on the phone). An alternative is something like Yubikey, a USB-based physical token, but support for Yubikey isn’t widespread yet.
  4. Where I can’t use a physical token or GA, I have set up a separate, totally secret mobile number. It’s on a SIM card which is sitting in an old iPhone 4 I had lying around which surprisingly still works. Its only purpose now is to receive 2FA texts. The number will never be made public and therefore should be difficult to fraudulently port.

Hope you find that useful. I highly recommend setting something like this up. ID Fraud is apparently a lot larger (and easier) than I previously understood.

Evernote “Use With Siri” iOS 11

I updated my iPad Pro and iPhone 7 Plus to iOS 11 today and noticed under Settings > Siri & Search > Evernote on the iPad this new “Use With Siri” option. I turned it on, tried a few things, but nothing worked. So I posted on the Evernote forum and DT Low gave me the secret mantra.

“Hey Siri, create a note in Evernote called Testing”

“Hey Siri, find a note in Evernote”

The first time I tried this on the iPad, Siri told me something like “I’m sorry (Dave, but I can’t do that) – you’ll need to open Evernote to continue.” So I let her do that and that’s where the experiment ended. But I tried again, invoking Siri from the lock screen, and TADA. It worked. Now I can create and search notes using Siri! I can die a happy man.
Except – the “Use With Siri” option doesn’t appear on the iPhone 7 Plus and I don’t know why.

Update: Doh! To get it working on the iPhone I just had to update the Evernote app!

Find & Replace in Evernote

Cross posting this solution from the Evernote Support forum.

If you are trying to work out how to find and replace inside Evernote (nb: this is a Mac-only solution), here’s the best current solution (as Evernote doesn’t support it natively for some unknown reason).

  1. CMD-A the text of the note you want to edit.
  2. Right-click inside the note, then “Services ▹ New TextEdit Window Containing Selection”.
  3. Then in TextEdit “Edit ▹ Find ▹ Find & Replace”.
  4. Then copy all and paste back over selection in Evernote.

How To Print Index Cards From Word

I’ve wasted hours of the last couple of weeks trying to work out how to print 3×5 index cards from Word via my Canon MP250. I finally worked it out today and here’s how I did it.

  1. First of all, it’s worth knowing that the Canon MP250 will NOT print 3×5 cards. So stop trying.
  2. It WILL, however, print 4×6 index cards – so go down to your nearest office supplies place and buy some of those.
  3. Open Word and create a new document. Or just use this template I created for you.
  4. If you’re on a Mac, go to FILE>PAGE SETUP and select 4×6
  5. Copy and paste your content into this document.
  6. Place cards in printer vertically (ie with smallest edge at the top)
  7. aaaaand print!

These days I’m using index cards to memorise a bunch of things, including the opening monologue for my documentary about Jesus, the entire text of The Raven by Poe, and a bunch of random facts I want to remember. I’ve tried using Evernote as flash cards over the years, but it just doesn’t work for me. I can carry around flash cards made from index cards in my pocket or briefcase and just test myself whenever I have a few minutes. Sometimes you just can’t beat the old school methods.

Lou Reed Bids Farewell To The Wild Side

This has to be one of the last times Lou ever performed his biggest hit live. I saw him play live twice over the years and never saw him play it.

Speaking of Lou, I stumbled across this VERY high quality live bootleg from 9 October 1974 (the day before my 4th birthday), the “Sally Can’t Dance” Tour, featuring Prakash John on bass but without Dick Wagner and Steve Hunter, who had left his touring band by this stage (ROCK N ROLL ANIMAL was recorded ten months earlier). This was the tour where journalist Nick Kent from NME commented that Lou looked like a “ravaged monkey”.

The latest version of Garageband iOS is really a fun composing tool. I spent my lunchbreak adding a guitar track to a song I’ve been working on. So much fun.

I’ve been working on client stuff all day, now I’m going to try to get in a few hours on the documentary.