Security Risks of Relying on a Single Smartphone

Isracard used a single cell phone to communicate with credit card clients, and receive documents via WhatsApp. An employee stole the phone. He reformatted the phone and replaced the SIM card, which was oddly the best possible outcome, given the circumstances. Using the data to steal money would have been much worse.

Here’s a link to an archived version.

Posted on September 8, 2021 at 6:02 AM

Comments

john September 8, 2021 6:22 AM

Gotta wonder what acceptable security is or even if it even exists?

It seems to me that the common factor in poor security is really either Microsoft or Google!

Is it even possible for a phone or a ‘cloud’ to be secure?

I think not!

Ron Helwig September 8, 2021 6:47 AM

This is why I have a problem with Signal. It uses your phone number as the base identity. Doesn’t that mean that all your usage of it is tied to your identity through the phone company, which just gives your info to the bad guys? And then WHEN you change phones all your contacts need to be updated. Your “identity” is tied to the services you use, so you don’t really control it.

On the other hand, I own my email address. I own the domain and have for over 20 years. I control it.

Even better would be a crypto-based ID. That could be at least pseudo-anonymous and maybe truly anonymous.

I don’t think we’ll get decent security until we can control our identities.

Mr. Verhart September 8, 2021 8:38 AM

@xChris: You are correct. Looks like the second “it” refers to the phone and not the SIM.

“In the course of the oversight process, it was found that an internal investigation conducted by Isracard revealed that a company employee had taken possession of the cellphone at the end of a work day, removed its SIM card [containing the phone’s basic identification information and other data], formatted it, associated it with his personal Gmail account and installed his own personal SIM,” the privacy authority’s report stated.

Clive Robinson September 8, 2021 10:59 AM

@ Bruce,

He reformatted the SIM

You’ve been typing faster than you are thinking.

As the archived article indicates the person,

1, Took the phone.
2, Took out the SIM.
3, Reset the phone (to factory default?).
4, Put his own SIM in.

What is not clear is who the employee was position wise. I’m assuming some kind of junior or non core business person (cleaners, janitor, etc). Because stealing the phone is first off not the brightest thing to do for an employee, especially if, as would appear to be the case, they keep it around them…

Winter September 8, 2021 12:58 PM

@Ron Helwig
“Doesn’t that mean that all your usage of it is tied to your identity through the phone company, which just gives your info to the bad guys? ”

Not anymore.

https://nakedsecurity.sophos.com/2020/05/22/signal-secure-messaging-can-now-identify-you-without-a-phone-number/

lurker September 8, 2021 1:49 PM

@Bruce:
Security Risks of Relying on a Single Smartphone

Security risk to whom? Note that in this case the perp erased the phone and had no interest in the data on it. If this had been Joe Blow’s phone, Joe could have had a backup, in the Cloud(!), or on an SD card in the sock drawer; all modern phones have an app that does it prominent in the menus and instructions.

Security risk to Isracard, yes. But for

  • using Whatsapp (the article is not clear, but makes it look like they were)
  • using a cellphone as a client-business server
  • not physically securing their “server”
  • not having backup for their “server”

Security risk for Isracard’s clients, yes. But how can any Joe Blow assess the security worthiness of anyone he wishes to do business with?

Otherwise this is little more than another “theft as a servant” story.

echo September 8, 2021 8:33 PM

I have no apps which can spend money on any of my phones. The one app which is unavoidable and does is passworded at the point of sale and no I never tick the “remember password” box. Good luck cracking that. Yes it’s a pain and yes I need to type it in from a copy stored somewhere else but that is how it is.

And yes my phones are passworded and encrypted and relatively speaking access controlled.

No I don’t have anything showing on the lock screen other than an email address to contact in case my phone is found after being lost or stolen.

While it’s not going to stop an APT I also have a portable safe to put a phone in if for any reason I need to leave it unattended for any period of time. A Tupperware box is handy to keep water out or anything else if you need to take it swimming or even bury it. Not only that you can store sandwiches in it.

My emergency feature phone I sometimes use for travel has nothing on it other than any number I need to use at the time.

If anyone did break through and abused any details in my address book they would have bigger worries. I also like personal and in-person banking and have the business card of my favourite member of bank staff. He usually greets me with “Hello, trouble” so I think we get on fine. I don’t have any online banking facilities by choice nor contactless payments of any form.

My phones are also PAYG so congrats. I’m down about £10-20 maximum.

SpaceLifeForm September 13, 2021 6:55 PM

@ Echo

I don’t have any online banking facilities by choice nor contactless payments of any form.

Good answer.
