Okey to Monitor Me!
We recently learned of a company offering a free service to consumers to safeguard them from a serious problem that we had no idea was possible. Most consumers are already aware that the service launched in 1988 known as “Caller ID” is no longer trustworthy. Sadly, it hasn’t been for years now. Criminals around the world, as well as legitimate businesses, can spoof their phone calls to look like anyone from anywhere. For example, organized cybercriminals frequently spoof Amazon’s customer service number and call consumers to trick them in a variety of fraudulent ways that can cost a lot of money. Now imagine how dangerous it could be if cybercriminals were able to redirect data such as SMS messages meant for your phone to their phones, or send texts to others that look like your phone is the source. This is very possible, says Christopher Brown, Co-Founder and CEO of Analog Cat House, the “think tank” research group that OkeyMonitor.com was born out of. Doug from TDS recently had the pleasure to speak with Chris, his Chief Information Officer (who goes by the name Lucky225) and Shane Pizzutello, the Senior Director at Okey Monitor.
Way back in 2002, Lucky225 demo’ed caller ID spoofing at the Hope Conference (H2K2). This got more attention again in 2004 at a Security Focus conference. In 2015, Chris started thinking about the fact that Caller ID could no longer be trusted and neither could the billing number behind that caller ID. He thought there had to be a better solution to protect consumers from fraud delivered through their phones. But, it turns out, there wasn’t. It is easy, Chris and his team say, to have your SMS messages rerouted to other phones you don’t own through secondary routing services. Chris said “these other services implicitly trust that you own that phone number when you are the reseller enabling that SMS route. No one actually verifies that you have authentication for that actual line. The existing frameworks for SMS messaging were implemented initially in an extremely reckless and short minded way that misses the components needed to keep your device a known trusted device.” Chris also said that if he knew the telephone number for the United States White House, for example, he could have that phone number manipulated so that the SMS messages are rerouted through these other services, resulting in siphoning information such as SMS messages to him. Shane shared with me an anonymously taken photo of a Motorola TalkAbout Pager showing a text message with a phone number that was registered to the White House (yes, “the” White House) during George W. Bush’s Presidency. The device shows a text message captured on it that says “Hack the Planet – Grand Central Station.” This phrase is a reference to the 1995 movie called Hackers. We are not able to verify if this device had, indeed, captured a text that was meant for the White House or was sending a text pretending to be from the White House, but it certainly illustrated Chris’ point. And, he added, if he wanted to he could send messages that come from the White House phone number.
(Not “spoofing” the White House number, but indeed taking it for his own use because the services that send those SMS messages had been changed.)
To their credit, Chris did say that these routing service resellers are beginning to understand how easily they can be manipulated and are starting to set up safeguards to prevent this manipulation, but not fast enough to this team’s satisfaction! But this, says Lucky225, is exactly what Okey Monitor is doing! Their service will verify and identify suspicious changes made to your SMS routing. As an example, he recently pulled such a stunt on a well-known Cyber Security businessman who said “show me if you can take my numbers.” And Chris did just that. With some relatively easy manipulation, to hear Chris tell us, texts meant for this businessman were suddenly rerouted to Chris’ phone in less than 30 minutes. The Okey Monitor service also showed the businessman that his SMS messages had been rerouted. As a result, Okey Monitor is now monitoring this businessman’s phone numbers!
Chris and his team emphasized how severely this can be abused. (He also said that this subterfuge is currently easier to perpetrate against a landline than a smartphone.) Imagine, he said multiple times, if a criminal could steal the phone number of a bank, business, Senator, or police department and impersonate the legitimate owner of that phone? And not by spoofing it, but by stealing the use of that phone number’s SMS routes while leaving the victim’s normal voice and iMessage services unaffected! Imagine if texts, such as 2-factor authentication (2-FA) codes, were rerouted to cybercriminals? We found these ideas frightening. We have often called an individual’s email address the “keys” to their digital kingdom. Second in that security line of defense is your phone number! Testimony to this security feature should be evident to anyone who has received a 2-FA security code sent to their phone! Another simple example is a Gmail account. Google, upon request, will send a verification code to your phone to allow you to recover access if you can’t remember your password.
Without revealing the exact details of HOW this SMS theft is done, Chris told us that it is possible to steal someone’s phone number with as few as 2 clicks, resulting in rerouted texts. This actually happened to Chris himself some years ago when his phone number was accidentally reassigned to someone else. Suddenly his texts stopped coming to him and were instead sent to another person’s phone identified as his phone number. He says that everyone is at risk for this type of intentional fraud if the fraudsters were clever enough to know how to do it. Our experience over the last six-plus years at The Daily Scam is that there are many very clever scammers in the world and we see new and more clever scams develop and evolve year after year.
So what is OkeyMonitor.com and how can they help? Chris, Shane and Lucky225, joined by Nate, Blake and Kevin to round out the Team, have created a tool that will monitor any changes made to the routing of your phone data, such as porting that data through a new carrier or service, or changes to the registration of your phone number. They can even monitor changes made to the settings of your phone service with phone carriers. Should a change occur, Okey Monitor will notify you immediately, and provide you with a phone number to call to notify your carrier of unauthorized changes. You can also enter a secondary endpoint to receive notifications of these changes, such as the phone number of a spouse, sibling or friend. Chris emphasized that the current telecom services don’t monitor changes made to SMS routing as much as they should. Okey Monitor will also soon be able to give corporate users the convenience of sending SMS messages through other channels such as iMessage, Telegram and Keybase apps. The AI tools at Okey Monitor build a profile of each corporate user and monitor that profile. If that profile changes in any unauthorized way, the SMS data is not rerouted and the user is notified of the attempted change, giving them the opportunity to identify if that change was legitimate or not and how to contact the service responsible for that change. Additionally, the end user can elect to have One Time Passcodes delivered over iMessage instead of relying on SMS.
Chris says “Step 1 was disclosure and allowing the general population to have a view and monitor their own lines without any cost to them and without any use of their data.” There is no charge for the personal phone monitoring. Okey Monitor hopes to make money from offering 2-FA in a new, unique and much more secure way to corporate businesses, without sacrificing the user experience. Imagine how interested banks and other financial institutions will be to use this service once they see how much more secure it is than current 2-FA.
We were curious why our phone providers were not offering protective services like these. I logged into my Verizon service and looked at the Privacy/Security settings of my account and was surprised to find a feature I had never seen before. Verizon was offering consumers a feature they called “Number Lock” designed to “protect your number from an unauthorized transfer.” Just two months ago this feature was not present! Clearly, the team at Okey Monitor was spot on! Verizon was now quietly acknowledging that such a threat was possible. But why wouldn’t they automatically turn this on for all consumers and then notify them of the new security feature protecting them? I recommend that everyone visit their phone service account and look through their privacy/security settings to see what is now available. Increase the security for your phone numbers!
The Okey Monitor team first launched their service in beta format on February 13 and had more than 4000 people sign up that first day! I asked the team how many alerts they had received between that opening date and our interview on April 1st. They said sixteen, keeping in mind that not all alerts were malicious. They might have been caused by accidental account changes or simply because someone failed to pay their bill and their phone number was taken away and reassigned to someone else.
Perhaps most remarkable of all to us at The Daily Scam is not that such digital cyber heists are possible, or that the team at Analog Cat House (the Parent Company) has figured out a way to monitor them and notify those affected with the information needed to contact their phone carrier to correct it. All of this is, after all, the cat and mouse nature of technology use and misuse. What struck us most remarkably was when Doug asked this group of very smart guys how much they were likely to charge consumers for this product after the beta tests were done. Chris immediately and vehemently said “nothing, it will always be free to end users!” He continued saying that he wants this tool to be free for consumers because it’s the right thing to do. He said “you can’t disclose something like this and then expect the average consumer to pay to protect themselves.” The team added that they have figured out ways to partner with corporations that will pay for this service. Chris went on to say that the culture in our society treats ordinary consumers badly, even recklessly. As he said this, I couldn’t help but make the comparison to Mark Zuckerberg and Facebook’s model for earning money by monetizing people’s personal data. To Facebook, people ARE the product to be used and sold to advertisers. I’ve heard countless stories of how people have had their Facebook accounts seriously abused but find it impossible to get any help from Facebook to rectify the problems. (On April 8, WCVB Channel 5 published a story about this problem.) It was refreshing to hear Chris say that they value the public they serve.
Finally, I asked Chris why the public should trust his service with their phone numbers to monitor. His response was priceless! He said “We live in a world that appears to be so broken and unfair, but that doesn’t mean it’s okay for us not to be fair. When a person has a love in their heart to create something better, they will. I mean, life is a chance. It’s a gift. There will be people who let us down. But what’s the alternative; not to trust anyone? That’s not a life worth the candle. That’s why finding the empathy in others is so important to me. Without it there’s no potential for anything great to happen.
“Why should the public trust us? Why should the public trust anyone? I don’t think trust is something you can do or command. It’s like … love. It just is. If anyone in public doesn’t trust us, I understand and respect that. I just ask that person to observe, ask questions, have a mind to seek understanding if they really do care. I want everything we do to represent something good. In the end, we want to work on things that stand on their own. We want to solve all the things ™️ while we are here.”
Given the growing Internet/Smartphone fraud, misuse of personal data and increasing reliance on technology, we strongly recommend that people use Okey Monitor to keep an eye on their phones, even if Number Lock is offered by your carrier!