In November of 2016, T-Mobile violated the law and their own established procedures to protect customer privacy by allowing someone to access my account without my permission. By their own admission of guilt, the ability to make changes on my account was protected only by the last four digits of my social security number. This practice clearly violates the laws which the FCC should be enforcing to protect consumer privacy. Once the attacker was granted the ability to change the SIM card associated with my phone number, the attacker was able to steal my phone number. This would allow the attacker to send and receive calls and texts from a phone number associated with my Yahoo, Google, and other accounts. In doing so, the attacker could utilize account recovery as a backdoor to circumvent my password. Many people prior to and after my hack have been subject to this vulnerability, known as a SIM-swap attack. For more detailed information as to T-Mobile’s wrongdoing, please read my first article. A quick summary of how my account’s security was compromised can be seen by watching this video here.
The question for this blog post is “What role if any did Dropbox have in taking steps to prevent this type of attack?”
My Email to Dropbox’s Privacy Shield Department
From: Joshua Davis
To: “email@example.com” <firstname.lastname@example.org>
Sent: Friday, September 22, 2017 6:11 PM
Subject: Privacy shield violation for account
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. When transferring data from the European Union, the European Economic Area, and Switzerland, Dropbox relies upon a variety of legal mechanisms, including contracts with our users. Dropbox complies with the EU-U.S. and Swiss–U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the European Economic Area, and Switzerland to the United States. You can find Dropbox’s Privacy Shield certification here. You can also learn more about Privacy Shield at https://www.privacyshield.gov.
Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
As you can see from the attachment, Dropbox did not take “reasonable and appropriate measures to protect (my data) from … unauthorized access”.
This is because:
Dropbox tracks the IP addresses which access an account, as well as the OS type and browser type (https://www.dropbox.com/account/security). Since it logs this information, it should have been aware of suspicious activity on my account, and it should have frozen any downloading on my account immediately.
The attacker had used a social engineering attack to steal my phone number. This means that my phone number could not be used to authenticate me, nor could my email address, because the attacker had used my phone number to compromise my accounts, using account recovery to reset access to my email.
After this occurred:
1. The attacker resets my Dropbox password and immediately takes steps 2–4.
2. The attacker logs in from a country (Netherlands, IP 184.108.40.206) from which I had never previously accessed Dropbox.
3. The attacker doesn’t access Dropbox using the same OS type and browser type as me. I had never used that OS type or browser type previously.
4. I had accessed Dropbox using my normal IP and OS type / browser type less than 12 hours previously.
5. The attacker begins downloading all files in my account to a new device not previously associated with the account.
How could I have logically accessed my account a few hours earlier from the US and then a few hours later accessed my account from the Netherlands if I was not regularly using a VPN to access Dropbox? The attacker was accessing Dropbox from a new device / new OS / new browser I had not used previously. Why would I suddenly change my device, OS, and browser after changing my password?
A password change represents the potential for unauthorized access, but the other factors listed above (access from a previously unknown IP address, access from a previously unknown OS and a previously unknown browser) should have triggered a security red flag requiring the account to undergo further verification before any data could be downloaded.
Why did an attempt to download all of my files totaling nearly 80GB of data immediately after a password reset not trigger a red flag freezing downloads on this account for a 24 hour period?
This did not happen, thus Dropbox did not take “reasonable and appropriate measures to protect (my data) from … unauthorized access”. Access should have been cut until they could personally verify my identity by means other than my phone number or my email address.
I deleted my Dropbox because I felt that Dropbox had violated my privacy, but at that time I was not aware that Dropbox had violated their own ToS. Only recently was I made aware that in my case Dropbox had indeed violated their ToS.
I require that a full investigation of this matter be opened immediately.
Why I think Dropbox violated their terms of service
The following items are not an issue when taken individually:
- A user performs password recovery using a text message sent to their phone.
- A user attempts to download files from their account during a time of the day they normally never access Dropbox because they are sleeping.
- A user accesses their account from a device they had never used previously.
- A user accesses their account from an IP address identifying a device located in a state or country from which they had never attempted access previously.
- A user attempts to use an app or service to download all of their data.
When the following conditions, however, occur in the following order, there is a problem:
- Less than 24 hours elapse from the time a user was able to previously perform a successful authentication.
- The password is changed using an account recovery mechanism.
- Immediately a different device as identified by device ID / operating system / browser attempts to access the account.
- This device attempts access from an IP address which identifies a state or country from which the user never previously attempted access.
- This device attempts file transfers during a period of time where the user is normally asleep or inactive.
- This device attempts to download all of the user’s data.
What Dropbox should have done differently
Heightened alert triggered:
User performs account recovery, bypassing the user’s password.
Orange flag triggered:
This occurs during a time period when the user would normally never access these services because the user would normally be asleep during that time.
Orange flag triggered:
The device attempting access has a different OS / browser configuration than any the user had used previously.
In addition, the OS / browser configuration is different from that of the device the user successfully used in the past 12 hours to authenticate into their account.
Red flag triggered:
The device attempting access to the account has an IP address which is located in a state or country from which the user had never previously attempted access.
Red flag triggered:
The user attempts to add an app, method or device by which all of their files can be downloaded to a new device.
Red flag triggered:
The user attempts to remove previously authorized devices from the user’s account.
This is determined to NOT be normal user activity, and account access is frozen for a 24 hour period during which time the user is required to wait. This 24 hour window is sufficient time for a user to rectify a situation where a phone number or an email account has been hijacked. If no attempt is made to restore access to the user’s Dropbox account or revert a password change, then the user should be able to fill out an online form where they request that their account be unfrozen.
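The combined rule set above, written out as an added example of my own (not anything Dropbox runs): a small Python risk scorer that replays a constructed account timeline and freezes the account only when a recovery reset coincides with the red or orange signals listed, so that none of the signals on their own locks out a legitimate user. The flag names, the 00:00–05:59 sleep window, the freeze policy and the sample events are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
# ts: UTC time; country: resolved from client IP (assumed GeoIP); device: OS/browser
# fingerprint; action: "login", "recovery_reset", "bulk_download" or "unlink_device".
Event = namedtuple("Event", "ts country device action")
RECENT_AUTH = timedelta(hours=24)  # post: a successful auth less than 24h earlier
OFF_HOURS = range(0, 6)            # assumption: the owner is asleep 00:00-05:59 UTC

def risk_flags(history, event):
    """Flags from the post's rule list for one event, given the account's earlier events."""
    flags, logins = [], [e for e in history if e.action == "login"]
    recent_auth = any(event.ts - e.ts <= RECENT_AUTH for e in logins)
    recovered = event.action == "recovery_reset" or any(
        e.action == "recovery_reset" and event.ts - e.ts <= RECENT_AUTH for e in history)
    if recovered and recent_auth:
        flags.append("heightened:recovery_after_recent_auth")
    if event.ts.hour in OFF_HOURS:
        flags.append("orange:off_hours")
    if event.device not in {e.device for e in logins}:
        flags.append("orange:new_device")
    if event.country not in {e.country for e in logins}:
        flags.append("red:new_country")
    if event.action in ("bulk_download", "unlink_device"):
        flags.append("red:" + event.action)
    return flags

def should_freeze(flags):
    """Policy assumption: no single signal freezes; recovery plus a red, or plus two oranges, does."""
    if "heightened:recovery_after_recent_auth" not in flags:
        return False
    reds = sum(f.startswith("red:") for f in flags)
    return reds >= 1 or sum(f.startswith("orange:") for f in flags) >= 2

def evaluate(events):
    """Replay events in time order; return (event, flags) at the freeze point, else None."""
    history = []
    for ev in sorted(events, key=lambda e: e.ts):
        flags = risk_flags(history, ev)
        if should_freeze(flags):
            return ev, flags
        history.append(ev)
    return None

# Constructed timeline modelled on the post: owner logs in from the US at 14:00 UTC; 13 hours
# later a new device in the Netherlands resets the password and starts downloading.
T0 = datetime(2016, 11, 1, 14, 0)
OWNER = [Event(T0, "US", "Windows/Chrome", "login")]
ATTACK = OWNER + [Event(T0 + timedelta(hours=13), "NL", "Linux/Firefox", "recovery_reset"),
                  Event(T0 + timedelta(hours=13, minutes=1), "NL", "Linux/Firefox", "login"),
                  Event(T0 + timedelta(hours=13, minutes=5), "NL", "Linux/Firefox", "bulk_download")]
LEGIT = OWNER + [Event(T0 + timedelta(days=1, hours=1), "US", "Windows/Chrome", "login")]
```

Running `evaluate(ATTACK)` stops the timeline at the recovery reset, before the bulk download, while `evaluate(LEGIT)` returns None.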
Additionally, for those Dropbox customers such as myself who pay Dropbox for their services, all access should have been frozen until such time as the user’s identity could be verified through another method that was not tied to the user’s phone number. Perhaps requesting that the user engage in a Skype call where the user is able to hold up a picture of a passport or driver’s license, and a visual identification can be made comparing the face of the user to the face on the ID.
At the time I was paying Dropbox 10 dollars a month or something similar. For them to not offer me this type of protection is unacceptable and a violation of not only consumer trust but also of law.
What you should do
Take these matters seriously and stop providing your publicly known phone number to services such as Yahoo, Google, Dropbox and others. Realize that these companies do not take the responsibility to safeguard your personal data and your privacy seriously. Realize that these companies do not abide by the requirements to protect consumer privacy as they are obligated to do by law.
#SIM port hack #SIMPortHack