Is it safe without clicking the link? Be careful of the broken voice mailbox

        In Taiwan, LINE is not only a communication software, but also a digital life tool for everyone. Whether it's family contacts, friend gatherings, or daily payments, LINE groups of all sizes connect our daily lives, but they have also become the number one target in the eyes of fraud groups. The recent large-scale account theft incidents, which exploit loopholes in telecommunications mechanisms, have made it difficult for many alert users to prevent them. This issue of "Information Network" analyzes the paths of hacker intrusion and provides four principles for protecting accounts.

        Achilles tendon of digital identity: voicemail vulnerability

                The most well-known methods of account theft often stem from clicking on unknown phishing links or mistakenly believing in social engineering scams. However, the latest wave of attacks exploits vulnerabilities in the telecommunications industry's "voice mailbox" mechanism. Even if the user does not click on the link, attackers can still intercept the voice verification code (OTP, One Time Password) and directly take control of the account, causing the user's account to be forcibly logged out and valuable communication records to disappear. Therefore, the lack of the concept of 'Security by Default' will pose a serious threat to an individual's digital assets.

        Hacker's' Late Night Script ': Three Steps to Capture Accounts

        According to the observation of relevant security units, the hacker did not exploit complex program vulnerabilities, but accurately grasped the "backup path" of system verification. The script for this psychological battle is as follows:

        Step 1: Trigger Verification Shift: When a user logs into LINE on a new device, the system usually sends a text message verification code to confirm their identity. But if the SMS verification cannot be completed in a timely manner, the system will provide an option for "voice call verification".

        Step 2: Select Defense Window Period: Once voice verification is selected, the system will automatically make a phone call and have the verification code read out by the computer voice. Hackers specifically target individuals who are unable to answer phone calls, such as late at night, when their phones are turned off, or during long-distance flights. When a voice call is transferred to the telecommunications company's "voicemail" due to no one answering, the verification code will exist in the form of a voice message.

        Step 3: Use the preset password to seize power: Then, the hacker uses the "remote listening" function provided by the telecom provider. This was originally intended to allow users to listen to messages on other phones even when they don't have a mobile phone, but for the sake of convenience, telecom operators often set the voicemail password to "0000", "1234", or the last four digits of the phone. Hackers only need to enter the target door number and match it with a preset password to listen to the verification code in the message, and then take over the account, forcing the original user to log out.

        From technical vulnerabilities to defense strategies: the strength of cybersecurity depends on 'people'

        Careful disassembly of the above process reveals that hackers are not exploiting the system's defenses, but rather human negligence - due to excessive reliance on the security settings of communication equipment manufacturers and the pursuit of convenience, while neglecting security configurations. This reflects the core of investment security: the strongest firewall is not in expensive equipment, but in everyone's behavior.

        A new practice of sincerity, diligence, simplicity, and prudence in the digital age

        The founding spirit of Far Eastern Group, established by its founder, is "sincerity, diligence, simplicity, and prudence," providing the best protection guidance in today's digital age.

        Sincerity: Sincere communication to prevent the leakage of authentication codes

        When receiving requests from family and friends to borrow money, purchase or collect verification codes, one must confirm their identity through real voice or multiple channels, not blindly trust the message text, and adhere to the principle of "not sharing, not disclosing" verification codes. Remember that any legitimate login webpage will not require the input of a 'SMS authentication code', and seeing this requirement will determine it as fraud.

        Diligence: diligent in checking, not letting negligence become a loophole

        Information security defense is not a one-time fix, it requires diligent checking of various settings, including: regularly checking login device records in communication software, and immediately forcibly logging out if unknown devices are found; Be diligent in updating applications and operating systems to patch security vulnerabilities. When there is an abnormal prompt on the account, please notify the official immediately and take the initiative to handle it. In addition, being diligent in learning about new forms of fraud information is also crucial.

        Park ": Simplify complexity and turn off unnecessary functions

        Excluding unnecessary settings and services can effectively concentrate defense forces. Therefore, in response to the voice mailbox vulnerability, unnecessary automatic transfer functions can be disabled. If this function needs to be retained, a more complex 4 to 8-digit password should be used instead of the preset password. The following are the rapid self-protection settings of Taiwan's three major telecommunications companies:

        Far EasTone Telecommunication: Turn off this feature through the "Far EasTone Telecommunication Heart Life" app or official website; Or dial 222 directly on your phone and set a new password.

        ChungHwa Telecom: Simply dial # 002 # on your phone to cancel all transfer services with just one click, or you can set it through the official app.

        Taiwan Mobile Co., Ltd.: Directly dial 123 on your phone, then press 3 and select "Change Password"; Alternatively, you can use the official app or call customer service hotline 188 to request assistance in canceling this service.

        Caution: Carefully evaluate and implement the zero trust principle

        Deploy multiple validations in advance, without relying on a single line of defense. For example, complete the "two-step verification" setup (Settings>Account>Second stage authentication) and bind an Apple ID or Google account as a rescue account. In the face of "account suspension soon" or constantly pushing login requests (Multi Factor Authentication fatigue attack), it is necessary to remain calm. If unfortunately hacked, the telecom password should be changed first, and then the communication account should be processed to ensure that hackers cannot invade through the same path again.

        In the digital age, there are no outdated services, only forgotten protections. Only by implementing the spirit of "sincerity, diligence, simplicity, and prudence" in mobile phone settings can we strengthen the resilience of personal accounts and group communication protection. To safeguard digital security, start by disabling automatic voice mailbox forwarding.

        *Image source: freepik

        #