Physical threats to mobile phones, SIM hijacking, out of band SMS, and Yubikeys
Episode Synopsis
Part 1 of a two-part series on threats to mobile devices and through mobile devices, with tactics and techniques to deal with those threats.
Cohost: Tom Dean – Consulting Ventures
Tom has decades in the capital goods manufacturing industry (Fortune 500 scale)
Years of experience in marketing, sales & interfacing with independent dealers/distributors (small/medium scale)
Current focus is strategy & risk management consulting
Lifelong learner with an interest in technology
Strategy + risk management ---> mobile devices
Personal travel:
Laptops have given way to mobile devices (phones and tablets)
Risk was more contained with laptops; the impact of losing a mobile phone is much higher. Much of the analysis turns on one question: was the passcode revealed?
Biometrics are convenient but quite dangerous.
On a mobile device a biometric is only a proxy for the numeric passcode, so anything unlocked by Face ID or Touch ID is only as safe as that passcode.
Physical compromise (device plus passcode in an attacker's hands) is a 5-alarm fire.
Physical loss without compromise is not that big an issue as long as authenticators are backed up.
Must have erase after 10 bad passcode attempts. Do not display notifications on the lock screen.
Avoid banking apps.
The first things the baddies go after are Venmo, Apple Pay and cash apps.
Out of band SMS for MFA
SIM swapping risk, whether a physical SIM or an eSIM embedded in the phone
Put a PIN on your physical SIM.
MySudo (VoIP numbers) – you can clone that instance to other phones.
Password manager on phone
Disaster if the manager unlocks with your biometric. Use a different or secondary PIN, or a Yubikey.
A password manager helps you recover.
Segmentation strategies
Whoever holds the phone can read all the email on it and change passwords, since password reset is typically done via email.
Screen Time on Apple can be helpful, but it has weaknesses. The only way to really lock down the device is an MDM, and you still need to worry about MFA and account takeovers.
Need an out of band mechanism to receive alerts and to remotely wipe (kill) the device.
Microsoft Authenticator and Google Authenticator do not have an app PIN separate from the device unlock.
Authy is free and has its own separate PIN.
A Yubikey is great but assumes you can control physical access to it. Do not keep it on your keychain.
Diversification strategy, backed by an inventory of which authenticators are enrolled where.
MDM
Kill apps remotely
Apple Configurator – small scale
Apple Business Manager
Jamf – requires an Apple Business Manager account
Inexpensive "Jamf Now" for small businesses: minimum is one device, the first 3 are free, still affordable beyond that.
Don't let anyone change the account on the device.
You have to figure out a lot on your own, and block the URLs you don't want accessed.
Apple devices need to be in supervised mode, so it matters how you buy them.
Intune (corporate-scale MDM)
Risk examples
loss of device (resiliency e.g. MFA)
theft of device involving passcode surrender (loss mitigation)
SIM swap (e.g. via cellular store employees)
SIM card theft (removal of SIM card from phone)
Risk reduction / resiliency
OS decision (iOS vs. Android)
Note that one is not better than the other
Risk reduction is all about an individual's ability to manage the risks of the platform they select
MDM (remote data wipe): small-scale co (Apple Configurator or JamfNow) vs. corporate MDM
MFA backup/diversification (SMS via cell or VoIP providers vs. TOTP vs. passkey/Yubikey etc.)
App selection (OS-based or Independent)
App protection ('independent' app PIN vs. Face/Touch ID)
'Attack surface' – minimize exposure (e.g. banking apps, cash apps, Find My Friends etc.)
Resources
https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claim
https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/amp/