The SIM Hijackers (vice.com) 50
Lorenzo Franceschi-Bicchierai of Motherboard has a chilling story on how hackers flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victims' weakness? Phone numbers. He writes:
First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering -- perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years) -- the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card. Game over.
Re: Chilling? (Score:1)
Bill Paxton strongly disagrees.
I mean, did you SEE those things out there?!?!
The drop ship is complete wreckage. This is just great.
And how can they cut the fucking power, the power, on a nuclear terraforming plant?!
Game over man, game over.
Yubikey (Score:2)
I wonder how long until these "hackers" figure out how to call a company and steal my Yubikey authentication credentials...
Re: (Score:2)
Not sure if you're trolling or what, but perhaps you have no idea how yubikey works.
https://www.yubico.com/solutio... [yubico.com]
Re: Yubikey (Score:1)
Everyone should call their carrier and put a security notice on their account that in order to change a SIM the user needs to appear in person at a retail store with photo ID. It's not foolproof but it's a big step forward.
2FA (Score:5, Interesting)
Re: (Score:2)
When the owner calls to pay or update an account, they ask for your password and some personal details.
It's a shame that all you need to switch service providers is a few personal details.
Turn authentication up to 3 (Score:2)
A call on a POTS? Use the mail and a mailbox to secure another way of communications?
Re: (Score:1)
We need a physical visit to the operator's store and a government provided ID card to do things like the submission describes. YOU WILL TOO!!!
Not new (Score:5, Informative)
I work in the crypto asset space and these types of attacks have been going on for years now. If your 2FA is based on SMS or a call-back, you're doing it very wrong.
For those interested in doing 2FA correctly, buy a yubikey (USB-C if your phone supports) and couple that with Yubico authenticator which is 100% compatible with Google Authenticator. The major difference is that none of your 2FA codes appear until you plug your yubikey into your phone and nothing sensitive is stored on the phone itself. This way, the attacker would physically need your yubikey to authenticate as you - problem solved.
Is this a joke? (Score:2)
Social Security Number or home address are public. (Score:1)
No need for any "hack" since the information is already available for free to anyone asking for it.
Solution (Score:4, Interesting)
If the victim has an email address associated with the mobile phone account (almost everyone does), the phone service should send a code to the email address and ask the "customer" to read it out when they receive it.
No code, no phone redirect. We'll stick a new SIM card in the post to put in your new phone.
Technical checks (Score:1)
Why don't carriers check basic stuff like whether the SIM is still active on the network in the same mobile device it has always been before doing the swap?
Re: (Score:2)
Because it wouldn't make much difference? There can be plenty of legitimate reasons why you want to transfer the SIM despite the SIM actually being active on the network already.
Like say, you losing your phone and thus wanting to transfer your service to a new phone (and new SIM card).
Given the hacker already can transfer the SIM which requires knowing thi
hackers flip seized instagram handles? (Score:2)
Talk about a word salad. Interior crocodile alligator, I drive a Chevrolet movie theater.