Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security Social Networks

The SIM Hijackers (vice.com) 50

Lorenzo Franceschi-Bicchierai of Motherboard has a chilling story on how hackers flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victim's weakness? Phone numbers. He writes: First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering -- perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years) -- the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card. Game over.
This discussion has been archived. No new comments can be posted.

The SIM Hijackers

Comments Filter:
  • I wonder how long until these "hackers" figure out how to call a company and steal my Yubikey authentication credentials...

    • Not sure if you're trolling or what, but perhaps you have no idea how yubikey works.

      https://www.yubico.com/solutio... [yubico.com]

    • by Luthair ( 847766 )
      Hi customer service, I lost my 2 factor device can you remove it from my account. k thx bye.
      • by Anonymous Coward

        Everyone should call their carrier and put a security notice on their account that in order to change a SIM the user needs to appear in person at a retail store with photo ID. It's not foolproof but it's a big step forward.

  • 2FA (Score:5, Interesting)

    by JaredOfEuropa ( 526365 ) on Wednesday July 18, 2018 @01:30AM (#56966580) Journal
    Meanwhile, many banks here are dropping actual 2FA based on the chips in our bank cards, and replacing it with security codes sent by SMS. Great idea. What really surprises me in this story is that T-mobile sent a warning to their customers instead of changing their procedures, and no longer perform sim swaps for any Tom Dick & Harry identifying themselves with a (semi public) SS number.
    • by dohzer ( 867770 )

      When the owner calls to pay or update an account, they ask for your password and some personal details.
      It's a shame that all you need to switch service providers is a few personal details.

  • Are we going to need another step?
    A call on a POTS? Use the mail and a mailbox to secure another way of communications?
    • by Anonymous Coward

      We need a physical visit to the operator's store and a government provided ID card to do things like the submission describes. YOU WILL TOO!!!

  • Not new (Score:5, Informative)

    by golgotha007 ( 62687 ) on Wednesday July 18, 2018 @01:33AM (#56966592)

    I work in the crypto asset space and these types of attacks have been going on for years now. If your 2FA is based on SMS or a call-back, you're doing it very wrong.

    For those interested in doing 2FA correctly, buy a yubikey (USB-C if your phone supports) and couple that with Yubico authenticator which is 100% compatible with Google Authenticator. The major difference is that none of your 2FA codes appear until you plug your yubikey into your phone and nothing sensitive is stored on the phone itself. This way, the attacker would physically need your yubikey to authenticate as you - problem solved.

  • Or are there still companies out there using SSN for authentication.
  • No need for any "hack" since the information is already available for free to anyone asking for it.

  • Solution (Score:4, Interesting)

    by Rik Sweeney ( 471717 ) on Wednesday July 18, 2018 @04:47AM (#56966970) Homepage

    If the victim has an email address associated with the mobile phone account (almost everyone does), the phone service should send a code to the email address and ask the "customer" to read it out when they receive it.

    No code, no phone redirect. We'll stick a new SIM card in the post to put in your new phone.

  • by Anonymous Coward

    Why don't carriers check basic stuff like whether the SIM is still active on the network in the same mobile device it has always been before doing the swap?

    • by tlhIngan ( 30335 )

      Why don't carriers check basic stuff like whether the SIM is still active on the network in the same mobile device it has always been before doing the swap?

      Because it wouldn't make much difference? There can be plenty of legitimate reasons why you want to transfer the SIM despite the SIM actually being active on the network already.

      Like say, you losing your phone and thus wanting to transfer your service to a new phone (and new SIM card).

      Given the hacker already can transfer the SIM which quires knowing thi

  • Talk about a word salad. Interior crocodile alligator, I drive a Chevrolet movie theater.

Some people claim that the UNIX learning curve is steep, but at least you only have to climb it once.

Working...