Tag Archive for: SIM

Tech security expert warns about SIM card scam on T-Mobile customers


It’s Deja Vu for some T-Mobile customers. In August, hackers exposed 50 million customers’ data.

Now there is another issue. The bad guys are finding a way to swap your SIM cards.

How scammers take control of your phone number

Cyber risk expert David Derigiotis with Burns & Wilcox explained how it works.

“Your phone essentially goes dead and the attacker ports out your number to their device and now they start receiving all of your calls, all of your text messages,” Derigiotis said.

The bad guys take control.  Then they call your phone company and tell them they want to switch your information to a new phone.

“The other is, good old-fashioned social engineering,” he said. “They called, they trick the individual, pretend that they are you. And they’re asking to port out that number, and they’re able to simply do that by deceiving and tricking, which is social engineering, taking advantage of that human element.”

Dangers of SIM card swapping

Here’s the real danger. Many of us have authentication for other programs on our computers tied to our phones. So, think about it. You try to get into a program on your laptop, and it pushes an authentication message to the cellphone the crooks now have in their control.

“If you’re using the text message as a second form of authentication for logging into an account whether it be a banking, email, whatever it may be,” Derigiotis said. “They got access to that second authentication mechanism. That’s what happened to a number of individuals.”

How to protect yourself from T-Mobile scam

So, the best advice: double down on safety around your cell.

“What everyone should do is stop using their cell phone number, stop using that text as a second form of authentication,” he said. “Because we see right here, this is the real weak spot, and breaking through that, and being able to get into an online account.

“I think it’s more important to use some type of app-based authentication, they have different forms out…


Sixth Member of International Hacking Community Sentenced in SIM Card Scheme


A U.S. court sentenced a member of an international hacking organization to 10 months in prison along with heavy fines in connection with a multimillion-dollar hacking scheme.

The perpetrator, Garrett Endicott, 22, of Warrensburg, Mo., pleaded guilty to cyber crimes affiliated with a large-scale SIM hijacking plot, acting U.S. Attorney Saima Mohsin confirmed on Tuesday. Endicott is the sixth and final defendant to be tried in connection with an international hacking group known as The Community.

Members of The Community are known to engage in SIM hijacking or SIM swapping, which is an identity theft technique rooted in exploiting cell phone numbers. The group’s objective is to steal cryptocurrency from victims nationwide, with incidents spanning California, Missouri, Michigan, Utah, Texas, New York and Illinois.

SIM hijacking is usually carried out by bribing an employee of a cell phone provider to gain access to certain phone numbers. In other instances, members of the group contacted a cellular service provider pretending to be a victim, and requested that a phone number registered to another user be switched to a separate SIM card, effectively stealing the number and cell phone account.

From here, the hackers can access sensitive personal information, such as email addresses and financial information. Cryptocurrency exchange account information is of particular interest to hackers within The Community. By having access to the victims’ cell phone numbers, The Community could get past stronger security measures such as two-factor authentication.

In total, law enforcement officials estimate the value of the cryptocurrency stolen by the sentenced defendants at over $9 million.

“The actions of these defendants resulted in the loss of millions of dollars to the victims, some of whom lost their entire retirement savings,” Mohsin said.  “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it.”

Endicott was ordered to pay $121,549.37 in restitution fees. 

Other defendants convicted in association with The Community’s SIM hijacking schemes were based in Florida, South Carolina,…


FCC Proposal Targets SIM Swapping, Port-Out Fraud – Krebs on Security


The U.S. Federal Communications Commission (FCC) is asking for feedback on new proposed rules to crack down on SIM swapping and number port-out fraud, increasingly prevalent scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identity.

In a long-overdue notice issued Sept. 30, the FCC said it plans to move quickly on requiring the mobile companies to adopt more secure methods of authenticating customers before redirecting their phone number to a new device or carrier.

“We have received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud,” the FCC wrote. “Because of the serious harms associated with SIM swap fraud, we believe that a speedy implementation is appropriate.”

The FCC said the proposal was in response to a flood of complaints to the agency and the U.S. Federal Trade Commission (FTC) about fraudulent SIM swapping and number port-out fraud. SIM swapping happens when the fraudsters trick or bribe an employee at a mobile phone store into transferring control of a target’s phone number to a device they control.

From there, the attackers can reset the password for almost any online account tied to that mobile number, because most online services still allow people to reset their passwords simply by clicking a link sent via SMS to the phone number on file.

Scammers commit number port-out fraud by posing as the target and requesting that their number be transferred to a different mobile provider (and to a device the attackers control).

The FCC said the carriers have traditionally sought to address both forms of phone number fraud by requiring static data about the customer that is no longer secret and has been exposed in a variety of places already — such as date of birth and Social Security number. By way of example, the commission pointed to the recent breach at T-Mobile that exposed this data on 40 million current, past and prospective customers.

What’s more, victims of SIM swapping and number port-out fraud are often the last to know about their victimization. The FCC…


SIM Swapping Is a Growing Cyber Threat — Here’s Help


A CNBC story last week led with this headline: “Coinbase slammed for what users say is terrible customer service after hackers drain their accounts.”

Here’s an excerpt: “For Tanja Vidovic, it was a moment of panic: She had received a series of alerts about someone changing access to her cryptocurrency account. And she realized, as she stared at her computer screen, that nearly all of her $168,000 in holdings was gone — vanished before her eyes. …

“In a response to his frantic email, Coinbase told Ben his computer had been hacked and there wasn’t anything the company could do. …


“Experts say SIM swapping, where fraudsters seize control of a victim’s phone number and SIM card through their phone company, is to blame for many of the cryptocurrency thefts.”


Another recent example comes from Forbes, which highlighted an FBI bitcoin and cryptocurrency alert:

“The FBI advised financial and crypto companies to check the origin of emails and keep an eye on recently created accounts while those buying bitcoin and cryptocurrencies were encouraged to use multi-factor authentication — meaning they must have access to at least two devices or accounts linked to the platform—avoid download requests, remote access applications and any unofficial company communication channels.”

One more headline, from earlier this year, read “Europe SIM swapping: 10 arrested in Europe over €82.4m scam to hijack celebrities’ phones”: “European police have arrested 10 people for allegedly hijacking mobile phones belonging to high-profile celebrities in the United States. …

“Europol said that “sim swapping” can be done either by fooling the phone company with “social engineering techniques” or by using a “corrupt insider.”

WHAT IS SIM SWAPPING?

I often get asked questions about growing cyber threats and how to keep online accounts safe — including cryptocurrencies. One area that has been getting a lot more attention is SIM-swapping fraud.

A SIM-swapping attack is also known as SIM splitting, SIMjacking, SIM hijacking and port-out…
