Tag Archive for: Swapping

FCC Proposal Targets SIM Swapping, Port-Out Fraud – Krebs on Security


The U.S. Federal Communications Commission (FCC) is asking for feedback on new proposed rules to crack down on SIM swapping and number port-out fraud, increasingly prevalent scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identity.

In a long-overdue notice issued Sept. 30, the FCC said it plans to move quickly on requiring the mobile companies to adopt more secure methods of authenticating customers before redirecting their phone number to a new device or carrier.

“We have received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud,” the FCC wrote. “Because of the serious harms associated with SIM swap fraud, we believe that a speedy implementation is appropriate.”

The FCC said the proposal was in response to a flood of complaints to the agency and the U.S. Federal Trade Commission (FTC) about fraudulent SIM swapping and number port-out fraud. SIM swapping happens when the fraudsters trick or bribe an employee at a mobile phone store into transferring control of a target’s phone number to a device they control.

From there, the attackers can reset the password for almost any online account tied to that mobile number, because most online services still allow people to reset their passwords simply by clicking a link sent via SMS to the phone number on file.

Scammers commit number port-out fraud by posing as the target and requesting that their number be transferred to a different mobile provider (and to a device the attackers control).

The FCC said the carriers have traditionally sought to address both forms of phone number fraud by requiring static data about the customer that is no longer secret and has been exposed in a variety of places already — such as date of birth and Social Security number. By way of example, the commission pointed to the recent breach at T-Mobile that exposed this data on 40 million current, past and prospective customers.

What’s more, victims of SIM swapping and number port-out fraud are often the last to know about their victimization. The FCC…


SIM Swapping Is a Growing Cyber Threat — Here’s Help


A CNBC story last week led with this headline: “Coinbase slammed for what users say is terrible customer service after hackers drain their accounts.”

Here’s an excerpt: “For Tanja Vidovic, it was a moment of panic: She had received a series of alerts about someone changing access to her cryptocurrency account. And she realized, as she stared at her computer screen, that nearly all of her $168,000 in holdings was gone — vanished before her eyes. …

“In a response to his frantic email, Coinbase told Ben his computer had been hacked and there wasn’t anything the company could do. …


“Experts say SIM swapping, where fraudsters seize control of a victim’s phone number and SIM card through their phone company, is to blame for many of the cryptocurrency thefts.”


Another recent example comes from Forbes, which highlighted an FBI bitcoin and cryptocurrency alert:

“The FBI advised financial and crypto companies to check the origin of emails and keep an eye on recently created accounts while those buying bitcoin and cryptocurrencies were encouraged to use multi-factor authentication — meaning they must have access to at least two devices or accounts linked to the platform—avoid download requests, remote access applications and any unofficial company communication channels.”

One more headline, from earlier this year, read “Europe SIM swapping: 10 arrested in Europe over €82.4m scam to hijack celebrities’ phones”: “European police have arrested 10 people for allegedly hijacking mobile phones belonging to high-profile celebrities in the United States. …

“Europol said that ‘sim swapping’ can be done either by fooling the phone company with ‘social engineering techniques’ or by using a ‘corrupt insider.’”

WHAT IS SIM SWAPPING?

I often get asked questions about growing cyber threats and how to keep online accounts safe — including cryptocurrencies. One area that has been getting a lot more attention is SIM-swapping fraud.

A SIM-swapping attack is also known as SIM splitting, SIMjacking, SIM hijacking and port-out…


T-Mobile discloses data breach after SIM swapping attacks


American telecommunications provider T-Mobile has disclosed a data breach after an unknown number of customers were apparently affected by SIM swap attacks.

SIM swap fraud (or SIM hijacking) allows scammers to take control of targets’ phone numbers by porting them to a SIM the fraudsters control, either through social engineering or by bribing mobile operator employees.

Subsequently, they receive the victims’ messages and calls, which allows them to easily bypass SMS-based multi-factor authentication (MFA), steal user credentials, and take over the victims’ online service accounts.

The criminals can then log into the victims’ bank accounts to steal money, change account passwords, and even lock the victims out of their own accounts.

The FBI shared guidance on how to defend against SIM swapping following an increase in the number of SIM hijacking attacks targeting cryptocurrency adopters and investors.

Undisclosed number of SIM swap attacks

In a data breach notice sent to impacted customers on February 9, 2021, and filed with the offices of US attorneys general, T-Mobile revealed that an unknown attacker gained access to customers’ account information, including personal info and personal identification numbers (PINs).

Although the attackers were able to port numbers, it is not clear whether they did so through a compromised employee account or through the compromised customer accounts themselves.

A T-Mobile spokesperson was not available for comment when contacted by BleepingComputer earlier today.

“[A]n unknown actor gained access to certain account information. It appears the actor may then have used this information to port your line to a different carrier without your authorization,” T-Mobile said.

“T-Mobile identified this activity—terminated the unauthorized access, and implemented measures to protect against reoccurrence.”

The information accessed by the hackers might have included customers’ full names, addresses, email addresses, account numbers, Social Security numbers (SSNs), account personal identification numbers (PINs), account security questions and answers, dates of birth, plan information, and the number of lines subscribed to their accounts.

“T-Mobile…


Two Charged in SIM Swapping, Vishing Scams — Krebs on Security


Two young men from the eastern United States have been hit with identity theft and conspiracy charges for allegedly stealing bitcoin and social media accounts by tricking employees at wireless phone companies into giving away credentials needed to remotely access and modify customer account information.

Prosecutors say Jordan K. Milleson, 21, of Timonium, Md., and 19-year-old Kingston, Pa. resident Kyell A. Bryan hijacked social media and bitcoin accounts using a mix of voice phishing or “vishing” attacks and “SIM swapping,” a form of fraud that involves bribing or tricking employees at mobile phone companies.

Investigators allege the duo set up phishing websites that mimicked legitimate employee portals belonging to wireless providers, and then emailed and/or called employees at these providers in a bid to trick them into logging in at these fake portals.

According to the indictment (PDF), Milleson and Bryan used their phished access to wireless company employee tools to reassign the subscriber identity module (SIM) tied to a target’s mobile device. A SIM card is a small, removable smart chip in mobile phones that links the device to the customer’s phone number, and their purloined access to employee tools meant they could reassign any customer’s phone number to a SIM card in a mobile device they controlled.

That allowed them to seize control over a target’s incoming phone calls and text messages, which were used to reset the password for email, social media and cryptocurrency accounts tied to those numbers.

Interestingly, the conspiracy appears to have unraveled over a business dispute between the two men. Prosecutors say on June 26, 2019, “Bryan called the Baltimore County Police Department and falsely reported that he, purporting to be a resident of the Milleson family residence, had shot his father at the residence.”

“During the call, Bryan, posing as the purported shooter, threatened to shoot himself and to shoot at police officers if they attempted to confront him,” reads a statement from the U.S. Attorney’s Office for the District of Maryland. “The call was a ‘swatting’ attack, a criminal harassment tactic in which a person…
