SIM Swap Attacks are a Thing? Man Loses Life Savings.

Mai72

That is some scary stuff. The hacker convinced AT&T reps that he needed a new SIM card. Got the card, and essentially got hold of the man's bank account. Took about $1M.


How to protect yourself. It seems that SMS verification and two-factor authentication are not so good. This guy has some good tips.

 

Captante

SMS = Not secure. This is not new information.

Thus if that's what you rely on for 2FA I have some bad news.

Authenticator apps are far from perfect but still a big improvement.
 

dasherHampton

I would NEVER use my phone or regular PC/Mac to do ANYTHING financial. I cringe when I see people do that.

I have an iMac that is the only computer I use to access my brokerage accounts. I use it for nothing else. All of my accounts have an iOS-generated password that is only on that iMac (I write it down just in case, of course).
 

Captante

> I would NEVER use my phone or regular PC/Mac to do ANYTHING financial. I cringe when I see people do that.
>
> I have an iMac that is the only computer I use to access my brokerage accounts. I use it for nothing else. All of my accounts have an iOS-generated password that is only on that iMac (I write it down just in case, of course).


I have a second checking account not attached to anything else that I do check on my phone.

Just as importantly (if not more) I don't do anything sketchy with my primary phone, keep installed crap to a bare minimum and disable everything I can't remove that I don't use frequently.
 

MrSquished

The only bank account I use on my phone is a checking account I never have too much in. It's attached to multiple things like Venmo and Google Play, but there is never too much in there. That gets transferred in from the PC.
 

Captante

> The only bank account I use on my phone is a checking account I never have too much in. It's attached to multiple things like Venmo and Google Play, but there is never too much in there. That gets transferred in from the PC.


Forgot ... mine is actually also my PayPal checking. I have a PP Mastercard to get cash directly from not-my-bank ATMs.

Been a LONG time since I used PayPal!
 

ch33zw1z

AT&T has a passcode you can enable that must be provided to make changes to the account. Not sure if this guy had it.
 

Red Squirrel

It boggles my mind that the telcos don't have better security for this. SMS is actually a very good idea in principle because it's already an established standard and does not rely on needing a proprietary app for every single site, and if your phone dies and you get a new one it will still work.

But the fact that telcos allow for SIM swapping so easily makes it insecure. But here's the part I don't understand: to use two-factor auth don't you still need the person's password? How are these people getting hacked so easily?
 

skyking

How does that work if you have complex usernames and passwords?
There is nothing in my emails that gives a hacker a leg up on that info.
My banking usernames are essentially another password.
 

CZroe

> It boggles my mind that the telcos don't have better security for this. SMS is actually a very good idea in principle because it's already an established standard and does not rely on needing a proprietary app for every single site, and if your phone dies and you get a new one it will still work.
>
> But the fact that telcos allow for SIM swapping so easily makes it insecure. But here's the part I don't understand: to use two-factor auth don't you still need the person's password? How are these people getting hacked so easily?
Maybe they are using the phone number for verification when resetting the password.
 

VirtualLarry

This is why I'm annoyed that Nicehash has recently (after their DNS got hacked) started to say that 2FA (using the Google Authenticator app on Android) is no longer "optional" but "mandatory" to enable withdrawals of BTC from their platform. It's just another layer to get screwed up if someone hacks your phone or Google acct., and I personally want as little as possible to do with Google. This essentially makes you required to use Google's ecosystem if you want to use Nicehash, and have a cell phone as well as a PC for mining on. Pure BS.

Edit: After Nicehash got hacked the first time, a few years back, those of us still using it, made it a point not to have or leave any significant portion of BTC on their server wallet at any time, should they be hacked again. And if some hacker got my password on my local PC somehow, I would just change it through password-recovery. It's not like they could steal much from me, anyways.
 

Red Squirrel

> This is why I'm annoyed that Nicehash has recently (after their DNS got hacked) started to say that 2FA (using the Google Authenticator app on Android) is no longer "optional" but "mandatory" to enable withdrawals of BTC from their platform. It's just another layer to get screwed up if someone hacks your phone or Google acct., and I personally want as little as possible to do with Google. This essentially makes you required to use Google's ecosystem if you want to use Nicehash, and have a cell phone as well as a PC for mining on. Pure BS.
>
> Edit: After Nicehash got hacked the first time, a few years back, those of us still using it made it a point not to have or leave any significant portion of BTC on their server wallet at any time, should they be hacked again. And if some hacker got my password on my local PC somehow, I would just change it through password-recovery. It's not like they could steal much from me, anyways.


I hate the current state of two factor auth in general because of this, you're basically forced to use whatever app/system they use and rely on a 3rd party, and there's not really any standard. They really should come up with some kind of standard that is independent of a 3rd party company. I also don't like the fact that if something happens to your phone you're basically screwed. I've been told that you can save the QR code so you can re-enter it later into a new phone, but you have to know to do that at the time you set it up.

IMO they need to come up with some form of standard, something that works offline, ideally. Kinda like RSA tokens, but it could be a soft token. There could then be various apps, on phones and on PCs that use the same standard, so you're not tied to one specific one or a 3rd party server.

I think FIDO would do that, but most sites don't use that and just use their own thing.
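The offline, vendor-independent soft token described in the post above already exists as a standard: TOTP (RFC 6238), built on HOTP (RFC 4226), which is what Google Authenticator, Authy and the other apps implement, so the secret is portable between any of them. The following is an added example written for this thread, not code from the thread or from any product mentioned in it. It uses only the Python standard library and shows the algorithm end to end: HMAC-based code generation, drift-tolerant verification, and the otpauth:// provisioning URI that the enrolment QR code encodes, which is exactly the thing you can save at setup time and re-enter on a replacement phone. The account name and issuer strings are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    Nothing here needs a network or a vendor server; both sides just need the secret and a clock."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    compare_digest keeps the comparison constant-time so timing cannot leak matching digits."""
    counter = at_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def new_secret() -> bytes:
    """A fresh 160-bit seed, the size RFC 4226 recommends for HMAC-SHA1."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI the enrolment QR code carries. Saving this (or the base32 secret
    inside it) is the backup that lets a new phone produce the same codes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


def secret_from_uri(uri: str) -> bytes:
    """Re-enrol a replacement device from the saved URI: pull the base32 secret back out."""
    query = uri.split("?", 1)[1]
    params = dict(kv.split("=", 1) for kv in query.split("&"))
    b32 = params["secret"]
    b32 += "=" * (-len(b32) % 8)                 # restore any padding stripped for display
    return base64.b32decode(b32)


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); at time 59 it yields 287082.
    rfc_secret = b"12345678901234567890"
    print("code at t=59:", totp(rfc_secret, 59))
    # Two "devices" enrolled from the same saved QR payload agree on every code.
    phone_a = new_secret()
    uri = provisioning_uri(phone_a, "alice@example.com", "ExampleBank")   # placeholder names
    phone_b = secret_from_uri(uri)
    print("same codes after re-enrolment:", totp(phone_a, 1_700_000_000) == totp(phone_b, 1_700_000_000))
```

The RFC 6238 test vector (that secret at time 59, SHA1, 6 digits) is 287082, which the code reproduces; any site that offers "enter the key manually" next to its QR code is showing you the same base32 secret, and that string is the only thing worth backing up.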
 

ch33zw1z

If someone hacks your Google account, then you have little security involved. You can lock that thing down hard.

Unfortunately, telcos have to cater to the lowest security-minded individuals, and that's how things like SIM swapping happen. Make security too "hard" and people shy away; make it too lax and problems like this happen.

I mentioned it earlier, AT&T has a "passcode" option; it's an 8-digit number that is required to make any changes to the account.
 

ch33zw1z

> I hate the current state of two factor auth in general because of this, you're basically forced to use whatever app/system they use and rely on a 3rd party, and there's not really any standard. They really should come up with some kind of standard that is independent of a 3rd party company. I also don't like the fact that if something happens to your phone you're basically screwed. I've been told that you can save the QR code so you can re-enter it later into a new phone, but you have to know to do that at the time you set it up.
>
> IMO they need to come up with some form of standard, something that works offline, ideally. Kinda like RSA tokens, but it could be a soft token. There could then be various apps, on phones and on PCs that use the same standard, so you're not tied to one specific one or a 3rd party server.
>
> I think FIDO would do that, but most sites don't use that and just use their own thing.

Check out Authy for 2FA. I have Authy running on my phone and my PC, synced. If my phone implodes, I can reinstall it later and recover Authy back onto it. The passcodes to unlock Authy are safely stored in a password manager; all of them are 20+ characters, randomly generated.

Also, you're not totally screwed. You just have to keep track of your recovery methods for each website. The big players typically generate a one-time passcode list; save it and upload it as a text file to the password manager.

Edit: there are security tokens you can buy. Google makes one called Titan. USB for PCs, BT for the phone.

IMO, more sites, especially telcos, need to add support for 2FA software. Both AT&T and Comcast don't have it.
 
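The recovery-code point in the post above is worth making concrete: the one-time passcode list a site hands you is an independent way back in that survives a lost phone, and the reason it is safe for the site to offer is that the server stores only a hash of each code and burns the code on first use. This is an added example written for this thread, not code from the thread, from Authy, or from any site mentioned; it shows the server side in Python with only the standard library: generating codes from an unambiguous alphabet, storing salted PBKDF2 hashes rather than the codes themselves, constant-time matching, and single-use redemption. The class name and the PBKDF2 round count are arbitrary choices for the example.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I), so a code copied by hand survives.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

# Work factor chosen for the example only; a real deployment would tune this to its hardware.
PBKDF2_ROUNDS = 20_000


def generate_recovery_codes(count: int = 10, groups: int = 2, group_len: int = 5) -> list[str]:
    """Return `count` random codes shaped like 'k7mpq-x3wbd' (roughly 49 bits each with this alphabet).
    This plaintext list exists only once, at generation time, for the user to file away."""
    def one_code() -> str:
        return "-".join(
            "".join(secrets.choice(ALPHABET) for _ in range(group_len))
            for _ in range(groups)
        )
    return [one_code() for _ in range(count)]


def normalize(code: str) -> str:
    """Tolerate the ways users retype codes: case, spaces, missing or extra hyphens."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_code(code: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked database does not hand an attacker the codes."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """Server-side record for one user: a salt plus the hashes of codes not yet used."""

    def __init__(self, codes: list[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]

    def redeem(self, code: str) -> bool:
        """Consume a code: True exactly once, False ever after, and False for anything unknown."""
        candidate = hash_code(code, self.salt)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, candidate):
                del self.unused[i]          # single use: the hash is gone the moment it matches
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("give these to the user once:", codes)
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "replay:", store.redeem(codes[0]))
    print("remaining:", store.remaining())
```

When the user comes back without a phone, the login flow accepts password plus one of these codes in place of the TOTP digits; a low `remaining()` count is the cue to regenerate the list, and nothing in the store can be turned back into a usable code.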

DigDog

I'm dumb, but I don't see a reason for alarm here; the very first line of text, "convinces AT&T rep", pretty much explains that they will have liability, after a court battle, obviously. Guy's gonna get back his money and more.
 

CZroe

> I'm dumb, but I don't see a reason for alarm here; the very first line of text, "convinces AT&T rep", pretty much explains that they will have liability, after a court battle, obviously. Guy's gonna get back his money and more.
"Two-factor" means they would not likely be considered fully responsible since they didn't compromise the other half of your security measures.
 

DigDog

I dunno, I think that's what the SIM was needed for. As someone who works with DPA every day, I can totally see how an agent could have been fooled.
 

KB

How do you just log into someone's bank account and just take the money? My bank has no online transfer feature. Second, if you could transfer the money you would likely have to transfer it to another bank, which would have the criminal's name on the account. The bank could also reverse any ACH transactions, so this must have been something different.
 

ponyo

> How do you just log into someone's bank account and just take the money? My bank has no online transfer feature. Second, if you could transfer the money you would likely have to transfer it to another bank, which would have the criminal's name on the account. The bank could also reverse any ACH transactions, so this must have been something different.
ACH is reversible. Wire transfer is not.
 

ponyo

I'm not going to watch the video because it's a Mai72-linked video. But I do worry what would happen if I happened to lose my phone while I was overseas. I don't think I can log into one of my brokerage accounts on my laptop without my phone.