cross-posted from: https://midwest.social/post/9868784

SIM swappers have adapted their attacks to steal a target’s phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models.

  • Chozo
    link
    fedilink
    369 months ago

    This says that they’re able to hijack the phone numbers by scanning a QR code to configure an eSIM. But doesn’t the carrier need to authenticate device swaps like that in the first place? If the carriers allow SIM swaps without anything more than a line of text, then that’s a major account security issue that I have to imagine has already been accounted for when this tech and the policies for it were developed. I feel like there’s some very important details missing to this.

    • @[email protected]
      link
      fedilink
      English
      189 months ago

      From what I understand, the attackers steal your number by gaining access to your phone carrier account.

      They can gain access to your account either by finding your info in a data breach, or by phishing the account details from you.

      That’s why they say that you need to setup a strong password with 2FA for your phone carrier account to protect yourself from this kind of attack.

      • Chozo
        link
        fedilink
        139 months ago

        That makes more sense. In which case, yeah this is just basic account security 101 stuff. Certain accounts in life you need to treat with extra security, and until we can wean society off of insecure SMS authentication services, your phone account is one of those that needs extra care put into it.

      • @AA5B
        link
        English
        39 months ago

        I was going to say, I’ve never needed to talk to my phone provider with a new eSIM, i just need to login to the app and confirm. That makes it the obvious route for sim stealers

        Remember this, next time some says “I don’t need a good password. What are they going to do, pay my phone bill?”

    • @[email protected]
      link
      fedilink
      English
      139 months ago

      Before esim, a lot of sim swap attacks were done by bribing a rank-and-file support guy from the carrier to issue you a new sim. Nothing new here.

    • Slayer
      link
      fedilink
      English
      79 months ago

      Now, attackers breach a user’s mobile account with stolen, brute-forced, or leaked credentials and initiate porting the victim’s number to another device on their own.

      They can do this by generating a QR code through the hijacked mobile account that can be used to activate a new eSIM. They then scan it with their device, essentially hijacking the number.

      Simultaneously, the legitimate owner has their eSIM/SIM deactivated.

  • @atrielienz
    link
    English
    49 months ago

    I haven’t had this kind of problem but I’ve had Google Fi since it was project Fi around 2017. And had a yubikee on my Google account for just as long. Wonder if that’s why. I do remember back in the day losing an old Verizon flip phone and buying a new one in store. They didn’t properly disconnect my account from the old phone and someone was deleting messages before I could read them etc for a solid month before Verizon figured it out. But that was like 2001? Things have changed quite a lot.