Well, not quite an attack… But I did go into my mobile carrier and ask to upgrade my SIM. The helpful clerk asked for my phone number, switched my account to the new SIM and just handed it to me. It was just that easy. No ID needed. No account PIN. Just the phone number. They never even looked at my old SIM. I had all of that stuff ready to show, but didn’t need any o fit.
I suppose I’m shocked, but not that shocked. I’ve heard of people doing SIM swap attacks, but I thought crooks needed to use clever subterfuge to pull it off absent an inside person at a cell company. Nope. Just ask for a new SIM for a phone number and at least some places that’s it.
So, even more so, I’d say any company that only offers SMS 2FA is negligent.
It allows you to have the legit phone number, intercept calls and SMS and take control of sms 2FA protected apps since you now have the confirmation codes as they’re generated.
Yes, primarily it allows you text messaging and phone calls, allowing you to get any SMS authentication codes sent to the phone. And, with some sloppy companies apparently including Instagram, you can get the password reset sent to the phone number, not just to the account email (not sure if Instagram has fixed that yet).
A full SIM swap is a crude attack because the victim will eventually notice that their phone service is interrupted. More sophisticated attacks allow interception of the SMS message in parallel to the victim’s phone rather than instead of. Brian Krebs noted that T-Mobile (and, I imagine, other carriers) fails to sent out a notice of the swap to the old SIM address, so users won’t get any alert notices about the changout. Only the new SIM, which doesn’t need one, gets an alert.
It’s a full takeover of the number(unlike a SIM clone; which may still be a thing, don’t really move in those circles; but isn’t one the Telco will assist you with): you become the recipient of all traffic to that number(and can use it outgoing if you wish) and the target loses service(which can be a minus, in that they notice; but can also keep them conveniently excommunicado while you finish cleaning out their accounts.)
It should be treated as a matter of some gravity; but in practice you usually only get jerked around if you try to port numbers between companies, since the one receiving the poet request is usually petulant about a customer leaving the feedlot.
Oh I see - a clone would just copy all of that access but not stop the original phone from getting messages too. But a swap would interrupt the original phone’s access. I’ve watched You so I know exactly how this could be used…
