Is there anything you can do to prevent this? Does Verizon have an option to lock your account against SIM swapping attempts without heightened security procedures (OTP, etc?)
I think switching to Google Fi seems to be the best option we have right now with respect to any sim swap attacks. Fi doesn’t have physical stores and it’s associated with my Google account which I can secure using non SMS based 2FA options. Unfortunately Fi is also a liability in the sense that Google can kill my account any time.
Maybe you know something I don't, but switching to an entirely-virtual provider in response to a difficult-to-execute physical threat seems a bit misguided to me.
Google also has notoriously nonexistent customer service. It does not instill confidence that anyone should rely on them for something as critical as identity management. The threat of them fucking you over when you need their help far outweighs the threat of hackers and scammers.
(Virtual money was supposed to be more secure than physical coin. That experiment didn't work so well either.)
It doesn’t seem that difficult-to-execute if the attack is targeted. Google Fi is known to have pretty good customer service, unlike rest of the free Google products. Again, considering everything, I came to the conclusion that Fi is the best option for me right now. YMMV.
I think no tech support is the only real defense against SIM swap.. Then you need other redundancies that are equally impervious to social attack to be able to withstand a lock out from one of them. Actual security is a real pain, pretending you have it while having a tech support that can bypass it isn't nearly as painful and gives the same sense of security until it is tested.
I gave up trying to solve this at the mobile operator level, they don't care, they don't get fined/sued enough and legislators are too incompetent/slow to fix this.
I just never use any service that forces 2FA by SMS. If it not avoidable for some reason, I make this account completely isolated from the rest of my online identity (new email just for it, regularly change password).
If your bank/financial institution forces 2FA by SMS, it is time to change, most of the serious ones have their own app that handles 2FA. I'm yet to find one that allows to use your own OTP generators, so I'm usually forced to use their app for now.
If they used SMS to identify the customer, isn't it a form of authentification? Having the credit card/credit card info is the first factor and the second factor seems to only have been being able to receive the SMS to confirm it wasn't fraud.
I've experienced better banking apps which did use SMS at the initialization, but coupled it with other identifying factors (eg the phone IMEI or a code sent through postal services). If these app needed to be reinstalled the whole verification process would have to be redone.
App-based 2FA is offered for both checking and investment accounts at Fidelity, Schwab, and E-Trade. (The common factor is that these are all brokerages first, and banking providers second.) There may be others, but those are the ones I know of.
Use prepaid and don't associate your real name with your cellular account, which has a multitude of privacy benefits as well. Verizon will let you set a six-digit PIN which you can use instead. Also, stop using SMS-based MFA.
It seems that Verizon needs to better train their employees on ID verification. Drivers licenses have become quite a bit more complicated. Also, most mobile providers require a account password before accessing/changing anything on the account. Either the employee never bothered to confirm the password or the author never set one up.
1) HOW did the hackers get their mobile phone number once they had their card? Was it a dark web purchase based upon their name and address? A mailed CC should just have name and address, no email/phone number should be included in that physical mailing.
2) What are pros/cons of using a virtual phone number like Google Voice or Ooma for these type of financial services? Would that be an improvement? Though I know some do not support non-mobile carrier like GV.
A phone number is not hard to find online if the target individual has kept the same number for several years. There are dozens of so called people search sites setup by data brokers. You can start a search just based on a name and then narrow down by the address you have. Pay about $10-20 or less if doing bulk searches and most of these sites will reveal a lot of information about a person. I tried it on myself couple of years ago and it listed every phone number I had since college. (25 years ago). Including landlines. Not to mention names of close and extended family members, their names , ages, address etc.
What I'm curious about is how the scammer knew that the author was a Verizon subscriber and not a subscriber with ATT or T-Mobile or one of the dozen or so MVNOs.
While the author was glad to get the information they did from the store Psycho Bunny, it seems to me they also shared too much information with her. I doubt they rigorously verified her identity any more than the Verizon store employee who was scammed.
The initial problem was that her mail got stolen by the mail person. USPS Informed Delivery would have told showed her the letter that she should have gotten since it came to the processing center nearest her local post office.
Informed Delivery also shows you tax mail (like W2s) that get mailed and are commonly stolen with informed delivery you know when they are mailed to you.
>But there was one last twist to the mystery. Sue Brennan, a spokesperson for the Postal Service, explained that my credit card was scanned at the processing center nearest to my local post office. Which means that the thieves stole it in New York City on July 16 and took it all the way back to Ohio in time for its big day of spending at the mall on July 22.
>Two months after my hack, on September 29, federal prosecutors in New York announced that they had busted up a scheme that sounded familiar. Three postal workers were charged with stealing credit cards out of the mail and passing them on to five "shoppers," who used them to buy luxury clothes and bags at stores like Chanel and Hermès that they could resell online.
I get a dozen letters a day. I have USPS informed delivery - which my roommate also gets, and neither nof us had to prove our address. I don't look at it. A dozen pictures of junk letters aren't worth my time in this attention economy. I would never notice the missing letter.
> The fraud investigator had listened to the recording and had called me to check whether it was the same voice. While he wouldn't give much detail, he said it clearly wasn't me who had approved the purchase.
Well, if that was the key convincer to get the investigation moving, it's good job widespread voice impersonation isn't in the offing or anything.
> But when I spoke with higher-ups at Verizon, they explained that actually, their device-activation process had worked precisely the way it was supposed to.When two-factor authentication isn't possible — like when a phone has been lost, stolen, or destroyed — an ID card will suffice.
This sounds reasonable enough, except they never actually verified the phone was lost, stolen or destroyed.
But how could they do that? At first I was thinking they could send a text to the phone number, and if you respond within 7 days, they will assume it's not stolen. But the problem with that is if the phone was stolen, then they would be letting the thief continue to use it, which ends up almost like the opposite scam (stealing the phone itself).
I'm not sure there are any great solutions to this, unless you're okay with opting into an extra-security category where you really are screwed if you actually lose your phone.
You could nominate a number or bunch of numbers that you trust (possibly with the caveat of them having to be with the same carrier), any of which could validate a request for a new SIM. Valid events would likely be a rare occurrence and so unlikely to annoy your family and friends much, but might significantly increase the difficulty of SIM-swap attacks.
Or have a password that you set up for this circumstance. If you forget your password, your password reset information is mailed to your billing address.
My bank once had an "IRL password" like this, which I'd use when calling them. They silently dropped this feature after a few months. I'm guessing it results in negative ROI once you factor in the number of people who would opt-in despite routinely using password reset as their login method.
That password thing isn't as useful as I'd hoped. Mine is maybe 20 digits and I use it frequently when I'm calling my phone carrier for routine activities - they do check it.
For traveling overseas I needed a different SIM card and bought one at a local store (to be repaid by my carrier). The clerk at the store did not need my password because I showed him my valid identification. Password was useless in this case.
Not counting fake IDs that get past clerks, a few years ago Krebs On Security noted that the normal bribe at a phone kiosk was $85 to do the SIM swap illegally.
Even without a bribe, you still have to trust the minimum wage worker at the store. Motivated criminals or organized gangs could send people to apply to jobs at mobile providers. Come to think of it, that's probably already happening... spies too...
There's a big gap between the high trust and low salary that companies give their frontline employees. And despite (or because of) that gap, they're not motivated to do extensive background checks.
But the average employee at the Verizon kiosk in the local mall is arguably handling more sensitive data than an employee at the passport office in the State Department.
In this case the phone was presumably destroyed, so a reply would debunk it, a call would debunk it instantly by the fact of a connection to the phone. If it's stolen, the thief can be asked to confirm their identity in person.
2FA is hell. It was forced on people to control them, not to help them. There should be a law that would forbid banks and other companies to demand a phone number. But, unfortunately, things are upside down now. :(
The thing that impressed me the most from this story is how it didn't just end at paragraph one with the words "I called customer service but didn't manage to speak to a human".
37 comments
[ 0.91 ms ] story [ 87.1 ms ] threadGoogle also has notoriously nonexistent customer service. It does not instill confidence that anyone should rely on them for something as critical as identity management. The threat of them fucking you over when you need their help far outweighs the threat of hackers and scammers.
(Virtual money was supposed to be more secure than physical coin. That experiment didn't work so well either.)
Google Fi’s implementation of verification also seems more robust and secure: https://support.google.com/fi/answer/9834243?hl=en
I just never use any service that forces 2FA by SMS. If it not avoidable for some reason, I make this account completely isolated from the rest of my online identity (new email just for it, regularly change password).
If your bank/financial institution forces 2FA by SMS, it is time to change, most of the serious ones have their own app that handles 2FA. I'm yet to find one that allows to use your own OTP generators, so I'm usually forced to use their app for now.
They swapped the sim to get access to credit card fraud alerts, delivered via SMS.
I've experienced better banking apps which did use SMS at the initialization, but coupled it with other identifying factors (eg the phone IMEI or a code sent through postal services). If these app needed to be reinstalled the whole verification process would have to be redone.
1) HOW did the hackers get their mobile phone number once they had their card? Was it a dark web purchase based upon their name and address? A mailed CC should just have name and address, no email/phone number should be included in that physical mailing.
2) What are pros/cons of using a virtual phone number like Google Voice or Ooma for these type of financial services? Would that be an improvement? Though I know some do not support non-mobile carrier like GV.
What I'm curious about is how the scammer knew that the author was a Verizon subscriber and not a subscriber with ATT or T-Mobile or one of the dozen or so MVNOs.
https://www.usps.com/manage/informed-delivery.htm
The initial problem was that her mail got stolen by the mail person. USPS Informed Delivery would have told showed her the letter that she should have gotten since it came to the processing center nearest her local post office.
Informed Delivery also shows you tax mail (like W2s) that get mailed and are commonly stolen with informed delivery you know when they are mailed to you.
>But there was one last twist to the mystery. Sue Brennan, a spokesperson for the Postal Service, explained that my credit card was scanned at the processing center nearest to my local post office. Which means that the thieves stole it in New York City on July 16 and took it all the way back to Ohio in time for its big day of spending at the mall on July 22.
>Two months after my hack, on September 29, federal prosecutors in New York announced that they had busted up a scheme that sounded familiar. Three postal workers were charged with stealing credit cards out of the mail and passing them on to five "shoppers," who used them to buy luxury clothes and bags at stores like Chanel and Hermès that they could resell online.
Well, if that was the key convincer to get the investigation moving, it's good job widespread voice impersonation isn't in the offing or anything.
This sounds reasonable enough, except they never actually verified the phone was lost, stolen or destroyed.
But how could they do that? At first I was thinking they could send a text to the phone number, and if you respond within 7 days, they will assume it's not stolen. But the problem with that is if the phone was stolen, then they would be letting the thief continue to use it, which ends up almost like the opposite scam (stealing the phone itself).
I'm not sure there are any great solutions to this, unless you're okay with opting into an extra-security category where you really are screwed if you actually lose your phone.
For traveling overseas I needed a different SIM card and bought one at a local store (to be repaid by my carrier). The clerk at the store did not need my password because I showed him my valid identification. Password was useless in this case.
Not counting fake IDs that get past clerks, a few years ago Krebs On Security noted that the normal bribe at a phone kiosk was $85 to do the SIM swap illegally.
There's a big gap between the high trust and low salary that companies give their frontline employees. And despite (or because of) that gap, they're not motivated to do extensive background checks.
But the average employee at the Verizon kiosk in the local mall is arguably handling more sensitive data than an employee at the passport office in the State Department.