[BEWARE] Sim Port Attack - page 2. | Bitcointalksearch.org

r1s2g3

sr. member

Activity: 742

Merit: 395

I am alive but in hibernation.

Quote from: Thirdspace on May 24, 2019, 06:19:51 PM

Quote from: r1s2g3 on May 24, 2019, 01:37:37 PM

I will like to reply all you guys that are saying it is identity breach or it major security flaw in provider service.
~
So anybody who has eavesdropped you can successfully do this attack without having any kind of your physical identity.

imo it's a security flaw in the the sim card replacement procedure,
a simple confirmation call from provider to old sim card should help mitigate this attack
if this can't be done, then it requires "a personal visit to store and proof of identity" like Lucius said

They should be, but they heavily rely on last 4 digit of SSN. If your last 4 digit of SSN become public a lot of attacks like (sim port), I guess can be successfully launched.

If by chance , if your all 10 digit of SSN are known, then somebody will able to take the bank loan on it. (Again no physical identity paper (SSN) required.

Ipwich

hero member

Activity: 1050

Merit: 529

Student Coin

Quote from: PrimeNumber7 on May 24, 2019, 03:06:14 AM

Quote from: Ipwich on May 24, 2019, 02:58:32 AM

I avoided downloading files online using my phone to prevent from getting hack, but hackers now are getting smarter.

This attack has nothing to do with malware or downloading software. It is a social engineering attack that tricks your cell phone carrier into transferring your service to another phone so the attacker can receive your text messages.

Yeah I understand, thanks for clarifying it.

So this is riskier than downloading files in the internet, this one, even if you are online, you can still be victim of hack.
As I have stated, what I only avoid is downloading files online but don't know it's still possible to get hack with the new way of hack shared by OP.

gentlemand

legendary

Activity: 2590

Merit: 3008

Welt Am Draht

No one should be putting any aspect of their online security in the hands of a phone company. Social engineering is a very, very powerful thing.

Think it over. You're placing your wealth or poverty in the hands of some bored shitless call centre worker on $10 an hour who barely registers what people say to them any more and wouldn't care if a million customers dropped dead tomorrow. Would you class that person as worthy of deciding the course of your entire future?

The tools are out there to completely shut this particular route to disaster down. Use them.

PrimeNumber7

copper member

Activity: 1624

Merit: 1899

Amazon Prime Member #7

Quote from: Thirdspace on May 25, 2019, 10:21:14 AM

Quote from: PrimeNumber7 on May 24, 2019, 11:03:02 PM

Quote from: Thirdspace on May 24, 2019, 06:19:51 PM

if this can't be done, then it requires "a personal visit to store and proof of identity" like Lucius said

Your solution is still flawed because it requires all employees of a carrier to not be corrupt, and to follow policy to the "t".

are we, in this thread, talking about sim port attack or a corrupt employee commits a crime?
internal review and investigation will reveal this employee as a perp or an accomplice or simply negligence

Quote from: PrimeNumber7 on May 24, 2019, 11:03:02 PM

A store employee can write down they checked ID, but checking a box in a computer does not guarantee this happened.

I'm not sure how it works in your country, but we have to sign paperwork to request for sim card replacement
if the employee also falsify this paperwork then he's commiting another crime... this no longer a simple sim port attack

Quote from: PrimeNumber7 on May 24, 2019, 03:06:14 AM

This attack has nothing to do with malware or downloading software. It is a social engineering attack that tricks your cell phone carrier into transferring your service to another phone so the attacker can receive your text messages.

you said it yourself, "it is a social engineering attack that tricks your cell phone carrier"
when you talk about corrupt employee and such, you strayed from the discussion about sim port attack

I would consider a corrupt employee one mode of completing a Sim Port attack. The end result is still the same, that is a third party can control a person's cell phone number and receive calls/texts to that number, that is not authorized to do so.

If a single employee helps with Sim Port attacks many times, the carrier's internal controls should detect this. If an employee, or a manager over a group of employees helps with a Sim Port attack a small number of times infrequently, it would be more difficult to detect.

Thirdspace

hero member

Activity: 1232

Merit: 738

Mixing reinvented for your privacy | chipmixer.com

Quote from: PrimeNumber7 on May 24, 2019, 11:03:02 PM

Quote from: Thirdspace on May 24, 2019, 06:19:51 PM

if this can't be done, then it requires "a personal visit to store and proof of identity" like Lucius said

Your solution is still flawed because it requires all employees of a carrier to not be corrupt, and to follow policy to the "t".

are we, in this thread, talking about sim port attack or a corrupt employee commits a crime?
internal review and investigation will reveal this employee as a perp or an accomplice or simply negligence

Quote from: PrimeNumber7 on May 24, 2019, 11:03:02 PM

A store employee can write down they checked ID, but checking a box in a computer does not guarantee this happened.

I'm not sure how it works in your country, but we have to sign paperwork to request for sim card replacement
if the employee also falsify this paperwork then he's commiting another crime... this no longer a simple sim port attack

Quote from: PrimeNumber7 on May 24, 2019, 03:06:14 AM

This attack has nothing to do with malware or downloading software. It is a social engineering attack that tricks your cell phone carrier into transferring your service to another phone so the attacker can receive your text messages.

you said it yourself, "it is a social engineering attack that tricks your cell phone carrier"
when you talk about corrupt employee and such, you strayed from the discussion about sim port attack

GreatArkansas

legendary

Activity: 2282

Merit: 1344

Buy/Sell crypto at BestChange

Quote from: r1s2g3 on May 24, 2019, 01:37:37 PM

(This is IMHO based on my experience though I never did simport but successfully closed phone numbers and started new number by just a phone call.)

Isn't that alarming or dangerous since you can do it by just a phone call.
However, its should be come first responsibility of the owner of phone number how they can protect their phone number or privacy, such their personal information.

PrimeNumber7

copper member

Activity: 1624

Merit: 1899

Amazon Prime Member #7

Quote from: Thirdspace on May 24, 2019, 06:19:51 PM

Quote from: r1s2g3 on May 24, 2019, 01:37:37 PM

I will like to reply all you guys that are saying it is identity breach or it major security flaw in provider service.
~
So anybody who has eavesdropped you can successfully do this attack without having any kind of your physical identity.

imo it's a security flaw in the the sim card replacement procedure,
a simple confirmation call from provider to old sim card should help mitigate this attack
if this can't be done, then it requires "a personal visit to store and proof of identity" like Lucius said

Your solution is still flawed because it requires all employees of a carrier to not be corrupt, and to follow policy to the "t".

A store employee can write down they checked ID, but checking a box in a computer does not guarantee this happened. This would also create many negative experiences for customers who do not live near their phone carrier's store locations.

TheHas

full member

Activity: 616

Merit: 167

This is a major security issue, and I'm sorry to hear you lost so much that must be devastating.

In my country you hear of phone companies saying that a phone number was never meant to be used as a security checking device, and so they are of the view that while they have (basic) security procedures in place, they are not responsible if taking your phone number results in a breach of your broader accounts attached to your phone. They will take responsibility for costs incurred relating to the phone specifically (like making a bunch of overseas calls) but not something like coins, emails or other personal information attached to your account.

I hope there is some recourse for you through the phone companies or maybe even insurance.

Thirdspace

hero member

Activity: 1232

Merit: 738

Mixing reinvented for your privacy | chipmixer.com

Quote from: r1s2g3 on May 24, 2019, 01:37:37 PM

I will like to reply all you guys that are saying it is identity breach or it major security flaw in provider service.
~
So anybody who has eavesdropped you can successfully do this attack without having any kind of your physical identity.

imo it's a security flaw in the the sim card replacement procedure,
a simple confirmation call from provider to old sim card should help mitigate this attack
if this can't be done, then it requires "a personal visit to store and proof of identity" like Lucius said

r1s2g3

sr. member

Activity: 742

Merit: 395

I am alive but in hibernation.

I will like to reply all you guys that are saying it is identity breach or it major security flaw in provider service.

Let me explain you how the provider services generally work in USA.

In USA every individual have Social Security Number (SSN) it is 10 digit number and confidentiality of this number need to be maintained.
In some case where you were asked of SSN, then it is the last 4 digit of SSN (instead of full 10).

So phone providers in US verify you by asking your name, DOB and last 4 digit of SSN. If you made this call in public, somebody can easily eavesdrop this data. By your name and DOB it will be very easy to find the phone number.

So anybody who has eavesdropped you can successfully do this attack without having any kind of your physical identity.

(This is IMHO based on my experience though I never did simport but successfully closed phone numbers and started new number by just a phone call.)

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

If somebody can commit such an attack only via phone call then this is a major security breach of the provider. Such a thing should not be possible, because today is not so difficult to get some data about someone, and then over the phone steal the identity of that person. Only proper way for such actions is personal visit to store and proof of identity there. This also can be abused if attacker is have your fake ID, but I think it's still too much risk for them to walk in store and to be captured on security cameras.

Bottom line in this story is that users should avoid to use mobile numbers / SIM for extra security of crypto related accounts, this proved to be very ineffective and in some cases resulted in huge financial losses.

DdmrDdmr

legendary

Activity: 2310

Merit: 10758

There are lies, damned lies and statistics. MTwain

Last month I came across a similar case (see California Jails Student for 10 Years for $7.5 Million SIM-Swap Bitcoin Hack). The events took place in 2018 (mostly during the Concencus event), and involve at least 40 victims, many high-tech crypto profiles, but the court sentence came through recently. And this was in the US …

GreatArkansas

legendary

Activity: 2282

Merit: 1344

Buy/Sell crypto at BestChange

Quote from: whotookmycrypto on May 24, 2019, 12:25:17 AM

Also, we wrote an article for Binance that does touch on some other ways to protect yourself (https://www.binance.vision/security/common-scams-on-mobile-devices)

Oh, it's really helpful that we should never disclose to anyone our personal information which is prone to use to impersonate you.

Quote from: jseverson on May 24, 2019, 01:25:31 AM

Additionally, there have been instances where hackers have people on the inside of the telecommunications company helping them pull off the attack.

This thing is really dangerous which it is the first thought comes to my mind about this sim porting which can be done with "inside job" attack for every carrier network company.

Quote from: mk4 on May 24, 2019, 12:27:34 AM

Heck, I'm not even comfortable in leaving $200 on an exchange.

Same here, Since I am a trader, I even withdraw my funds in exchange when I about to go for a long vacation or out of town trip.

Quote from: PrimeNumber7 on May 24, 2019, 02:46:46 AM

You should not use SMS text messages as a 2FA to access your exchange accounts.
~snip
Google authenticator is far superior in terms of 2FA.

Google authenticator > SMS authenticator. But there are some website that doesn't support google authenticator, that's the bad thing about that.

PrimeNumber7

copper member

Activity: 1624

Merit: 1899

Amazon Prime Member #7

Quote from: Ipwich on May 24, 2019, 02:58:32 AM

I avoided downloading files online using my phone to prevent from getting hack, but hackers now are getting smarter.

This attack has nothing to do with malware or downloading software. It is a social engineering attack that tricks your cell phone carrier into transferring your service to another phone so the attacker can receive your text messages.

Ipwich

hero member

Activity: 1050

Merit: 529

Student Coin

It's the most advance way of hack that I read, very new to me and I don't even think it's possible.
I avoided downloading files online using my phone to prevent from getting hack, but hackers now are getting smarter.

Thank you for giving such good information, really appreciate it, try to change some plans.

PrimeNumber7

copper member

Activity: 1624

Merit: 1899

Amazon Prime Member #7

You should not use SMS text messages as a 2FA to access your exchange accounts. Even if you do not keep any money on an exchange, if someone successfully takes over your cell phone number, and can learn your password, or access your email account, they can drain your linked bank account, or max out your credit card associated with/linked to your Coinbase/exchange account.

Google authenticator is far superior in terms of 2FA. In laymens terms, it uses a private key plus the current time to calculate a code good for a limited time. As long as your physical device is kept secure, and malware free, an attacker will be unable to obtain the private key to calculate the 2FA codes.

joniboini

legendary

Activity: 2170

Merit: 1789

Quote from: GreatArkansas on May 24, 2019, 12:07:06 AM

1. Is there any carrier provider that allowed you to change your sim card or port to another device via phone call only?

In my country, there is none AFAIK. You need to go to their local center, bring your ID and related materials that can proof you're the owner of that number before you can port a new sim. But this doesn't mean there is no risk.

I guess the only possible way to hack this is if a hacker found a way to edit and replicate the national ID of the target. In short, you should protect your private information as strong as you could, don't ever leak any info online, and never expose to others that you own cryptocurrency.

jseverson

hero member

Activity: 1834

Merit: 759

Quote from: GreatArkansas on May 24, 2019, 12:07:06 AM

1. Is there any carrier provider that allowed you to change your sim card or port to another device via phone call only?

It's possible, but this method typically requires you to share private information to verify the caller's identity. If you've been sloppy with your privacy, gotten phished, etc., you could be vulnerable to this. Additionally, there have been instances where hackers have people on the inside of the telecommunications company helping them pull off the attack.

So yeah, you should not be relying on SMS authentication to protect significant amounts (I mean, it's still better than no other protection at all), regardless of carrier.

mk4

legendary

Activity: 2716

Merit: 3817

Paldo.io 🤖

For the number of hacks that have occurred over the years in the cryptocurrency space, it baffles me how much people still like to leave their funds on exchanges and custodial wallets; and take note that we're talking about $100,000 in this case. Heck, I'm not even comfortable in leaving $200 on an exchange.

whotookmycrypto

full member

Activity: 168

Merit: 214

WhoTookMyCrypto.com

Quote from: GreatArkansas on May 24, 2019, 12:07:06 AM

I have some questions:

1. Is there any carrier provider that allowed you to change your sim card or port to another device via phone call only?
2. If this case happens, can we blame our carrier provider on this or take some legal actions?
and what more tips or advice you can give to avoid this kind of attack.

Not sure about 1.

On 2, yes there have been cases where this has been successful. Example: https://www.coindesk.com/crypto-investor-awarded-over-75-million-in-sim-swapping-hack-case

Quote from: GreatArkansas on May 24, 2019, 12:07:06 AM

Tips to avoid this
> Avoid storing your coins or funds for long term in a centralized exchange.
> Avoid using centralized cryptocurrency wallet.
> User hardware wallet or cold wallet.

Also, we wrote an article for Binance that does touch on some other ways to protect yourself (https://www.binance.vision/security/common-scams-on-mobile-devices)

Quote

> Do not use your mobile phone number for SMS 2FA. Instead, use apps like Google Authenticator or Authy to secure your accounts. Cybercriminals are unable to gain access to these apps even if they possess your phone number. Alternatively, you may use hardware 2FA such as YubiKey or Google's Titan Security Key.
> Do not reveal personal identifying information on social media, such as your mobile phone number. Cybercriminals can pick up such information and use them to impersonate you elsewhere.
> You should never announce on social media that you own cryptocurrencies as this would make you a target. Or if you are in a position where everyone already knows you own them, then avoid disclosing personal information including the exchanges or wallets you use.
> Make arrangements with your mobile phone providers to protect your account. This could mean attaching a pin or password to your account and dictating that only users with knowledge of the pin can make changes to the account. Alternatively, you can require such changes to be made in person and disallow them over the phone.

Topic: [BEWARE] Sim Port Attack - page 2. (Read 817 times)