cross-posted from: https://midwest.social/post/9868784
SIM swappers have adapted their attacks to steal a target’s phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models.
This says that they’re able to hijack the phone numbers by scanning a QR code to configure an eSIM. But doesn’t the carrier need to authenticate device swaps like that in the first place? If the carriers allow SIM swaps without anything more than a line of text, then that’s a major account security issue that I have to imagine has already been accounted for when this tech and the policies for it were developed. I feel like there are some very important details missing from this.
Now, attackers breach a user’s mobile account with stolen, brute-forced, or leaked credentials and initiate porting the victim’s number to another device on their own.
They can do this by generating a QR code through the hijacked mobile account that can be used to activate a new eSIM. They then scan it with their device, essentially hijacking the number.
Simultaneously, the legitimate owner has their eSIM/SIM deactivated.
From what I understand, the attackers steal your number by gaining access to your phone carrier account.
They can gain access to your account either by finding your info in a data breach, or by phishing the account details from you.
That’s why they say that you need to set up a strong password with 2FA for your phone carrier account to protect yourself from this kind of attack.
I was going to say, I’ve never needed to talk to my phone provider with a new eSIM, I just need to log in to the app and confirm. That makes it the obvious route for SIM stealers.
Remember this, next time someone says “I don’t need a good password. What are they going to do, pay my phone bill?”