cross-posted from: https://midwest.social/post/9868784

SIM swappers have adapted their attacks to steal a target’s phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models.

  • Chozo@fedia.io
    8 months ago

    This says that they’re able to hijack the phone numbers by scanning a QR code to configure an eSIM. But doesn’t the carrier need to authenticate device swaps like that in the first place? If the carriers allow SIM swaps without anything more than a line of text, then that’s a major account security issue that I have to imagine has already been accounted for when this tech and the policies for it were developed. I feel like there are some very important details missing from this.

    • Slayer@infosec.pub
      8 months ago

      Now, attackers breach a user’s mobile account with stolen, brute-forced, or leaked credentials and initiate porting the victim’s number to another device on their own.

      They can do this by generating a QR code through the hijacked mobile account that can be used to activate a new eSIM. They then scan it with their device, essentially hijacking the number.

      Simultaneously, the legitimate owner has their eSIM/SIM deactivated.

    • waratchess@lemm.ee
      8 months ago

      From what I understand, the attackers steal your number by gaining access to your phone carrier account.

      They can gain access to your account either by finding your info in a data breach, or by phishing the account details from you.

      That’s why they say that you need to set up a strong password with 2FA for your phone carrier account to protect yourself from this kind of attack.

      • AA5B@lemmy.world
        8 months ago

        I was going to say, I’ve never needed to talk to my phone provider with a new eSIM, I just need to log in to the app and confirm. That makes it the obvious route for SIM stealers.

        Remember this, next time someone says “I don’t need a good password. What are they going to do, pay my phone bill?”
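
The sequence described in this thread (a login to the carrier account, followed by an eSIM activation QR code generated from it) is something account monitoring can watch for. The following is an added example, not part of the original thread or any carrier's code; the event names, fields, and 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window; tune to real data

# Constructed sample events; event types and field names are hypothetical.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "acct": "A1", "type": "login", "device": "d-home", "mfa": True},
    {"ts": "2024-03-10T02:14:00", "acct": "A1", "type": "login", "device": "d-new", "mfa": False},
    {"ts": "2024-03-10T02:17:00", "acct": "A1", "type": "esim_qr_generated", "device": "d-new"},
    {"ts": "2024-03-02T10:00:00", "acct": "B2", "type": "login", "device": "d-b", "mfa": True},
    {"ts": "2024-03-12T18:00:00", "acct": "B2", "type": "login", "device": "d-b", "mfa": True},
    {"ts": "2024-03-12T18:05:00", "acct": "B2", "type": "esim_qr_generated", "device": "d-b"},
]


def flag_esim_swaps(events, window=WINDOW):
    """Return {account: [reasons]} for eSIM QR requests that follow a risky login."""
    known = {}       # account -> devices seen in earlier logins
    last_login = {}  # account -> (time, mfa_used, device_was_new)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        acct = ev["acct"]
        if ev["type"] == "login":
            seen = known.setdefault(acct, set())
            # The first login on record is the baseline, not an anomaly.
            is_new = bool(seen) and ev["device"] not in seen
            seen.add(ev["device"])
            last_login[acct] = (t, ev["mfa"], is_new)
        elif ev["type"] == "esim_qr_generated":
            login = last_login.get(acct)
            if login is None or t - login[0] > window:
                continue  # no recent login to correlate with
            reasons = []
            if login[2]:
                reasons.append("new device")
            if not login[1]:
                reasons.append("no MFA")
            if reasons:
                alerts.setdefault(acct, []).extend(reasons)
    return alerts


if __name__ == "__main__":
    for acct, reasons in flag_esim_swaps(EVENTS).items():
        print(f"review eSIM activation on {acct}: {', '.join(reasons)}")
```

An account owner moving to a new phone produces the same sequence, so a hit is best used to trigger a hold and an out-of-band confirmation rather than an automatic block.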