Search results
Oct 19, 2022 · Verizon has notified some prepaid customers that their accounts were compromised and their phone numbers potentially hijacked by crooks via SIM swaps. We're told that fraudsters somehow got hold of the last four digits of those people's credit card numbers – perhaps by exploiting some part of Verizon's online services – and used that ...
- Jessica Lyons Hardcastle
SIM swapping, sometimes called a SIM hijacking attack, occurs when the device tied to a customer’s phone number is fraudulently manipulated. Fraudsters usually employ SIM swapping as a way to receive one-time security codes from banks, cryptocurrency exchanges, and other financial institutions.
Jul 10, 2020 · Verizon now makes it possible for customers to defend against SIM swapping attacks by enabling the free Number Lock protection feature through the My Verizon app or the My Verizon website.
Jun 14, 2023 · SIM swapping happens when scammers contact your mobile phone’s carrier and trick them into activating a SIM card that the fraudsters have. Once this occurs, the scammers have control over your phone number. Anyone calling or texting this number will contact the scammers’ device, not your smartphone.
- Your Phone Company is a Weak Link
- With Your Phone Number, It's All Over
- Other Reset Procedures
- The Best Tech Newsletter Around
Related: Secure Yourself by Using Two-Step Verification on These 16 Web Services
The two-step authentication systems on many websites work by sending a message to your phone via SMS when someone tries to log in. Even if you use a dedicated app on your phone to generate codes, there's a good chance your service of choice offers to let people log in by sending an SMS code to your phone. Or, the service may allow you to remove the two-factor authentication protection from your account after confirming you have access to a phone number you configured as a recovery phone number.
This all sounds fine. You have your cell phone, and it has a phone number. It has a physical SIM card inside it that ties it to that phone number with your cell phone provider. It all seems very physical. But, sadly, your phone number isn't as secure as you think.
If you've ever needed to move an existing phone number to a new SIM card after losing your phone or just getting a new one, you'll know what you can often do it entirely over the phone -- or perhaps even online. All an attacker has to do is call your cell phone company's customer service department and pretend to be you. They'll need to know what your phone number is and know some personal details about you. These are the kinds of details -- for example, credit card number, last four digits of an SSN, and others -- that regularly leak in big databases and are used for identity theft. The attacker can try to get your phone number moved to their phone.
There are even easier ways. Or, For example, they can get call forwarding set up on the phone company's end so that incoming voice calls are forwarded to their phone and don't reach yours.
Heck, an attacker might not need access to your full phone number. They could gain access to your voice mail, try to log in to websites at 3 a.m., and then grab the verification codes from your voice mailbox. How secure is your phone company's voice mail system, exactly? How secure is your voice mail PIN -- have you even set one? Not everyone has! And, if you have, how much effort would it take for an attacker to get your voice mail PIN reset by calling your phone company?
Related: How to Avoid Getting Locked Out When Using Two-Factor Authentication
Your phone number becomes the weak link, allowing your attacker to remove two-step verification from your account -- or receive two-step verification codes -- via SMS or voice calls. By the time you realize something is wrong, they can have access to those accounts.
This is a problem for practically every service. Online services don't want people to lose access to their accounts, so they generally allow you to bypass and remove that two-factor authentication with your phone number. This helps if you've had to reset your phone or get a new one and you've lost your two-factor authentication codes -- but you still have your phone number.
Theoretically, there's supposed to be a lot of protection here. In reality, you're dealing with the customer service people at cellular service providers. These systems are often set up for efficiency, and a customer service employee may overlook some of the safeguards faced with a customer who seems angry, impatient, and has what seems like enough information. Your phone company and its customer service department are a weak link in your security.
Related: Security Questions Are Insecure: How to Protect Your Accounts
It's not just about your phone number, either. Many services allow you to remove that two-factor authentication in other ways if you claim you've lost the code and need to log in. As long as you know enough personal details about the account, you may be able to get in.
Try it yourself -- go to the service you've secured with two-factor authentication and pretend you've lost the code. See what it takes to get in. You may have to provide personal details or answer insecure "security questions" in the worst case scenario. It depends on how the service is configured. You may be able to reset it by emailing a link to another email account, in which case that email account may become a weak link. In an ideal situation, you may just need access to a phone number or recovery codes -- and, as we've seen, the phone number part is a weak link.
Here's something else scary: It's not just about bypassing two-step verification. An attacker could try similar tricks to bypass your password entirely. This can work because online services want to ensure people can regain access to their accounts, even if they lose their passwords.
For example, take a look at the Google Account Recovery system. This is a last-ditch option for recovering your account. If you claim to not know any passwords, you'll eventually be asked for information about your account like when you created it and who you frequently email. An attacker who knows enough about you could theoretically use password-reset procedures like these to get access to your accounts.
We've never heard of Google's Account Recovery process being abused, but Google isn't the only company with tools like this. They can't all be entirely foolproof, especially if an attacker knows enough about you.
By subscribing, you agree to our Privacy Policy and may receive occasional deal communications; you can unsubscribe anytime.
Share Share Share Share Share
Copy
Email
Share
Share Share Share Share Share
Jun 24, 2024 · Verizon customers are being targeted by phone scammers pretending to be helpful agents of the wireless titan. The predators deliver troubling news to their unaware victims and then provide urgent solutions to “fix” the problem. I know this firsthand because one of these crooks called my Verizon number and tried his scheme on me.
People also ask
Are Verizon customers being targeted by phone scammers?
Is Verizon a scam?
What happens if a Verizon Wireless user forgets a password?
What happens if a Verizon customer asks for personal information?
Why does my phone keep popping up a lot?
What if I receive a suspicious text message from Verizon?
Jul 26, 2024 · Changes or pop-ups crowd your screen. Malware might also be the cause of odd or frequent pop-ups, as well as changes made to your home screen. If you are getting an influx of spammy ads or your app organization is suddenly out of order, there is a big possibility that your phone has been hacked.
