SIM Swapping | GTAMotorcycle.com

SIM Swapping

This scam looks internal to certain telecommunication companies. "Protect your info..." doesn't cut it when employees within are giving out your information.
Well, obviously there are things you have control over and things you do not.
 
When I switched from Telus to Bell, I asked Bell where do I get a new SIM card for my iPhone, they said it is a newer model, so it can have the old Telus SIM and there is a second electronic SIM that can be used. So if someone gets hold of your passwords I am assuming the SIM info can be sent to the fraudster.
 
When I switched from Telus to Bell, I asked Bell where do I get a new SIM card for my iPhone, they said it is a newer model, so it can have the old Telus SIM and there is a second electronic SIM that can be used. So if someone gets hold of your passwords I am assuming the SIM info can be sent to the fraudster.
No man...they call your carrier pretending to be you requesting a new SIM. Here's how the scam works:

 
Only way to get the attention of these big companies is via Media exposure.
If the victim put Rogers on blast, there would've been a much better response from them on this matter.
 
This scam looks internal to certain telecommunication companies. "Protect your info..." doesn't cut it when employees within are giving out your information.
I didn't get that from the police bullet. These people impersonated the people whom they stole their personal info from.

Basically don't open any suspicious emails, text, whatsapp from unknown people. Don't reply, just delete, block etc.
Same with unknown callers. I just don't answer.

For me I limit the amount of stuff I do on the phone, no banking, no financial apps, no personal info/passwords kept there.
Just calls, text, emails.
All the other stuff is done on a computer. I know this isn't always possible for some who the phone/device is their only computer etc.
 
How do you prevent this?
Basically, you can't - it is entirely out of your hands. What you CAN do is be very aware of accounts you have that use SMS (text messages) for SFA/2FA (Single Factor Authentication vs 2 Factor Authentication). SMS SFA is extremely cursed but there are websites/services that use it, or offer it as an option - avoid it at all costs. Even if you don't have it enabled, an adversary could potentially enable it themselves to subsequently authorize transactions or account changes. SMS 2FA is still risky - maybe you are using a password that has been stolen/leaked/breached and you aren't aware of it yet. The password being out there can be enough motivation on its own for an adversary to seek out accounts that use SMS 2FA and attempt to hijack the phone number.

Where it is an option, it is MUCH better to use an authenticator app, which on the surface may appear to function the same way but under the hood works VERY differently. I mostly use Microsoft Authenticator - it's not perfect and comes with some pitfalls of its own, but I don't have any better alternatives to recommend myself.

Furthermore, you need to recognize when it has happened to you and act immediately. If you notice your phone is complaining about an unregistered or inactive SIM, and as far as you know your account is in good standing, you need to call your carrier right away. You might think you would get email notifications for some of these account changes, but your adversary may have used your phone number to take over your email accounts and sign you out / revoke access to your email. This can make recovering control of your accounts a huge PITA!
Is it a Rogers problem?
No - it is unfortunately an industry problem. Much like the current problems with nuisance spam calls/texts, it is unlikely they will take serious measures to do anything about it until there is government intervention. eSIMs don't offer any advantages or protection when it comes to SIM hijacking.
 
Basically, you can't - it is entirely out of your hands. What you CAN do is be very aware of accounts you have that use SMS (text messages) for SFA/2FA (Single Factor Authentication vs 2 Factor Authentication). SMS SFA is extremely cursed but there are websites/services that use it, or offer it as an option - avoid it at all costs. Even if you don't have it enabled, an adversary could potentially enable it themselves to subsequently authorize transactions or account changes. SMS 2FA is still risky - maybe you are using a password that has been stolen/leaked/breached and you aren't aware of it yet. The password being out there can be enough motivation on its own for an adversary to seek out accounts that use SMS 2FA and attempt to hijack the phone number.

Curious - so even if the adversary was able to get the password to your account, how would they be able to figure out the phone number that was being used for 2FA?
The only people who would know such information would be friends, colleagues and family - no?
 
Curious - so even if the adversary was able to get the password to your account, how would they be able to figure out the phone number that was being used for 2FA?
The only people who would know such information would be friends, colleagues and family - no?
Pretty much everyone at this point has a footprint of leaked/stolen data. If they're able to tie your email address (very often used as a login) to a name, they can figure out your phone number with a little homework.

As recently as a year ago, there was a website selling scraped/stolen contact info from LinkedIn that came up in the first page of Google search results for my own full name. It's not there anymore, but it's a good example of how little effort it can take on their part.
 
No - it is unfortunately an industry problem. Much like the current problems with nuisance spam calls/texts, it is unlikely they will take serious measures to do anything about it until there is government intervention. eSIMs don't offer any advantages or protection when it comes to SIM hijacking.

Not just an industry problem. Keep in mind, SIM swapping is not the end goal here but the middle step. So what if you now own another person's number. It's what you do with it next. Considering how little time they could have before they are discovered (the second you call in to tech support about your phone saying no service/SIM not registered), they aren't sitting on your number waiting for something to happen. No, they already know what they wanted. They already know your username to the bank or retail website for which they are resetting your password via MFA. But guess what, MFA is also via email so this avenue is only 1 of 2 routes to take.

This is really targeting online logins to websites that rely on email or phone number. Blame the website. Why didn't they have additional safeguards like unrecognized IP address detection, irregular login detection, automatic alerting of suspicious behavior?

Impersonation is so easy these days with social media oversharing combined with people being very lax with how they conduct themselves with financial data (like saving your payment information). They study you, they study the companies involved and process involved and then they execute it. It's really not that hard, just time consuming.

But it's moving on to the next phase now with AI voice impersonations being the new thing. You don't even need to SIM swap to pull those off. Just spoof the number and pretend you are the CEO.

and if you think that's just a one off,

or you get the mass target version

Hop onto huggingface, take the 20 minutes to learn how to use github. Find a victim who overshared on social media. Call the relative and get a 1 minute audio clip. Then caller ID spoof and use the AI voice changer on the victim and apply pre-existing social engineering and money laundering methods. None of those steps besides the money laundering requires illegal tools.

It's literally the old soundboard prank call turned into a criminal enterprise.
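
The website-side safeguards asked about in the post above (unrecognized IP detection, irregular login detection, automatic alerting), sketched as an added example that is not part of the original thread. The log format, event names, /24 grouping and 15-minute window are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: time, account, event, source IP, device id
SAMPLE_LOG = """\
2024-03-01T08:02:11 alice login_ok 203.0.113.24 dev-a1
2024-03-04T19:40:03 alice login_ok 203.0.113.77 dev-a1
2024-03-05T09:00:00 bob login_ok 198.51.100.9 dev-b1
2024-03-09T02:14:50 alice sms_reset 192.0.2.200 dev-zz
2024-03-09T02:15:10 alice login_ok 192.0.2.200 dev-zz
2024-03-09T02:16:05 alice email_change 192.0.2.200 dev-zz
2024-03-10T12:30:00 bob sms_reset 198.51.100.40 dev-b1
"""

SENSITIVE = {"email_change", "payee_add", "mfa_change"}   # hypothetical event names
FOLLOW_UP = timedelta(minutes=15)

def network(ip):
    """Collapse an IPv4 address to its /24 so ordinary DHCP churn is not 'new'."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def review(log_text):
    """Return (account, timestamp, action) for SMS resets from unfamiliar origins."""
    known_nets, known_devs = defaultdict(set), defaultdict(set)
    risky_reset = {}      # account -> time of an SMS reset from an unknown origin
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, acct, event, ip, dev = line.split()
        when, net = datetime.fromisoformat(ts), network(ip)
        familiar = net in known_nets[acct] or dev in known_devs[acct]
        if event == "login_ok" and acct not in risky_reset:
            # Only learn origins while the account is not under suspicion.
            known_nets[acct].add(net)
            known_devs[acct].add(dev)
        elif event == "sms_reset" and not familiar:
            risky_reset[acct] = when
            alerts.append((acct, ts, "step_up"))           # ask for a second proof
        elif (event in SENSITIVE and acct in risky_reset
              and when - risky_reset[acct] <= FOLLOW_UP):
            alerts.append((acct, ts, "hold_and_notify"))   # freeze change, alert owner
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

The owner notification should go to a channel other than the phone number being reset, since that number may no longer reach the account holder.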
 
Pretty much everyone at this point has a footprint of leaked/stolen data. If they're able to tie your email address (very often used as a login) to a name, they can figure out your phone number with a little homework.

As recently as a year ago, there was a website selling scraped/stolen contact info from LinkedIn that came up in the first page of Google search results for my own full name. It's not there anymore, but it's a good example of how little effort it can take on their part.

Will this service help me secure my stuff online?

I usually try to keep track of my email address breach notifications via Have I Been Pwned: Check if your email has been compromised in a data breach
Sometimes Chrome lets me know that my password has been exposed when I sign into certain websites as well.
 
Will this service help me secure my stuff online?

To a limited extent. As I understand it, Incogni helps limit your exposure to data breaches by basically asking websites to purge data on you that they no longer need. It doesn't do anything for data that has already been stolen, and it does require that the websites are cooperative. You can request the same thing on your own for each website - Incogni's selling point is that it maintains a large list of cooperative sites and automatically submits the requests for you.

I usually try to keep track of my email address breach notifications via Have I Been Pwned: Check if your email has been compromised in a data breach
Sometimes Chrome lets me know that my password has been exposed when I sign into certain websites as well.

Chrome has issues of its own, but the compromised password notification is useful. When you get that notification, you need to change that password and never use it again, on any website, ever. A good password manager will do the same thing.
 
