Sim Swap Scam Hack?

[very_452001]

The only way for this hack to work is the hacker bribing someone at the cell phone sim company? Or can hacker just know your cell phone number?

If bribing then how does hacker know which cell phone network provider your with to begin with in the 1st place? Shall I assume hacker is already known to sim company or have a already existing relationship with someone at the sim company or does sim company employees nowadays accept any bribe for any amount offered? How does the hacker and sim company employee cover the traces of the bribe? Does the first few digits of a cell phone number reveal which cell phone network sim provider you are with?

So these sim swap hacks are organised in advance right? and if so how do they know their chosen victim is worth their hack and time? Usually is it the victim with lots of bitcoins? Yeah everybody knows bitcoins are on a public not private block chain that can be viewed by anyone. So small time bag hodlers are not victims of this, only the rich whales?

This hack can target individuals only, not groups of people at the same time right?

Does Google 2FA stop sim swap hacks?

So any website that uses normal sms text verification can be sim swap hacked?

If hacker already knows password to victim email account then no sim swap hack required? Just hacker requesting password changes. The sim swap hack is just needed to access the victim's email?

Finally whats the single best most convenient way of preventing a sim swap hack?

[GreatArkansas]

Look this a simple flow how the sim port attack:


read more here: https://bitcointalk.org/index.php?topic=5146701.msg51191498#msg51191498
(You can also found an incident happened which lost of almost $100,000 )

Rather than bribing someone at the cell phone sim company or your telecom provider, they can impersonate you or they will pretend as you just the telecom provider will believe. Or this could be an insider, some staff in your telecom provider can also do this.

Does Google 2FA stop sim swap hacks?

For me, some part yes. Especially those account that even you reset the password or change the email address, upon logging in, it still needs the 2FA code, but what if they will contact the website and pretend/impersonate again especially they already owned your email address or already changed it, you still can't guarantee here.

So any website that uses normal sms text verification can be sim swap hacked?

Not unless your sim will be swapped to the hacker's sim. A website that has SMS verifications are not the threat here.

If hacker already knows password to victim email account then no sim swap hack required? Just hacker requesting password changes. The sim swap hack is just needed to access the victim's email?

Chance will become higher on this. But what if the hacker will change the email address/password and it needs confirmation on the mobile number? So, it will still become useless. You have the access, but you can't fully owned it by changing the password or changing the mobile number connected to the account.

Finally whats the single best most convenient way of preventing a sim swap hack?

Avoid entertaining some random people on the internet especially asking for your personal information or avoid sharing your personal information.
2FA can also be helpful.
Having multiple mobile numbers, like you can separate some of your accounts that need to connect with your mobile number.

[BitMaxz]

Never heard about a Sim Swap and I think this is impossible to happen.
I know there is a sim card upgrade if you have an old sim card without LTE/4g/5g you can upgrade it to a new sim card with LTE/4g/5g sim card. It only needs the pin from the old sim card to activate the new sim card. But after that, you won't be able to use the old sim card and I think it won't receive any SMS and call from the old sim card. All calls and SMS will receive on the new sim card so it's impossible that you can be hack through sim swap.

Unless if they have full control of your Sim card and they know if what email you use. If you bring your phone to the service center or repair center it's possible that they can check your phone to get any sensitive files and information that they can use to have access to your email and phone.

Once he has access to your email connected from your phone he can able to request a sync from phone to email to get your SMS without your authorization.
We have email SMS sync it is enabled by default on our Android devices so if this is enabled every time you're connected to wifi it will automatically sync to your email which is very risky if someone knows your email he can use the email and sync it to his phone. and get your all sensitive files and information like SMS.

That's why you need to have a 2fa authentication on different devices like a laptop or on your phone to prevent this or use a Samsung with Knox security that provides a secure folder where you can save apps and sensitive files with your own password and you can able to hide it on the menu.

[ryzaadit]

Look this a simple flow how the sim port attack:

Not really easy.

I requested my new Sim Card with the same number, you need to go to the Provider Office to requested the swap number phone for a new sim card. I don't know about the procedure SIM Card on other country but on my country they will ask you about the problem of why you changing and want to swap your number, and they will request several documents to identify your self also doing KYC picture. And to confirmation that's is your number, they will ask you the last number you call using that Simcard only outgoing cal from you to other number.

I believe, not every provider cellphone will easily swap your sim card especially using a phone call to swap the number into a new sim card.

[stompix]

Never heard about a Sim Swap and I think this is impossible to happen.
I know there is a sim card upgrade if you have an old sim card without LTE/4g/5g you can upgrade it to a new sim card with LTE/4g/5g sim card. It only needs the pin from the old sim card to activate the new sim card. But after that, you won't be able to use the old sim card and I think it won't receive any SMS and call from the old sim card. All calls and SMS will receive on the new sim card so it's impossible that you can be hack through sim swap.

They happen, and it's mostly the fault or the laziness of the guys working for the telecom providers.

The "attacker" goes to an office, claims he has lost his hone and wallet and asks for a replacement sim card. Since he knows a few details about the original owner in some cases he can trick the guy at the desk in handling him another sim card with the number of the victim linked to it. Normally that shouldn't happen as you would need to provide an ID but there are cases when if you come up with a really good sob story they will issue you one nevertheless.
And once your sim card is replaced yours is useless as is no longer recognized by the network and by the time you grab notice, grab a phone manege to contact them to stop the cloned sim it's already too late.

But usually, and I must add luckily for us things are not that easy.

Shall I assume hacker is already known to sim company or have a already existing relationship with someone at the sim company or does sim company employees nowadays accept any bribe for any amount offered?

Bribing somebody or taking a bribe would be stupid.
The actions are logged when the swap happens so that guy would be caught in a matter of seconds.

Does the first few digits of a cell phone number reveal which cell phone network sim provider you are with?

Yes.

[Lucius]

I believe, not every provider cellphone will easily swap your sim card especially using a phone call to swap the number into a new sim card.

All they asked me when I exchanged my old SIM card for a new Nano SIM was my mobile number, without an ID or any other confirmation that I was the real owner - and all that in office, not via phone/e-mail. Although I knew before that SIM swap is something that happens, after my personal experience I would never use any verification via SIM card.

The first sign that a possible SIM swap has occurred is a complete loss of network/no service, and then you need to respond as quickly as possible with a call to your operator. What can be much more dangerous is SIM cloning, and in that case it can take a long time until you realize you have a copy.

This year there is case of SIM cloned in South Africa, state security minister and State Security Agency officials were victims in this incident. Slightly ironic that this happened to people who should care about the safety of others.

[Saint-loup]

In several countries a Porting Authorization Code is needed for doing a Mobile Number Portability, but the downside is that : as it's a kind of personal key, the operators don't check the identity of the customer asking for a number portability with this code.
So if someone knows your current Porting Authorization Code he can steal your phone number and receive your sms and phone calls on his device, by simply requesting a mobile number portability of your number to his own operator.  

[Shimmiry]

The only way for this hack to work is the hacker bribing someone at the cell phone sim company? Or can hacker just know your cell phone number?

There's no bribing required just to hack someone's phone number and use it to gain the number's owner's information. It is called social engineering in which the attacker would act like he owns the number or he has connections with you, every lies are possible to gain the sim company's help.

If bribing then how does hacker know which cell phone network provider your with to begin with in the 1st place? Shall I assume hacker is already known to sim company or have a already existing relationship with someone at the sim company or does sim company employees nowadays accept any bribe for any amount offered? How does the hacker and sim company employee cover the traces of the bribe? Does the first few digits of a cell phone number reveal which cell phone network sim provider you are with?

As Far as i know each and every network provider has differences with their phone numbers. i.e. AT&T number's starts with 22 while the other company starts with 55. Therefore, it would be easy to know your network provider by simply knowing your number alone.

So these sim swap hacks are organised in advance right? and if so how do they know their chosen victim is worth their hack and time? Usually is it the victim with lots of bitcoins? Yeah everybody knows bitcoins are on a public not private block chain that can be viewed by anyone. So small time bag hodlers are not victims of this, only the rich whales?

Any one can be an attacker's victim. It would only depend on what would be his purpose and  his motivations to do such actions.

This hack can target individuals only, not groups of people at the same time right?

Nope, even the government can be hacked or even a country, depending on how firm your security is.

Does Google 2FA stop sim swap hacks?

Nope, there is an attack that can bypass incoming texts to be sent to your mobile number and the attacker can simply read it. Hence, if he gained access with your number, he can do whatever he wants to do with it.

So any website that uses normal sms text verification can be sim swap hacked?

Everything is hackable and penetrable, hence, nothing even your own sim is secured to attacks.

If hacker already knows password to victim email account then no sim swap hack required? Just hacker requesting password changes. The sim swap hack is just needed to access the victim's email?

Unless you enable phone authorization on your email, then there's a need of your phone to change your password. Yet the bottom line is simple, he attacks you for a reason, and a single information such as phone number can lead to every attack possible with the use of that single piece of info.

Finally whats the single best most convenient way of preventing a sim swap hack?

Never let others know your number! Use separate numbers as possible, from personal use, to work use number.

Take a look at my discussion thread that can be helpful with your matter:
[DISCUSSION] Why you shouldn't trust any anonymous files and applications.

[very_452001]

Okay to summarise this thread so far, for easier understanding for readers:

- Sim upgrades means upgrading a micro sim to nano sim or 4g sim to 5g sim.

- Sim cloning is like how does the attacker clone sim cards? Who leaves their phones unattended for long periods of time to allow this to happen? I understand cloning or skimming credit cards is easy and can be done in less than a sec when customer pays by card in a shop. Sim cloning doesn't make sense as you gotta open the back cover of the phone to clone the sim which is time consuming and risky for the attacker if victim goes toilet leaving phone unattended in a restaurant for example.

- Sim swapping is when you need to swap your old sim to a new one because for example your old sim got bent, damaged or scratched that can affect your signal.

- PAC codes is when you want to still keep your number when changing network/provider.

As you can see listed above, all 4 methods are totally different to each other. So how does one protect from all 4 methods? Whats the best most effective way of protection?


Every old sim has a default pin? Where do you find this pin and please dont say default pin is 0000 or 1234 right?

What is Sim PIN1/PIN2 & PUK1/PUK2 codes?