
SIM swapper sent to prison for 2FA cryptocurrency heist of over $20m
2022-12-06 19:56

As you'll know if you've ever lost a phone or damaged a SIM card, mobile phone numbers aren't burned into the phone itself but are programmed into the subscriber identity module (SIM) chip that you insert into your phone.

A crook who can sweet-talk, bribe, convince using fake ID, or otherwise browbeat your mobile phone provider into issuing "you" a new SIM card can walk out of the mobile phone shop [a] with your number in their phone, and [b] with your SIM card invalidated and thus unable to connect to the network to receive calls or get online.

Simply put, your phone goes dead, and theirs starts receiving your calls and text messages, notably including any two-factor authentication codes that might get sent to your phone as part of a secure login or a password reset.

The SIM-swap problem (namely that the right to reissue replacement SIM cards is vested in too many different people, at too many different seniority levels, in too many mobile phone companies to control reliably) is why the US public service no longer recommends SMS-based 2FA for general use, and has disapproved it for government staff.

After a SIM swap, your phone won't show any connection to your mobile provider.


News URL

https://nakedsecurity.sophos.com/2022/12/06/sim-swapper-sent-to-prison-for-2fa-cryptocurrency-heist-of-over-20m/