Security News
A 23-year-old British citizen has confessed to "Multiple schemes" involving computer crimes, including playing a part in the July 2020 Twitter attack that saw the accounts of Amazon CEO Jeff Bezos, Kanye West, and former President Barack Obama hijacked by an unidentified crew. The 2020 Twitter attack happened when blue ticks still meant "Verified account" and was accomplished using social engineering just as the COVID-19 pandemic was starting to gain traction.
Google Fi, Google's U.S.-only telecommunications and mobile internet service, has informed customers that personal data was exposed by a data breach at one of its primary network providers, with some customers warned that it allowed SIM swapping attacks. Google sent notices of a data breach to Google Fi customers this week, informing them that the incident exposed their phone numbers, SIM card serial numbers, account status, account activation date, and mobile service plan details.
As you'll know if ever you've lost a phone, or damaged a SIM card, mobile phone numbers aren't burned into the phone itself, but are programmed into the subscriber identity module chip that you insert into your phone. A crook who can sweet-talk, or bribe, or convince using fake ID, or otherwise browbeat your mobile phone provider into issuing "You" a new SIM card.
"The end objective of this campaign appears to be to gain access to mobile carrier networks and, as evidenced in two investigations, perform SIM swapping activity," CrowdStrike researcher Tim Parisi said in an analysis published last week. Initial access to the target environment is said to be undertaken through a variety of methods ranging from social engineering using phone calls and messages sent via Telegram to impersonate IT personnel.
Florida man Nicholas Truglia was sentenced to 18 months in prison on Thursday for his involvement in a fraud scheme that led to the theft of millions from cryptocurrency investor Michael Terpin. The funds were stolen following a January 2018 SIM swap attack that allowed Truglia's co-conspirators to hijack Terpin's phone number and fraudulently transfer roughly $23.8 million in cryptocurrency from his crypto wallet to an online account under Truglia's control.
The Spanish National Police have arrested 55 members of the 'Black Panthers' cybercrime group, including one of the organization's leaders based in Barcelona. The gang was operating four specialized activity cells dedicated to social engineering, vishing, phishing, and carding, having a very organized structure.
According to Schütz, he stumbled on a total Android lockscreen bypass bug entirely by accident in June 2022, under real-life conditions that could easily have happened to anyone. In Schütz's case, it was the humble PIN on his SIM card that stumped him, and because SIM PINs can be as short as four digits, they're protected by a hardware lockout that limits you to three guesses at most.
Verizon has notified some prepaid customers that their accounts were compromised and their phone numbers potentially hijacked by crooks via SIM swaps. From there, the crooks could access the personal info in an account and perform a SIM swap.
According to court documents [PDF] filed Friday in federal New York City court, Ellis Pinsky agreed to pay Michael Terpin $22 million for his starring role in the SIM swap and Bitcoin heist. In a Rolling Stone interview over the summer, Pinsky - dubbed Baby Al Capone by the media - admitted he swiped millions in crypto-coins from Terpin via a SIM swap.
A new possession-factor API now aims to do precisely that, replacing knowledge-based credentials, by using the SIM card for possession factor device binding and user authentication, thus reducing the possibility of phishing. It's inside everyone's mobile phone, and is built on cryptographic security when connecting to mobile network authentication.