The attacks, which lead to 2FA defeat and account takeover, have accelerated by several hundred percent in one year, leading to thousands of drained bank accounts.
SIM-swapping – the practice of duping mobile carriers into switching a target’s phone services to an attacker-controlled phone – is on the rise, the Feds are warning, leading to millions in losses for consumers who found their bank accounts drained and other accounts taken over.
Subscriber Identity Modules (SIMs) are small chips inside mobile phones that allow the carrier to identify and register subscriber devices – a requirement to provide service to them. Most SIM-swapping attacks take the form of social engineering, where the criminals impersonate victims and convince customer-service agents to change over victims’ services to new phones that they control.
Once the service has been redirected, the crooks have access to any of the victims’ calls, texts, voicemails and saved profile data. That access allows them to send “Forgot Password” or “Account Recovery” requests to the victim’s email, which in turn lets them easily defeat two-factor authentication that uses one-time passcodes and thus crack high-value accounts.
While SIM-swapping (aka SIM-jacking) isn’t a new practice, the attacks now seem