"This is still very raw (I have not even told my family)," Coonce wrote in a desperate media post. "I cannot stop thinking about the little, simple things I could have done to protect myself this way."
On a Monday night in June, Matthew Miller's daughter woke him and said his Twitter account had been hacked. He had no cell phone service. Within days, Miller lost his Gmail and Twitter accounts and $25,000 from his family account.
In the case of Miller, the attacker disabled all of his Google services, deleting all of his tweets and blocking most of his 1
Both men were victims of SIM swap attacks, in which someone uses personal information to persuade the victim's wireless service provider to transfer the number and associated telephone account to a device owned by the attacker. With control of your phone number and your account, the attacker can open all connected accounts, usually starting with e-mail. The attacker changes the information in your accounts so that you cannot get them back, sets up e-mail forwarding in case you regain control of your e-mail, and scans all the documents stored in the cloud for anything valuable.
uniquely personal and invasive attack. Thanks to Coonce and Miller, we now know much more about how these attacks are carried out and how horrible the destruction is. In Miller's case, we learned how unhelpful T-Mobile, Google, and Twitter were – with both Twitter and Google, Miller was trapped in a hell of filling in online account-recovery forms and sending them into an abyss of automated replies. And for those who wonder, Miller used two-factor authentication (text / SMS) as an additional layer of security for his accounts. But with his phone out of his hands, it did not matter.
In addition, the company stated that a non-SMS two-factor method (such as a YubiKey) would only qualify if the attacker knows the victim's password. Google recommends Google Prompt or Google Authenticator with physical keys as the strongest form of two-factor. Google also said that SIM swap attacks are rare and limited to certain targets, and that most people do not need a two-factor method beyond SMS (text-based).
Needless to say, Google's e-mail was a confusing answer given the details we learned about Coonce's and Miller's SIM swap attacks and account hijacks. For one thing, I think it's too conservative to say that most people are fine if they use SMS as their second factor, and that most people should not worry about SIM swap attacks.
Especially if we look at the context of two important things. First, we hear more than ever about SIM swaps, and only those involving high-profile technicians – we do not hear what's happening to ordinary people. And secondly, there was a major security breach that made an attack, which was usually considered a high-volume targeted attack, a much easier way to make money and steal accounts.
This T-Mobile security breach was actually a big deal. Coonce uses AT&T, while Miller uses T-Mobile and Google Fi. The SIM porting process for both networks is highly insecure, with both companies exposing customer PINs for an unknown period in 2018, and T-Mobile recently suffered a breach of all the information required for a SIM swap attack.
According to AT&T documentation, only the information found on a current mobile phone bill is required for the transfer: account number, name of the account holder, billing address and "PIN or password, if applicable" – and it should be noted that minimal billing information is all that is needed when someone "does not remember" their PIN or password. The same applies to a T-Mobile transfer: just information from a bill. However, it does not specify whether a password or PIN is required.
T-Mobile was hacked in August 2018 and the billing information of 2.5 million customers was stolen. The company assured the press that no financial data was compromised – but I bet that was not the point. It was all this great billing information that attackers could use to profit much more through SIM porting and the theft of people's phone numbers and accounts.
The day after T-Mobile's news, a researcher discovered that all T-Mobile and AT&T PINs for customer accounts had been exposed by website bugs for an unknown length of time.
Obviously, the SIM porting processes at both companies needed to be made more secure a long time ago – around the time we started living our entire lives on our phones. For T-Mobile, however, this became even more pressing after its massive breach. They have not done that, and here we are.
SOS – Save our SIMs.