Online services increasingly rely on SMS messages for two-factor authentication, which means on the one hand that it's really hard to rip you off without first somehow stealing your phone number, but on the other hand, once someone diverts your SMS messages, they can plunder everything.
And SMS messages and phone numbers just aren't that well-defended. A scam called "porting out" or "SIM hijacking" or "SIM swapping" allows crooks to steal your phone number by impersonating you to your phone company to report a lost SIM card and asking them to assign your number to a new one. Criminals use information from public sources and breaches to answer security questions, then they have your number assigned to a phone in their control. From there, it's easy to seize control of the lion's share of your accounts.
There's a thriving underground market for the kinds of accounts that can be stolen this way, from memorable Instagram usernames to Bitcoin exchange accounts.
Thus an entire criminal underground has been spawned to provide services to criminals who want to steal phone numbers. Services like Doxagram will find out the email address and phone number associated with an Instagram account for a fee. T-Mobile employees and other low-waged telecoms workers can make easy money by sharing poorly secured information from their workplace databases with criminals.
In some ways, this is Security Economics 101. The phone company's security assumes that all a criminal gains from stealing your phone number is the ability to make some anonymous and/or free calls, worth a few dollars at most. Then the online services come along and attach thousands of dollars' worth of assets to the ability to control your number, and the assumption that no one would spend real effort to steal a phone number is invalidated.
"The entire schema is super lucrative," Andrei Barysevich, a security researcher at Recorded Future who has studied the criminal business of SIM swapping, told me. "If you know how to swap a SIM card it's a venue to make a lot of money."
Take Cody Brown, the founder of virtual reality company IRL VR, who lost more than $8,000 in Bitcoin in just 15 minutes last year after hackers took over his cell number and then used that to hack into his email and Coinbase account. At the time of Brown's hack, such attacks were rampant enough that Authy, an app that provides two-factor authentication for some of the most popular online cryptocurrency exchanges, alerted users about SIM swapping and put extra security features to stop hackers.
The SIM Hijackers [Lorenzo Franceschi-Bicchierai/Motherboard]
(Thanks, Fipi Lele!)