SIM swapping attacks involve tricking or bribing a phone company into assigning someone else's phone number to you; once you have the number, you can intercept SMS-based two-factor authentication messages and use them to take over accounts.
Though SIM-swapping is laughably easy (thanks to lax security in the mobile phone industry), it's still not fully automatable, and so SIM-swapping attacks usually target higher-value accounts, such as valuable social media handles, domain takeovers, and cryptocurrency wallet hacks.
Last weekend, parties unknown launched a wave of SIM-swap attacks against US cryptocurrency owners, succeeding in some cases, with at least one $100k score.
Some of the targets were saved by their use of hardware tokens or mobile apps for their two-factor authentication. 2FA is generally very effective, even against targeted attacks; using a separate app or token, rather than SMS, is an extremely powerful form of security, because the second factor never travels over the phone network that the attacker has hijacked.
ZDNet also spoke with some of the other victims over the weekend. Some candidly admitted to losing funds, while others said the SIM swapping attacks were unsuccessful because they switched to using hardware security tokens to protect accounts, instead of the classic SMS-based 2FA system.
One victim, who wanted to remain anonymous, said that once hackers realized access to cryptocurrency exchange accounts was not possible, intruders quickly switched tactics and targeted social media and email accounts, successfully hijacking the victim's Instagram account.
This exact same thing also appears to have happened to other users, with hackers taking over social media accounts over the past week when they realized they couldn't access cryptocurrency accounts.
Wave of SIM swapping attacks hit US cryptocurrency users [Catalin Cimpanu/Zdnet]