HACKER Q&A
📣 heliodor

Has any U.S. mobile provider fixed SIM swap hacking?


From personal experience, it's clear T-Mobile hasn't fixed this problem.

Has anyone gotten hacked on AT&T or Verizon? Do you know what they have done, if anything, to address this?

Is Google Fi susceptible to this?

Is there a solution to this? I'm starting to think maybe I should not have a phone number anymore.


  👤 2squirrels Accepted Answer ✓
From what I understand, it is more of a social engineering attack, deployed after the attacker has gained the personal information required to gain access to an account (which used to be sufficient, but in the Information Age we live in, a postal code / maiden name / date of birth are commonplace on someone’s Facebook profile and friends list).

So the issue is likely a combination of insufficient training for staff and dated methods for verification (for example, allowing people to verify via a PIN number over the phone, but not limiting the number of attempts before being locked out of the account, allowing brute force to be a viable (and successful) attack method).

Some attackers have taken advantage of the fact that some providers don’t have 24/7 support (don’t have the reference, just remember reading about it being used to hack prominent crypto figures in social media, T-Mobile specifically if I can recall correctly), so they start the attack just before support hours end, giving them access to the account and then the downtime to execute the attack (usually non-business hours) without the victim being able to do anything about it, since they can’t get a hold of anyone once they notice they’ve been compromised (as the physical stores are closed and phone support is unavailable until the next morning). That is, if they even notice, as they could be asleep.
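
An added example, not part of the answer above and not any carrier's real system: a sketch of the attempt limit the answer says is missing from phone PIN verification, counted per account so that calling back from a different number does not reset it. The class and function names and the three-attempt policy are assumptions for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed policy value, not taken from the post


class PinVerifier:
    """Account-level PIN check for a support line (hypothetical helper)."""

    def __init__(self):
        self._accounts = {}  # account_id -> salt, hash, failures, locked

    @staticmethod
    def _derive(pin, salt):
        # Store a salted, slow hash rather than the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, account_id, pin):
        salt = os.urandom(16)
        self._accounts[account_id] = {"salt": salt, "hash": self._derive(pin, salt),
                                      "failures": 0, "locked": False}

    def verify(self, account_id, pin):
        """Return 'ok', 'denied' or 'locked'."""
        acct = self._accounts[account_id]
        if acct["locked"]:
            return "locked"  # even the correct PIN is refused once locked
        if hmac.compare_digest(self._derive(pin, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked"] = True
            return "locked"
        return "denied"

    def unlock_after_strong_verification(self, account_id):
        # Assumed to be called only after a stronger check (e.g. in-store ID).
        self._accounts[account_id].update(failures=0, locked=False)


def guesses_until_stopped(verifier, account_id, candidates):
    """Test harness: how many guesses are evaluated before lockout or success."""
    tried = 0
    for pin in candidates:
        tried += 1
        result = verifier.verify(account_id, pin)
        if result != "denied":
            return tried, result
    return tried, "denied"
```

With this policy, repeated guessing against a four-digit PIN is cut off after three attempts, and the account stays locked until the stronger check is done.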