Verizon has been notifying prepaid service customers that an unauthorized threat actor gained access to some accounts. According to Verizon, “we determined that between October 6 and October 10, 2022, a third-party actor accessed the last four digits of the credit card used to make automatic payments on your account.” By using the last four digits of the credit card numbers, the threat actor was able to access accounts and make SIM card changes in what is known as a SIM swapping attack. In a SIM swap, an attacker changes the SIM card information to take control of the victim’s phone number. They can then use other breach data to attempt to log in to third-party accounts. With control of the phone number, they receive the Multi-Factor Authentication codes that are sent via SMS upon login. Verizon has since notified affected customers and reversed all the SIM card changes the threat actors made.
SIM swapping attacks have gained popularity and are very useful to threat actors who already have breached credentials but are stopped from accessing accounts by Multi-Factor Authentication (MFA). MFA is always a recommended tool for adding another layer of defense against credential theft, but it is typically recommended that MFA be provided through a trusted third-party application and never through a phone number. SIM swapping attacks are a great example of why it is dangerous to have MFA set up via SMS messaging. Users whose accounts are currently set up with MFA through SMS should consider switching to a third-party application before they fall victim to an attack such as this.