As originally reported by ZDNet, the UK National Crime Agency has arrested eight men as part of a coordinated crackdown against a SIM swapping gang targeting US celebrities. By convincing US mobile operators to assign a celebrity’s phone number to a new SIM card under the attacker’s control, the SIM swappers were able to bypass two-factor authentication and reset victim’s passwords. According to Europol, these criminals stole more than $100 million worth of cryptocurrency using this method.
Analyst Notes
As SIM card swaps can occur remotely or in person, Binary Defense recommends that anyone who relies on text messages sent to their phone to authenticate access to online bank accounts or cryptocurrency trading accounts should take multiple steps to secure their device, including enabling a SIM card PIN lock, as well as notifying your mobile phone company that you may be at a higher risk for SIM card swaps. AT&T subscribers can set a “Wireless passcode” in the “Manage extra security” option on their account profile page. T-Mobile subscribers can set up a PIN or passcode in the “My T-Mobile account,” and Verizon customers can dial *611 and ask for a “Port Freeze” on their account. Additionally, Binary Defense recommends only using mobile authenticator apps such as Microsoft Authenticator, Google Authenticator or similar apps, or use physical USB keys for multi-factor authentication, instead of receiving one-time codes over text messages, so that a SIM card swap would not give attackers access to all accounts.
Read more on ZDNet here: https://www.zdnet.com/article/authorities-arrest-sim-swapping-gang-that-targeted-celebrities/
