How do hackers bypass 2FA systems for passwords by “replicating” your SIM card?

249 views

I was reading an article on password security today and saw a discussion in the comments about hackers bypassing 2FA with what a user described as a “simple” SIM replica. I have friends that work in data security so this isn’t the first I’ve heard of this, but I feel like either this is the phenomenon where professionals in an industry understate part of a task (i.e. any “5 minute life hack” video involving 3 or more power tools), or that there must already be some other system compromise that enables the hacker to -also- acquire whatever is needed to duplicate your SIM card.


6 Answers

Anonymous 0 Comments

I am not sure if this is the same thing, but this (https://www.youtube.com/watch?v=A-nIjUIFARA&t=3s) is a documentary of something related to that. Basically, after they swap someone’s SIM with theirs, they bypass 2FA because the 2FA code will go to their phone instead of the victim’s.

Anonymous 0 Comments

You’re correct. To duplicate your SIM they either need physical access to your SIM or they need to get access to (or from) your provider who (since SIM authentication is symmetric key based)

Of course SMS is unencrypted, so if they are proximate to you, they might just use passive monitoring to intercept the 2FA code and act before you do to compromise the account.

Anonymous 0 Comments

The hackers, having identified a high value target and acquiring a lot of knowledge about that person, go to a phone shop and say their phone has been lost or stolen and need to buy a new one, or some such other ruse.

The person in the shop then issues a new SIM or even a whole new phone and blocks the old one. Upshot is that the hacker ends up being able to receive calls and messages as if they were you, circumventing the 2FA security many organisations use.
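
An added example (not code from any of the posters in this thread) that models the two points made in the answers above: SIM authentication is a challenge-response on a per-subscriber symmetric key Ki, so a “replica” that does not carry Ki cannot answer the network’s challenge, and a SIM swap works not by copying anything but by having the carrier issue a fresh key to a new card. Everything in it is a simplification I am assuming for illustration: the A3 function is replaced by HMAC-SHA256 truncated to 32 bits (real cards use COMP128 variants or Milenage), the IMSI is a made-up value from the test range, and the swap is modelled as “same subscriber record, new Ki” rather than the real rebinding of a phone number to a new card.

```python
"""Toy model of SIM challenge-response authentication and of a SIM swap.

Added example for this thread, not code from any of the posters.  The
card-side and carrier-side algorithm is NOT the real COMP128/Milenage
function: HMAC-SHA256 truncated to 32 bits stands in for A3 so the shape
of the protocol (shared Ki, random challenge, short response) is visible.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """SRES = f(Ki, RAND).  Assumed stand-in, not a real A3 implementation."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


@dataclass
class Sim:
    imsi: str
    ki: bytes  # on a real card this never leaves the secure element

    def respond(self, rand: bytes) -> bytes:
        return a3_stand_in(self.ki, rand)


class AuthenticationCentre:
    """Carrier side: keeps its own copy of every subscriber's Ki."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def provision(self, imsi: str) -> Sim:
        """Issue a card: generate a fresh 128-bit Ki and store our copy."""
        ki = secrets.token_bytes(16)
        self._keys[imsi] = ki
        return Sim(imsi, ki)

    def reissue(self, imsi: str) -> Sim:
        """SIM swap at the shop (simplified): a new card with a new Ki
        replaces the old record, so whoever holds the new card now 'is'
        this subscriber and the old card stops authenticating."""
        return self.provision(imsi)

    def authenticate(self, card: Sim) -> bool:
        """Challenge the card and compare with our own computation."""
        ki = self._keys.get(card.imsi)
        if ki is None:
            return False
        rand = secrets.token_bytes(16)
        return hmac.compare_digest(a3_stand_in(ki, rand), card.respond(rand))


def cloning_scenarios() -> dict[str, bool]:
    """Who passes authentication, depending on whether they hold Ki."""
    auc = AuthenticationCentre()
    victim = auc.provision("001010123456789")  # constructed test-range IMSI
    # Attacker knows the number/IMSI but not Ki: cannot answer the challenge.
    clone_without_ki = Sim(victim.imsi, secrets.token_bytes(16))
    # Attacker extracted Ki from the card or obtained it from the carrier.
    clone_with_ki = Sim(victim.imsi, victim.ki)
    return {
        "genuine_card": auc.authenticate(victim),
        "clone_without_ki": auc.authenticate(clone_without_ki),
        "clone_with_ki": auc.authenticate(clone_with_ki),
    }


def sim_swap_scenario() -> dict[str, bool]:
    """After a reissue the attacker's card works and the victim's does not."""
    auc = AuthenticationCentre()
    victim = auc.provision("001010123456789")  # constructed test-range IMSI
    attacker = auc.reissue(victim.imsi)  # obtained through the shop ruse
    return {
        "victim_old_card": auc.authenticate(victim),
        "attacker_new_card": auc.authenticate(attacker),
    }


if __name__ == "__main__":
    print(cloning_scenarios())
    print(sim_swap_scenario())
```

The point the model makes is that the only two places Ki exists are the card and the carrier, which is why “duplicating” a SIM needs one of them, while a swap needs neither: the attacker never learns the old Ki, the carrier simply stops honouring it.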
