Verizon prepaid accounts hijacked by SIM swap crooks

Verizon has notified some prepaid customers that their accounts were compromised and their phone numbers potentially hijacked by crooks via SIM swaps. We're told that fraudsters somehow got hold of the last four digits of those people's credit card numbers – perhaps by exploiting some part of Verizon's online services – and …

  1. Will Godfrey Silver badge

    Quite predictable (and was some time back)

    The more 'connected' everything is, the easier this sort of thing becomes - and it's not just money. There was a case a while ago where a man had his house 'stolen' and sold while he was on holiday.

    The best security is multiple totally independent and DISconnected forms of verification - but that's more effort.

  2. Mike 137 Silver badge

    Insecurity by design, yet again

    "fraudsters somehow got hold of the last four digits of those people's credit card numbers [..] and used that information to gain control of their accounts"

    The last four digits of a PAN are considered by the PCI DSS to be displayable, so they are essentially public knowledge. There's absolutely zero justification for using publicly known information as a security credential, although almost every business does so, whether it be these digits, your date of birth, your postcode (zip code) or whatever.

    You're constantly told that passwords must not be obvious common words, yet your sensitive personal data and services are "protected" by public information almost everywhere. The fault lies squarely with us -- the "security professionals" these organisations employ, who perpetuate fundamentally flawed common practice rather than actually thinking about the problems to be solved and the adequacy of their proposed solutions.

    1. heyrick Silver badge

      Re: Insecurity by design, yet again

      Yup. I complained to my bank about the "Verified by Visa" asking for my date of birth, pointing out that as a foreigner (in France), ridiculous loads of people (including them) have photocopies of my passport which has that information clearly marked.

      "The security of our clients is our highest concern, blah blah."

      Now, I get a one time code by text.

      1. yetanotheraoc Silver badge

        Re: Insecurity by design, yet again

        "Now, I get a one time code by text."

        Little good that will do you, if your bank allows "access to customer accounts using the last four digits of the credit card linked to the account", as Verizon appears to have done. Or substitute some other publicly-known data point that the call center uses to identify you. Change the linked phone number, and the phisher can get the next code.

        Around these parts, businesses wanting to look up my customer record constantly begin by asking "What's your phone number?" My reply, "I never gave it to you." Not because I don't want them to call me, which would be merely annoying. But because I expect they would treat anybody who knows my phone number as me, which could be devastating.

        Fun fact, Verizon has an incorrect Social Security Number for my account. That was changed decades ago by Verizon sales, after they used the correct SSN to pull my initial credit report. But nobody at Verizon today can understand why that happened, so I just keep quiet about it.

  3. heyrick Silver badge

    I can't help but think that if a SIM is to be swapped, then an authorisation message should be sent to the original phone/SIM.

    What about if the original is lost/stolen? Well in that case you'll be interacting with the provider which should make this sort of thing more difficult.

    1. Slx

      That’s exactly how it always worked here in Ireland.

      Someone sends a number porting request online, on the phone to a customer care agent or in a store and the first step is you get a text saying “You have requested to move your phone to a new network. Your confirmation code is 1A2B3C4D” (random one time code).

      You can’t complete the port without that code and it’s not based on any personal information and the database access is standard, and operated by a shared porting service provider, so the operators can’t override that.

      You need physical access to the handset / SIM to get the code.

      If the phone is registered, they need your billing account number for extra step verification.

      It’s not perfect, but it seems like a simple and obvious security step to use a one time code.

      The port is entirely automated and usually completes almost instantly, but they’ll allow up to two hours and the text alerts you that it’s being ported.

      Contacting your current provider can also immediately block or reverse a port.

      Landline / VoIP numbers all have a UAN (Universal Account Number) associated with them, which isn’t the billing account number and has to always be available to the customer. (You don’t have to ask permission to port or engage with the previous provider).

      To move the number you need to provide the new provider with the registered address, customers’ name and the UAN. That’s also usually completed very quickly these days, but it’s a bit clunkier than mobiles.

      The porting system uses a shared database here with a specialist porting service provider similar to a domain registrar, so when you port it just amends the routing information and it syncs up with every provider - comparable to a DNS record. It at least means the porting process is not really in the operators’ hands and there’s an external entity dealing with the system and standards.

      If there’s an error / fraud, undoing the port isn’t challenging.

      In the early days, around 2000-2002, recently ported numbers used to sometimes take a day or so before every provider had synced up. You used to get routing errors until that happened. Technologies moved on and the old TDM based switches and IN solutions are gone, so things have become a lot more instantaneous.
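
The one-time-code confirmation described in the comment above, and proposed in the comment it replies to, sketched as an added example; this is not code from the article, the commenters or any operator. The `PortingService` class, its method names, the 10-minute validity, the three-attempt limit and the phone number are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 600     # assumed validity window, seconds
MAX_ATTEMPTS = 3   # assumed limit on wrong guesses per request

class PortingService:
    """Hypothetical shared porting database: number -> serving operator."""
    def __init__(self, routing, send_sms, clock=time.time):
        self.routing = dict(routing)
        self.send_sms = send_sms  # delivers to the SIM that holds the number now
        self.clock = clock
        self.pending = {}

    def request_port(self, number, new_operator):
        code = secrets.token_hex(4).upper()  # random, not from personal data
        self.pending[number] = {"code": code, "to": new_operator, "tries": 0,
                                "expires": self.clock() + CODE_TTL}
        self.send_sms(number, "You have requested to move your phone to a "
                              f"new network. Your confirmation code is {code}")

    def confirm_port(self, number, supplied):
        req = self.pending.get(number)
        if req is None:
            return "no-request"
        if self.clock() > req["expires"]:
            del self.pending[number]
            return "expired"
        req["tries"] += 1
        if not hmac.compare_digest(req["code"].encode(), supplied.upper().encode()):
            if req["tries"] >= MAX_ATTEMPTS:
                del self.pending[number]  # stop guessing; a new request is needed
                return "locked"
            return "wrong-code"
        self.routing[number] = self.pending.pop(number)["to"]
        return "ported"


def demo():
    inbox = {}  # stands in for the handset holding the current SIM
    svc = PortingService({"0850000000": "OperatorA"},  # constructed number
                         lambda n, msg: inbox.setdefault(n, []).append(msg))
    svc.request_port("0850000000", "OperatorB")
    guess = svc.confirm_port("0850000000", "1234")  # card last-four is no help
    code = inbox["0850000000"][-1].rsplit(" ", 1)[-1]
    done = svc.confirm_port("0850000000", code)
    return guess, done, svc.routing["0850000000"]
```

Routing changes only when the code delivered to the existing SIM is presented; nothing a call-centre caller could know from public records enters the check.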

  4. EnviableOne

    SMS second factor

    why oh why did NIST pull the advice against it from the latest SP-800-63b

    SIM swaps are a problem
