
Ask HN: Has any U.S. mobile provider fixed SIM swap hacking? - heliodor
From personal experience, it&#x27;s clear T-Mobile hasn&#x27;t fixed this problem.<p>Has anyone gotten hacked on AT&amp;T or Verizon? Do you know what they have done, if anything, to address this?<p>Is Google Fi susceptible to this?<p>Is there a solution to this? I&#x27;m starting to think maybe I should not have a phone number anymore.
======
2squirrels
From what I understand it is more of a social engineering attack, deployed
after the attacker has gained the personal information required to gain access
to an account (which used to be sufficient, but in the Information Age we live
in, a postal code / maiden name/date of birth are commonplace on someone’s
Facebook profile and friends list).

So the issue is likely a combination of insufficient training for staff and
dated methods for verification (for example, allowing people to verify via a
PIN number over the phone, but not limiting the number of attempts before
being locked out of the account, allowing brute force to be a viable (and
successful) attack method.

Some attackers have taken advantage of the fact that some providers don’t have
24/7 support (don’t have the reference just remember reading about it being
used to hack prominent crypto figures in social media, T mobile specifically
if I can recall correctly) so they start the attack just before support hours
end, giving them access to the account and then the down time to execute the
attack (usually non-business hours) without the victim being able to do
anything about it since they can’t get a hold of anyone once they notice
they’ve been compromised (as the physical stores are closed and phone support
unavailable until next morning). That is if they even notice as they could be
asleep.

~~~
heliodor
I have a security code on the account, not that it's worth much. The customer
representative said records show no calls were received.

It was 2am Eastern, 11pm Pacific, no stores open. 8pm Hawaii. Probably no
stores open there either.

That leaves online hacking of some part of T-Mobile's systems or rogue
employees on the inside.

