How does an sms hijacking attack typically work? I know sms isn't secure, but how does one go from having a password to bypassing the sms confirmation? Is it as easy as having the number and carrier?
It happened to me. Cellular carriers, in my case T-Mobile, didn't require any confirmation to port a number to a new phone/sim.
Eventually some required the last 4 of your social security number to port a number, which we all know at this point are pretty much public anyway.
T-Mobile now lets you set an arbitrary pin, which my parents promptly set to their DOB :facepalm:
I haven't looked more into it, but as far as I know, sim swap/port attacks were hilariously simple to execute which is why I only use SMS verification when it's the only option.
Maybe what is needed is regulation that makes the service provider liable (with no option to disclaim it) for all damages suffered by the victim if the provider gives away their phone number to an attacker.
I accidentally ‘hijacked’ a number by typoing one number in my online request. I only found out after my wife pointed out my number was different after porting. It took a couple hours with the telco’s support agents, and practically no verification steps, to actually get my correct number back. Very sad state of affairs here.
