Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Maryland woman loses $17K in SIM card swap scam despite two-factor authentication | I-Team
WJLA ^ | Jan 24, 2024

Posted on 01/24/2024 8:02:10 PM PST by 11th_VA

WASHINGTON (7News) — 7News is asking a security question that deals with your cell phone. How did a Maryland woman lose $17,000 even though she had two-factor authentication on all her accounts?

It all started when Hussey got an email thanking her for the purchase of a new phone at Verizon. Minutes later her contact information at Bank of America had changed.

The problem? She didn't do either transaction and had two-factor authentication on her accounts.

"And the bottom just kind of dropped out,” added Hussey.

She called Bank of America, but her cell phone was no longer active. An online attempt required a verification code her phone couldn't receive.

Within minutes, her $17,000 was gone.

"Initially, I didn't realize how big of a deal it was. I thought I had handled it on the first day by calling the bank, calling Verizon. Figuring things out,” said Hussey.

Hussey told 7News that Verizon said someone in California walked into one of its stores and purchased a new phone along with a new SIM card and used Hussey's current phone number to activate the new phone.

When the new phone was turned on Hussey's phone went dead.

Hussey used a landline to contact Bank of America, but it was too late. Her $17,000 was gone.

"And I have two-factor identification which ended up biting me in the face when it all came down to it. That was the thing that completely hijacked everything. They had complete control of my phone and there was nothing I could do about it,” said Hussey.

SIM card swapping has been around for the past four years, but security experts told 7News that the scale of this type of scam has recently skyrocketed...

(Excerpt) Read more at wjla.com ...


TOPICS: Crime/Corruption; News/Current Events; US: Maryland
KEYWORDS: phone; scam; simcard; theft; yubikey
Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-8081-92 next last
To: 11th_VA

“how did they know where she banks ?”

Once they got access to the phone, they got access to all the apps she uses. She probably had an app for her bank on the phone as well as many other apps. Many apps store your log-in information and it connects you automatically the next time you use the app. Also, maybe a document with all of her passwords or a password manager.

I’m very vigilant but my wife isn’t. But my head is always spinning with all the accounts, all the log-in credentials, all the authenticator apps to use, my YubiKey, my security questions. A couple years ago, I began switching all my passwords over to very complex passwords created in LastPass or in the Apple OS Security feature. But there is no way to memorize those, so you MUST use a password manager. The one built into the Apple OS appears very good, but you must protect your computer with a tough log-in password.

Every day I reminisce fondly about black desk telephones with tangled cords, paper newspapers arriving at 6 am in the driveway, writing paper checks and keeping cash in my wallet.

I subscribed to IdentifyForce that keeps tabs on your digital presence and provides a million dollar insurance policy against losses like this. I’m not sure if the policy covers SIM Card theft, though.


21 posted on 01/24/2024 8:46:52 PM PST by ProtectOurFreedom (“Occupy your mind with good thoughts or your enemy will fill them with bad ones.” ~ Thomas More)
[ Post Reply | Private Reply | To 10 | View Replies]

To: 11th_VA

which is why i have always declined 2 factor for my financial stuff. it is a trap. it is not secure. i hope they (banks, etc.) get off it soon.


22 posted on 01/24/2024 8:51:42 PM PST by dadfly
[ Post Reply | Private Reply | To 1 | View Replies]

To: lee martell

“because it’s too tedious”

Generally 2FA is easy. You get a text message. On some computers, that security key number will auto-fill into log-in pages. The problem is that 2FA with phones is not very secure as the article points out.

The best security is to use either an authenticator app or a physical token like a YubiKey. But both are pains the keister.

Almost a year ago, I switched to “virtual credit cards” from Capital One. These are credit card numbers you create that are tied to a single merchant. They cannot be used at any other merchant. You can turn them on and off easily in their app and set expiration dates. All the virtual numbers roll-up to your “real” credit card number so your single statement shows all your purchases from all of your virtual cards. You also get a regular hard physical credit card to use in your wallet at stores. This is a HUGE security feature, especially if you use the virtual cards for auto-pay of monthly bills.


23 posted on 01/24/2024 8:52:24 PM PST by ProtectOurFreedom (“Occupy your mind with good thoughts or your enemy will fill them with bad ones.” ~ Thomas More)
[ Post Reply | Private Reply | To 12 | View Replies]

To: ProtectOurFreedom
Once they got access to the phone, they got access to all the apps she uses.

Wouldn't they need her Apple ID (or similar) to re-image her phone apps on the new Phone ?

24 posted on 01/24/2024 8:55:06 PM PST by 11th_VA (Celebrate Climate Change !!!)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Brian Griffin

“The banking system is a security mess.”

I wonder what the real security / fraud losses are at banks, businesses and other financial institutions every year? Reported numbers are $5 to $10 billion per year for banks. Worldwide credit card fraud is reported to be $40 billion.

The institutions have incentives to low-ball the public numbers. It’s probably $100 billion per year.


25 posted on 01/24/2024 8:56:17 PM PST by ProtectOurFreedom (“Occupy your mind with good thoughts or your enemy will fill them with bad ones.” ~ Thomas More)
[ Post Reply | Private Reply | To 11 | View Replies]

To: ProtectOurFreedom

I have bank apps on my phone as well, but they require a password to sign in. I guess they could change that if they had other info like SS#, birth date, etc


26 posted on 01/24/2024 8:59:15 PM PST by 11th_VA (Celebrate Climate Change !!!)
[ Post Reply | Private Reply | To 23 | View Replies]

To: 11th_VA

Yes, you are right and that is correct for an Apple iPhone. You need an Apple ID to activate the phone. That’s an excellent additional level of security.

But Android? I don’t know.


27 posted on 01/24/2024 9:03:07 PM PST by ProtectOurFreedom (“Occupy your mind with good thoughts or your enemy will fill them with bad ones.” ~ Thomas More)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Responsibility2nd
Verizon should be on the hook for the $17,000.

Plus damages. $250,000 would send the right message.

28 posted on 01/24/2024 9:04:01 PM PST by CatOwner (Don't expect anyone, even conservatives, to have your back when the SHTF in 2021 and beyond.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: ProtectOurFreedom
Yes, you are right and that is correct for an Apple iPhone. You need an Apple ID to activate the phone. That’s an excellent additional level of security.

If that's true and this story gets out, Apple is likely to be flooded with new iPhone purchases.

29 posted on 01/24/2024 9:07:28 PM PST by CatOwner (Don't expect anyone, even conservatives, to have your back when the SHTF in 2021 and beyond.)
[ Post Reply | Private Reply | To 27 | View Replies]

To: ProtectOurFreedom

OK - That makes me feel better. Plus my Credit Union only allows withdraws of $300 per day max - I like that feature


30 posted on 01/24/2024 9:12:07 PM PST by 11th_VA (Celebrate Climate Change !!!)
[ Post Reply | Private Reply | To 27 | View Replies]

To: 11th_VA

1. Do Not click on any link in an e-mail message

2. Do Not click on any link in a text message

3. Do Not copy any verification code from an e-mail message

4. Do Not copy any verification code from a text message

5. Learn your Internet browsers’ (plural) settings

6. Set up and use a specific Internet browser dedicated to signing on to financial institutions. Do Not use that Internet browser for any other activity. Example: You tour the Internet, using Chrome or Microsoft Edge. Use Firefox for signing-on to financial institutions.

7. Use a unique username for signing on at each website. Use a password generator to create such usernames; 6 - 8 characters is OK.

8. Use a unique password for signing on at each website. Use at least a 20 character password, created by a password generator.

9. Use a password wallet for storing your username-and-password combinations. Do Not store them in an Internet browser.

10. Always quit your Internet browser after signing-out; and, clear all cookies, cache, and history.


31 posted on 01/24/2024 9:13:40 PM PST by linMcHlp
[ Post Reply | Private Reply | To 1 | View Replies]

To: ProtectOurFreedom

“you MUST use a password manager”

Yes


32 posted on 01/24/2024 9:16:02 PM PST by linMcHlp
[ Post Reply | Private Reply | To 21 | View Replies]

To: 11th_VA

“if they had other info like SS#, birth date, etc”

There have been so many massive data leaks lately that this info is out there in the aggregated hacker databases.

I just got notice last week that Delta Dental lost its customer database to hackers. I’m sure our SSNs are in there because you provide it to all health care providers.


33 posted on 01/24/2024 9:21:10 PM PST by ProtectOurFreedom (“Occupy your mind with good thoughts or your enemy will fill them with bad ones.” ~ Thomas More)
[ Post Reply | Private Reply | To 26 | View Replies]

To: 11th_VA

No bank / credit union apps on my phone.
Phones leak, not secure.
Computers are bad enough. I don’t run windows, that helps.

I sometimes wonder if I am paranoid enough....


34 posted on 01/24/2024 9:23:10 PM PST by dagunk
[ Post Reply | Private Reply | To 1 | View Replies]

To: dagunk
No bank / credit union apps on my phone.

Same here. I will not log into any financial or medical account from my smartphone. Same goes for our main email account.

The price of convenience is an increase in risk.

35 posted on 01/24/2024 9:25:42 PM PST by CatOwner (Don't expect anyone, even conservatives, to have your back when the SHTF in 2021 and beyond.)
[ Post Reply | Private Reply | To 34 | View Replies]

To: Swordmaker

What about this bro?


36 posted on 01/24/2024 9:26:46 PM PST by Mark17 (Retired USAF air traffic controller. Father of USAF Captain & pilot. Both bitten by the aviation bug)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Brian Griffin
You pay online with a debit card?

I never use my debit card, other than at the ATM.

I always pay by credit card. If fraud is committed with my card (it's happened), I'm not on the hook for the amount.

37 posted on 01/24/2024 9:29:07 PM PST by Angelino97
[ Post Reply | Private Reply | To 19 | View Replies]

To: dagunk
Phones leak, not secure.

I wonder if anyone has an opinion on these Bittium phones

38 posted on 01/24/2024 9:31:18 PM PST by Angelino97
[ Post Reply | Private Reply | To 34 | View Replies]

To: 11th_VA

As a computer scientist, I came to add more weight to what several others have said. The best advice is to use an Authenticator App or a physical security key, like a Yubikey.

The way these “SIM swap” operations work is like this: they somehow obtain your username and password to a particular website. But, the two-factor authentication (2FA) prevents them from logging in as you. So, they research and find out who you are, ultimately obtaining your cell phone number. If they can convince your carrier to transfer your number to a new phone, they can then intercept your texted 2FA codes. There is some speculation that these may even be “inside jobs”, where people get hired at the cell carriers just to help an organized crime-ring to co-opt people’s phone numbers.

An Authenticator App or security key thwarts this whole operation. Whenever possible, do not rely on texting as your 2FA. Security keys are the highest form of protection. I’m a bit shocked at how many financial institutions still do not offer authenticator apps as an option.


39 posted on 01/24/2024 9:35:23 PM PST by mbs6
[ Post Reply | Private Reply | To 1 | View Replies]

To: 11th_VA

Don’t the thieves also need the username and password for any such SIM/2FA to be useful?


40 posted on 01/24/2024 9:35:30 PM PST by CatOwner (Don't expect anyone, even conservatives, to have your back when the SHTF in 2021 and beyond.)
[ Post Reply | Private Reply | To 1 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-8081-92 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson