Twitter CEO's Own Account Compromised

[XLM]

Yesterday, on Friday August 30th, the CEO of Twitter Jack Dorsey's own twitter account (@jack) was compromised.

 

The hackers used a method called "Sim Swapping" which entails calling one's carrier and socially engineering them into switching the targets phone number to their sim card.

 

https://www.nytimes.com/2019/08/30/technology/jack-dorsey-twitter-account-hacked.html

https://www.bbc.com/news/technology-49532244

[Origami Cactus]

Then that's not really hacking now is it?

Just good old social engineering.

[Levent]

its starting to feel like US service providers have customer support workers with less IQ than my cat. When I call my service provider, I go through 3 checks including a voice password.

[XLM]

3 minutes ago, Origami Cactus said:

Then that's not really hacking now is it?

Just good old social engineering.

 

Yes unfortunately this method "Sim Swapping" is not getting very much limelight, it is an extremely powerful tool that has been used to hack many celebrities and steal millions of dollars from Crypto Currency investors.

[Master Disaster]

3 hours ago, XLM said:

 

Yes unfortunately this method "Sim Swapping" is not getting very much lime light, it is an extremely powerful tool that has been used to hack many celebrities and steal millions of dollars from Crypto Currency investors.

It was used against Linus a few years back, unfortunately it removes the security from you and places it in the hands of other people so there's not much you can do to prevent it.

 

3 hours ago, Origami Cactus said:

Then that's not really hacking now is it?

Just good old social engineering.

Well technically hacking is gaining access to a system you're not authorised to use so yeah, it's hacking. The method of obtaining the information is almost secondary to the intended use of the information.

[XLM]

1 minute ago, Master Disaster said:

It was used against Linus a few years back, unfortunately it removes the security from you and places it in the hands of other people so there's not much you can do to prevent it.

Yes this is why I use my google voice number for everything that requires a number and my security key for 2FA, it makes you invulnerable to this attack

[strajk-]

A method that doesn't work here in Switzerland. 

In order to get a sim card here you need to personally go to a shop with a provider stand and fill out paperwork including presenting your ID that is cross-referenced with a database to check for genuinity. 

This process is both for prepaid cards and subscriptions. 

 

My homeland Portugal, all you need to do is go to a shop and buy one, no questions asked. 

As far I know it's not possible to do sim swapping in Portugal either, so the US seems incredibly backwards in security in that regard. 

[yolosnail]

So US providers let you just transfer your number to any random sim? That seems a bit odd.

 

If I need a new sim, I have to either to into store to get the sim replaced, with proof that I am indeed me. Or I can call up or live chat and get a new sim sent out in the post, which I then have to log into my account and activate, which requires 2FA.

 

There's no way I could just get a new sim and ask them to just transfer my number to it.

 

It's like how in the US chip and pin still isn't mandatory.

Are Americans really that dumb they can't remember a 4 digit pin, or is it because they're too lazy to type it in. Or maybe it would cost the card companies more to implement than they lose to fraud.

The US think they are 'leaders' in technology, but they're way behind the rest of the world in so many things. 

[Trixanity]

Here in my country, three out of the big four service providers failed to protect its customers in a recent probe by journalists to see if they'd allow SIM swapping. Those three did it without any ID checks - only the phone number was required and they just handed out a SIM card on the spot. The one provider that didn't fail refused the SIM swap without a photo ID. 

 

What's odd is that none of the big news organizations are covering it despite how egregious it is although there are plenty of other scandals related to these companies such as emergency calls not working and scamming elderly customers but that's beside the point in my opinion.

[HomeBoi]

2 hours ago, Origami Cactus said:

Then that's not really hacking now is it?

Just good old social engineering.

Well i would say social engineering is a tool in a hackers toolbox and getting unauthorized access to data you should not have access to is basically the definition of hacking. So jamming a axe through a door until you can get in could also be concidered hacking, a stupid hack but a hack none the less

[williamcll]

No wonder why so much people fall for indian teach scammers.

[jiyeon]

Is SIM swapping primarily a thing in the US/North America region? I think this is the first time I've heard the term and I live in the UK. It sounds like an intimidating thing to fall victim to.

 

As far as I'm aware, it wouldn't happen here in the UK as my carrier would need me to attend store in person to swap my SIM, mobile number, name etc. I've also made clear to my local store before that I will be keeping my SIM and my phone number so in theory, I shouldn't have SIM swapping vulnerability in the back of my mind, right?

[Origami Cactus]

1 hour ago, sowon said:

Is SIM swapping primarily a thing in the US/North America region? I think this is the first time I've heard the term and I live in the UK. It sounds like an intimidating thing to fall victim to.

 

As far as I'm aware, it wouldn't happen here in the UK as my carrier would need me to attend store in person to swap my SIM, mobile number, name etc. I've also made clear to my local store before that I will be keeping my SIM and my phone number so in theory, I shouldn't have SIM swapping vulnerability in the back of my mind, right?

You can always try sim swapping yourself and see if it works.

[Froody129]

Why is it so easy to SIM swap?? It's a huge security risk and every other country has a proper vetting process

[suchamoneypit]

9 hours ago, Levent said:

its starting to feel like US service providers have customer support workers with less IQ than my cat. When I call my service provider, I go through 3 checks including a voice password.

I can speak that at least at Comcast if any changes are made on an account 3 different checks are required and if it has to do with changes to phones/numbers a special PIN number is required on top of that before changes are allowed. Not following those rules will get you fired and Comcast a large FCC fine. For obvious reasons this means Comcast doesn't take screw ups in this area lightly. Some people will just be dumb and not follow procedure though. Its not rocket scientists that service providers are hiring for lower level support.