What happens when fraudsters steal your mobile identity by committing porting or SIM swap fraud? The following is a real-life example of SIM swap fraud. This attack happened to “Bob”, a key employee of a security and risk prevention company.
The Fraudster Attacks
- The fraudster initiated a swap of Bob’s mobile phone number to a different phone/SIM.
- Bob had a PIN code on his account, presumably to prevent any activity with his mobile number, but the wireless carrier allowed a one-time exception.
- The swap was completed on a Friday night just before retail customer service centers closed, allowing the fraudster more time to exploit Bob’s identity before he became aware.
- Once in control of the mobile phone number, the fraudster reset Bob’s Gmail password to gain full access, using two-factor authentication involving a text message sent to the mobile phone.
- The fraudster changed not only the Gmail password but also the mobile phone number associated with the account, setting it to a different phone number and locking anyone else out of the account.
- With access to Bob’s Gmail, the fraudster quickly data-mined the email for banking information (e.g., US Bank, Wells Fargo, PayPal, Coinbase).
- Using Bob’s email as the username to target banking and bitcoin accounts, the fraudster systematically attempted password resets via two-factor authentication.
The Fraud is Discovered
Bob realizes he has been attacked when he can’t use his phone to make a call. Then he realizes he can’t access his email.
How does he recover?
Read our next blog “Mobile Identity Nightmare - Response”