What happens when fraudsters steal your mobile identity through porting or SIM swap fraud? The following is a real-life example of SIM swap fraud. The attack happened to “Bob”, a key employee of a security and risk prevention company.
The Fraudster Attacks
The fraudster initiated a swap of Bob’s mobile phone number to a different phone/SIM.
Bob had a PIN code on his account, presumably to prevent any activity with his mobile number, but the wireless carrier allowed a one-time exception.
The swap was completed on a Friday night, just before retail customer service centers closed, allowing the fraudster more time to exploit Bob’s identity before he became aware.
Once in control of the mobile phone number, the fraudster reset Bob’s Gmail password and gained full access, using two-factor authentication that relied on a text message sent to the mobile phone.
The fraudster not only reset the Gmail password but also changed the mobile phone number associated with the account to a different number, locking everyone else out of the account.
With access to Bob’s Gmail, the fraudster quickly data-mined the email for banking information (e.g., US Bank, Wells Fargo, PayPal, Coinbase).
Using Bob’s email address as the username to target banking and bitcoin accounts, the fraudster systematically pursued password resets via two-factor authentication.
The Fraud is Discovered
Bob realizes he has been attacked when he can’t use his phone to make a call. Then he realizes he can’t access his email.
How does he recover?
Read our next blog, “Mobile Identity Nightmare – Response”.