azorius.net

Kroll Employee SIM-Swapped for Crypto Investor Data – Krebs on Security (krebsonsecurity.com)
from Raisin8659@monyet.cc to technology@lemmy.world on 26 Aug 2023 20:31
https://monyet.cc/post/448472

Summary

A security consulting giant Kroll disclosed that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms.
The attack targeted a T-Mobile phone number belonging to a Kroll employee and resulted in the transfer of that employee’s phone number to the threat actor’s phone.
As a result, the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.
People with stolen data are being subjected to phishing attacks.

Minimizing Reliance on Phone Company for Security

The SIM-swapping attack against Kroll is a reminder that we should not rely on mobile phone companies for our security.
Many online services allow users to reset their passwords by clicking on a link sent via SMS. This means that if someone gains control of your phone number, they can also gain access to your online accounts.
To protect yourself, you should remove your phone number from any online services that allow password reset using the phone number, starting with important accounts.
If you cannot remove your phone number from an online service, you should check to see if there is an option to disable SMS or phone calls for authentication and account recovery. Use a security key or a one-time code from a mobile authentication app instead of SMS for authentication.

SIM-swapping

SIM-swapping is a type of attack where the attacker tricks a mobile carrier into transferring a victim’s phone number to a device that they control.
This gives the attacker access to the victim’s SMS messages and phone calls, which can be used to reset passwords, gain access to online accounts, and commit other types of fraud.
SIM-swapping attacks are becoming increasingly common, and they have been used to steal millions of dollars from victims.
Mobile providers may not be liable for financial losses caused by SIM-swapping attacks. In a 2023 case, a California judge dismissed a lawsuit against AT&T for a 2017 SIM-swapping attack that resulted in the theft of more than $24 million in cryptocurrency.

#technology

threaded - newest

[deleted] on 26 Aug 2023 20:50 next collapse

Zectivi@sh.itjust.works on 27 Aug 2023 13:47 collapse

Exactly. Despite making it incredibly frustrating for existing customers who want/need to manage their sim cards, they continue to have these sim swap attacks.

coffee@lemm.ee on 27 Aug 2023 06:05 collapse

How people in the security sector operate without 2FA with dedicated apps is totally beyond me.

Raisin8659@monyet.cc on 27 Aug 2023 07:27 collapse

From the sound of this one, the person probably didn’t even have 2FA. Someone took over the phone number, requested for password reset, and got access to the accounts.