T-Mobile rep gets bamboozled into a SIM swap... all to steal a cool Instagram handle
Oh, the times we are living in. The good old days of number transfer scams are somewhat exhausted, it seems, as carriers are more "woke" to the problem now, and have put safeguards against unauthorized number porting. When you are trying to steal that coveted three-letter OG Instagram account, however, all bets are off.
That's exactly what happened to one Paul Rosenzweig, a fairly well-versed in account security software engineer, who did all the port-out scam precautions that T-Mobile now requires, like extra port validation pins or passwords. Still, he got bamboozled out of a sought-after Instagram account name by another method - SIM swapping. When you lose your damage your SIM card, or you got a phone that uses a different card size, you can ask your carrier to activate a new one, and that's exactly what Mr Rosenzweig suffered from.
The person who wanted access to his social media accounts, simply called a few T-Mobile stores in the region, and managed to get one employee to activate Rosenzweig's number on a phone they control, effectively rerouting all security code confirmation text messages to it. The victim didn't notice he lost signal at first, as he was at home browsing on Wi-Fi, but he did get a reset email from Instagram, and went to his account to relink his original email to his profile again.
When the next morning Snapchat sent him a password reset email notification, too, the proverbial bulb lit up in his head. He set a two-factor authentication for Snapchat, but, since Instagram allows changes to your profile to be effected with a link sent to your handset as well, a landgrab of his user name was already carried out. Instead of the short "par" moniker he had, an OG teen dream to acquire, his user name was now the automatically generated "par54384321."
Long story short, Instagram in the end did the right thing, and assigned his original user name to him, but he was still hoodwinked out of it from another phone number scam angle, thanks to lax security strategies at both his carrier, and Instagram, so word to the wise. "My phone was dead. I couldn’t even call 611," advised Paul Rosenzweig, indicating that the port-out scam precautions should now move to the next fraud pasture, in a constant game of whack-a-mole for carriers. Anyone willing to pay for a cool Insta handle? Someone is selling.
source: KrebsonSecurity
When the next morning Snapchat sent him a password reset email notification, too, the proverbial bulb lit up in his head. He set a two-factor authentication for Snapchat, but, since Instagram allows changes to your profile to be effected with a link sent to your handset as well, a landgrab of his user name was already carried out. Instead of the short "par" moniker he had, an OG teen dream to acquire, his user name was now the automatically generated "par54384321."
Long story short, Instagram in the end did the right thing, and assigned his original user name to him, but he was still hoodwinked out of it from another phone number scam angle, thanks to lax security strategies at both his carrier, and Instagram, so word to the wise. "My phone was dead. I couldn’t even call 611," advised Paul Rosenzweig, indicating that the port-out scam precautions should now move to the next fraud pasture, in a constant game of whack-a-mole for carriers. Anyone willing to pay for a cool Insta handle? Someone is selling.
source: KrebsonSecurity
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed: