Verizon prepaid accounts hijacked by SIM swap crooks

Verizon has notified some prepaid customers that their accounts were compromised and their phone numbers potentially hijacked by crooks via SIM swaps.

We're told that fraudsters somehow got hold of the last four digits of those people's credit card numbers – perhaps by exploiting some part of Verizon's online services – and used that information to gain control of their accounts.

From there, the crooks could access the personal info in an account and perform a SIM swap. That effectively transfers the victim's phone number to another person's device, allowing that stranger to use the number and any one-time security codes sent to it to hijack the victim's other online accounts.

"Between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account," the mobile network operator said in a letter [PDF] sent to prepaid customers. 

"Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice," the alert continued.

The Register has asked Verizon how exactly the partial credit card numbers were obtained in the first place: were they obtained from Verizon or some other place? We'll let you know if there's answer. According to the US corp, about 250 people were affected.

The carrier assured customers that, "if a SIM card change occurred, Verizon has reversed it." Additionally, Verizon said it prevented further unauthorized access to customer accounts using the last four digits of the credit card linked to the account.

It also claimed that customers' full credit card numbers weren't exposed, and miscreants attempting the SIM swap attacks only had the last four numbers.

Plus, "in an abundance of caution," the network operator reset customers' PINs, and strongly advised customers to set a new security code, password, and secret question and answer for account access. Also, don't reuse PINs or passwords, because this just makes things easier for criminals.

Verizon also pointed out that whoever got into the accounts would be able to see each customer's "name, telephone number, billing address, price plans, and other service-related information."

No word as to whether this scam will find its way into Verizon's annual security breach report. 

It is worth noting, however, that the 2022 Data Breach Investigations Report found 82 percent of successful online intrusions involved stolen credentials, phishing, application misuse, or error.

FBI warns carriers about SIM swaps for crypto-heists

Earlier this year, the FBI warned mobile carriers and their customers about an uptick in SIM swapping as a means to steal money from cryptocurrency accounts.

From January 2018 to December 2020, the FBI received 320 complaints related to SIM swapping with losses totaling about $12 million. Then, in 2021 alone, the bureau received 1,611 SIM swapping complaints with adjusted losses of more than $68 million, it said in a February alert.

These schemes often start off with social engineering attacks, which typically involve a criminal pretending to be a customer and tricking one of the mobile carriers' employees into switching the victim's mobile number to a SIM card in the criminal's possession. Alternatively, a crook can bride a carrier staffer to do the swap for them.

Once the SIM is swapped, the scammer's phone receives the victim's calls, texts and other data. This allows the fiend to request a password reset for the target's webmail account, with the one-time verification code texted to the thief. 

• Verizon: Ransomware sees biggest jump in five years
• 'Baby Al Capone' to pay $22m to SIM-swap crypto-heist victim
• Eight Brits arrested after probe into SIM-swapping scam targeting US celebs
• It's happened again: AT&T sued for allegedly transferring victim's number to thieves in $1.9m cryptocoin heist

Now in control of the email account and phone number, the thief can start going through all of the victim's online accounts and apps, resetting passwords with the links and texts going to the webmail or hijacked phone number, logging into profiles and wallets, stealing any cryptocurrencies found, and so on.

And if all of this sounds familiar, it should. Last Friday, a man who lost $24 million in cryptocurrency in an elaborate SIM swapping scam won a multi-million-dollar judgment against the thief, who was 15 at the time of the hustle.

According to court documents filed in a federal New York City court, Ellis Pinsky agreed to pay Michael Terpin $22 million for his starring role in the SIM swap and crypto heist. Pinsky was a New York high school student at the time of the theft in 2018, and it's said he paid back $2 million about a year after the swindle to his victim.

Pinsky, now 20, has also agreed to testify against AT&T in a May 2023 trial, Terpin said on LinkedIn. ®