undefined | Better HN

0 pointsnemacol4y ago0 comments

And they would have had to do ~6000 SIM swaps? that seems like too many for a short period of time. Maybe?

0 comments

There is some speculation in another comment that their SMS verification server may have actually had a technical flaw, and the issue was not a lack of separate identity verification on SMS [0].

However, around the time of the breach date (March - May 2021), there were a number of "B2B" services that offered a "type in any SMS number and you will get all text messages to that number," type feature intended for customer support teams to use for shared SMS access. Those systems often had privileged access to telcos and were regularly exploited by attackers to break 2FA without even a SIM swap [1]. With those tools, stealing all SMS to a number required only intent, not conversations with telco support personnel.

[0]: https://news.ycombinator.com/item?id=28720280

[1]: https://krebsonsecurity.com/2021/03/can-we-stop-pretending-s...

nemacolOP4y ago

Interesting. thank you for the links.

j / k navigate · click thread line to collapse