How Sim Swap Hackers Steal Millions
Vložit
- čas přidán 26. 02. 2024
- In this video I explain how hackers are able to steal millions of dollars and access sensitive data in peoples accounts that are secured with SMS 2 factor authentication and how you can defend yourself from sim swapping attacks by using 2 factor authentication.
My merch is available at
based.win/
Subscribe to me on Odysee.com
odysee.com/@AlphaNerd:8
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF - Věda a technologie
Worth mentioning that a group of 3 hackers recently got arrested for hacking FTX and stealing 400 million as it was collapsing by SIM swapping ftx senior leadership.
Stealing from thieves, good
@@fedyx1544 Or they used that as a cover to "steal" from themselves.
@@fedyx1544No honor among thieves, after all
Surely it was hackers and the money is definitely not in accounts in anti-west nations that aren't willing to share info with usa.
Link please?
It sounds wild to me that US carriers allow SIM swap on a phone request without going to the store and requesting an Id
It's almost like it's done by design
it's wild that people want rules and laws to keep them safe like theyre some sort of toddler.
@@borregoayudando1481has nothing to do with rules and laws, just phone carriers just not giving a shit about customer privacy 😂
What? You know you can do far more than sim swap without going in to a location to show ID?
Here in africa you have to go with ur id, they have a branch in every hood😂😂, I see sim swap... as a movie, if below 18 ya have to carry ya birth cert
It should be noted that even though anybody can get SIM swapped, the only reason you will likely ever be SIM swapped is if you have a rare social media username or if you have a ton of crypto stored on an exchange. And it should also be noted that by the time someone SIM swaps you, that person already has a ton of info on you and likely already has the passwords to your email and crypto accounts, and that the best way to prevent a SIM swap is to just not reuse emails or passwords, so that your valuable accounts aren't discovered by SIM swappers
I do wonder how many blockchain technologies and marketplaces have had data breaches involving users mobile numbers, would make for a great sim swap farm maybe.
@@jackygreenhow9889
Sim swap farm simulator...
Hmm.
Sounds like a mobile game.
@@jackygreenhow9889 Most SIM swap targs are already found through breaches in crypto-related sites. Typically though, all you need is a list of emails. Most swappers just use autodoxers to get everything else, and can just use a bunch of previous data breaches for cross reference to compile a list of passwords associated with each email. Most emails are also comped via some poorly secured recovery method. For example, a lot of older yahoo accounts have old emails linked to them that might have bruteforceable security questions as a recovery method
Why enter your phone numbers on to such financial services in the first place ? , when you can choose not to?
@@cOnfidentialcOrpyou can’t, most fiat exchanges want your email plus number
Imagine if it's done to multiple us politicians the things they could expose would be insane
We already know all the things they do in the open and no one does anything about it.
@@SedBuildsThings true but imagine that with proven evidence that is impossible to deny the media outrage from it would be far too big to hide
The stuff that has already been exposed about politicians is insane
Very true indeed... though I wouldn't wish SIM swapping on my worst enemy.
@@MrKing-771yeah idk what makes anyone think exposure to the info is what solves it... we already have the Panama papers, we already have the evidence against the GOP and trump... no one seems to care, or they are stupid enough to think its fake. They think its the "deep state" covering things, while they are BEING SHOWN the deep state that covers things...
19 yr old guy steals 800k - people going wild
FTX stealing literally billions - not really a big thing
"not really a big thing" to who??
@@denshitenshi
The us goverment
Well it was always like that.
Big important people will get away and get what they want
@@liamtheboxI mean, he is going to prison forever, and his victims were mostly mega banks and venture capital outfits acting retarded, soooo
FTX was a bank, it's kind of expected for them to steal money.
If only the politicians payed attention to this
😂 😂😂😂😂😂😂😂😂
Yeah right
Too busy regulating the big evil AI
FTC did resolve last year to put up rules and punishments for carriers who allow it to happen. In 8-10 years they might finally shove past enough lobbyists to enact something.
how about just not doing dumb things like tie all your account to something what you have no control over?
no, keep those idiots as far away from this as the companies that let it happen
It would stop immediately if telecoms would be guaranteed punished by at least recompese 100% of damages. Even if you are really cautious you can do very little to prevent such crimes. Just insane, they are practically involved in it.
One thing I like about this channel. He explains things clearly and easily for the majority of people to understand, not just tech people. Absolutely brilliant channel man💪
i dislike exactly that
yeah. that's why i watch him too.
Ya, but he left out the fact that starting in 2024 all US carriers text the owner a warning message that a sim swap has been initiated along with a prompt to respond Yes or No. Unless you respond it simply won't work, problem solved.
Don't choke on it 🍆
@@BillAntthat’s wrong. It’s not “all US carriers” it’s SOME that customers OPT into. Very different
SIM swapping is way much harder in Poland.
Every time you do it you have to come to your operator shop in person, present your ID or passport and person working there has to get your written consent before changing anything.
On top that you receive an email and SMS warning you about the upcoming change (and emails usually have a link you just have to click to stop the whole process)
Whole procedure is very verbose and takes up to 2 days. It's less convenient, but it's almost impossible to not notice that someone tries something shady
I strongly dislike services that don't allow me to disable SMS and only use TOTP. It's a big problem that companies don't understand that SMS is not secure and either force you to use it, or, when they enable TOTP, still give you the backup method of SMS without the ability to turn this off. I'm not a public figure, yet someone tried to SIM swap me and I was luckily notified via email about how sad it was that I would leave my provider. The police didn't really invest a lot of time to figure out who it was, because I was quick enough to prevent any damage on my end. It's ridiculous.
Nice, addressing what the problem is and how it works and a good way to combat it, informative in the complete sense
For me I hope the criminals win not everyone is going to see this video when there are hundreds of millions of people billions of people lots of companies lots of normies not everyone is going to have security training.
In movies most people don't want the criminals to win
Attackers are getting around OTP by having their credential harvesting domains proxy authentication attempts on behalf of the victim, stealing the user, pass, and MFA session token on the way. They're also using more QR codes in their phishing emails which gets the victim to stop using their work device, and get phished on their phone where they are less protected.
That's why FIDO2 hardware authenticators are superior to TOTP
As a person who works in telecom. Sim swap theft is highly related to telecom companies whether they take it seriously or not. As a standard procedure the physical being of the person or customer is a must in sim swap. Thumbprint is taking in the form of consent and new live photo of customer is taken in every sim swap he or she makes.
It's surprising how easy it is to do a sim swap in the US compared to other countries. For example, in Colombia, you must go to a carrier office and follow a series of security steps to show your ID document and answer questions related to your complex personal data (like the subscriptions or the related office addresses).
mental outlaw talking about kingbob and playboicarti gotta be the funniest thing to happen this year
I hope TGD leaks 🙏
babe wake up new Mental Outlaw just dropped
Sus
🍳🥓☕️
Bro really just said king Bob from the minions movies has committed millions of dollars worth of Sim swap fraud.
I was thinking King Bob from Recess.
@@ashliehigginsoh dude yes!
Watching this in the middle of my math class
based
🗿
Do they still use numbers for math?
We know dude. You ain’t slick.
"Meth class"
Mental Outlaw talking about king bob and grails was the last thing I expected 😂
KING BOB HAS FALLEN
may he rot in jail lmao
@@mrotssthose carti grails never coming now little guy free king bob
@@doverif idgaf about "grails", that dude is a fucking loser lmao
valuable advice regarding totp, appreciate it
Reminds me of e-prom burners and laptops with radio frequency spectrum analyzers in the 1990’s...
The more things change the more things are just repeated exploits using a new methodology based upon the same patterns.
Well thanks, now I'm terrified.
hmmm perhaps i should give up being a NEET and get a job at verizon
Become a regional manager at Verizon, criminals will pay you 50K to do a sim swap
@@JWL123and then when they trace where the swap originated from you get federal time while the others get away.
On top of that they probably stayed anom while contacting you so enjoy not being able to give good connections/leads to the cops for a lesser sentence.
Same shit with boxers and refunders 🤣
@@Tricvy 100% correct, I never said it was a GOOD idea🤣
Aggravate identity theft. Never understand that one.
In Spain the system is that you can block a SIM card by phone, but not issue (or transfer) a new one this way. You can ask for it to be sent to your registered address (you cannot change your address at that moment) or you have to go to a point to prove your identity (photo ID).
As well as by telephone, via a website and with familiar credentials. But never remotely issue the new SIM, only block it.
What sucks is that most banks only support SMS
My phone service provider recently blocked me from paying my bill with a Visa gift card. Said its because I could be anon. Well, yeah...but I was a customer for 2-3 years. Maybe I just decided to be a hacker with all of my personal data already known. Hmm...
Thanks for the news!
Thank you so much for the tutorial.
I'm quite happy with Aegis
the naval destroyer of the 2FA world.
one thing really annoying about google and microsofts authenticator is that you either can't put a password on it, or in the case of microsofts your forced to use pattern to open the app if you use it to unlock the phone which is redundant, so thanks for recommending that aegis, its a shame you cant do a pin instead of password though
Lol where i live (EU) the first tire telkos do still requiere you to wait for the new sim card (basicly nobody uses eSIM, incl. Iphone) or only allow the swap to the secondary SIM card you already got mailed. The benifits of ood scool tecnology ... i guess :D
As usual fine content 🎉
My school had a phone cubby system and i got a new phone so i decided to test how much of a risk it is
I put my old phone in there and then didn't grab them at the end of class, asked my friend to come in the next period
He said the teacher didn't even look up at him when he nabbed it
Luckily all the people at my highschool are too mentally ill and addicted to tiktok to have anything of value
Why is there even a need for a phone cubby system? Presumably one could just keep a phone in their locker, or even backpack, or even pocket or something? Sure Teachers presumably don't want people using their devices during class, but if it's kept in a bag or pocket (or obviously locker) then they are not using them.
@@MsHojat no idea, the teacher that didn't look up was my AP precalc teacher and he's the only one who actually enforced it
At my other classes they didn't ask or tell you to put it in the phone cubbies unless you were on your phone and your grade was lower than a C+
You must be fun to describe everyone like that.
@@maramba32 in my physics class there are like 3 people that pay attention
She has to go around and take them out of people's hands
It isn't a stretch to say they are both addicted to tiktok and mentally addled enough that they can't manage their own time
@@maramba32 I found the mentally ill tiktok user!
Is it as easy with eSims as well ? I'm not that techy. Thanks!
They did this to crypto and some celebrities, even that former CEO of CZcams
@@Octaviu5someone’s son dies to drugs and you think it’s awesome. What a great person
@@JWL123honestly I want to say I am mixed, I think Susan in general even as a rich person is just bad, her son was in college probably through some financial boost that others usually struggle with
However I will not lower myself to desecrate their death or make it into a laughable subject, it is disrespectful, and I agree
@@Octaviu5 Susan along with rich people like her just....they like to make it easy for their children while others struggle, some people still have debt
@@Octaviu5 Six million? I don't know, that sounds like a bit too much to me...
@@Octaviu5did Susan ruin your life? Lol
I bet that Florida hacker will have a big lawsuit from these artists.
Thank the spam callers who keep calling my number multiple times every day to let me know my number is still tied to my phone.
Now I feel bad that I never pick them up.... NOT!
Mental Outlaw is a former com kid for sure
privacy enjoyer =/= fat ogu kid
SMS will probably still remain the easiest 2FA for most elderly people.
sounds more wild to me how much people are willing to risk for the little convenience making all your banking via your mobile gadget rather than divers your sources of payments.
@MO - Excellent, useful info.
If you set a custom voicemail message instead of using your carrier's default voicemail message, it can help obfuscate which network the attacker needs to contact.
Thats weird my county normally states when im calling another carrier and voicemails are almost entirely unused.
You can simply look up any US mobile number online which carrier it belongs to, there are several free sited for that.
Can you please explain how cookie grabbers work to bypass 2FA Code generators? And how to defend against them? I really like the way you explain these topics so clearly
When you login in to website, you typically don't have to login in again the next time you use it.
How does the website know it is you? The answer when you login, the website stores a cookie on your browser which contains a token. This token is now sent in every request as a proof of your identity.
If this token is stolen (typically via a virus or social engineering) then the hacker can basically masquerade as you to the website
The cookie makes it so you dont have to login.
If they can get your cookie, then they too can skip login.
@@Paradocx-hy2qz @tripplefives1402
Thank you so much. What’s the best way to protect against this type of replay attack? Never checking the “Keep me signed in” box ? And automatically clearing cookies when closing the browser?
@@EnergeticGiraffes Don't be a person of value.
When I hear about SIM Swap attacks I always feel sorry for people from the USA where it looks to me like your mobile operators don't care 🤔
Like, my Polish mobile operator for instance:
- requires me to go to their point in person and there is no way to do this online,
- when I swap the card in-person, it's not already swapped - I get the SMS on my old SIM card telling me it will stop working after specific number of hours,
- during those hours, I will get couple another SMS messages (not only informative but telling me things like "if it wasn't you, contact us immediately to stop that"),
- after those hours, SIM is finally swapped.
This should be standard procedure everywhere.
thanks i needed that
Plot twist: the QR codes redirect to fake-clone websites made by the hackers.🤣
how i didn't though of this bruuh 😂
Sounds like a phone provider skill issue. If I want an extra SIM, I have to go to the physical store and show some ID.
My pixels were hacked by someone using russia and Ukraine IPs so I learned this. I've converted to esim, bought new sim shipped to new address and all 10 times with visible. I easily can sim swap anyone's card with getting a new sim and do it to anyone with no problem if I wanted to. That's how easy it is to find the cracks to manipulate to social engioneer anyone's sim. It only took me 10 trials getting new sims to see how their system works to manipulate it with zero real identification. Even getting the last 3 numbers called without hacking a phone
glad I am a luddite and only use my phone as a phone and not apps, so I would notice it fairly quickly
A simple solution can be that a sim PORT should require an OTP with a clear and atriculate message about what the OTP is about.
This is why you never give your # for 2fa. If a site requires this, they do not value your security.
this is why you dont give your number for anything.
Or just use a foreign number
Interesting… I thought some form of multifactor authentication is better than nothing.
it CAN be, but in the event that someone can use sms to recover the password for your account, for example. It's not.
And like they said, if they already have ur password, sim swapping is pretty trivial. @@josueramirez7247
Unfortunately a lot of websites and services only offer sms 2FA though. This is especially true when it comes to most financial related services in my experience.
In my country because of sim swapping attacks now there is a 24h cooldown period, when both the new and old sim cards wouldn't work.
You didn't mention the physical security keys they're great but they have to have two or more as a backup and set password for the keys as well just in case
Yo what’s up with randomly getting that ‘here’s your one time code’ email when I haven’t requested one the other day ?
5:35 really ?wont your cellphone data stop and those apps only work on wifi.
Yes
Yeah I think he’s overreaching there. If you get sim swapped then you would see that your phone has no service. Unless you’re always connected to Wifi, you would probably notice it.
If you use a carrier that doesn't have any physical stores and ship the phone and sim card to the address on record, you can avoid this problem. Even if the scammer changes your address, you'll get an emali notification about the shipment and the scammer will not receive the new sim card for a day or two.
It's like modern day cloning...
Some Keepass variants support TOTP too.
Really good video Mental! Just loaded up my TMobile Remo with Joe.
bro
Lol nice
LOL
The future is sounding so fun 😂
u had a big game against the warriors bro let’s finish strong and get that 1 seed
Damn so thats where also these fire playboy carti leaks have been coming from. I for one thank this hacker named noah
Who doesn't let you use anything BUT SMS 2FA, and won't let you opt out of using it? Of course, the US government and US banks. Because "security reasons".
Good fear driven content
In asian countries like Pakistan and India etc you have 18+ and have national identification card to get sim so with out visiting the telecom franchise and licensed shops you can't transfer the sim if you want to block the sim in the case of phone loss and sim loss you have to tell your information to block the sim
Great tutorial 👍
The simple "is sim still active" before issuing a new sim.
8:21 Uh, no, you don't get the "algorithm". How TOTP works is that you have a shared secret which then the code is based upon. Secret + time is essentially how a new code is generated. As long as nobody has access to where you store those (and thus doesn't know your secret), you are good since the generated token changes every 30 seconds or so (but can be used within a minute).
I’ve been using hardware keys for the past six months. Very seamless.
i now see why the EU is pushing for bank accounts to implement more complex verification methods in order to use your account (like fingerprint or in-app notifs)... props to them again?
edit: after watching the whole thing, you convinced me to be more nuanced with my current "opsec" xdddd just not to find my few savings stolen someday
Wake up baby… Mental Outlaw dropped a video! (FBI we’re only watching this to not get out sim card swapped)
To sim swap in my country, you need to go into the store and verify that it's you doing the swap.
LOOOL KING BOB LETS GOOO king bob made it in a mental outlaw video hahahahaha
They got King Bob in here
Sms and the phones are kind of obsolete at this point. I wonder if interested parts keep this business alive just so they don't have to swallow the flop right away.
Hey MO! Any updates on europe shipping on based win? love your content ❤️
Cringe fanboy
happened in Australia with optus because of poor opsec
didnt expect fgo grail to show
Most of the institutions use two factor authentication for logging into their account. These apps usually require access over the phone thus in turn providing access to the institutions involved.
Yep, and with that unauthorized SIM swapping in the US won't work in 99% of the cases. Now carriers require you to receive a 6 digit authorization code by text and read it back to them before they do the switch. If you claim it's lost or stolen, you either have to stop by a store with an valid ID, or they'll ask for bunch of information like your account security PIN, and 5 numbers dialed (not received) from your phone.
I won't use a service if it requires my number as I frequently change numbers
The real way to solve this is to throw away your personal tracking device.
Most banks and investment account providers I've encountered don't support anything besides SMS 2FA (if they even have that). Rather infuriating!
Didn't think would see a PNG from FGO on this channel
The pin code is a good idea but not secure because the insiders in the companies will just access them and confirm the swap
shoutout bob nd free joe
What about the security of eSim then?
Are rhese hackers affiliated with foreign governments?
The Auth apps also suck. If you get a new phone you will still have to use a phone number for recovery.
5:26 i mean i would definitely realise the no service message almost instantly
just simple. put side memory and send data
Mental Outlaw upload!
Are there any Aegis alternatives for IOS? Thanks!
Wireshark: all your sms are belong to meeee
quite cool to know
I never use online banking for this reason
What would be the best option of a free authenticator for iOS?
SIM SWAPING IS WILD ❤😢
Sending a text message to the number 24h before the switch I think it would be a good way to at least inform you about something like that.