by ZantaWB 1238 days ago
The underground marketplace for desirable social media handles (OG Handles) was explored in this excellent episode of Reply All: The Snapchat Thief [1].

In that story the basic technique was a SIM-swapping attack [2]. Fraudster calls the cell provider, claims to be the victim and that they lost their phone. Cell provider then ports the phone identity over to a new SIM. After that the fraudster just resets the account's password and gets the 2FA SMS (or even easier, one-time passwords) to their newly connected phone. Don't know if that same basic technique still applies nowadays, but in any case the most surprising part of the episode to me was how large and mature a black market there was for these account handles.

[1] https://gimletmedia.com/shows/reply-all/v4he6k

[2] https://en.wikipedia.org/wiki/SIM_swap_scam

e: Corrected, original post incorrectly said new number, not new SIM.


There are a couple [1][2] of good Darknet Diaries episodes on this topic as well:

[1] https://darknetdiaries.com/episode/97/

[2] https://darknetdiaries.com/episode/106/

> Cell provider then ports the phone identity over to a new number

Do you mean port the phone number to a new SIM? Because the SMS 2FA will go to the old number. Porting it to a new number won't do anything.

I did, thank you. Correcting the original post now.
Love how using a VoIP number would totally cancel out that attack, but so many websites require you to have a 'real' phone number. I assume it's mostly to weed out scammers.
Yes and no. No, you can't buy a VoIP number and use it as your contact immediately and indefinitely. You would be amazed at how few companies update their list of VoIP vs POTS/Carrier numbers though. Hypothetically, one could transfer their carrier number to a VoIP provider, and use it for damn near everything. There would be trade-offs [0], of course, but I can attest to its effectiveness as a workaround.

[0] Trade-offs include a glitchy MMS experience, easy, automatic, and built-in call-recording, IVR capabilities to screen unknown callers, voicemail transcription, and the ability/requirement to use an email client as your SMS client. Though you then get to treat SMS and calls as device agnostic - desktop, laptop, tablet, and phone all send & receive SMS and voice calls

Is this how new brands get usernames that would otherwise seem to be claimed long ago?
So, "Zo" for Lonzo Ball (NBA) has a user ID number of 243,382,891 (profilePage_243382891).

"OBJ" for Odell Beckham Junior (NFL) has a user ID number of 309,853 (profilePage_309853).

"Abby" for Abby Pollock (influencer) has a user ID number of 239,219,491 (profilePage_239219491).

"Kevin" for Kevin Systrom (IG founder) has a user ID number of 3 (profilePage_3).

Pretty sure FB/Meta will set you up in some capacity. Two of these are far too large to not have been squatted.

> https://www.codeofaninja.com/tools/find-instagram-user-id/

If you can do that with social media accounts then I am sure private corporate logins must have also been breached hand over fist.
This is why everyone keeps saying SMS 2FA is bad.
Yes and Yes, if corporate logins are using SMS based 2FA, which they absolutely shouldn't be.
What good is a SIM-swap to defeat 2FA if you don't have the password in the first place?
I just checked Snapchat's "I forgot my password" and there were two options -> Phone Number or Email Address. So there you go.
At least with some companies, they use the phone number to let you reset the password.
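The SIM-swap flow from the original post and the phone-number password-reset discussion just above, seen from the defender's side. This is an added example, not code from any commenter, from Snapchat, or from any carrier: a small account-recovery policy that never lets an SMS code act as the sole proof of identity and that quarantines a number whose SIM was changed recently. The `PhoneSignals` input (a "last SIM change" timestamp, as some carriers expose to relying parties), the seven-day quarantine window, and the sample accounts are all assumptions made for the illustration.

```python
"""Account-recovery policy that does not treat a phone number as a trust anchor.

Added illustration; not any provider's real reset logic. The SIM-change signal
is assumed to come from the carrier or from the provider's own records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Set, Tuple


class Factor(Enum):
    SMS_OTP = "sms_otp"          # one-time code sent by SMS (weakest)
    EMAIL_LINK = "email_link"    # reset link sent to the registered e-mail
    TOTP = "totp"                # authenticator app
    HARDWARE_KEY = "hardware_key"  # FIDO2 / U2F key


@dataclass
class Account:
    email: str
    phone: Optional[str]
    factors: Set[Factor]        # second factors the user has enrolled


@dataclass
class PhoneSignals:
    # Assumed shape of the signal: when the SIM (or the port) for this number
    # last changed, or None if unknown.
    sim_changed_at: Optional[datetime]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    required: Tuple[Factor, ...]  # every listed channel must be completed
    reason: str


# Assumption: a number is untrusted for a week after its SIM changed.
SIM_CHANGE_QUARANTINE = timedelta(days=7)


def plan_password_reset(account: Account, signals: PhoneSignals,
                        now: datetime) -> Decision:
    """Decide which channels a password reset must go through.

    Rules, strongest first:
      1. If a phishing-resistant or app-based factor exists, use it; SMS is
         never offered as a substitute for it.
      2. With no phone on file, recovery runs over e-mail only.
      3. A number whose SIM changed inside the quarantine window is refused
         and the request is held for manual review.
      4. Otherwise SMS may be used, but only together with an independent
         e-mail channel, so a swapped SIM alone is not enough.
    """
    for strong in (Factor.HARDWARE_KEY, Factor.TOTP):
        if strong in account.factors:
            return Decision(True, (Factor.EMAIL_LINK, strong),
                            "strong second factor enrolled; SMS not used")

    if account.phone is None:
        return Decision(True, (Factor.EMAIL_LINK,),
                        "no phone on file; e-mail-only recovery")

    if signals.sim_changed_at is not None:
        age = now - signals.sim_changed_at
        if age < SIM_CHANGE_QUARANTINE:
            return Decision(False, (),
                            f"SIM changed {age} ago; number quarantined, "
                            "hold for manual review")

    return Decision(True, (Factor.EMAIL_LINK, Factor.SMS_OTP),
                    "SMS accepted only in combination with e-mail link")


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed sample: an SMS-only account whose SIM changed three hours ago.
    victim = Account("user@example.com", "+15555550100", {Factor.SMS_OTP})
    fresh_swap = PhoneSignals(sim_changed_at=now - timedelta(hours=3))
    print(plan_password_reset(victim, fresh_swap, now))
    old_sim = PhoneSignals(sim_changed_at=now - timedelta(days=400))
    print(plan_password_reset(victim, old_sim, now))
```

The point of rule 4 is the one the thread circles around: a reset that can be completed with the phone number alone is exactly what a SIM swap buys the attacker, so the phone channel is only ever one of two independent proofs. Rule 3 adds the check a practitioner would want on top, since a reset request arriving hours after a SIM change is the textbook signature of the attack.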
Ok sure, but how do you get the person's phone number in the first place?
There are hundreds of data brokers selling this type of info. An attacker who has a few minutes and a few dollars to spare will be able to acquire the average person's phone number. The underlying sources vary a lot.

Look up your own name or your friends on a site that is owned by or uses Intelius data, e.g. https://www.addresses.com/ - For many people (not all), their phone numbers come up right away. There are probably 500 different companies or websites doing the same thing.

Maybe I just have better data hygiene than average, but I found that site to be absolutely hilarious. I was able to find myself, but my address was several years and several moves out of date. My phone number was decades out of date and not even really my phone number. (It was a landline phone at my mom's house, with an old pre-area code split area code.)
Now try familytreenow.com for free or spokeo.com if you want to waste a dollar on a trial.

Pretty sure they won't be wrong or out of date.

The first one is indeed much closer for me. Still doesn't have my current phone number and while the broad strokes are there the dates are wildly inaccurate. Looking at my immediate family though, I actually seem to have the worst hygiene! It's 0/5 in providing an accurate phone number for any of us.
It's cause this info is consolidated from so many different databases, but it's out there. Some of the paid ones are scarily accurate.
One of those data breaches we hear about all the time
Doesn't that mean they also need access to your email account?
You normally do password reset over email, not SMS, right?