On their tech support page [1], Google Fi is said to be resistant/immune to SIM swap attacks because the attacker needs physical access to your device and Google account. Yet earlier this year [2], the Google Fi hack said to have exposed Fi users to SIM swapping. Can anyone shed light on how this can happen without someone having your phone?
> Can anyone shed light on how this can happen without someone having your phone?
I do not know specific details of this particular incident but I would like to emphasize the fact that Google Fi, at least in the US, is a virtual network on top of the T-mobile's physical one. There is some extra level of security via obscurity that makes simple social engineering attacks harder but fundamentally it is still T-mobile underneath.
Think of it. You lost your phone and went to store and store employee or CS over the phone is able to issue you a SIM. Now the same employee takes bribe and give it to the hackers who use it to steal your fund
Implementation flaws like that are always possible, but my concern is that in so many cases, SIM swaps are ridiculously easy by design (or more accurately, by absence) of the phone provider's security procedures.
Issue is that FCC mandates a port out within 4 hours and stores don't make $$ while doing these so their goal is to get you out of the door ASAP so they can focus on the revenue. So that's why + bribe factor
I do not know specific details of this particular incident but I would like to emphasize the fact that Google Fi, at least in the US, is a virtual network on top of the T-mobile's physical one. There is some extra level of security via obscurity that makes simple social engineering attacks harder but fundamentally it is still T-mobile underneath.