FIFO Networks @fifonetworks

How an SMS phishing attack works.
This victim gave up the code for their own bank account.

@fifonetworks but wouldn't it have been easier to simply hack into the SS7 network using forged credentials and then MITM their MSISDN and trombone all of their traffic through multiple layers of VPN obfuscation? Or throw up a rogue BTS and

@fifonetworks wait, how the heck does "i used to own your number many years ago" even work?

doesn't every cellphone user get a _new_ number?

@devurandom @fifonetworks Some providers will recycle old unused numbers, giving them to new customers.

And yes, that can result in some unfun things, like debt collectors calling looking for the previous owner of the number.

@D_ @fifonetworks @devurandom ah, that explains the viagra ads I used to get and why they called me the wrong name

@devurandom @fifonetworks hell no :( I actually got data usage alerts for my old number via email from VZ after I had to change my number

@devurandom @fifonetworks Nope. Numbers have been reused for years. My work phone's number used to be that of a Toyota dealership in the Bay Area. My watch used to have... Somebody's phone number in Pennsylvania. I get calls from recruiters and Job Corps two or three times a day for him.

@devurandom When a customer gives up their phone number for any reason, the carriers put it on ice for a period of time, according to their aging algorithm. It may be up to a year, or as little as 30 days. Then the number is available for assignment again.

@fifonetworks I think the original post was from

His claim is that he actually got access to his own account that was connected to a former phone number.

@fifonetworks Those numbers aren't censored properly. I see this all the time and wonder why people won't use the rectangle coloring tool instead.

@ninmi @fifonetworks

If the bank is any good, that code would have long expired by now.

@anw @fifonetworks I assume that's a phone number up top though? Which could easily reveal personal information.

@fifonetworks he is a life saver, he just paid someone's rent, and maybe a little more than that

Frankly I think it's the bank's fault for not saying something like "here's the code for your account at x bank"

@fifonetworks this is false, the original tweet says that the request was legit "but they could've been giving up the code to anything"

@fifonetworks @DialMforMara you use victim in a very negative way here. please don't. also making fun of people's mistakes, much wow!

@fifonetworks Also, there is the old "call the customer's cell phone provider, claim to be them, assign their account to a burner phone, and get the target's SMS messages directly."

MANY people have lost bitcoin this way as scammers take over high value target phone accounts just long enough to authenticate to their bitcoin exchange accounts and drain them.

SMS is not secure.

@orangesec_0 Lol! I copied the screenshot from an unknown source (they had copied it, too). But it's a great training tool, so I wanted to share it. Best regards to you.