How an SMS phishing attack works.
This victim gave up the code for their own bank account.

@fifonetworks wait, how the heck does "i used to own your number many years ago" even work?

doesn't every cellphone user get a _new_ number?

@devurandom @fifonetworks Some providers will recycle old unused numbers, giving them to new customers.

And yes, that can result in some unfun things, like debt collectors calling looking for the previous owner of the number.

@D_ @fifonetworks @devurandom ah, that explains the viagra ads I used to get and why they called me the wrong name

@devurandom @fifonetworks hell no :( I actually got data usage alerts for my old number via email from VZ after I had to change my number

@devurandom @fifonetworks Nope. Numbers have been reused for years. My work phone's number used to be that of a Toyota dealership in the Bay Area. My watch used to have... Somebody's phone number in Pennsylvania. I get calls from recruiters and Job Corps two or three times a day for him.

@devurandom When a customer gives up their phone number for any reason, the carriers put it on ice for a period of time, according to their aging algorithm. It may be up to a year, or as little as 30 days. Then the number is available for assignment again.

@fifonetworks I think the original post was from

His claim is that he actually got access to his own account, that was connected to a former phone number.

@fifonetworks Those numbers aren't censored properly. I see this all the time and wonder why people won't use the rectangle coloring tool instead.

@ninmi @fifonetworks

If the bank is any good, that code would have long expired by now.

@anw @fifonetworks I assume that's a phone number up top though? Which could easily reveal personal information.

@fifonetworks he is a life saver, he just paid someone's rent, and maybe a little more than that

Frankly I think it's the bank's fault for not saying something like "here's the code for your account at x bank"

@fifonetworks this is false, the original tweet says that the request was legit "but they could've been giving up the code to anything"

@fifonetworks @DialMforMara you use victim in a very negative way here. please don't. also making fun of people's mistakes, much wow!

bank fraud discussion 

bank fraud discussion 

bank fraud discussion 

@fifonetworks Also, there is the old "call the customer's cell phone provider, claim to be them, assign their account to a burner phone, and get the target's SMS messages directly."

MANY people have lost bitcoin this way as scammers take over high value target phone accounts just long enough to authenticate to their bitcoin exchange accounts and drain them.

SMS is not secure.

@fifonetworks normally the code comes with some context though. If it comes from my bank, I'd have to stop and think...

Sign in to participate in the conversation
Mastodon for Tech Folks

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!