Identity theft via hacking or social engineering is a common problem these days, and the results can quickly spiral out of control, permanently locking you out of the accounts you depend on, as in the case of today's horror story. A contributor over at ZDNet recently suffered what can only be called a total security meltdown in the space of a week when a hacker gained access to his Google account via a SIM-swap attack.
A SIM-swap attack, for the unfamiliar, is when an unauthorized individual ports a targeted phone number to another SIM, surreptitiously redirecting that number to a new device. The number is usually tied to a two-factor authentication method on another account, and that account is the real goal of the attack. SIM-swap attacks often occur via social engineering, with carrier support agents performing the switch in the belief they're operating under the instruction of the account holder. Combining the redirected number with other information, like credentials gathered via a phishing attack or exposed in previous hacks, the attacker can secure access to a third-party account ostensibly protected with SMS-based two-factor security. (As an aside: No one should trust SMS-based 2FA, precisely for reasons like these.)
In this case, the target, Matthew Miller, was a T-Mobile subscriber. T-Mobile's susceptibility to social engineering is extensively documented at this point, and even though he claims that a PIN was associated with his account, T-Mobile still reassigned his number to another SIM card. With text messages sent to that number now being redirected, together with either phished or gathered data, the hacker was able to gain access to Miller's Twitter and Google accounts.
Miller, though a checkmark-verified public figure, has been unable to get Twitter or Google to return access to his accounts.
The hacker then changed the information associated with Miller's Google account, preventing him from recovering access to it to this day. According to Google, his account has since been deleted. Stored in that account's Drive was information that included tax returns, bank account information, and other account passwords. With two-factor authentication for his financial accounts tied to the redirected phone number, the hacker even tried to perform an ACH transfer of $25,000 out of Miller's bank account, though the attempt was intercepted.
Although Miller was able to re-secure access to his phone number via T-Mobile — together with ostensibly tighter restrictions for SIM swapping on his account — he remains locked out of his Google and Twitter accounts.
This story serves as a cautionary tale: No matter how secure you might think you are, all it takes is one T-Mobile representative falling for a scammer to burn down your entire digital life.
In the wake of his experience, Miller has published a list of introspective recommendations to enhance your digital security, which you can read together with the full story at the source link below. We would personally add one more tip: Don't store user account and password details on Google Drive, at least not without some added layer of security to contain the credentials, like VeraCrypt.