Verizon issued a notice alerting prepaid customers that threat actors breached their accounts and used exposed credit card details in SIM swapping attacks.
American telecommunications conglomerate Verizon warned some of its prepaid customers that threat actors got a hold of the last four digits of credit cards customers used for payment.
“Upon further review, we determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account,” Verizon’s notice said.
The company did not specify how many users were affected by the breach and how threat actors accessed the database where limited credit card details were stored.
“Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice. If a SIM card change occurred, Verizon has reversed it,” the company said.
A SIM swapping attack can have dire consequences for someone relying on one-time SMS codes to login into sensitive accounts, such as online banking. During a SIM swapping attack, crooks switch the SIM card associated with a phone number to bypass two-factor authentication (2FA) on the victim’s personal accounts.
Verizon assured its customer that only the last four digits of their credit card number were exposed and stressed that attackers could not have accessed the full number. The company said it believes that the attack is no longer active.
While using 2FA is highly advisable, hackers have discovered multiple ways to bypass 2FA when the authentication method consists of one-time codes sent as an SMS message.
Bad actors use inexpensive mirroring apps to monitor SMS activity and grab SMS authentication codes without users knowing. Those that sync SMS messages with other devices, such as tablets and laptops, also increase their risks if a device is stolen by a hacker who can easily access codes.
Alternatives to SMS-based 2FA, such as Authy, Microsoft Authenticator, or Google Authenticator, deny threat actors the capabilities of carrying out SIM swapping attacks and may reduce the risk of being hacked.
More from Cybernews:
Subscribe to our newsletter