Brute force attacks should be a thing of the past, and yet companies keep making the same mistake.
SIM hacking is becoming popular once again. With smartphones now the primary way most people interact with the internet, most accounts are tied to our phones. Everything from entertainment to credit cards to cryptocurrency seems to be connected to our phones and, therefore, to our phone numbers. Hackers and scammers can do a lot that begins with stealing your number, and a lapse in security by Apple and Asurion left users exposed to just this hack.
Carriers require a PIN in order to transfer your number to a new device. The same type of error was found on sites for both Apple and Asurion: each allowed unlimited attempts to guess a PIN. Once the PIN was discovered, a person’s number could easily be stolen.
It was T-Mobile customers who were exposed through Apple’s site. All anyone would need was a user’s phone number, and they could keep guessing PINs until they found the matching one. Other carriers were not affected by the Apple vulnerability. It was just last month that T-Mobile alerted users to this type of scam. One must wonder if the Apple vulnerability contributed to the “few hundred” customers affected.
As for Asurion, they had the same type of vulnerability on their site; however, this exposed a limited number of AT&T customers.
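The flaw described above was a PIN check with no limit on attempts, reachable with nothing more than the target's phone number. The following is an added example, not code from Apple, Asurion or any carrier: a PIN check whose failure budget is keyed on the phone number rather than on the session or client. The class name, policy values and sample data are assumptions.

```python
import hmac
import time

MAX_FAILURES = 5            # assumed policy: wrong guesses allowed per number
LOCKOUT_SECONDS = 15 * 60   # assumed policy: lockout once the budget is spent


class PinVerifier:
    """PIN check with a failure budget tracked per phone number."""

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins      # phone number -> PIN (constructed sample store)
        self._clock = clock    # injectable so the lockout can be tested
        self._state = {}       # phone number -> (failures, locked_until)

    def verify(self, phone, guess):
        now = self._clock()
        count, locked_until = self._state.get(phone, (0, None))
        if locked_until is not None:
            if now < locked_until:
                # Refuse before comparing: a locked number is not a PIN oracle.
                return "locked"
            count = 0          # lockout expired, start a fresh budget
        expected = self._pins.get(phone)
        if expected is not None and hmac.compare_digest(
                expected.encode(), guess.encode()):
            self._state.pop(phone, None)
            return "ok"
        # Unknown numbers are counted too, so responses do not reveal
        # which numbers have accounts.
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else None
        self._state[phone] = (count, locked_until)
        return "denied" if locked_until is None else "locked"


def sweep_days(pin_digits):
    """Days needed to try every PIN of this length under the policy above."""
    return 10 ** pin_digits / MAX_FAILURES * LOCKOUT_SECONDS / 86400


if __name__ == "__main__":
    v = PinVerifier({"+15555550100": "4821"})   # constructed number and PIN
    print([v.verify("+15555550100", f"{i:04d}") for i in range(6)])
    print(f"4-digit sweep: {sweep_days(4):.1f} days")
```

Under these assumed values a full sweep of a 4-digit PIN still completes in about three weeks, so a fixed lockout should be paired with alerting on repeated lockouts for the same number.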