Attackers gained access to the last four digits of credit cards of Verizon prepaid customers and performed SIM swap attack, the U.S. largest carrier disclosed in a customer breach notification.
Verizon disclosed that between October 6 and October 10, 2022, unauthorized third parties accessed customers’ accounts and used saved credit cards to initiate automatic payments and perform SIM swaps.
“Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice,” said Verizon.
Verizon reversed numbers transferred during the SIM swap attack
The company said it reversed numbers transferred during the SIM swap attack and reset Account Security Codes (PINs) for an undisclosed number of Verizon prepaid customers out of an abundance of caution.
Impacted Verizon prepaid customers must reset their PINs, passwords, and security questions to regain access to their accounts. The operator also recommended a password reset on email and social media accounts.
The company also blocked access to Verizon prepaid customers’ online accounts using the last four digits of their credit card numbers and believes that the SIM swap attack had stopped.
Verizon prepaid customers could take further actions to protect their accounts by locking in their numbers to avoid swapping or porting and enabling two-factor authentication to prevent account access using stolen credentials.
Attack exposed Verizon prepaid customers’ information
Verizon warned that attackers possibly accessed service-related information such as price plans and personally identifiable information (PII) such as customer name, phone number, and billing address.
However, they did not access full credit card numbers, Tax IDs, social security numbers (SSNs), financial and banking information, and account passwords.
The company’s spokesman disclosed that the SIM swap attack impacted 250 Verizon prepaid customers.
Nevertheless, Verizon did not disclose how fraudsters obtained the last four digits of the credit card numbers used in the SIM swap attack.
Likely, the attackers employed phishing or malware to take over employee accounts. However, incidents of fraudsters allegedly bribing employees to swap SIM cards have also been observed.
SIM swap attacks are on the rise
A SIM swap attack allows fraudsters to receive authentication codes and take over accounts. SIM card transfers enable fraudsters to take over victims’ online accounts, including crypto wallets.
Once attackers gain control of the phone, they can initiate account recovery for online accounts linked to the phone number.
In February 2022, the Federal Bureau of Investigation’s Internet Crime Complaint Center(IC3) warned that complaints about SIM swapping attacks had increased from 320 between 2018 to 2020, with losses amounting to $12 million, to 1,611 in 2021 with losses exceeding $68 million.
Although the number of victims in the Verizon SIM swap attack is relatively small, cybercriminals usually target high-value clients. FBI warned people against bragging online to avoid drawing hackers’ attention.