Verizon has informed around 250 of its prepaid customers that an attacker was recently able to gain access to their accounts.
As reported by BleepingComputer (opens in new tab), the mobile carrier identified unusual activity while monitoring customer accounts earlier this month. Between October 6 and 10, an unauthorized third party accessed the last four digits of credit cards used to make automatic payments by prepaid Verizon customers.
With this information in hand, the attacker was then able to gain access to some customers’ Verizon accounts. In a security notice (opens in new tab) sent out to affected customers, Verizon explained that the attacker “may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice”.
Since the attacker gained access to Verizon accounts, the names, telephone numbers, billing addresses, price plans and other service-related information of affected customers may have also been exposed. Fortunately though, the banking and financial information, passwords, Social Security numbers, tax IDs and other personal information of prepaid Verizon customers wasn’t accessed by the attacker since user accounts don’t contain these details.
SIM swapping attacks
Although the number of Verizon customers affected by this recent cyberattack is relatively small, it highlights how dangerous unauthorized SIM card changes, which are more commonly known as SIM swapping, can be.
Once an attacker transfers your phone number to another SIM card, they can then retrieve two-factor authentication (2FA) codes and gain access to your other online accounts. In fact, BleepingComputer spoke with one of the affected Verizon prepaid customers who fell victim to a SIM swapping attack a week before the mobile carrier sent out its alert. They told the news outlet that the attacker breached their email and also tried to access their crypto accounts on Coinbase following the Verizon breach.
Although many companies encourage users to enable 2FA to further secure their accounts, this can actually be a double-edged sword if they happen to suffer a SIM swapping attack.
In a blog post (opens in new tab) discussing SIM swapping, the cybersecurity firm Norton recommends using an authentication app like Google Authenticator instead of using your phone number for 2FA. This way, your accounts still have an additional layer of protection but instead of being tied to your phone number, it’s tied to your physical device.
How to protect your Verizon account
After discovering that something was amiss, Verizon blocked any further unauthorized access to prepaid customer accounts. The company also reversed any SIM swapping that took place and reset customer’s PIN codes used to access their accounts.
Still though, Verizon recommends that affected customers set up a brand-new PIN code and avoid reusing any PIN codes they’ve used in the past. It’s also a good idea to change the credit card you used for autopay as well as the password and secret question for your My Verizon online account. If you have trouble coming up with strong, unique passwords, you can use one of the best password managers to generate one for you.
To prevent falling victim to future SIM swapping attacks, you can enable the mobile carrier’s free Number Lock (opens in new tab) protection feature. This can be done either through the My Verizon app or on the My Verizon website. By locking your phone number, you can prevent it from being moved to another line or mobile carrier and you won’t be able to move it to a different SIM card unless you remove the lock.
We’ll likely hear more from Verizon regarding this cyberattack and the person responsible once the company finalizes its investigation into the matter.