Worth mentioning that a group of 3 hackers recently got arrested for hacking FTX and stealing 400 million as it was collapsing by SIM swapping ftx senior leadership.

It sounds wild to me that US carriers allow SIM swap on a phone request without going to the store and requesting an Id

It should be noted that even though anybody can get SIM swapped, the only reason you will likely ever be SIM swapped is if you have a rare social media username or if you have a ton of crypto stored on an exchange. And it should also be noted that by the time someone SIM swaps you, that person already has a ton of info on you and likely already has the passwords to your email and crypto accounts, and that the best way to prevent a SIM swap is to just not reuse emails or passwords, so that your valuable accounts aren't discovered by SIM swappers

Imagine if it's done to multiple us politicians the things they could expose would be insane

19 yr old guy steals 800k - people going wild FTX stealing literally billions - not really a big thing

If only the politicians payed attention to this

It would stop immediately if telecoms would be guaranteed punished by at least recompese 100% of damages. Even if you are really cautious you can do very little to prevent such crimes. Just insane, they are practically involved in it.

One thing I like about this channel. He explains things clearly and easily for the majority of people to understand, not just tech people. Absolutely brilliant channel man💪

SIM swapping is way much harder in Poland. Every time you do it you have to come to your operator shop in person, present your ID or passport and person working there has to get your written consent before changing anything. On top that you receive an email and SMS warning you about the upcoming change (and emails usually have a link you just have to click to stop the whole process) Whole procedure is very verbose and takes up to 2 days. It's less convenient, but it's almost impossible to not notice that someone tries something shady

I strongly dislike services that don't allow me to disable SMS and only use TOTP. It's a big problem that companies don't understand that SMS is not secure and either force you to use it, or, when they enable TOTP, still give you the backup method of SMS without the ability to turn this off. I'm not a public figure, yet someone tried to SIM swap me and I was luckily notified via email about how sad it was that I would leave my provider. The police didn't really invest a lot of time to figure out who it was, because I was quick enough to prevent any damage on my end. It's ridiculous.

Nice, addressing what the problem is and how it works and a good way to combat it, informative in the complete sense

Attackers are getting around OTP by having their credential harvesting domains proxy authentication attempts on behalf of the victim, stealing the user, pass, and MFA session token on the way. They're also using more QR codes in their phishing emails which gets the victim to stop using their work device, and get phished on their phone where they are less protected.

It's surprising how easy it is to do a sim swap in the US compared to other countries. For example, in Colombia, you must go to a carrier office and follow a series of security steps to show your ID document and answer questions related to your complex personal data (like the subscriptions or the related office addresses).

As a person who works in telecom. Sim swap theft is highly related to telecom companies whether they take it seriously or not. As a standard procedure the physical being of the person or customer is a must in sim swap. Thumbprint is taking in the form of consent and new live photo of customer is taken in every sim swap he or she makes.

mental outlaw talking about kingbob and playboicarti gotta be the funniest thing to happen this year

Bro really just said king Bob from the minions movies has committed millions of dollars worth of Sim swap fraud.

Aggravate identity theft. Never understand that one.

Reminds me of e-prom burners and laptops with radio frequency spectrum analyzers in the 1990’s... The more things change the more things are just repeated exploits using a new methodology based upon the same patterns.

Mental Outlaw talking about king bob and grails was the last thing I expected 😂

babe wake up new Mental Outlaw just dropped

My phone service provider recently blocked me from paying my bill with a Visa gift card. Said its because I could be anon. Well, yeah...but I was a customer for 2-3 years. Maybe I just decided to be a hacker with all of my personal data already known. Hmm...

KING BOB HAS FALLEN

Well thanks, now I'm terrified.

Watching this in the middle of my math class

In Spain the system is that you can block a SIM card by phone, but not issue (or transfer) a new one this way. You can ask for it to be sent to your registered address (you cannot change your address at that moment) or you have to go to a point to prove your identity (photo ID). As well as by telephone, via a website and with familiar credentials. But never remotely issue the new SIM, only block it.

hmmm perhaps i should give up being a NEET and get a job at verizon

valuable advice regarding totp, appreciate it

What sucks is that most banks only support SMS

My school had a phone cubby system and i got a new phone so i decided to test how much of a risk it is I put my old phone in there and then didn't grab them at the end of class, asked my friend to come in the next period He said the teacher didn't even look up at him when he nabbed it Luckily all the people at my highschool are too mentally ill and addicted to tiktok to have anything of value

If you set a custom voicemail message instead of using your carrier's default voicemail message, it can help obfuscate which network the attacker needs to contact.

Lol where i live (EU) the first tire telkos do still requiere you to wait for the new sim card (basicly nobody uses eSIM, incl. Iphone) or only allow the swap to the secondary SIM card you already got mailed. The benifits of ood scool tecnology ... i guess :D

one thing really annoying about google and microsofts authenticator is that you either can't put a password on it, or in the case of microsofts your forced to use pattern to open the app if you use it to unlock the phone which is redundant, so thanks for recommending that aegis, its a shame you cant do a pin instead of password though

Thank the spam callers who keep calling my number multiple times every day to let me know my number is still tied to my phone. Now I feel bad that I never pick them up.... NOT!

In my country because of sim swapping attacks now there is a 24h cooldown period, when both the new and old sim cards wouldn't work.

If you use a carrier that doesn't have any physical stores and ship the phone and sim card to the address on record, you can avoid this problem. Even if the scammer changes your address, you'll get an emali notification about the shipment and the scammer will not receive the new sim card for a day or two.

A simple solution can be that a sim PORT should require an OTP with a clear and atriculate message about what the OTP is about.

I bet that Florida hacker will have a big lawsuit from these artists.

They did this to crypto and some celebrities, even that former CEO of KZbin

I'm quite happy with Aegis

Mental Outlaw is a former com kid for sure

You didn't mention the physical security keys they're great but they have to have two or more as a backup and set password for the keys as well just in case

When I hear about SIM Swap attacks I always feel sorry for people from the USA where it looks to me like your mobile operators don't care 🤔 Like, my Polish mobile operator for instance: - requires me to go to their point in person and there is no way to do this online, - when I swap the card in-person, it's not already swapped - I get the SMS on my old SIM card telling me it will stop working after specific number of hours, - during those hours, I will get couple another SMS messages (not only informative but telling me things like "if it wasn't you, contact us immediately to stop that"), - after those hours, SIM is finally swapped. This should be standard procedure everywhere.

This is why you never give your # for 2fa. If a site requires this, they do not value your security.

In asian countries like Pakistan and India etc you have 18+ and have national identification card to get sim so with out visiting the telecom franchise and licensed shops you can't transfer the sim if you want to block the sim in the case of phone loss and sim loss you have to tell your information to block the sim

Sounds like a phone provider skill issue. If I want an extra SIM, I have to go to the physical store and show some ID.

Can you please explain how cookie grabbers work to bypass 2FA Code generators? And how to defend against them? I really like the way you explain these topics so clearly

SMS will probably still remain the easiest 2FA for most elderly people.

Is it as easy with eSims as well ? I'm not that techy. Thanks!

8:21 Uh, no, you don't get the "algorithm". How TOTP works is that you have a shared secret which then the code is based upon. Secret + time is essentially how a new code is generated. As long as nobody has access to where you store those (and thus doesn't know your secret), you are good since the generated token changes every 30 seconds or so (but can be used within a minute).

My pixels were hacked by someone using russia and Ukraine IPs so I learned this. I've converted to esim, bought new sim shipped to new address and all 10 times with visible. I easily can sim swap anyone's card with getting a new sim and do it to anyone with no problem if I wanted to. That's how easy it is to find the cracks to manipulate to social engioneer anyone's sim. It only took me 10 trials getting new sims to see how their system works to manipulate it with zero real identification. Even getting the last 3 numbers called without hacking a phone

glad I am a luddite and only use my phone as a phone and not apps, so I would notice it fairly quickly

Thanks for the news!

Who doesn't let you use anything BUT SMS 2FA, and won't let you opt out of using it? Of course, the US government and US banks. Because "security reasons".

The simple "is sim still active" before issuing a new sim.

Yo what’s up with randomly getting that ‘here’s your one time code’ email when I haven’t requested one the other day ?

Thank you so much for the tutorial.

Sms and the phones are kind of obsolete at this point. I wonder if interested parts keep this business alive just so they don't have to swallow the flop right away.

u had a big game against the warriors bro let’s finish strong and get that 1 seed

Some Keepass variants support TOTP too.

Damn so thats where also these fire playboy carti leaks have been coming from. I for one thank this hacker named noah

Plot twist: the QR codes redirect to fake-clone websites made by the hackers.🤣

It's like modern day cloning...

Most of the institutions use two factor authentication for logging into their account. These apps usually require access over the phone thus in turn providing access to the institutions involved.

I’ve been using hardware keys for the past six months. Very seamless.

The Auth apps also suck. If you get a new phone you will still have to use a phone number for recovery.

Most banks and investment account providers I've encountered don't support anything besides SMS 2FA (if they even have that). Rather infuriating!

They got King Bob in here

To sim swap in my country, you need to go into the store and verify that it's you doing the swap.

Didn't think would see a PNG from FGO on this channel

The pin code is a good idea but not secure because the insiders in the companies will just access them and confirm the swap

Hey MO! Any updates on europe shipping on based win? love your content ❤️

Really good video Mental! Just loaded up my TMobile Remo with Joe.

5:26 i mean i would definitely realise the no service message almost instantly

5:35 really ?wont your cellphone data stop and those apps only work on wifi.

@MO - Excellent, useful info.

sounds more wild to me how much people are willing to risk for the little convenience making all your banking via your mobile gadget rather than divers your sources of payments.

The future is sounding so fun 😂

i now see why the EU is pushing for bank accounts to implement more complex verification methods in order to use your account (like fingerprint or in-app notifs)... props to them again? edit: after watching the whole thing, you convinced me to be more nuanced with my current "opsec" xdddd just not to find my few savings stolen someday

Sending a text message to the number 24h before the switch I think it would be a good way to at least inform you about something like that.

didnt expect fgo grail to show

Wireshark: all your sms are belong to meeee

In some countries if you get a new SIM you won’t be able to receive 2FA SMS codes from banks within a few days

The real way to solve this is to throw away your personal tracking device.

happened in Australia with optus because of poor opsec

I won't use a service if it requires my number as I frequently change numbers

I've been sim swapped. Luckly I had nothing for them to steal. I was very quick to detect it and have my number disabled until it was resolved.

Impersonation imagine id theft is hard to describe.

SIM SWAPING IS WILD ❤😢

On an off topic thing, I think it would be funny if sentient AI started charging commissions for their art

I think I would notice right away if I had no data… infact I did notice when it happened to me cause I couldn’t use my phone… luckily I have nothing worth stealing

Wake up baby… Mental Outlaw dropped a video! (FBI we’re only watching this to not get out sim card swapped)

As usual fine content 🎉

LOOOL KING BOB LETS GOOO king bob made it in a mental outlaw video hahahahaha

I never use online banking for this reason

whenever i buy a new sim card theres a small chance that its a reused number and i can login every account in there, crazy... one of my old numbers have been lost, i hope i didnt get hacked looool already removed that number in my main accounts

I sincerely hope that this is not a case in Europe

my goat king bob 💔

Identify theft is not a joke

What about the security of eSim then?

My bank won't let me remove my phone number, and went as far as saying if (when) I cancel my phone plan, they will lock my account and keep the money :(