Path: ...!weretis.net!feeder9.news.weretis.net!news.quux.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail From: Newyana2 Newsgroups: comp.mobile.android,uk.telecom.mobile Subject: =?UTF-8?Q?Re=3a_=22=27Scammers_stole_=c2=a340k_after_EDF_gave_out_m?= =?UTF-8?Q?y_number=22?= Date: Sun, 16 Mar 2025 11:54:30 -0400 Organization: A noiseless patient Spider Lines: 53 Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit Injection-Date: Sun, 16 Mar 2025 16:53:32 +0100 (CET) Injection-Info: dont-email.me; posting-host="12ae363a6f2aa69a2802dc60c2e42838"; logging-data="2195580"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18ht4DynwNy3mmiDnYA9Lf8jZtacQxVf4A=" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.3.1 Cancel-Lock: sha1:5opRHMadoTD5b1lW2ct53O1ltnQ= Content-Language: en-US In-Reply-To: Bytes: 3944 On 3/16/2025 9:47 AM, Java Jive wrote: > and went on to hack ...".  Further, if you reread the original report in > its entirety, how would he have persuaded EDF to give up the victim's > mobile number without personal identifying information that came from > access to his emails? " EDF explained the fraudster had his name and email address and had asked EDF to give them his mobile number, which the company did. "I said, 'Why would you do that?' They said the person had gone through security. 'With a name and email address', I asked?," he said. "EDF said, 'Yes' - and then offered me a £50 goodwill gesture to close the case. " You seem determined to not know the facts. So that you can feel safe using 2FA? > Next, how would he have been able to confirm the > request for a replacement SIM without being able to reply to the > confirmatory email? > As far as I can see, that part is not in the article. O2 never details exactly how the SIM swap happened. The article is not clear about all the details. Did the scammer have access to security question answers? Was he just a smooth talker? I don't see anyplace where that's mentioned. It's possible the email was hacked first, but that's never stated. The implication is that based on having some personal data, the scammer was able to do a SIM swap. Once that's done, getting into the email is easy because 2FA is a weak link. There are lots of holes in these operations. Last year, twice someone tried to get a credit card in my name. They were only stopped because my credit record is frozen. So Chase bank wrote me a letter saying, "Your new card is reay as soon as you unfreeze your creidt record." I wondered how this could work. How does the scammer actually get the card using my name and address? I was told that once the card is approved they call up and say they've changed their address. And the bank allows that! So the card gets sent to them. I think that's the critical point here: Security and convenience are at odds with each other. If you lose your phone then you want to get a new one quick. If you forget your email password then you want to get around that quick. Ditto for CCs. So companies are faced with finding a compromise between security and convenience.