T-Mobile Warns Customers Of SIM Card Scam That Could Drain Your Bank Account
Since the message looked a bit suspect and anyone with a bit of security sense knows to not click on links in sketchy looking emails and texts, many probably ignored the message. T-Mobile told Motherboard that it was messaging its "entire post-paid customer base" to warn them. It did say that messaging its entire customer base takes time and some might not have received the text yet (which can be seen below).
The scam consists of nefarious users calling a victim's cellular carrier or going to the store pretending to be the owner of the account. The crook asks for a new SIM card for the phone number they are targeting. The scam also works by porting out a number to another provider. Both ways result in the attacker having access to the phone number of the victim. This attack is also known as SIM hijacking and all carriers are vulnerable to this type of attack.
Once the hacker has the phone number, they can do things like reset bank passwords by asking the bank to send reset links via text. This potentially gives the crook access to the victim's bank account. This sort of attack was first seen last summer when a bug in the T-Mobile website was leveraged to give access to phone account data to help the hijackers impersonate the user more effectively.
T-Mobile wrote on its website, "fraudsters are attempting to compromise personal bank accounts by taking over and transferring phone numbers from one wireless provider to another."
T-Mobile wants customers to call customer service and ask to have a "port validation" passcode added to your account. That code is sometimes called a phone passcode or PIN.