The SIM Hijackers

Lorenzo Franceschi-Bicchierai of Motherboard has a chilling story on how hackers flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victim's weakness? Phone numbers. He writes: First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering -- perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years) -- the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card. Game over.

Not new

[golgotha007]

I work in the crypto asset space and these types of attacks have been going on for years now. If your 2FA is based on SMS or a call-back, you're doing it very wrong.

For those interested in doing 2FA correctly, buy a yubikey (USB-C if your phone supports) and couple that with Yubico authenticator which is 100% compatible with Google Authenticator. The major difference is that none of your 2FA codes appear until you plug your yubikey into your phone and nothing sensitive is stored on the phone itself. This way, the attacker would physically need your yubikey to authenticate as you - problem solved.