I Got Hacked and All I Got Was This New SIM Card
I like to think I take an above average amount of steps to secure myself online: I use a password manager, unique passwords as complex as the site will allow, and turn on 2-factor authentication when possible. A true security expert will likely find some sort of flaw in my setup, but I’ll argue that I am doing more than 95% of the planet.
So how did I, someone who is reasonably secure, have his cell phone disabled, his PayPal account compromised, and a few hundred dollars withdrawn from his bank account?
[…]
The man on the phone reads through the notes and explains that yes, someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn’t know my passcode, until someone broke protocol and didn’t require the passcode.
[…]
You’re likely wondering how my cell phone being compromised leads to my PayPal account being compromised? All you need to reset a PayPal password is an email address and a phone number to accept the verification code. Since PayPal only supports SMS-based authentication, all the perpetrator needed was to be able to receive SMS messages as “me” and he was in.
