Before reading this, I want to underline that Ho. Mobile is a phone company which operates mainly in Italy and (maybe) some other European countries. But I'd just like to talk about this cause this hack was very interesting in my opinion.
For days now we have been talking about the serious theft suffered by Ho. Mobile, phone company offered by Vodafone Italia, due to a hacker attack. It would seem that some sensitive data of a part of its users have been found for sale on the Dark Web already on the day of December 22.
Initially, it was thought to be minor stuff, but the famous phone company has confirmed that customers' personal data and identification data of the various SIM cards have been stolen. Fortunately, no traffic data or information on bank accounts or payment systems were stolen, but the risks for users are still high.
The risks of SIM Swap
Ho. Mobile, after several investigative activities carried out by the Authorities, detected a leak of personal data of a part of its users. This information included names, surnames, telephone numbers, tax codes, emails, dates, and places of birth, as well as the ICCID of the SIM, a 19 or 20-digit number that uniquely identifies phone cards. This data was then put up for sale on the Dark Web, where an ad was found providing information of about 2.5 million users.
Fortunately, no bank data was involved, but every single user can risk serious SIM Swap attacks, i.e. cloning of their SIM. This happens because the ICCID, the unique code of the cards, could be used together with the personal data to get a new SIM at any point of sale, a bit like when you activate a new SIM in the name of a relative or friend who does not have time to go to a physical store. This is a very simple operation, but it can involve very serious risks.
In fact, once your SIM has been cloned, malicious people will be able to use your phone number as they please. In particular, they could exploit it to receive ''One-time passwords'', the code you receive via SMS when you want to make a payment or access your email. Once they have obtained your account numbers, which is much easier than a massive data theft against an entire mobile company like Ho., the hacker will have no problem making payments on your behalf, putting your bank account at serious risk.
Email swap and Phishing
In addition to the SIM swap case, Ho. Mobile users also run the risk of email swap and Phishing. The operation is simple: all the hacker has to do is enter your email and use the command ''I forgot my password'', through which he will receive a code on his (or rather your) SIM card which he will use to change the password of your email address. Once inside your email, it goes without saying that our little hacker now has all the tools at his disposal to jeopardize any kind of virtual account you have. Once he gets into your accounts, stealing extremely sensitive data, even from third parties, is very easy.
This last case, in particular, that of Phishing, is very likely to occur against users who are unfamiliar with virtual tools and who, due to COVID, have had to adapt with online accounts and money management apps.
What is the solution?
Regarding this episode of massive information theft, Ho. Mobile has alerted all its users via SMS of the incident, inviting them to go to any physical store to change their SIM for free. Our advice is to follow this suggestion as soon as possible, inviting operators to carry out further control operations.
In addition, it can be extremely useful to disconnect your mobile number from all digital accounts you have (see Facebook, Instragram, Whatsapp), unhook it from 2-factor verification (2FA) and disable the receipt of One-time passwords (OTP) for online payments. If necessary, contact your bank to disable OTP messages and use the opportunity to perform a movement verification while waiting for the perpetrators of the attack to be unmasked.
Ok, this part is a little bit unrelated to the part you've already read but, do you think this is really so serious? I mean, do some of you think that people are really going to use more than 2 million users' data to change account passwords and get data from other people? Well, I think that some could do it, maybe with some automated software, but I'd like to know your opinion about it! Just drop a comment below!
