We were told about it a few weeks ago in Fraudsters beat two-factor authentication, steal $45k.
Companies are required to carry out number ports quickly:
Well, as it turns out, they took advantage of the mobile phone number portability option offered by telecommunication companies and mandated by the Australian government so that the companies could not lock in customers, and employed social engineering skills to gather the information needed for such a move.
Porting causes minor technical glitches:
… requested his account to be “ported” to a pre-paid account with an alternative provider. Once the move was completed, they sent the businessman a message supposedly coming from his provider (Vodafone), notifying him that he will likely experience problems with the reception in the next 24 hours, so that he would not become suspicious about the fact that he would not be receiving any calls or messages.
In short, the attack consists of porting a number temporarily, carrying out transactions with it, and returning it to the user almost without them realizing that they have been impersonated.
Sometimes there are good reasons not to do some things too quickly.