Wireless Carriers Have A SIM Hijacking Problem They Don't Want To Talk About
from the nothing-to-see-here dept
Wireless carriers are coming under increasing fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier into porting the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him ported out his phone number, then managed to use his identity to steal thousands of dollars' worth of cryptocoins.
It didn't take long for numerous customers to complain they were victims of the same scam, and for T-Mobile to send out a warning to users encouraging them to add a few layers of additional security to their account.
But the problem appears to be even worse than originally believed. A new report takes a closer look at the problem, exploring how identity thieves use SIM hijacking to do everything from cleaning out bank accounts, to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn't particularly complicated, and more often than not involves the social engineering of a cellular carrier's support employees. The entire process tap dances around protections like two-factor authentication, and highlights the peril of relying too heavily on a single cell phone number for identity verification in apps and other services.
Carriers, for their part, don't much like to publicly talk about the problem, in part because it's occasionally their employees who are helping to facilitate the scams for a little extra cash:
"Thug and Ace explained that many hackers now recruit customer support or store employees who work at T-Mobile and other carriers and bribe them $80 or $100 to perform a SIM swap on their target. Thug claimed they got access to the T-Mobile tool by bribing an insider, but Motherboard could not verify this claim. T-Mobile declined to answer questions on whether the company had any evidence of insiders being involved in SIM swap scams."
Quite often, those cellular carrier employees are more than happy to provide hackers with direct access to cellular carrier support systems:
"(One hacker) said they do SIM swaps by using an internal T-Mobile tool to look up subscribers’ data. During our chat, the hacker showed me a screenshot of them browsing the tool. I gave (the hacker) my phone number as a test, and the hacker sent back a screenshot that contained my home address, IMSI number (a standardized unique number that identifies subscribers), and other theoretically secret account information. Thug even saw the special instructions that I gave T-Mobile to protect my account."
As is their usual MO, wireless carriers don't much want to have a serious conversation about the problem, and often insist that it's only impacting a few, rare accounts (in stark contrast to the laundry list of increasing complaints seen over the last few years):
"Motherboard reached out to AT&T, Verizon, Sprint, and T-Mobile—the big four US cell phone providers—requesting data on the prevalence of SIM swapping. None of them agreed to provide such information. An AT&T spokesperson said this kind of fraud “affects a small number of our customers and this is rare for us,” but did not respond when asked to clarify what “small number” means."
There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from their cellphone (or 1-800-937-8997), then tell a support staffer that they want to create a “port validation” passcode. Still, like the SS7 exploit that has been in the wild for years, it's pretty clear that wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time protecting their customers from security threats.
Filed Under: fcc, hackers, scams, sim hijacking
Companies: at&t, sprint, t-mobile, verizon
Reader Comments
Port-out PIN
They can simply do a SIM swap, on the same carrier, suggesting to the customer service person that the customer is simply activating a new SIM on the account and switching phones, something that's done all the time.
The US carriers currently have no reasonable methods in play to prevent this, mainly because they want to make it convenient to sell their customers a new phone, throw in a new SIM, activate it, move the telephone number (TN) and voila it all works.
As it does for the "hacker" stealing the TN.
Ehud
[ link to this | view in chronology ]
Re: Port-out PIN
[ link to this | view in chronology ]
Re: Re: Port-out PIN
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Not entirely meaningless. Many improvements could be made, notably: don't allow any employee to look up information on any customer. The person should be calling from the phone number linked to the account; in cases of stolen or lost phones, an override could be approved and logged. Geolocation could also help.
"Decent wages" are a good idea but can only go so far; there will always be some employee who could use another hundred bucks (lots of people manage to spend everything they make, even when it's a large amount of money).
[ link to this | view in chronology ]
Re: Re:
BTW, I didn't imply that paying employees better would end all insider espionage, just that it would make the price for "entry" considerably more expensive.
[ link to this | view in chronology ]
Re: Re: Re:
Yeah. It's no reason not to try. "Requiring" the phone doesn't mean they have to call customer service from it; maybe they just click a button saying they approve the transfer, or read a code printed on the SIM card. Security controls, like requiring approval for anything "unusual", work. Never perfectly: it's annoying when the grocery cashier has to wait for a manager because they double-scanned a $5 item, and cashiers are still prolific thieves in aggregate. But overall, these controls reduce opportunistic crime.
So pay the customer service people better, limit their access, run audits, and know that some people will get past all that—at least we'll get an impressive caper story from it.
[ link to this | view in chronology ]
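The controls proposed in the comments above (requests made from the phone number linked to the account, overrides that are approved and logged, audits) can be expressed as a check over a support-tool audit log. This is an added example, not part of the original post or comments; the log format, employee IDs and phone numbers are constructed for illustration and do not reflect any carrier's systems.

```python
import csv
import io
from collections import Counter

# Constructed audit-log sample in a hypothetical format:
# time, employee, action, subscriber number, number the caller dialed in from,
# override approver (empty when no override was recorded)
SAMPLE_LOG = """\
2018-07-17T09:02:11,emp041,LOOKUP,2025550100,2025550100,
2018-07-17T09:03:40,emp041,SIM_CHANGE,2025550100,2025550100,
2018-07-17T10:15:02,emp112,LOOKUP,2025550123,,
2018-07-17T10:16:30,emp112,SIM_CHANGE,2025550123,,
2018-07-17T11:20:00,emp007,SIM_CHANGE,2025550150,2025550199,sup003
2018-07-17T11:45:00,emp112,SIM_CHANGE,2025550177,2025550142,emp112
"""

FIELDS = ["ts", "employee", "action", "subscriber", "caller", "approver"]


def review(log_text):
    """Return events that touched an account without the expected verification."""
    findings = []
    for ev in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if ev["caller"] == ev["subscriber"]:
            continue  # the request came from the line on the account
        approver = ev["approver"]
        if not approver:
            reason = "no call from the account's number and no override"
        elif approver == ev["employee"]:
            reason = "override approved by the acting employee"
        else:
            continue  # override approved by someone else and logged
        findings.append(
            (ev["ts"], ev["employee"], ev["action"], ev["subscriber"], reason)
        )
    return findings


def per_employee(findings):
    """Count findings per employee, as a starting point for an audit."""
    return Counter(f[1] for f in findings)


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for row in results:
        print(*row, sep="  ")
    print(per_employee(results))
```
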
No apparent relation to SIMs
[ link to this | view in chronology ]
Re: No apparent relation to SIMs
[ link to this | view in chronology ]
Re: Re: No apparent relation to SIMs
A dubious name still. The SIM never moves; the account is manipulated to accept an alternate SIM. It's doubtful there's anything "swapped", even virtually—why would the criminal go to the trouble of setting up their own account and giving the victim access to it?
[ link to this | view in chronology ]
Well There's Your Problem
"and more often than not involves the social engineering of a cellular carrier's support employees"
The weakest security link will always be people.
[ link to this | view in chronology ]
Went into Sprint when noticed no bills were arriving in her mailbox. Was informed she apparently now lives in Florida as that is where the bills are now being sent.
Friend informed Sprint of what is happening... was told by Sprint that the only way they could help her is to fill out a police report for stolen identity and then send Sprint the police report and have the officer making said report to call them. Sprint does not provide an internal number to their fraud department, at least not a number they would provide to my friend.
Inform the officer taking the report we do not have a contact number for him to call Sprint.. he says he will use department resources to get a number for Sprint.
Few days go by, officer calls back to say Sprint will not speak to him and refuses to give out any information.
Finally my friend was able to get the Florida address where the bills are currently being sent. Inform the police of the new info, and there is no progress as they require Sprint to cooperate with the police in order to move the investigation along... Sprint still refuses to cooperate with the police.
Currently account is gone to collections. The collections company has been made fully aware of what Sprint is doing so they (the collection company) are trying to get Sprint to speak with the police.
Sprint... not a company to do business with.
[ link to this | view in chronology ]
This is why...
[ link to this | view in chronology ]
Re: This is why...
[ link to this | view in chronology ]
Re: This is why...
[ link to this | view in chronology ]
Re: Re: This is why...
[ link to this | view in chronology ]
Re: Re: Re: This is why...
Additionally, if your phone is set up right, it is more secure than your computer: a lock screen password that wipes the device if you get it wrong 5 times, and a banking password that you also need to get right within 5 tries or you are locked out. If the thief can accomplish this, they don't need your phone, they can use their own computer.
[ link to this | view in chronology ]
Re: This is why...
It might be a hassle, but that's the price I'm willing to pay for my sanity.
[ link to this | view in chronology ]
WARNING
They don't want to Pay money to create a complicated system, with tons of REAL security.
Even the police agencies in the USA can spoof your phone, and listen to everything you say.
The security between your Phone and the Tower is the weakest thing you will ever find.
Many internet companies have found HOW to do Good security..NOT great.
[ link to this | view in chronology ]
Isn't the phone just one part of the two-factor?
Even if someone hijacks my cell phone number, how does that get them access to (for example) my bank? Don't they also need my password?
[ link to this | view in chronology ]
Re: Isn't the phone just one part of the two-factor?
In regards to banking, they'd most likely do a password reset and use the text option to "authenticate" the reset request. Some banks still use security questions as a secondary authentication method, which is why you should never use questions that ask for public info, or info that is otherwise available to sufficiently motivated strangers. That includes maiden names of relatives, birthplace, and education or employment history. If your first pet was a registered dog, then don't use it either. Frankly, banks should be embarrassed to use low hanging fruit to "secure" accounts from hacking. Luckily, they usually have a few questions that likely can only be answered by you or maybe a few close individuals. For example, your favorite book. Not the one you tell everyone is your favorite, the one you really love but won't admit to.
[ link to this | view in chronology ]
Re: Re: Isn't the phone just one part of the two-factor?
Whenever there's a security question, my "answer" is just mashing on the keyboard, which I copy-paste into a text file which immediately gets encrypted with my PGP public key.
[ link to this | view in chronology ]