Cops Slowly Wise Up To The SIM Hijacking Trend Carriers Don't Want To Seriously Address
from the you've-got-a-bit-of-a-problem-here dept
It only took a few years, but law enforcement finally appears to be getting wise to the phenomenon of SIM hijacking, which lets a hacker hijack your phone number, then take control of your personal accounts. As we've been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data. Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target's banking or cryptocurrency accounts.
This week, news reports indicated that California authorities finally brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin:
"Investigators accuse Ortiz of being a prolific SIM hijacker who mainly targeted victims to steal their cryptocurrency but also to take over their social media accounts with the goal of selling them for Bitcoin. According to the investigators, as well as people in the SIM swapping community, Ortiz was a member of OGUSERS, a website where members trade valuable Instagram or Twitter accounts."
In one of at least three attacks that happened during Consensus, Ortiz allegedly stole more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million that he had crowdfunded in an ICO."
SIM hijacking has been making headlines for the better part of the last year, so it's nice to see law enforcement finally paying attention. What still isn't getting enough attention is the fact that these hackers are increasingly getting help from employees inside of major wireless carriers like T-Mobile. As security researcher Brian Krebs has been noting, wireless carrier employees can often be duped into conducting a SIM swap, allowing the hackers to steal another users' identity. Often hackers will go store to store until they've found an employee that's gullible enough or open to financial compensation to do it:
"A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider’s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.
However, thieves and other ne’er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) — effectively giving the attackers access to any text messages or phone calls that are sent to the target’s mobile account."
And while some store employees have been duped, others are cooperating willingly with the hackers.
Reports over at Motherboard have highlighted how some employees are taking cash payments in exchange for private consumer data routinely only made available to carrier insiders. And despite this getting ample press (over the last month or two specifically), journalist Lorenzo Franceschi-Bicchierai has been pointing out that T-Mobile doesn't appear to want to much talk about it. For context, this is a screenshot taken of T-Mobile's internal systems, either by an employee being paid to participate in the SIM hijacking, or by a hacker that still has access to T-Mobile's private internal systems:
My stories on SIM swapping have been widely read, drawing attention to telecom providers' security weaknesses.
And yet...hackers can still access my personal data on @TMobile. Here's a screenshot that a hacker just sent me a few minutes ago. pic.twitter.com/XzPCOL5Mlu
— Lorenzo Franceschi-Bicchierai (@lorenzofb) July 30, 2018
There are systems in place that are supposed to prevent you from having your number ported out without your permission. For example, T-Mobile users can call 611 from their cellphone (or 1-800-937-8997) and tell a support staffer that they want to create a “port validation” passcode to prevent unauthorized number ports. But despite some ongoing lawsuits over this internal security and privacy problem at T-Mobile, it's still pretty clear the company isn't doing enough to protect its customers, in stark contrast to the ultra-consumer-friendly branding schtick the "uncarrier" has been cashing in on for years.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: arrest, scams, sim hijacking
Companies: t-mobile
Reader Comments
Subscribe: RSS
View by: Time | Thread
T-Mobile note
[ link to this | view in chronology ]
Re: T-Mobile note
[ link to this | view in chronology ]
Re: Re: T-Mobile note
Not to mention that "recommended" does not mean "people will actually do it".
[ link to this | view in chronology ]
Re: T-Mobile note
[ link to this | view in chronology ]
Re: Re: T-Mobile note
My wife had her identity stolen (we are fairly certain it came from the big credit bureau hack) and a person in the Mid-West tried to open up multiple phone lines and buy multiple phones with her identity. Some succeeded, most did not because the person did not have a valid ID or home address matching the social.
We only found out because they were idiots and tried it at nearly every Verizon store in their city. That finally hit the fraud team at Verizon and we got a call from them (I have no clue how they got our phone number since we have never had a Verizon account). We were able to get everything off of our credit and guarantees that the ones she did open we would not be responsible for. Apparently, some stores did sell the thief a phone and a plan with no ID verification at all. The fraud department said they would be getting a nasty visit from their district supervisor.
We filed a police report, but last time I checked nothing happened with it.
[ link to this | view in chronology ]
Re: Re: Re: T-Mobile note
Just get a credit report (which they probably already had at this point): you phone number, address and alot of other personal information will be on it.
[ link to this | view in chronology ]
Re: Re: T-Mobile note
PINs are also easy to socially engineer.
People in phone centers are typically motivated by a desire to (1) help a customer and (2) not get yelled at by the customer. The cases where a legitimate customer forgets their PIN probably outnumber the fraudulent attempts by an awful lot. Many support representatives, even well-trained ones, can be tricked into bending the rules and overlooking a bad or partial PIN.
Here's a good story from a few years back: How I lost my $50,000 Twitter username. It details how a social engineer managed to, among other things, give a GoDaddy support tech the last two digits of the real user's credit card and convince the tech to accept those instead of all four. (Incidentally, the user eventually got his account back.)
Story time: I was working at GoDaddy at the time. A man walked into our department, looked around, and said, "You all know that you can't modify an account unless the customer gives you the last four digits of their credit card number, right? It has to be all four." After he left, my supervisor turned to me and said, "That was one of the executives."
Later, I went to lunch, checked my RSS feeds, and saw that story on Ars. And I thought, "Oh, so that was what that was all about."
True story: the policy GoDaddy implemented to fix the issue was...to ask for the last six digits of users' credit card numbers.
[ link to this | view in chronology ]
Re: Re: Re: T-Mobile note
[ link to this | view in chronology ]
[ link to this | view in chronology ]
It is actually fraud perpetrated upon business who then expect the individual to make them whole.
[ link to this | view in chronology ]
LOL at PINs
A 'Port Out' pin is similarly worthless if the scammer gains control of the phone number.
Usually, by the time the target realizes there is something wrong it is too late, the damage has been done. When they call their carrier they will not be able to gain access to their account because they do not know the new PIN. Best case scenario will be for them to go to a retail location to show their ID as proof of ownership. But if the number was ported out to another carrier they are fucked. There is no easy way to prove to another carrier that they are the legitimate owner of a particular phone number. Meanwhile the person that now has the phone number is changing passwords on all kinds of accounts and setting up Two-Factor Authentication, locking the target out of their own accounts, banks, social media, whatever. All this can be done in a few hours. You could wake up tomorrow and be locked out of everything.
You won't notice anything is wrong because you won't be getting any email notifications because all your passwords have been changed.
What's worse is there are many 2FA apps out there that rely on an email or phone number for their own authentication. So if the scammer has access to their phone number, there is no service that they will not be able to change the authentication on.
This is a pandora's box that the carriers need to address. It is mandated that customers can take their phone numbers with them. We need to figure out a process that can reliably authenticate the person requesting the port instead of using a 4-digit code.
[ link to this | view in chronology ]
Re: LOL at PINs
A good stop to this would be a local authenticator app, like Blizzard's Battle.NET Authenticator, or any of the various ones you can use with services like github. (Assuming they still allow that after MS bought them. I haven't checked.)
Alternatively, you could always go for a yubikey, or some other hardware token for 2FA, but that's "inconvenient" for most people.
SMS has never been secure, and that fact has been known for over a decade now. The only reason it took off as a 2FA mechanism was because of the popularity of cellphones and the lack of a need for action on the user's part. Well, I guess we got what we paid for.
[ link to this | view in chronology ]
I wonder...
Yeah, ESIM!
NOT!
[ link to this | view in chronology ]