AT&T, Verizon Employees Caught Up In DOJ SIM Hijacking Bust
from the ill-communication dept
Wireless carriers are coming under increasing fire for failing to protect their users from the practice of SIM hijacking (aka a port scam). The practice involves posing as a wireless customer, then fooling a wireless carrier into porting the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Last year, a customer sued T-Mobile for failing to protect his account after a hacker pretending to be him ported out his phone number, then stole thousands of dollars worth of cryptocoins.
Subsequent reports have shown how identity thieves use SIM hijacking to do everything from cleaning out bank accounts to stealing valuable Instagram usernames and selling them for Bitcoin. Reports often showed that these scams were carried out with the willful help of some cellular carrier employees, something wireless carriers (understandably) haven't been particularly keen on talking about.
That was confirmed again last week when the DOJ accused nine people of allegedly being part of a crime ring known as “The Community.” The organization's specialty was SIM hijacking, which involved having three former employees at AT&T and Verizon steal user identities (and subsequently several million dollars):
"White, according to the feds, helped the criminals steal more than $2 million from several victims by performing 29 fraudulent SIM swaps. White communicated with the criminals via Telegram, according to the document. Jack, who was an associate of White, allegedly performed twelve fraudulent SIM swaps in May of 2018. White allegedly paid Jack $585.25 for his help in the SIM swapping conspiracy, according to the complaint."
The full DOJ announcement provides some interesting reading. In some instances the employees would conduct the SIM swaps themselves. In other instances they'd simply provide enough private account data to the scammers to help them pose as the customer. It's likely there are more such cases waiting in the wings, and critics continue to highlight how cellular carriers have consistently and repeatedly failed to adequately police fraud perpetrated by their own employees:
“This isn’t social engineering anymore,” Ross, who was SIM swapped last year, said in an online chat. “The story needs to move from ‘the carriers aren’t doing enough to fix the problem’ to ‘the carriers have no control over their tens of thousands of customer service reps and knowingly allowed them to be bribed.’”
There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from their cellphone (or 1-800-937-8997), then tell a support staffer that they want to create a “port validation” passcode. Still, like the SS7 exploit that has been in the wild for years, it's pretty clear that wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and raising rates, and a little more time protecting their customers from security threats.
Filed Under: doj, sim hijacking
Companies: at&t, verizon
Gee it's almost like giving cogs access to things with no oversight leads to problems...
Pay no attention to the police database abuses
Pay no attention to other database abuses
One thinks it's sad the Feds managed to catch this while the carriers just fiddled, it's almost like they have no concern for customers. They are just a revenue source to be harvested without any concern.
If only we had an agency to provide oversight to the carriers & impose even the slightest fines to motivate them to take action to protect the public & allow them to be sued when they fail to make the victims whole... instead of a smiling jackass who has no problem making sure the carriers don't even need to provide the smallest amount of lube while they....
[ link to this | view in chronology ]
Re:
I have heard enough from you. You toss insults around like you are infallible! Did you ever stop to think of what this pure use of insult you have given to the smiling jackasses of the world?
[ link to this | view in chronology ]
Re: Re:
Was that sarcasm or an incoherent rant?
[ link to this | view in chronology ]
You two seem to know a lot about this stuff…
…so why are you smiling all the time? ; ]
[ link to this | view in chronology ]
You two seem to know a lot about this stuff…
…so why are you two smiling all the time? ; ]
[ link to this | view in chronology ]
Re: Re:
I am infallible, I'm an immortal sociopath.
I was wrong once, when I had assumed that Mr. Duffy had passed away and been replaced by a manikin as he had missed some 15 court appearances. Turns out he was alive, & just really sucked at being a lawyer.
As sometimes spokescoward for teh gays, I can confirm none of us want Mr. Pai, not even for a hate fuck.
[ link to this | view in chronology ]
Re: Re: Re:
Boy, are you ever gonna be surprised when I die and the universe comes to an end...
/s
[ link to this | view in chronology ]
Re: Re: Re: Re:
My delusions are more fun. :)
[ link to this | view in chronology ]
Security doublespeak
The carriers don't care about their customers until their own security and income is at risk.
[ link to this | view in chronology ]
‘the carriers have no control over their tens of thousands of customer service reps and knowingly allowed them to be bribed'
,,,,, sounds highly exaggerated
how many businesses anywhere have full control over all their Customer Service Reps ?
how many businesses have Anti-Bribery procedures in place for their Customer Service Reps ?
[ link to this | view in chronology ]
Re:
How many businesses don't go looking for issues when they are pointed out? Some do, some don't.
I wonder what the percentages are when private companies vs publicly traded companies are compared with regard to this issue?
[ link to this | view in chronology ]
Re:
There's plenty of restrictions a large company is obliged to put into place to protect consumers from rogue employees, as well as procedures that should be in place to limit damage if those restrictions fail. There's also a lot of space between "full control" (your words) and "no control" (what you quoted).
It's not about being 100% perfect but if, as implied in the quote, they knew they had employees being bribed to do these things and did nothing to stop it, they deserve to have the book thrown at them.
[ link to this | view in chronology ]
Re:
How many businesses give complete and total access to Customer Service Reps?
How does having access to my porting password, mother's maiden name, last 4 of my social improve their ability to offer me a shitty credit when their service sucked??
How hard can it be to notice a record accessed & suddenly ported out afterwards?
Other than it might cost them some money to put security into place, is there any good reason for allowing this to happen?
Perhaps if the courts decided they were at fault when customers were robbed with assistance from their employees/contractors/sub-contractors (which are just dodges to avoid responsibility & benefits), they suddenly might discover they had the power to protect consumers all along.
[ link to this | view in chronology ]
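The correlation the last comment asks about (a record accessed, then the number ported out) covers both insider patterns in the DOJ announcement: the rep who performs the swap, and the rep who only looks up the account data. This is an added example, not code from Techdirt or any carrier; the event names, fields and 24-hour window are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real carrier data: (time, rep, account, event).
# Assumption: "customer_contact" is an authenticated, customer-initiated contact.
EVENTS = [
    ("2018-05-01T10:00", "rep_17", "acct_A", "record_view"),
    ("2018-05-01T10:20", "rep_17", "acct_A", "sim_swap"),          # rep swaps it himself
    ("2018-05-01T11:00", "rep_04", "acct_B", "customer_contact"),
    ("2018-05-01T11:02", "rep_04", "acct_B", "record_view"),
    ("2018-05-01T11:10", "rep_04", "acct_B", "sim_swap"),          # customer asked for it
    ("2018-05-02T09:00", "rep_17", "acct_C", "record_view"),       # rep only looks up data
    ("2018-05-02T15:00", "rep_22", "acct_C", "port_out"),
    ("2018-05-03T09:00", "rep_04", "acct_D", "record_view"),       # view, no change
]
CHANGES = {"sim_swap", "port_out"}
WINDOW = timedelta(hours=24)  # assumed look-back window

def flag_changes(events, window=WINDOW):
    """Flag SIM swaps / port-outs preceded by a rep viewing the record
    but by no customer contact on that account within the window."""
    by_account = defaultdict(list)
    for ts, rep, account, kind in events:
        by_account[account].append((datetime.fromisoformat(ts), rep, kind))
    flagged = []
    for account, rows in sorted(by_account.items()):
        rows.sort()
        for when, _, kind in rows:
            if kind not in CHANGES:
                continue
            prior = [r for r in rows if when - window <= r[0] <= when]
            if any(k == "customer_contact" for _, _, k in prior):
                continue  # change is explained by a customer request
            viewers = sorted({rep for _, rep, k in prior if k == "record_view"})
            if viewers:
                flagged.append((account, kind, when.isoformat(), viewers))
    return flagged

def reps_by_hits(flagged):
    """Count how many flagged changes each viewing rep is tied to."""
    return dict(Counter(rep for hit in flagged for rep in hit[3]))

if __name__ == "__main__":
    hits = flag_changes(EVENTS)
    for hit in hits:
        print(hit)
    print(reps_by_hits(hits))
```

A single hit is a lead for review, not proof; the per-rep count is what separates a one-off from a rep whose lookups keep preceding number changes.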