After Jack Hack, Government Starts Taking Wireless 'SIM Hijacking' Seriously

from the yeah-maybe-get-on-that dept

Wireless carriers have been under fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier into porting the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker, pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars' worth of cryptocoins.

As with the wireless industry's ongoing location data scandals, the FCC has so far refused to utter so much as a modest condemnation of carriers that have failed to protect users.

But with Twitter CEO Jack Dorsey having his Twitter account recently hijacked thanks to SIM hijacking, the government appears to have finally gotten the message that we have a bit of a problem.

For example, the FBI issued a warning last month to its private industry partners, noting that two-factor authentication can be bypassed thanks to the hacks:

"The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks," the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.

Carriers, for their part, don't much like to publicly talk about the problem, in part because it's frequently their employees who are helping to facilitate the scams for a little money on the side. Identity thieves use SIM hijacking to do everything from cleaning out bank accounts to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn't particularly complicated, and more often than not involves the social engineering of a cellular carrier's support employees. Until the Dorsey hack, their refrain has been that this is a small problem that's very unique. It's not.

There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from their cellphone (or 1-800-937-8997), then tell a support staffer that they want to create a “port validation” passcode (here's a guide for other carriers). Still, like the SS7 wireless exploit that has been in the wild for years, it's clear wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time training their employees and protecting their customers from security threats.

Filed Under: fbi, fcc, identity fraud, jack dorsey, sim hijacking, telcos


Reader Comments

  • identicon
    Anonymous Coward, 11 Oct 2019 @ 7:14am

    Aren't a "port" and a "SIM swap" two different things? Usually, "porting a number" means switching it to some other telephone company - while "SIM swap" means switching it just to some other telephone, which may be on the same carrier.

    • icon
      James Burkhardt (profile), 11 Oct 2019 @ 7:39am

      Re:

      That would be an accurate description of the terminology. I think both techniques are being used to the ends presented here, but I agree it is irresponsible for the article to conflate the two.

    • identicon
      Anonymous Coward, 11 Oct 2019 @ 9:49am

      Re:

      while "SIM swap" means switching it just to some other telephone

      The word "it" here could cause confusion. We're talking about moving the number to a different SIM card, not moving the SIM card to a different phone. "SIM swap" is not a good name for it, because the subscriber's SIM never got "swapped" or moved at all.

      • icon
        James Burkhardt (profile), 11 Oct 2019 @ 10:31am

        Re: Re:

        A SIM swap is where you swap the SIM associated with a number. What other short descriptor would you use to describe swapping the associated SIM card? As the first AC points out, Porting is also confusing as that term refers to switching carriers, not getting a new SIM card.

        • identicon
          Anonymous Coward, 11 Oct 2019 @ 5:58pm

          Re: Re: Re:

          A SIM swap is where you swap the SIM associated with a number.

          "Swap" also implies symmetry, as if your SIM card would then be associated with the attacker's account.

          What other short descriptor would you use

          I don't necessarily have a solution to every problem I point out, but I question the tendency to pursue terseness at the cost of clarity. Would it be so bad to say the number was transferred without authorization? We could call it TWOL "transferred without official leave" if terseness is critical and a dated meaning of "leave" is acceptable.

          "SIM" is an irrelevant technical detail. We don't need to mention that any more than we mention ICCID, UICC, IMSI, or K_i.

        • icon
          bhull242 (profile), 14 Oct 2019 @ 7:42am

          Re: Re: Re:

          How about a SIM transfer?

  • identicon
    Anonymous Coward, 11 Oct 2019 @ 7:45am

    Compelling evidence in support of not making critical data accessible via cell phone.

  • identicon
    Pixelation, 11 Oct 2019 @ 7:59am

    Might be time for a high profile court case that drops the hammer on some of the employees caught doing this.

    • identicon
      Anonymous Coward, 12 Oct 2019 @ 8:43am

      Re:

      Nothing will come of it when they only sacrifice a minimum wage employee. The management that directed the action will continue in their activities trashing some more low level lives in the process.

  • identicon
    A Guy, 11 Oct 2019 @ 9:29am

    I'm surprised sim-cloning hasn't been much more common, unless they are almost never caught.

    No matter what the wireless providers do there will always be sim-cloning to fall back on. I don't think it's a patchable flaw in modern sim technology.

    • identicon
      Anonymous Coward, 11 Oct 2019 @ 10:20am

      Re:

      The difficulty with sim cloning is, you need to have access to the sim card to do it. At least that's my understanding of it.

    • icon
      James Burkhardt (profile), 11 Oct 2019 @ 10:38am

      Re:

      As the AC notes, SIM cloning requires physical access to the SIM card. Unlike TV depictions, SIM cloning isn't a wireless process. While it's an open hole, it's hard to pull off and if your mark notices a missing phone a legit SIM swap completely shuts down any future exploitation. SIM swapping doesn't require the SIM card, the phone, or even being in the same Time Zone as the targeted phone. And SS7 hacking is wireless and provides much of the same benefit as SIM Cloning. It's not an efficient vulnerability.

      • identicon
        A Guy, 11 Oct 2019 @ 11:45am

        Re: Re:

        I can think of ways to do sim cloning without access to the device but I have not because I'm not a cyber criminal. If criminal organizations/governments haven't built it yet it's only due to laziness or lack of need.

        • identicon
          A Guy, 11 Oct 2019 @ 11:50am

          Re: Re: Re:

          For me it is in fact both laziness and lack of need.

          • icon
            James Burkhardt (profile), 11 Oct 2019 @ 1:25pm

            Re: Re: Re: Re:

            Ideas which would, conceivably, require remotely compromising the device to give up that information, fighting against device manufacturer's work to fill security holes, at which point you cloning the SIM card is the least of the mark's problems. You also are losing the benefit of not being able to close the SIM clone vulnerability, as Device manufacturers could close the vulnerability that gets you the SIM card information from the phone itself.

            I'm not saying SIM cloning isn't a thing. It likely is. But I perceive its only benefit being in longer term targeted surveillance by governments, rather than the benefits of SIM Swapping or SS7 hacking which are in rapid moves to steal assets in moments. And given that a SIM Swap stops the feed of information, or worse you might be vulnerable to intentional misinformation if the cloning is discovered, it's likely not laziness or lack of need, but lack of practicality.

            • identicon
              Anonymous Coward, 11 Oct 2019 @ 6:13pm

              Re: Re: Re: Re: Re:

              Ideas which would, conceivably, require remotely compromising the device to give up that information, fighting against device manufacturer's work to fill security holes, at which point you cloning the SIM card is the least of the mark's problems.

              Attackers have shown a penchant for finding security holes against very motivated manufacturers in related fields such as game consoles and satellite TV receivers, putting in much more effort than anyone could call reasonable. Stealing phone numbers gives a more direct path to real-world profit.

              Were I looking for a flaw here, I'd look toward the SIM manufacturers—bad cryptography (cf. ROCA) and initialization vulnerabilities (cf. the RSA SecurID compromise).

    • identicon
      Anonymous Coward, 11 Oct 2019 @ 2:08pm

      Re:

      And how will the network react when the same number has to map to two or more phones, because the phone is reporting in from two or more towers that have no overlap in service area?

      • identicon
        A Guy, 11 Oct 2019 @ 3:07pm

        Re: Re:

        I could take random guesses but it depends on how the engineers in that particular network designed it. It could react any number of ways.

  • icon
    ECA (profile), 11 Oct 2019 @ 12:54pm

    Many of you....

    Have been on the net a long time, and understand a bit of what the net is like. And even Fewer of you, understand the Old internet, that's still there.

    How many of you remember all the fun of creating an account, in the past, and NOW...
    It has taken years, for them to figure out a few things. Like verification... HOW to prove WHO/they you are..

    This is like Spam phone calls..HOW can you tell?

    1. in the first seconds THEY must ID themselves.
    2. Social sec. DON'T make phone calls.
    3. YOUR credit card corp, WILL NOT call you and ASK for your card number to Verify you.(they have all that data)(OR SHOULD)
    4. Make a Permanent internet email account..NOT with an ISP, those get deleted if you change service. Gmail lets you have 3-4 from 1 account, and you can Gear them to importance..BILLS is a good one.

    Sorting all this out is a real pain unless you are really organized. Passwords are a pain also.

    Google has a pretty good verification, up to 3 parts..
    There is a trick I suggest to my customers... It's not the questions for verification, it's the Answer.. No matter the question, "where were you born", 'Da moon'.. is a better answer than the real location..

  • identicon
    Anonymous Coward, 11 Oct 2019 @ 2:02pm

    Yesterday you posted an article about Twitter 2FA. One would think that while researching that, you would have found out that you can't remove your phone number from Twitter without it disabling all 2FA.

    Then today you link to an article that incorrectly claims you can remove your phone number from Twitter without losing 2FA.

    • identicon
      Anonymous Coward, 13 Oct 2019 @ 2:33am

      Re:

      What link are you talking about?

      Are you referring to the 'theverge' link? That article does not suggest numbers can be removed by 2FA. Unless you mean to suggest that Twitter itself is unable to effect the same changes their software interface will do for you.
