FCC Finally Gets Off Its Ass To Combat SIM Hijacking

from the better-late-than-never dept

So for years we've talked about the growing threat of SIM hijacking, which involves an attacker covertly porting out your phone number from right underneath your nose (sometimes with the help of bribed or conned wireless carrier employees). Once they have your phone identity, they have access to most of your personal accounts secured by two-factor SMS authentication, opening the door to the theft of social media accounts or the draining of your cryptocurrency account. If you're really unlucky, the hackers will harrass the hell out of you in a bid to extort you even further.

It's a huge mess, and the both the criminal complaints -- and lawsuits against wireless carriers for not doing more to protect their users -- have been piling up for several years. For several years, Senators like Ron Wyden have been sending letters to the FCC asking the nation's top telecom regulator to, you know, do something. After years of inaction the agency appears to have gotten the message, announcing a new plan to at least consider some new rules to make SIM hijacking more difficult.

Most of the proposal involves nudging wireless carriers to do things they should have done long ago. Such as updating FCC Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require wireless carriers adopt secure methods of confirming the customer’s identity before porting out a customer’s phone number to a new device or carrier (duh). As well as requiring that wireless carriers immediately notify you when somebody tries to port out your phone number without your permission (double duh):

"The FCC’s proposal would also require that wireless providers immediately notify customers whenever a SIM change or port request is made on customers’ accounts. That this wasn’t yet industry standard practice—or covered by FCC rules—speaks to the sluggishness with which the government and industry have responded to the problem."

Again, this lack of action until now was fairly reflective of the Ajit Pai school of thought on telecom policy, which basically involved coddling major telecom companies in the misguided belief that this regulatory apathy somehow results in free market utopia. But as we've established for years, while deregulation can help improve functional, competitive, healthy markets, that's not what U.S. telecom is. It's a bunch of government-coddled regional monopolies and duopolies, that, thanks to increased consolidation, face increasingly less meaningful competition. When you remove both competition (and pro-competitive policies) and regulatory oversight, you don't get a miraculous free market, you usually get... a bigger, fatter Comcast.

Note these aren't actual rules yet, it's just the beginning of new rules. The Rosenworcel FCC is basically doing the bare minimum here to start the ball rolling, launching a Notice of Proposed Rulemaking (NPRM) to begin discussing the path forward. That this wasn't even contemplated until now speaks volumes as to the state of U.S. telecom regulatory oversight. Folks have been having vast fortunes stolen from under their noses for several years (seriously read this story) because wireless carriers failed to secure their own services, and the response from the U.S. government until now had been a giant, collective yawn.

Filed Under: fcc, sim hijacking

Study Shows The Internet Is Hugely Vulnerable To SIM Hijacking Attacks

from the ill-communication dept

U.S. Wireless carriers are coming under heavy fire for failing to protect their users from the practice of SIM hijacking. The practice usually involves conning or bribing a wireless employee to port a victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Carriers are facing numerous lawsuits from victims who say attackers used the trick to first steal their identity, then millions in cryptocurrency, or even popular social media accounts.

Last week, six lawmakers, including Ron Wyden, wrote to the FCC to complain the agency isn't doing enough (read: anything) to pressure carriers into shoring up their flimsy security. This week, a group of Princeton researchers released a study showcasing how both traditional and prepaid wireless carriers remain incredibly vulnerable to such attacks despite several years worth of headlines. In the full study (pdf, hat tip ZDNet), the researchers showed how it was relatively easy to trick wireless company support employees into turning over far more private data than they should, helping to facilitate the illicit SIM swap:

"When providing incorrect answers to personal questions such as date of birth or billing ZIP code, [research assistants] would explain that they had been careless at signup, possibly having provided incorrect information, and could not recall the information they had used," researchers said, explaining the motives they provided to call center staff."

After failing the first two steps in confirming a caller's identity, wireless carriers then move on to a third confirmation option -- verifying the last two numbers called from the account. But researchers note that was easy to game as well:

"The research team says that an attacker could trick a victim into placing calls to specific numbers. For example, a scenario of "you won a prize; call here; sorry, wrong number; call here instead." After the attacker has tricked the SIM card owner into placing those two calls, they can use these details to call the telco's call center and carry out a SIM swap. Princeton researchers said they were able to trick all five US prepaid wireless carriers using this scenario."

Despite warning all five of the carriers they tested this trick on, four of the five still hadn't fixed their security gaps as of the study's publication. After showcasing how vulnerable mobile carriers are, the researchers took a closer look at what could be done once they had taken over a user's wireless accounts. As such they tested the multi-factor-authentication practices of 140 of the most popular services and sites, and found that 17 of those services had no systems in place to protect users from SIM hijacking (such as emailing users a one time password to confirm identity and verify the changes were actually requested).

Here's where, in a functional market with a functioning government, regulators would step in to pressure carriers to do more to actually protect consumers. Instead, the Trump FCC has spent the last three years rubber stamping every fleeting whim of the sector, including gutting most meaningful oversight of the sector, and rubber stamping massive mergers the majority of objective experts say will harm the market.

Filed Under: ajit pai, fcc, ron wyden, scams, sim hijacking, sim swap, social engineering, wireless carriers

After Jack Hack, Government Starts Taking Wireless 'SIM Hijacking' Seriously

from the yeah-maybe-get-on-that dept

Wireless carriers have been under fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker, pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.

Like the ongoing wireless industry's location data scandals, the FCC has so far refused to utter so much as modest condemnation of carriers that have failed to protect users.

But with Twitter CEO Jack Dorsey having his Twitter account recently hijacked thanks to SIM hijacking, the government appears to have finally gotten the message that we have a bit of a problem.

For example, the FBI issued a warning last month to its private industry partners, noting that two-factor authentication can be bypassed thanks to the hacks:

"The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks," the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.

Carriers, for their part, don't much like to publicly talk about the problem. In part because it's frequently their employees who are helping to facilitate the scams for a little money on the side. Identity thieves use SIM hijacking to do everything from cleaning out bank accounts, to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn't particularly complicated, and more often than not involves the social engineering of a cellular carrier's support employees. Until the Dorsey hack, their refrain has been this is a small problem that's very unique. It's not.

There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from your cellphone (or 1-800-937-8997), then tell a support staffer that you want to create a “port validation” passcode (here's a guide for other carriers). Still, like the SS7 wireless exploit that has been in the wild for years, it's clear wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time training their employees and protecting their customers from security threats.

Filed Under: fbi, fcc, identity fraud, jack dorsey, sim hijacking, telcos

Court Will Decide If AT&T Is Liable For Cryptocurrency Theft Caused By Shoddy Security

from the ill-communication dept

Wireless carriers are coming under increasing fire for failing to protect their users from SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.

T-Mobile customers aren't the only users who've experienced this problem. US entrepreneur and cryptocurrency investor Michael Terpin sued AT&T last summer (pdf) for the same thing: somebody ran a SIM hijacking scam on AT&T, then stole his identity and, in turn, stole $23.8 million in cryptocurrency. And while AT&T tried hard to have the case dismissed, a Los Angeles federal judge last week issued a mixed ruling that nixed AT&T's request to dismiss the case, but demanded that Terpin do a better job highlighting how AT&T is directly responsible:

"Wright agreed with AT&T that Terpin had not adequately explained how the hack of his account led to the theft of his cryptocurrency or why AT&T should bear responsibility. As a result, he dismissed claims that relied on Terpin's claimed $24 million loss. However, Wright dismissed the claims with "leave to amend," meaning that Terpin has 21 days to file a new version of his lawsuit that more fully explains how the cryptocurrency was stolen and why AT&T should be held responsible."

AT&T, as you might expect, has argued in court and in public that it's not liable for, well, anything. Ever.

Carriers frequently aren't keen on talking about the problem, in part because their employees keep getting busted for helping the scammers. And keep in mind AT&T keeps having these kinds of problems. Repeatedly. In just the last few years AT&T has been: fined $18.6 million for helping rip off programs for the hearing impaired; fined $10.4 million for ripping off a program for low-income families; and fined $105 million for helping "crammers" by intentionally making such bogus charges more difficult to see on customer bills.

In short this isn't a company with a great track record when it comes to ethical behavior or protecting its subscribers from scams. Terpin, for his part, has been given an additional three weeks to beef up his case before it proceeds:

"I am grateful that Judge Wright is allowing my case to proceed," Terpin said. "We must hold AT&T accountable. If AT&T demonstrated the same zeal to totally revamp its porous security system as it does to suppress the damning evidence of its callous indifference to its customers, we would not be in court."

Filed Under: cryptocurrency, liability, michael terpin, security, sim hijacking
Companies: at&t

AT&T, Verizon Employees Caught Up In DOJ SIM Hijacking Bust

from the ill-communication dept

Wireless carriers are coming under increasing fire for failing to protect their users from the practice of SIM hijacking (aka a port scam). The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Last year, a customer sued T-Mobile for failing to protect his account after a hacker pretending to be him ported out his phone number then stole thousands of dollars worth of cryptocoins.

Subsequent reports have shown how identity thieves use SIM hijacking to do everything from cleaning out bank accounts, to stealing valuable Instagram usernames and selling them for Bitcoin. Reports often showed how these scams were being helped with the willful help of some cellular carrier employees, something wireless carriers haven't (understandably) been particularly keen on talking about.

That was confirmed again last week when the DOJ accused nine people of allegedly being part of a crime ring known as “The Community.” The organizations' specialty was SIM hijacking, which involved having three former employees at AT&T and Verizon steal user identities (and subsequently several million dollars):

"White, according to the feds, helped the criminals steal more than $2 million from several victims by performing 29 fraudulent SIM swaps. White communicated with the criminals via Telegram, according to the document. Jack, who was an associate of White, allegedly performed twelve fraudulent SIM swaps in May of 2018. White allegedly paid Jack $585.25 for his help in the SIM swapping conspiracy, according to the complaint."

The full DOJ announcement provides some interesting reading. In some instances the employees would conduct the SIM swaps themselves. In other instances they'd simply provide enough private account data to the scammers to help them pose as the customer. It's likely there's more such cases waiting in the wings, and critics continue to highlight how cellular carriers have consistently, repeatedly, failed to adequately police fraud perpetrated by their own employees:

“This isn’t social engineering anymore,” Ross, who was SIM swapped last year, said in an online chat. “The story needs to move from ‘the carriers aren’t doing enough to fix the problem’ to ‘the carriers have no control over their tens of thousands of customer service reps and knowingly allowed them to be bribed."

There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from your cellphone (or 1-800-937-8997), then tell a support staffer that you want to create a “port validation” passcode. Still, like the SS7 exploit that has been in the wild for years, it's pretty clear that wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and raising rates, and a little more time protecting their customers from security threats.

Filed Under: doj, sim hijacking
Companies: at&t, verizon

Cops Slowly Wise Up To The SIM Hijacking Trend Carriers Don't Want To Seriously Address

from the you've-got-a-bit-of-a-problem-here dept

It only took a few years, but law enforcement finally appears to be getting wise to the phenomenon of SIM hijacking, which lets a hacker hijack your phone number, then take control of your personal accounts. As we've been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data. Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target's banking or cryptocurrency accounts.

This week, news reports indicated that California authorities finally brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin:

"Investigators accuse Ortiz of being a prolific SIM hijacker who mainly targeted victims to steal their cryptocurrency but also to take over their social media accounts with the goal of selling them for Bitcoin. According to the investigators, as well as people in the SIM swapping community, Ortiz was a member of OGUSERS, a website where members trade valuable Instagram or Twitter accounts."

In one of at least three attacks that happened during Consensus, Ortiz allegedly stole more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million that he had crowdfunded in an ICO."

SIM hijacking has been making headlines for the better part of the last year, so it's nice to see law enforcement finally paying attention. What still isn't getting enough attention is the fact that these hackers are increasingly getting help from employees inside of major wireless carriers like T-Mobile. As security researcher Brian Krebs has been noting, wireless carrier employees can often be duped into conducting a SIM swap, allowing the hackers to steal another users' identity. Often hackers will go store to store until they've found an employee that's gullible enough or open to financial compensation to do it:

"A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider’s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

However, thieves and other ne’er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) — effectively giving the attackers access to any text messages or phone calls that are sent to the target’s mobile account."

And while some store employees have been duped, others are cooperating willingly with the hackers.

Reports over at Motherboard have highlighted how some employees are taking cash payments in exchange for private consumer data routinely only made available to carrier insiders. And despite this getting ample press (over the last month or two specifically), journalist Lorenzo Franceschi-Bicchierai has been pointing out that T-Mobile doesn't appear to want to much talk about it. For context, this is a screenshot taken of T-Mobile's internal systems, either by an employee being paid to participate in the SIM hijacking, or by a hacker that still has access to T-Mobile's private internal systems:

There are systems in place that are supposed to prevent you from having your number ported out without your permission. For example, T-Mobile users can call 611 from their cellphone (or 1-800-937-8997) and tell a support staffer that they want to create a “port validation” passcode to prevent unauthorized number ports. But despite some ongoing lawsuits over this internal security and privacy problem at T-Mobile, it's still pretty clear the company isn't doing enough to protect its customers, in stark contrast to the ultra-consumer-friendly branding schtick the "uncarrier" has been cashing in on for years.

Filed Under: arrest, scams, sim hijacking
Companies: t-mobile

Wireless Carriers Have A SIM Hijacking Problem They Don't Want To Talk About

from the nothing-to-see-here dept

Wireless carriers are coming under increasing fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.

It didn't take long for numerous customers to complain they were the victim of the same scam, and for T-Mobile to send out a warning to users encouring them to add a few layers of additional security to their account.

But the problem appears to be even worse than originally believed. A new report takes a closer look at the problem, exploring how identity thieves use SIM hijacking to do everything from cleaning out bank accounts, to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn't particularly complicated, and more often than not involves the social engineering of a cellular carrier's support employees. The entire process tap dances around protections like two-factor authentication, and highlights the peril of relying too heavily on a single cell phone number for identity verification in apps and other services.

Carriers, for their part, don't much like to publicly talk about the problem. In part because it's occasionally their employees that are helping to facilitate the scams for a little extra cash:

"Thug and Ace explained that many hackers now recruit customer support or store employees who work at T-Mobile and other carriers and bribe them $80 or $100 to perform a SIM swap on their target. Thug claimed they got access to the T-Mobile tool by bribing an insider, but Motherboard could not verify this claim. T-Mobile declined to answer questions on whether the company had any evidence of insiders being involved in SIM swap scams."

Quite often, those cellular carrier employees are more than happy to provide hackers with direct access to cellular carrier support systems:

"(One hacker) said they do SIM swaps by using an internal T-Mobile tool to look up subscribers’ data. During our chat, the hacker showed me a screenshot of them browsing the tool. I gave (the hacker) my phone number as a test, and the hacker sent back a screenshot that contained my home address, IMSI number (a standardized unique number that identifies subscribers), and other theoretically secret account information. Thug even saw the special instructions that I gave T-Mobile to protect my account.

As is their usual MO, wireless carriers don't much want to have a serious conversation about the problem, and often insist that it's only impacting a few, rare accounts (in stark contrast to the laundry list of increasing complaints seen over the last few years):

"Motherboard reached out to AT&T, Verizon, Sprint, and T-Mobile—the big four US cell phone providers—requesting data on the prevalence of SIM swapping. None of them agreed to provide such information. An AT&T spokesperson said this kind of fraud “affects a small number of our customers and this is rare for us,” but did not respond when asked to clarify what “small number” means.

There's some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from your cellphone (or 1-800-937-8997), then tell a support staffer that you want to create a “port validation” passcode. Still, like the SS7 exploit that has been in the wild for years, it's pretty clear that wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time protecting their customers from security threats.

Filed Under: fcc, hackers, scams, sim hijacking
Companies: at&t, sprint, t-mobile, verizon