Cops Slowly Wise Up To The SIM Hijacking Trend Carriers Don't Want To Seriously Address

from the you've-got-a-bit-of-a-problem-here dept

It only took a few years, but law enforcement finally appears to be getting wise to the phenomenon of SIM hijacking, which lets a hacker hijack your phone number, then take control of your personal accounts. As we’ve been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data. Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target’s banking or cryptocurrency accounts.

This week, news reports indicated that California authorities finally brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin:

“Investigators accuse Ortiz of being a prolific SIM hijacker who mainly targeted victims to steal their cryptocurrency but also to take over their social media accounts with the goal of selling them for Bitcoin. According to the investigators, as well as people in the SIM swapping community, Ortiz was a member of OGUSERS, a website where members trade valuable Instagram or Twitter accounts.”

In one of at least three attacks that happened during Consensus, Ortiz allegedly stole more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million that he had crowdfunded in an ICO.”

SIM hijacking has been making headlines for the better part of the last year, so it’s nice to see law enforcement finally paying attention. What still isn’t getting enough attention is the fact that these hackers are increasingly getting help from employees inside of major wireless carriers like T-Mobile. As security researcher Brian Krebs has been noting, wireless carrier employees can often be duped into conducting a SIM swap, allowing the hackers to steal another users’ identity. Often hackers will go store to store until they’ve found an employee that’s gullible enough or open to financial compensation to do it:

“A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider?s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

However, thieves and other ne?er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) ? effectively giving the attackers access to any text messages or phone calls that are sent to the target?s mobile account.”

And while some store employees have been duped, others are cooperating willingly with the hackers.

Reports over at Motherboard have highlighted how some employees are taking cash payments in exchange for private consumer data routinely only made available to carrier insiders. And despite this getting ample press (over the last month or two specifically), journalist Lorenzo Franceschi-Bicchierai has been pointing out that T-Mobile doesn’t appear to want to much talk about it. For context, this is a screenshot taken of T-Mobile’s internal systems, either by an employee being paid to participate in the SIM hijacking, or by a hacker that still has access to T-Mobile’s private internal systems:

There are systems in place that are supposed to prevent you from having your number ported out without your permission. For example, T-Mobile users can call 611 from their cellphone (or 1-800-937-8997) and tell a support staffer that they want to create a ?port validation? passcode to prevent unauthorized number ports. But despite some ongoing lawsuits over this internal security and privacy problem at T-Mobile, it’s still pretty clear the company isn’t doing enough to protect its customers, in stark contrast to the ultra-consumer-friendly branding schtick the “uncarrier” has been cashing in on for years.

Filed Under: , ,
Companies: t-mobile

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Cops Slowly Wise Up To The SIM Hijacking Trend Carriers Don't Want To Seriously Address”

Subscribe: RSS Leave a comment
Ed (profile) says:

Re: T-Mobile note

That PIN is useless unless the employees pay any attention to it. Experience I’ve had, and many others as reported on other forums, shows many “customer service” people completely ignore the PIN and simply allow the user to verify their address or birthday as proof of ID. The problem is that T-Mobile doesn’t make verification of the PIN mandatory for their agents, it just shows up on the screen and they don’t have to pay any attention to it to go forward.

Anonymous Coward says:

Re: Re: T-Mobile note

Cant control for stupid service agents.

My wife had her identity stolen (we are fairly certain it came from the big credit bureau hack) and a person in the Mid-West tried to open up multiple phone lines and buy multiple phones with her identity. Some succeeded, most did not because the person did not have a valid ID or home address matching the social.

We only found out because they were idiots and tried it at nearly every Verizon store in their city. That finally hit the fraud team at Verizon and we got a call from them (I have no clue how they got our phone number since we have never had a Verizon account). We were able to get everything off of our credit and guarantees that the ones she did open we would not be responsible for. Apparently, some stores did sell the thief a phone and a plan with no ID verification at all. The fraud department said they would be getting a nasty visit from their district supervisor.

We filed a police report, but last time I checked nothing happened with it.

Thad (profile) says:

Re: Re: T-Mobile note

PINs are also easy to socially engineer.

People in phone centers are typically motivated by a desire to (1) help a customer and (2) not get yelled at by the customer. The cases where a legitimate customer forgets their PIN probably outnumber the fraudulent attempts by an awful lot. Many support representatives, even well-trained ones, can be tricked into bending the rules and overlooking a bad or partial PIN.

Here’s a good story from a few years back: How I lost my $50,000 Twitter username. It details how a social engineer managed to, among other things, give a GoDaddy support tech the last two digits of the real user’s credit card and convince the tech to accept those instead of all four. (Incidentally, the user eventually got his account back.)

Story time: I was working at GoDaddy at the time. A man walked into our department, looked around, and said, "You all know that you can’t modify an account unless the customer gives you the last four digits of their credit card number, right? It has to be all four." After he left, my supervisor turned to me and said, "That was one of the executives."

Later, I went to lunch, checked my RSS feeds, and saw that story on Ars. And I thought, "Oh, so that was what that was all about."

True story: the policy GoDaddy implemented to fix the issue was…to ask for the last six digits of users’ credit card numbers.

James Burkhardt (profile) says:

I ported my own number out from T-Mobile recently. I had a PIN supposedly. I didn’t know it. I don’t remember setting it up. It wasn’t anything I would have set it to. I called a number, validated my account with standard questions, and got the PIN changed. It might be me calling from the correct number that smoothed things out. But it felt significantly less valuable then advertised.

Spaceboy (profile) says:


PINs are useless in this scam. The ‘hacker’ is switching the targets phone number to a device they control. This can be done within a few minutes. They either already have access to the PIN, have someone on the inside, or are using social engineering to gain access to the targets phone number. Once they have local access to a phone number, they change the PIN to something else and do whatever it is they want to do.

A ‘Port Out’ pin is similarly worthless if the scammer gains control of the phone number.

Usually, by the time the target realizes there is something wrong it is too late, the damage has been done. When they call their carrier they will not be able to gain access to their account because they do not know the new PIN. Best case scenario will be for them to go to a retail location to show their ID as proof of ownership. But if the number was ported out to another carrier they are fucked. There is no easy way to prove to another carrier that they are the legitimate owner of a particular phone number. Meanwhile the person that now has the phone number is changing passwords on all kinds of accounts and setting up Two-Factor Authentication, locking the target out of their own accounts, banks, social media, whatever. All this can be done in a few hours. You could wake up tomorrow and be locked out of everything.

You won’t notice anything is wrong because you won’t be getting any email notifications because all your passwords have been changed.

What’s worse is there are many 2FA apps out there that rely on an email or phone number for their own authentication. So if the scammer has access to their phone number, there is no service that they will not be able to change the authentication on.

This is a pandora’s box that the carriers need to address. It is mandated that customers can take their phone numbers with them. We need to figure out a process that can reliably authenticate the person requesting the port instead of using a 4-digit code.

Anonymous Coward says:

Re: LOL at PINs

No, people need to stop relying on easily hacked devices / services to provide security for their identities.

A good stop to this would be a local authenticator app, like Blizzard’s Battle.NET Authenticator, or any of the various ones you can use with services like github. (Assuming they still allow that after MS bought them. I haven’t checked.)

Alternatively, you could always go for a yubikey, or some other hardware token for 2FA, but that’s “inconvenient” for most people.

SMS has never been secure, and that fact has been known for over a decade now. The only reason it took off as a 2FA mechanism was because of the popularity of cellphones and the lack of a need for action on the user’s part. Well, I guess we got what we paid for.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...