Cops Slowly Wise Up To The SIM Hijacking Trend Carriers Don't Want To Seriously Address
from the you've-got-a-bit-of-a-problem-here dept
It only took a few years, but law enforcement finally appears to be getting wise to the phenomenon of SIM hijacking, which lets a hacker hijack your phone number, then take control of your personal accounts. As we’ve been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data. Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target’s banking or cryptocurrency accounts.
This week, news reports indicated that California authorities finally brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin:
“Investigators accuse Ortiz of being a prolific SIM hijacker who mainly targeted victims to steal their cryptocurrency but also to take over their social media accounts with the goal of selling them for Bitcoin. According to the investigators, as well as people in the SIM swapping community, Ortiz was a member of OGUSERS, a website where members trade valuable Instagram or Twitter accounts.”
In one of at least three attacks that happened during Consensus, Ortiz allegedly stole more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million that he had crowdfunded in an ICO.”
SIM hijacking has been making headlines for the better part of the last year, so it’s nice to see law enforcement finally paying attention. What still isn’t getting enough attention is the fact that these hackers are increasingly getting help from employees inside of major wireless carriers like T-Mobile. As security researcher Brian Krebs has been noting, wireless carrier employees can often be duped into conducting a SIM swap, allowing the hackers to steal another users’ identity. Often hackers will go store to store until they’ve found an employee that’s gullible enough or open to financial compensation to do it:
“A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider?s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.
However, thieves and other ne?er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) ? effectively giving the attackers access to any text messages or phone calls that are sent to the target?s mobile account.”
And while some store employees have been duped, others are cooperating willingly with the hackers.
Reports over at Motherboard have highlighted how some employees are taking cash payments in exchange for private consumer data routinely only made available to carrier insiders. And despite this getting ample press (over the last month or two specifically), journalist Lorenzo Franceschi-Bicchierai has been pointing out that T-Mobile doesn’t appear to want to much talk about it. For context, this is a screenshot taken of T-Mobile’s internal systems, either by an employee being paid to participate in the SIM hijacking, or by a hacker that still has access to T-Mobile’s private internal systems:
My stories on SIM swapping have been widely read, drawing attention to telecom providers' security weaknesses.
— Lorenzo Franceschi-Bicchierai (@lorenzofb) July 30, 2018
There are systems in place that are supposed to prevent you from having your number ported out without your permission. For example, T-Mobile users can call 611 from their cellphone (or 1-800-937-8997) and tell a support staffer that they want to create a ?port validation? passcode to prevent unauthorized number ports. But despite some ongoing lawsuits over this internal security and privacy problem at T-Mobile, it’s still pretty clear the company isn’t doing enough to protect its customers, in stark contrast to the ultra-consumer-friendly branding schtick the “uncarrier” has been cashing in on for years.