AT&T, Verizon Employees Caught Up In DOJ SIM Hijacking Bust

from the ill-communication dept

Wireless carriers are coming under increasing fire for failing to protect their users from the practice of SIM hijacking (aka a port scam). The practice involves posing as a wireless customer, then fooling a wireless carrier into porting the victim’s cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Last year, a customer sued T-Mobile for failing to protect his account after a hacker pretending to be him ported out his phone number then stole thousands of dollars worth of cryptocoins.

Subsequent reports have shown how identity thieves use SIM hijacking to do everything from cleaning out bank accounts to stealing valuable Instagram usernames and selling them for Bitcoin. Reports often showed how these scams were being carried out with the willful help of some cellular carrier employees, something wireless carriers (understandably) haven’t been particularly keen on talking about.

That was confirmed again last week when the DOJ accused nine people of being part of a crime ring known as “The Community.” The organization’s specialty was SIM hijacking, which involved having three former employees at AT&T and Verizon steal user identities (and subsequently several million dollars):

“White, according to the feds, helped the criminals steal more than $2 million from several victims by performing 29 fraudulent SIM swaps. White communicated with the criminals via Telegram, according to the document. Jack, who was an associate of White, allegedly performed twelve fraudulent SIM swaps in May of 2018. White allegedly paid Jack $585.25 for his help in the SIM swapping conspiracy, according to the complaint.”

The full DOJ announcement provides some interesting reading. In some instances the employees would conduct the SIM swaps themselves. In other instances they’d simply provide enough private account data to the scammers to help them pose as the customer. It’s likely there are more such cases waiting in the wings, and critics continue to highlight how cellular carriers have consistently and repeatedly failed to adequately police fraud perpetrated by their own employees:

“This isn’t social engineering anymore,” Ross, who was SIM swapped last year, said in an online chat. “The story needs to move from ‘the carriers aren’t doing enough to fix the problem’ to ‘the carriers have no control over their tens of thousands of customer service reps and knowingly allowed them to be bribed.’”

There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from their cellphone (or 1-800-937-8997), then tell a support staffer that they want to create a “port validation” passcode. Still, like the SS7 exploit that has been in the wild for years, it’s pretty clear that wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and raising rates, and a little more time protecting their customers from security threats.

Companies: at&t, verizon


Comments on “AT&T, Verizon Employees Caught Up In DOJ SIM Hijacking Bust”

That Anonymous Coward (profile) says:

Gee it’s almost like giving cogs access to things with no oversight leads to problems…
Pay no attention to the police database abuses
Pay no attention to other database abuses

One thinks it’s sad the Feds managed to catch this while the carriers just fiddled, it’s almost like they have no concern for customers. They are just a revenue source to be harvested without any concern.

If only we had an agency to provide oversight to the carriers & impose even the slightest fines to motivate them to take action to protect the public & allow them to be sued when they fail to make the victims whole… instead of a smiling jackass who has no problem making sure the carriers don’t even need to provide the smallest amount of lube while they….

That Anonymous Coward (profile) says:

Re: Re: Re:

I am infallible, I’m an immortal sociopath.

I was wrong once, when I had assumed that Mr. Duffy had passed away and been replaced by a manikin as he had missed some 15 court appearances. Turns out he was alive, & just really sucked at being a lawyer.

As sometimes spokescoward for teh gays, I can confirm none of us want Mr. Pai, not even for a hate fuck.

Anonymous Coward says:

‘the carriers have no control over their tens of thousands of customer service reps and knowingly allowed them to be bribed’

,,,,, sounds highly exaggerated

how many businesses anywhere have full control over all their Customer Service Reps ?

how many businesses have Anti-Bribery procedures in place for their Customer Service Reps ?

PaulT (profile) says:

Re: Re:

There’s plenty of restrictions a large company is obliged to put into place to protect consumers from rogue employees, as well as procedures that should be in place to limit damage if those restrictions fail. There’s also a lot of space between "full control" (your words) and "no control" (what you quoted)

It’s not about being 100% perfect but if, as implied in the quote, they knew they had employees being bribed to do these things and did nothing to stop it, they deserve to have the book thrown at them.

That Anonymous Coward (profile) says:

Re: Re:

How many businesses give complete and total access to Customer Service Reps?
How does having access to my porting password, mother’s maiden name, last 4 of my social improve their ability to offer me a shitty credit when their service sucked??
How hard can it be to notice a record accessed & suddenly ported out afterwards?

Other than it might cost them some money to put security into place, is there any good reason for allowing this to happen?
Perhaps if the courts decided they were at fault when customers were robbed with assistance from their employees/contractors/sub-contractors (which are just dodges to avoid responsibility & benefits), they suddenly might discover they had the power to protect consumers all along.
