After Jack Hack, Government Starts Taking Wireless 'SIM Hijacking' Seriously

from the yeah-maybe-get-on-that dept

Wireless carriers have been under fire for failing to protect their users from the practice of SIM hijacking. The attack involves posing as a wireless customer and fooling the carrier into porting the victim’s cell phone number right out from underneath them, after which the attacker receives the victim’s calls and texts and can pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker, pretending to be him, ported out his phone number, then used that control of his identity to steal thousands of dollars worth of cryptocoins.

As with the wireless industry’s ongoing location data scandals, the FCC has so far refused to utter so much as modest condemnation of carriers that have failed to protect users.

But with Twitter CEO Jack Dorsey having his Twitter account recently hijacked thanks to SIM hijacking, the government appears to have finally gotten the message that we have a bit of a problem.

For example, the FBI issued a warning last month to its private industry partners, noting that two-factor authentication can be bypassed by such attacks:

“The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.

Carriers, for their part, don’t much like to talk publicly about the problem, in part because it’s frequently their own employees who facilitate the scams for a little money on the side. Identity thieves use SIM hijacking for everything from cleaning out bank accounts to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn’t particularly complicated, and more often than not involves social engineering of a cellular carrier’s support employees rather than any technical exploit. Until the Dorsey hack, the carriers’ refrain had been that this is a small, isolated problem. It isn’t.

There are some steps users can take. The one that actually addresses this attack is a carrier-side passcode that support staff must check before moving a number: T-Mobile users can, for example, call 611 from their cellphone (or 1-800-937-8997) and tell a support staffer that they want to create a "port validation" passcode (here’s a guide for other carriers). Changing passwords frequently, by contrast, offers little against an attacker who already receives the SMS codes used to reset them; moving two-factor codes off SMS to an authenticator app or hardware key, where a service allows it, helps more. Still, like the SS7 signaling attacks that have been in the wild for years, it’s clear wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time training their employees and protecting their customers from security threats.
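The bank or exchange on the receiving end of the fraud can also do something: a password reset or withdrawal confirmed with an SMS code minutes after the number was ported out is the signature of the attack described above. The following is an added example, not code from the article or from any carrier or bank. It assumes the relying party gets carrier "number moved" events (a port-out notification feed or a SIM-swap lookup service) next to its own authentication log; the log line format, the phone numbers, the timestamps and the 72-hour window are all constructed for illustration.

```python
"""
Flag actions authenticated with an SMS one-time code shortly after the phone
number the code was sent to was ported out or moved to a new SIM.

Added example, not from the article. The relying party is assumed to receive
carrier "number moved" events; everything below is constructed sample data.
"""
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Assumption: a fresh port-out is treated as hostile for three days, long
# enough for a victim to notice a dead phone and call the carrier.
RISK_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class Event:
    at: datetime
    source: str   # "carrier" or "service"
    kind: str     # carrier: port_out | sim_change; service: the action taken
    factor: str   # service events only: sms_otp | totp | webauthn | none
    number: str   # E.164 phone number that moved / that the code went to


def parse_line(line: str) -> Event:
    """Parse one constructed log line of either form:
    <iso8601Z> carrier <port_out|sim_change> <number>
    <iso8601Z> service <action> <factor> <number>
    """
    fields = line.split()
    at = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if fields[1] == "carrier":
        _, _, kind, number = fields
        return Event(at, "carrier", kind, "none", number)
    _, _, kind, factor, number = fields
    return Event(at, "service", kind, factor, number)


def find_suspicious(lines: List[str], window: timedelta = RISK_WINDOW
                    ) -> List[Tuple[Event, Event, timedelta]]:
    """Return (service_event, carrier_event, age) for every SMS-OTP
    authenticated action whose number moved within `window` before it."""
    events = [parse_line(ln) for ln in lines if ln.strip()]
    # Per-number history of carrier moves, sorted so we can bisect on time.
    moved = defaultdict(list)
    for e in sorted((e for e in events if e.source == "carrier"), key=lambda e: e.at):
        moved[e.number].append(e)
    findings = []
    for action in (e for e in events if e.source == "service"):
        if action.factor != "sms_otp":
            continue  # a TOTP app or security key does not travel with the number
        history = moved.get(action.number, [])
        i = bisect_right([m.at for m in history], action.at)
        if i == 0:
            continue  # number never moved before this action
        last_move = history[i - 1]
        age = action.at - last_move.at
        if age <= window:
            findings.append((action, last_move, age))
    return findings


# Constructed sample: +15551230001 is ported out and drained within the hour;
# +15551230002 changed SIMs ten days earlier; +15551230003 never moved.
SAMPLE_LOG = """
2019-08-30T10:05:00Z carrier port_out +15551230001
2019-08-30T10:40:00Z service password_reset sms_otp +15551230001
2019-08-30T10:52:00Z service withdrawal sms_otp +15551230001
2019-08-30T11:00:00Z service login totp +15551230001
2019-08-20T09:00:00Z carrier sim_change +15551230002
2019-08-30T12:00:00Z service login sms_otp +15551230002
2019-08-30T12:30:00Z service login sms_otp +15551230003
""".strip().splitlines()

if __name__ == "__main__":
    for action, move, age in find_suspicious(SAMPLE_LOG):
        hours = age.total_seconds() / 3600
        print(f"{action.at:%Y-%m-%d %H:%M} {action.kind} to {action.number}: "
              f"number {move.kind} {hours:.1f}h earlier; step up or deny")
```

Run as-is, it reports the password reset and the withdrawal on the freshly ported number and nothing else: the TOTP login is ignored because the factor never touched the number, and the ten-day-old SIM change is outside the window. Flagged actions should be pushed to a non-SMS factor or a manual review rather than silently denied, since legitimate customers also port numbers.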



Comments on “After Jack Hack, Government Starts Taking Wireless 'SIM Hijacking' Seriously”

Anonymous Coward says:

Re: Re:

while "SIM swap" means switching it just to some other telephone

The word "it" here could cause confusion. We’re talking about moving the number to a different SIM card, not moving the SIM card to a different phone. "SIM swap" is not a good name for it, because the subscriber’s SIM never got "swapped" or moved at all.

Anonymous Coward says:

Re: Re: Re: Re:

A SIM swap is where you swap the SIM associated with a number.

"Swap" also implies symmetry, as if your SIM card would then be associated with the attacker’s account.

What other short descriptor would you use

I don’t necessarily have a solution to every problem I point out, but I question the tendency to pursue terseness at the cost of clarity. Would it be so bad to say the number was transferred without authorization? We could call it TWOL "transferred without official leave" if terseness is critical and a dated meaning of "leave" is acceptable.

"SIM" is an irrelevant technical detail. We don’t need to mention that any more than we mention ICCID, UICC, IMSI, or K_i.

James Burkhardt (profile) says:

Re: Re:

As the AC notes, SIM cloning requires physical access to the SIM card. Unlike TV depictions, SIM cloning isn’t a wireless process. While it’s an open hole, it’s hard to pull off, and if your mark notices a missing phone a legit SIM swap completely shuts down any future exploitation. SIM swapping doesn’t require the SIM card, the phone, or even being in the same time zone as the targeted phone. And SS7 hacking is wireless and provides much of the same benefit as SIM cloning. It’s not an efficient vulnerability.

James Burkhardt (profile) says:

Re: Re: Re:2 Re:

Ideas which would, conceivably, require remotely compromising the device to give up that information, fighting against device manufacturers’ work to fill security holes, at which point your cloning the SIM card is the least of the mark’s problems. You also lose the benefit of not being able to close the SIM clone vulnerability, as device manufacturers could close the vulnerability that gets you the SIM card information from the phone itself.

I’m not saying SIM cloning isn’t a thing. It likely is. But I perceive its only benefit being in longer-term targeted surveillance by governments, rather than the benefits of SIM swapping or SS7 hacking, which are in rapid moves to steal assets in moments. And given that a SIM swap stops the feed of information, or worse, you might be vulnerable to intentional misinformation if the cloning is discovered, it’s likely not laziness or lack of need, but lack of practicality.

Anonymous Coward says:

Re: Re: Re:3 Re:

Ideas which would, conceivably, require remotely compromising the device to give up that information, fighting against device manufacturer’s work to fill security holes, at which point you cloning the SIM card is the least of the mark’s problems.

Attackers have shown a penchant for finding security holes against very motivated manufacturers in related fields such as game consoles and satellite TV receivers, putting in much more effort than anyone could call reasonable. Stealing phone numbers gives a more direct path to real-world profit.

Were I looking for a flaw here, I’d look toward the SIM manufacturers—bad cryptography (cf. ROCA) and initialization vulnerabilities (cf. the RSA SecurID compromise).

ECA (profile) says:

Many of you....

Have been on the net a long time, and understand a bit of what the net is like. And even fewer of you understand the old internet, that’s still there.

How many of you remember all the fun of creating an account, in the past, and NOW…
It has taken years for them to figure out a few things. Like verification… HOW to prove WHO you are..

This is like Spam phone calls..HOW can you tell?

  1. In the first seconds THEY must ID themselves.
  2. Social Sec. DON’T make phone calls.
  3. YOUR credit card corp WILL NOT call you and ASK for your card number to verify you. (They have all that data.) (OR SHOULD.)
  4. Make a permanent internet email account, NOT with an ISP; those get deleted if you change service. Gmail lets you have 3-4 from 1 account, and you can gear them to importance. BILLS is a good one.

Sorting all this out is a real pain unless you are really organized. Passwords are a pain also.

Google has a pretty good verification, up to 3 parts..
There is a trick I suggest to my customers… It’s not the questions for verification, it’s the answer.. No matter the question, "where were you born", ‘Da moon’.. is a better answer than the real location..

Anonymous Coward says:

Yesterday you posted an article about Twitter 2FA. One would think that while researching that, you would have found out that you can’t remove your phone number from Twitter without it disabling all 2FA.

Then today you link to an article that incorrectly claims you can remove your phone number from Twitter without losing 2FA.
