Wireless Carriers Have A SIM Hijacking Problem They Don't Want To Talk About

from the nothing-to-see-here dept

Wireless carriers are coming under increasing fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier into porting the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him ported out his phone number, then managed to use his identity to steal thousands of dollars' worth of cryptocoins.

It didn't take long for numerous customers to complain they were victims of the same scam, and for T-Mobile to send out a warning to users encouraging them to add a few layers of additional security to their accounts.

But the problem appears to be even worse than originally believed. A new report takes a closer look at the problem, exploring how identity thieves use SIM hijacking to do everything from cleaning out bank accounts, to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn't particularly complicated, and more often than not involves the social engineering of a cellular carrier's support employees. The entire process tap dances around protections like two-factor authentication, and highlights the peril of relying too heavily on a single cell phone number for identity verification in apps and other services.

Carriers, for their part, don't much like to publicly talk about the problem, in part because it's occasionally their employees who are helping to facilitate the scams for a little extra cash:

"Thug and Ace explained that many hackers now recruit customer support or store employees who work at T-Mobile and other carriers and bribe them $80 or $100 to perform a SIM swap on their target. Thug claimed they got access to the T-Mobile tool by bribing an insider, but Motherboard could not verify this claim. T-Mobile declined to answer questions on whether the company had any evidence of insiders being involved in SIM swap scams."

Quite often, those cellular carrier employees are more than happy to provide hackers with direct access to cellular carrier support systems:

"(One hacker) said they do SIM swaps by using an internal T-Mobile tool to look up subscribers’ data. During our chat, the hacker showed me a screenshot of them browsing the tool. I gave (the hacker) my phone number as a test, and the hacker sent back a screenshot that contained my home address, IMSI number (a standardized unique number that identifies subscribers), and other theoretically secret account information. Thug even saw the special instructions that I gave T-Mobile to protect my account."

As is their usual MO, wireless carriers don't much want to have a serious conversation about the problem, and often insist that it's only impacting a few, rare accounts (in stark contrast to the laundry list of increasing complaints seen over the last few years):

"Motherboard reached out to AT&T, Verizon, Sprint, and T-Mobile—the big four US cell phone providers—requesting data on the prevalence of SIM swapping. None of them agreed to provide such information. An AT&T spokesperson said this kind of fraud “affects a small number of our customers and this is rare for us,” but did not respond when asked to clarify what “small number” means."

There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from their cellphone (or 1-800-937-8997), then tell a support staffer that they want to create a “port validation” passcode. Still, like the SS7 exploit that has been in the wild for years, it's pretty clear that wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time protecting their customers from security threats.


Reader Comments


  1. Ehud Gavron, 20 Jul 2018 @ 6:32am

    Port-out PIN

    Sure, you can set a Port-Out PIN, but the "hacker" doesn't need to port your number [to a different carrier] at all.

    They can simply do a SIM swap, on the same carrier, suggesting to the customer service person that the customer is simply activating a new SIM on the account and switching phones, something that's done all the time.

    The US carriers currently have no reasonable methods in play to prevent this, mainly because they want to make it convenient to sell their customers a new phone, throw in a new SIM, activate it, move the telephone number (TN) and voila it all works.

    As it does for the "hacker" stealing the TN.

    Ehud

  2. Ninja, 20 Jul 2018 @ 9:20am

    Re: Port-out PIN

    This is actually another symptom of everybody treating security as an afterthought. And to treat the disease we'd need to start imposing heavy fines for breaches, something our lawmakers (and I'm including pretty much every country in the world) are either oblivious to the urgency or they are outright corrupt and stuffed with corporate money not to give a damn.

  3. any moose cow word, 20 Jul 2018 @ 10:00am

    System security is meaningless if a $100 bribe seems lucrative to an employee. Just another reason to pay them a decent wage.

  4. Anonymous Coward, 20 Jul 2018 @ 10:04am

    Re: Re: Port-out PIN

    It's also a problem of security vs convenience. Carriers can require all SIM updates to be done only in the store, but consumers don't want to have to go to the store for that.

  5. Anonymous Coward, 20 Jul 2018 @ 10:05am

    No apparent relation to SIMs

    The article talks about "SIM swapping" and "phone hacking", but doesn't justify these terms. There's no evidence the customer's SIM card or phone is accessed; the problem described seems to be entirely on the telco side.

  6. Anonymous Coward, 20 Jul 2018 @ 10:07am

    Well There's Your

    "and more often than not involves the social engineering of a cellular carrier's support employees"

  7. Anonymous Coward, 20 Jul 2018 @ 10:08am

    Well There's Your Problem

    "and more often than not involves the social engineering of a cellular carrier's support employees"

    The weakest security link will always be people.

  8. Anonymous Coward, 20 Jul 2018 @ 10:32am

    Friend was using Sprint as her carrier. She lives on the west coast. Someone in Florida somehow stole her Sprint account and had her billing info moved to that Florida address.

    Went into Sprint when noticed no bills were arriving in her mailbox. Was informed she apparently now lives in Florida as that is where the bills are now being sent.

    Friend informed Sprint of what is happening... was told by Sprint that the only way they could help her is to fill out a police report for stolen identity and then send Sprint the police report and have the officer making said report to call them. Sprint does not provide an internal number to their fraud department, at least not a number they would provide to my friend.

    Inform the officer taking the report we do not have a contact number for him to call Sprint.. he says he will use department resources to get a number for Sprint.

    Few days go by, officer calls back to say Sprint will not speak to him and refuses to give out any information.

    Finally my friend was able to get the Florida address where the bills are currently being sent. Inform the police of the new info, and there is no progress as they require Sprint to cooperate with the police in order to move the investigation along... Sprint still refuses to cooperate with the police.

    Currently account is gone to collections. The collections company has been made fully aware of what Sprint is doing so they (the collection company) are trying to get Sprint to speak with the police.

    Sprint... not a company to do business with.

  9. James Burkhardt, 20 Jul 2018 @ 10:46am

    Re: No apparent relation to SIMs

    T-Mobile referred to the issue as a Port-out scam, which seems to be a far more accurate representation of the fraud seen here. SIM swapping is another issue, as described in the first comment here.

  10. Anonymous Coward, 20 Jul 2018 @ 10:49am

    Re:

    "System security is meaningless if a $100 bribe seems lucrative to an employee."

    Not entirely meaningless. Many improvements could be made, notably: don't allow any employee to look up information on any customer. The person should be calling from the phone number linked to the account; in cases of stolen or lost phones, an override could be approved and logged. Geolocation could also help.

    "Decent wages" are a good idea but can only go so far; there will always be some employee who could use another hundred bucks (lots of people manage to spend everything they make, even when it's a large amount of money).

  11. Anonymous Coward, 20 Jul 2018 @ 11:15am

    This is why...

    ... I will NEVER have any banking app or info on my cell. I will always use my PC at home, or if needed my laptop in the field. But never my cell!

  12. any moose cow word, 20 Jul 2018 @ 11:24am

    Re: Re:

    Most security measures the carrier could take can potentially be bypassed by an employee. Others could be bypassed by a hacker, including GPS. Requiring the user's phone is a non-starter if the phone can't connect to the network. Also, some corrections require a reboot, or even multiple reboots. While making users call back repeatedly may make some companies happy, it's a sure way to piss off customers.

    BTW, I didn't imply that paying employees better would end all insider espionage, just that it would make the price for "entry" considerably more expensive.

  13. James Burkhardt, 20 Jul 2018 @ 11:34am

    Re: This is why...

    Which has nothing to do with this issue. Banks suggest the use of two factor authentication, of which the simplest second factor, and therefore most common, is a text message with a one time code to an approved cell phone. A phone port out scam allows the hacker to capture that one time code, and gain access to various accounts like banks, PayPal, Amazon, Coinbase, etc. Not using mobile banking does nothing to resolve this issue.

  14. Ninja, 20 Jul 2018 @ 12:19pm

    Re: This is why...

    Because PCs are much less vulnerable. Not.

  15. Anonymous Coward, 20 Jul 2018 @ 12:46pm

    Re: Re: This is why...

    Oh come on. Your phone is far more likely to be lost or stolen than your PC, unless it's a laptop which is still not equal in likelihood to a cell phone as you carry it less often than your phone.

  16. ECA, 20 Jul 2018 @ 12:47pm

    WARNING

    Advanced tech and protections COST MONEY..
    They don't want to Pay money to create a complicated system, with tons of REAL security..

    Even the police agencies in the USA can spoof your phone, and listen to everything you say..
    The security between your Phone and the Tower is the weakest thing you will ever find.

    Many internet companies have found HOW to do Good security..NOT great.

  17. JarHead, 20 Jul 2018 @ 1:03pm

    Re: This is why...

    This is the approach I'm using also, but went a step further: never have anything related to banking on anything which has a processor in it. That includes PC. Then set up with my bank(s) that anything done on my account requires my physical presence at one of their branches.

    It might be a hassle, but that's the price I'm willing to pay for my sanity.

  18. James Burkhardt, 20 Jul 2018 @ 2:43pm

    Re: Re: Re: This is why...

    Then again, this scam has nothing to do with having access to your phone... in fact it specifically is designed to bypass your phone. So having no banking info on your phone does not help against this scam.

    Additionally, if your phone is set up right, it is more secure than your computer: a lock screen password that wipes the device if you get it wrong 5 times, and a banking password that you also need to get right within 5 tries or you are locked out. If the thief can accomplish this, they don't need your phone, they can use their own computer.

  19. Matthew Cline, 20 Jul 2018 @ 5:05pm

    Isn't the phone just one part of the two-factor?

    Even if someone hijacks my cell phone number, how does that get them access to (for example) my bank? Don't they also need my password?

  20. Anonymous Coward, 20 Jul 2018 @ 10:40pm

    Re: Re: Re:

    "Most security measures the carrier could take can potentially be bypassed by an employee."

    Yeah. It's no reason not to try. "Requiring" the phone doesn't mean they have to call customer service from it; maybe they just click a button saying they approve the transfer, or read a code printed on the SIM card. Security controls, like requiring approval for anything "unusual", work. Never perfectly: it's annoying when the grocery cashier has to wait for a manager because they double-scanned a $5 item, and cashiers are still prolific thieves in aggregate. But overall, these controls reduce opportunistic crime.

    So pay the customer service people better, limit their access, run audits, and know that some people will get past all that—at least we'll get an impressive caper story from it.

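The controls proposed in comments 10 and 20 (tie support-tool access to a call from the account's own number, require a logged override otherwise, and run audits) can be sketched as an audit over support-tool events. This is an added example, not part of the original thread or any carrier's system; the event fields, the 30-minute window, and the rule that an override must be approved by a second employee are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CALL_WINDOW = timedelta(minutes=30)  # assumed: how long a call justifies access

@dataclass
class Event:                        # hypothetical support-tool audit record
    ts: datetime
    employee: str
    action: str                     # "inbound_call", "lookup" or "sim_change"
    account: str                    # subscriber number the action concerns
    caller: Optional[str] = None    # calling number (inbound_call only)
    approver: Optional[str] = None  # employee who approved an override

def audit(events):
    """Return (event, reason) for each lookup or SIM change lacking justification."""
    findings, last_call = [], {}    # last_call: (employee, account) -> call time
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.employee, ev.account)
        if ev.action == "inbound_call":
            # Only a call placed from the account's own number counts.
            if ev.caller == ev.account:
                last_call[key] = ev.ts
            continue
        if key in last_call and ev.ts - last_call[key] <= CALL_WINDOW:
            continue                # customer was on the line with this employee
        if ev.approver is None:
            findings.append((ev, "no call from account number, no override"))
        elif ev.approver == ev.employee:
            findings.append((ev, "override self-approved"))
        # otherwise: override approved by a second employee, accepted
    return findings

# Constructed sample log; numbers and employee ids are made up.
T0 = datetime(2018, 7, 20, 9, 0)
SAMPLE = [
    Event(T0, "emp1", "inbound_call", "555-0100", caller="555-0100"),
    Event(T0 + timedelta(minutes=5), "emp1", "sim_change", "555-0100"),
    Event(T0 + timedelta(minutes=10), "emp2", "lookup", "555-0101"),
    Event(T0 + timedelta(minutes=20), "emp2", "sim_change", "555-0101", approver="emp2"),
    Event(T0 + timedelta(minutes=30), "emp3", "sim_change", "555-0102", approver="emp4"),
    Event(T0 + timedelta(hours=2), "emp1", "lookup", "555-0100"),
]

if __name__ == "__main__":
    for ev, reason in audit(SAMPLE):
        print(ev.ts.isoformat(), ev.employee, ev.action, ev.account, "->", reason)
```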

  21. Anonymous Coward, 20 Jul 2018 @ 10:45pm

    Re: Re: No apparent relation to SIMs

    "SIM swapping is another issue, as described in the first comment here."

    A dubious name still. The SIM never moves; the account is manipulated to accept an alternate SIM. It's doubtful there's anything "swapped", even virtually—why would the criminal go to the trouble of setting up their own account and giving the victim access to it?

  22. any moose cow word, 20 Jul 2018 @ 11:52pm

    Re: Isn't the phone just one part of the two-factor?

    In regards to banking, they'd most likely do a password reset and use the text option to "authenticate" the reset request. Some banks still use security questions as a secondary authentication method, which is why you should never use questions that ask for public info, or is otherwise available to sufficiently motivated strangers. That includes maiden names of relatives, birthplace, and education or employment history. If your first pet was a registered dog, then don't use it either. Frankly, banks should be embarrassed to use low hanging fruit to "secure" accounts from hacking. Luckily, they usually have a few questions that likely can only be answered by you or maybe a few close individuals. For example, your favorite book. Not the one you tell everyone is your favorite, the one you really love but won't admit to.

  23. Matthew Cline, 22 Jul 2018 @ 10:21am

    Re: Re: Isn't the phone just one part of the two-factor?

    "Some banks still use security questions as a secondary authentication method, which is why you should never use questions that ask for public info, or is otherwise available to sufficiently motivated strangers."

    Whenever there's a security question, my "answer" is just mashing on the keyboard, which I copy-paste into a text file which immediately gets encrypted with my PGP public key.
