Scams

by Karl Bode


Filed Under:
arrest, scams, sim hijacking

Companies:
t-mobile



Cops Slowly Wise Up To The SIM Hijacking Trend Carriers Don't Want To Seriously Address

from the you've-got-a-bit-of-a-problem-here dept

It only took a few years, but law enforcement finally appears to be getting wise to the phenomenon of SIM hijacking, which lets a hacker hijack your phone number, then take control of your personal accounts. As we've been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data. Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target's banking or cryptocurrency accounts.

This week, news reports indicated that California authorities finally brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin:

"Investigators accuse Ortiz of being a prolific SIM hijacker who mainly targeted victims to steal their cryptocurrency but also to take over their social media accounts with the goal of selling them for Bitcoin. According to the investigators, as well as people in the SIM swapping community, Ortiz was a member of OGUSERS, a website where members trade valuable Instagram or Twitter accounts."

In one of at least three attacks that happened during Consensus, Ortiz allegedly stole more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million that he had crowdfunded in an ICO."

SIM hijacking has been making headlines for the better part of the last year, so it's nice to see law enforcement finally paying attention. What still isn't getting enough attention is the fact that these hackers are increasingly getting help from employees inside of major wireless carriers like T-Mobile. As security researcher Brian Krebs has been noting, wireless carrier employees can often be duped into conducting a SIM swap, allowing the hackers to steal another users' identity. Often hackers will go store to store until they've found an employee that's gullible enough or open to financial compensation to do it:

"A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider’s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

However, thieves and other ne’er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) — effectively giving the attackers access to any text messages or phone calls that are sent to the target’s mobile account."

And while some store employees have been duped, others are cooperating willingly with the hackers.

Reports over at Motherboard have highlighted how some employees are taking cash payments in exchange for private consumer data routinely only made available to carrier insiders. And despite this getting ample press (over the last month or two specifically), journalist Lorenzo Franceschi-Bicchierai has been pointing out that T-Mobile doesn't appear to want to much talk about it. For context, this is a screenshot taken of T-Mobile's internal systems, either by an employee being paid to participate in the SIM hijacking, or by a hacker that still has access to T-Mobile's private internal systems:

There are systems in place that are supposed to prevent you from having your number ported out without your permission. For example, T-Mobile users can call 611 from their cellphone (or 1-800-937-8997) and tell a support staffer that they want to create a “port validation” passcode to prevent unauthorized number ports. But despite some ongoing lawsuits over this internal security and privacy problem at T-Mobile, it's still pretty clear the company isn't doing enough to protect its customers, in stark contrast to the ultra-consumer-friendly branding schtick the "uncarrier" has been cashing in on for years.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Coyne Tibbets (profile), 1 Aug 2018 @ 6:47am

    T-Mobile note

    The T-Mobile paragraph is not correct. They have recommended a pin at time of phone purchase since at least 2013, the date I recorded my pin.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Aug 2018 @ 7:04am

      Re: T-Mobile note

      Your personal experience has nothing to do with policy.

      reply to this | link to this | view in chronology ]

      • icon
        PaulT (profile), 1 Aug 2018 @ 7:09am

        Re: Re: T-Mobile note

        Also, since T-Mobile is one of those companies that's gone trough a lot of acquisitions, mergers, etc., it's very possible that one part of the company required you to do that while in another area they didn't.

        Not to mention that "recommended" does not mean "people will actually do it".

        reply to this | link to this | view in chronology ]

    • icon
      Ed (profile), 1 Aug 2018 @ 7:15am

      Re: T-Mobile note

      That PIN is useless unless the employees pay any attention to it. Experience I've had, and many others as reported on other forums, shows many "customer service" people completely ignore the PIN and simply allow the user to verify their address or birthday as proof of ID. The problem is that T-Mobile doesn't make verification of the PIN mandatory for their agents, it just shows up on the screen and they don't have to pay any attention to it to go forward.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 1 Aug 2018 @ 8:28am

        Re: Re: T-Mobile note

        Cant control for stupid service agents.

        My wife had her identity stolen (we are fairly certain it came from the big credit bureau hack) and a person in the Mid-West tried to open up multiple phone lines and buy multiple phones with her identity. Some succeeded, most did not because the person did not have a valid ID or home address matching the social.

        We only found out because they were idiots and tried it at nearly every Verizon store in their city. That finally hit the fraud team at Verizon and we got a call from them (I have no clue how they got our phone number since we have never had a Verizon account). We were able to get everything off of our credit and guarantees that the ones she did open we would not be responsible for. Apparently, some stores did sell the thief a phone and a plan with no ID verification at all. The fraud department said they would be getting a nasty visit from their district supervisor.

        We filed a police report, but last time I checked nothing happened with it.

        reply to this | link to this | view in chronology ]

        • identicon
          Sharur, 2 Aug 2018 @ 1:47pm

          Re: Re: Re: T-Mobile note

          As someone who works in IT for a financial company, its trivial to get your phone number from your SSN.

          Just get a credit report (which they probably already had at this point): you phone number, address and alot of other personal information will be on it.

          reply to this | link to this | view in chronology ]

      • icon
        Thad (profile), 1 Aug 2018 @ 10:46am

        Re: Re: T-Mobile note

        PINs are also easy to socially engineer.

        People in phone centers are typically motivated by a desire to (1) help a customer and (2) not get yelled at by the customer. The cases where a legitimate customer forgets their PIN probably outnumber the fraudulent attempts by an awful lot. Many support representatives, even well-trained ones, can be tricked into bending the rules and overlooking a bad or partial PIN.

        Here's a good story from a few years back: How I lost my $50,000 Twitter username. It details how a social engineer managed to, among other things, give a GoDaddy support tech the last two digits of the real user's credit card and convince the tech to accept those instead of all four. (Incidentally, the user eventually got his account back.)

        Story time: I was working at GoDaddy at the time. A man walked into our department, looked around, and said, "You all know that you can't modify an account unless the customer gives you the last four digits of their credit card number, right? It has to be all four." After he left, my supervisor turned to me and said, "That was one of the executives."

        Later, I went to lunch, checked my RSS feeds, and saw that story on Ars. And I thought, "Oh, so that was what that was all about."

        True story: the policy GoDaddy implemented to fix the issue was...to ask for the last six digits of users' credit card numbers.

        reply to this | link to this | view in chronology ]

  • icon
    James Burkhardt (profile), 1 Aug 2018 @ 7:58am

    I ported my own number out from T-Mobile recently. I had a PIN supposedly. I didn't know it. I don't remember setting it up. It wasn't anything I would have set it to. I called a number, validated my account with standard questions, and got the PIN changed. It might be me calling from the correct number that smoothed things out. But it felt significantly less valuable then advertised.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Aug 2018 @ 9:38am

    Identity Theft is incorrect terminology.
    It is actually fraud perpetrated upon business who then expect the individual to make them whole.

    reply to this | link to this | view in chronology ]

  • icon
    Spaceboy (profile), 1 Aug 2018 @ 11:04am

    LOL at PINs

    PINs are useless in this scam. The 'hacker' is switching the targets phone number to a device they control. This can be done within a few minutes. They either already have access to the PIN, have someone on the inside, or are using social engineering to gain access to the targets phone number. Once they have local access to a phone number, they change the PIN to something else and do whatever it is they want to do.

    A 'Port Out' pin is similarly worthless if the scammer gains control of the phone number.

    Usually, by the time the target realizes there is something wrong it is too late, the damage has been done. When they call their carrier they will not be able to gain access to their account because they do not know the new PIN. Best case scenario will be for them to go to a retail location to show their ID as proof of ownership. But if the number was ported out to another carrier they are fucked. There is no easy way to prove to another carrier that they are the legitimate owner of a particular phone number. Meanwhile the person that now has the phone number is changing passwords on all kinds of accounts and setting up Two-Factor Authentication, locking the target out of their own accounts, banks, social media, whatever. All this can be done in a few hours. You could wake up tomorrow and be locked out of everything.

    You won't notice anything is wrong because you won't be getting any email notifications because all your passwords have been changed.

    What's worse is there are many 2FA apps out there that rely on an email or phone number for their own authentication. So if the scammer has access to their phone number, there is no service that they will not be able to change the authentication on.

    This is a pandora's box that the carriers need to address. It is mandated that customers can take their phone numbers with them. We need to figure out a process that can reliably authenticate the person requesting the port instead of using a 4-digit code.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Aug 2018 @ 6:31pm

      Re: LOL at PINs

      No, people need to stop relying on easily hacked devices / services to provide security for their identities.

      A good stop to this would be a local authenticator app, like Blizzard's Battle.NET Authenticator, or any of the various ones you can use with services like github. (Assuming they still allow that after MS bought them. I haven't checked.)

      Alternatively, you could always go for a yubikey, or some other hardware token for 2FA, but that's "inconvenient" for most people.

      SMS has never been secure, and that fact has been known for over a decade now. The only reason it took off as a 2FA mechanism was because of the popularity of cellphones and the lack of a need for action on the user's part. Well, I guess we got what we paid for.

      reply to this | link to this | view in chronology ]

  • identicon
    oliver, 1 Aug 2018 @ 11:05pm

    I wonder...

    ... if there isn't a technical solution to that problem, that already exists...
    Yeah, ESIM!

    NOT!

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.