AT&T, Verizon Employees Caught Up In DOJ SIM Hijacking Bust

from the ill-communication dept

Wireless carriers are coming under increasing fire for failing to protect their users from the practice of SIM hijacking (aka a port scam). The practice involves posing as a wireless customer, then fooling a wireless carrier into porting the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Last year, a customer sued T-Mobile for failing to protect his account after a hacker pretending to be him ported out his phone number, then stole thousands of dollars worth of cryptocoins.

Subsequent reports have shown how identity thieves use SIM hijacking to do everything from cleaning out bank accounts to stealing valuable Instagram usernames and selling them for Bitcoin. Reports often showed how these scams were being carried out with the willful help of some cellular carrier employees, something wireless carriers haven't (understandably) been particularly keen on talking about.

That was confirmed again last week when the DOJ accused nine people of allegedly being part of a crime ring known as “The Community.” The organization's specialty was SIM hijacking, which involved having three former employees at AT&T and Verizon steal user identities (and subsequently several million dollars):

"White, according to the feds, helped the criminals steal more than $2 million from several victims by performing 29 fraudulent SIM swaps. White communicated with the criminals via Telegram, according to the document. Jack, who was an associate of White, allegedly performed twelve fraudulent SIM swaps in May of 2018. White allegedly paid Jack $585.25 for his help in the SIM swapping conspiracy, according to the complaint."

The full DOJ announcement provides some interesting reading. In some instances the employees would conduct the SIM swaps themselves. In other instances they'd simply provide enough private account data to the scammers to help them pose as the customer. It's likely there are more such cases waiting in the wings, and critics continue to highlight how cellular carriers have consistently and repeatedly failed to adequately police fraud perpetrated by their own employees:

“This isn’t social engineering anymore,” Ross, who was SIM swapped last year, said in an online chat. “The story needs to move from ‘the carriers aren’t doing enough to fix the problem’ to ‘the carriers have no control over their tens of thousands of customer service reps and knowingly allowed them to be bribed.’”

There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from their cellphone (or 1-800-937-8997), then tell a support staffer that they want to create a “port validation” passcode. Still, like the SS7 exploit that has been in the wild for years, it's pretty clear that wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and raising rates, and a little more time protecting their customers from security threats.

Filed Under: doj, sim hijacking
Companies: at&t, verizon


Reader Comments


  • That Anonymous Coward, 14 May 2019 @ 7:06am

    Gee it's almost like giving cogs access to things with no oversight leads to problems...
    Pay no attention to the police database abuses
    Pay no attention to other database abuses

    One thinks it's sad the Feds managed to catch this while the carriers just fiddled, it's almost like they have no concern for customers. They are just a revenue source to be harvested without any concern.

    If only we had an agency to provide oversight to the carriers & impose even the slightest fines to motivate them to take action to protect the public & allow them to be sued when they fail to make the victims whole... instead of a smiling jackass who has no problem making sure the carriers don't even need to provide the smallest amount of lube while they....


  • Annonymouse, 14 May 2019 @ 7:07am

    Security doublespeak

    The carriers don't care about their customers until their own security and income is at risk.


  • Anonymous Coward, 14 May 2019 @ 7:09am

    ‘the carriers have no control over their tens of thousands of customer service reps and knowingly allowed them to be bribed’

    ... sounds highly exaggerated

    how many businesses anywhere have full control over all their Customer Service Reps?

    how many businesses have Anti-Bribery procedures in place for their Customer Service Reps?


    • Anonymous Anonymous Coward, 14 May 2019 @ 7:43am

      Re:

      How many businesses don't go looking for issues when they are pointed out? Some do, some don't.

      I wonder what the percentages are when private companies vs publicly traded companies are compared with regard to this issue?


    • PaulT, 14 May 2019 @ 7:59am

      Re:

      There's plenty of restrictions a large company is obliged to put into place to protect consumers from rogue employees, as well as procedures that should be in place to limit damage if those restrictions fail. There's also a lot of space between "full control" (your words) and "no control" (what you quoted)

      It's not about being 100% perfect but if, as implied in the quote, they knew they had employees being bribed to do these things and did nothing to stop it, they deserve to have the book thrown at them.


    • That Anonymous Coward, 14 May 2019 @ 5:21pm

      Re:

      How many businesses give complete and total access to Customer Service Reps?
      How does having access to my porting password, mother's maiden name, last 4 of my social improve their ability to offer me a shitty credit when their service sucked??
      How hard can it be to notice a record accessed & suddenly ported out afterwards?

      Other than it might cost them some money to put security into place, is there any good reason for allowing this to happen?
      Perhaps if the courts decided they were at fault when customers were robbed with assistance from their employees/contractors/sub-contractors (which are just dodges to avoid responsibility & benefits), they suddenly might discover they had the power to protect consumers all along.

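The check raised in the comment above (an account record viewed, then the number moved shortly afterwards) can be run over carrier audit logs. The following is an added example, not part of the original article or its comments; the audit-event schema, employee and account identifiers, the 24-hour window and the review threshold are all assumptions, and the sample events are constructed. It covers both patterns the article describes: the employee performing the swap directly, and the employee only looking up the account before someone else moves the number.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema):
# (timestamp, employee_id, account, action, linked_to_customer_contact)
EVENTS = [
    ("2018-05-01T10:00", "emp17", "acct-1001", "view_account", False),
    ("2018-05-01T10:20", "emp17", "acct-1001", "sim_swap", False),
    ("2018-05-02T09:00", "emp17", "acct-1002", "view_account", False),
    ("2018-05-02T15:30", "emp42", "acct-1002", "port_out", True),
    ("2018-05-03T11:00", "emp08", "acct-1003", "view_account", True),
    ("2018-05-03T11:05", "emp08", "acct-1003", "sim_swap", True),
    ("2018-05-04T08:00", "emp08", "acct-1004", "view_account", False),
]

NUMBER_MOVES = {"sim_swap", "port_out"}

def flag_access_then_move(events, window=timedelta(hours=24)):
    """Flag number moves that follow an account view with no customer contact."""
    views = defaultdict(list)  # account -> [(time, employee)] of unsolicited views
    findings = []
    for ts, emp, acct, action, contact in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "view_account" and not contact:
            views[acct].append((when, emp))
        elif action in NUMBER_MOVES:
            for viewed_at, viewer in views[acct]:
                if timedelta(0) <= when - viewed_at <= window:
                    # Same employee viewed and moved the number, or the viewer
                    # only looked the record up before someone else moved it.
                    kind = "self_service_swap" if viewer == emp else "lookup_before_move"
                    findings.append({"account": acct, "viewer": viewer,
                                     "mover": emp, "kind": kind})
    return findings

def employees_to_review(findings, threshold=2):
    """Employees whose unsolicited views preceded at least `threshold` moves."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["viewer"]] += 1
    return {emp: n for emp, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = flag_access_then_move(EVENTS)
    for h in hits:
        print(h)
    print(employees_to_review(hits))
```

A view tied to a real customer contact (emp08 on acct-1003) is not flagged, which keeps routine support work out of the review queue.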

