After Jack Hack, Government Starts Taking Wireless 'SIM Hijacking' Seriously

from the yeah-maybe-get-on-that dept

Wireless carriers have been under fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker, pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.

As with the wireless industry's ongoing location data scandals, the FCC has so far refused to offer so much as modest condemnation of the carriers that have failed to protect users.

But with Twitter CEO Jack Dorsey having his Twitter account recently hijacked thanks to SIM hijacking, the government appears to have finally gotten the message that we have a bit of a problem.

For example, the FBI issued a warning last month to its private industry partners, noting that two-factor authentication can be bypassed thanks to the hacks:

"The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks," the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.

Carriers, for their part, don't much like to publicly talk about the problem, in part because it's frequently their own employees who are helping to facilitate the scams for a little money on the side. Identity thieves use SIM hijacking to do everything from cleaning out bank accounts to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn't particularly complicated, and more often than not involves the social engineering of a cellular carrier's support employees. Until the Dorsey hack, the carriers' refrain had been that this is a small, unusual problem. It's not.

There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from their cellphone (or 1-800-937-8997) and tell a support staffer that they want to create a "port validation" passcode (here's a guide for other carriers). Still, as with the SS7 wireless exploit that has been in the wild for years, it's clear wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time training their employees and protecting their customers from security threats.

Filed Under: fbi, fcc, identity fraud, jack dorsey, sim hijacking, telcos


Reader Comments

    ECA (profile), 11 Oct 2019 @ 12:54pm

    Many of you....

    Have been on the net a long time, and understand a bit of what the net is like. And even fewer of you understand the Old internet, that's still there.

    How many of you remember all the fun of creating an account, in the past, and NOW...
    It has taken years for them to figure out a few things. Like verification... HOW to prove WHO you are..

    This is like Spam phone calls..HOW can you tell?

    1. In the first seconds THEY must ID themselves.
    2. Social Sec. DON'T make phone calls.
    3. YOUR credit card corp. WILL NOT call you and ASK for your card number to verify you. (They have all that data) (OR SHOULD)
    4. Make a permanent internet email account.. NOT with an ISP, those get deleted if you change service. Gmail lets you have 3-4 from 1 account, and you can gear them to importance.. BILLS is a good one.

    Sorting all this out is a real pain unless you are really organized. Passwords are a pain also.

    Google has a pretty good verification, up to 3 parts..
    There is a trick I suggest to my customers... It's not the questions for verification, it's the answer.. No matter the question, "where were you born", 'Da moon'.. is a better answer than the real location..

