After Jack Hack, Government Starts Taking Wireless 'SIM Hijacking' Seriously

from the yeah-maybe-get-on-that dept

Wireless carriers have been under fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier into porting the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker, pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars' worth of cryptocoins.

As with the wireless industry's ongoing location data scandals, the FCC has so far refused to utter so much as modest condemnation of carriers that have failed to protect users.

But with Twitter CEO Jack Dorsey having his Twitter account recently hijacked thanks to SIM hijacking, the government appears to have finally gotten the message that we have a bit of a problem.

For example, the FBI issued a warning last month to its private industry partners, noting that two-factor authentication can be bypassed thanks to the hacks:

"The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks," the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.

Carriers, for their part, don't much like to talk publicly about the problem, in part because it's frequently their employees who are helping to facilitate the scams for a little money on the side. Identity thieves use SIM hijacking to do everything from cleaning out bank accounts to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn't particularly complicated, and more often than not involves the social engineering of a cellular carrier's support employees. Until the Dorsey hack, their refrain has been that this is a small problem that's very unique. It's not.

There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from their cellphone (or 1-800-937-8997), then tell a support staffer that they want to create a “port validation” passcode (here's a guide for other carriers). Still, like the SS7 wireless exploit that has been in the wild for years, it's clear wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time training their employees and protecting their customers from security threats.

Filed Under: fbi, fcc, identity fraud, jack dorsey, sim hijacking, telcos


Reader Comments



  1. James Burkhardt, 11 Oct 2019 @ 1:25pm

    Re: Re: Re: Re:

    Ideas which would, conceivably, require remotely compromising the device to give up that information, fighting against device manufacturer's work to fill security holes, at which point you cloning the SIM card is the least of the mark's problems. You also are losing the benefit of not being able to close the SIM clone vulnerability, as device manufacturers could close the vulnerability that gets you the SIM card information from the phone itself.

    I'm not saying SIM cloning isn't a thing. It likely is. But I perceive its only benefit being in longer term targeted surveillance by governments, rather than the benefits of SIM Swapping or SS7 hacking which are in rapid moves to steal assets in moments. And given that a SIM Swap stops the feed of information, or worse you might be vulnerable to intentional misinformation if the cloning is discovered, it's likely not laziness or lack of need, but lack of practicality.

