After Jack Hack, Government Starts Taking Wireless 'SIM Hijacking' Seriously
from the yeah-maybe-get-on-that dept
Wireless carriers have been under fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker, pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.
Like the ongoing wireless industry's location data scandals, the FCC has so far refused to utter so much as modest condemnation of carriers that have failed to protect users.
But with Twitter CEO Jack Dorsey having his Twitter account recently hijacked thanks to SIM hijacking, the government appears to have finally gotten the message that we have a bit of a problem.
For example, the FBI issued a warning last month to its private industry partners, noting that two-factor authentication can be bypassed thanks to the hacks:
"The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks," the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.
Carriers, for their part, don't much like to publicly talk about the problem. In part because it's frequently their employees who are helping to facilitate the scams for a little money on the side. Identity thieves use SIM hijacking to do everything from cleaning out bank accounts, to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn't particularly complicated, and more often than not involves the social engineering of a cellular carrier's support employees. Until the Dorsey hack, their refrain has been this is a small problem that's very unique. It's not.
There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from your cellphone (or 1-800-937-8997), then tell a support staffer that you want to create a “port validation” passcode (here's a guide for other carriers). Still, like the SS7 wireless exploit that has been in the wild for years, it's clear wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time training their employees and protecting their customers from security threats.
Filed Under: fbi, fcc, identity fraud, jack dorsey, sim hijacking, telcos
Reader Comments
Subscribe: RSS
View by: Time | Thread
Re: Re: Re: Re:
Ideas which would, conceivably, require remotely compromising the device to give up that information, fighting against device manufacturer's work to fill security holes, at which point you cloning the SIM card is the least of the mark's problems. You also are losing the benefit of not being able to close the SIM clone vulnerability, as Device manufacturers could close the vulnerability that gets you the SIM card information from the phone itself.
I'm not saying SIM cloning isn't a thing. It likely is. But I perceive its only benefit being in longer term targeted surveillance by governments, rather than the benefits of SIM Swapping or SS7 hacking which are in rapid moves to steal assets in moments. And given that a SIM Swap stops the feed of information, or worse you might be vulnerable to intentional misinformation if the cloning is discovered, its likely not laziness or lack of need, but lack of practicality.
Add Your Comment