Cops Slowly Wise Up To The SIM Hijacking Trend Carriers Don't Want To Seriously Address

from the you've-got-a-bit-of-a-problem-here dept

It only took a few years, but law enforcement finally appears to be getting wise to the phenomenon of SIM hijacking, which lets a hacker hijack your phone number, then take control of your personal accounts. As we've been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data. Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target's banking or cryptocurrency accounts.

This week, news reports indicated that California authorities finally brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin:

"Investigators accuse Ortiz of being a prolific SIM hijacker who mainly targeted victims to steal their cryptocurrency but also to take over their social media accounts with the goal of selling them for Bitcoin. According to the investigators, as well as people in the SIM swapping community, Ortiz was a member of OGUSERS, a website where members trade valuable Instagram or Twitter accounts."

In one of at least three attacks that happened during Consensus, Ortiz allegedly stole more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million that he had crowdfunded in an ICO."

SIM hijacking has been making headlines for the better part of the last year, so it's nice to see law enforcement finally paying attention. What still isn't getting enough attention is the fact that these hackers are increasingly getting help from employees inside of major wireless carriers like T-Mobile. As security researcher Brian Krebs has been noting, wireless carrier employees can often be duped into conducting a SIM swap, allowing the hackers to steal another users' identity. Often hackers will go store to store until they've found an employee that's gullible enough or open to financial compensation to do it:

"A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider’s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

However, thieves and other ne’er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) — effectively giving the attackers access to any text messages or phone calls that are sent to the target’s mobile account."

And while some store employees have been duped, others are cooperating willingly with the hackers.

Reports over at Motherboard have highlighted how some employees are taking cash payments in exchange for private consumer data routinely only made available to carrier insiders. And despite this getting ample press (over the last month or two specifically), journalist Lorenzo Franceschi-Bicchierai has been pointing out that T-Mobile doesn't appear to want to much talk about it. For context, this is a screenshot taken of T-Mobile's internal systems, either by an employee being paid to participate in the SIM hijacking, or by a hacker that still has access to T-Mobile's private internal systems:

There are systems in place that are supposed to prevent you from having your number ported out without your permission. For example, T-Mobile users can call 611 from their cellphone (or 1-800-937-8997) and tell a support staffer that they want to create a “port validation” passcode to prevent unauthorized number ports. But despite some ongoing lawsuits over this internal security and privacy problem at T-Mobile, it's still pretty clear the company isn't doing enough to protect its customers, in stark contrast to the ultra-consumer-friendly branding schtick the "uncarrier" has been cashing in on for years.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: arrest, scams, sim hijacking
Companies: t-mobile

Reader Comments

Subscribe: RSS

View by: Thread

  1. icon
    Spaceboy (profile), 1 Aug 2018 @ 11:04am

    LOL at PINs

    PINs are useless in this scam. The 'hacker' is switching the targets phone number to a device they control. This can be done within a few minutes. They either already have access to the PIN, have someone on the inside, or are using social engineering to gain access to the targets phone number. Once they have local access to a phone number, they change the PIN to something else and do whatever it is they want to do.

    A 'Port Out' pin is similarly worthless if the scammer gains control of the phone number.

    Usually, by the time the target realizes there is something wrong it is too late, the damage has been done. When they call their carrier they will not be able to gain access to their account because they do not know the new PIN. Best case scenario will be for them to go to a retail location to show their ID as proof of ownership. But if the number was ported out to another carrier they are fucked. There is no easy way to prove to another carrier that they are the legitimate owner of a particular phone number. Meanwhile the person that now has the phone number is changing passwords on all kinds of accounts and setting up Two-Factor Authentication, locking the target out of their own accounts, banks, social media, whatever. All this can be done in a few hours. You could wake up tomorrow and be locked out of everything.

    You won't notice anything is wrong because you won't be getting any email notifications because all your passwords have been changed.

    What's worse is there are many 2FA apps out there that rely on an email or phone number for their own authentication. So if the scammer has access to their phone number, there is no service that they will not be able to change the authentication on.

    This is a pandora's box that the carriers need to address. It is mandated that customers can take their phone numbers with them. We need to figure out a process that can reliably authenticate the person requesting the port instead of using a 4-digit code.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.