After Jack Hack, Government Starts Taking Wireless 'SIM Hijacking' Seriously
from the yeah-maybe-get-on-that dept
Wireless carriers have been under fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim’s cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker, pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.
Like the ongoing wireless industry’s location data scandals, the FCC has so far refused to utter so much as modest condemnation of carriers that have failed to protect users.
But with Twitter CEO Jack Dorsey having his Twitter account recently hijacked thanks to SIM hijacking, the government appears to have finally gotten the message that we have a bit of a problem.
For example, the FBI issued a warning last month to its private industry partners, noting that two-factor authentication can be bypassed thanks to the hacks:
“The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.
Carriers, for their part, don’t much like to publicly talk about the problem. In part because it’s frequently their employees who are helping to facilitate the scams for a little money on the side. Identity thieves use SIM hijacking to do everything from cleaning out bank accounts, to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn’t particularly complicated, and more often than not involves the social engineering of a cellular carrier’s support employees. Until the Dorsey hack, their refrain has been this is a small problem that’s very unique. It’s not.
There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from your cellphone (or 1-800-937-8997), then tell a support staffer that you want to create a ?port validation? passcode (here’s a guide for other carriers). Still, like the SS7 wireless exploit that has been in the wild for years, it’s clear wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time training their employees and protecting their customers from security threats.
Filed Under: fbi, fcc, identity fraud, jack dorsey, sim hijacking, telcos
Comments on “After Jack Hack, Government Starts Taking Wireless 'SIM Hijacking' Seriously”
Aren’t a "port" and a "SIM swap" two different things? Usually, "porting a number" means switching it to some other telephone company – while "SIM swap" means switching it just to some other telephone, which may be on the same carrier.
Re: Re:
That would be an accurate description of the terminology. I think both techniques are being used to the ends presented here, but I agree it is irresponsible for the article to conflate the two.
Re: Re:
The word "it" here could cause confusion. We’re talking about moving the number to a different SIM card, not moving the SIM card to a different phone. "SIM swap" is not a good name for it, because the subscriber’s SIM never got "swapped" or moved at all.
Re: Re: Re:
A SIM swap is where you swap the SIM associated with a number. What other short descriptor would you use to describe swapping the associated SIM card? As the first AC points out, Porting is also confusing as that term refers to switching carriers, not getting a new SIM card.
Re: Re: Re: Re:
"Swap" also implies symmetry, as if your SIM card would then be associated with the attacker’s account.
I don’t necessarily have a solution to every problem I point out, but I question the tendency to pursue terseness at the cost of clarity. Would it be so bad to say the number was transferred without authorization? We could call it TWOL "transferred without official leave" if terseness is critical and a dated meaning of "leave" is acceptable.
"SIM" is an irrelevant technical detail. We don’t need to mention that any more than we mention ICCID, UICC, IMSI, or K_i.
Re: Re: Re: Re:
How about a SIM transfer?
Compelling evidence in support of not making critical data accessible via cell phone.
Might be time for a high profile court case that drops the hammer on some of the employees caught doing this.
Re: Re:
Nothing will come of it when they only sacrifice a minimum wage employee. The management that directed the action will continue in their activities trashing some more low level lives in the process.
I surprised sim-cloning hasn’t been much more common, unless they are almost never caught.
No matter what the wireless providers do there will always be sim-cloning to fall back on. I don’t think it’s a patchable flaw in modern sim technology.
Re: Re:
The difficulty with sim cloning is, you need to have access to the sim card to do it. At least that’s my understanding of it.
Re: Re:
As the AC notes, SIM cloning requires physical access to the SIM card. Unlike TV depictions, SIM cloning isn’t a wireless process. While its an open hole, its hard to pull off and if your mark notices a missing phone a legit SIM swap completely shuts down any future exploitation. SIM swapping doesn’t require the SIM card, the phone, or even being in the same Time Zone as the targeted phone. And SS7 hacking is wireless and provides much of the same benefit as SIM Cloning. Its not an efficent vulnerability.
Re: Re: Re:
I can think of ways to do sim cloning without access to the device but I have not because I’m not a cyber criminal. If criminal organizations/governments haven’t built it yet it’s only due to laziness or lack of need.
Re: Re: Re: Re:
For me it is in fact both laziness and lack of need.
Re: Re: Re:2 Re:
Ideas which would, conceivably, require remotely compromising the device to give up that information, fighting against device manufacturer’s work to fill security holes, at which point you cloning the SIM card is the least of the mark’s problems. You also are losing the benefit of not being able to close the SIM clone vulnerability, as Device manufacturers could close the vulnerability that gets you the SIM card information from the phone itself.
I’m not saying SIM cloning isn’t a thing. It likely is. But I perceive its only benefit being in longer term targeted surveillance by governments, rather than the benefits of SIM Swapping or SS7 hacking which are in rapid moves to steal assets in moments. And given that a SIM Swap stops the feed of information, or worse you might be vulnerable to intentional misinformation if the cloning is discovered, its likely not laziness or lack of need, but lack of practicality.
Re: Re: Re:3 Re:
Attackers have shown a penchant for finding security holes against very motivated manufacturers in related fields such as game consoles and satellite TV receivers, putting in much more effort than anyone could call reasonable. Stealing phone numbers gives a more direct path to real-world profit.
Were I looking for a flaw here, I’d look toward the SIM manufacturers—bad cryptography (cf. ROCA) and initialization vulnerabilities (cf. the RSA SecurID compromise).
Re: Re:
And how will the network react when it has the same number has to map to two or more phones, because the phone is reporting in from two or more towers that have no overlap in service area.
Re: Re: Re:
I could take random guesses but it depends on how the engineers in that particular network designed it. It could react any number of ways.
Many of you....
Have been on the net along time, and understand abit of what the net is like. And even Fewer of you, understand the Old internet, thats still there.
How many of you remember all the fun of creating a account, in the past, and NOW…
It has taken years, for them to figure out a few things. Like verification… HOW to prove WHO/they you are..
This is like Spam phone calls..HOW can you tell?
Sorting all this out is a real pain unless you are really organized. Passwords are a pain also.
Goggle has a pretty good verification, up to 3 parts..
There is a trick I suggest to my customers… Its not the questions for verification, it Answer.. No matter the question, "where were you born", ‘Da moon’.. is a better answer then the real location..
Yesterday you posted and article about Twitter 2FA. One would think that while researching that, you would have found out that you can’t remove your phone number from Twitter without it disabling all 2FA.
Then today you link to an article that incorrectly claims you can remove your phone number from Twitter without losing 2FA.
Re: Re:
what link are you talking about?
Are you retring to the ‘theverge’ link? That article does not suggest numbers can be remove by 2FA. Unless you mean to suggest that Twitter itself is unable to effect the same changes their software interface will do for you.