Wireless carriers are coming under increasing fire for failing to protect their users from the practice of SIM hijacking (aka a port scam). The practice involves posing as a wireless customer, then fooling a wireless carrier into porting the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Last year, a customer sued T-Mobile for failing to protect his account after a hacker pretending to be him ported out his phone number, then stole thousands of dollars worth of cryptocoins.
Subsequent reports have shown how identity thieves use SIM hijacking to do everything from cleaning out bank accounts to stealing valuable Instagram usernames and selling them for Bitcoin. Reports often showed how these scams were being carried out with the willful help of some cellular carrier employees, something wireless carriers haven't (understandably) been particularly keen on talking about.
That was confirmed again last week when the DOJ accused nine people of allegedly being part of a crime ring known as “The Community.” The organization's specialty was SIM hijacking, which involved having three former employees at AT&T and Verizon steal user identities (and subsequently several million dollars):
"White, according to the feds, helped the criminals steal more than $2 million from several victims by performing 29 fraudulent SIM swaps. White communicated with the criminals via Telegram, according to the document. Jack, who was an associate of White, allegedly performed twelve fraudulent SIM swaps in May of 2018. White allegedly paid Jack $585.25 for his help in the SIM swapping conspiracy, according to the complaint."
The full DOJ announcement provides some interesting reading. In some instances the employees would conduct the SIM swaps themselves. In other instances they'd simply provide enough private account data to the scammers to help them pose as the customer. It's likely there are more such cases waiting in the wings, and critics continue to highlight how cellular carriers have consistently, repeatedly, failed to adequately police fraud perpetrated by their own employees:
“This isn’t social engineering anymore,” Ross, who was SIM swapped last year, said in an online chat. “The story needs to move from ‘the carriers aren’t doing enough to fix the problem’ to ‘the carriers have no control over their tens of thousands of customer service reps and knowingly allowed them to be bribed.’”
There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from their cellphone (or 1-800-937-8997), then tell a support staffer that they want to create a “port validation” passcode. Still, like the SS7 exploit that has been in the wild for years, it's pretty clear that wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and raising rates, and a little more time protecting their customers from security threats.