Trust Issues – SIM Swap Scam Sees AT&T Sued for $228.8 Million

Just how much do you trust your mobile carrier? If cryptocurrency investor Michael Turpin is to be believed, you shouldn’t trust them at all. Turpin is suing AT&T for $23.8 million and an additional $200 million in punitive damages as a result of criminals carrying out SIM swap fraud by accessing his cellphone account. The SIM swap scam (according to Turpin) saw millions in cryptocurrency tokens lifted from his account by criminals who then transferred the tokens to an international crime syndicate. AT&T, his mobile carrier at the time of the fraud, disputes these allegations.

What is a SIM swap scam?

In simple terms, a SIM swap scam occurs when a phone number is transferred to a SIM card other than the owner’s without his or her approval. Control of the number can then allow criminals to hijack other digital accounts.

SIM swap scams are increasingly profitable for criminals because of the growing dependence on phone-based authentication, used especially by many banks for internet banking. A large number of banking customers link their mobile number with their bank accounts and then receive authentication codes via text message to access their banking details. Criminals identify “lucrative victims” and target them through social engineering and phishing attacks to collect their personal information. This provides the groundwork for various forms of identity theft and SIM fraud.

The method that scammers use seems, on the face of it, to be remarkably simple. They identify an employee of a mobile carrier and contact them with a simple business proposal. They will supply personal information of an account holder, including SSN and home address, and the number of a new SIM card. The employee then logs on to the mobile carrier’s in-house employee customer service system, looks up the customer’s details and transfers the account holder’s existing number to the new SIM card. The employee would then be paid a fee in the range of $100.

Alternatively, the criminal will ask the employee for their Employee ID and PIN and then access the customer service systems themselves.

Finding cooperative employees can be as simple as combing through Reddit or social media sites such as LinkedIn. In some cases, the employee might be approached through mutual friends of the would-be criminal.

The lure of easy money

Although the lure of easy money can be almost impossible for many of the mobile carrier employees to resist, most are aware of the risks.

A Verizon employee reportedly told the media that a criminal approached him via Reddit offering bribes in exchange for SIM card swaps. The employee refused, because (quite understandably) they preferred “to stay out of jail.” This employee also noted that the internal system logs every time an employee accesses an account.

So, it appears that at least some mobile carriers have basic safeguard systems in place to deter SIM swap scams.

However, common sense would suggest that a safeguard which merely logs access is of little use within a real-world timeframe. By the time the activity is noticed in the logs it would almost certainly be too late to prevent the fraud from affecting a customer.
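For a log-based safeguard to help in a real-world timeframe it has to raise an alert at the moment a SIM change is made, not during a later audit. The following is an added example, not code from the article or from any carrier: it runs three simple rules over a constructed customer-service audit log (hypothetical field names and thresholds), flagging SIM changes made without customer verification, SIM changes that follow a passcode override on the same account, and employees changing SIMs at an unusual rate.

```python
# Added example (not from the article): a detection rule over constructed
# carrier audit-log lines. Field names, actions and the threshold are
# hypothetical; no real carrier system exports this format.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, employee id, account id, action, verification flag
SAMPLE_LOG = """\
ts,employee,account,action,verified
2018-04-02T09:00:05,E101,A5001,lookup,yes
2018-04-02T09:01:10,E101,A5001,sim_change,yes
2018-04-02T09:05:30,E207,A7310,lookup,no
2018-04-02T09:05:55,E207,A7310,passcode_override,no
2018-04-02T09:06:20,E207,A7310,sim_change,no
2018-04-02T09:40:00,E207,A7322,sim_change,no
2018-04-02T10:10:00,E207,A7359,sim_change,no
2018-04-02T10:30:00,E207,A7401,sim_change,yes
"""

MAX_SWAPS_PER_WINDOW = 3          # hypothetical threshold per employee
WINDOW = timedelta(hours=2)

def parse_log(text):
    """Parse the CSV audit log into dicts with a real datetime in 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows

def find_alerts(rows):
    """Return (reason, employee, account) tuples for suspicious SIM changes."""
    alerts = []
    recent = defaultdict(list)   # employee -> timestamps of recent sim_change events
    overridden = set()           # accounts whose passcode check was overridden
    for r in rows:
        if r["action"] == "passcode_override":
            overridden.add(r["account"])
            continue
        if r["action"] != "sim_change":
            continue
        emp, acct, ts = r["employee"], r["account"], r["ts"]
        if r["verified"] != "yes":
            alerts.append(("unverified_sim_change", emp, acct))
        if acct in overridden:
            alerts.append(("override_then_sim_change", emp, acct))
        # Keep only this employee's swaps inside the sliding window, then add this one.
        recent[emp] = [t for t in recent[emp] if ts - t <= WINDOW] + [ts]
        if len(recent[emp]) > MAX_SWAPS_PER_WINDOW:
            alerts.append(("swap_velocity", emp, acct))
    return alerts
```

On the constructed log, the legitimate change by E101 raises nothing, while E207 trips all three rules; in practice each alert would be routed to a fraud desk before the port completes rather than written to an archive.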

SIM card swaps increasingly common

Recent reports indicate that there are hundreds of people across the U.S. alone who have been victims of the SIM swap scam. Otherwise known as a ‘Port Out Scam’, the practice has resulted in hacked social media and email accounts. However, monetary losses have also been reported. A 20-year-old college student stands accused of being part of a syndicate that stole in excess of $5 million by hijacking the phone numbers of people invested in blockchain and cryptocurrency. Mr. Turpin is by no means alone, it seems; the newsworthiness of his story seems to be based on the value of the cryptocurrency loss.

Are network providers doing enough?

Is the problem top of mind for network providers? In the case of AT&T (the respondent in Mr. Turpin’s case) it appears not, at least according to a hacker who claimed to have two insiders at AT&T, one active since February 2018 and the other since April.

An AT&T employee was quoted by the media saying that once a criminal identifies and lands a corrupt employee there simply are not enough safeguards in place to stop SIM swap scams. According to this employee the AT&T system is designed so that some employees have the ability to override security features such as phone passcodes which are usually required in order to port numbers.

Employees of other mobile service providers are even more scathing about security measures. A T-Mobile employee has noted that any of the company’s reps can enter an account and change the SIMs, easily bypassing the regular requirements for porting numbers.

Worryingly, this employee noted that, “There’s no passwords needed, there’s no ID.” He also noted that, “T-Mobile has had this issue for years and they seem to not be doing anything about it.”

Paul Bischoff, privacy advocate at Comparitech.com, notes, “SIM-jacking arose as a response to the growing adoption of two-step verification (also referred to as two-factor authentication) as a means to protect online accounts from hackers. Most two-step verification requires entering a PIN number sent to the user’s phone number. Unfortunately, employees who work at stores run by mobile carriers like AT&T have free rein to ’hijack’ a SIM card and transfer the phone number to a different device. This can be done unbeknownst to the user, so thieves will seek out store employees who can be bribed to assist with SIM jacking.”

According to Mr. Bischoff there may be a solution; unfortunately, most mobile providers are not making use of the appropriate authenticator apps.

“By using a fully automated service like Google Voice, there’s simply no one to bribe. Personally, I recommend utilizing an app like Google Authenticator or Authy whenever possible. These apps can receive a PIN over the internet and thus cannot be SIM-jacked, so they’re much more secure. Unfortunately, most sites, services, and apps rely solely on SMS verification and don’t yet support those apps.”

Conclusion

John Gunn, chief marketing officer, OneSpan noted that “If carriers, ISPs, and MNOs had to bear full financial responsibility for every crime and act of fraud committed across their networks, they would all cease to exist. Viewing this under the doctrine of assumed risk, it would be very difficult for the plaintiff in this action to prove they were unaware of the inherent risks of mobile and online transactions.”

To the layman, given the seemingly lax attitude towards security displayed by mobile carriers, this would verge on being a bankrupt argument. If the carriers improved their systems, they would go a long way towards solving a problem that they are seemingly aware of. To claim that the customer must assume the full risk of protecting their personal data because carriers would otherwise go out of business seems disingenuous at best. The risk, it would seem, is due to the inadequacy of the privacy policies and security practices of these carriers, not any weakness on the part of the customer when it comes to protecting personal data.

According to Turpin, “what AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.”

Is he correct? That will be up to the courts to decide.