The SIM Hijackers

Lorenzo Franceschi-Bicchierai of Motherboard has a chilling story on how hackers flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victim's weakness? Phone numbers. He writes: First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering -- perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years) -- the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card. Game over.

Chilling?

[Peter+P+Peters]

Game Over? Was this written by a twelve year old? TFA certainly sounds like it was....

Re: Chilling?

Shocking! 12-year-olds can write stupid stories.

Re:Chilling?

[hcs_$reboot]

"Game over" you mean like during the pinball era? Sounds more like it was written by a 60 years old.

Re: Chilling?

Bill Paxton strongly disagrees.

I mean, did you SEE those things out there?!?!

The drop ship is complete wreckage. This is just great.

And how can they cut the fucking power, the power, on a nuclear teraforming plant?!

Game over man, game over.

Re: Chilling?

_That's it! Game over, man! Game over! What the fuck are we gonna do now? What are we gonna do?_

Yubikey

[darkain]

I wonder how long until these "hackers" figure out how to call a company and steal my Yubikey authentication credentials...

Re:Yubikey

[golgotha007]

Not sure if you're trolling or what, but perhaps you have no idea how yubikey works.

https://www.yubico.com/solutio...

Re:Yubikey

Whoosh

Re:Yubikey

Wow! I didn't know yubikey prevents social engineering. I'll have to get me one!

Re:Yubikey

[Luthair]

Hi customer service, I lost my 2 factor device can you remove it from my account. k thx bye.

Re: Yubikey

Everyone should call their carrier and put a security notice on their account that in order to change a SIM the user needs to appear in person at a retail store with photo ID. It's not foolproof but it's a big step forward.

That's not new

https://www.youtube.com/watch?v=LlcAHkjbARs

Happened Linus Tech Tips as well. Carrier need to beef up their training and require more authentication

2FA

[JaredOfEuropa]

Meanwhile, many banks here are dropping actual 2FA based on the chips in our bank cards, and replacing it with security codes sent by SMS. Great idea. What really surprises me in this story is that T-mobile sent a warning to their customers instead of changing their procedures, and no longer perform sim swaps for any Tom Dick & Harry identifying themselves with a (semi public) SS number.

Re:2FA

[dohzer]

When the owner calls to pay or update an account, they ask for your password and some personal details.
It's a shame that all you need to switch service providers is a few personal details.

Re:2FA

Meanwhile, many banks here are dropping actual 2FA based on the chips in our bank cards, and replacing it with security codes sent by SMS. Great idea.

Before today, I never understood why people would say that that was insecure. No one could ever explain it to me. But TFS finally helped me to understand.

Re:2FA

Meanwhile, many banks here are dropping actual 2FA based on the chips in our bank cards, and replacing it with security codes sent by SMS. Great idea. What really surprises me in this story is that T-mobile sent a warning to their customers instead of changing their procedures, and no longer perform sim swaps for any Tom Dick & Harry identifying themselves with a (semi public) SS number.

Well, 2FA using SMS wouldn't help as long as the end users are dumb. Sad but true.

Turn authentication up to 3

[AHuxley]

Are we going to need another step?
A call on a POTS? Use the mail and a mailbox to secure another way of communications?

Re:Turn authentication up to 3

We need a physical visit to the operator's store and a government provided ID card to do things like the submission describes. YOU WILL TOO!!!

Not new

[golgotha007]

I work in the crypto asset space and these types of attacks have been going on for years now. If your 2FA is based on SMS or a call-back, you're doing it very wrong.

For those interested in doing 2FA correctly, buy a yubikey (USB-C if your phone supports) and couple that with Yubico authenticator which is 100% compatible with Google Authenticator. The major difference is that none of your 2FA codes appear until you plug your yubikey into your phone and nothing sensitive is stored on the phone itself. This way, the attacker would physically need your yubikey to authenticate as you - problem solved.

Re:Not new

Mostly good advice, but I would suggest any FIDO U2F compatible device, and make sure to have a minimum of 2, and keep 1 in a safe place. You can get U2F tokens that work using both USB and bluetooth so you can use the same token with your computer and your mobile phone.

Re:Not new

or andOTP app from fdroid

Re:Not new

[houghi]

That is because you only look at the security. I look at the usability. I would have to buy a new phone and what I can buy would be limited. Obviously the majority of the people would go for one that will be fixed on the phone, so having it on the phone is less secure than having data on the phone.

And I am sure there will be different ones from bank to bank. I already have two RSA key generators. One that works as it is, the other I have to put my card in. So that means that when I travel I either take them with me, with the risk of losing them. That would require replacement when I get home and that will take time. At least a day of work anb go to the bank and ask for a new one.

Or I do not take them with me and if I want to do a transfer, I am unable to do so. Yes, I have been in a situation where I needed to transfer more than the minimal daily amount I can do with my phone (limited at 2500 EUR) and did not have the RSA generators with me in a foreign country. Luckily the company understood the reason and took the risk of getting payment after they performed their service.

To me what would be OK is if they all used Google Authenticator and send the specific codes via snail mail, like they send pin codes via snail mail. Not via email. Not even if it is an emergency. Not to the bank. Not to your neighbor, or your dad or your son.

And changing the address must be done with proof. But in Belgium we have it easy. Everybody older than 12 has to have an ID. On that ID is a chip. That chip can be read with open source software and even can be used for other things. Just yesterday I filled out my taxes.

A change of address means you need to go to the city hall. They will edit your address and put the new address on the chip. SO if I say my SIM card is broken, they will send a new one. I do not think they will just put it on another sim card.

The real issue is that they put it on another sim card without you being there. Either send a new one or let people go to a store where they need to identify themselves in a manner that is normal where you live.

Re:Not new

The SIM is basically a smartcard, which provides your 2FA. This issue here is when you've "lost" your 2FA device, there's an issue where social engineering (tricking the support team) to allow someone else to take over your account, and tie it to someone else's 2FA device. It would be like if a hacker was able to trick google authentication service into revoking your yubikey, then assigning hacker's yubikey to your account.

Re:Not new

> I still use my iPhone 6s and reduce my monthly bill from $80 to $50. As a phone and a video cam ...

What's up with this iPhone 6 spam in the comments here? Did he buy a bulk-load of iPhones and is trying to drum up interest to sell them?

Re:Not new

Gaming search results.

Re:Not new

[datavirtue]

Remember when there was all that hubbub about the problem of social security numbers and congress was looking into solving the problem. Guess the banks crushed that shit.

Probably

Because IT WUZ HAXX0RZ!!1!

That's msmash for you.

Re: Probably

It wuz their 1337 H@x04 $%177$... nothink happens without 1337 and decepticon laptop stickers for +20 hp.

Is this a joke?

[volodymyrbiryuk]

Or are there still companies out there using SSN for authentication.

Social Security Number or home address are public.

No need for any "hack" since the information is already available for free to anyone asking for it.

Solution

[Rik+Sweeney]

If the victim has an email address associated with the mobile phone account (almost everyone does), the phone service should send a code to the email address and ask the "customer" to read it out when they receive it.

No code, no phone redirect. We'll stick a new SIM card in the post to put in your new phone.

Re:Solution

f the victim has an email address associated with the mobile phone account (almost everyone does), the phone service should send a code to the email address and ask the "customer" to read it out when they receive it.

No code, no phone redirect. We'll stick a new SIM card in the post to put in your new phone.

Hax0r: But I _can't_ login to my email because I use text messaging for 2FA!

Your second solution would suffice for those situations, but the customer retention department would complain that the company might lose customers if they made it too hard to get a new SIM, since it's just as easy to just switch providers at that point.

Technical checks

Why don't carriers check basic stuff like whether the SIM is still active on the network in the same mobile device it has always been before doing the swap?

Re:Technical checks

[tlhIngan]

Why don't carriers check basic stuff like whether the SIM is still active on the network in the same mobile device it has always been before doing the swap?

Because it wouldn't make much difference? There can be plenty of legitimate reasons why you want to transfer the SIM despite the SIM actually being active on the network already.

Like say, you losing your phone and thus wanting to transfer your service to a new phone (and new SIM card).

Given the hacker already can transfer the SIM which quires knowing things about the subscriber anyways, it wouldn't be much more effort to simply have them say "I lost my phone. I have a replacement and could you please transfer over my service?". "Yes, I tried calling it, but no one answered". "Yes, I looked at that location (using GPS location to find it)". etc. etc. etc.

Re:Technical checks

Depends on the check. This is a known con, and the carrier could send an email, sms, or robocall to the phone saying 'this number is being ported to a new SIM in 10 hours, if you didn't request that change please call'. There's a lot carriers can do. They just don't.

We had a little incident a few years ago

In the EUm a few terrorist used a huge number of prepayed SIM cards. Now everyone has to show some kind of ID, just to own one.

Why are people stealing Instagram accounts?

They are FREE....!

Re: Why are people stealing Instagram accounts?

Read the article.

Itâ(TM)s the unique name they are after

boop

great news, we'll soon have to have 3 forms of id to do anything to our phone accounts.

hackers flip seized instagram handles?

[ArchieBunker]

Talk about a word salad. Interior crocodile alligator, I drive a Chevrolet movie theater.

Re:hackers flip seized instagram handles?

It may be a dumb article, but it is not at all difficult to parse for a native speaker.

It's about that Rock link

It's not about the phone. It's about that Youtu.be affiliate link at the bottom of every post. It could be creimer, it could be one of his imposters, or it could be APK. I don't even know anymore. Anyway when you go watch the Rock go be a lolligirl or whatever its about, appleboi get like 25% of a whole penny!