How Criminals Recruit Telecom Employees To Help Them Hijack SIM Cards

An anonymous reader writes: Sources who work for some of America's major cellphone carriers tell us how criminals are trying to recruit them to get help hacking victims. Normally, criminals approach them online, offering to pay them in Bitcoin (the equivalent of $100 for example). In exchange, the employee has to log into a company portal and process a so-called SIM swap. From the report: How criminals find the employees in the first place can vary. Some SIM hijackers I spoke to told me they approach them through shared friends in real life, others told me they just comb LinkedIn, Reddit or social media sites. AT&T and Sprint did not respond to requests for comment about whether or not it had any knowledge of insiders helping criminals. A T-Mobile spokesperson said in a statement that the company is "aware of these ongoing and ever-changing attempts to take advantage of consumers across the wireless industry and we'll keep fighting to ensure our customers' safety." A Verizon spokesperson said the company doesn't share details of internal security processes or investigations, but the company "has systems in place that work to detect employee/vendor misconduct."

The 115th Rule Of Acquisition:

[gdonald]

Greed is eternal.

why can't the stores just move sims and not swap

[Joe_Dragon]

why can't the stores just move sims and not swap them all the time??

If only legitimate SIM Swaps were that easy

$100 for an illegitimate SIM swap? Sounds cheap compared to the incompetently-serviced hoop-jumping AT&T puts you through for a legitimate swap. this includes refusing to process the swap because their barcode reader couldn't process the barcode on the back of the ID the employee was holding in their hand. No wonder.

$100

[Oswald+McWeany]

$100 doesn't seem a lot of compensation in exchange for performing a federal crime.

Re:$100

Yeah but it's in bitcoin so it's closer to $300, no wait, now it's $25

Re:$100

I know! Who wouldn't do this for $1,000.00! That's like $600.00 profit! Just think what you could spend $750.00 on. I imagine a number of people might find $2,500.00 tempting...

Seriously though. I don't think the $50.00 is worth it.

Re:$100

[Joce640k]

$100 doesn't seem a lot of compensation

I assume they'll do more than one.

Re:$100

[110010001000]

Yeah but it is $100 per SIM and I am able to process about 800 per day so...oh crap. Forget I said anything.

Re:$100

[timholman]

$100 doesn't seem a lot of compensation in exchange for performing a federal crime.

Not if you're passing on 20 names a week. An extra $100K per year (tax free) would be very tempting to some.

On top of that, the criminal justice system doesn't work in an additive way for white collar crime. If caught, your jail time for selling the details of 1000 people won't be significantly greater that selling the details of 10 people, particularly if you plea bargain. Sure, the court will give you a bigger restitution amount to pay, but it's not as if most perpetrators would ever care about that. They'll be paying only a token restitution amount each month regardless.

A side effect of depressed wages

You make more money by helping a criminal than you do in months of work. The calculus is easy.

and the consequences?

[iamagloworm]

presumably, at some point there is an investigation and the employee has to explain why they "SIM swapped" dozens of customers when that is not their normal job? getting caught is an inevitability.

Re:and the consequences?

[oldgraybeard]

They may only know who if their software tracks the user id doing a SIM card swap but then the criminal employee could be using the log in for another employee. Or if it is a Database admin doing it directly with a query there may not be a record.

Just my 2 cents ;)

Re:and the consequences?

[ranton]

They may only know who if their software tracks the user id doing a SIM card swap but then the criminal employee could be using the log in for another employee. Or if it is a Database admin doing it directly with a query there may not be a record.

Each of these risks are trivial for a company as large as a major telecom to mitigate. Tracking the logged in user of every significant system update is obvious. Tracking the actual user id performing a task even when impersonating another user is also obvious. Logging of all database transactions in a location your database admins do not have edit rights to isn't a novel concept either.

I understand nearly all companies do not take this level of effort in their security, but large financial institutions, telecoms, etc. really should.

Re:and the consequences?

Companies don't make press releases for every time they have had to fire an employee and refer then to law enforcement. The people fired don't have a large incentive to make this public either. If they take a plea deal then you won't hear about a trial.

So assuming they aren't already doing this simply because you haven't seen a news article is a bit silly.

Re:and the consequences?

[oldgraybeard]

Both points are true, I have written software with add/access/change/delete/origin workstation tracking, activity/before-after data archiving, notifications and other recording of audit/oversight information. And know that there are means to track most db query activity.

So then the question is, if the policies, procedures, audits and oversight are in place. How can this be something which can be part of the social engineering, bribery tool box they use multiple times against large entities? Or maybe this activity is being exaggerated.

Just my 2 cents ;)

Re:why can't the stores just move sims and not swa

[Joce640k]

Even better: Log the user who does each SIM swap and let everybody know about the new policy.

Problem solved overnight.

College Student steal $5M using Sim swaps

This college student stole $5 million using this technique.

https://www.boston.com/news/local-news/2018/08/01/former-valedictorian-accused-of-stealing-cryptocurrency

Re:why can't the stores just move sims and not swa

Problem not solved because the work was outsourced to a region where the average wage is $25 a month and other companies would hire them even if they did get caught because of corporate collusion to keep wages low in said region.

It's not just cellphone carrier employees

[timholman]

Sources who work for some of America's major cellphone carriers tell us how criminals are trying to recruit them to get help hacking victims.

It's not just cellphone carrier companies - it's also the employees of banks, credit bureaus, doctors' offices, hospitals, HR departments, state and federal government tax departments, and just about any other organization that would have your personal information.

My Mom was targeted by an identity theft ring last year. The only point of contact between her and the bank / credit card agencies was her home phone number. The gang sent someone with a fake driver's license to a Verizon store a hundred miles away, and that person transferred my Mom's phone number to a cell phone. Once they had control of the phone number, half a dozen crooks with fake ID hit various stores to purchase big-ticket items. Any calls for verification went straight to the cell phone. The gang even got into her personal Chase bank account. The only thing that stopped them was the credit freeze that my wife and I had persuaded her to activate the year before, otherwise she'd still be cleaning up the mess with her finances.

But what amazed us was how much they knew about her. They had all the information on her credit card and bank accounts. They were able to create a fake driver's license. So where did it all come from? Our guess is that someone at a credit bureau was earning extra money on the side by passing on dossiers of elderly people with excellent credit ratings.

It doesn't matter what security measures you put in place. The weakest link will always be the person who can be bought by a crook.

Re:It's not just cellphone carrier employees

probably not an inside job -- they just Experian's data without paying anyone. You know, the incident from a year ago where they discovered hackers stole all their data, the CEO and top folks sold off as much stock as they were legally allowed and the affair later leaked out. Naturally the CEO and others have been cleared of wrong doing and its all okay because congress passed a law requiring the big three to allow free credit freezes (and unfreezes) for everyone starting Sep 21, 2018.

But that data is still out there.

disposable employees

[Lead+Butthead]

Treating employees as disposable commodity does not inspire loyalty in the employer.

How about reasonable controls?

[mysidia]

As in require the employee to type some facts into the computer that only the customer knows
in order to authorize a SIM Swap.

Starting with a "Support PIN" when the CSR opens up an account it should display a message that says something like
"A PIN is required to access some support functions for this customer"

In a normal call, the employee asks the customer to provide the PIN, and the employee types the PIN and gets a Yes/No "Support Functions Unlocked" OR "Access Denied"

Next, have a secondary identifier that needs to be entered to authorize a SIM swap specifically... something like "Last 4 digits of social", that Telco employees cannot view, but the computer will prompt them for, and must be entered correctly to access the SIM SWAP feature, Finally the procedure is Requested and will result in E-mail and SMS messages being sent... the customer will then have to wait X hours then call back and authorize completion of the SWAP --- Three incorrect entries of support PIN or SSN will put the account on "Support Lockdown," and Two Persons other than that employee will have to participate to do an Unlock.

Re:How about reasonable controls?

[bws111]

So you want the telcos to set up some process where, when purchasing a new phone (for instance), a customer must now provide a previously set up PIN? And then wait several hours? Good one!

While you MAY be able to do something like that if the new and old phones are on the same carrier (if you don't mind pissing off your customers), it would be illegal to do it across carriers. If requested to 'port' a number by another carrier, the carrier MAY NOT refuse the request, MAY NOT contact the customer, and MUST do the port within a day.

Re:How about reasonable controls?

[AHuxley]

It can be down with 100 point check https://en.wikipedia.org/wiki/...
That ensures every normal person on the telco system is a citizen/approved for that nation.
Then to background investigations on all staff.

LOL

[dnaumov]

I work for a major Nordic telco. The controls are so strict youâ(TM)d need to be a total moron to agree to this unless you were offered enough money to leave the country while being set for life.

Re:LOL

I thought prison sentences in Nordic countries were much shorter on average and far fewer per capita than the US for example. What exactly do you mean by your comment?

Youâ(TM)d have to be an idiot

I work as a sales rep for one of the companies mentioned in the article. I canâ(TM)t go in to too many details because I donâ(TM)t know how much I can post about it without getting myself into trouble. However I would like to clear up some misconceptions and assumptions stated in the comments here.

People participating in this are pretty dumb. With my company, every single action an employee performs on an account creates a non-editable account note containing information about whichever change was made, however minor, as well as who did it and when. Even attempting to pull up an account and then failing to properly authenticate the customer (no ID or security PIN) will leave a note on the account.

Certain actions like a sim-swap require two-factor authentication via SMS or email with a one time code. However, there are override processes in cases where a customer damages or loses their device which require additional personal information from the customer to proceed. Thats where the âoeinside manâ comes in. Theyâ(TM)d have to be willing to process the transaction despite all the normal red-flags that would likely be present.

If a sim swap occurs using an override process, that employee definitely shows up in a report however.

Hereâ(TM)s the thing though, making customers remember a special PIN for stuff like this just will not work. Half the customers I help donâ(TM)t even remember their google/Apple Account information and they use that all the time.

Also to the guy whose mother had her number stolen - that really sucks and itâ(TM)s a growing problem. Unfortunately the regulations regarding ports hasnâ(TM)t caught up to the scams. If a customer comes to me and says they want to port a number over and they have all the information required, I donâ(TM)t have much of a choice and the previous carrier is required to release the number. The ridiculous part is that itâ(TM)s actually much more difficult to transfer a number between accounts within the company!

Normal security

[DrYak]

when purchasing a new phone (for instance),

Sorry, what has *buying a phone* to do with swapping SIM?
you just take out the SIM from the old phone, fumble a bit with the size adapter (because the new phone uses yet a different format, but hey! It's 0.2mm thinner (tm) !)
and put it into the new phone.

At worse, you've lost all your precut adapters that came with your SIM originally (because you're moving from nano-Shit to some of the saner size).
The phone shop where you bought your new phone will happily sell you a new overpriced set of adapter (made from cheap Chinese plastic) - though still less overpriced than getting a new SIM.
There's zero need to get a new SIM (though some service providers, if you buy the phone from their own in house shop, will offer a rebate on the new SIM, in order for you to get a new one with up to date firmware inside).

Getting a new SIM is only needed when your phone was stolen, when the last SIM broke, or when your SIM is so antique that its firmware is incompatible with the current network (happened to me once, with a decade+ old SIM. That's the reason why in house shop propose SIM upgrades).

a customer must now provide a previously set up PIN? And then wait several hours?

That's normal procedure here around for any online/phone contact that isn't about trivial public information (anything more than "what's your catalog price for XyZ ?")
At the shop, any serious transaction (like buying a new phone on a payment plan or attaching your current account to a new SIM) requires signature and your ID. (And by ID, I don't mean any random bit of plastic that happens to have your picture on it like a credit card or a driver's licence that varies from place to place like you do in the US. But a real government issued ID like a ID Card or passport).

Once bought, the service providing company will run a separate check and you'll get a message on your SIM confirming that your account has successfully switched (in theory, you could need to wait up to 24 hours, though often it goes faster).

That's considered normal security practice for something that could potentially cost lots of money.

While you MAY be able to do something like that if the new and old phones are on the same carrier (if you don't mind pissing off your customers), it would be illegal to do it across carriers. If requested to 'port' a number by another carrier, the carrier MAY NOT refuse the request, MAY NOT contact the customer, and MUST do the port within a day.

here around it's "provided that the security check passes, they won't refuse it and do it under 24 hours".

But both your previous and your upcoming service providers need to make sure that the port is legit.

(which by the way gets abused by the carriers to try to make you stay, by bombarding you with paperwork specially if the situation is abit more complex - like the ownership of a landline shifting between family numbers - in the hopes that you'll think the procedure is too tedious and opt for not jumping ships. The upcoming new carrier will on the other hand happily assist you ghrough this).