[ALERT] SIM Swapping Scams
Even as the four major mobile service providers assert that we can trust them with our online identities, one of them stands in court accused of betraying a customer’s identity to thieves not just once, but twice in six months, ultimately costing him $24 million. Read on to learn about the Sim Swap Scam, and how you can protect yourself...
Don't Let Your SIM Get Swapped
The jaw-dropping carelessness that permitted this gigantic scam should squelch any hopes that any mobile carrier may harbor of becoming your trusted identity authenticator, for it is completely typical of every one of them. (See my article "Let My Phone Company Be My Online Identity – Are You Kidding"? from last week, with my thoughts on Project Verify.
Cryptocurrency investor Michael Terpin alleges that on January 7, 2018, AT&T was negligent in allowing hackers to divert a replacement SIM card to a phone they controlled. They then requested password resets for Terpin’s online accounts.
Following current “best practices,” the services sent plain text codes to Terpin’s phone via insecure SMS to authenticate his identity. But the codes followed the new SIM card into the hands of the crooks, who reset the passwords and thus gained full control of Terpins cryptocurrency accounts which they proceeded to loot.
The final attack was preceded on June 11, 2017, by a bogus remote password reset of Terpin’s phone, which was preceded by eleven (11) failed attempts to reset the password in AT&T stores. AT&T was thoroughly “on notice” that Terpin was targeted by thieves. The company even suggested to him its “extra security” feature: a PIN of six digits instead of the usual four which was required before any account changes could be made.
Yet AT&T still failed to stop a rogue employee from resetting Terpin’s password remotely, bypassing its “extra security” through a backdoor the company knew or should have known existed, according to Terpin’s complaint. That password reset gave crooks access to credentials they subsequently used to execute the fraudulent “SIM swap” that gave them Terpin’s second-factor authentication codes.
A SIM swap is the diversion of a replacement SIM card from the device for which it is intended to one controlled by bad actors. It can be as easy as telling a customer service agent that your SIM card was damaged and you have a new mailing address. A new SIM card will be mailed to the new address, inserted into a phone, and your online accounts will do the bidding of whoever holds that phone.
Terpin is suing for $24 million in actual damages plus $200 million in punitive damages. Another zero on the punitive side seems appropriate to me. A copy of his complaint is here.
“We dispute these allegations and look forward to presenting our case in court,” is AT&T’s only comment. When $224 million is on the line, you can bet your legal team will dispute the allegations, and hope to negotiate a much smaller settlement.
Phishing Casts a Wide Net
You may think you have nothing to fear because you are much too small a fish for such sophisticated, elaborate phishing gear. You’re right, but that’s not what will be coming after you and your small savings account. Every novel, effective hacking tool begins with an expensive prototype applied to only the richest targets. Then it is “downcycled” into automated malware that costs virtually nothing to reproduce and sells for a few dollars to thousands of would-be cybercrooks. The result is a massive wave of attacks that rolls indiscriminately across the Internet, sweeping up little fish as well as whales.
In other words, your turn will come.
Note that Terpin’s attackers relied heavily on the assistance of his carrier’s employees, the customer service agents we all expect a company to provide. Security researcher Brian Krebs astutely notes, “In this view of security, customer service becomes a customer disservice.”
How You Can Protect Against SIM Swapping
Krebs suggests switching to an Internet-based virtual phone service, such as Google Voice, that does not offer human customer service agents who can be bamboozled or corrupted into helping hackers steal your credentials and money. It’s really not a bad idea; I have used Google Voice ever since it debuted in 2009, and I can’t say I’ve missed live help. Here is what to do:
Create a Google account if you don’t already have one. If you have a Gmail, Google Photos, or Google Drive account, that's fine.
Select a Google Voice phone number. Go here for the step-by-step procedures for doing so from a PC, an Android device, or an iOS device.
Download and install the Google Voice app on your mobile phone. Configure it as instructed by the app. That process will link your Google Voice number to your carrier’s number, so that calls and texts to or from your phone are handled by Google Voice.
Go to your profile at all of your major online accounts and replace your carrier’s mobile phone number with your Google Voice number. The latter will henceforth be used for authentication code transmissions.
Now you are free of your carrier’s greatest security risk, its employees. No one has ever sweet-talked or bribed a Google employee into resetting a password, because password resets are handled only by software.
The Big Four carriers, with Project Verify, want us to go in the opposite direction, deeper into their clutches. I am not inclined to accept their invitation.
More trustworthy alternatives exist. Payfone.com has been offering to enterprise customers multifactor authentication services very similar to those envisioned for Project Verify since 2007. SQRL – Secure, Quick, Reliable Login – has been postulated by Steve Gibson for at least as long.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 17 Sep 2018
|For Fun: Buy Bob a Snickers.|
Let My Phone Company Be My Online Identity – Are You Kidding?
The Top Twenty
Geekly Update - 19 September 2018
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [ALERT] SIM Swapping Scams (Posted: 17 Sep 2018)
Copyright © 2005 - Bob Rankin - All Rights Reserved