[ALERT] SIM Swapping Scams

Category: Mobile

Even as the four major mobile service providers assert that we can trust them with our online identities, one of them stands in court accused of betraying a customer’s identity to thieves not just once, but twice in six months, ultimately costing him $24 million. Read on to learn about the SIM swap scam, and how you can protect yourself...

Don't Let Your SIM Get Swapped

The jaw-dropping carelessness that permitted this gigantic scam should squelch any hopes that any mobile carrier may harbor of becoming your trusted identity authenticator, for it is completely typical of every one of them. (See my article "Let My Phone Company Be My Online Identity – Are You Kidding?" from last week, with my thoughts on Project Verify.)

Cryptocurrency investor Michael Terpin alleges that on January 7, 2018, AT&T was negligent in allowing hackers to divert a replacement SIM card to a phone they controlled. They then requested password resets for Terpin’s online accounts.

Following current “best practices,” the services sent plain-text codes to Terpin’s phone via insecure SMS to authenticate his identity. But the codes followed the new SIM card into the hands of the crooks, who reset the passwords and thus gained full control of Terpin’s cryptocurrency accounts, which they proceeded to loot.


The final attack was preceded on June 11, 2017, by a bogus remote password reset of Terpin’s phone, which was itself preceded by eleven (11) failed attempts to reset the password in AT&T stores. AT&T was thoroughly “on notice” that Terpin was targeted by thieves. The company even suggested to him its “extra security” feature: a six-digit PIN instead of the usual four, which would be required before any account changes could be made.

Yet AT&T still failed to stop a rogue employee from resetting Terpin’s password remotely, bypassing its “extra security” through a backdoor the company knew or should have known existed, according to Terpin’s complaint. That password reset gave crooks access to credentials they subsequently used to execute the fraudulent “SIM swap” that gave them Terpin’s second-factor authentication codes.

A SIM swap is the diversion of a replacement SIM card from the device for which it is intended to one controlled by bad actors. It can be as easy as telling a customer service agent that your SIM card was damaged and you have a new mailing address. A new SIM card will be mailed to the new address, inserted into a phone, and your online accounts will do the bidding of whoever holds that phone.

Terpin is suing for $24 million in actual damages plus $200 million in punitive damages. Another zero on the punitive side seems appropriate to me. A copy of his complaint is here.

“We dispute these allegations and look forward to presenting our case in court,” is AT&T’s only comment. When $224 million is on the line, you can bet your legal team will dispute the allegations, and hope to negotiate a much smaller settlement.

Phishing Casts a Wide Net

You may think you have nothing to fear because you are much too small a fish for such sophisticated, elaborate phishing gear. You’re right, but that’s not what will be coming after you and your small savings account. Every novel, effective hacking tool begins with an expensive prototype applied to only the richest targets. Then it is “downcycled” into automated malware that costs virtually nothing to reproduce and sells for a few dollars to thousands of would-be cybercrooks. The result is a massive wave of attacks that rolls indiscriminately across the Internet, sweeping up little fish as well as whales.

In other words, your turn will come.

Note that Terpin’s attackers relied heavily on the assistance of his carrier’s employees, the customer service agents we all expect a company to provide. Security researcher Brian Krebs astutely notes, “In this view of security, customer service becomes a customer disservice.”

How You Can Protect Against SIM Swapping

Krebs suggests switching to an Internet-based virtual phone service, such as Google Voice, that does not offer human customer service agents who can be bamboozled or corrupted into helping hackers steal your credentials and money. It’s really not a bad idea; I have used Google Voice ever since it debuted in 2009, and I can’t say I’ve missed live help. Here is what to do:

Create a Google account if you don’t already have one. If you have a Gmail, Google Photos, or Google Drive account, that's fine.

Select a Google Voice phone number. Go here for the step-by-step procedures for doing so from a PC, an Android device, or an iOS device.

Download and install the Google Voice app on your mobile phone. Configure it as instructed by the app. That process will link your Google Voice number to your carrier’s number, so that calls and texts to or from your phone are handled by Google Voice.

Go to your profile at all of your major online accounts and replace your carrier’s mobile phone number with your Google Voice number. The latter will henceforth be used for authentication code transmissions.

Now you are free of your carrier’s greatest security risk, its employees. No one has ever sweet-talked or bribed a Google employee into resetting a password, because password resets are handled only by software.

The Big Four carriers, with Project Verify, want us to go in the opposite direction, deeper into their clutches. I am not inclined to accept their invitation.

More trustworthy alternatives exist. Payfone.com has been offering enterprise customers multifactor authentication services very similar to those envisioned for Project Verify since 2007. SQRL – Secure, Quick, Reliable Login – has been proposed by Steve Gibson for at least as long.

Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted by on 17 Sep 2018


Most recent comments on "[ALERT] SIM Swapping Scams"

Posted by:

Kenneth Heikkila
17 Sep 2018

I can't imagine the amount of time it would take to change my phone number at all my "major online accounts." Or maybe I can and that is what scares me.

Posted by:

17 Sep 2018

Another scary article... AT&T was broken up in the '70s/'80s because it had become 'too big'... but has grown again into a 'gigantic mess' and needs to be dissolved again. Had AT&T two or three decades ago, and had 'their problems' with their 'services'. NEVER again!

Posted by:

Michael Shames
17 Sep 2018

I, too, have used Google Voice since about 2010 and have used Project Fi for the last three years (they are largely integrated, at this point). Very pleased with both services. I echo Bob's recommendation. I will note, however, that dealing with humans at Google is possible through email and chat functions. That said, they've proved to be quite competent and well-trained. I've a lot less concern that they'd be sweet-talked or complicit in a hack.

Posted by:

Daniel Wiener
17 Sep 2018

I've used Google Voice for the past six years, having converted what had been our land line phone number for three decades over to Google Voice, then set it to permanent "Do Not Disturb" mode so that everything goes to voice mail. Google Voice also emails me transcripts of voice messages and texts, so I can immediately see if I've received any important calls (as opposed to the endless telemarketing calls which I easily ignore).

As Bob suggested, I use my Google Voice phone number for all of my account information. I'd just as soon not have businesses contact me on my cell phone except for very specific and limited purposes. I didn't know about this new threat, but I'm glad that I'm already pretty well protected.

Posted by:

17 Sep 2018

I hope they do give him another "0". AT&T is not consumer friendly and I am not too sure why they even want consumers!

Posted by:

17 Sep 2018

I've been using Google Voice since 2010 as well. CAUTION: a problem with using Google Voice is that if your Google Voice is set to "Forward messages to linked numbers" and your cell number is linked and selected, the reset info will still be sent to whatever cell phone has the valid SIM. So, you need to change your Google Voice settings to not have anything forwarded to the cell number.

Posted by:

17 Sep 2018

I have had a GV number for several years. I still resist installing any GV app. Just another tool for Google to collect data about you. Chrome works just fine managing GV. Also, there are many other SMS apps that give you a free phone number. Many of these do not have the requirement to know your real phone number. Once established you can get other apps such as WhatsApp activated.

Posted by:

Bill R
17 Sep 2018

For a Google Voice number to be the "two" factor, it must belong to a different Google account than the primary Gmail account. Otherwise, if someone got access to the primary account they could also see any text messages sent to GV. I also think you would need to be sure Google Passwords for the first account never saves the password for the second account. Anyone please correct me if my understanding is wrong.

Posted by:

17 Sep 2018

Some questions:

* Are you ok with giving Google Voice app permissions to EVERYTHING on your phone?

* With Google being as invasive and secretive as they've been lately, how do you reconcile the text issue with the permissions issue?

* Does trusting GV app outweigh the risks of your phone's text messages?

Cybersecurity is really getting tricky these days. 😯

Posted by:

Sarah L
18 Sep 2018

So there is a problem when replacing a sim card on a mobile phone. There are no chances for problems with Google Voice? None at all?
I agree that AT&T help is hobbled by making everyone a salesperson; no one I have contacted by telephone is purely a technical help person. The technicians are great, the ones who come to my place to install broadband, but I talk to them in person, and they never try to sell me anything.

Posted by:

mike wax
18 Sep 2018

I don't understand. How does Google Voice work? Google does not have a cellular network, so how can you make a call through Google Voice?
And what does it cost?

Posted by:

Bob Kinsler
19 Sep 2018

That is why I use a flip phone, no internet connection.

Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [ALERT] SIM Swapping Scams (Posted: 17 Sep 2018)
Source: https://askbobrankin.com/alert_sim_swapping_scams.html