70 comments

[ 4.9 ms ] story [ 128 ms ] thread
Ah yes, of course they were only caught because the two had a falling out and then one swatted the other.
lmao, I want to know how the incident response was. Can't find an article on that. The indictments make it seem like the authorities immediately laughed and charged them both.
It’s the 21st century prisoners dilemma.

You and your partner stole a bunch of Bitcoin via SIM swapping. If you split it, you each get half. If you don’t split it, the other one will SWAT you and you both go to jail.

Not to nitpick this brilliant comment, but it's more of an iterated prisoner's dilemma over multiple thefts. If one expected the charade to go on forever then the optimal strategy is indeed TFT (https://en.wikipedia.org/wiki/Tit_for_tat) but a criminal well-advised in game theory could calculate a threshold gain beyond which it is optimal to compete.
To be even more nitpicky, it isn’t really a prisoners dilemma; defecting is not rewarded at all since both people went to prison if anyone defects. The defector did not get charged with a lesser crime or anything.
I'm a blockchain pro and there was a couple month period in 2017 when tons of people I know got SIM swapped including me. The T-Mobile call person kept asking me "Are you sure you didn't go into a store in Detroit and ask for your phone to be changed? They showed an ID!" No, I didn't do that.

Luckily I had 2-factor for everything, but I know some people who lost a lot. SMS is totally broken, use 2FA and hardware key if you can.

The craziest one was two people at another firm were sending each other a lot of money, and sent the address over Telegram. The hacker manipulated the address in the message - they checked after the (failed) transaction and the address sent was different than the address in the message received! I think the most likely cause was that the receiver's computer was rooted and the application itself was manipulated on the device, rather than the message contents changed en-route. This is why I recommend both visual and audio confirmation when sending large amounts.

I was also the victim of a T-Mobile SIM swap back in February.

My assumption is that the attackers target individuals that have a high likelihood of owning bitcoin or other digital currency. This can be easily determined by looking at data breaches, and targeting emails that are found both on a cryptocurrency breach and a personal information breach with phone number, name, address, and anything else that would help impersonate the victim.

They accessed my insecure email with SMS authentication, but everything else was locked down more securely. Also, since that day I have been getting 20 times more spam calls and texts, I'm guessing they added my number to some other targeted list.

I SIM swapped myself twice on Sprint without authorization at an Apple store. Sales reps can generate a one time code for Sprint Support that allows them to bypass some of the IVRs and prove the call is coming from an Apple Store. Sprint support won't ask for a PIN or SSN. Just the line's number. Bam!

How many people can do this? See those mom and pop "authorized resellers" at the mall? Yeah.

When someone stole my identity and opened up 8 lines they did it all at “authorized reseller” phone booths. I believe it was at a Costco.

AT&T still let them order 4 new lines on a new account even though I already had an account with 2 lines.

> This can be easily determined by looking at data breaches, and targeting emails that are found both on a cryptocurrency breach and a personal information breach with phone number, name, address

... and this is why you should never use your identity for these things.

KYC is a security liability.

Happened to one of my friends who was also on T-mobile and had some bitcoins at some point. They got into his email and coinbase account, but he was holding any bitcoin so they tried to buy some which was declined by the credit card.
Why are the phone companies not responsible for swapping the number over?

In a similar vein, I've known people who had unsigned checks stolen and their signature forged very poorly. The banks are supposed to check the signature, so why aren't the banks liable?

(comment deleted)
The phone company is giving you a phone number, it doesn't want to be responsible for providing security for your financial and private life.
Yes, it's really quite amazing to watch all companies including the US government pretty much task the mobile networks with providing plausible deniability that they verified your identity. They get to point to the mobile networks (or you) if there's a problem, and the mobile networks get to say, legally, it's not their problem...because it isn't.
> The banks are supposed to check the signature,

Actually no, not anymore after the "Check 21" act. They're not responsible for verifying any aspect of the check. Kind of a crock.

I know of a number of oil companies who had tens, if not hundreds of millions of dollars stolen in 2016. Their accountants were spear phished and their outboxes were closely monitored. When an outbound invoice was sent the email was caught and then altered to show the fraudsters bank and routing numbers. Oil companies are notoriously slow to pay (and frequently take lots of nudging to get a payment out) so the payment never showing up didn't seem out of the ordinary.

It was all kept hush hush to prevent copycat attacks. It took intervention from the FBI and a big netsec firm to even figure out how it had happened.

OK, time to write an article and submit here. That sounds way too interesting for just a comment!
(Googler, opinions on my own)

This is a nice benefit of Google Fi. Since swap attacks are not possible with it, as customers support agents aren't able to do sim swaps. Sims for Google Fi are fully tied to your Google account, and you must have access to that account to be able to register or unregister a phone.

I'm guessing this likely also applies to a Google Voice account phone number.
Unfortunately Google Fi has its own set of issues that make it unpalatable as a primary mobile phone service: https://onemileatatime.com/google-fi-review/
I believe this is around when Google Fi expanded to support iOS? I think there were some admitted growing pains around that time, and they've worked to improve it since then. Hard to say.
What happens when Google spontaneously bans your account for no reason?
Is there a guarantee that Google won't add this feature in the future? What if people lost their phones etc.?

I think the risk is too big. Use U2F, or something similar.

If you lose your phone you simply contact customer support to mail you a new SIM card (Not sure how it works with eSIM, but I assume something similar)
Having unempowered customer support agents may mean customer support agents can't take over your account, and can't be social engineered into taking over your account. But it also means people who only have a phone and lose it with the sim and also don't remember their password (perhaps because it's never prompted for) are going to have a hell of a time getting their account back.
> This is a nice benefit of Google Fi. Since swap attacks are not possible with it, as customers support agents aren't able to do sim swaps.

Are you sure that this is the case? According to https://support.google.com/fi/thread/761170 there was at least one case where support agents moved a Fi number from a locked account to a newly reopened account, without the user being able to access the locked account:

> I call Google Support and the amazing Google Support rep I spoke to (The only good one I’ve talked to so far during this whole process) stayed with me for over an hour and worked with tier 2 support in getting my Project Fi number transferred to Account 2.

A SIM swap with Fi might be harder to accomplish than with a regular provider, but it looks like there's still the risk that someone manages to convince a support agent to move the number to a different account.

What happens if the SIM is damaged, lost, or stolen?
It's insane to me that the only thing standing between me and having my life ruined is some minimum wage cell phone store employee.

Text message based 2FA needs to die.

The only solution I have found to this is to have accounts for which I never give out the account number to anyone and only leave a little bit of cash in the accounts I transfer money out of.
There are plenty of ways to ruin someone’s life with access to their phone number beyond compromising their accounts with 2FA.

What really needs to die is giving privileged access to underpaid monkeys.

> What really needs to die is giving privileged access to underpaid monkeys.

This in uncalled for.

You might reconsider this opinion once you or someone you know loses money and/or time because of some CS idiot. I’ve had my fair share of such incidents (so much that I’m paying 10x more for an enterprise-grade leased line just to not have to talk to them ever) and I no longer have any sympathy for those people.
Heh.

I started my tech career in a call center. Were there people there that shouldn't have had that job? Sure. Do those people deserved to be belittled by calling them monkeys? No fucking way. Show some damn respect for your fellow man.

I was a "CS monkey" for two years at Google. A job I was overqualified for but it was the only thing that got me into a major tech company.

(Nobody at big tech companies ever bothered to even phone screen me for SWE roles)

Also your enterprise account managers often are clueless and just ask the support team - certainly what happened in my experience.

I worked for Software Etc. for a while. I remember thinking "they pay us peanuts and they expect monkeys".

This was demonstrated by the two fat binders filled with procedures for EVERYTHING that were supposed to followed to the letter.

Or they could pay workers with privileged access more.
It also causes stupid trouble for those of us that travel alot, or split time between countries. SMS 2FA is my sworn enemy.
Yes, so much this. I want to be more secure but don't want the solution tied to my American phone number. I've even thought of getting a dual-sim phone just so I won't get locked out of my accounts when abroad and using a local sim.
Started to use Google Voice everywhere after telling my bank about it. They were OK, as long as they can call it from a landline. So I can slowly move away from SIMs.

Virtual numbers from providers like Twilio, Plivo or Signalwire help too. They have 2FA mostly and couldn't be SIM-swapped (I hope). Google account security is quite good too.

I am afraid of google killing it eventually. I wonder if there's an alternative. Interestingly, Google Voice is now part of gcloud, so there might still be some hope for it.
> minimum wage

Seems unnecessary.

I think it’s relevant and it’s not a smear against the worker, but the job.

If you’re making minimum wage, how much do you really care about your job in general? You’re probably regarded as disposable.

I understand that interpretation and I think it's valid. I also think that particular string "some minimum wage worker" has a long nose to look down and you shouldn't condescend or distrust lower compensated employees.
I always interpretted "minimium wage" as "cheap to bribe and often effectively anonymous" in the objection in security contexts as that tends to matter more than lack of attention or aptitude. More of an argument to the opposite that the company should be either treating the access to the secure data/job better or promoting more loyalty. Plus any form of validation/licensing/training (say like bonded couriers for example) essentially requires both being paid for and the marginal cost encourages raising the rate so they don't change jobs as readily means it is no longer minimum wage even if it is still low on the worker totem pole.
I 100% agree.

I also trust fast food employees to effectively sanitize, even if their position does not command a wage increase.

I stand by my initial argument with the wording and I'd rather not tangent down ethics, policy, hypotheticals.

I am just expressing a bad taste, that is all.

Seems the problem would be solved if someone would hold the phone companies accountable.

These problems seem easily solvable with MFA and a VPN, and if anyone should be an expert in networks, you would think it would be a telecom company.

This is gross negligence being passed off to the public as standard operating procedure.

It's crazy that companies are still using SMS for 2FA. TOTP solves this problem is a much more elegant way and is immune to such attacks.
You might have set up TOTP and removed SMS 2FA on Gmail but don't forget to remove your phone number as a recovery method as this can be equally devastating when exploited by SIM Swapping.
Ahh, this is a great tip. I’ll have to double check now.

Thanks.

(comment deleted)
I read these things and realize that statistically there must be 'non idiot' criminals out there. And I am guessing that they just profit day in and day out.
There are. But it only takes one mistake and you're caught. I think most of the guys that do this for a living probably live in countries like Russia where the government doesn't cooperate with US authorities and they are basically free to do whatever they want as long as it doesn't screw over their home country.
If you are smart, there are legal ways to make money without risking jail.
(comment deleted)
All that is needed is making even more money in illegal ways to tempt the smart but unethical. (Smart and "ethical" lawbreaking tends to be done for its own end.) an ideally structured system of law and market it is Not Worth It, usually for something that is in MMO terms "high aggro". Say operating a hitman for hire service or selling nuclear weapons it becomes very worth it to set up so that the majority of the small but very bad market is filled with FBI sting operations because almost all other operators are in jail.

In other less ideal situations especially with institutionalized corruption or shaky monopoly on violence such that it can not only pay better but effectively drag them into crime like to run an otherwise perfectly honest business you need goons to not be under someone's racket/pay bribes to operate and maintaining them becomes a slippery slope to collect protection money or forcing out competitors.

It’s crazy that critical infrastructure providers (cell carriers) aren’t even using U2F internally, where they can mandate the rollout.

Public utilities in the US need an overhaul.

Is there anywhere to read about cell carriers or other infrastructure providers in other nations implementing U2F? That sounds very interesting.
Using phone numbers for verification is just stupid. I've switched phones a few times over the years and just got a new number rather than keeping my old one and i got locked out of my accounts because i didn't have access to the old number anymore. Stuff like Authy and Google Authenticator exist, I think it's time companies started using them.
Even the US government uses it, such as for logging into your Social Security account.
I was shocked that login.gov even allows Yubikeys. Wish more banks would follow their lead.
Specifically login.gov implements WebAuthn.

So this should mean you can use the built-in biometric security of an iPhone or high end Android since those can also be used with WebAuthn in the built-in browser or with Firefox, or any security key, not just a Yubikey.

WebAuthn is easier (one tap login), it cannot be phished, it's privacy preserving, and yet somehow here we are in 2020 and most sites are like "Hmm, maybe we should add SMS 2FA?"

And what happens if you lose your Yubikey?
login.gov requires you to pick two second factors. So, either you had two Yubikeys (or I mention in a parallel sub-thread, any other type of FIDO Security Key or WebAuthn capable platform) or you had an entirely different second factor and that still works.
Shameless plug: my company has launched an alternative authentication modality that eliminates this issue, yet is also app-less and requires no download. It is also not limited in the ways FIDO authenticators are today, yet provides the same level of security because it can actually leverage FIDO authenticators if needed. Soft launch was last week. Email in my profile if this piques your interest and I can send more info directly.
Enforce that the source ip address is from your private companies VPN -- for all internal software.
Does using Google Voice on a Google account that doesn’t forward via SMS and is used for nothing else provide any protection against SIM swapping? I would hope that Google has better security practices than the mobile carriers and that it’s a lot harder to steal a GV number.