The court documents don’t name the store, so the reporters may not know the store. The company may have turned in the employee with the understanding they would just be “Company 1” in all court documents.
This is a timely post. I was going to do an "ask HN" on the best way to prevent a sim swap. I had heard about locking the SIM but then I heard this does not give much protection. What are your thought on best protection methods??
Just asked the same question, haha - it looks like some carriers allow you to lock your SIM from being ported to another number until you authorize it (either in person or through your accounts online). That being said, I guess if someone working at, say, Verizon was handling your switch, they might be able to switch it to a bad actor's phone before switching it to your legitimate one? Not entirely sure though -would love to hear a more informed answer.
I've worked for two UK telcos. There is no technical measure which you can apply.
Locking your SIM prevents someone from physically stealing the card and putting it in a different device - unless they know the PIN which protects it.
But that isn't the attack here.
The phone number does not belong to you - the network operator defines which SIM it points to. So a suitably authorised person at the telco can point the number to a new SIM card. That's helpful if you've lost your SIM but bad if an attacker wants to divert your number.
The best thing you can do is set a strong password on the account you have with the operator. You can also try ringing them and pretending to be you - see if they'll initiate a swap without proper authentication. If they do - move your number to a more reputable provider.
But there's nothing you as an individual can do to prevent a corrupt employee making the change without authorisation.
The best way to prevent a SIM swap is to not let your phone number be used as a trusted piece of authentication.
Sure, what this guy did was criminal. But not nearly as criminal as it should be for companies to unilaterally force customers into using snake oil authentication methods, just so they can check some new compliance boxes and pretend to be adding security.
Man... on top of the obvious moral issue with enabling this hack, I'm astounded that someone would do this for $1k per person. Putting my freedom on the line would be so much more expensive than that.
On a more technical note, is there any safeguard against SIM swaps? Something like a fingerprint scan that's tied to your SIM. I'm not familiar with phone hardware at all but I'd love to hear if someone's working on this type of thing
So you want to give your biometric info to a telecom? Are you nuts? We already have enough problems getting people to understand "IP's/SIM's/MAC's identify devices, not users".
I'm not saying it's ideal, it was just an example of something that I thought could address the issue. I agree that we should limit PII being given to companies, but I'm conflicted on how the average Joe can maintain some semblance of security as hackers get better at finding holes. If the software can identify you based on something that only you have, then that's a tall barrier to cross for hackers that also doesn't require a steep learning curve for most.
Just to reiterate, I am personally a fan of maintaining anonymity, particularly online. I'm just concerned that our increasingly aging population won't be able to keep up with security best practices and we may need some braindead solutions to keep them safe.
The telco is in charge of what SIM is mapped to a given number. There's not anything technical the customer can do there; access control is up to the telco.
The telco also needs a process to reclaim the number when you stop paying for it.
Often SIM swaps are done via porting the number to a different telco, and telcos are compelled to do ports in many jurisdictions.
If you're really worried about it, I guess you could look into what it takes to get a number block assigned to you as a competitive telco. That would likely be hard to get transfered out from under you, but the effort may not be worth it.
Also, if the price to get a sim swap is $1k (plus a % of ill gotten gains!), that's high enough to keep out untargetted attacks, IMHO, which isn't a terrible place to be.
Very informative - thanks for the explanation! I also forget that these attacks are usually very targeted (I guess I just imagine criminals swimming in money despite the old adage). I'll just have to do my best to be an unremarkable person.
Biometrics like fingerprint scans can only be used as a username, not a password.
Reusing passwords is a bad practice and having 200 different biometrics for 200 different services is not realistic. As soon as your fingerprint that you registered on your lost phone is leaked you will be in a world of trouble if you use it for other services.
(Also biometrics can change with time)
This works if you know about SIM swapping on day one of your life on the Internet, and refuse from day one. I probably have hundreds of Internet accounts, and no straightforward way to know which ones use SMS for 2-factor without trying to log in to them all. Further, many don’t use SMS for login but they do use it for password resets. So my only hope, if I want to clean house, is to sit down and try resetting my password on 400+ accounts one by one.
> For carrying the unauthorized number porting, Katz received $1,000 in Bitcoin per SIM swap (total of $5,000), plus an (unspecified) percentage of the profits earned from the illicit access to the victims' devices.
> ... I'm astounded that someone would do this for $1k per person.
It's entirely possible some of the brighter ones have gotten their co-workers username/password combinations, and are using those when doing dodgy stuff.
This is a good example of why SMS 2-factor is far less secure than TOTP or other methods. You do what everyone tells you, add 2-factor to your account, and then some rando at the local T-Mobile store enables SIM swapping for peanuts, and your whole digital life goes up in smoke.
If you have access to someone’s email account can’t you dl the totp authenticator and bypass this? Effectively that makes email the authenticator which isn’t better than a phone number and device
What do you mean by "dl the totp authenticator"? But the answer is no. Without the TOTP secret no one else can generate valid codes.
If you sync your secrets to some cloud service then yes, you are trusting that cloud service. And if you let your TOTP cloud service reset your account with an email then it probably isn't the most secure option.
But the important thing here is that the user is in control. They can memorize their secret if they want to an no one can take it from them. Or they can publish it online if they don't like security. With SMS 2FA you need to trust your telecom provider, I very much don't.
I meant “download the totp generator”. Correct me if I’m wrong but the totp generator has to linked with some account, the security of which is not managed by you, and is just as vulnerable as that account
TOTP is a completely offline protocol. Basically you scan a QR code which is a signing key that is saved to your phone. Then all your phone needs is an accurate time source, and periodically signs the current time with that key to produce a 6-digit code.
As such, no, it's not associated with anything from the source account. It is not challenge/response, and you can scan the QR code with 10 different phones and they will all produce the same codes at the same time.
No, TOTP is a cryptographic protocol for generating One Time Passcodes (OTP) based on a seed. Frequently this seed is displayed to the user as a QR code, but it is just a random string. The user will then somehow save this seed (usually by scanning the QR code with their TOTP app). When a password is required you just use the seed and the current time to generate a code. No accounts are required, just the current time and the seed.
You may be confusing TOTP with proprietary app-based 2FA solutions which just send the token in a push notification or similar.
The TOTP authenticator apps are usually initialized only once per account -- when the user first enables that 2FA for the account.
The system is designed to assume that the user doing the initializing that one time is the legitimate user.
(There's a bootstrapping problem for the authenticators, that the account provider needs to "trust once" that the user is legitimate. The best time to do that is as early as possible. Preferably when the account is set up, and before much value/dependence has been invested in the account.)
After that first initialization of an authenticator for an account, anyone trying to initialize another authenticator would have the burden of trying to prove to the account provider that they aren't just an illegitimate person trying to bypass the 2FA.
So, you probably can't just use email to do a "lost my authenticator lol", unless the account provider doesn't really care about 2FA, and has implemented it in a very weak way.
My favourite is TD Bank in Canada, who started supporting an authenticator app (but it had to be theirs) because it was more secure than SMS. Except...they also don't allow you to disable SMS as an option for 2FA. So whoever is logging in gets to choose whether to use the secure authenticator app, or SMS.
I prefer TOTP for privacy and control reasons, but I think you're overselling the disadvantages of SMS here. If you have to find and pay an inside guy to do SIM swaps, they'll be limited in the number they can do before getting caught so it really will only be suitable to do targeted attacks on targets you're pretty sure have something worth stealing.
There was a DND that talked about how sim swaps used to be a cakewalk over the phone social engineering exercise but were now kind of expensive to pull off and required a man in a physical location, with T-mobile remaining the easiest target. The black hat guy they were talking to said his first steps were finding a target worth swapping, usually some one that bragged a lot about bitcoin or some other crypto currency on twitter. And getting the phone number was usually really easy to do with a combination of OSINT and abusing the fact services will give you a partially masked phone number when you try to login.
I agree it's a threat that is not exactly easy to pull off. But my main issue with is is represents an attack vector that you can do exactly nothing to defend against yourself. If you use other forms of MFA, you are at least in charge. Sure you can lose your TOTP seed or something, but you have agency in how it is stored. SMS forces you to rely on companies that have log histories of failing to protect your phone number.
SMS MFA thwarts the vast vast vast majority of attacks that a typical user reality. Yes, you’re almost certainly a typical user. Considering usability issues related to TOTP, SMS MFA well and truly has its place. Computer nerds get so giddy about TOTP that they keep making these ‘perfect v good’ arguments. Be realistic here.
And this is where paranoids have the upper hand. Have a secondary secret phone number from another carrier exclusively for sms confirmations, using a dumb phone, which must be turned off when not expecting an automated code.
Preferably a prepaid sim bought anonymously. Extra points if bought in another country and has coverage in your area.
Does that help against an attacker determined enough to hack you that he'll pay $1000 for a SIM swap? Surely he has channels to figure out your "secret" phone number since you registered it with the service he's trying to hack into.
But it adds a layer of protection, doesn't it? Your known public phone number is one, your verification phone is another one from another carrier.
Is that really an additional layer of protection, or the same layer, slightly obscured? But probably not obscured from the attacker that managed to get your password and just needs the SMS verification code to get into your account.
You can probably figure out most people's default phone number by googling their name and going to one of those crappy white pages sites. Then try to login/do a password reset to their services and compare the masked phone number to the ones on the site. No advanced hacking or special channels required.
The trouble with compartmentalizing with a separate phone is that the company with your money probably also sold your secret phone number (that they only required for security) so it will probably also show up on that whitepages site.
You have to give this phone number to a bunch of services that you use, i.e.
all the ones that do sms confirmations. One data breach, and it isn't "secret" anymore.
> while he was a manager for a telecom firm. [...] abused his managerial position and highly privileged account at a mobile telecommunications store
Does not naming the company suggest that it's not considered liable?
> indicate five victims
Over what time period? Did the company detect and halt this quickly, and was conscientious about referring it to law enforcement?
I'm willing to agree a store/carrier/brand should be given a pass in a particular instance, but the bar for protecting against SIM-swapping has to be pretty high, considering what an attractive vulnerability that is.
With poor technology and poor regulation around some big-ticket authentication problems right now, one mechanism we do have is brand reputation.
For example, if people seem to keep hearing about SIM swaps involving carrier X or store Y, then some people are going to start thinking that brand is sketchy, and more likely to get your bank account emptied or computer accounts hacked. So then all the brands would have more incentive to be very diligent about internal controls, very cautious about partners and outsourcing, etc.
But if it's always just an unnamed phone store SIM-swapping for an unnamed carrier, or an unnamed carrier's support call center, then that brand reputation mechanism is defeated.
Telecom in New Jersey is code for Verizon Wireless[1].
If I were the Verizon Wireless CEO, I'd own it and pledge to resolve as best I can. And maybe they have, I haven't looked yet.
Edit: I had it backwards. Not AT&T, but rather Verizon. Changed. "Telecom in Georgia" would allude to AT&T. "Telecom in Kansas (or maybe Bellevue, WA now)" to T-Mobile, etc.
Retail employees would perform sim swaps at locations I worked at for about $250-300. This was circa 2006 so I’m not surprised that people do it for $1000 with inflation.
The reality is that cell phone employees are paid just above minimum wage, so asking them to protect a system that has the capacity for multiple millions of fraud by simply changing a sim is hard.
The good news is that they made it much much harder for retail employees to access your account without your consent. You almost universally need a pin or last 4 of a social to access a customer account now without a manager override.
This is a huge improvement from the time I worked entry-level retail at AT&T when I could see any customer’s full social or tax ID by typing their phone number into the point of sale!
Imagine being 18, poor as fuck, and able to see anyone’s financial information. I was moral, but I knew tons of people who just took out loans as if they were the customer committing massive fraud. It was very hard for AT&T to catch this kind of identity theft. I’m glad systems are becoming safer over time.
last 4 digits of SSN are regularly found in data leaks.
what is worst is you CANNOT change it if your data is leaked from 3rd party site.
conclusion: NEVER use phone number as 2FA, Always assume your cell number will be swapped, always use other more secure factor, especially if it has anything to do with money $$$
Do you mean never use your phone number as 2FA if other 2FA options are not available? Most major retail banks (BofA, Chase, Citi, etc) all offer mobile as the only, if not primary, 2FA option.
Unfortunately the vast majority of services only support SMS or email 2FA. I've set up a real 2FA app for every site I use that supports it, and that number is four: gitlab, github, discord, and my domain name provider. My bank, my utilities, my insurance, everything only supports SMS if they support 2FA at all. Most just don't.
Completely agree using last-4 SSN is terrible, but some light in the tunnel exists. It is possible to change it, although it is as you would expect, quite annoying: https://faq.ssa.gov/en-us/Topic/article/KA-02220
The two factor authorization using a phone number isn't such a strong protection after all, is it.
I wonder who thought it was a good idea in the first place. Maybe their real intent was to collect people's phone numbers instead of protecting their accounts.
Many people reuse passwords. Forcing SMS 2FA is something that they can feasibly do, because almost everyone can receive SMS and greatly raises the difficulty of credential stuffing (from just stuffing to needing to do a SIM swap). This solves a lot of problems for service providers.
Another benefit is that they can block duplicate accounts with the same phone number, this effectively adds a cost to account creation which can help to reduce spam.
And yes, some will then use it to spam or sell.
I don't think anyone ever thought that SMS 2FA was strong protection. It mostly benefits the service operators by reducing spam and stolen accounts.
Because SMS MFA is orders of magnitude more secure than no MFA, and there are barriers to entry for TOTP that there simply aren’t for SMS. This is an unsubstantiated conspiracy theory.
Another reason in an increasingly long list of reasons that being a T-Mobile postpaid customer is frustrating: Customers haven't been able to manage our own physical or electronic SIMs for almost two years. T-Mobile shut down the online self-service process with the claim of making it "more secure".
Meanwhile, SIM swaps continue by malicious actors with seemingly nothing that can be done to stop them. So I can't swap my own SIM without waiting on hold for an hour or two, either by chat or on the phone, but the scammers can do it with apparent impunity. (I have tried messaging T-Mobile's help group on Twitter but they seem to be the only competent support available and thus are also incredibly backlogged.)
I get that providers have to cater to the lowest common denominator but I wish there was a MVNO or similar who would allow use of authenticator keys and maximum level self service, with the understanding that if I break or lose my authentication methods, I am out of luck. Right now, my current carrier seems the worst of both choices.
You can’t receive shortcode or other SMSs for X hours after porting/doing a SIM replacement. Maybe just block everything with numbers in it, or “code” or “security” for this time.
Now if your phone goes dark, you get some notice to take action before your world falls apart.
Until carriers are hit with substantial penalties, this will continue. T-Mobile allowed a SIM swap at a retail store on my line, which I noticed in real-time. Corporate couldn’t have cared less, even though I had all the names and location and detail from the store after I investigated myself.
Worst part? They send a text saying, in effect, “we’re chabeing your SIM in 15 minutes unless you call us”
This is AFTER their supposed security improvements, but then again so are the two other hacks where customer data was leaked.
Don’t use SMS 2FA and set the most obnoxious ringtone for your carrier’s short codes. Take the most defensive approach to being a cell customer because the carriers won’t save you.
wrong question imho. TOTP is current MFA industry-standard (again imo)—and their creation, storage, and management is trivial. pick your reputable tool.
the receipt of TOTP via SMS, regardless of telephony platform, however, is generally frowned upon by security heads.
86 comments
[ 2.8 ms ] story [ 72.2 ms ] threadDoes knowing the employee did it make the company liable for damages?
Locking your SIM prevents someone from physically stealing the card and putting it in a different device - unless they know the PIN which protects it.
But that isn't the attack here.
The phone number does not belong to you - the network operator defines which SIM it points to. So a suitably authorised person at the telco can point the number to a new SIM card. That's helpful if you've lost your SIM but bad if an attacker wants to divert your number.
The best thing you can do is set a strong password on the account you have with the operator. You can also try ringing them and pretending to be you - see if they'll initiate a swap without proper authentication. If they do - move your number to a more reputable provider.
But there's nothing you as an individual can do to prevent a corrupt employee making the change without authorisation.
Sure, what this guy did was criminal. But not nearly as criminal as it should be for companies to unilaterally force customers into using snake oil authentication methods, just so they can check some new compliance boxes and pretend to be adding security.
On a more technical note, is there any safeguard against SIM swaps? Something like a fingerprint scan that's tied to your SIM. I'm not familiar with phone hardware at all but I'd love to hear if someone's working on this type of thing
We don't need to make shit worse.
Just to reiterate, I am personally a fan of maintaining anonymity, particularly online. I'm just concerned that our increasingly aging population won't be able to keep up with security best practices and we may need some braindead solutions to keep them safe.
The telco also needs a process to reclaim the number when you stop paying for it.
Often SIM swaps are done via porting the number to a different telco, and telcos are compelled to do ports in many jurisdictions.
If you're really worried about it, I guess you could look into what it takes to get a number block assigned to you as a competitive telco. That would likely be hard to get transfered out from under you, but the effort may not be worth it.
Also, if the price to get a sim swap is $1k (plus a % of ill gotten gains!), that's high enough to keep out untargetted attacks, IMHO, which isn't a terrible place to be.
You can be court ordered/forced to put your thumb on the home button.
You can’t be forced to remember a password you “forgot” ;)
The only solution is to refuse to use SMS for 2FA. If a service requires it, use a different service.
So, a little more than $1k pp
It's entirely possible some of the brighter ones have gotten their co-workers username/password combinations, and are using those when doing dodgy stuff.
There is. Some Russian banks detect when SIM identifier has changed and refuse to send SMS codes to a new SIM card.
If you sync your secrets to some cloud service then yes, you are trusting that cloud service. And if you let your TOTP cloud service reset your account with an email then it probably isn't the most secure option.
But the important thing here is that the user is in control. They can memorize their secret if they want to an no one can take it from them. Or they can publish it online if they don't like security. With SMS 2FA you need to trust your telecom provider, I very much don't.
As such, no, it's not associated with anything from the source account. It is not challenge/response, and you can scan the QR code with 10 different phones and they will all produce the same codes at the same time.
You may be confusing TOTP with proprietary app-based 2FA solutions which just send the token in a push notification or similar.
The system is designed to assume that the user doing the initializing that one time is the legitimate user.
(There's a bootstrapping problem for the authenticators, that the account provider needs to "trust once" that the user is legitimate. The best time to do that is as early as possible. Preferably when the account is set up, and before much value/dependence has been invested in the account.)
After that first initialization of an authenticator for an account, anyone trying to initialize another authenticator would have the burden of trying to prove to the account provider that they aren't just an illegitimate person trying to bypass the 2FA.
So, you probably can't just use email to do a "lost my authenticator lol", unless the account provider doesn't really care about 2FA, and has implemented it in a very weak way.
There was a DND that talked about how sim swaps used to be a cakewalk over the phone social engineering exercise but were now kind of expensive to pull off and required a man in a physical location, with T-mobile remaining the easiest target. The black hat guy they were talking to said his first steps were finding a target worth swapping, usually some one that bragged a lot about bitcoin or some other crypto currency on twitter. And getting the phone number was usually really easy to do with a combination of OSINT and abusing the fact services will give you a partially masked phone number when you try to login.
There is also that some services don't accept foreign numbers for authentication. Nor virtual phone numbers.
But it adds a layer of protection, doesn't it? Your known public phone number is one, your verification phone is another one from another carrier.
Is that really an additional layer of protection, or the same layer, slightly obscured? But probably not obscured from the attacker that managed to get your password and just needs the SMS verification code to get into your account.
The trouble with compartmentalizing with a separate phone is that the company with your money probably also sold your secret phone number (that they only required for security) so it will probably also show up on that whitepages site.
You have to give this phone number to a bunch of services that you use, i.e. all the ones that do sms confirmations. One data breach, and it isn't "secret" anymore.
Does not naming the company suggest that it's not considered liable?
> indicate five victims
Over what time period? Did the company detect and halt this quickly, and was conscientious about referring it to law enforcement?
I'm willing to agree a store/carrier/brand should be given a pass in a particular instance, but the bar for protecting against SIM-swapping has to be pretty high, considering what an attractive vulnerability that is.
With poor technology and poor regulation around some big-ticket authentication problems right now, one mechanism we do have is brand reputation.
For example, if people seem to keep hearing about SIM swaps involving carrier X or store Y, then some people are going to start thinking that brand is sketchy, and more likely to get your bank account emptied or computer accounts hacked. So then all the brands would have more incentive to be very diligent about internal controls, very cautious about partners and outsourcing, etc.
But if it's always just an unnamed phone store SIM-swapping for an unnamed carrier, or an unnamed carrier's support call center, then that brand reputation mechanism is defeated.
If I were the Verizon Wireless CEO, I'd own it and pledge to resolve as best I can. And maybe they have, I haven't looked yet.
Edit: I had it backwards. Not AT&T, but rather Verizon. Changed. "Telecom in Georgia" would allude to AT&T. "Telecom in Kansas (or maybe Bellevue, WA now)" to T-Mobile, etc.
1. https://en.wikipedia.org/wiki/Verizon_(mobile_network)
Also, once the log was audited it pointed to the individual that is facing sentencing in July, no?
Retail employees would perform sim swaps at locations I worked at for about $250-300. This was circa 2006 so I’m not surprised that people do it for $1000 with inflation.
The reality is that cell phone employees are paid just above minimum wage, so asking them to protect a system that has the capacity for multiple millions of fraud by simply changing a sim is hard.
The good news is that they made it much much harder for retail employees to access your account without your consent. You almost universally need a pin or last 4 of a social to access a customer account now without a manager override.
This is a huge improvement from the time I worked entry-level retail at AT&T when I could see any customer’s full social or tax ID by typing their phone number into the point of sale!
Imagine being 18, poor as fuck, and able to see anyone’s financial information. I was moral, but I knew tons of people who just took out loans as if they were the customer committing massive fraud. It was very hard for AT&T to catch this kind of identity theft. I’m glad systems are becoming safer over time.
Last four of a social is a terrible additional form of security.
Even four random digit pins isn’t particularly secure if they don’t have proactive monitoring of attempts.
what is worst is you CANNOT change it if your data is leaked from 3rd party site.
conclusion: NEVER use phone number as 2FA, Always assume your cell number will be swapped, always use other more secure factor, especially if it has anything to do with money $$$
I wonder who thought it was a good idea in the first place. Maybe their real intent was to collect people's phone numbers instead of protecting their accounts.
Another benefit is that they can block duplicate accounts with the same phone number, this effectively adds a cost to account creation which can help to reduce spam.
And yes, some will then use it to spam or sell.
I don't think anyone ever thought that SMS 2FA was strong protection. It mostly benefits the service operators by reducing spam and stolen accounts.
Kinda like SSNs though, I think it's way past the point when a better designed system should have been developed. Sadly, that costs a lot of money.
Meanwhile, SIM swaps continue by malicious actors with seemingly nothing that can be done to stop them. So I can't swap my own SIM without waiting on hold for an hour or two, either by chat or on the phone, but the scammers can do it with apparent impunity. (I have tried messaging T-Mobile's help group on Twitter but they seem to be the only competent support available and thus are also incredibly backlogged.)
I get that providers have to cater to the lowest common denominator but I wish there was a MVNO or similar who would allow use of authenticator keys and maximum level self service, with the understanding that if I break or lose my authentication methods, I am out of luck. Right now, my current carrier seems the worst of both choices.
You can’t receive shortcode or other SMSs for X hours after porting/doing a SIM replacement. Maybe just block everything with numbers in it, or “code” or “security” for this time.
Now if your phone goes dark, you get some notice to take action before your world falls apart.
Worst part? They send a text saying, in effect, “we’re chabeing your SIM in 15 minutes unless you call us”
This is AFTER their supposed security improvements, but then again so are the two other hacks where customer data was leaked.
Don’t use SMS 2FA and set the most obnoxious ringtone for your carrier’s short codes. Take the most defensive approach to being a cell customer because the carriers won’t save you.
the receipt of TOTP via SMS, regardless of telephony platform, however, is generally frowned upon by security heads.