How Criminals Recruit Telecom Employees To Help Them Hijack SIM Cards (vice.com) 28
An anonymous reader writes: Sources who work for some of America's major cellphone carriers tell us how criminals are trying to recruit them to get help hacking victims. Normally, criminals approach them online, offering to pay them in Bitcoin (the equivalent of $100 for example). In exchange, the employee has to log into a company portal and process a so-called SIM swap. From the report: How criminals find the employees in the first place can vary. Some SIM hijackers I spoke to told me they approach them through shared friends in real life, others told me they just comb LinkedIn, Reddit or social media sites. AT&T and Sprint did not respond to requests for comment about whether or not it had any knowledge of insiders helping criminals. A T-Mobile spokesperson said in a statement that the company is "aware of these ongoing and ever-changing attempts to take advantage of consumers across the wireless industry and we'll keep fighting to ensure our customers' safety." A Verizon spokesperson said the company doesn't share details of internal security processes or investigations, but the company "has systems in place that work to detect employee/vendor misconduct."
The 115th Rule Of Acquisition: (Score:1)
why can't the stores just move sims and not swap (Score:2)
why can't the stores just move sims and not swap them all the time??
Re: (Score:2)
Even better: Log the user who does each SIM swap and let everybody know about the new policy.
Problem solved overnight.
$100 (Score:2)
$100 doesn't seem a lot of compensation in exchange for performing a federal crime.
Re:$100 (Score:5, Funny)
Re: (Score:2, Funny)
I know! Who wouldn't do this for $1,000.00! That's like $600.00 profit! Just think what you could spend $750.00 on. I imagine a number of people might find $2,500.00 tempting...
Seriously though. I don't think the $50.00 is worth it.
Re: (Score:2)
$100 doesn't seem a lot of compensation
I assume they'll do more than one.
Re: (Score:2)
Re: (Score:3)
Not if you're passing on 20 names a week. An extra $100K per year (tax free) would be very tempting to some.
On top of that, the criminal justice system doesn't work in an additive way for white collar crime. If caught, your jail time for selling the details of 1000 people won't be significantly greater that selling the details of 10 people, particularly if you plea bargain. Sure, the court will give you a bigger restitutio
disposable employees (Score:2)
Treating employees as disposable commodity does not inspire loyalty in the employer.
and the consequences? (Score:1)
Re:and the consequences? (Score:5, Interesting)
Just my 2 cents
Re: (Score:3)
They may only know who if their software tracks the user id doing a SIM card swap but then the criminal employee could be using the log in for another employee. Or if it is a Database admin doing it directly with a query there may not be a record.
Each of these risks are trivial for a company as large as a major telecom to mitigate. Tracking the logged in user of every significant system update is obvious. Tracking the actual user id performing a task even when impersonating another user is also obvious. Logging of all database transactions in a location your database admins do not have edit rights to isn't a novel concept either.
I understand nearly all companies do not take this level of effort in their security, but large financial institutions, te
Re: (Score:2)
So then the question is, if the policies, procedures, audits and oversight are in place. How can this be something which can be part of the social engineering, bribery tool box they use multiple times against large entities? Or maybe this
It's not just cellphone carrier employees (Score:5, Interesting)
It's not just cellphone carrier companies - it's also the employees of banks, credit bureaus, doctors' offices, hospitals, HR departments, state and federal government tax departments, and just about any other organization that would have your personal information.
My Mom was targeted by an identity theft ring last year. The only point of contact between her and the bank / credit card agencies was her home phone number. The gang sent someone with a fake driver's license to a Verizon store a hundred miles away, and that person transferred my Mom's phone number to a cell phone. Once they had control of the phone number, half a dozen crooks with fake ID hit various stores to purchase big-ticket items. Any calls for verification went straight to the cell phone. The gang even got into her personal Chase bank account. The only thing that stopped them was the credit freeze that my wife and I had persuaded her to activate the year before, otherwise she'd still be cleaning up the mess with her finances.
But what amazed us was how much they knew about her. They had all the information on her credit card and bank accounts. They were able to create a fake driver's license. So where did it all come from? Our guess is that someone at a credit bureau was earning extra money on the side by passing on dossiers of elderly people with excellent credit ratings.
It doesn't matter what security measures you put in place. The weakest link will always be the person who can be bought by a crook.
How about reasonable controls? (Score:2)
As in require the employee to type some facts into the computer that only the customer knows
in order to authorize a SIM Swap.
Starting with a "Support PIN" when the CSR opens up an account it should display a message that says something like
"A PIN is required to access some support functions for this customer"
In a normal call, the employee asks the customer to provide the PIN, and the employee types the PIN and gets a Yes/No "Support Functions Unlocked" OR "Access Denied"
Next, have a secondary id
Re: (Score:2)
So you want the telcos to set up some process where, when purchasing a new phone (for instance), a customer must now provide a previously set up PIN? And then wait several hours? Good one!
While you MAY be able to do something like that if the new and old phones are on the same carrier (if you don't mind pissing off your customers), it would be illegal to do it across carriers. If requested to 'port' a number by another carrier, the carrier MAY NOT refuse the request, MAY NOT contact the customer, and MUS
Normal security (Score:2)
when purchasing a new phone (for instance),
Sorry, what has *buying a phone* to do with swapping SIM?
you just take out the SIM from the old phone, fumble a bit with the size adapter (because the new phone uses yet a different format, but hey! It's 0.2mm thinner (tm) !)
and put it into the new phone.
At worse, you've lost all your precut adapters that came with your SIM originally (because you're moving from nano-Shit to some of the saner size).
The phone shop where you bought your new phone will happily sell you a new overpriced set of adapter (made fro
Re: (Score:2)
That ensures every normal person on the telco system is a citizen/approved for that nation.
Then to background investigations on all staff.
LOL (Score:5, Interesting)
I work for a major Nordic telco. The controls are so strict youâ(TM)d need to be a total moron to agree to this unless you were offered enough money to leave the country while being set for life.