Researchers at Krebs on Security have shed new light on the nature of SIM-swap hacks, which have recently allowed thieves to steal millions in cryptocurrencies.
Previously, it was thought that most SIM-swap attacks were being executed by hackers calling up mobile phone companies and impersonating their victims.
Prior to an attack, hackers would use “social engineering” and other means to gather enough personal information about a target to convince telecom employees to deactivate the target’s phone.
The hackers would then have the victim’s number and account details activated on a “burner” phone under their own control.
The reactivated phone could then be used to access and steal cryptocurrencies from digital wallets connected to the Internet.
Now, police from the Santa Clara-based REACT Task Force, a California law enforcement unit dedicated to fighting cybercrime, say that many of the SIM-swap scams it sees are inside jobs aided by telecom employees.
According to Detective Caleb Tuttle and Krebs:
“‘Most of these SIM swaps are being done over the phone, and the notes we’re seeing about the change in the [victim’s] account usually are left either by [a complicit] employee trying to cover their tracks, or because the employee who typed in that note actually believed what they were typing,’…(after being) tricked by a complicit co-worker at another store who falsely claimed that a customer there had already presented ID.”
According to Krebs, Christian Ferri, president and CEO of San Francisco-based cryptocurrency firm BlockStar, was robbed of $100,000 in a SIM-swap hack in June of this year.
Ferri says that detectives on his case eventually determined that a T-Mobile employee “had built a special software tool that they could use to connect to T-Mobile’s customer database, and that they could use this software from their home or couch to log in and see all the customer information there.”
“The investigator didn’t explain exactly how it worked, but it was basically a backdoor entrance that they were reselling on the Dark Web, and it bypassed whatever security there was and let them go straight into the customer database.”
The REACT officers would not elaborate on the backdoor software described by Ferri. T-Mobile, too, reportedly declined to comment on the allegations.
According to Krebs, REACT Lieutenant John Rose described SIM-security weaknesses at telecoms as “a really serious problem”:
“Having one employee who can conduct these SIM swaps without any kind of oversight seems to be the real problem…And it seems like [the carriers] could really put a stop to it if there were more checks and balances to prevent that. It’s still very, very easy to SIM swap, and something has to be done because it’s just too simple. Someone needs to light a fire under some folks to get these protections put in place.”
Thousands of legitimate SIM-card replacements occur every month, making it easy for a fraudulent swap to get lost in the haystack.
Dual authorization, however, in which more than one employee’s consent is needed to switch a SIM, is an effective first step in preventing such attacks. Requiring all SIM exchanges to occur in person would also help, as few hackers are willing to physically present themselves in order to execute a crime.
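The controls described above can be turned into a review check over a carrier’s SIM-change audit trail. The following is an added example, not code from Krebs or the REACT Task Force; the audit records and field names are constructed for illustration. It flags swaps approved by a single employee, swaps not done in person, and swaps whose ID check is attributed to a different store (the pattern Detective Tuttle describes), then counts which employees recur across flagged swaps.

```python
from collections import Counter

# Constructed SIM-swap audit records for illustration only; the field names are
# assumptions, not a real carrier's schema.
SAMPLE_SWAPS = [
    {"id": 1, "channel": "in_person", "store": "S101",
     "id_verified_at": "S101", "approvers": ["emp_a", "emp_b"]},
    {"id": 2, "channel": "phone", "store": "S101",
     "id_verified_at": "S101", "approvers": ["emp_a"]},
    {"id": 3, "channel": "in_person", "store": "S101",
     "id_verified_at": "S203", "approvers": ["emp_a", "emp_c"]},
    {"id": 4, "channel": "phone", "store": "S101",
     "id_verified_at": "", "approvers": ["emp_a", "emp_a"]},
]

def review_swap(rec, require_in_person=True, min_approvers=2):
    """Return the policy violations for one SIM-swap record (empty list = clean)."""
    reasons = []
    # Two-person rule: count distinct employees, so one person approving twice
    # still counts as a single authorization.
    if len(set(rec["approvers"])) < min_approvers:
        reasons.append("single-employee authorization")
    if require_in_person and rec["channel"] != "in_person":
        reasons.append("not performed in person")
    # ID must be checked at the store executing the swap; an ID check
    # "already done" at another store is the pattern the task force describes.
    if not rec["id_verified_at"]:
        reasons.append("no ID verification recorded")
    elif rec["id_verified_at"] != rec["store"]:
        reasons.append("ID verification attributed to another store")
    return reasons

def flag_swaps(records, **policy):
    """Map record id -> violations for every record that breaks the policy."""
    flagged = {}
    for rec in records:
        reasons = review_swap(rec, **policy)
        if reasons:
            flagged[rec["id"]] = reasons
    return flagged

def recurring_approvers(records, flagged):
    """Count each employee's appearances on flagged swaps (a lead for insider review)."""
    counts = Counter()
    for rec in records:
        if rec["id"] in flagged:
            counts.update(set(rec["approvers"]))
    return counts
```

Calling `flag_swaps(SAMPLE_SWAPS)` on the constructed records flags swaps 2, 3 and 4, and `recurring_approvers` shows the same employee on all three.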
Sergeant Samy Tarazi told Krebs:
“Without knowing the ins and outs of how these companies work, it’s very easy for us to say they should have two people authorizing each SIM swap. But I agree anything that makes [the criminal SIM swappers] have to show up in person to do this would ideally be the best scenario.”