In recent weeks, the wireless carriers have come under intense fire after failing to implement measures to protect their users from the growing practice of SIM hijacking. This practice involves posing as a wireless customer. Then, the criminal fools a wireless carrier to port the targeted victim’s cell phone number right away from them.
After porting the number, the attacker can then pose as the customer which in most cases results in devastating effects. Back in February 2019, one man sued T-Mobile for failing to protect his account. He sued the company after a hacker who pretended to be him ported out his phone number and successfully managed to use his identity to steal thousands of dollars worth of crypto tokens.
The FCC has for now refused to say much resulting in modest condemnation of carrier companies that have failed to protect their users. Even in the ongoing wireless industry’s location data scandals, it has remained relatively quiet. However, with Twitter CEO Jack Dorsey having his Twitter account recently hijacked due to SIM hijacking, the government now seems to have finally realized that there is a bit of a problem.
The FBI Warning
For instance, the FBI issued a warning in September to its private industry partners. In that warning letter, it noted that two-factor authentication can be bypassed as a result of the hacks. The FBI acknowledged the presence of cybercriminals circumventing multi-factor authentication using common social engineering and technical attacks.
According to the FBI’s Private Industry Notification (PIN) of September 17:
“The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.”
On their part, carriers do not want to say a lot about this problem publicly. They remain silent partly because it is some of their employees who are helping to facilitate these scams. These employees are engaging in these criminal activities for a little money on the side.
How it happens
The identity thieves use SIM hijacking to do almost everything starting from stealing valuable Instagram usernames and other important data and selling them for Bitcoin to clearing out bank accounts. That process is not quite complicated and in most cases, it involves the social engineering of a cellular carrier’s support employees.
Before the Dorsey hack, most carriers and government watchdogs considered SIM hijacking to be a small problem. They refrained from acting stating that it is very unique. However, they are now aware that it is a growing challenge.
However, users can take steps to help them shield themselves from these criminals. Carriers advise that users should also change their passwords frequently to minimize the chances of these hijackings. T-Mobile users can call 611 from your cellphone (or 1-800-937-8997). Once they make the call, they can tell a support staffer that they want to create a ‘port validation’ passcode.
The wireless carriers might want to spend minimal time on mindless mergers and consolidation. They may also not be interested in killing net neutrality and jacking up prices. On the other hand, they should spend more time training their employees and protecting users from security threats.