SIM Swapping is a powerful form of fraud in which criminals convince the phone company to switch your phone number to a SIM they control; once they have your phone number, they can bypass the SMS-based two-factor authentication protecting your cryptocurrency wallets, social media accounts, and other valuable systems.
A lot of SIM Swap attacks are pure social engineering: a fraudster just telephones the phone company and fast-talks a low-waged, low-level call-center employee into thinking that it’s you on the phone, and that you’re switching carriers and need to have your number ported over.
But there’s a lot of money in SIM Swapping, and so it’s cost-effective for crooks to just bribe phone company employees into helping with the scam (the scammers call these insiders “plugs”).
Telco employees who reveal their employer on social media are increasingly targeted by criminals who offer them thousands of dollars to act as a reliable helper for SIM Swap scams. The internal controls and auditing on SIM swapping are incredibly loose, meaning that “plugs” can get away with it for a long time.
A few telco employees who’d been solicited by criminals talked to Motherboard about their experiences (they all turned down the fraudsters). It’s not known how many telco employees accepted these offers and are possibly helping to steal your phone number at this very second.
As I explained earlier, this is security economics 101: the phone companies assume that low-level employees who steal phone numbers only stand to gain the ability to make an anonymous call or two, or save on long-distance. But thanks to SMS-based authentication, these low-level insiders are now all that stands between you and thousands of dollars in losses.
An employee who works for AT&T told me that if a criminal finds a corrupt insider, “there aren’t enough safeguards to stop that employee,” in his opinion. The employee himself said he has not been approached, and has no direct experience with SIM swapping fraud, but said the system is designed so that some employees have the ability to override security features such as the phone passcode that AT&T (and other companies) now require when porting numbers.
“From there the passcode can be changed,” the employee said in an online chat, referring to a customer information portal that they showed Motherboard. “With a fresh passcode the number can be ported out with no hang-ups.”
Dixon entertained the criminal’s proposal, given that it sounded like an easy job.
“Any T-Mobile rep can go into the account and just change the SIMs. That’s part of what T-Mobile gives us access to,” Dixon told me in a phone call.
How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards [Lorenzo Franceschi-Bicchierai/Motherboard]