What could go wrong for the 71 million AT&T users whose data leaked (and how to take precautions)
Three years ago, an account with the ShinyHunters nickname posted what they claimed to be a pack of private data up for sale with a starting price of $200,000 (and incremental offers of $30,000). The hacker stated they would sell it immediately for a million dollars.
Now another nickname from the dark web, MajorNelson, has released the info pack for free, claiming it is the same data from 2021.
What’s in the leak and what’s at stake?
The leaked data is claimed to include detailed personal information from users, such as:
- Names
- Addresses
- Mobile phone numbers
- Dates of birth
- Social security numbers (and more).
Leaked or stolen birthdates and social security numbers (SSNs) are dangerous because these pieces of information are critical to verifying a person's identity. With access to someone's birthdate and SSN, malicious actors can commit identity theft. When that happens, threat actors can apply for credit, drain bank accounts, or obtain services in the victim's name, leading to financial loss, damaged credit ratings, and more.
So, the next time you’re in a bar, down a couple of beers, please don’t say “Hey, I was an AT&T client back in 2021” and, ten seconds later, “I have a whole Bitcoin, bro, how cool is that!?” to a bunch of complete strangers.
In fact, don’t tell anybody anything regarding your finances. Bob’s your uncle.
SIM swap, eSIM swap
Let’s not get paranoid, but the more technology we incorporate in our lives, the more options evildoers have to steal from us. Now, since we like having and using mobile networks, Internet access, electricity, and all the other goodies of modern life, we’ll have to sort things out and take precautions.
Every good defense strategy begins by understanding your enemy’s attack strategy. In other words, we’ll have to understand what’s going on in order to take measures.
By pretending to be you via identity theft, wrongdoers might carry out what’s known as a SIM swap.
On a side note: I wonder how many of those impersonations are aided by AI and its magical capabilities. Sigh…
So, what’s an eSIM fraud? In essence, it’s the same thing as SIM swap, only easier.
That’s because an eSIM (or embedded SIM) is a digital version of a traditional SIM card that allows you to activate a cellular plan without having to use a physical SIM card. It’s more convenient for bad actors, as they don’t have to take a walk to a carrier’s office. It’s all digital now.
The eSIM is built directly into your device, like a smartphone, smartwatch, or tablet. It’s a small chip that's already installed in your device and you don't need to insert or replace it. To activate it, you usually scan a QR code provided by your mobile carrier. This process links your device to your mobile account without the physical swapping of SIM cards.
“Since the fall of 2023, analysts from F.A.C.C.T.'s Fraud Protection have recorded more than a hundred attempts to access the personal accounts of clients in online services at just one financial organization”, says cybersecurity firm F.A.C.C.T.
SIM swap frauds are on the rise in 2024
Sadly, 2024 alone offers plenty of examples of the SIM/eSIM swap fraud phenomenon.
Just last week, a whole family of five got their Cricket Wireless account taken over and money was stolen from the family's financial apps.
Mike, his wife and their family from the Chicago suburbs were locked out of their Amazon, social media, investment, and cryptocurrency accounts. The hackers managed to make unauthorized changes to the phone's content, adding apps and altering contact information. Additionally, the family lost $1,200 in cryptocurrency and $2,000 in Apple Cash and Gift Cards, and narrowly prevented unauthorized bank transfers.
In February, a T-Mobile subscriber received an email from his carrier stating that a SIM change on his number had been completed. The problem is that he had never requested such an operation… He discovered that the eSIM on his iPhone was no longer active.
T-Mobile informed the user of the situation: a person had entered a T-Mobile store, not far from the victim's residence, impersonating them to obtain a new SIM card. It was used on the criminal's device. During a call with T-Mobile, the victim received fraud alerts from his bank, blocking attempts to buy luxury items from department stores.
The criminal had changed the security settings on the victim's banking app, nearly succeeding in purchasing items worth over $10,000.
To regain control, the victim had to personally visit a T-Mobile store, where an employee replaced the SIM without alerting the thief via text.
Often, such SIM swap frauds are enacted by carrier employees. For example, a former manager at a telecommunications company in New Jersey pleaded guilty to conspiracy charges for accepting money to perform unauthorized SIM swaps that enabled an accomplice to hack customer accounts. For carrying out the unauthorized number porting, the criminal received $1,000 in Bitcoin per SIM swap, plus an unspecified percentage of the profits earned from the illicit access to the victims' devices.
Now’s the time to vent and announce my complete and utter support for harsh penalties for such acts.
In January, Sharon Hussey lost $17,000 despite using two-factor authentication (2FA) due to a SIM swap scam. She was alerted to a fraudulent phone purchase and changes to her bank account's contact info, neither of which she initiated. Her inability to receive 2FA codes, after a thief swapped her SIM card to a new phone, led to her phone service being cut and the theft of $17,000 from her Bank of America account.
The scam involved the thief convincing a Verizon store to activate a new phone with Hussey's number, gaining control over her 2FA-protected accounts. The situation was exacerbated because Hussey's reliance on 2FA inadvertently gave the thief easier access to her accounts. After initially refusing, Bank of America eventually refunded the stolen $17,000, highlighting the dangers of SIM swaps, especially for users dependent on 2FA for security.
2FA (Two-Factor Authentication) limitations
Two-Factor Authentication (2FA) offers a significant boost in security by requiring a second form of identification, making unauthorized account access much more difficult even if a password is compromised.
However, 2FA is not without its drawbacks. Some users find the extra login step inconvenient and reliance on devices for authentication can be problematic if the device is lost or unavailable. SMS-based 2FA is susceptible to SIM swapping and interception, which can undermine its security benefits. The technical implementation of 2FA poses challenges for organizations, necessitating further infrastructure and user education.
Two-Factor Authentication (2FA) Pros:
- Enhanced security: By requiring a second form of identification, 2FA makes it significantly harder for unauthorized users to access your accounts, even if they know your password.
- Reduced fraud risk: 2FA can drastically reduce the likelihood of identity theft and fraud since attackers need more than just stolen login credentials to gain access.
- Flexible options: 2FA offers various methods for the second factor, including text messages, authenticator apps and hardware tokens, allowing users to choose what suits them best.
Two-Factor Authentication (2FA) Cons:
- Vulnerability: SMS-based 2FA can be vulnerable to SIM swapping attacks or interception, potentially allowing attackers to bypass this security measure.
- Inconvenience: Some users find 2FA methods, especially SMS or app notifications, inconvenient or time-consuming, as it adds an extra step to the login process.
- Dependence on devices: 2FA methods that use phones or tokens can be problematic if the device is lost, damaged, or not immediately accessible.
What the FCC says
In response to the growing threat of SIM swapping and port-out fraud, the Federal Communications Commission (FCC) has rolled out new measures starting July to enhance consumer protection. These changes require mobile service providers to verify identity thoroughly before a phone number can be moved to a new device or carrier. Additionally, the rules will make it possible for users to be immediately notified of any attempts to change their SIM card or port their number.
How to protect yourself from SIM swap scam
Protecting yourself from SIM swap fraud is a complex matter. It’s a form of art, if you like. It involves a combination of vigilance, awareness and taking proactive security measures:
- Control your social media posting: Don’t post every aspect of your life online. Just don’t. Be cautious about sharing personal information on social media. Scammers often gather personal details to convincingly impersonate victims.
- Use strong, unique passwords: You’ve heard this before, but… For all accounts, especially your email and mobile carrier account, use strong, unique passwords and change them regularly.
- Enable Multi-Factor Authentication (MFA): Use MFA options that do not rely on SMS, such as authenticator apps or hardware tokens, for an added layer of security.
- Secure your mobile account: Contact your mobile carrier to set up additional security measures, such as a unique PIN or password that must be provided to make changes to your account.
- Keep an eye on your accounts: This is typically neglected. Regularly check your bank and other sensitive accounts for unauthorized activity. Early detection of fraud can limit damage. Having said that, be cautious of where you check your accounts. You never know who’s looking.
- Don’t fall for phishing scams: Be cautious of unsolicited calls, emails, or messages attempting to extract personal information or urging you to perform security-related actions.
- Contact carrier immediately: If your phone suddenly loses service, or you can't make calls (or send texts), contact your carrier immediately to check for potential SIM swap fraud.
- Double check: You may receive texts from someone pretending to be your carrier's representative. That's why it's crucial to double check every incoming communication through another line of communication. If a carrier is messaging you about changes, don't do anything and call them (don't text!) to confirm whether it is true. If your phone is hijacked, incoming comms might be from the malicious actors.
There is no such thing as a 100% secure system (or phone). But, hey, let’s not make it easy for the scammers out there! Let’s take precautions.