avidiax · 2 years ago
Couldn't T-Mobile send their own SMSes to their employees pretending to increase the payout to $600, then fire any employee that replies?

Or maybe change the terms of use for the employee line discount to allow monitoring SMS content or metadata for security threats to the company's users?

actionfromafar · 2 years ago
T-mobile could do many things (not sure it’s legal to pretend you want to pay for simswaps, but that’s beside the point), but first we need to establish why they would care.

I haven’t seen much evidence in the past they would.

masspro · 2 years ago
They don't care. Source: got swapped on TMo, front-line CSR fixed it but no one else at the business cared; would not even refund my final bill. Solution: move to Google Fi. It has a word-of-mouth reputation for being resistant to this, which I believe if nothing else because Google has almost no human support to bribe/phish.
caymanjim · 2 years ago
I'm pretty sure T-mobile could legally do that to their own employees. Corporate security teams are always sending fake phishing email to test their employees' gullibility and send them off to Re-education Camp.
thayne · 2 years ago
> not sure it’s legal to pretend you want to pay for simswaps

I don't see a big difference between this, and sending fake phishing emails to employees to see if they bite, which is a fairly common practice.

In this case though, it doesn't necessarily have to be T-mobile that does it. It could be local law enforcement, and they could potentially trade immunity for information on real bribers.

fortran77 · 2 years ago
They can

1. require two employees PLUS an agent on the phone to do it.

2. call the desired number and speak to whoever answers and ask if they're aware the number will be ported

3. have a 24-hour period to try to reach someone at that number before the swap occurs.

4. Offer a very large bounty ($10,000 or more) for providing evidence that a co-worker is taking bribes

viewtransform · 2 years ago
Buried at the bottom of the article is a link to

T-Mobile’s New SIM Protection https://tmo.report/2022/12/t-mobiles-new-sim-protection-is-n...

datavirtue · 2 years ago
I believe there are telecommunications regulations involved that prevent them from erecting barriers during the SIM swap process. This might be one of the main reasons it's such a juicy vector.
LASR · 2 years ago
You could solve this by simply sending out a memo not to respond to such offers or risk termination.
tw04 · 2 years ago
It shouldn’t just be termination, it should be jail time. It’s no better than selling a gun to a person you know intends to use it to commit a crime.
lrvick · 2 years ago
Or, crazy idea, we do not give minimum wage paid retail sales reps the ability to control access to the online accounts of hundreds of millions of people.
jjice · 2 years ago
Is it? It'd be a good way to catch people doing something that's seriously damaging to others for personal gain.

I don't think I have much sympathy if you lose your job for doing something this damaging and probably illegal.

gabeio · 2 years ago
How is knowingly doing sim swapping not already a dick move?

Honestly what the OP suggested is simply a sting operation.

Your reaction to it is ... more scary.

WolfeReader · 2 years ago
A telling reply.

SIM swapping? No comment. Trying to catch SIM swappers? Suddenly you have feelings about it!

jxramos · 2 years ago
An audit log tied to the one who authorizes the swap, along with guaranteed criminal penalties, would be a stronger disincentive I believe.
maximinus_thrax · 2 years ago
Red teams do this sort of thing all the time. How about you don't accept bribes? Arguably that's a bigger dick move.
ClassyJacket · 2 years ago
Wow, genius, just tell people not to break laws, why didn't they think of that...
FeistySkink · 2 years ago
Or pay people enough so they don't get tempted to begin with.
renewiltord · 2 years ago
Lol Martha Stewart has $400m and she got done for $230k worth of insider trading.

And Matt Levine every now and then talks about a guy making a few million a year insider trading a few thousand and settling.

ApolloFortyNine · 2 years ago
Billionaires have literally committed financial crimes for more money. Pay has very little to do with it.
paxys · 2 years ago
What is the dollar value of getting access to a phone number belonging to a celebrity or a billionaire? I don't know the exact amount, but it is 100% more than what T-Mobile can feasibly pay all of its employees. Do you think security guards protecting the federal reserve's gold vault get paid more than the value of the gold in that vault?
snowwrestler · 2 years ago
“Inside job” SIM swap attacks are not necessarily new; a close friend’s T-Mobile phone got hit this way in March 2020.

The news here is the intersection of a data breach with SIM swapping: criminals are using the employee phone numbers from a recent T-Mobile breach data dump to text tons of employees at once, offering $300 per swap.

Previously, criminals would develop the inside agent either through personal connections or by applying and getting hired themselves. With the breached data, they can automate and scale.

Terr_ · 2 years ago
As others have suggested, the trick is to put out fake honeypot offers, to strike at the weak point of the scheme, which is that the lack of trust and anonymity run both ways.

In other words, the "old way" isn't just about cultivating an insider agent, but also about establishing that the insider can trust the requestor.

paulpauper · 2 years ago
This has been going on regarding crypto since early 2018 afaik.
stefandesu · 2 years ago
I wonder why people risk their jobs for $300.
Our_Benefactors · 2 years ago
1. Cell phone retail is a McJob not a career

2. They don’t think they’ll be caught so it’s more like free money. Getting caught doesn’t factor into the decision.

m463 · 2 years ago
exit strategy?
tekknik · 2 years ago
> a close friend’s T-Mobile phone got hit this way in March 2020

I was hit back in the late 2000’s, maybe 2008 iirc.

noodlesUK · 2 years ago
What's the solution here? Can we practically expect employees at retail stores to not be permitted to change a person's phone over? What if the person who needs the swap has said their phone is lost/stolen?

I think ideally there would be some kind of verification that the customer was indeed present and that their ID had been verified, but I don't see how you can do that in the US as there aren't ID cards or similar forms of universally available ID. I also think you should be able to get a phone number without ID at all, which would preclude verification in those cases.

The issue is that people's phones are essentially the roots of trust for our digital lives. Passkeys being built into the OS are good because they push that problem away from carriers, but the fundamental issue still remains. Bootstrapping trust is hard.

lxgr · 2 years ago
> What's the solution here?

Not putting phone providers in charge of access to our digital lives.

> that the customer was indeed present and that their ID had been verified

Present where? My MVNO does not have any branches. And even if they did, why should I ever have to go there? I don't go to bank branches either if I can at all help it.

fragmede · 2 years ago
> either if I can at all help it.

Sometimes you can't help it, you need a phone today, and need to go into a store for your phone company. No, buying a phone from Walmart or Best Buy and waiting for a sim or doing some eSim thing won't work, you just need to get into a branch today. If an MVNO with no branches works for you, great, but some people need to be able to go into a branch of their cell phone provider/bank/utility.

dragonwriter · 2 years ago
> I think ideally there would be some kind of verification that the customer was indeed present and that their ID had been verified, but I don’t see how you can do that in the US as there aren’t ID cards or similar forms of universally available ID.

Requiring government issued photo ID for identity verification is not at all an uncommon policy for various purposes in the US, and AFAIK all states have universally available ID cards (they are generally not free of charge, but they are universally available.)

mjevans · 2 years ago
ID REALLY should be paid for by taxes and 'free' for everyone obtaining their proof of identity. Now, a 'drivers' license might have an extra fee on top of that.

Maybe the free IDs could be issued by police departments? Either way this is a good time for someone to register as a voter too, WA state has a simple checkbox for that and other states can too.

nicbou · 2 years ago
I help people move to Germany. Requirements like this make it really hard for people to settle in a new place. On the other hand you can’t expect a teenager working minimum wage to identify a Thai passport.

There exist services for ID verification, usually by video call. They exhibit the same limitations though.

andix · 2 years ago
Easy solution: Don't use SMS for password recovery.

SMS might even be okay for 2FA, but it must always be the second factor. "Forgot my password" -> SMS code -> new password is just 1FA. Using SMS as the only factor is really, really bad.

amagine · 2 years ago
The choice of 2fa options isn't under user control. And various non carrier options (Google voice) are rejected.
ec109685 · 2 years ago
Having a pin on your account before a swap (or before any other action is allowed) seems like a useful barrier to entry.

Then a corrupt employee needs something they won’t have to execute the swap.

_dark_matter_ · 2 years ago
There is no way that most people would remember the pin, so employees would need some way to bypass. And voila, back to where we started.
londons_explore · 2 years ago
A simple time delay can solve 99% of cases.

Simply require that a SIM can only be swapped if it is disconnected from the mobile network for 48 hours. And if it isn't disconnected, the original SIM will be called/texted to ask if they really want the SIM swap to happen.

JumpCrisscross · 2 years ago
> require that a SIM can only be swapped if it is disconnected from the mobile network for 48 hours

If someone has both devices in hand, there isn't even need for a delay. The only time you need a delay is when the original device is missing. In that case, sending a message to that SIM and having a mandatory delay (ideally, customisable by the customer) seems reasonable.

aareet · 2 years ago
That's precisely what happens with SIMs in India. When a SIM swap happens, text messages are blocked for 24 hours to allow a customer to alert the operator before one-time codes resume sending to the new SIM.
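
The hold-and-notify rules proposed above (londons_explore's 48-hour offline test, JumpCrisscross's customer-adjustable delay with a message to the original SIM, and the 24-hour SMS block aareet describes for India) combined into one carrier-side policy, written as an added example that is not from the page or any carrier; the time values and the Line record are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Policy knobs. Constructed values that mirror the proposals in the thread
# (48 h offline grace, 24 h hold with a notice, 24 h SMS quarantine);
# they are not any carrier's real settings.
OFFLINE_GRACE = timedelta(hours=48)   # old SIM silent this long: no delay needed
HOLD_PERIOD = timedelta(hours=24)     # otherwise notify the old SIM and hold
SMS_QUARANTINE = timedelta(hours=24)  # after a swap, block inbound SMS to the new SIM


@dataclass
class Line:
    msisdn: str
    last_seen: datetime                        # last network attach of the current SIM
    hold_override: Optional[timedelta] = None  # customer-chosen longer hold
    swap_requested_at: Optional[datetime] = None
    swapped_at: Optional[datetime] = None
    notices: List[str] = field(default_factory=list)


def request_swap(line: Line, now: datetime) -> str:
    """Returns 'swapped' if the swap can go through at once, else 'held'."""
    if now - line.last_seen >= OFFLINE_GRACE:
        # The original device has been off the network long enough to
        # treat it as lost; there is nobody on the old SIM to warn.
        line.swapped_at = now
        return "swapped"
    # The original SIM is still live: warn it and start the hold timer.
    line.swap_requested_at = now
    line.notices.append(
        f"{now.isoformat()} SIM change requested for {line.msisdn}; "
        "reply STOP to cancel")
    return "held"


def cancel_swap(line: Line) -> bool:
    """The legitimate owner replies from the original SIM during the hold."""
    if line.swap_requested_at is not None and line.swapped_at is None:
        line.swap_requested_at = None
        return True
    return False


def try_complete_swap(line: Line, now: datetime) -> bool:
    """Finish a held swap once the (possibly customer-extended) hold has elapsed."""
    if line.swap_requested_at is None:
        return False
    hold = line.hold_override or HOLD_PERIOD
    if now - line.swap_requested_at < hold:
        return False
    line.swapped_at = now
    line.swap_requested_at = None
    return True


def sms_allowed(line: Line, now: datetime) -> bool:
    """Inbound SMS (one-time codes included) stays blocked for a while after a swap."""
    if line.swapped_at is None:
        return True
    return now - line.swapped_at >= SMS_QUARANTINE
```
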
datavirtue · 2 years ago
That's a barrier to switching carriers.
hiatus · 2 years ago
> I also think you should be able to get a phone number without ID at all, which would preclude verification in those cases.

While I agree with you, this is already not the case in much of Europe where an ID is required to obtain a sim card.

grujicd · 2 years ago
Whenever I go to a mobile provider in Serbia to do anything related to my account I have to provide government ID. They even put it in a card reader to get the relevant data. While SIM swap is certainly a theoretical risk, it's not a practical one around here. Having authentication on a phone or another physical device (without backup) seems to be at least two orders of magnitude higher risk of losing access to everything. Relying on Google or another third party for authentication is not without its risks too.

I just hope SMS authentication won't go away completely for other parts of the world where the risk balance is different than in the USA. Until things change, I trust my local bureaucracy to work their bureaucratic ways and always check ID where needed more than I would trust myself not to lose some auth device.

Salgat · 2 years ago
I use Google Voice for this reason, so that you need to authenticate with my Google account to modify anything related to my phone number. It's not perfect since there is still an internal forwarding number they could SIM swap on, but it would require them associating the two numbers first, and I don't use my T-Mobile number for anything outside being the forwarding number for Google Voice.
hx833001 · 2 years ago
You can switch Voice to use IP only through the app/web
brightball · 2 years ago
> but I don't see how you can do that in the US as there aren't ID cards or similar forms of universally available ID.

How so? Aren’t there multiple options available?

patch_cable · 2 years ago
There are many available but people are not required to have one (unless driving, etc.)
jupp0r · 2 years ago
> What's the solution here?

webauthn

lxgr · 2 years ago
WebAuthN is an excellent alternative to passwords, but a relatively poor access recovery mechanism, given that it just kicks the can down the road to another provider at best (usually Apple or Google), and to a single physical object that's easy to lose at worst.

I use it myself, but I do also understand companies and people that don't want to make it their only way back into their account as it is.

mantra2 · 2 years ago
Sure wish more places would allow you to turn off SMS if you’re using something like a Yubi.
throw10920 · 2 years ago
> I don't see how you can do that in the US as there aren't ID cards or similar forms of universally available ID

You're speaking out of a position of extreme ignorance. There are ID cards - drivers' licenses and passports - that are near-universally available, and are regularly used as identification.

jasonjayr · 2 years ago
... away from carriers and into the hands of Google/Apple/Microsoft, who can kill your account for any and no reason at all.

Except for that one giant issue, passkeys are gonna be great.

CharlesW · 2 years ago
> Except for that one giant issue, passkeys are gonna be great.

Unlike passwords, you can have multiple passkeys associated with an account. Accessing from an iPhone? Use your Apple passkey. From Android? Use your Google passkey. Want cross-platform? Use your 1Password passkey. Etc.

patmorgan23 · 2 years ago
There are several 'boutique' email providers (fast mail, proton, etc) that you can use instead of the big 3. You can even host your own MX server but use a relay service so you don't have to deal with IP reputation issues.
Suppafly · 2 years ago
I have Google Fi and I'm always a little low-key worried that they'll block my account, which will kill my phone/docs/drive/email all at once.

It also kinda sucks having Google as your email and your phone when they want to use email to verify your account settings and you can't get into your account. This happened to my wife, and they essentially have no support on the Fi side and the Gmail side support isn't super helpful. She was eventually able to recover her Gmail account and fix her Fi activation but it was a huge pain and took a couple of days.

ipqk · 2 years ago
Multi person approval, especially two that don’t work together.
TheNewsIsHere · 2 years ago
You're not wrong, but trust is an issue here as well.

If someone convinces both Person A and Person B of their legitimacy, even if they're not legitimate, this doesn't solve anything.

If Person A and Person B trust one another personally, then _idealistically_ you're vulnerable to collusion (intentional) or abuse (unintentional).

If Person B trusts Person A because of some policy or technical attestation, that means the policy or technical criteria needs to be robust against abuse.

If you're in-person at, say, a T-Mobile store, then it's not likely that Person A and Person B don't work together, but even if they don't, the first issue still applies.

I've watched T-Mobile store employees just pass an iPad to a manager and say "can you type in your code?" Depending on the employee or what process was requiring approval, the manager might or might not have asked "what are you doing?" "Can you justify this?" etc.

speedylight · 2 years ago
There should be a security code that’s only known to the owner, can’t swap it if you don’t have the code. Seems like a pretty simple and effective solution imo.
WillPostForFood · 2 years ago
This already is in place at T-Mobile, but it seems it can be overridden.
paulpauper · 2 years ago
Crypto makes this scam much more lucrative; otherwise paying off an employee is not worth the effort usually.
lxgr · 2 years ago
Can you really not imagine any scenario other than crypto where compromising an employee's account could have financial consequences? Thinking about that somewhat large industry other than crypto dealing with people's money...
TimJRobinson · 2 years ago
I work in crypto and see SIM swaps happen all the time, mostly for Twitter account takeovers of famous people where they then post phishing links and steal their followers' coins. T-Mobile is easily the biggest offender for this, most people reporting they use it, so this has been going on for a long time.

The other big problem with Twitter security is you can have your account taken over even if you use non-sms 2FA! If you have your phone number on your account it can be used for recovery completely bypassing 2FA. They've had this security flaw for years and still haven't fixed it.

lxgr · 2 years ago
Almost everybody supporting 2FA has this security flaw today.

The number of sites that actually let me never provide a phone number, or at least not have it be a recovery method, is tiny.

Even things like a simple time lock (e.g. SMS-OTP "2"FA recovery only being possible after 24 hours, combined with sending a blast of "careful, your account is about to be recovered by somebody that might not be you" and a way to stop that for the legitimate accountholder) would go a long way.

sgerenser · 2 years ago
A lot of sites have this security flaw, turning SMS 2FA into 1FA: all you need is the phone number. Although allowing it even if you use non-sms 2FA is even worse, 100% defeating the purposes of using an alternate form of 2FA.
tekknik · 2 years ago
Not even just SMS, some sites are doing the same with email.
eBombzor · 2 years ago
It's actually unbelievable how often SMS OTP is used, when it's public knowledge that it just replaces one attack vector with a worse attack vector... Cracking a password or breaking into an encrypted database is 10x harder than getting a sim swap.
loloquwowndueo · 2 years ago
Cracking a good password - which a large percentage of people don’t have or will readily input in any phishing web form without a second thought.

Time-constrained 2FA codes can be broken with sim swaps or targeted phishing which are less widespread than a wide-net spam-based phishing campaign.

Now don’t get me wrong I hate SMS 2FA with a passion but still :)

zamalek · 2 years ago
My bank recently added the feature of removing SMS as a 2FA option - requiring TOTP. Now if they'd only add webauthn, but TOTP is pretty secure against phishing with a browser-integrated password manager (no autofill results in suspicion).
eco · 2 years ago
My bank finally added 2FA today actually. It is, of course, SMS or Email only because banks have the worst online security for reasons I'll never understand.
s1dev · 2 years ago
What bank is this and are they available nationwide?
kredd · 2 years ago
It’s easy, it’s free for the customer, and with features like iPhone’s “code autofill”, it’s the easiest UX. SIM swapping happens to such a small number of people that it’s not worth the effort for anyone involved. I hate it myself, but such is the reality.
lxgr · 2 years ago
But once you manage it, you've got a lot of compromised accounts at the same time.

Everything based on username + password alone today should be replaced by passkeys. The problems they don't solve are 2FA and account recovery.

gruez · 2 years ago
It's not really "replacing" though. Prior to SMS OTP it would just be the password. Having password + SMS OTP is strictly better, regardless of how shitty SMS OTP might be.
guffins · 2 years ago
Many sites do allow logging in with just an SMS OTP, no password required (even if you’ve set a password for the account). If it absolutely must be used (it shouldn’t), then SMS OTP should be a second factor, not the only factor.
lr1970 · 2 years ago
> Having password + SMS OTP is strictly better, regardless of how shitty SMS OTP might be.

Unfortunately one can claim to "forgot my password" and use SMS OTP to reset it. Now it becomes a single factor authentication with a compromised phone.

Password + SMS OTP is strictly worse than a password. At least you cannot SIM swap your password.
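
The counting argument in this sub-thread (a "forgot my password" flow that only needs the phone number collapses password + SMS OTP to one factor, and the phone-number recovery path TimJRobinson describes bypasses TOTP) can be made mechanical. This is an added example, not code from the page or from any of the sites discussed: an authentication design is written down as "which asset sets yield which other asset", and a search finds the smallest set of things an attacker must actually control. The four site configurations are constructed, and the last one goes a step beyond the thread by showing the transitive case where the email provider's own recovery is SMS-based.

```python
from itertools import combinations

# Roots are things an attacker must actually control (constructed set for this example).
ROOTS = {"phone", "password", "totp_device", "mailbox_credentials"}

# A site's design: for each asset, the alternative sets of assets that yield it.
# Recovery flows are paths to "account" too, since a successful reset leaves
# the attacker holding valid credentials.

# Pattern lr1970 describes: password + SMS code at login, "forgot my password" is SMS only.
SITE_A = {
    "account": [{"password", "phone"}, {"password_reset"}],
    "password_reset": [{"phone"}],
}
# Pattern TimJRobinson describes: TOTP at login, but phone-number recovery bypasses it.
SITE_B = {
    "account": [{"password", "totp_device"}, {"phone"}],
}
# Hardened recovery: needs the mailbox AND the phone; mailbox provider has no SMS recovery.
SITE_C = {
    "account": [{"password", "totp_device"}, {"email_access", "phone"}],
    "email_access": [{"mailbox_credentials"}],
}
# Same site, but the mailbox provider itself recovers via SMS: the phone covers both legs.
SITE_C_WEAK_EMAIL = {
    "account": [{"password", "totp_device"}, {"email_access", "phone"}],
    "email_access": [{"mailbox_credentials"}, {"phone"}],
}


def closure(holdings, grants):
    """Everything reachable from holdings: add an asset whenever one of its paths is held."""
    held = set(holdings)
    changed = True
    while changed:
        changed = False
        for asset, paths in grants.items():
            if asset not in held and any(p <= held for p in paths):
                held.add(asset)
                changed = True
    return held


def minimal_takeover_sets(grants, roots=ROOTS, target="account"):
    """Smallest root-asset sets from which the target is reachable, smallest first."""
    found = []
    for k in range(1, len(roots) + 1):
        for combo in combinations(sorted(roots), k):
            s = set(combo)
            if any(f <= s for f in found):
                continue  # a strictly smaller winning set is already known
            if target in closure(s, grants):
                found.append(s)
    return sorted(found, key=lambda s: (len(s), sorted(s)))


def weakest_link(grants, roots=ROOTS):
    """How many independent things an attacker must control; 1 means single-factor."""
    return min(len(s) for s in minimal_takeover_sets(grants, roots))
```
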

httpz · 2 years ago
So it looks like the FCC is implementing some new rules to protect against SIM swapping and that's taking effect on July 8, 2024. Though from the press release, I'm not quite sure if that'll protect the customer from a carrier employee being the bad actor.

https://www.fcc.gov/consumer-governmental-affairs/fcc-announ...

https://docs.fcc.gov/public/attachments/DOC-398483A1.pdf

gosub100 · 2 years ago
Not even joking: there is probably a market for starting a mobile provider company that actually requires a DNA sample to change. The DNA could be collected from multiple sources simultaneously (blood, saliva, and randomly chosen fingernails) and run through a hash so that the provider never stores the DNA string itself. Some level of innovation may be required here, I know DNA itself isn't exactly a UUID, but I'm certain it could be done. VIPs would pay for this service and you could offer limited insurance for hackage.

Edit to add: there was an episode of "Forensic Files" where a suspect injected someone else's blood sample (at great personal risk) to evade a DNA test for a sexual assault charge. So just acknowledging that DNA methods can be attacked too. Hence the necessity of multiple random samples.

DesiLurker · 2 years ago
Or an eyeball scan like that Sam Altman Worldcoin thing.
lukeschlather · 2 years ago
We really need better standards for MFA. Probably we should have a legal definition of MFA and SMS should be described as 2SA (Two-step authentication) on par with email or whatever. While MFA should be restricted to actual Yubikeys and other hardware certificate based things.

I'd also say people shouldn't be able to advertise MFA if they only support a single token per method.

hot_gril · 2 years ago
It's not reasonable to expect people to have Yubikeys. iPhone Keychain is about as good as it'll get realistically, and that somewhat relies on hardware security.
lukeschlather · 2 years ago
Actually I maybe misspoke and I might go further than that and say that services shouldn't be allowed to make any requirements about how hardware tokens work. This means if someone wants to use a software token that should be supported.

And also I think this is why the passkey standard is bad, it sets rigid hardware requirements and the manufacturers will use this to drive planned obsolescence. If Apple and Microsoft have their way we will throw away $1000+ phones and laptops because someone found an exploit in the TPM that requires physical access.

xyst · 2 years ago
"iPhone Keychain" - no thanks, I'll stick with a non-vendor specific provider.

I am trying to escape that awful ecosystem, not dig myself further in.