T-Mobile USA is sending out SMS alerts to its entire postpaid customer base, warning of a SIM hijacking and port-out campaign in which bad actors are impersonating legitimate T-Mobile users. The goal is either to obtain new SIM cards from the carrier in the victims’ names, or to port their number (and with it access to their phone profiles) to another operator.
“We want to alert you that our industry is experiencing a phone number port-out scam that could impact you, and to encourage you to add our port validation feature, if you haven’t done so already,” T-Mobile said on its FAQ page about the problem.
Getting a SIM card linked to the user’s account would give the scammers access to that person’s phone number and broader communications, which they could use for a variety of activities, none of them good news for the victim. The attackers could simply make free calls or stream movies without concerns for prepaid limits or data caps, with the charges going to the subscriber; or they could exploit the access to carry out other activities, like setting up massive text-spam campaigns from the victim’s phone. They could also use the victim’s address book and contact list to mount spear-phishing campaigns or to distribute malware—the contacts would think the messages came from the legitimate user and would therefore be more trusting.
There are also deeper problems having to do with mobile banking, cryptocurrency wallets or other apps with sensitive information—the scam allows attackers to get around two-factor authentication and gain access to these accounts. This has both personal and business ramifications.
“Once the attacker gets the phone number, they can exploit weaknesses in two-factor authentication by requesting reset links via text,” said David Pearson, principal threat researcher of Awake Security, via email. “Many consumers are already reporting that attackers have used this to target their bank accounts or other sensitive financial information. What’s overlooked so far is the potential impact of such carrier-focused scams on enterprises. Once inside, the attacker would potentially look like normal, approved traffic or usage of the application, because they’re using an authenticated account.”
The phone number port-out scam/SIM hijacking problem has been around for a while and, as the carrier points out, has affected other operators as well. However, attackers have increased the volume of attacks recently, which is what prompted T-Mo to issue the alerts. To mitigate the problem, users can add a port-validation PIN to their account, which is meant to block impersonation attempts that cannot supply the PIN.
At least in theory. The carrier is under fire in a lawsuit filed by Carlos Tapang, which alleges that T-Mobile allowed strangers to port his phone number to AT&T and then steal his Bitcoin (worth around $14,000 at the time), an incident that occurred back in November. Tapang alleges that he had a validation PIN on his account, which should have been required for any port-out request.
“Tapang immediately telephoned T-Mobile,” the suit claims. “After several unsuccessful attempts to reach an operator, he was shocked to learn one of T-Mobile’s call centers had cancelled his phone number without his permission and transferred his number to AT&T.”
FierceWireless reached out to T-Mobile for comment, but the company had no response at press time.