Interesting Hack
Old 05-04-2019, 06:51 AM   #1
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 6,258
Interesting Hack

Yesterday, DW was unable to make any calls on her cell phone. A "No SIM card" error message was showing at the top of the screen. I, first, rebooted the phone... no joy. I, then, removed the card and put it back in and rebooted. Still no change. So I said this needs to be handled by AT&T. So we went to what we thought was the local AT&T store. (See below) Anyway, they were not qualified (or approved?) to resolve the issue. They sent us to a "Corporate" AT&T location.

What had happened was someone had added a new line to our account with a new iPhone -- switching the DW's SIM card to the new line. After an hour of an impressive amount of security checks to prove our identities, they agreed to remove this transaction.

When I got home, I had received an eMail from AT&T while we were gone. This eMail thanked us for our purchase and our new bill would change from $184 a month (3-lines & DirecTV NOW) to $424.

I, of course, checked this morning and my account has been restored to the original billing amount.

Anyway, no one at AT&T could explain how that was done. Someone was able to by-pass all of the security checks (and again, it was impressive) and make the changes to our account.

Pseudo AT&T stores: We had gone to this AT&T outlet for many years and didn't know that it was only an "authorized" dealer called Connect. They did have a small sign on the door with that name but the AT&T signs were much bigger and, of course, the Façade only showed AT&T. There is, of course, nothing wrong with that -- since it was invisible to us in the past -- but it was quite inconvenient to go 15 miles out of our way during rush hour traffic when a problem occurred.
__________________
"It's tough to make predictions, especially when it involves the future." ~Attributed to many
"In theory, there is no difference between theory and practice. But, in practice, there is." ~(perhaps by) Yogi Berra
"Those who have knowledge, don't predict. Those who predict, don't have knowledge."~ Lau tzu
RonBoyd is offline   Reply With Quote
Old 05-04-2019, 06:55 AM   #2
Moderator
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 25,356
Here is how it's done:
SIM Hijacking Explained

And here is something you can do to help prevent it:
How to add a PIN to your smartphone account to prevent SIM hijacking
__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 05-04-2019, 07:08 AM   #3
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 6,258
Quote:
Originally Posted by braumeister View Post
Here is how it's done:
SIM Hijacking Explained
Thank you. Quite informative.

Quote:
Originally Posted by braumeister View Post
And here is something you can do to help prevent it:
How to add a PIN to your smartphone account to prevent SIM hijacking
AT&T requires a PIN number in addition to a password. I tell you the security checks were impressive even including scanning the bar code on our driver's licenses. I am told this procedure is required of all AT&T personnel before any changes to an account can be made. (I do know that neither store could access our account without that information. They could get to the billing data without that security, however.)
RonBoyd is offline   Reply With Quote
Old 05-04-2019, 08:00 AM   #4
Thinks s/he gets paid by the post
 
Join Date: Jun 2017
Location: Western NC
Posts: 4,633
Quote:
Originally Posted by RonBoyd View Post
Thank you. Quite informative.

AT&T requires a PIN number in addition to a password. I tell you the security checks were impressive even including scanning the bar code on our driver's licenses. I am told this procedure is required of all AT&T personnel before any changes to an account can be made. (I do know that neither store could access our account without that information. They could get to the billing data without that security, however.)
Could it be someone opened a new line for a customer in another store, transposed/mis-typed digits, and so mistakenly added that new line to your account?
ncbill is offline   Reply With Quote
Old 05-04-2019, 08:41 AM   #5
Thinks s/he gets paid by the post
bjorn2bwild's Avatar
 
Join Date: Mar 2013
Location: Western US
Posts: 1,214
I read an account where the SIM hijackers used a complicit inside contact, usually overseas.

This made the second layer pin security useless as well.


OK, I found it ----


https://www.nbcsandiego.com/news/nat...509097961.html
bjorn2bwild is offline   Reply With Quote
Old 05-04-2019, 10:03 AM   #6
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 6,258
Quote:
Originally Posted by bjorn2bwild View Post
I read an account where the SIM hijackers used a complicit inside contact, usually overseas.

This made the second layer pin security useless as well.

OK, I found it ----

https://www.nbcsandiego.com/news/nat...509097961.html
Wow! That is certainly scary. There is no real defense for the individual.

I will have to say that AT&T is, at least, trying. They, for example, sent me a follow-up eMail stating that the Passcode (PIN Number) that we set up (changed actually) during the process can only be changed with the assistance of an AT&T Employee.

Furthermore, at the AT&T store, once we got the AT&T Fraud department on the phone, they would only talk to the in-store employee after a serious questioning. They asked him a lengthy series of questions starting with his Employee ID number and several other questions that I suspect included at least one code-of-the-day word -- perhaps both a color and a number. Well, there were answers that didn't make sense to me listening to only his side of the conversation. (This also explains why he was not that initially eager to help. Once we started the process, however, he went full in.)

What could I do personally to prevent this type of hacking? Very scary indeed.
RonBoyd is offline   Reply With Quote
Old 05-04-2019, 10:31 AM   #7
Thinks s/he gets paid by the post
bjorn2bwild's Avatar
 
Join Date: Mar 2013
Location: Western US
Posts: 1,214
Quote:
Originally Posted by RonBoyd View Post
What could I do personally to prevent this type of hacking? Very scary indeed.

With the insider hack, I don't think there is anything the individual can do to prevent it. It's up to the carriers.
I use email for 2FA when possible.
bjorn2bwild is offline   Reply With Quote
Old 05-04-2019, 11:37 AM   #8
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 6,258
Quote:
Originally Posted by bjorn2bwild View Post
With the insider hack, I don't think there is anything the individual can do to prevent it. It's up to the carriers.
I use email for 2FA when possible.
Most of my important accounts, if not all, already require Multi-factor Authorization and I (up to now <chuckle>) have felt pretty comfortable in that.

In any event, AT&T goes way beyond that in requiring speaking with a live person while making any changes to one's data.

My comfort level has gone down considerably.
RonBoyd is offline   Reply With Quote
Old 05-04-2019, 05:25 PM   #9
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,145
Quote:
Originally Posted by RonBoyd View Post
Yesterday, DW was unable to make any calls on her cell phone. A "No SIM card" error message was showing at the top of the screen. I, first, rebooted the phone... no joy. I, then, removed the card and put it back in and rebooted. Still no change. So I said this needs to be handled by AT&T. So we went to what we thought was the local AT&T store. (See below) Anyway, they were not qualified (or approved?) to resolve the issue. They sent us to a "Corporate" AT&T location.

What had happened was someone had added a new line to our account with a new iPhone -- switching the DW's SIM card to the new line. After an hour of an impressive amount of security checks to prove our identities, they agreed to remove this transaction.

When I got home, I had received an eMail from AT&T while we were gone. This eMail thanked us for our purchase and our new bill would change from $184 a month (3-lines & DirecTV NOW) to $424.

I, of course, checked this morning and my account has been restored to the original billing amount.

Anyway, no one at AT&T could explain how that was done. Someone was able to by-pass all of the security checks (and again, it was impressive) and make the changes to our account.

Pseudo AT&T stores: We had gone to this AT&T outlet for many years and didn't know that it was only an "authorized" dealer called Connect. They did have a small sign on the door with that name but the AT&T signs were much bigger and, of course, the Façade only showed AT&T. There is, of course, nothing wrong with that -- since it was invisible to us in the past -- but it was quite inconvenient to go 15 miles out of our way during rush hour traffic when a problem occurred.
Certainly if I got that error I would immediately think that someone had fraudulently swiped my number onto a new phone.

DH had a problem with his phone intermittently complaining about the SIM not being activated and not seeing a signal. He called in and they walked him through some kind of communications reset. Phone was fixed. I was worried he’d had his number stolen but the problem was intermittent.
__________________
Retired since summer 1999.
audreyh1 is online now   Reply With Quote
Old 05-05-2019, 05:45 AM   #10
Thinks s/he gets paid by the post
njhowie's Avatar
 
Join Date: Mar 2012
Posts: 3,931
Thanks - interesting info. We're with MetroPCS (now part of T-Mobile), and as part of original account activation we were required to create a PIN.
njhowie is offline   Reply With Quote
Old 05-05-2019, 06:17 AM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 6,258
Here is another article:

https://www.consumerreports.org/digi...uthentication/ (may be behind a pay wall)

Quote:
With this method, your smartphone acts as a security key.

If you choose to use a mobile app, such as Google Authenticator, you must scan a QR code presented by the site you wish to visit into the app. Once you do that, the app will continually generate the numerical codes required for log-in.

You also have the option to print out an image of the QR code for safekeeping. If you lose your phone, you just scan the code into a new one.

Google Authenticator is available for Android and iOS phones, but you need to have a Google account to set it up. And you have to sign up for Google 2-Step Verification before you can use it.

Instead of installing an app, you can also set up a push-based system such as Google Prompt, which sends notifications to all the phones signed into your Google account when a new log-in is detected. The notifications include location information for the log-in attempt.

You then have the choice of approving or denying the attempt.


Though consumers may be less aware of this option, people who work at Google, Facebook, Twitter, and cybersecurity companies have been quick to embrace it.

Instead of entering a code into your computer to verify your identity, you insert a physical key.

In some cases, the key and computer are linked via Bluetooth. In fact, cellular phones that run versions of the Android operating system dating back to 7.0 (Nougat) can now act as a Bluetooth-connected key.
RonBoyd is offline   Reply With Quote
Old 05-05-2019, 07:03 AM   #12
Moderator
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 25,356
Quote:
Originally Posted by RonBoyd View Post
Quote:
In some cases, the key and computer are linked via Bluetooth. In fact, cellular phones that run versions of the Android operating system dating back to 7.0 (Nougat) can now act as a Bluetooth-connected key.
That sort of thing is getting more common. As long as I'm wearing my Apple Watch, my laptop unlocks when I wake it up. Very convenient to not worry about typing in the password.

As for phones, when I created my T-Mobile account a couple of years ago I set up an 8-digit PIN that is required when porting my phone number. That's pretty good security.
braumeister is offline   Reply With Quote