How SIM Swappers Straight-Up Rob T-Mobile Stores (404media.co) 70
An anonymous reader shares a report: A young man sits in a car, pointing a cellphone camera out of the window, seemingly trying to remain undetected. As he breathes heavily in anticipation, he peers at a T-Mobile store across the road from where he is parked.
Suddenly, there is some commotion inside. An accomplice grabs something off a table where a T-Mobile employee is sitting. The accomplice, dressed in a mask and black baseball cap, then bursts out of the store and clumsily sprints towards the car. The man in the vehicle starts laughing, then giggling uncontrollably like a child. The pair got what they came for: a T-Mobile employee's tablet, the sort workers use everyday when dealing with customer support issues or setting up a new phone.
To the people in the car, what this tablet is capable of is much more valuable than iPad hardware itself. The tablet lets them essentially become T-Mobile. It can grant them the ability to take over target phone numbers, and redirect any text messages or calls for the victim to the hacker's own device, as part of a hack called a SIM swap. From there, they can easily break into email, cryptocurrency, and social media accounts.
Suddenly, there is some commotion inside. An accomplice grabs something off a table where a T-Mobile employee is sitting. The accomplice, dressed in a mask and black baseball cap, then bursts out of the store and clumsily sprints towards the car. The man in the vehicle starts laughing, then giggling uncontrollably like a child. The pair got what they came for: a T-Mobile employee's tablet, the sort workers use everyday when dealing with customer support issues or setting up a new phone.
To the people in the car, what this tablet is capable of is much more valuable than iPad hardware itself. The tablet lets them essentially become T-Mobile. It can grant them the ability to take over target phone numbers, and redirect any text messages or calls for the victim to the hacker's own device, as part of a hack called a SIM swap. From there, they can easily break into email, cryptocurrency, and social media accounts.
Is this zero day or patched? (Score:2)
Because, there will be a few dozen dumbasses trying to pull this off if it is still available, or even not obviously impossible
Re:Is this zero day or patched? (Score:5, Insightful)
Re: (Score:2)
Thanks, TOA gave me a headache and I TLDR'd it
It still begs the question, why did they even create the situation in the first place?
Re: (Score:3, Funny)
Thanks, TOA gave me a headache and I TLDR'd it
It still begs the question, why did they even create the situation in the first place?
You must be new to T-Mobile's security approach of wait for bad things to happen before implementing basic security policies/techniques.
Re:Is this zero day or patched? (Score:4, Insightful)
T-Mobile now requires a manager login and a second piece of authorization
Meh. Geofence the damn things. Auto-wipe when it leaves store premises.
Re: (Score:2, Interesting)
Re: (Score:2)
Wouldn't it be easier to just use a desktop computer connected to power with a wire? This weird trend of trying to make retail cool with tablets seems to add nothing but risk and annoyance. Watching an employee type my details in one handed on a tablet is frustrating as hell even before I knew about this kind of attack.
Re: (Score:2)
What make you think any of these "Sales Associate" zoomers can type? I suppose if your name was Asdwa some of them could pull it off with a keyboard.
Re: Is this zero day or patched? (Score:2)
If it is actually an iPad, they can have the app disable itself when leaving a geographic fencing zone and MDM wipe it as soon as they are informed of the theft. Moreover, they could implement a firewall rule that makes sure the app only works while the device is on an internal network.
There is literally nothing these things should be capable of doing if T-Mobile had a semi-competent IT staff. Smash and grab is common, having a corporate device capable of doing anything while off the network is the problem
Cool story, bro. (Score:4, Interesting)
What about passwords and keys securing the tablet? Does T-Mobile not use a timed screen lock? Yes, I understand that their software can do all these things, but I find it hard to believe that the device does not lock itself OR isn't able to be locked and cleared remotely like any other iPad.
Re: (Score:2)
Obligatory (Score:2)
https://xkcd.com/538/ [xkcd.com]
They'll just move up a level in criminal activity, into kidnapping.
Re: (Score:3)
I heard that a wrench is a great way to get passwords, but the TFA app stopped working after I smashed their phone!
Re: (Score:2)
More than likely, your gun will be used in a in-home accident, or by yourself when you suicide [nih.gov]
the "fantasy" of being the good guy with a gun, is just a fantasy
Abstract
Objective: Determine the relative frequency with which guns in the home are used to injure or kill in self-defense, compared with the number of times these weapons are involved in an unintentional injury, suicide attempt, or criminal assault or homicide.
Methods: We reviewed the police, medical examiner, emergency medical service, emergency dep
Re: (Score:3, Interesting)
A stock iPad is capable of being immediately bricked by the owner. T-Mobile had to spend time and resources in order to make this tablet less secure for this story to even make sense.
I'm a college dropout who sells comics for a living but if you take one of my devices, within a few minutes I'll have it bricked. How can a corporate communication
Re: (Score:2)
The article specifically states they may only have around 10 minutes before T-Mobile disables the tablets. It's not like they are stealing the tablets and using them for days before they are turned off. But any corporation is going to take a few minutes before getting to the right people to disable the stolen equipment. It's all about moving fast and getting as much done before it is disabled.
Re: (Score:2)
Yeah, but even that sounds a little bit silly. TFA seems to want to make it sound like this is some kind of massive fraud that's sweeping the nation. But in reality, which do you think happens more often:
A.) Crooks steal a tablet from a desk at a T-Mobile store, specifically so that they have 10 minutes or less to access a mobile carrier's proprietary backend software systems.
B.) Crooks steal a janitor's keyring so they can break into a building.
Either way, the opportunity is pretty small. Even if you use t
Re: (Score:2)
You missing the point. They get the tablet and can basically steal people's phone numbers. They can then use the stolen phone number to be able to access other things because they can bypass the terrible 2FA that uses texts. This allows them to access bank accounts or email box and continue on from there. IT isn't about free phones or numbers, it is about getting access to people's numbers to then spread out from there.
Re: (Score:2)
B.) Crooks steal a janitor's keyring so they can break into a building.
The tablets could be disabled outside working hours.
Re: (Score:2)
>, it seems to me that it would be a lot simpler to forego the Mission Impossible plan and just buy burner phones.
You forge numbers to phones whose username and password you have to some juicy bank or investment account and use that 10 minutes to do the 2FA part of the authentication, and drain their accounts dry. If you have a script access, perhaps you can get a bunch of people's money this way, but just one hit of any money is worth it, it appears.
Re: Cool story, bro. (Score:2)
Sure, but then they have to remain for 10 minutes in front or near the store if they had any competent IT person. Things like this shouldnâ(TM)t work off the corporate wired or WiFi network.
Re: (Score:2)
Yup, the villain in this story is T-Mobile. They seem to have deliberately designed their devices in a way that they can't be secure in order to help SIM swappers.
They don't even need to wipe it. Just disable its access to the T-Mobile backend, and freeze any changes that were made through it within the last ~30 minutes.
Re: Cool story, bro. (Score:2)
The villains in the story are the thieves. T-Mobile is the comic relief.
Re: (Score:2, Insightful)
Re: (Score:2)
Your pie-in-the-sky crazy talk has no place on this forum.... err, wait, am I on... oh, never mind. Carry on...
Re: (Score:2)
I just realized, how can they turn the tablet's cellular service off if they don't have their tablet?!
Re: (Score:2)
No kidding. I hear some devices are even capable of detecting their location via GPS. Perhaps some sort of neckbeard wizard could write something we should call an "app" that refuses to allow T-Mobile staff from making changes to cell phones if they aren't within a kind of "virtual GPS fence" around their store. Or maybe if the tablet isn't connected to the store's WiFi... We could even put in some sort of "fingerprint" sensor that must be used for sensitive operations...
Ha ha you and your crazy tech-driven fantasies, thanks for the chuckle!
Re: (Score:2)
Soo, T-mobile has no IT security people? (Score:3, Insightful)
Because all it should take one support call and that tablet is worthless. And it should lock itself anyways when going out of range of the in-shop WiFi.
Re: (Score:2)
Quoting from the article - you did read it?
Re: (Score:2)
You must be new here.
Re: (Score:2)
Looking at the user-numbers, nope.
I've been there, made that mistake and have learned from it (on a good day).
Re: (Score:2)
Re: (Score:2)
That doesn't sound right either. My experience on Slashdot for the last few years has been "we comment first, then read TFA never."
Re: (Score:2)
Hopefully T-Mobile considers geofencing, which, if GPS is checked every so often (like every 60 seconds), if it gets a coordinate set that isn't where it is supposed to be, then lock the tablet.
Why I don't want to use a phone number for 2FA (Score:2, Insightful)
SIM swap weakness, social engineering of mobile employees, and giving away personal information, are 3 reasons why I don't want to use a phone number for 2FA.
Re:Why I don't want to use a phone number for 2FA (Score:4, Insightful)
Absolutely. I wish that more companies would 1) offer TOTP as an option for MFA and 2) allow me to *disable* SMS for password recovery
Re: (Score:2)
Re: (Score:2)
I've gone to using a Google Voice number for shitty SMS MFA. No sim to swap, no idiot mobile employees to hoodwink, and Google already has all my personal information anyway due to a decade or two of being Google.
At least this way I can get the notification on my fucking laptop so I can copy and paste.
Hackers don't always need to swap your SIM (Score:5, Interesting)
This is a repost of something I wrote over on the T-Mobile sub of Reddit about 9 months ago, after some hacker who knew the e-mail address associated with my T-Mobile account (I assumed they got that information from the data breach) managed to somehow remotely reset my voicemail password. Since I don't have the kind of online clout necessary to really push the issue, I have no idea if in the interim T-Mobile ever patched whatever exploit was being used to reset voicemail passwords. Caveat emptor, if you use T-Mobile.
I had someone get into my email account due to the T-Mobile data breach. As near as I can piece together, it went like this:
The hacker somehow reset my voicemail password. I know this because T-Mobile sent me a text while I was asleep saying my password had been reset, and thanking me for using their automated support. Stupidly, T-Mobile sets the default voicemail password to your 7 digit phone number.
Next, the hacker used the account recovery feature from my email provider and chose the option to have the temporary passcode sent as a voice call. They then accessed my voicemail using the newly reset password to retrieve the voicemail with my email account's temporary password. I discovered this because I have an alternate email address on a different email provider set to receive account notifications.
Then, as near as I can tell, the hacker did nothing of consequence. They didn't try to get into any of the accounts associated with my email address (I still reset all my passwords anyway, obviously), nor have I noticed any unusual charges from my bank account, PayPal, or credit cards. They also didn't do anything to lock me out of my email account, and I was able to change my password and decided to remove my phone number as an account recovery option.
I called T-Mobile support later that day and they had no explanation for how a hacker was able to reset my voicemail password. The entire experience has left me feeling that it's an absolutely terrible idea to have a T-Mobile phone number associated with anything that could possibly grant access to any of your online accounts. T-Mobile's security is Swiss cheese.
Re: (Score:3)
Re: (Score:2)
Agreed, this drives me insane. Do I want 2FA on all my accounts? Yes! Do I consider a phone number/SMS to be a valid second factor? Fuck no. As soon as something starts with "Well give us your phone number so there's a backup in case you lose your code!" I'm done. I'll just rely on the longest password they'll accept from the password manager at that point.
A second factor backed by a publicly (Effectively at this point) accessible phone number as a backup isn't a security feature, it's just simply broad
Better Headline (Score:2)
They should be fined for this!! Just like a person is fined for leaving the keys in their car, or the car running and accessible to thieves
Geofencing? (Score:2)
This sounds like something that can be fixed with geofencing. I have worked with an appliance that was iOS based which had a geofenced app. Part of the app's startup process was sending its GPS signal to a server and the server sending the app an unlock key. If the app was taken out of the geofenced area, it would immediately exit. Trying to run the app out of the geofenced area would get a PIN prompt, and if that was guessed wrong after three tries, the app would erase all data. The device also was co
Sorry For the Tangent, But... (Score:2)
Overboard Theatrical Story Text (Score:4)
Re: Overboard Theatrical Story Text (Score:2)
It made for very cringy reading. Just dot points would be fine.
Re: (Score:2)
I mean, God, one of the people in the story was "giggling uncontrollably like a child"? Really? I don't think someone who is actually stealing something would do that. What's next?
So, tell us you didn't bother to watch the video in TFA without telling us.
Re: (Score:2)
I mean, God, one of the people in the story was "giggling uncontrollably like a child"? Really? I don't think someone who is actually stealing something would do that. What's next?
So, tell us you didn't bother to watch the video in TFA without telling us.
I'm posting on Slashdot. Not watching or reading TFA is expected behavior ;)
Re: (Score:2)
i mean, there are plenty of skiddies who really do behave exactly like this... it's just weird to read in text because usually they're not worth writing about.
What about basic physical security? (Score:2)
A gadget similar to this [amazon.ca] would make this particular attack impractical. At the very least, it would force would-be thieves to come armed with wire-cutters and give T-Mobile more time to disable the tablet.
Re: (Score:2)
If you are going to lock the tablet to a fixed location in the store, what about using a gadget similar to this [myoldcomputers.com] for account administration?
Re: (Score:2)
No doubt. If only there was a device that didn't have battery and required you to be connected to the network with a wire!
Re: (Score:2)
The folks described are not the standard thugs holding up liquor stores for a few bucks. These are pros, who know how to navigate through T-Mobile's service tables, and who know, how to exploit a SIM swap. If T-Mobile attaches a steel cable to this tables, they'll show up with LiPo powered angle grinders.
Incidentally T-Mobile found a much more elegant solution: within a few minutes the robbery is reported and the tablet then unable to access T-Mobile's resources. That SIM swap happens on T-Mobile's servers,
corporate or franchise store? (Score:2)
corporate or franchise store?
No remote kill switch? (Score:2)
Why does this device even work outside of the stor (Score:2)
Sound to me like T-Mobile is culpable (Score:2)
Why a tablet anyway? (Score:2)
Is there a hardware design reason I've not thought of where a portable device with a battery makes this a better choice than say a desktop? If I try and snatch a desktop and run then I rip the power cord out and it shuts off. If it shuts off I need the password to sign in again. It's not a complete security solution but... why the tablet over that? Did some idiot manager just liked the idea of buying iPads with the company's money?
Re: (Score:2)
It's so they can follow you around the store, tapping it and suggesting you buy things you're never going to buy. At least that's how it works whenever I go into a T-Mobile store.
They stole the idea from Apple, whose minions will trail you around the store like stalkers, waiting to ring up another sweet, sweet customer sale.