
How SIM Swappers Straight-Up Rob T-Mobile Stores (404media.co) 70

An anonymous reader shares a report: A young man sits in a car, pointing a cellphone camera out of the window, seemingly trying to remain undetected. As he breathes heavily in anticipation, he peers at a T-Mobile store across the road from where he is parked.

Suddenly, there is some commotion inside. An accomplice grabs something off a table where a T-Mobile employee is sitting. The accomplice, dressed in a mask and black baseball cap, then bursts out of the store and clumsily sprints towards the car. The man in the vehicle starts laughing, then giggling uncontrollably like a child. The pair got what they came for: a T-Mobile employee's tablet, the sort workers use everyday when dealing with customer support issues or setting up a new phone.

To the people in the car, what this tablet is capable of is much more valuable than iPad hardware itself. The tablet lets them essentially become T-Mobile. It can grant them the ability to take over target phone numbers, and redirect any text messages or calls for the victim to the hacker's own device, as part of a hack called a SIM swap. From there, they can easily break into email, cryptocurrency, and social media accounts.

  • Because, there will be a few dozen dumbasses trying to pull this off if it is still available, or even not obviously impossible

    • by TXJD ( 5534458 ) on Friday November 10, 2023 @12:33PM (#63995977)
      According to the article: "It appears remo snatching is becoming less common. In their own post, n0sec said that T-Mobile now requires a manager login and a second piece of authorization. And in a statement to 404 Media, T-Mobile mentioned its implementation of “new enhancements.” "
      • Thanks, TOA gave me a headache and I TLDR'd it

        It still begs the question, why did they even create the situation in the first place?

        • Re: (Score:3, Funny)

          by blahbooboo ( 839709 )

          Thanks, TOA gave me a headache and I TLDR'd it

          It still begs the question, why did they even create the situation in the first place?

          You must be new to T-Mobile's security approach of wait for bad things to happen before implementing basic security policies/techniques.

      • by Tailhook ( 98486 ) on Friday November 10, 2023 @01:56PM (#63996203)

        T-Mobile now requires a manager login and a second piece of authorization

        Meh. Geofence the damn things. Auto-wipe when it leaves store premises.

        • Re: (Score:2, Interesting)

          by Anonymous Coward
          Geofence? Why does it even have access to T-Mobile's systems when not connected to the store's wifi/VPN? Sure, geofencing would be an improvement, but it's a band-aid on a fundamentally broken security model.
        • by trawg ( 308495 )

          Wouldn't it be easier to just use a desktop computer connected to power with a wire? This weird trend of trying to make retail cool with tablets seems to add nothing but risk and annoyance. Watching an employee type my details in one handed on a tablet is frustrating as hell even before I knew about this kind of attack.

          • by Tailhook ( 98486 )

            What makes you think any of these "Sales Associate" zoomers can type? I suppose if your name was Asdwa some of them could pull it off with a keyboard.

    • If it is actually an iPad, they can have the app disable itself when leaving a geographic fencing zone and MDM wipe it as soon as they are informed of the theft. Moreover, they could implement a firewall rule that makes sure the app only works while the device is on an internal network.

      There is literally nothing these things should be capable of doing if T-Mobile had a semi-competent IT staff. Smash and grab is common, having a corporate device capable of doing anything while off the network is the problem

  • Cool story, bro. (Score:4, Interesting)

    by LondoMollari ( 172563 ) on Friday November 10, 2023 @12:25PM (#63995953) Homepage

    What about passwords and keys securing the tablet? Does T-Mobile not use a timed screen lock? Yes, I understand that their software can do all these things, but I find it hard to believe that the device does not lock itself OR isn't able to be locked and cleared remotely like any other iPad.

    • by TXJD ( 5534458 )
      According to the article they have fixed some things. "It appears remo snatching is becoming less common. In their own post, n0sec said that T-Mobile now requires a manager login and a second piece of authorization. And in a statement to 404 Media, T-Mobile mentioned its implementation of “new enhancements.” "
    • https://xkcd.com/538/ [xkcd.com]

      They'll just move up a level in criminal activity, into kidnapping.

    • Re: (Score:3, Interesting)

      by PubJeezy ( 10299395 )
      Yup, the villain in this story is T-Mobile. They seem to have deliberately designed their devices in a way that they can't be secure in order to help SIM swappers.

      A stock iPad is capable of being immediately bricked by the owner. T-Mobile had to spend time and resources in order to make this tablet less secure for this story to even make sense.

      I'm a college dropout who sells comics for a living but if you take one of my devices, within a few minutes I'll have it bricked. How can a corporate communication
      • by dirk ( 87083 )

        The article specifically states they may only have around 10 minutes before T-Mobile disables the tablets. It's not like they are stealing the tablets and using them for days before they are turned off. But any corporation is going to take a few minutes before getting to the right people to disable the stolen equipment. It's all about moving fast and getting as much done before it is disabled.

        • by PCM2 ( 4486 )

          Yeah, but even that sounds a little bit silly. TFA seems to want to make it sound like this is some kind of massive fraud that's sweeping the nation. But in reality, which do you think happens more often:

          A.) Crooks steal a tablet from a desk at a T-Mobile store, specifically so that they have 10 minutes or less to access a mobile carrier's proprietary backend software systems.
          B.) Crooks steal a janitor's keyring so they can break into a building.

          Either way, the opportunity is pretty small. Even if you use t

          • by dirk ( 87083 )

            You're missing the point. They get the tablet and can basically steal people's phone numbers. They can then use the stolen phone number to be able to access other things because they can bypass the terrible 2FA that uses texts. This allows them to access bank accounts or email box and continue on from there. It isn't about free phones or numbers, it is about getting access to people's numbers to then spread out from there.

          • B.) Crooks steal a janitor's keyring so they can break into a building.

            The tablets could be disabled outside working hours.

          • by jvkjvk ( 102057 )

            >, it seems to me that it would be a lot simpler to forego the Mission Impossible plan and just buy burner phones.

            You forge numbers to phones whose username and password you have to some juicy bank or investment account and use that 10 minutes to do the 2FA part of the authentication, and drain their accounts dry. If you have a script access, perhaps you can get a bunch of people's money this way, but just one hit of any money is worth it, it appears.

        • Sure, but then they have to remain for 10 minutes in front or near the store if they had any competent IT person. Things like this shouldn't work off the corporate wired or WiFi network.

      • by Cyberax ( 705495 )

        Yup, the villain in this story is T-Mobile. They seem to have deliberately designed their devices in a way that they can't be secure in order to help SIM swappers.

        They don't even need to wipe it. Just disable its access to the T-Mobile backend, and freeze any changes that were made through it within the last ~30 minutes.
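
The server-side controls suggested in the comments above (store-network restriction, the manager authorization quoted from the article, and revoking a stolen tablet while freezing its last ~30 minutes of changes), sketched as an added example that is not part of the thread and not T-Mobile's code. All names, device IDs, addresses and phone numbers are constructed, and manager approval is reduced to a boolean as an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

FREEZE_LOOKBACK_S = 30 * 60  # the "~30 minutes" from the comment above


@dataclass
class Change:
    device_id: str
    msisdn: str
    at: float          # epoch seconds when the change was accepted
    frozen: bool = False


@dataclass
class Backend:
    """Hypothetical carrier backend; every check runs server-side, not on the tablet."""
    store_nets: dict                      # device_id -> network of the store it belongs to
    revoked: set = field(default_factory=set)
    changes: list = field(default_factory=list)

    def request_sim_change(self, device_id, src_ip, msisdn, manager_ok, now):
        """Return (allowed, reason) for a SIM change requested from a store tablet."""
        if device_id in self.revoked:
            return False, "device revoked"
        net = self.store_nets.get(device_id)
        if net is None or ip_address(src_ip) not in net:
            return False, "not on store network"
        if not manager_ok:
            return False, "manager authorization missing"
        self.changes.append(Change(device_id, msisdn, now))
        return True, "ok"

    def report_stolen(self, device_id, now):
        """Revoke the device and freeze its recent changes for review."""
        self.revoked.add(device_id)
        frozen = []
        for c in self.changes:
            if c.device_id == device_id and 0 <= now - c.at <= FREEZE_LOOKBACK_S:
                c.frozen = True
                frozen.append(c)
        return frozen


def demo():
    """Constructed timeline: requests before and after a theft report at t0."""
    b = Backend({"tab-01": ip_network("10.20.30.0/24")})
    t0 = 1_700_000_000.0
    results = [
        b.request_sim_change("tab-01", "10.20.30.41", "555-0100", True, t0 - 3600),
        b.request_sim_change("tab-01", "10.20.30.41", "555-0101", False, t0 - 600),
        b.request_sim_change("tab-01", "198.51.100.7", "555-0102", True, t0 - 300),
        b.request_sim_change("tab-01", "10.20.30.41", "555-0103", True, t0 - 120),
    ]
    frozen = [c.msisdn for c in b.report_stolen("tab-01", t0)]
    results.append(b.request_sim_change("tab-01", "10.20.30.41", "555-0104", True, t0 + 60))
    return results, frozen


if __name__ == "__main__":
    print(demo())
```
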

      • The villains in the story are the thieves. T-Mobile is the comic relief.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      No kidding. I hear some devices are even capable of detecting their location via GPS. Perhaps some sort of neckbeard wizard could write something we should call an "app" that refuses to allow T-Mobile staff from making changes to cell phones if they aren't within a kind of "virtual GPS fence" around their store. Or maybe if the tablet isn't connected to the store's WiFi... We could even put in some sort of "fingerprint" sensor that must be used for sensitive operations...
      • Your pie-in-the-sky crazy talk has no place on this forum.... err, wait, am I on... oh, never mind. Carry on...

      • by kackle ( 910159 )
        Or in-store Wi-Fi fencing (assuming it doesn't use cellular service that can be turned off remotely).

        I just realized, how can they turn the tablet's cellular service off if they don't have their tablet?! :-)
      • No kidding. I hear some devices are even capable of detecting their location via GPS. Perhaps some sort of neckbeard wizard could write something we should call an "app" that refuses to allow T-Mobile staff from making changes to cell phones if they aren't within a kind of "virtual GPS fence" around their store. Or maybe if the tablet isn't connected to the store's WiFi... We could even put in some sort of "fingerprint" sensor that must be used for sensitive operations...

        Ha ha you and your crazy tech-driven fantasies, thanks for the chuckle!

      • by kmoser ( 1469707 )
        That won't stop crooks from driving close to the store and using the tablet from their car.
  • by gweihir ( 88907 ) on Friday November 10, 2023 @12:29PM (#63995965)

    Because all it should take is one support call and that tablet is worthless. And it should lock itself anyways when going out of range of the in-shop WiFi.

    • Quoting from the article - you did read it?

      One sometimes overlooked technique of SIM swappers is much more physical: going into the store and seizing the tablets themselves, like the incident shown in the video obtained by 404 Media. The technique appears to have fallen out of favor as T-Mobile introduced more security protections, but still provides insight into the lengths that SIM swappers will go to.

  • by Anonymous Coward

    SIM swap weakness, social engineering of mobile employees, and giving away personal information, are 3 reasons why I don't want to use a phone number for 2FA.

  • by Powercntrl ( 458442 ) on Friday November 10, 2023 @01:15PM (#63996075) Homepage

    This is a repost of something I wrote over on the T-Mobile sub of Reddit about 9 months ago, after some hacker who knew the e-mail address associated with my T-Mobile account (I assumed they got that information from the data breach) managed to somehow remotely reset my voicemail password. Since I don't have the kind of online clout necessary to really push the issue, I have no idea if in the interim T-Mobile ever patched whatever exploit was being used to reset voicemail passwords. Caveat emptor, if you use T-Mobile.

    I had someone get into my email account due to the T-Mobile data breach. As near as I can piece together, it went like this:

    The hacker somehow reset my voicemail password. I know this because T-Mobile sent me a text while I was asleep saying my password had been reset, and thanking me for using their automated support. Stupidly, T-Mobile sets the default voicemail password to your 7 digit phone number.

    Next, the hacker used the account recovery feature from my email provider and chose the option to have the temporary passcode sent as a voice call. They then accessed my voicemail using the newly reset password to retrieve the voicemail with my email account's temporary password. I discovered this because I have an alternate email address on a different email provider set to receive account notifications.

    Then, as near as I can tell, the hacker did nothing of consequence. They didn't try to get into any of the accounts associated with my email address (I still reset all my passwords anyway, obviously), nor have I noticed any unusual charges from my bank account, PayPal, or credit cards. They also didn't do anything to lock me out of my email account, and I was able to change my password and decided to remove my phone number as an account recovery option.

    I called T-Mobile support later that day and they had no explanation for how a hacker was able to reset my voicemail password. The entire experience has left me feeling that it's an absolutely terrible idea to have a T-Mobile phone number associated with anything that could possibly grant access to any of your online accounts. T-Mobile's security is Swiss cheese.

    • This type of thing is why I hate it when "cybersecurity training" says it is best practice to always enable two-factor authentication. In many cases it actually makes the person overall less secure. They would not have otherwise provided a high-value piece of information like a cell number to a low-value or shady service.
      • by Roogna ( 9643 )

        Agreed, this drives me insane. Do I want 2FA on all my accounts? Yes! Do I consider a phone number/SMS to be a valid second factor? Fuck no. As soon as something starts with "Well give us your phone number so there's a backup in case you lose your code!" I'm done. I'll just rely on the longest password they'll accept from the password manager at that point.

        A second factor backed by a publicly (Effectively at this point) accessible phone number as a backup isn't a security feature, it's just simply broad

  • T-Mobile's decision to not use any security on their tablets leads to theft!!

    They should be fined for this!! Just like a person is fined for leaving the keys in their car, or the car running and accessible to thieves
  • This sounds like something that can be fixed with geofencing. I have worked with an appliance that was iOS based which had a geofenced app. Part of the app's startup process was sending its GPS signal to a server and the server sending the app an unlock key. If the app was taken out of the geofenced area, it would immediately exit. Trying to run the app out of the geofenced area would get a PIN prompt, and if that was guessed wrong after three tries, the app would erase all data. The device also was co

  • This is why SMS is my least favorite form of MFA. Unfortunately, some services don't allow other forms of MFA. In other cases, services don't allow accounts just for technical or financial administrators to view activity without paying for a full license, so we resort to shared accounts which make MFA much tougher, especially when SMS is the only option. If T-Mobile was smart, they'd have a way of disabling that tablet as soon as it was stolen, but based on their track record I don't hold out a lot of ho
  • by GFS666 ( 6452674 ) on Friday November 10, 2023 @02:05PM (#63996227)
    Can we just take a moment to call out the totally overboard theatrical story text? I mean, God, one of the people in the story was "giggling uncontrollably like a child"? Really? I don't think someone who is actually stealing something would do that. What's next? Laughing Maniacally like some dime store novel Mad Scientist as his accomplice gets into the car? "MUHAHAHAHAHAHAHAHA!!!!!"?
    • It made for very cringy reading. Just dot points would be fine.

    • by PPH ( 736903 )

      I mean, God, one of the people in the story was "giggling uncontrollably like a child"? Really? I don't think someone who is actually stealing something would do that. What's next?

      So, tell us you didn't bother to watch the video in TFA without telling us.

      • by GFS666 ( 6452674 )

        I mean, God, one of the people in the story was "giggling uncontrollably like a child"? Really? I don't think someone who is actually stealing something would do that. What's next?

        So, tell us you didn't bother to watch the video in TFA without telling us.

        I'm posting on Slashdot. Not watching or reading TFA is expected behavior ;)

    • i mean, there are plenty of skiddies who really do behave exactly like this... it's just weird to read in text because usually they're not worth writing about.

  • A gadget similar to this [amazon.ca] would make this particular attack impractical. At the very least, it would force would-be thieves to come armed with wire-cutters and give T-Mobile more time to disable the tablet.

    • by PPH ( 736903 )

      If you are going to lock the tablet to a fixed location in the store, what about using a gadget similar to this [myoldcomputers.com] for account administration?

      • No doubt. If only there was a device that didn't have battery and required you to be connected to the network with a wire!

    • by Slayer ( 6656 )

      The folks described are not the standard thugs holding up liquor stores for a few bucks. These are pros, who know how to navigate through T-Mobile's service tables, and who know how to exploit a SIM swap. If T-Mobile attaches a steel cable to these tables, they'll show up with LiPo powered angle grinders.

      Incidentally T-Mobile found a much more elegant solution: within a few minutes the robbery is reported and the tablet then unable to access T-Mobile's resources. That SIM swap happens on T-Mobile's servers,

  • corporate or franchise store?

  • I would have thought that such tablets ought to be equipped with the capability to have them remotely reset to factory defaults in a matter of seconds.
  • Why does this device even work outside of the store? At least geofence or do something that it dies as soon as it goes out the door.
  • Something as simple as whole-disk-encryption and a policy of always keeping the machine locked when not in use would have prevented this douchery.
  • Is there a hardware design reason I've not thought of where a portable device with a battery makes this a better choice than say a desktop? If I try and snatch a desktop and run then I rip the power cord out and it shuts off. If it shuts off I need the password to sign in again. It's not a complete security solution but... why the tablet over that? Did some idiot manager just like the idea of buying iPads with the company's money?

    • It's so they can follow you around the store, tapping it and suggesting you buy things you're never going to buy. At least that's how it works whenever I go into a T-Mobile store.

      They stole the idea from Apple, whose minions will trail you around the store like stalkers, waiting to ring up another sweet, sweet customer sale.
