T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs: Report (tmo.report)
T-Mobile employees from around the country are reportedly receiving text messages offering them cash in exchange for swapping SIMs. SIM swapping is when cybercriminals trick a cellular service provider into switching a victim's service to a SIM card that they control, essentially hijacking the victim's phone number and gaining access to two-factor authentication codes. From the Mobile Report: The texts offer the employee $300 per SIM swap, and ask the worker to contact them on Telegram. The texts all come from a variety of different numbers across multiple area codes, making it more difficult to block. The text also claims they acquired the employee's number "from the T-Mo employee directory." If true, it could mean T-Mobile's employee directory, with contact numbers, has somehow been accessed. It's also possible the bad actor has live/current access to this data, though we consider that less likely due to the fact that some impacted people are former employees who have not worked at the company in months.
Still, the biggest issue here is how this person (or multiple people) obtained the employee phone numbers. We're not sure yet which employees are impacted, but based on comments online it seems at least a few third-party employees are affected, and we've independently confirmed current corporate employees have also received the message. Though we can't say for certain, this likely means the information is not the same data as what was leaked during the Connectivity Source breach [from September]. We can't, however, eliminate that possibility. As mentioned, there are reports that some of the contacted people are former employees, and haven't been employed at T-Mobile for months, so the information being acted upon is likely a few months old at the very least. That being said, we're pretty confident based on corporate employees being included that this is a different source of data being used.
Salt the lists (Score:3)
How hard would it be to plant a few ringers in the employee directory for the next time someone makes a dump of the employee directory? Ringers who have for example a side gig wearing a badge and a gun...
Map publishers use this trick to catch copyright infringement. A
Re: (Score:3)
Well, they used to, anyways.
https://www.bloomberg.com/news... [bloomberg.com]
I don't think that'll work (Score:1)
People do not make good decisions when under pressure despite what 80s action films would have you believe and low pay for customer service jobs coupled with skyrocketing rents have put hundreds of thousands if not millions under some very heavy pressure in the form of homelessness or threats of homel
Re: (Score:3)
You think the badge and a gun types care about this? They will refer you to the DA. And a DA is not going to care without an actual person asking them to enforce the law, because someone needs to be named as the one filing charges. Very rarely will the DA decide to follow up on their own, and usually only when there's a pretty obvious paper trail through someone in the country. Because otherwise it's just noise.
And, every company would need to add someone outside the company who will actually care about the
Re: (Score:2)
And what purpose would that serve? There _are_ obviously employees that report this already. So no improvement there. And from that point, anything that can be done can be done anyways.
Re: (Score:2)
Or like test 10% of the employees a month and give them $25 for reporting it and additional training for not reporting it.
Now your workforce isn't vulnerable at a cost of ~$25/year/employee.
Similar to the fake phishing emails a lot of employers send.
Re: Salt the lists (Score:1)
They are getting $300/swap. One of the people indicted for cooperating was doing several dozens per week. It is obviously more valuable to the criminals, each successful swap is worth thousands.
It's a good thing customer service reps (Score:5, Interesting)
Re: (Score:2)
Indeed. First rule for your own security people, and basically everybody that has a good position for an insider-attack? Make sure they are satisfied with their job! And that is the _only_ thing that really works. For example, things like DLP works somewhat against people accidentally exfiltrating data, they are completely useless against somebody intentionally stealing data if that person has two working braincells.
While this is obvious to anybody sane, for some reason "suits" routinely do not understand t
Re: (Score:2)
Doesn't just work for your employees, it is the same on a larger scale for your population. As a government, make sure people have more to lose than to gain for mugging someone for the 20 bucks in their wallet and you will find that you don't have a crime problem.
Re: (Score:2)
That depends on the approach. Send people to prison? Does not work, criminals, whether small or large, never think they could get caught. Even the death "penalty" does not work.
On the other hand, make sure nobody has to mug anybody because it is not difficult to actually get a decent job? That has a lot better chances.
Re: (Score:2)
People here have a lot to lose. Even those that have nothing. They still got their freedom and they can kinda-sorta survive on dole. It is possible. There's nobody going "Either I have this fucker's 20 bucks or a roof over the head and three meals a day, either way, it's win-win".
Re: (Score:2)
You assume criminals of this type are good at risk evaluation and planning. Observable evidence shows that is not the case. And hence this idea is not working. At all.
Re: (Score:2)
Weird. Because it is. Unlike most US-cities, you can walk across the ones here at any time of day, wherever you like. And the chance of returning with your wallet and all kidneys is pretty good.
Re: (Score:2)
I would attribute that to a) cultural differences and b) most US cities are actually not that dangerous.
Re: (Score:2)
Putting themselves in a position where they had to take a shitty job, and then taking a shitty job, are two prerequisite bad decisions.
I guess that's someone else's fault too, eh?
Re: (Score:2)
I don't care whose fault it is.
I care who solves the problem.
People who only look for culprits will never have a solution. You'll have someone to blame and feel good about yourself because it ain't you, but the problem remains.
Re: (Score:1)
I don't care whose fault it is.
I care who solves the problem.
OK, let's go with that. So, pray tell, who should "solve the problem", i.e. provide the money needed to satisfy this form of extortion? Are you volunteering? Maybe the Tooth Fairy? Me through bigger taxes? Me through increased price of cell service? And more importantly, who will provide the money to satisfy all other extortionists going "pay me a rent or I will turn to crime" that will want a slice of that cake too, after we establish that this is a perfectly valid form of existence within society?
Re: (Score:2)
So, pray tell, who should "solve the problem", i.e. provide the money needed to satisfy this form of extortion?
I have a suggestion. How about their employer? https://www.macrotrends.net/st... [macrotrends.net]
Re: (Score:2)
T-Mobile should solve the problem.
They should do tests like this periodically and see if anyone responds, and give a small payout to those that report.
If they don't randomly and hit the vulnerable employees approximately once a year it would be very little cost (give them a small gift card less than $50).
Employees that fail to report get extra training, employees that buy in get fired.
Now the calculus isn't $300 for a potential job loss/criminal situation vs nothing.
It's $50 for if it's a test, vs certain j
Re: (Score:3)
How about holding T-Mobile responsible for allowing Sim-Swapping to happen? It's way overdue.
Re: (Score:2)
I only look for a solution for things that are my problem to solve.
Yeah it is (Score:2)
People are born into poverty all the time. My mom was a chain smoking alcoholic and it had a significant effect on my life. On the other hand she was able to hold down a job and so I have been too. Since I don't drink and smoke being a nerd and all I did not pass that down to my kid. But even taking that into a fact the incredibly high cost of college and the extremely low pay for anyone under 40 means that my kid i
Re: (Score:2)
Re: (Score:2)
Re: It's a good thing customer service reps (Score:1)
Every organization at every level is vulnerable to these things, criminal enterprises make a lot more money than legitimate ones. We are talking about attacks that can empty people's bank accounts, savings and investments while opening lines of credit, sometimes worth a million in one fell swoop. You are going to pay the sales clerk $120k/year to defend against this attack?
SMS-Based MFA Has To Go (Score:5, Insightful)
Re: (Score:1)
There used to be a time when we could rely on legislators to mandate basic security measures, but...
When was that?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
And the relevancy to the story is?
Re: (Score:2)
Re: (Score:2)
Probably not. There are other attack vectors that can be used after a SIM swap. The SMS "authentication" path is just the most easy one and hence the one done most often.
As to hardware-based tokens, that is on the users. Large bank here tried to get corporate users hardware tokens a while back, but they would charge $20 or so for each of them (which is basically what they cost the bank overall including configuration). Nobody was interested.
Re: (Score:3)
TOTP and hardware-based tokens are more secure but many service providers don't support them.
I've been modded troll for saying telephones and SMS are broken. Someone can hijack your telephone number, assume your identity, gain access to your accounts and these companies all act like it's OK because they're following industry standards.
TOTP and security fobs are great, until someone convinces your service that uses them, that you lost yours and that they should let them identify in some other less secure method... Instead, lets put an end to SMS and phone number hijacking, even if that means aband
Re: (Score:2)
Usually when you set up 2FA with TOTP codes you get a set of recovery codes that you keep safe, in case you lose access to the TOTP ones.
The better solution for most people though is Passkeys. Can't be stolen like cookies or phone numbers, don't need to muck about with TOTP codes etc. Sites don't even need to keep you logged in via cookies as they can just log you back in the next time you visit, seamlessly and automatically.
For the paranoid, 2FA is still important, but for most people and for most websites
Re: (Score:2)
The time when we could (sometimes) rely on legislators to mandate basic security was back when they understood how basic security worked. In these areas only (some) tech specialists do.
Re: (Score:2)
Re: (Score:2)
TOTP hashes can be backed up. ...
Just use an application that can do that
On Android, FreeOTP+ [google.com] has an export/import feature.
This is the way most people can use it, without technical knowledge.
And from the command line, there is oathtool [ubuntu.com]. I wrote a simple wrapper script that reads a file that contains the hashes, and returns the one time password.
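As an added example (not the commenter's script and not oathtool itself), this stdlib-only Python implementation of RFC 4226 HOTP and RFC 6238 TOTP does the same job as such a wrapper: it reads `label base32-seed` lines from a file and returns the current code for one label. The file layout, the function names and the seed (the RFC 6238 Appendix B test key, not a real account) are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example seed: the RFC 6238 Appendix B test key, the ASCII bytes
# "12345678901234567890", in the base32 form authenticator apps and oathtool accept.
RFC6238_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    # Apps tolerate lowercase, spaces and missing '=' padding in the seed; normalise.
    seed = secret_b32.strip().upper().replace(" ", "")
    seed += "=" * (-len(seed) % 8)
    key = base64.b32decode(seed)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret_b32, unix_time // step, digits)


def totp_from_file(path: str, label: str, digits: int = 6) -> str:
    """Return the current code for `label` from a file of 'label base32seed' lines
    (assumed layout for a wrapper script's seed store)."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            name, _, seed = line.strip().partition(" ")
            if name == label:
                return totp(seed, digits=digits)
    raise KeyError(label)
```

The seed file holds the shared secrets in the clear, so it needs the same protection as the backup the comment describes (encrypted storage, restricted permissions).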
Re: (Score:2)
Re: (Score:2)
You can always back up a TOTP seed by just screenshotting the QR code and printing it.
Re: (Score:2)
They can be backed up ...
See this comment [slashdot.org] for details.
How? (Score:2)
> Still, the biggest issue here is how this person (or multiple people) obtained the employee phone numbers
Probably in the same manner they get SIM swaps completed.
Re:How? (Score:4, Funny)
Re: (Score:2)
Or even, say, scroll the list while filming it with an HD camera. Good thing HD cameras are clunky and expensive and nobody has one. Oh, wait...
Re: (Score:2)
T-Mobile, the stupid security carrier (Score:2)
T-Mobile supports TOTP 2FA for account logins BUT doesn't allow you to disable SMS for 2FA. Every time you login it asks what 2FA method you wish to use, TOTP or SMS.
If T-Mobile really cares to stop this... (Score:2)
...they will text phish their own employees and publicize the busts. Most of the disgruntled will find a better way to make a buck rather than risk getting caught.
Re: (Score:2)
Re: If T-Mobile really cares to stop this... (Score:1)
Low offer? It's $300 per swap. You can perform easily a dozen or so per week without ever getting noticed, it is what these employees do day in and day out as people buy new phones they swap the sim on pretty much every sale and a successful sales person would hopefully sell a few per day just to make back their own salary.
An extra $3k/week or even per month is not insignificant to like 99% of the population.
Re: (Score:2)
Re: (Score:1)
That is exactly how it works, last time one of them got caught by reviewing the amount of returns they had. So they would have a stellar sales record but a higher-than-average percentage of their sales would see returns (so you buy the phone, you swap the sim, you return the phone when the deed is done).
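The return-rate review described in this comment, as an added example that is not part of the original post: per-rep return tallies over constructed point-of-sale records, with a one-sided binomial z-score against the baseline of all other reps. The record layout, rep names, threshold and minimum-sample values are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of point-of-sale records: (rep_id, sale_id, was_returned).
# Every value here is made up for illustration.
SALES = (
    [("rep_a", f"s{i}", i % 10 == 0) for i in range(100)]   # 10% returns
    + [("rep_b", f"t{i}", i % 12 == 0) for i in range(96)]  # ~8% returns
    + [("rep_c", f"u{i}", i % 3 == 0) for i in range(90)]   # ~33% returns
    + [("rep_d", f"v{i}", i < 2) for i in range(5)]         # too few sales to judge
)


def return_rates(records):
    """Per-rep (sales, returns) tallies."""
    tally = defaultdict(lambda: [0, 0])
    for rep, _sale_id, returned in records:
        tally[rep][0] += 1
        tally[rep][1] += int(returned)
    return {rep: tuple(counts) for rep, counts in tally.items()}


def flag_outliers(records, z_threshold=3.0, min_sales=30):
    """Flag reps whose return count is an unlikely excess over everyone else's
    return rate (one-sided binomial z-score). Reps below min_sales are skipped
    so a couple of returns on a handful of sales does not raise an alert."""
    rates = return_rates(records)
    total_sales = sum(s for s, _ in rates.values())
    total_returns = sum(r for _, r in rates.values())
    flagged = {}
    for rep, (sales, returns) in rates.items():
        if sales < min_sales:
            continue
        # Baseline excludes the rep under test so one heavy outlier cannot mask itself.
        others_sales = total_sales - sales
        others_returns = total_returns - returns
        p0 = others_returns / others_sales if others_sales else 0.0
        if p0 <= 0.0 or p0 >= 1.0:
            continue
        z = (returns - sales * p0) / math.sqrt(sales * p0 * (1 - p0))
        if z > z_threshold:
            flagged[rep] = round(z, 2)
    return flagged
```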
Re: (Score:2)
Re: (Score:1)
Even if they get caught, they get instantly released because this is a non-violent crime and even violent criminals are released on current no-bail policies. Literally nobody cares, if they get caught, it's one of the middle men that has pissed someone off for thousands of dollars and is easy to catch. The Mexican drug cartels are too much paperwork.
Re: (Score:2)
It's a trap... (Score:2)
When employees of a company get an offer to do something, this can be one of three things:
A "legit" offer, where one does something, gets money, and that's that. However, there tends to be no honor among thieves.
A criminal firm just logging that, and will blackmail someone who takes the offer, stating they will turn them to the workplace and LEOs unless they pay up.
Or, it could be someone working for the company who is looking for people who would say yes to the deal, to weed them out.
I remember something
Re: (Score:2)
Employee directory... "somehow" accessed (Score:4, Informative)
To get access to the employee directory, you really only need to subvert one individual who has access to that directory.
Re: (Score:2)
Right... because T-mobile is so strict about security. [theverge.com] *eye roll*
Simple deterrent (Score:2)
Web-services don't offer passkey/TOTP (Score:2)
Google Android offers PassKey and internal TOTP 2FA. Free software (andOTP, Aegis, 2FAs) provides TOTP with encrypted back-ups. Windows/Linux provides passkey/TOTP 2FA via KeePassXC and Chrome/Firefox. Considering this form of identity theft has happened over many months, it's unconscionable for businesses to use SMS as the 2FA. But most web-services don't offer passkey/TOTP; phone accounts, Facebook, BlueSky and Slashdot don't. Google and Microsoft (which attempt to be always logged-in) and Discord ar
here's a suggestion (Score:3)
...maybe we actually start treating China as an actual enemy?
Need better education (Score:2)
Re: (Score:3)
Not a valid proposal. The percentage of criminals who do a risk/reward analysis is roughly 1/(Avogadro's Number); the percentage of criminals who think there's any chance they'll be caught is similarly small.
Re: (Score:2)
Why is this a surprise ? (Score:2)
They have the access and the means so of course they're going to be targets.
Same with the wait staff at your favorite restaurant.
They get paid by organized crime to carry palm sized card scanners which allows them to obtain your credit card details after you hand it to them.
( Which is why I pay cash only when I eat out these days. I got tired of my card getting compromised. )
Now imagine a telecom who outsources many of their Network Admin jobs overseas where they can pay them pennies on the dollar.
How diffi