May 18, 2018

T-Mobile is investigating a retail store employee who allegedly made unauthorized changes to a subscriber’s account in an elaborate scheme to steal the customer’s three-letter Instagram username. The modifications, which could have let the rogue employee empty bank accounts associated with the targeted T-Mobile subscriber, were made even though the victim customer already had taken steps recommended by the mobile carrier to help minimize the risks of account takeover. Here’s what happened, and some tips on how you can protect yourself from a similar fate.

Earlier this month, KrebsOnSecurity heard from Paul Rosenzweig, a 27-year-old T-Mobile customer from Boston who had his wireless account briefly hijacked. Rosenzweig had previously adopted T-Mobile’s advice to customers about blocking mobile number port-out scams, an increasingly common scheme in which identity thieves armed with a fake ID in the name of a targeted customer show up at a retail store run by a different wireless provider and ask that the number to be transferred to the competing mobile company’s network.

So-called “port out” scams allow crooks to intercept your calls and messages while your phone goes dark. Porting a number to a new provider shuts off the phone of the original user, and forwards all calls to the new device. Once in control of the mobile number, thieves who have already stolen a target’s password(s) can request any second factor that is sent to the newly activated device, such as a one-time code sent via text message or or an automated call that reads the one-time code aloud.

In this case, however, the perpetrator didn’t try to port Rosenzweig’s phone number: Instead, the attacker called multiple T-Mobile retail stores within an hour’s drive of Rosenzweig’s home address until he succeeded in convincing a store employee to conduct what’s known as a “SIM swap.”

A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider’s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

However, thieves and other ne’er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) — effectively giving the attackers access to any text messages or phone calls that are sent to the target’s mobile account.

Rosenzweig said the first inkling he had that something wasn’t right with his phone was on the evening of May 2, 2018, when he spotted an automated email from Instagram. The message said the email address tied to the three-letter account he’d had on the social media platform for seven years — instagram.com/par — had been changed. He quickly logged in to his Instagram account, changed his password and then reverted the email on the account back to his original address.

By this time, the SIM swap conducted by the attacker had already been carried out, although Rosenzweig said he didn’t notice his phone displaying zero bars and no connection to T-Mobile at the time because he was at home and happily surfing the Web on his device using his own wireless network.

The following morning, Rosenzweig received another notice — this one from Snapchat — stating that the password for his account there (“p9r”) had been changed. He subsequently reset the Instagram password and then enabled two factor authentication on his Snapchat account.

“That was when I realized my phone had no bars,” he recalled. “My phone was dead. I couldn’t even call 611,” [the mobile short number that all major wireless providers make available to reach their customer service departments].”

It appears that the perpetrator of the SIM swap abused not only internal knowledge of T-Mobile’s systems, but also a lax password reset process at Instagram. The social network allows users to enable notifications on their mobile phone when password resets or other changes are requested on the account.

But this isn’t exactly two-factor authentication because it also lets users reset their passwords via their mobile account by requesting a password reset link to be sent to their mobile device. Thus, if someone is in control of your mobile phone account, they can reset your Instagram password (and probably a bunch of other types of accounts).

Rosenzweig said even though he was able to reset his Instagram password and restore his old email address tied to the account, the damage was already done: All of his images and other content he’d shared on Instagram over the years was still tied to his account, but the attacker had succeeded in stealing his “par” username, leaving him with a slightly less sexy “par54384321,” (apparently chosen for him at random by either Instagram or the attacker).

As I wrote in November 2015, short usernames are something of a prestige or status symbol for many youngsters, and some are willing to pay surprising sums of money for them. Known as “OG” (short for “original” and also “original gangster”) in certain circles online, these can be usernames for virtually any service, from email accounts at Webmail providers to social media services like InstagramSnapchatTwitter and Youtube.

People who traffic in OG accounts prize them because they can make the account holder appear to have been a savvy, early adopter of the service before it became popular and before all of the short usernames were taken.

Rosenzweig said a friend helped him work with T-Mobile to regain control over his account and deactivate the rogue SIM card. He said he’s grateful the attackers who hijacked his phone for a few hours didn’t try to drain bank accounts that also rely on his mobile device for authentication.

“It definitely could have been a lot worse given the access they had,” he said.

But throughout all of this ordeal, it struck Rosenzweig as odd that he never once received an email from T-Mobile stating that his SIM card had been swapped.

“I’m a software engineer and I thought I had pretty good security habits to begin with,” he said. “I never re-use passwords, and it’s hard to see what I could have done differently here. The flaw here was with T-Mobile mostly, but also with Instagram. It seems like by having the ability to change one’s [Instagram] password by email or by mobile alone negates the second factor and it becomes either/or from the attackers point of view.”

Sources close to the investigation say T-Mobile is investigating a current or former employee as the likely culprit. The mobile company also acknowledged that it does not currently send customers an email to the email address on file when SIM swaps take place. A T-Mobile spokesperson said the company was considering changing the current policy, which sends the customer a text message to alert them about the SIM swap.

“We take our customers privacy and security very seriously and we regret that this happened,” the company said in a written statement. “We notify our customers immediately when SIM changes occur, but currently we do not send those notifications via email. We are actively looking at ways to improve our processes in this area.”

In summary, when a SIM swap happens on a T-Mobile account, T-Mobile will send a text message to the phone equipped with the new SIM card. But obviously that does not help someone who is the target of a SIM swap scam.

As we can see, just taking T-Mobile’s advice to place a personal identification number (PIN) on your account to block number port out scams does nothing to flag one’s account to make it harder to conduct SIM swap scams.

Rather, T-Mobile says customers need to call in to the company’s customer support line and place a separate “SIM lock” on their account, which can only be removed if the customer shows up at a retail store with ID (or, presumably, anyone with a fake ID who also knows the target’s Social Security Number and date of birth).

I checked with the other carriers to see if they support locking the customer’s current SIM to the account on file. I suspect they do, and will update this piece when/if I hear back from them. In the meantime, it might be best just to phone up your carrier and ask.

Please note that a SIM lock on your mobile account is separate from a SIM PIN that you can set via your mobile phone’s operating system. A SIM PIN is essentially an additional layer of physical security that locks the current SIM to your device, requiring you to input a special PIN when the device is powered on in order to call, text or access your data plan on your phone. This feature can help block thieves from using your phone or accessing your data if you lose your phone, but it won’t stop thieves from physically swapping in their own SIM card.

iPhone users can follow these instructions to set or change a device’s SIM PIN. Android users can see this page. You may need to enter a carrier-specific default PIN before being able to change it. By default, the SIM PIN for all Verizon and AT&T phones is “1111;” for T-Mobile and Sprint it should default to “1234.”

Be advised, however, that if you forget your SIM PIN and enter the wrong PIN too many times, you may end up having to contact your wireless carrier to obtain a special “personal unlocking key” (PUK).

At the very least, if you haven’t already done so please take a moment to place a port block PIN on your account. This story explains exactly how to do that.

Also, consider reviewing 2fa.directory to see whether you are taking full advantage of any multi-factor authentication offerings so that your various accounts can’t be trivially hijacked if an attacker happens to guess, steal, phish or otherwise know your password.

One-time login codes produced by mobile apps such as Authy, Duo or Google Authenticator are more secure than one-time codes sent via automated phone call or text — mainly because crooks can’t steal these codes if they succeed in porting your mobile number to another service or by executing a SIM swap on your mobile account [full disclosure: Duo is an advertiser on this blog].

Update, May 19, 3:16 pm ET: Rosenzweig reports that he has now regained control over his original Instagram account name, “par.” Good on Instagram for fixing this, but it’s not clear the company has a real strong reporting process for people who find their usernames are hijacked.


64 thoughts on “T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account

  1. G.Scott H.

    @BrianKrebs

    Did you know that NIST changed their stance on deprecating SMS for 2FA use? I think this occurred about June 2016. I just found out myself. In the final publication of NIST SP 800-63-3 makes no mention of SMS except in the definitions. In NIST SP 800-63B section 5 paragraph 5.1.3.1 the use of SMS and voice for 2FA is identified as Restricted and only over PTSN, no VOIP allowed. So a carrier’s SMS app is OK since it can be tied to a device via the SIM card, but Google Voice, Facebook messenger, or other cross platform SMS services is not OK even though they are not VIOP proper. I have a suspicion that the carriers persuaded NIST to make this change. In light of the accounts of this article, carrier based SMS still does seem any more secure that non-carrier based, probably less secure. True comparison is difficult considering all the variables in implementation and differing levels of social engineering risk which all SMS options suffer.

    1. G.Scott H.

      correction: date above of approximately June 2016 was the deprecation of SMS announcement. It was about a year later in 2017 that the stance was changed to Restricted use of SMS. Restricted use requires the organization to make special consideration of known risks. It also means NIST can change their mind and state it has improved or declined in robustness.

  2. Diego Pulido

    I recently was a victim of something very similar: T-Mobile account hacked + Instagram handle stolen.

    I was @diego on Instagram, and after my account got hacked, this username was given to a famous Mexican actor called Diego Boneta.

    I wrote a Medium post explaining what happened:

    https://medium.com/@ixdiego/diegooninstagram-2d2881b3aa33

    1. BrianKrebs Post author

      Nice story, Diego. Did you ever find out whether the mobile account tied to your Instagram account may have suffered a SIM swap or port out scam? Was your phone at any point not working before, during or after the account theft?

  3. Lee

    A similar situation happened to me, except on a Verizon owned device. I detected T-Mobile carrier specific apps + a few other points of interest, which I’ll keep private for now. An easy tell, however, was that my phone had a SIM lock, which puzzled me as I never set one. Verizon informed me they do not SIM lock (tho a SIM PIN is available). Upon arrival to a retail store, the reps immediately said I had brought a locked (not paid off yet) phone from T-Mobile to Verizon. To skip ahead, the suspect T-Mobile packages were under priv-app i.e. not even a factory reset would prevent regaining control of my phone.

    The Verizon retail store thought I was hacked, but didn’t have the access necessary to move forward, and sent me to the corporate store as “they are the only ones that can help.” Luckily (or so I thought), the person who sold me the phone (a rep at the corporate store) was present. I was told, in less than 5 minutes, that it was a “lemon” phone i.e. the manufacturer shipped the phone to Verizon instead of T-Mobile – and that the phone was Verizon with T-Mobile flashed firmware, but “totally fine” and “it happens.” When I asked if he had ever seen that before, he told me “no,” but that he remembered me and that he set up the phone properly. Then he handed the phone back to me, and told me to factory reset.

    I was shocked that a “tech support corporate team” would think a reset would fix a “lemon, slipped past QA phone” because 1) Verizon wanted such a phone on their network? and 2) most tech support staff know that priv-app = runs as system i.e. a factory reset won’t wipe out an OS’ read only partition. I asked the corporate staff if they genuinely thought that was a good idea.

    The employee that sold me the phone, asked to take another look. As I eagerly watched to see what he thought, he instead breezily scrolled through the phone, turned off the bluetooth snoop log, changed the USB mode to “media” from “charge only,” put the phone on Verizon public wifi (which I specifically had disabled), started/stopped the SIM service, and said “definitely a lemon.”

    He not once walked over to a computer or showed any concern. I was shocked, and knew it was futile to argue about what he just did. When I asked “oh why did you make those changes that I set-up when I bought the device? And why go on Verizon wifi if we don’t know where the TMobile data is going?” – he replied: ” that’s a developer tool, we’re trained to turn those off” and “your data is fine, I confirmed the phone is activated to Verizon.” As a female, it’s always insulting (whether you’re a developer or not), when someone assumes, based on gender, that you shouldn’t be using features made available to any phone user. This also raised another red flag to me that social engineering was potentially used for reconnaissance to hack the phone.

    The easy route of looking into my device/account history and Verizon agent interactions was not enacted… instead the more complicated path of me asking about known vulnerabilities, and Verizon “verifying” was elected. For example, I asked, if I should be concerned about dual SIM capability, a mounted SD card (further analysis revealed Kali Linux breadcrumbs), the TMobile apps routing to non-VZW OAM servers, etc.

    I was told by the corporate agent that “phones are very safe – they never get hacked.” When I made sure to impress upon the rep that I wanted help to move forward and skip past how the non-standard packages and configs came to exist on the phone, and specifically wanted to understand, at present, how the phone was communicating, the rep said I needed to call Verizon. Exactly the opposite of what Verizon on the phone and retail said, but I digress…

    Instead of talking in circles, I then left and pulled logs, screenshots, and documentation of remote calls – in an attempt to try another angle to have corporate tech support take even a moments look into my account from a Verizon user admin account. The next rep said he wasn’t aware of a Verizon integrated messaging bug that caused remote calls. Yes, I had gone out and found a Verizon approved workaround for a bug they claimed caused remote calls. The technical support staff on the phone were not aware, and further had no information or known issues about he other “phantom” problems I encountered.

    The nightmare didn’t end there… In order to get a new device without filing an insurance claim or buying a new phone, I had the responsibility of backing up the phone without rooting it.

    I spent hours upon hours on the phone with every department imaginable at Verizon, and was told it was not their problem since the device was “obviously sent to them by mistake and slipped through QA of the manufacturer.” Everyone agreed the device had non-standard configurations and apps, and multiple reps that said I was hacked (without me soliciting the response) said they didn’t have the resources to address, and passed me off. Three times I was routed over to someone in security who could “definitely help”… only to reach exhausted technicians who said they only provided business support and weren’t sure how a B2C user was forwarded to them.

    This post is definitely more of a “long, rambling trail of tears” than a comment, but the important takeaway for all of your readers is this: If your billing statement is fine and your phone shows online, then customer service reps are frequently trained to open/close a ticket quickly and provide warranty assurance that there is no problem. I hate to say it, but if you suspect something is off, and the service provider acts like they don’t care… stop trying and file a report with your local police department / immediately ask for the procedures to cancel your contract and transfer service. It’s sad, but bad behavior seems to be rewarded quickly.

    If you’re curious why I say that, read on…

    Eventually I found a rep to act as my advocate, who told me what to say to get past a few hoops. When it was agreed that I needed a new device (a new number was not even offered), I was required to first coordinate with the manufacturer – which Verizon coordinated… by forwarding the call and then promptly dropping off. This was too bad/frustrating, as the manufacturer negated *every point* that the Tier 2/3 Verizon reps made. In general, not a single Verizon rep bothered to read any notes allegedly made in the tickets with my account or bothered to update the tickets accordingly over time.

    While the manufacturer was more pleasant/diligent in their limited analysis, they first required I work with Google Play Store before determining who was at fault for the issue. Again, the conversation that everyone set was how to pass the burden of analysis off to someone else. Unlike Verizon, the manufacturer relayed the issue to Google before passing me off – saving me the nightmare of repeating myself for the 100th time and/or trying to figure out another way of asking the right questions vs. saving my time/sanity to cut to the chase.

    After the manufacturer hung up, Google required that before looking into any issue, that the issue had to be recreated… by me, on a new phone. I had to create an entirely new Google account…. and then get back to them, and the manufacturer. At this point, any sane person would simply drop their carrier, but at this point you still have no assurance where the data is or where it went.

    One new rep finally showed empathy upon hearing that I simply wanted to enact reasonable information security practices – such as proper incident management to ensure others didn’t suffer from unreported vulnerabilities. Ironically, the rep that provided the most useful help was a retail store employee (NOT corporate).

    Situations like this is why I do not agree with SMS for 2FA. I am an advocate of a TOPS device instead.

    Te story doesn’t end there… When I went to use the new device to assess if my prior issues were local to the “lemon device” or indicative of another problem, I immediately noticed that the phone’s co-processor was compromised, bypassing encryption, and stealing my passwords…

    When I returned to Verizon to inquire if they could provide more support now that I “sufficiently demonstrated” the problem was not isolated to a “lemon device – sent to VZW instead of TM,” the rep wanted to factory reset the phone instead of investigating the number, targeted hacking, and a number of other data points. I played along, after all, I wanted their help, and after the reset *surprise* the exploited and/or unwanted configs/apps persisted! 🙂

    I can understand that reps are limited in what they can do, but shame on every corporate store employee who does not recognize that every user they lazily blow off, tears a hole in the quality and security of their service. Practicing good cyber hygiene should be as routine for corporate employees as putting on clean clothes before work everyday.

    I’ll leave it to your imagination if I tried yet another brand new device – whether Apple or Android – or if I raised the concern about physical social engineering (when I switched devices the first time, a security guard followed me quite a distance and asked details about the phone, yet they didn’t care about this) and left Verizon.

    I hope that all of the media attention recently to SS7, VPNFilter, cryptomining campaigns, and ransomware lead to a top-down culture message from all of our service providers – specifically that when a customer calls, he/she NEEDS your honest help. When reps hold back information, it only perpetuates the problem and causes others to suffer the same fate. It is also quite appalling the number of “Front line” support agents that are not armed with up-to-date information.

    I will take a “less secure” provider/device with empathetic and consistent support with a sense of urgency ANY DAY!

Comments are closed.