May 18

T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account

T-Mobile is investigating a retail store employee who allegedly made unauthorized changes to a subscriber’s account in an elaborate scheme to steal the customer’s three-letter Instagram username. The modifications, which could have let the rogue employee empty bank accounts associated with the targeted T-Mobile subscriber, were made even though the victim customer already had taken steps recommended by the mobile carrier to help minimize the risks of account takeover. Here’s what happened, and some tips on how you can protect yourself from a similar fate.

Earlier this month, KrebsOnSecurity heard from Paul Rosenzweig, a 27-year-old T-Mobile customer from Boston who had his wireless account briefly hijacked. Rosenzweig had previously adopted T-Mobile’s advice to customers about blocking mobile number port-out scams, an increasingly common scheme in which identity thieves armed with a fake ID in the name of a targeted customer show up at a retail store run by a different wireless provider and ask that the number be transferred to the competing mobile company’s network.

So-called “port out” scams allow crooks to intercept your calls and messages while your phone goes dark. Porting a number to a new provider shuts off the phone of the original user and forwards all calls to the new device. Once in control of the mobile number, thieves who have already stolen a target’s password(s) can request any second factor that is sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud.

In this case, however, the perpetrator didn’t try to port Rosenzweig’s phone number: Instead, the attacker called multiple T-Mobile retail stores within an hour’s drive of Rosenzweig’s home address until he succeeded in convincing a store employee to conduct what’s known as a “SIM swap.”

A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider’s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

However, thieves and other ne’er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) — effectively giving the attackers access to any text messages or phone calls that are sent to the target’s mobile account.

Rosenzweig said the first inkling he had that something wasn’t right with his phone was on the evening of May 2, 2018, when he spotted an automated email from Instagram. The message said the email address tied to the three-letter account he’d had on the social media platform for seven years — instagram.com/par — had been changed. He quickly logged in to his Instagram account, changed his password and then reverted the email on the account back to his original address.

By this time, the SIM swap conducted by the attacker had already been carried out, although Rosenzweig said he didn’t notice his phone displaying zero bars and no connection to T-Mobile at the time because he was at home and happily surfing the Web on his device using his own wireless network.

The following morning, Rosenzweig received another notice — this one from Snapchat — stating that the password for his account there (“p9r”) had been changed. He subsequently reset the Instagram password and then enabled two-factor authentication on his Snapchat account.

“That was when I realized my phone had no bars,” he recalled. “My phone was dead. I couldn’t even call 611” [the mobile short number that all major wireless providers make available to reach their customer service departments].

It appears that the perpetrator of the SIM swap abused not only internal knowledge of T-Mobile’s systems, but also a lax password reset process at Instagram. The social network allows users to enable notifications on their mobile phone when password resets or other changes are requested on the account.

But this isn’t exactly two-factor authentication because it also lets users reset their passwords via their mobile account by requesting a password reset link to be sent to their mobile device. Thus, if someone is in control of your mobile phone account, they can reset your Instagram password (and probably a bunch of other types of accounts).

Rosenzweig said even though he was able to reset his Instagram password and restore his old email address tied to the account, the damage was already done: All of the images and other content he’d shared on Instagram over the years were still tied to his account, but the attacker had succeeded in stealing his “par” username, leaving him with the slightly less sexy “par54384321” (apparently chosen for him at random by either Instagram or the attacker).

As I wrote in November 2015, short usernames are something of a prestige or status symbol for many youngsters, and some are willing to pay surprising sums of money for them. Known as “OG” (short for “original” and also “original gangster”) in certain circles online, these can be usernames for virtually any service, from email accounts at Webmail providers to social media services like Instagram, Snapchat, Twitter and YouTube.

People who traffic in OG accounts prize them because they can make the account holder appear to have been a savvy, early adopter of the service before it became popular and before all of the short usernames were taken.

Rosenzweig said a friend helped him work with T-Mobile to regain control over his account and deactivate the rogue SIM card. He said he’s grateful the attackers who hijacked his phone for a few hours didn’t try to drain bank accounts that also rely on his mobile device for authentication.

“It definitely could have been a lot worse given the access they had,” he said.

But throughout all of this ordeal, it struck Rosenzweig as odd that he never once received an email from T-Mobile stating that his SIM card had been swapped.

“I’m a software engineer and I thought I had pretty good security habits to begin with,” he said. “I never re-use passwords, and it’s hard to see what I could have done differently here. The flaw here was with T-Mobile mostly, but also with Instagram. It seems like by having the ability to change one’s [Instagram] password by email or by mobile alone negates the second factor and it becomes either/or from the attacker’s point of view.”

Sources close to the investigation say T-Mobile is investigating a current or former employee as the likely culprit. The mobile company also acknowledged that it does not currently send customers an email to the email address on file when SIM swaps take place. A T-Mobile spokesperson said the company was considering changing the current policy, which sends the customer a text message to alert them about the SIM swap.

“We take our customers’ privacy and security very seriously and we regret that this happened,” the company said in a written statement. “We notify our customers immediately when SIM changes occur, but currently we do not send those notifications via email. We are actively looking at ways to improve our processes in this area.”

In summary, when a SIM swap happens on a T-Mobile account, T-Mobile will send a text message to the phone equipped with the new SIM card. But obviously that does not help someone who is the target of a SIM swap scam.

As we can see, just taking T-Mobile’s advice to place a personal identification number (PIN) on your account to block number port out scams does nothing to make it harder for someone to conduct a SIM swap on that account.

Rather, T-Mobile says customers need to call in to the company’s customer support line and place a separate “SIM lock” on their account, which can only be removed if the customer shows up at a retail store with ID (or, presumably, anyone with a fake ID who also knows the target’s Social Security Number and date of birth).

I checked with the other carriers to see if they support locking the customer’s current SIM to the account on file. I suspect they do, and will update this piece when/if I hear back from them. In the meantime, it might be best just to phone up your carrier and ask.

Please note that a SIM lock on your mobile account is separate from a SIM PIN that you can set via your mobile phone’s operating system. A SIM PIN is a code enforced by the SIM card itself: the card refuses to register with the network until the PIN is entered after the device is powered on, and it asks again if the card is moved into another phone. This feature can help block thieves from using your number or your data plan if you lose your phone, but it does nothing against the attack described here, because a carrier-side SIM swap activates a brand-new SIM on the attacker’s device and never touches the card in your pocket.

iPhone users can follow these instructions to set or change a device’s SIM PIN. Android users can see this page. You may need to enter a carrier-specific default PIN before being able to change it. By default, the SIM PIN for all Verizon and AT&T phones is “1111;” for T-Mobile and Sprint it should default to “1234.”

Be advised, however, that if you forget your SIM PIN and enter the wrong PIN too many times, you may end up having to contact your wireless carrier to obtain a special “personal unlocking key” (PUK).
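The PIN and PUK behaviour described above, as an added example that is not part of the original post and not any carrier's or handset vendor's code: a model of the retry counters a SIM card keeps in its own firmware, which is why the PIN follows the card rather than the phone. The class name SimCard, the constructed PIN/PUK values, and the limits of 3 PIN tries and 10 PUK tries (the common ETSI/3GPP defaults) are assumptions of this model, not facts taken from the article.

```python
"""
Added example, not from the KrebsOnSecurity post: a model of the SIM-card PIN
and PUK retry counters. On a real SIM these counters live in the card's own
firmware, so the PIN travels with the card, not the handset. The limits used
here (3 PIN tries, 10 PUK tries) are the common ETSI/3GPP defaults and are an
assumption about any particular card.
"""
import hmac

PIN_TRIES = 3    # assumption: common default for PIN1
PUK_TRIES = 10   # assumption: common default for PUK1


class SimCard:
    """A SIM's PIN/PUK state machine. The card, not the phone, enforces it."""

    def __init__(self, pin: str, puk: str):
        self._pin, self._puk = pin, puk
        self.pin_left, self.puk_left = PIN_TRIES, PUK_TRIES
        self._verified = False

    @property
    def state(self) -> str:
        if self.puk_left == 0:
            return "permanently_blocked"   # card is dead; the carrier must issue a new SIM
        if self.pin_left == 0:
            return "puk_required"          # too many wrong PINs; the carrier's PUK is needed
        return "ready" if self._verified else "pin_required"

    def power_on(self) -> str:
        """A power cycle, or moving the card to another phone, drops the verified state."""
        self._verified = False
        return self.state

    def enter_pin(self, pin: str) -> str:
        if self.state != "pin_required":
            return self.state
        if hmac.compare_digest(pin, self._pin):
            self.pin_left, self._verified = PIN_TRIES, True   # success resets the counter
        else:
            self.pin_left -= 1
        return self.state

    def enter_puk(self, puk: str, new_pin: str) -> str:
        """Unblock with the PUK and set a new PIN; a wrong PUK burns one PUK try."""
        if self.state != "puk_required":
            return self.state
        if hmac.compare_digest(puk, self._puk):
            self._pin = new_pin
            self.pin_left, self.puk_left, self._verified = PIN_TRIES, PUK_TRIES, True
        else:
            self.puk_left -= 1
        return self.state


def demo() -> list:
    """Constructed walk-through: three wrong PINs, lockout, then recovery via PUK."""
    card = SimCard(pin="1234", puk="12345678")         # constructed values, not real ones
    trace = [card.power_on()]                          # pin_required
    trace += [card.enter_pin(p) for p in ("0000", "1111", "9999")]   # three misses
    trace.append(card.enter_pin("1234"))               # correct PIN is ignored once blocked
    trace.append(card.enter_puk("00000000", "4321"))   # wrong PUK burns a try
    trace.append(card.enter_puk("12345678", "4321"))   # right PUK, new PIN set
    trace.append(card.power_on())                      # card moved to a new phone: PIN asked again
    trace.append(card.enter_pin("4321"))
    return trace


if __name__ == "__main__":
    print(demo())
```

The trace shows the two states a user actually runs into: `puk_required` after the third wrong PIN, where even the correct PIN no longer helps, and `permanently_blocked` once the PUK tries are exhausted, at which point only a replacement SIM from the carrier will do.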

At the very least, if you haven’t already done so please take a moment to place a port block PIN on your account. This story explains exactly how to do that.

Also, consider reviewing twofactorauth.org to see whether you are taking full advantage of any multi-factor authentication offerings so that your various accounts can’t be trivially hijacked if an attacker happens to guess, steal, phish or otherwise know your password.

One-time login codes produced by mobile apps such as Authy, Duo or Google Authenticator are more secure than one-time codes sent via automated phone call or text — mainly because crooks can’t steal these codes if they succeed in porting your mobile number to another service or by executing a SIM swap on your mobile account [full disclosure: Duo is an advertiser on this blog].
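The reasoning above, and the password-reset problem described earlier (a reset link or code sent by SMS is routed exactly like a login code), in code: this is an added example that is not part of the original post and not any carrier's or service's own code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library and models a carrier-side SIM swap to show which second factor the attacker can pass. Carrier, Service, sim_swap, the phone numbers and the inboxes are a constructed toy model, not any real API; the secret is the RFC test-vector key.

```python
"""
Added example, not code from the KrebsOnSecurity post or from any carrier or
service named in it: why an SMS one-time code falls to a carrier-side SIM
swap while a TOTP code from an authenticator app does not. HOTP (RFC 4226)
and TOTP (RFC 6238) use only the standard library; the secret is the RFC
test-vector key. Carrier, Service and sim_swap are illustrative names.
"""
import hashlib
import hmac
import secrets
import struct

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test key
RFC_TEST_TIME = 59                          # RFC 6238 test time; 6-digit code 287082


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, unix_time: int, candidate: str, skew: int = 1) -> bool:
    """Accept the current code or one within +/- `skew` steps to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * 30), candidate)
        for d in range(-skew, skew + 1)
    )


class Carrier:
    """Toy carrier: each number is bound to whichever party's SIM is active."""

    def __init__(self):
        self.holder = {}   # phone number -> party whose SIM currently carries it
        self.inbox = {}    # party -> SMS texts delivered to that party's device

    def activate(self, number: str, party: str) -> None:
        self.holder[number] = party
        self.inbox.setdefault(party, [])

    def sim_swap(self, number: str, new_party: str) -> None:
        """The store-side change abused in the article: the number moves to a new
        SIM. The old SIM simply goes dark; the victim's handset is never touched."""
        self.activate(number, new_party)

    def deliver_sms(self, number: str, text: str) -> None:
        self.inbox[self.holder[number]].append(text)


class Service:
    """A web service offering an SMS code or a TOTP code as its second factor."""

    def __init__(self, carrier: Carrier, phone: str, totp_secret: bytes):
        self.carrier, self.phone, self.totp_secret = carrier, phone, totp_secret
        self.pending_sms = None

    def send_sms_code(self) -> None:
        self.pending_sms = f"{secrets.randbelow(10 ** 6):06d}"
        self.carrier.deliver_sms(self.phone, f"Your login code is {self.pending_sms}")

    def check_sms_code(self, code: str) -> bool:
        return self.pending_sms is not None and hmac.compare_digest(code, self.pending_sms)

    def check_totp_code(self, code: str, now: int) -> bool:
        return verify_totp(self.totp_secret, now, code)


def simulate(now: int = RFC_TEST_TIME) -> dict:
    """Replay the attack: swap the victim's number, then try each second factor."""
    carrier = Carrier()
    carrier.activate("+15550100", "victim")      # constructed numbers
    carrier.activate("+15550199", "attacker")
    service = Service(carrier, "+15550100", RFC_TEST_SECRET)

    carrier.sim_swap("+15550100", "attacker")    # victim's phone now shows no bars

    # SMS factor: the carrier routes the code to whoever holds the number now.
    service.send_sms_code()
    stolen_code = carrier.inbox["attacker"][-1].rsplit(" ", 1)[-1]

    # TOTP factor: the attacker holds the number but not the app's secret, so the
    # best available move is a guess; the victim's app computes the real code.
    return {
        "victim_still_holds_number": carrier.holder["+15550100"] == "victim",
        "sms_passed_by_attacker": service.check_sms_code(stolen_code),
        "totp_passed_by_attacker": service.check_totp_code("000000", now),
        "totp_passed_by_victim": service.check_totp_code(totp(RFC_TEST_SECRET, now), now),
    }


if __name__ == "__main__":
    print(simulate())
```

Running it shows the SMS factor passing for the attacker and the TOTP factor failing: the SMS code has to transit the carrier, which is exactly the party the attacker has subverted, whereas the TOTP code is computed from a secret that never leaves the victim's device. The same routing applies to an SMS password-reset link, which is why control of the number alone defeats the "either/or" reset flow described above.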

Update, May 19, 3:16 pm ET: Rosenzweig reports that he has now regained control over his original Instagram account name, “par.” Good on Instagram for fixing this, but it’s not clear the company has a really strong reporting process for people who find their usernames are hijacked.


64 comments

  1. Unfortunately this doesn’t surprise me, I have seen a lot in the 11 years I have worked stopping fraud. I am curious if the guy mentioned if he got “par” back? T-Mobile also needs to make an example of this employee and make sure this kind of misuse doesn’t happen again. I hope to hear more from you Brian about this employee and hopefully there will be some legal retribution.

    • No, and I think he’s even messaged Instagram about this several times to no avail.

      • I think he got it back. Google search for @par instagram handle results in Paul Rosenzweig (@par) Instagram account.

        https://www.instagram.com/par/?hl=en

      • And he probably won’t be getting it back. This is one of the catches of free services such as Instagram, Facebook, Gmail, etc. Because they provide the services gratis they, legally, don’t owe you anything. However, if you paid for the service, that is a whole other story legally. Take the example of a registered trade name, trade mark, or domain name registration. There is much more control over that sort of property, and because it is a paid service, more responsibility towards the customer by the service provider. For the most part…

        • He seems to have got it back. The ‘par’ account on Instagram now refers to Paul Rosenzweig, and the ‘par54384321’ one appears to no longer exist. Probably only because of the exposure generated by this post, but then that is often also the case with many paid services, not just with free ones, since most people will not sue a company to enforce their rights.

        • Bad PR will cause even companies that offer free services to give in to any demands

      • My Instagram account that had more than 40,000 followers was stolen because a T-Mobile employee on the other side of the country did a SIM switch. The Instagram username was Muslim.

  2. The Sunshine State

    Krebs is the Internet Security O.G.

  3. At this time Rosenzweig is using the IG account par54384321. The OG ‘par’ account is set to private with only 13 followers and the bio “partrick kirby wearing crocs”. Seems like an awful lot of effort.

  4. Robert.Walter

    I didn’t reread it but I think the SIM PIN main raison de l’existence, is to lock the card to a code on the card, so that just swapping it into a different device is not enough to use it. Far as I know SIM PIN does not lock to a device.

    Also, I was wondering how the TMo employee became aware of the victim’s IG and SC handles; it would seem like more than a trivial thing to do. Was the device out of the possession of PR for a bit when unlocked? There is more to protect against here.

  5. I have no 2FA on Instagram. Just a random 20 character unique password. This is more secure than adding a phone number (in the case of Instagram). This is because for a password reset you only need one factor. This factor could be the phone number.

    In addition to this security nightmare, Instagram doesn’t let you recover your account, so I guess, par is lost.

    • This is NOT more secure than 2fa. No matter how secure and long your password is it can be leaked in a security breach of the server it is stored on. Most hacked passwords are obtained this way these days unless a hacker has a specific reason to target your account. The right move would be to pressure companies to use an authentication app like google authenticator or authy rather than SMS. In that case the hacker would need your actual phone, not your phone number.

      • “The right move would be to pressure companies to use an authentication app like google authenticator or authy rather than SMS.”

        Well great, then that leaves the millions of people like me who lack smartphones with nothing.

        • Or… you could pick up a cheap used older one, and use it wifi only so no monthly charge

        • It can work on PC or MAC using an emulator software, but of course that defeats the purpose a bit.

  6. Troy Frericks

    This is ammunition to support the concept that SMS is not ‘something you have’.

    Although better than nothing, we have to stop thinking that ‘something you know’ and SMS is Two Factor Authentication… and continue the quest for the adaption of genuine 2FA.

    Troy.

    • While I completely agree, it must be said that the net impact of SMS ‘2FA’ on hacking/fraud has still been enormous and it’s still worth taking up if there is no other 2FA available.

  7. Part of the blame goes to cloudy-services which mandate a phone number before allowing any 2FA use.
    I have multiple U2F devices and TOTP/HOTP devices available, but I won’t give out a phone number to any free cloudy service. That means no 2FA for me.

    • I use Sideline to give a software-defined second phone number to my phone and THAT’S what’s given out to peeps like that insist on a number.

  8. Where does this leave users of Ting, which ostensibly uses T-Mobile but also switches seamlessly to AT&T depending on signal strength?

    • Ting? Ting only uses T-Mo, as far as I know from having been told by their reps. But even if they use AT&T too, the SIMs are Ting SIMs, not T-Mo SIMs.

      My postpaid phones (personal and company phones) are VZW but I also have an old AT&T phone that I activated on a Ting account, running on a Ting SIM.

    • After you initially set up gmail 2-step verification with your mobile number, you can add the Google Authenticator, printed backup codes and/or a USB YubiKey key, after which you can delete your phone number from the config. But you better have 2 out of the 3 non-phone methods, configured so you won’t lock yourself out later.

      Without a phone number in your gmail 2-step config, the gmail login choice “try another method” or thereabouts will display only the methods you’ve configured, so your phone number (only the last 2 digits, actually) won’t be on the list since it’s no longer part of the configuration.

      I recommend keeping only these methods after you configure gmail 2-step: Google Authenticator, YubiKey and paper backup code (stored in safe).

      When you configure a new phone, the Google Authenticator must be reconfigured (iPhones used to sometimes restore the configured Google Authenticator from encrypted backups in iTunes but sadly hasn’t worked for me for several months). This means you might need your old phone to access its Google Authenticator in order to use gmail’s “Change Phone” feature in the 2-step Google Authenticator config area. BUT if your old phone is damaged, lost or stolen, this won’t work; ergo, you’ll need to use a paper backup code or USB YubiKey to log into the security config area of gmail then use the “Change Phone” feature in the Google Authenticator area. But you won’t need this if you have access to a browser in which you previously specified “trust this device” (or equivalent) when logging in with password+2-step code; in such a case you’ll only be prompted for your gmail password when accessing the security configuration area that includes 2-step configuration, making setting Goog Authenticator on a new phone simple.

      I’ve dealt with this on hundreds of devices.

      NOTE: Protonmail didn’t offer 2-step verification when it first came out but does now.

      BEST PRACTICE (so far, anyway) with 2-step: If a site lets you remove your mobile phone from the 2-step process after the initial config, do it, e.g., gmail. Some sites let you configure your login prompt with only Google Authenticator without an option to present your phone number even if it’s still present in your account settings — not ideal but better than prompting options that include your phone number (some sites with 2-step let you reset the password using your phone number through different screens, e.g., DashLane’s lost phone option).

      Multiple 2-step options are important so you can delete your phone number from the 2-step config and still have a way to access your account when one of the methods is unavailable.

      • correction to my long post:

        I’ve only used DashLane’s obscure Lost Phone page to send a text to a phone in order to disable 2-step temporarily in order to reconfigure Google Authenticator; I haven’t used it to reset the password. Also, DashLane offers two alternative 2-step products beside Goog Authenticator but you can only choose one of them.

  9. Grey Peterson

    All this effort for a username. Risking possible jail-time for a username. I just don’t get people sometimes.

  10. I just called T-Mobile support and they told me there was no way they could establish a SIM lock for me. They also told me that if a SIM swap was requested the person making the request would need to verify their identity and know the service PIN on the account. I was told the service PIN requirement was added recently for SIM swaps.

  11. Why is it that companies up their security after these kinds of problems happen? This is not 1995 anymore. Better security should be baked into these applications from the start.

    On the other hand, I find it unfortunate that peoples’ happiness is chained to their username of some stupid website. How shallow.

  12. What actual laws have been broken? Is this fraud at an FBI level of interest?

  13. Unfortunately some services (looking at you, Twitter) either don’t let you use another 2FA option than SMS, or they require SMS 2FA in order to enable a secondary 2FA option that’s not SMS (so the SMS 2FA option, while not default, is still there). IIRC Facebook used to do the latter, but I don’t think they do anymore.

    A good solution to avoid SMS 2FA hijacks is to get a Google Voice number, and use that for 2FA for services that require SMS. That number is tied to your Google account, and that’s much harder to hijack and port out. I also use mine for apps like Whatsapp, which only require a phone number (the password to protect the account is optional and I don’t think many people use it), although some messaging apps have started to block VoIP numbers like GV. Nevertheless, use it where it works.

  14. Also, I have a question about this incident. Instagram’s and Snapchat’s SMS password reset text is completely dumb and insecure, but do banks also do that (since he mentioned he could have had his bank accounts drained)? Man, we’re in worse shape than I’d thought.

    Again, a GV number would seem like a good workaround for the idiotic security practices of these companies and apps.

    • I’d call it a security issue if a bank did password reset purely based on OTP from a 2FA method (such as SMS only). Please keep in mind that banks usually have got many more factors to verify if you are who you say you are (like for example your PIN card number, personal details, etc.). Moreover the username which you use to log in to your online banking is not (usually) publicly displayed as your login on social media.
      + don’t forget that banks implement algorithms to detect suspicious transactions and block them. Password reset just before full account drain seems a little suspicious to me. The likelihood of this attack scenario is less possible if we’re talking about online banking.

  15. The location services mentioned in a previous article is the likely reason the thief didn’t try to drain the bank accounts. Just . . . accept your location via device and car are known, and it can serve good purposes, such as prevent fraud.

    The stealing of the username can be reported to the fbi, I believe, as impersonation.

  16. About 2 months ago I was driving and texting as usual when I received a message saying, “welcome to Simple Mobile, your service will expire in 1 month”. I was like what the heck is a Simple Mobile and proceeded to call T-Mobile and had no service, I couldn’t even call 911, my phone was completely shut off. Luckily I was near a T-Mobile store, it took about an hour to get my number back. I’ve had this T-Mobile number for almost 11 years. Long story even longer LOL, it can happen to anyone so take the extra precautions to secure your accounts

    • Driving and texting as usual. Really?

      • Maybe he’s a policeman, so it’s legal for him?

      • Maybe he’s a policeman, so it’s legal for him.

        Or maybe he just understands that it’s often no more dangerous than looking for a new CD, or eating a cheeseburger, or a bunch of other things we all do in our car every day.

  17. Sim swap is old thing.
    Nothing new about it.
    We all remember SIM swaps were so huge in the UK back in the days

  18. “We take our customers privacy and security very seriously …”

    Can we all agree that any spokesperson who says this should be publicly flogged?

  19. Paul Rosenzweig

    Update: The account was restored!

    I think largely thanks to this article, Instagram has restored my account.

  20. Project Fi, Google’s carrier, makes you sign into your Google account so they would have to deal with that 2fa also.

  21. I would recommend Verizon as a new carrier, they are the hardest to SIM in the game rn as I have been told by a few of my friends, or go to Project Fi but it’s very pricey, like $200 a month. I’d recommend Verizon as a business which gives you extra protection as well

  22. Jakob Engblom

    The pin for the sim is mandatory I thought? it is there to authorize that you are the owner of the sim card. Every one I have ever got come with a pin and puk printed on the envelope. Guess it is intended to prevent people stealing your mobile subscription. It is a good thing to have, even if it means having two passwords/codes to enter on each phone restart

    As usual the US seems to do things in an odd way not consistent with the rest of the world.

  23. “Rather, T-Mobile says customers need to call in to the company’s customer support line and place a separate “SIM lock” on their account, which can only be removed if the customer shows up at a retail store with ID”

    What are the magic words to get T-Mobile to place this account “SIM lock?” They seem to be clueless, partly because the term “sim lock” is often used to describe phones which are locked to a particular carrier.

  24. So we need a port-out PIN, and a SIM lock PIN, and a SIM swap PIN? How many other PINs do we need?

    T-Mobile says this an industry wide problem, but almost all the reports seem to point to T-Mobile and not to other members of this industry.

    After T-Mobile sent me an SMS about this “industry wide” problem and encouraged me to set up the port-out PIN, I called their customer service to do that (via 611). The rep had no idea what a port-out PIN was. Another rep also had no idea what it was. The third rep set one up to be a random 6 digit number I provided. But a couple months later I ported my number to ATT, and the so-called port-out pin I set was not needed to do it.

    T-Mobile seems to be defective in both competence and integrity.

  25. I know I may have mentioned this before but why don’t these applications take into account an user’s IMSI, SIM or even IMSI?

    Once an application is installed on the user’s device and they log in for the 1st time, the application passes either or all of the details to the server. From that point the application will pass these details as part of its communication. Should someone perform a SIM swap, these credentials will change and the next time someone tries to log onto that account they will be rejected and prompted for a password etc.

    I am aware that some mobile SP’s already use this.

  26. I swap my sim cards daily to utilize unlimited tethering from a rooted phone on an MSP that blocks all forms of tethering on non-jailbroken iPhones. I wonder what will change with my routine if my MSP follow suit

  27. I don’t think anybody has mentioned this yet.

    The key to phone security may be to **never use your real mobile phone numbers**.

    There are many viable VOIP services/apps that let us reliably call from iOS or Android. These apps use totally different phone numbers.

    Most services I use can successfully send an SMS to the VOIP number, but some companies use a “short format” of SMS, and my VOIP providers aren’t able yet to receive the short format SMS.

    This way, if you keep your SIM-card mobile number a secret and only use the VOIP numbers, effectively the port-out attack service is removed.

    The single-point-of-failure is then the mobile phone provider. If you purchase the phone with cash, and use an alias name, it would take someone with resources to find the IMSI of the phone you carry.

    I don’t think the code to implement a “Google Authenticator” style of 2FA. And NIST deprecated SMS 2FA some years ago. Companies who continue to use SMS for authentication really are making a half-hearted attempt to do security.

  28. I just called T-Mobile and asked them to enable “SIM lock” on my account and they had no idea what it was. Is there more information about how to enable it?
    Thank you.

  29. Ditto to what the last commenter said. I called T-Mobile and they have no clue about this. They said SIM passcode on my account is all they can do for me.