August 7, 2019

Incessantly annoying and fraudulent robocalls. Corrupt wireless company employees taking hundreds of thousands of dollars in bribes to unlock and hijack mobile phone service. Wireless providers selling real-time customer location data, despite repeated promises to the contrary. A noticeable uptick in SIM-swapping attacks that lead to multi-million dollar cyberheists.

If you are somehow under the impression that you — the customer — are in control over the security, privacy and integrity of your mobile phone service, think again. And you’d be forgiven if you assumed the major wireless carriers or federal regulators had their hands firmly on the wheel.

No, a series of recent court cases and unfortunate developments highlight the sad reality that the wireless industry today has all but ceded control over this vital national resource to cybercriminals, scammers, corrupt employees and plain old corporate greed.

On Tuesday, Google announced that an unceasing deluge of automated robocalls had doomed a feature of its Google Voice service that sends transcripts of voicemails via text message.

Google said “certain carriers” are blocking the delivery of these messages because all too often the transcripts resulted from unsolicited robocalls, and that as a result the feature would be discontinued by Aug. 9. This is especially rich given that one big reason people use Google Voice in the first place is to screen unwanted communications from robocalls, mainly because the major wireless carriers have shown themselves incapable or else unwilling to do much to stem the tide of robocalls targeting their customers.

AT&T in particular has had a rough month. In July, the Electronic Frontier Foundation (EFF) filed a class action lawsuit on behalf of AT&T customers in California to stop the telecom giant and two data location aggregators from allowing numerous entities — including bounty hunters, car dealerships, landlords and stalkers — to access wireless customers’ real-time locations without authorization.

And on Monday, the U.S. Justice Department revealed that a Pakistani man was arrested and extradited to the United States to face charges of bribing numerous AT&T call-center employees to install malicious software and unauthorized hardware as part of a scheme to fraudulently unlock cell phones.

Ars Technica reports the scam resulted in millions of phones being removed from AT&T service and/or payment plans, and that the accused allegedly paid insiders hundreds of thousands of dollars to assist in the process.

We should all probably be thankful that the defendant in this case wasn’t using his considerable access to aid criminals who specialize in conducting unauthorized SIM swaps, an extraordinarily invasive form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Late last month, a federal judge in New York rejected a request by AT&T to dismiss a $224 million lawsuit over a SIM-swapping incident that led to $24 million in stolen cryptocurrency.

The defendant in that case, 21-year-old Manhattan resident Nicholas Truglia, is alleged to have stolen more than $80 million from victims of SIM swapping, but he is only one of many individuals involved in this incredibly easy, increasingly common and lucrative scheme. The plaintiff in that case alleges that he was SIM-swapped on two different occasions, both allegedly involving crooked or else clueless employees at AT&T wireless stores.

And let’s not forget about all the times various hackers figured out ways to remotely use a carrier’s own internal systems for looking up personal and account information on wireless subscribers.

So what the fresh hell is going on here? And is there any hope that lawmakers or regulators will do anything about these persistent problems? Gigi Sohn, a distinguished fellow at the Georgetown Institute for Technology Law and Policy, said the answer — at least in this administration — is probably a big “no.”

“The takeaway here is the complete and total abdication of any oversight of the mobile wireless industry,” Sohn told KrebsOnSecurity. “Our enforcement agencies aren’t doing anything on these topics right now, and we have a complete and total breakdown of oversight of these incredibly powerful and important companies.”

Aaron Mackey, a staff attorney at the EFF, said that on the location data-sharing issue, federal law already bars the wireless carriers from sharing this with third parties without the expressed consent of consumers.

“What we’ve seen is the Federal Communications Commission (FCC) is well aware of this ongoing behavior about location data sales,” Mackey said. “The FCC has said it’s under investigation, but there has been no public action taken yet and this has been going on for more than a year. The major wireless carriers are not only violating federal law, but they’re also putting people in harm’s way. There are countless stories of folks being able to pretend to be law enforcement and gaining access to information they can use to assault and harass people based on the carriers making location data available to a host of third parties.”

On the issue of illegal SIM swaps, Wired recently ran a column pointing to a solution that many carriers in Africa have implemented which makes it much more difficult for SIM swap thieves to ply their craft.

“The carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer,” wrote Wired’s Andy Greenberg in April. “If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked. Because SIM swap victims can typically see within minutes that their phone has been disabled, that window of time let them report the crime before fraudsters could take advantage.”
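As an added illustration (not code from this article, from Wired, or from any carrier), the Python below models the bank-side gate Greenberg describes: before releasing a transfer, ask for the subscriber’s recent SIM-change history and hold the payment if a swap or number port happened inside a cooling-off window. The carrier query function, the event record format and the sample records are all assumptions constructed for the example; it also fails closed when the carrier lookup errors out, which the column does not spell out.

```python
"""Bank-side transfer gate modelled on the carrier/bank SIM-swap check.

Assumed, not from the article: the shape of the carrier query (a callable
returning event records), the record fields, and the constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Events that move a number to a new SIM or a new carrier. A port-out has the
# same effect on where one-time codes land as a SIM swap, so both are counted.
SIM_CHANGE_KINDS = {"sim_swap", "port_out", "port_in"}


@dataclass(frozen=True)
class NumberEvent:
    msisdn: str      # subscriber number in E.164 form
    kind: str        # e.g. "sim_swap", "port_out", "plan_change"
    at: datetime     # when the carrier recorded it (timezone-aware)


class CarrierLookupError(Exception):
    """Raised when the (assumed) carrier query fails or times out."""


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    last_change: Optional[datetime] = None


def last_sim_change(msisdn: str, events: List[NumberEvent], now: datetime) -> Optional[datetime]:
    """Most recent SIM-affecting event for the number, ignoring unrelated records.
    A future-dated record (clock skew between carrier and bank) is treated as
    having happened just now rather than being silently discarded."""
    latest = None
    for ev in events:
        if ev.msisdn != msisdn or ev.kind not in SIM_CHANGE_KINDS:
            continue
        at = min(ev.at, now)
        if latest is None or at > latest:
            latest = at
    return latest


def transfer_decision(msisdn: str, now: datetime,
                      lookup: Callable[[str], List[NumberEvent]],
                      window: timedelta = timedelta(days=3)) -> Decision:
    """Allow the transfer only if no SIM change fell inside the window."""
    try:
        events = lookup(msisdn)
    except CarrierLookupError as exc:
        # Fail closed: an unanswered query is not a clean bill of health.
        return Decision(False, f"carrier lookup failed ({exc}); hold for review")
    changed = last_sim_change(msisdn, events, now)
    if changed is None:
        return Decision(True, "no SIM change on record")
    age = now - changed
    if age < window:
        return Decision(False, f"SIM changed {age} ago, inside {window} window", changed)
    return Decision(True, f"last SIM change {age} ago, outside window", changed)


# Constructed sample carrier records (not real subscribers).
NOW = datetime(2019, 8, 7, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    NumberEvent("+15550100001", "sim_swap", NOW - timedelta(hours=5)),
    NumberEvent("+15550100002", "sim_swap", NOW - timedelta(days=10)),
    NumberEvent("+15550100002", "plan_change", NOW - timedelta(hours=1)),
    NumberEvent("+15550100003", "port_out", NOW + timedelta(minutes=2)),
]


def sample_lookup(msisdn: str) -> List[NumberEvent]:
    """Stand-in for the carrier query; "+15550100009" simulates an outage."""
    if msisdn == "+15550100009":
        raise CarrierLookupError("timeout")
    return [e for e in SAMPLE_EVENTS if e.msisdn == msisdn]


if __name__ == "__main__":
    for number in ("+15550100001", "+15550100002", "+15550100003",
                   "+15550100004", "+15550100009"):
        d = transfer_decision(number, NOW, sample_lookup)
        print(number, "ALLOW" if d.allowed else "HOLD", "-", d.reason)
```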

For its part, AT&T says it is now offering a solution to help diminish the fallout from unauthorized SIM swaps, and that the company is planning on publishing a consumer blog on this soon. Here are some excerpts from what they sent on that front:

“Our AT&T Authentication and Verification Service, or AAVS. AAVS offers a new method to help businesses determine that you are, in fact, you,” AT&T said in a statement. “This is how it works. If a business or company builds the AAVS capability into its website or mobile app, it can automatically connect with us when you attempt to log in. Through that connection, the number and the phone are matched to confirm the log-in. If it detects something fishy, like the SIM card not in the right device, the transaction won’t go through without further authorization.”

“It’s like an automatic background check on your phone’s history, but with no personal information changing hands, and it all happens in a flash without you knowing. Think about how you do business with companies on your mobile device now. You typically log into an online account or a mobile app using a password or fingerprint. Some tasks might require you to receive a PIN from your institution for additional security, but once you have access, you complete your transactions. With AAVS, the process is more secure, and nothing changes for you. By creating an additional layer of security without adding any steps for the consumer, we can take larger strides in helping businesses and their customers better protect their data and prevent fraud. Even if it is designed to go unnoticed, we want you to know that extra layer of protection exists. In fact, we’re offering it to dozens of financial institutions.”

“We are working with several leading banks to roll out this service to protect their customers accessing online accounts and mobile apps in the coming months, with more to follow. By directly working with those banks, we can help to better protect your information.”

In terms of combating the deluge of robocalls, Sohn says we already have a workable approach to arresting these nuisance calls: It’s an authentication procedure known as “SHAKEN/STIR,” and it is premised on the idea that every phone has a certificate of authenticity attached to it that can be used to validate if the call is indeed originating from the number it appears to be calling from.

Under a SHAKEN/STIR regime, anyone who is spoofing their number (and most of these robocalls are spoofed to appear as though they come from a number that is in the same prefix as yours) gets automatically blocked.

“The FCC could make the carriers provide robocall apps for free to customers, but they’re not,” Sohn said. “The carriers instead are turning around and charging customers extra for this service. There was a fairly strong anti-robocalls bill that passed the House, but it’s now stuck in the legislative graveyard that is the Senate.”

AT&T said it and the other major carriers in the US are adopting SHAKEN/STIR and do not plan to charge for it. The company said it is working on building this feature into its Call Protect app, which is free and is meant to help customers block unwanted calls.

What about the prospects of any kind of major overhaul to the privacy laws in this country that might give consumers more say over who can access their private data and what recourse they may have when companies entrusted with that information screw up?

Sohn said there are few signs that anyone in Congress is seriously championing consumer privacy as a major legislative issue. Most of the nascent efforts to bring U.S. privacy laws into the 21st century, she said, are interminably bogged down on two sticky issues: federal preemption of stronger state laws, and the ability of consumers to bring a private right of civil action in the courts against companies that violate those provisions.

“It’s way past time we had a federal privacy bill,” Sohn said. “Companies like Facebook and others are practically begging for some type of regulatory framework on consumer privacy, yet this congress can’t manage to put something together. To me it’s incredible we don’t even have a discussion draft yet. There’s not even a bill that’s being discussed and debated. That is really pitiful, and the closer we get to elections, the less likely it becomes because nobody wants to do anything that upsets their corporate contributions. And, frankly, that’s shameful.”

Update, Aug. 8, 2:05 p.m. ET: Added statements and responses from AT&T.

99 thoughts on “Who Owns Your Wireless Service? Crooks Do.”

  1. Eric

    If it were not for the fact that far too many sites were using SMS as a cheap way to implement 2FA, the SIM swap thing wouldn’t be a problem.

    The flip side of this is that the vast majority of people are lazy and don’t want to purchase a real key. Using SMS as 2FA caters to these people as well.

      1. Trwk

        Non-SMS keys include the widely used Google Authenticator app on a smart phone, a USB Yubi Key you plug into your computer then push its button, Symantec’s VIP Access smart phone app (not that great, really), the Google smartphone app itself for some authentication (ill-advised, though, since it itself is a mad tracking app), paper backup codes (print 10 one-time codes then reprint), a land line non-text voice call (can’t be SIM-card attacked), a physical RSA key (has a little LCD screen on it displaying pseudo-random synced short-term codes).

        BUT if you use any of these you still need to remove your phone number from accounts as a 2FA backup method.

        1. Bob Brown

          Yup. I’ve been carrying a YubiKey on my key-ring for nearly a decade and use it any place that’s equipped for it, including my password manager program. Sadly, my Big Regional Bank does not know about two-factor authentication.

            1. Virr

That is an empty threat.
When I last looked I could not find a bank with a local branch in my city (or a reasonable drive) that supports two-factor other than SMS text messages.

              1. Wastrel

                My credit union uses 2-factor authentication for online banking.

              2. Joe

                There are fewer and fewer reasons to restrict yourself to needing a “local branch”.

        2. Moike

          The weakness of keys is how to replace a lost key, such as a house fire that destroys all keys, so the app is very important as a fallback as you note instead of SMS.

          1. Joe

            Yubikey secrets can be backed up offline. Store in safety deposit box at bank. Or perhaps a good fire proof safe.

            1. Virr

              Only for secrets generated off the key and loaded onto it.
              If you generate the PGP on the yubikey, or use it for U2F/FIDO2, no backup possible.

              My solution has been a second Yubikey stored securely in addition to one on my key ring.

              (an event to destroy both at the same time probably means I’m not going to care anyway)

              1. Joe

Challenge Response secrets and OTP from Yubikey can be backed up. Just back up the key when you first generate it; it’ll save a lot of headache.

              1. Joe

Geez, that is horrible. Yeah, safety deposit boxes for hardware tokens aren’t worth the rent. It is just an option if you’ve already got one for other reasons.

          2. Eric

            That indeed is an interesting problem.

            For my password safe, I can configure multiple Yubikey to open the safe. For FIDO, that doesn’t work – you effectively need to register a 2nd key.

            At the end of the day, there does need to be a recovery procedure for people that have lost all of their keys. For a local bank they can simply have you show up with ID of some sort. But for some place that only has an online presence, that’s problematic. That’s how we end up with these idiotic knowledge based questions (“what is the make and model of your first pet”). I don’t answer those things truthfully either – I make up something with each of them, and store the questions/answers in the password database.

        3. Christoph

          Unfortunately, none of the time-based OTP methods you list really tie the 2FA to the message being authenticated.
          So if you authorize a 10 or a 100 Dollar payment, the OTP code will be the same.

          1. Joe

            That might be a concern for MITM… where the attacker can already change the message on the fly.

            But OTP is used for authentication of the session, not the individual actions within the session. MITM needs to be mitigated separately through certificate pinning and other methods. That is what ensures each request within the session is checked for integrity.

            Some banks at least would allow the customer to set dollar limits that trigger alerts.

    1. Tom

Banks use SMS as 2FA without any consent from the wireless carriers. If the bank authenticates a customer for a wire transfer with SSN and the carrier authenticates a customer for a SIM change, it isn’t even 2FA; it’s one factor done twice at two different locations.

      And the idea that the phone company should be held responsible for a customer keeping $25 million in Bitcoin accessible via his wireless account is beyond stupid.

      1. SkunkWerks

        I dunno about “beyond stupid”.

The banks are at fault for using SMS the way they are, but to be fair there’s plenty of other companies that have adopted this standard as well.

        This is in some senses no different from the broad adoption of KBA as a security standard that we’ve seen over the past decade that a lot of companies are only just now coming around to how woefully inadequate it is.

The phone company is, regardless, at fault for not running this service in a way that makes it secure.

I mean, I know from a practical standpoint, no one is going to complain if their grocery lists for the last two years get leaked via a SIM swap, none of which means SMS shouldn’t be at least somewhat more secure than this lawlessness currently makes it, regardless of what banks are using it for.

        Both of these things are wrong enough separately for a lot of great reasons.

  2. rip

    Make the carriers pay a $0.05 charge per call origination (perhaps after 100/month).

      1. John

        That is true. So I suggest making the telcos broadcast the robo calls to all phones owned by members of Congress and the BOD and Executive management for the network carrying the robo call.

        Sharing the pain might get some results.

  3. KoSReader600000

Gasp, these cell phone carriers tell the big lie! For example, AT&T says it will not sell our data, then turns around and sells it to multiple real-time location services like “Securus,” which sells it to many different companies including sleazy collection agencies.

    AT&T:

“Our Privacy Commitments…We Will not sell your personal information to anyone, for any purpose. Period.” -AT&T

    Page 58 of EFF lawsuit.

    https://www.documentcloud[.]org/documents/6200226-EFF-and-Pierce-Bainbridge-AT-T-Class-Action.html

    [Or]

    https://assets.documentcloud[.]org/documents/6200226/EFF-and-Pierce-Bainbridge-AT-T-Class-Action.pdf

    [links broken]

  4. R. Benwell

    Mr Krebs,

God bless you, and thank you for your voice of Truth in a wilderness of sponsored or fake reporting. Freedom of speech is seldom represented so well. Keep up the great work!

  5. Osiris

    It’s amazing that Google would give up…

> “…Google said “certain carriers” are blocking the delivery of these messages because all too often the transcripts resulted from unsolicited robocalls, and that as a result the feature would be discontinued by Aug. 9…”

    This… is good…

    > “…stop the telecom giant and two data location aggregators from allowing numerous entities – including bounty hunters, car dealerships, landlords and stalkers – to access wireless customers’ real-time locations without authorization…”

    Nice!

    > “…”The carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer,” wrote Wired’s Andy Greenberg in April. “If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked. Because SIM swap victims can typically see within minutes that their phone has been disabled, that window of time let them report the crime before fraudsters could take advantage…”

    Solution… an FCC that is for the people. We know what’s out there now in Pai’s regime…

    > “…Unfortunately, Sohn said, the FCC has allowed the wireless carriers to adopt this approach voluntarily. And – shocker – most of them haven’t, or else they are charging a premium for it…”

    We know what’s up with this, and who is responsible for it. Mr. McTurtle.

    “…”The carriers instead are turning around and charging customers extra for this service. There was a fairly strong anti-robocalls bill that passed the House, but it’s now stuck in the legislative graveyard that is the Senate.”…”

  6. Nobby Nobbs

    Thanks for another timely report, Brian!

    Any suggestions as to how we can make this an issue in the upcoming elections?

  7. dude

    Foreign intelligence services (FIS) have been using these techniques for years. They are more targeted and their intentions are not necessarily criminal in nature. But if they wanted to keep tabs on the movements of a certain person who works for a certain agency or branch of service, too easy. Thanks Brian for shining the light on this!

  8. anothercopy

Being a European, it’s hard to imagine the robocall nightmare. Maybe I receive 1 unsolicited call a year, which is from my bank trying to sell me something?
Is keeping your phone number private (giving a fake number where not needed, etc.) helping in that case, or are the numbers enumerated or sold by the carriers in the US?

    1. Rik

      I’m not sure which part of Europe you’re from, but in the UK we get loads, especially about PPI claims and car accidents that we’ve not been in.

      1. Davey Boy

        We don’t get any unsolicited calls to our BT landline. We are ex-directory, use BT’s Call Protect and subscribe to the Telephone Preference Service. The latter makes it illegal for anyone to call without permission, while BT Call Protect maintains a blacklist of repeat offenders.

    2. Moike

      In the EU, having the caller pay a significant mobile charge discourages the ‘throwaway spam’ that requires 10 million calls to result in 1 sale.

    3. Responder

      No, you can’t prevent robocalls by trying to keep your US phone number private. That doesn’t work; possibly because the auto dialers are dialing all sequential numbers within valid US area codes. Robocall volume has decreased some since shaken/stirred arrived in May but we still get the calls. While reading this article today I received one spoofing a New York number and the recorded voice sounded like it was speaking Mandarin.

    4. Christoph

      The blocklist in my cable box is growing by one or two numbers a week.
Luckily, not much spoofing that I could see, but the “You have been drawn as a winner of …” calls about balance out with the Microsoft Support scammers.

  9. Louis Leahy

    Yet more examples of why authentication should not depend on user devices and instead should be device independent to secure networks against attacks. We have designed such a system to prevent the interceptions highlighted so well by Krebs in this article and in the previous article on login aggregation risks.

    1. Michael

      Nobody in this house uses it because it applies to Verizon WIRELESS. We pay Verizon, but for LANDLINEs.

      It chaps my butt every time I start reading a how-to-thwart-robocalls article and come to a screeching halt a couple of paragraphs in, at the word “app”. Without exception, the articles I have read applied only to phones that can load an app.

      Coincidentally, just yesterday I received 6 copies of a robo-scam call in just 3-4 hours.

      1. ijac

Michael, for your landline try Nomorobo. I have it and it works great. Here is the web site: https://www.nomorobo.com/ I am not affiliated with them at all, just use their service, and it is free.

        1. Robert

          My landline doesn’t work with nomorobo. 🙁 Well, not unless I pay more to my already overcharging provider Comcast. I need a higher level of service for that to work.

          I’d cancel the line entirely except their weird bundle discounts make it cheaper to keep the line than to disconnect. So I just unplugged the phone.

          After about 2 months, I briefly needed to plug it back in. Got 3 robocalls in the first hour. Apparently 2 months of never completed calls isn’t enough to convince the robocallers to remove that number from their lists.

          1. acorn

            I run/installed my own hobby satellite dish setup with no monthly subscription cost. Think of it as somewhat similar to what is received-viewed over TV antenna, but more broadcasts.

          2. Bob

            I had one of those deals once where having tv/internet/phone was cheaper than tv/internet. I never plugged a phone into it and never knew what the phone number was.

      2. Chip Douglas

        I have had spoofed calls on my landline that used my name and landline number in CID. Several times I got a call that identified the call as “illegal scammer”, which tells me one of the scammer’s buddies was screwing with his spoofing equipment for a joke. I am looking forward to shaken/stirred taking effect for my landline which should eliminate most spoofed calls.

        1. SeaPea

          A while back I was researching this and came across a company that provides spoofing as a service. Run calls through them and they will “professionally” spoof your calls for a fee.

    2. Snake

      Thanks for mentioning this. Unfortunately, a lot of the reviews for Call Filter suggest that it isn’t ready for prime time…only blocking some calls, going haywire and blocking everything, etc. Plus you have to pay if you want useful features like labeling calls as suspected spam/fraud or showing the name associated with the number.

      On a positive note for those using iPhones, one reviewer mentioned a great new feature coming in IOS 13. You can set it to automatically silence all callers not in your contacts. You’ll still get a voice mail (if they leave one), and the number will show up in your missed calls log.

      1. acorn

        “You’ll still get a voice mail (if they leave one)…”

        I called my provider and voicemail has been turned off. Voicemails, from my experience, are mostly spam voicemail. Not worth my time to check them, I can call back for important missed calls.

      2. Ron

        Android has had that feature for some time now. Just turn on Do Not Disturb except for people that are in your Contacts list.

  10. Moike

    Does the future belong to IP-based phones such as Purism? Then the wireless providers no longer manage an identity – they become a generic pipe to the Internet.

    1. JCitizen

      Skype VOIP blocks all calls no matter who I call. I have to dial 1 to get through, or key in the phone number of the person I wish to speak to. It doesn’t bother me at all, because I like that feature. I have the same thing as a service on my land line, but it costs 6 bucks a month. Still worth it!

  11. Jim

I’m retired from the fire service; there, we had a saying, “never say never”. It can happen. The same with security: cloning will someday occur, it depends on the target, and the reward.
    Excellent article and good analyzing of probable outcomes. I would agree with most of them.

  12. Matt

    I setup a GOOGLE account some time ago, changed the GOOGLE voice caller ID to Tom Cruise so when I called anyone that would show on the caller ID.

    Last month started getting Robocalls and scam calls asking for Tom Cruise. I knew right away it was stolen from GOOGLE.

    1. GhostRinger

      More likely that someone you called added you to their contact list and/or shared it with an app.

    2. Tom

      When you entered your name Google Voice loaded it into the Line Inventory Database so your name is visible in enhanced caller ID.

  13. Me

    Excellent story, Brian. Thank you for pointing out the incessant problem that is permeating our American culture. Greed + Lack of oversight = Rampant Corruption. This makes America great for crooks & no one else.

  14. Chip Douglas

    Why use the major cell service providers?
All cell service providers use the big guys’ networks, which they rent at wholesale prices, but they don’t necessarily use their administrative/billing departments. Using a small obscure provider takes you out of the grasp of AT&T, Verizon, etc. much like using an operating system other than Windows reduces your chance of being targeted by malware. Why make yourself a target of the scammers by doing business with the major cell companies that refuse to provide real protection to their customers? Typically you can get the same service for less money and they have agreements to carry your calls all across the country. Most people should be able to move their cell service with no appreciable loss of features and keep their number.
    At the very least this may be a good short term plan until the FCC and the big cell providers get their act together.

    1. Joe

      It is not the administrative or billing departments.

The small, obscure carriers still use the 4 major carriers’ networks. They just lease the service.

      So location data is still available to be sold to 3rd parties. Robocalls are not affected either, since they don’t have any better spam filtering.

      1. DMK

        I’m on Virgin, and I sometimes get 2 or 3 calls a day. I make a contact out of them and add them to call blocking. I’ve got Spam, Spam1, Spam2, Spam3, Spam4, etc. Exhausting 🙂

        1. SeymourB

          I have a single contact and keep adding phone numbers to that contact. As an added bonus I set that contact to use a silent ringtone. Only time I notice is when I set my phone to silent/vibrate.

          1. c. smythe

I’ve been doing that too, for years! You are the first clever dude I’ve heard of in a long time.

          2. Joe

            This doesn’t work anymore, as I haven’t received a spam call from the same number twice. Hence this discussion about call spoofing.

  15. IJAC

The calls that Nomorobo misses that are spoofed I answer “thank you for calling technical support” with an accent. They ask if this is a business and I say yes; they hang up. Lately I’ve been getting spoofed calls from my electric company and the number changes every time. I kind of enjoy messing with these scammers sometimes when I am in the mood.

  16. John

    Regarding robocalls, some kind person has posted a silent ringtone on the internet. Made that my default and gave my contacts my old ring tone. I still get robocalls but don’t know it until I look.

  17. acorn

    From the article, Gigi Sohn, “There was a fairly strong anti-robocalls bill that passed the House, but it’s now stuck in the legislative graveyard that is the Senate.”

    There is a bill by the Senate, referred to the House: S.151 – TRACED Act. Includes STIR/SHAKEN, etc.

    1. Tom

There isn’t a single person in telecom who believes SHAKEN/STIR will have any impact (except the people getting paid to be vendors for implementation, of course).

    2. Readership1

      I’m shocked, SHOCKED! that Sohn and this author omitted a basic fact that runs counter to their negativity about the FCC and the current administration.

    3. SkunkWerks

      Has it come up for a vote yet?

      Is it likely to any time this decade?

      There’s ~plenty~ of bills being sat on in the senate right now. The mere fact that they’re “present” really doesn’t mean as much as is being made out here.

    4. acorn

      Just reading another article related to the matter:
      H.R.3375 – Stopping Bad Robocalls Act passed U.S. House in July, sent to Senate.

  18. Robert

    Do none of you use apps such as Hiya to block these calls? How many phone calls do people still make vs using Facetime or Signal another App based calling method? The younger generations don’t use traditional POTS calling much. If you are using SMS to authenticate vs an App then your application provider (yes you security incompetents at LinkedIn, you can’t use MS Authenticator even?) or you are doing it wrong. Also the nonsense about these “Real Keys” is just that, you are going to carry around an adapter and your Yubikey so you can use your iPad or phone? You might want to reassess your adversary to see if you really need that vs an authenticator app (Google, MS Authenticator, Duo etc..) Sure if you leave your phone unlocked often and unattended or a long timeout then you might want that physical key but for the majority (99.99%) the app is a better choice.

    1. acorn

      “apps such as Hiya…”

      1. I use Truecaller for some of the more common caller identification (users input the name).
2. “Call Blocker” by AppsBuyOut, for Android at least, for no-ring, silent blocking. Though, I’m still testing them after using them for months to years or so, as they stopped blocking mostly on a previous phone and in the last two days I’ve switched to another phone.

    2. Joe

      Yubikeys don’t need an adapter for the vast majority of smart phones on the market. Sorry, Apple makes your security decisions for you, so you cannot use NFC.

      Yubikey NEO works on Android as a physical token. Can even be one of the factors to unlock Keepass on your phone directly.

      Authenticator apps on your phone are nice…. but locking the phone with a simple PIN can easily be bypassed when someone steals your phone after shoulder surfing you. Biometrics have their own problems and aren’t as secure.

      If you want to use an authenticator app, there are some open source ones that allow you to lock it with a separate password/pin too.

      Oh, and not all keys need to work with the phone directly. Some display OTP right on the key itself.

  19. BlueCritter

    re: landlines
    I use a defense in depth strategy. First, Nomorobo catches a lot of spam. Second, if I am watching TV, the number and caller-id displays on the TV. Third, I have voice announce caller-id on my phone. That is particularly effective to identify Private Caller that masks caller-id.

    1. Joe

      That’s a lot of integrated devices. I would worry about those 3rd parties having that caller info too.

    2. SeaPea

      I believe in defense in depth (or as I like to say “belts and suspenders”) also.

      After setting my mother with AT&T’s Call Protect, I was able to include NoMoRoBo in the settings as a backup.

      I have NMRB only and it works quite well but Call Protect doesn’t even have the single ring that NMRB needs to carry out its mission.

  20. Dave Krasinski

    Brian- Nice work as usual. Lots of topics here, all relating to wireless carriers but different spectrums.

    On the SIM swap – oftentimes these aren’t actually physical SIM swaps; they are phone ports. There are some nuances to how these happen and how they show up. I do have a tried and true solution similar to the African example to stop this in the US. We can determine if a port has occurred immediately after it happens. If the ported number is involved in a transaction or is the intended recipient of an OTP, this can be detected 100% of the time. There are US fraud shops doing these “port/hijack” checks before contacting the recently ported phone. Doing so eliminates a lot of the ATO fraud resulting from ports and SIM swaps. It’s realtime, inexpensive, and frankly necessary for anyone using OTP to authenticate a customer. You’ve highlighted the risks of not doing this and delivering the OTP to the fraudsters. Anyone who is interested in learning more, let’s connect on LinkedIn first then we can connect offline.

    For the mobile location data – AT&T actually pulled all of its data out of the Mobile Network Operator ecosystem earlier this year. The other 3 remaining wireless carriers are still participants. So it could once be said that AT&T was sharing info. I don’t believe this to be the case any more.

    As far as STIR/SHAKEN goes, this protocol is to detect number spoofing but not necessarily robocalls. Robocalls can still happen if a number is not spoofed. That said, all of the major carriers have released “spam blocking apps” to help alert their customers of robocallers/spam/fraud etc. They used to be paid services but all but Sprint made them “free” apps earlier this year. The FCC voted to push the carriers to take it a step further and make these apps “default” vs the current opt-in. This should take effect for all US wireless customers within a few months. Again, these will be free services.
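
The “port/hijack check before sending the OTP” that the comment above describes, as an added worked example (editor’s illustration, not the commenter’s product or any carrier’s API). It assumes a hypothetical lookup that returns the time of a number’s most recent port or SIM change, uses constructed sample numbers and timestamps, and treats the 72-hour hold-down window as an assumed policy value. The security-relevant behaviour is that an unknown number fails closed (step up to another factor) rather than defaulting to SMS delivery.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed sample data standing in for a carrier / aggregator "last port or
# SIM change" lookup. The real lookup API is not modelled here (hypothetical).
# A value of None means the number has a record and has never been ported.
SAMPLE_PORT_HISTORY: Dict[str, Optional[datetime]] = {
    "+15555550100": datetime(2019, 8, 6, 14, 30, tzinfo=timezone.utc),  # ported yesterday
    "+15555550101": datetime(2019, 1, 15, 9, 0, tzinfo=timezone.utc),   # ported months ago
    "+15555550102": None,                                                # never ported
}

# Fixed "now" for the worked example so the result is reproducible offline.
SAMPLE_NOW = datetime(2019, 8, 7, 12, 0, tzinfo=timezone.utc)

# Hold-down window: no SMS/voice OTP to a number ported or re-SIMed more
# recently than this. 72 h is an assumed policy value, not a standard.
DEFAULT_HOLD_DOWN = timedelta(hours=72)


@dataclass(frozen=True)
class OtpDecision:
    deliver: bool   # True: send the OTP to the phone number
    reason: str     # justification for logs / fraud case notes


def lookup_last_port(number: str,
                     history: Dict[str, Optional[datetime]] = SAMPLE_PORT_HISTORY
                     ) -> Optional[datetime]:
    """Hypothetical port-history lookup. Raises KeyError for unknown numbers
    so the caller can tell "never ported" apart from "no data at all"."""
    return history[number]


def decide_otp_delivery(number: str,
                        now: datetime = SAMPLE_NOW,
                        hold_down: timedelta = DEFAULT_HOLD_DOWN,
                        history: Dict[str, Optional[datetime]] = SAMPLE_PORT_HISTORY
                        ) -> OtpDecision:
    """Gate an SMS/voice OTP on the number's recent port / SIM-change history."""
    try:
        last_port = lookup_last_port(number, history)
    except KeyError:
        # Fail closed: with no data, do not trust the channel; step up instead.
        return OtpDecision(False, "no port history available; step up to another factor")
    if last_port is None:
        return OtpDecision(True, "number has no port or SIM change on record")
    age = now - last_port
    if age < hold_down:
        return OtpDecision(False, f"number ported {age} ago, inside {hold_down} hold-down")
    return OtpDecision(True, f"last port {age} ago, outside {hold_down} hold-down")


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample number plus one unknown number; returns number -> deliver."""
    numbers = list(SAMPLE_PORT_HISTORY) + ["+15555550199"]
    return {n: decide_otp_delivery(n).deliver for n in numbers}


if __name__ == "__main__":
    for n in list(SAMPLE_PORT_HISTORY) + ["+15555550199"]:
        d = decide_otp_delivery(n)
        print(f"{n}: {'DELIVER' if d.deliver else 'HOLD'} ({d.reason})")
```

In a real deployment the hold-down decision would be logged alongside the transaction so that a blocked delivery can be reviewed, and the step-up path (call-back to a number on file, app push, in-person verification) would replace the SMS, not simply retry it later.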

  21. nomore robo

    My cell phone’s area code is associated with a state I used to live in. I no longer have any connection to that state, no friends or family or do any business there. So it’s with great amusement when I see incoming calls using that area code on the premise that I’m going to answer them. That has made it very easy for me to ignore spam calls.

  22. mrpuck

    Great news for those of us on iPhone and iPad cellular. iOS 13 will have a feature to silence calls from people not in your contacts list. They will go straight to voicemail. You will still need to clean out your voicemails, but this is a nice feature.

    1. Worthitall

      My Android phone already has this. It is called the “Do Not Disturb” setting. I have my phone set to DND, and to only allow notifications from folks in my contacts list. I never hear from spammers anymore.

  23. FL

    If you don’t know about the Irregulators lawsuit against the FCC, you should take a look. Could be an interesting future article.

    http://irregulators.org/irregulatorsvsfcc/

    See also this article on 4G charges – https://medium.com/@kushnickbruce/really-unlimited-4g-wireless-for-30-dollars-aeb2c0f316a

    And this one on why 5G is a scam – https://medium.com/@kushnickbruce/5g-wireless-is-not-profitable-when-the-wired-state-based-utility-cross-subsidies-are-removed-f7888e343094

  24. Roy Patterson

    Sounds like the fish on the end of a line, flipping and flopping because it’s got a hook in its mouth.

  25. OH

    PRO TIP- Lock your SIM card with a PIN or passcode.

    The method in which you do this depends on both your carrier and phone model. I was easily able to do this on my Android phone (carrier is T-Mobile) by accessing the “Set SIM Card Lock” option within my security settings, turning on “Lock SIM Card”, and then changing my PIN from the default.

    Seriously… with all of the publicity around SIM swap attacks, why do mobile phones not require you to lock your SIM during the initial OS setup? That’s like your bank not requiring you to set a PIN for your new debit card.

    1. BrianKrebs Post author

      If your carrier allows this, then by all means do it (most do). The challenge with SIM swaps is the insider problem. Employees need to be able to swap customer SIMs, which is a fairly common request when the customer upgrades to a newer phone or loses their device. Unfortunately, most people working at these stores aren’t paid very much, and are sometimes susceptible to being bribed.

  26. XB70

    Does setting a (personalized) SIM PIN stop the wireless company from doing a SIM swap, unless you input your personal SIM PIN? Or do they have a process to do a swap anyway–recovery process of some type to get around your personalized SIM PIN, which would obviate setting a personal SIM PIN?

    1. XB70

      What I am referring to is a PUK (Personalized Unlocking Key)–see this link: https://www.digitalcitizen.life/get-puk-code-sim-card
      If the carrier installed the SIM, or sent the phone to you with a SIM pre-installed, it may have recorded the PUK and have it in its system, available to phone store employees. If so, can that be used to get around any personalized SIM PIN?

    2. XB70

      SIM cards are issued with a PUK (personal unlocking key). If your phone/number came from a cell phone carrier, they probably have the PUK for your SIM in their database. Can an employee access the PUK to get around your personally set SIM PIN, obviating setting a (personal) SIM PIN to prevent SIM swapping?

      1. XB70

        I just logged into my carrier and found the PUK for my SIM. So if I (or anyone, like an employee at a store, or an impersonator?) attempt to access the SIM three times and fail three times, the PUK can be used to access the SIM, do a swap, it seems like. If the SIM comes from the carrier, then they will have the PUK. Anyone? Sounds like for carrier-issued SIMs, even if the user personalizes his/her SIM PIN (changes it from the publicly available carrier default), a bad actor (employee duo) can still do a SIM swap using the carrier-held PUK.
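
An added model (editor’s illustration, not any carrier’s system or real SIM firmware) of the two separate mechanisms the thread above is asking about. The PIN and PUK counters live on the card: three wrong PINs put the card into a PUK-required state, and ten wrong PUKs disable it permanently (these two limits are the standard GSM values; everything else here is a simplified toy). A SIM swap or port, by contrast, is a change to the carrier’s mapping from phone number to active card, so it never consults the old card’s PIN or PUK. The PUK matters if someone holds your physical card; it is irrelevant to a swap, which is why a SIM PIN alone does not stop the attack described in this post. ICCIDs, PINs, PUKs and the phone number below are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# GSM defaults: a SIM blocks its PIN after 3 wrong entries and is permanently
# disabled after 10 wrong PUK entries. Everything else below is a toy model.
PIN_ATTEMPTS = 3
PUK_ATTEMPTS = 10


@dataclass
class SimCard:
    """Model of the lock state held on the card itself."""
    iccid: str
    pin: str
    puk: str
    pin_tries_left: int = PIN_ATTEMPTS
    puk_tries_left: int = PUK_ATTEMPTS
    unlocked: bool = False

    @property
    def state(self) -> str:
        if self.puk_tries_left == 0:
            return "permanently_blocked"
        if self.pin_tries_left == 0:
            return "puk_required"
        return "unlocked" if self.unlocked else "pin_required"

    def verify_pin(self, candidate: str) -> bool:
        """Handset PIN prompt. Only meaningful while the card is asking for a PIN."""
        if self.state != "pin_required":
            return False
        if candidate == self.pin:
            self.unlocked = True
            self.pin_tries_left = PIN_ATTEMPTS
            return True
        self.pin_tries_left -= 1
        return False

    def unblock_with_puk(self, candidate_puk: str, new_pin: str) -> bool:
        """PUK recovery: a correct PUK clears the PIN block and sets a new PIN."""
        if self.state != "puk_required":
            return False
        if candidate_puk == self.puk:
            self.pin = new_pin
            self.pin_tries_left = PIN_ATTEMPTS
            self.unlocked = True
            return True
        self.puk_tries_left -= 1
        return False


@dataclass
class CarrierRegistry:
    """Toy model of the carrier's mapping from phone number to active SIM (ICCID)."""
    number_to_iccid: Dict[str, str] = field(default_factory=dict)

    def activate(self, number: str, iccid: str) -> None:
        self.number_to_iccid[number] = iccid

    def swap_sim(self, number: str, new_iccid: str) -> Optional[str]:
        """A SIM swap or port re-points the number to another card. The old
        card's PIN/PUK counters are never consulted; they live on that card."""
        old = self.number_to_iccid.get(number)
        self.number_to_iccid[number] = new_iccid
        return old


def demo() -> Dict[str, str]:
    """Victim's card has a custom PIN and is still locked; the number is swapped anyway."""
    victim = SimCard(iccid="8901000000000000001", pin="4821", puk="12345678")   # constructed
    attacker = SimCard(iccid="8901000000000000002", pin="0000", puk="87654321") # constructed
    carrier = CarrierRegistry()
    carrier.activate("+15555550100", victim.iccid)
    # Victim's handset is off: the card sits in pin_required and is never touched.
    carrier.swap_sim("+15555550100", attacker.iccid)
    # Attacker unlocks their own card with their own PIN and now receives the number's SMS.
    attacker.verify_pin("0000")
    return {
        "victim_card_state": victim.state,
        "attacker_card_state": attacker.state,
        "active_iccid": carrier.number_to_iccid["+15555550100"],
    }


if __name__ == "__main__":
    print(demo())
```

The useful takeaway for the thread: setting a SIM PIN is still worth doing (it protects a lost or stolen handset’s card), but the control that actually bears on swaps is on the carrier side, which is the insider problem Brian describes in his reply above.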

  27. Taz

    MySudo numbers cannot be transferred by phone companies. Requires the user’s cryptographic key. Switching company has no role in porting.

    Buy SIMs all the time – but never pay attention to them. If someone gets into the cell carrier’s system and transfers the SIM phone number – has zero effect. Just knocks my LTE data off for a while and we have backups.

    Always feared a bribing scandal….AT&T made that fear real. The risk has always been the employees + cell carrier automation systems.
