Hackers target SIM cards
By Jordan Robertson, Bloomberg Business
Wireless carriers including AT&T and South Africa's Vodacom Group
are facing a new threat: the illegal hacking of SIM cards, the small plastic
chips that verify the identity of customers on mobile networks.
Globally, carriers are expected to rack up $3.6 billion in
losses from account fraud this year, nearly triple the amount in 2011,
according to the Communications Fraud Control Association. "Attackers are
definitely getting more advanced," says Lawrence Pingree, a mobile-security
researcher at Gartner. "It's almost like stealing at a bank - going right in
and doing it in person. It's very personal."
The scammers who targeted Keith Carter were pretty sophisticated. On Aug. 12,
the Atlanta resident answered a call from someone purporting to be an AT&T
representative. The caller, who already knew Carter's address and other
personal information, promised him a discount on his bill in exchange for
completing a customer survey. It all seemed aboveboard to Carter, who provided
the last four digits of his Social Security number - the information the thief
needed to access Carter's AT&T account and reassign his SIM card to another
smartphone.
The next day, Carter's iPhone had no service. Overnight,
however, his account began accumulating charges for calls to Cuba, Guinea and
Gambia. Carter got a new SIM card, yet the international calls continued - the
final tally came to $2,600. He plans to dispute the charges and drop his
carrier. "I thought when I got the new SIM card that the old one would be
disassociated with it, but clearly this bad boy is still rockin' and
rollin'," he says.
AT&T declined to comment on Carter's case but said such
scams are being driven by groups that profit from selling stolen cellular
services through online marketplaces.
"We're working to educate our customers on how to
protect their information," said the company in an e-mail. Sprint and
T-Mobile US said they hadn't seen this type of attack. Verizon Wireless
declined to comment.
In South Africa, criminals are hacking SIM cards of Vodacom
customers whose bank accounts have also been compromised through other means,
so they can intercept text alerts that banks send to verify transactions, says
company spokesman Richard Boorman. That gives them cover to make several
withdrawals.
While Boorman says the attacks are "extremely
rare," the carrier now sends text messages requiring confirmation of
SIM-card swaps, which are routine when a customer upgrades a phone.
Mari and Candace Sawyer, two sisters who own a dessert catering business in
Atlanta, say AT&T isn't doing enough to safeguard customers. Shortly after
noon on Sept. 3, a man called their mother's phone and asked for Mari, who
holds the family's account. He had personal information, and the call appeared
to come from AT&T's customer-service line. Because it seemed legitimate, Mari
supplied the last four digits of her Social Security number.
The caller wasn't from AT&T. The number had been
spoofed, a process where a call is routed through a service that makes it
appear to come from somewhere else. By 10 p.m., all four phones on the family
plan were dead and hundreds of calls to Gambia appeared on their account.