DOJ accuses Verizon and AT&T employees of participating in SIM-swap identity theft crimes

The DOJ has indicted three former Verizon and AT&T employees for alleged membership in a crime-ring known as the "The Community"; the indictment says the telco employees helped their confederates undertake "port-out" scams (AKA "SIM-swapping" AKA "SIM hijacking"), which allowed criminals to gain control over targets' phone numbers, thereby receiving SMS-based two-factor authentication codes.

Once in possession of these codes, attackers could take control of targets online accounts, including their banking and cryptocurrency exchange accounts (and also web-based email accounts that could serve as a gateway to many other systems). The returns could be massive, and several cryptocurrency users suffered losses in the millions.

SIM-swapping benefits from the overall lax security at phone companies, but the DOJ says that the insiders made it much easier to undertake these attacks against high-value targets. According to the DOJ, sometimes the insiders simply reached into the system and changed ownership of phone numbers; other times, they provided confederates with the information needed to trick customer service reps at the telcos into making the switch.

Insiders have been implicated in SIM-swapping since the beginning, and criminals cultivated "plugs" (insiders) who would augment their low wages with bribes to help with SIM-swaps. The indictment paints a picture of plugs who made a few hundred dollars for helping with frauds that netted millions.

The security economics are pretty straightforward here: phone numbers used to be low value, then they were repurposed to protect high-value assets, and the assumptions about how far attackers would go to steal phone numbers remained the same, while the actual lengths increased considerably. Read the rest