The DOJ has indicted three former Verizon and AT&T employees for alleged membership in a crime-ring known as the "The Community"; the indictment says the telco employees helped their confederates undertake "port-out" scams (AKA "SIM-swapping" AKA "SIM hijacking"), which allowed criminals to gain control over targets' phone numbers, thereby receiving SMS-based two-factor authentication codes.
Once in possession of these codes, attackers could take control of targets online accounts, including their banking and cryptocurrency exchange accounts (and also web-based email accounts that could serve as a gateway to many other systems). The returns could be massive, and several cryptocurrency users suffered losses in the millions.
SIM-swapping benefits from the overall lax security at phone companies, but the DOJ says that the insiders made it much easier to undertake these attacks against high-value targets. According to the DOJ, sometimes the insiders simply reached into the system and changed ownership of phone numbers; other times, they provided confederates with the information needed to trick customer service reps at the telcos into making the switch.
Insiders have been implicated in SIM-swapping since the beginning, and criminals cultivated "plugs" (insiders) who would augment their low wages with bribes to help with SIM-swaps. The indictment paints a picture of plugs who made a few hundred dollars for helping with frauds that netted millions.
The security economics are pretty straightforward here: phone numbers used to be low value, then they were repurposed to protect high-value assets, and the assumptions about how far attackers would go to steal phone numbers remained the same, while the actual lengths increased considerably.
The two former AT&T contractors in Tucson, Arizona were Robert Jack and Jarratt White.White allegedly received bribes from one of the criminals who was part of "The Community," according to a criminal complaint. White, according to the feds, helped the criminals steal more than $2 million from several victims by performing 29 fraudulent SIM swaps. White communicated with the criminals via Telegram, according to the document.
Jack, who was an associate of White, allegedly performed twelve fraudulent SIM swaps in May of 2018. White allegedly paid Jack $585.25 for his help in the SIM swapping conspiracy, according to the complaint.
AT&T Contractors and a Verizon Employee Charged With Helping SIM Swapping Criminal Ring [Lorenzo Franceschi-Bicchierai/Motherboard]
(via Techdirt)