A T-Mobile store in California. | Image Credit – Wave7 Research
Earlier this year, we reported that law firm Greenberg Glusker secured $33 million from T-Mobile on behalf of SIM swap attack victim Joseph “Josh” Jones. T-Mobile allegedly sought to keep the wider details confidential, but the judgment has been made public.
Jones was a crypto bigshot and a T-Mobile customer from October 2014 until March 2020. On February 21, 2020, a seventeen-year-old Canadian hacker and his online accomplice stole cryptocurrency “worth nearly $37 million at the time and worth around $53 million today” from Jones by taking control of his T-Mobile number.
The SIM swap attack allowed the attackers to receive any communication, including One-Time Passwords (OTPs) meant for him. This enabled them to access and drain his cryptocurrency account.
T-Mobile did nothing to secure Jones’s account in the week following the attack. Seven days after the attack, the cybercriminal even left a note in the internal system, which read: “My name is . . . I stole $45 mil from you lolol[.]”
T-Mobile had known about SIM swap attacks since 2016, but prevention wasn’t a priority
T-Mobile had known about SIM swap attacks affecting its customers since 2016. By March 2018, it knew that the attacks caused financial harm to customers.
SIM swap attacks involved a combination of tricking and bribing employees to get into T-Mobile’s systems. From 2016 through February 2020, 27,000 T-Mobile customers were victims of such attacks.
The SIM swap community saw T-Mobile as an easy target. The attack on Jones wouldn’t have been attempted if he had a different provider, according to one of the hackers.
Publicly available systems and programs were used to perpetrate the crime. The process was freely discussed in Discord chats.
T-Mobile was an easier SIM Swap target than other providers because no further authentication, such as a PIN or even the last 4 digits of a target’s Social Security Number, was required to access or to move within the system, as I understood was the case with other providers.
–SIM Swapper who stole crypto from Jones
T-Mobile had fewer guardrails than other carriers, and its employees received little training to recognize, prevent, disable, or report such attacks. Once authenticated by T-Mobile, hackers were able to stay logged in for weeks at a time. The company didn’t even check for location red flags.
T-Mobile granted extremely broad rights to all retail employees, so the credentials of any such employee would do, whether they had worked there for years or for just a few hours. Once into the system, there were no apparent limitations on my access to Mr. Jones’s customer account.
–SIM Swapper
T-Mobile employees were aware of the attack on Jones as it was being carried out, since they already knew that the same bad actor had been involved in similar attacks, but they did nothing to stop it.
No attempts were made to disable the SIM card associated with those attacks. Even though T-Mobile’s policy said that a SIM deactivated due to fraud couldn’t be reused, tools existed to reverse the deactivation. The hacker took advantage of that. T-Mobile had no procedure for permanently deactivating a SIM card associated with fraudulent activity.
T-Mobile defended itself by claiming that at that time it had 53 million customers but only around 100 employees working on fraud prevention.
T-Mobile had a SIM Block feature, but it was only available to customers who had already been victims of SIM swaps. Employees weren’t allowed to offer it to customers who inquired about it. The company didn’t educate customers about preventing unauthorized SIM Swaps and discouraged employees from spreading awareness about SIM fraud.
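The control gaps described above (no customer passcode check, SIM-change rights for every retail login, employee sessions that stayed open for weeks, no location red flags, fraud-retired SIMs that could be reactivated, and a SIM block customers couldn’t opt into) map onto concrete authorization checks. The following is an added illustration written for this article, not code from T-Mobile or the arbitration record; every policy value, role name and ICCID in it is hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed, hypothetical policy values; not any carrier's real configuration.
MAX_SESSION_HOURS = 8.0               # employee sessions re-authenticate daily, not weekly
SWAP_ENTITLEMENT = "sim_change"       # only roles holding this may move a number to a new SIM
ROLE_ENTITLEMENTS = {
    "retail_associate": {"view_account"},
    "retail_manager": {"view_account", "sim_change"},
    "fraud_desk": {"view_account", "sim_change", "fraud_block"},
}
# ICCIDs retired after confirmed fraud. Membership is permanent: no function here removes one.
FRAUD_RETIRED_SIMS = set()

@dataclass
class SwapRequest:
    new_iccid: str
    customer_pin_ok: bool       # account passcode verified on this very request
    sim_block_on: bool          # customer has enabled a SIM-change lock on the account
    employee_role: str
    session_age_hours: float    # hours since the employee's session was authenticated
    store_region: str           # region the employee's store is registered in
    login_region: str           # region the session actually originated from

def retire_sim_for_fraud(iccid: str) -> None:
    """Permanently retire a SIM tied to fraud; there is deliberately no reverse operation."""
    FRAUD_RETIRED_SIMS.add(iccid)

def evaluate_sim_swap(req: SwapRequest) -> tuple[bool, list[str]]:
    """Apply every control before a number moves; return (allowed, blocking reasons)."""
    reasons = []
    if req.sim_block_on:
        reasons.append("SIM block enabled on account; the customer must lift it first")
    if not req.customer_pin_ok:
        reasons.append("customer passcode not verified on this request")
    if SWAP_ENTITLEMENT not in ROLE_ENTITLEMENTS.get(req.employee_role, set()):
        reasons.append(f"role {req.employee_role!r} lacks the {SWAP_ENTITLEMENT} entitlement")
    if req.session_age_hours > MAX_SESSION_HOURS:
        reasons.append("employee session is stale; re-authentication required")
    if req.login_region != req.store_region:
        reasons.append("login region differs from the employee's store; hold for fraud review")
    if req.new_iccid in FRAUD_RETIRED_SIMS:
        reasons.append("target SIM was retired for fraud and cannot be reactivated")
    return (not reasons, reasons)
```

A request that trips any check is refused with the full list of reasons, so the fraud desk sees why rather than a bare denial.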
Jones had previously been encouraged by T-Mobile to set up a security passcode, warned about a number port-out scam, and asked to consider an alternative to text-for-PIN authentication. However, a security passcode would not necessarily have prevented the attack.
It was concluded that “it was foreseeable that T-Mobile’s acts and omissions would result in theft of Jones’s cryptocurrency.” However, since Jones didn’t do everything in his power to prevent the damage, T-Mobile was only held liable for 50 percent of his damages. As a result, the Arbitrator awarded $26,569,963.60 to Jones.
T-Mobile has, in recent times, beefed up its defence against SIM swap attacks. The company disabled self-service SIM swaps in 2022 and re-enabled them only recently.
This may partially explain why the company didn’t want the details of the $33 million award to be made public. Regardless, customers should rest easy knowing that such attacks are improbable now, but if something does happen, they can always count on the government to make T-Mobile compensate.