SIMJacking, the attack in which a hacker gets the carrier to re-point your phone number in its database from your SIM card to the attacker’s SIM card, so that the attacker then receives all of your phone calls and text messages, is becoming more popular – because it is profitable.
At this point, the carriers have not been successful at stopping it (although they could virtually instantly – more on that later). And, as a result of that, the lawsuits keep coming.
The most recent one is a suit against AT&T for $1.8 million – really pocket change for a company with global revenue last year of $170 billion – but they do not want to create a precedent of liability.
In many cases, the attack works because the attacker bribes a company employee to bypass the security mechanisms in place.
In this particular lawsuit, Seth Shapiro says that he lost $1.8 million – his life’s savings – in cryptocurrency and fiat currency ($) due to this attack.
“AT&T failed to implement sufficient data security systems and procedures and failed to supervise its own personnel, instead standing by as its employees used their position at the company to gain unauthorized access to Mr. Shapiro’s account in order to rob, extort, and threaten him in exchange for money,” the lawsuit alleges.
Last year AT&T was sued for $220 million and T-Mobile was also sued last year.
In the case of this lawsuit, Shapiro was SIMJacked FOUR TIMES. They did find the corrupt employees who helped the attacker. One was paid about $4,000; the other was paid $585. I think they should ask for a raise. Of course, they are likely going to be in jail for a while, so they would not be able to use it anyway.
The challenge for Shapiro is the user agreement that all customers sign. It requires arbitration instead of a lawsuit, and that process is heavily weighted in favor of the carrier.
Motherboard has created a SIMJacking protection document, available here. The key message is to not use your phone for authentication. Yes, it is convenient, but, unfortunately, until the carriers get their act together, it is not very secure and you, ultimately, pay the price.
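To make the mechanism in the opening paragraph and the advice above concrete, here is an added simulation (not from the original post or from Motherboard’s document): a toy carrier database that maps a phone number to the SIM currently serving it, and a bank that picks a second factor. An SMS code goes to whichever SIM the record names at that moment, so after the record is changed it reaches the new SIM; the bank-side control shown, a cooldown after any SIM change during which SMS is not accepted as a factor, is an assumed policy, as are all names and values.

```python
# Constructed demo (assumed names/policy values): an SMS code follows the phone
# number, i.e. whichever SIM the carrier's record currently names, and one
# control a bank could apply: distrust SMS while a SIM change is fresh.
from dataclasses import dataclass

SIM_CHANGE_COOLDOWN_S = 72 * 3600  # assumed policy: fresh SIM => no SMS factor


@dataclass
class CarrierRecord:
    sim_id: str            # ICCID-like id of the SIM currently serving the number
    sim_changed_at: float  # epoch seconds of the last SIM change


class Carrier:
    """Toy carrier database: phone number -> SIM currently serving it."""

    def __init__(self):
        self.records = {}  # number -> CarrierRecord

    def provision(self, number, sim_id, now):
        self.records[number] = CarrierRecord(sim_id, now)

    def change_sim(self, number, new_sim_id, now):
        # The record edit that the post's bribed employees made for the attacker.
        rec = self.records[number]
        rec.sim_id, rec.sim_changed_at = new_sim_id, now

    def send_sms(self, number, text):
        # Returns the SIM that received the message: whatever the record names now.
        return self.records[number].sim_id

    def sim_age(self, number, now):
        return now - self.records[number].sim_changed_at


class Bank:
    """Login service choosing the second factor for an account's phone number."""

    def __init__(self, carrier):
        self.carrier = carrier

    def second_factor(self, number, now):
        # Control: a recently changed SIM may be an attacker's, so refuse SMS and
        # require a factor that does not ride on the phone number (TOTP, key).
        if self.carrier.sim_age(number, now) < SIM_CHANGE_COOLDOWN_S:
            return "device-bound"
        return "sms"
```

The cooldown also covers the legitimate case: a customer who replaced a lost phone simply uses the device-bound factor for three days and is back to normal afterwards.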
In Shapiro’s case, assuming he wins anything at all in arbitration, it will likely take years to get whatever he does get back. Likely that will not include legal fees.
Add to that an FCC which is totally useless. In part this could be because of limitations in what the law allows them to do to the carriers. More likely, the bureaucracy is horribly broken.
If you don’t want to lose your money then it is incumbent on you to protect yourself. Make that tradeoff between security and convenience. Select financial institutions that allow you to implement controls. For example, I have set my ATM card to only allow me to withdraw $300 a day. If someone compromises my ATM card and PIN, the best they can do is steal $300 a day. Is that annoying on rare occasions? Sure. But it is less annoying than having a hacker empty my account.
One last thing. The carriers also trade security for convenience. Whether it is a $1.8 million suit or a $220 million suit, they will likely settle for a lesser amount, much (or all) of which is covered by insurance. So do they care if there are a few lawsuits? Probably not. If the regulators fined them a billion dollars (or $5 billion like the FTC recently fined Facebook), it BEGINS to hurt. Facebook’s PROFIT for just one quarter in 2018 was almost $7 billion, so that fine, if not covered by insurance, would mostly wipe out the profit for one quarter. Bad, but not fatal.
The carriers could make it much harder to do a SIM swap – but customers would complain. Rather than educating the customers, they take the easy path out. They could implement better controls for SIM changes, but unless those controls are forced on them by law, they won’t do it. Years ago there was a problem with hackers getting you to change your long distance carrier on your land line (remember those days?). FINALLY, the FCC crammed controls down the throats of the phone companies and the problem, magically, went away.
But the important thing is that consumers need to educate themselves. The carriers do not care. They are big enough to win, and even in the rare case where they don’t win totally, they can absorb it. How much time and effort is it going to take YOU to get your money back? If you lose a few thousand dollars, are you willing to dedicate a year of your life to getting it back? They are counting on the answer being no.
This means that it is UP TO YOU to protect yourself.