Wireless carriers including AT&T and South Africa’s Vodacom Group are facing a new threat: the illegal hacking of SIM cards, the small plastic chips that verify the identity of customers on mobile networks. Globally, carriers are expected to rack up $3.6 billion in losses from account fraud this year, nearly triple the amount in 2011, according to the Communications Fraud Control Association. “Attackers are definitely getting more advanced,” says Lawrence Pingree, a mobile-security researcher at Gartner. “It’s almost like stealing at a bank—going right in and doing it in person. It’s very personal.”
The scammers who targeted Keith Carter were pretty sophisticated. On Aug. 12 the Atlanta resident answered a call from someone purporting to be an AT&T representative. The caller, who already knew Carter’s address and other personal information, promised him a discount on his bill in exchange for completing a customer survey. It all seemed aboveboard to Carter, who provided the last four digits of his Social Security number—the information the thief needed to access Carter’s AT&T account and reassign his SIM card to another smartphone.
The next day, Carter’s iPhone had no service. Overnight, however, his account began accumulating charges for calls to Cuba, Guinea, and Gambia. Carter got a new SIM card, yet the international calls continued—the final tally came to $2,600. He plans to dispute the charges and drop his carrier. “I thought when I got the new SIM card that the old one would be disassociated with it, but clearly this bad boy is still rockin’ and rollin’,” he says.
AT&T declined to comment on Carter’s case but said such scams are being driven by groups that profit from selling stolen cellular services through online marketplaces. “We’re working to educate our customers on how to protect their information,” said the company in an e-mail. Sprint and T-Mobile US said they hadn’t seen this type of attack. Verizon Wireless declined to comment.
In South Africa, criminals are hacking SIM cards of Vodacom customers whose bank accounts have also been compromised through other means, so they can intercept text alerts that banks send to verify transactions, says company spokesman Richard Boorman. That gives them cover to make several withdrawals without tipping off the account’s owner. While Boorman says the attacks are “extremely rare,” the carrier now sends text messages requiring confirmation of SIM-card swaps, which are routine when a customer upgrades a phone.
Mari and Candace Sawyer, two sisters who own a dessert catering business in Atlanta, say AT&T isn’t doing enough to safeguard customers. Shortly after noon on Sept. 3, a man called their mother’s phone and asked for Mari, who holds the family’s account. He had personal information, and the call appeared to come from AT&T’s customer-service line. Because it seemed legitimate, Mari supplied the last four digits of her Social Security number.
The caller wasn’t from AT&T. The number had been spoofed, a process where a call is routed through a service that makes it appear to come from somewhere else. By 10 p.m., all four phones on the family plan were dead. Hundreds of calls to Gambia subsequently appeared on their account.
The sisters did some digging online and discovered they were the victims of a scam. They filed a complaint against AT&T with the Federal Communications Commission for failing to alert them about SIM-card swaps. Emily Edmonds, an AT&T spokeswoman, declined to comment on the complaint. She directed questions to the FCC, which didn’t return a message amid the government shutdown. “It’s not right to drive by an accident where someone’s hurt, and it’s not right if your SIM card gets hacked and you don’t do something to prevent it from happening to someone else,” says Mari.