20.5k unique visitors in the last 3 days

T‑Mobile US Has Known Since 2005 That SIM Swap Fraudsters Use Social Engineering to Steal Employee Credentials

The MNO continued to fight victims of SIM swap crime in court despite 27,000 unauthorized SIM swaps between 2016 and February 2020.

In November 2023, the US Federal Communications Commission (FCC) imposed new rules on US telcos to reduce the number of SIM swap frauds. Some might argue those rules were overdue given that a legal battle has revealed that the second-largest mobile network operator (MNO) in the USA has known since 2005 that fraudsters were targeting the login credentials of employees to execute unauthorized SIM swaps.

New information has come into the public domain via a USD33mn SIM swap arbitration award against T‑Mobile US earlier this year. T‑Mobile US tried to keep the details of the case secret but Greenberg Glusker, the lawyers who acted for Joseph Jones, the victim of that particular SIM swap fraud, successfully petitioned the Los Angeles Superior Court to make the details public. Jones had built up considerable wealth by investing in cryptocurrency only to see millions vanish from his online account on February 21, 2020. I have briefly covered this case already but representatives of Greenberg Glusker have now drawn my attention to some startling facts they uncovered through their research.

  • T‑Mobile US knew that 27,000 customers had fallen victim to unauthorized SIM swaps from 2016 to February 2020, the month when Jones’ account was taken over.
  • T‑Mobile’s Senior Director of Corporate Investigations and Digital Forensics, Jim Steele, admitted that he knew cryptocurrency investors had “often” been “targeted” by SIM swappers.
  • Steele also admitted that T‑Mobile has been aware since at least 2005 “that fraudsters were targeting T‑Mobile store employees via social engineering and posing as T‑Mobile tech support in order to steal those credentials”.
  • An internal T‑Mobile report written in 2019 stated bad actors were “phishing credentials” for T‑Mobile employees so they could “monetize SIM Swaps”.
  • An earlier internal report counted 478 customer accounts that were attacked using the credentials of a single employee.
  • An internal slide deck written in 2018 acknowledged that the “mission” of SIM swappers who used compromised credentials was to “steal… cryptocurrency”.
  • Despite all this, T‑Mobile employed fraud analysts to monitor live SIM swap activity without giving them the authority to disable employee credentials that were repeatedly abused.
  • The SIM used to take control of Jones’ service had previously been used for 18 other unauthorized SIM swaps. Eight of those SIM swaps occurred earlier on the same day of the Jones incident. A fraud analyst had already identified SIM swaps using this SIM during the two-and-a-half hours before the Jones SIM swap, but the SIM remained live.
  • The fraud analyst discovered and reversed the Jones SIM swap within 16 minutes of it occurring, but that was already too late. Jim Steele separately admitted that it can only require “as little as 15 seconds of access for a fraudster to transfer all of the funds from a bank account”.

7 days after the SIM swap occurred, T‑Mobile US had still not revoked credentials used by the criminals who stole from the Jones’ account. There were seven separate instances of unauthorized access to Jones’ account in the week following the initial SIM swap. On the final occasion, somebody changed the username associated with the account to ‘SIM Swapper 1’. They then left a note saying:

I stole $45 mil from you lolol

Is this what it takes to get the attention of security staff working for T‑Mobile US? Do criminals need to literally log on to the telco’s internal systems and leave messages that mock the company’s weak security before somebody does something about it?

‘SIM Swapper 1’ later said he was only interested in stealing from Jones because Jones was a customer of T‑Mobile US.

My reasons related primarily to the ease in which we could perform the SIM Swap. It was extremely easy to conduct a SIM Swap on T‑Mobile’s network using publicly available systems and programs. I had modified a system that allowed my computer to be authenticated by T‑Mobile and to maintain the authentication for extended periods, even weeks at a time. T‑Mobile was an easier SIM Swap target than other providers because no further authentication, such as a PIN or even the last 4 digits of a target’s Social Security Number, was required to access or to move within the system, as I understood was the case with other providers. Once I was into the T‑Mobile system using this method, it was as if I were an unsupervised T‑Mobile employee in any store in the United States, even though I was sitting in my residence in Canada.

He went on to say:

Within the SIM Swapping community, many people were aware of readily available programs and systems that could be used to get into the T‑Mobile system. This process was openly discussed in Discord chats. Using these programs and systems to access T‑Mobile’s system was much easier than other processes that were being used for SIM Swapping at other phone service providers, such as having to pay [bribe] an employee to do a SIM Swap. The ease of complete access while using these tools was also unique to T‑Mobile… AT&T had an entirely different authentication system that was more difficult to access, requiring for example the login credentials of a manager to access certain information. As another example, AT&T’s system would still require the entry of the last 4 digits of a customer’s Social Security Number or the customer’s PIN number to access certain information, while T‑Mobile’s did not require the entry of any additional information once the system was accessed.

‘SIM Swapper 1’ also explained how T‑Mobile lacked even basic geolocation controls that all businesses should use to prevent unauthorized access to systems.

In the JONES SIM SWAP, T‑Mobile’s system did not detect or check immediately to notice that the employee’s credentials had been used in a different location… Had I needed to be in the same state as the employee, I could have done that, but it would have required additional work, and again, T‑Mobile made it easy on me…

No flags were raised by T‑Mobile’s internal systems despite credentials for store staff based in Idaho and Texas being used to access the account of Jones, who lived in California. ‘SIM Swapper 1’ also revealed that staff would reliably divulge information that should have been kept secret.

It was notorious in the SIM Swapping community that the ‘social engineering’ that was required to get employees to turn over their credentials was very simplistic and almost always worked on the first attempt. On the rare occasions that an employee refused to cooperate, the SIM Swapper could simply hang up and call another store. From what I learned online, the typical success rate was 90 to 100% and it rarely, if ever took more than 20 minutes to get credentials, even if more than one call was required. Many of T‑Mobile’s store employees are just kids… T‑Mobile employees had no practice of asking for any sort of identification to authenticate that the caller was a real T‑Mobile employee, to explain why the number that was calling from did not show up as a T‑Mobile number, to provide a number that the employee could call back, or to give more information about the fabricated department that the caller claimed to work in.

My experience in the JONES SIM SWAP was consistent with the above. The ‘social engineering’ involved in the JONES SIM SWAP was very simplistic. We were not asked to provide any sort of identification or authentication to prove that there was a real T‑Mobile employee on the other end of the phone, or why the incoming phone number did not show up as a T‑Mobile number that an employee could use to call back. We simply did a random search of the T‑Mobile store locator, called a random store’s number, and talked to the employee who picked up the phone.

It is worth examining the details of the Jones case not because of what we can learn about anti-fraud controls — no competent professional needs such a basic education on how to stop crime — but because of what it says about the attitudes of people running T‑Mobile US, and the people who run American telcos more generally. T‑Mobile US had an appallingly lax approach to securing customer accounts. They had senior staff who understood how lax their business was; junior staff lacked adequate training; senior staff knew who would be targeted by criminals; junior staff literally monitored criminals as they repeatedly hijacked customer accounts; but the telco still chose to pay expensive lawyers to conduct a protracted fight against a genuine victim instead of admitting their failings.

A few readers have complained I am too hard on American telcos. I disagree. Based on my experience of working with telcos in a wide variety of countries, both rich and poor, the failings of T‑Mobile would be unconscionable in most other businesses, and most other countries. I fear the resistance to my criticisms are symptomatic of a deeper crisis in American business culture. That some Americans assert I am too critical of US telcos is a sign that the entirety of the US industry is suffering from skewed norms. Others will disagree with me, but attention should be paid to who is paying those people, and how much they are paid. It is not hard to find sycophants if you pay well, and the US comms sector pays some people extremely well. The Jones case shows how the amounts being paid to the most expensive advocates of US telcos have no correlation to the quality of the work being done inside those telcos.

I might be a tad more sympathetic to the US mobile network operators if it were not for some personal experience of how their behaviors have evolved. Long ago, I worked for T‑Mobile UK, which was then a sister company to T‑Mobile US. Our revenue assurance team was proactive about sharing our experience of controls with RAFM functions across the rest of Deutsche Telekom’s group. That willingness to share information became the cornerstone of my career and provided me with the initial audience for this website. It also generated so much attention that a special German team was eventually sent from group head office to ‘audit’ how our effectiveness compared to that of our siblings. It is a sign of the political nature of such audits that the two auditors declined my offer to be personally briefed on the work I did, but were sat in the audience as I gave a presentation about my work at a third-party conference held in London the following week. There were no surprises when the audit concluded our UK firm was ranked in equal first place with our counterparts in Germany. The other group companies were ranked as being behind us to varying degrees, apart from one exception. As my manager had previously made clear to me, T‑Mobile US was exempt from group scrutiny. My American counterparts were not to be contacted even for informal sharing of knowledge, despite the CEO of T‑Mobile UK being an American who had previously led an American telco. I continue to believe that American internal control expectations would be significantly higher if American telcos had not been run in isolation from their peers in other countries.

Ivory towers are an obstacle to communications in both directions. An epidemic of scams has forced the FCC to take some faltering steps towards mandating consumer protection controls and this has prompted a slight erosion of the towers built around American telcos. However, there is no real dialogue between the US and telcos in other countries. There has been a noticeable uptick in Americans telling other nationalities what to do, or recounting anecdotes that are meant to show how successful American telcos have been at reducing crime. However, there are few signs of American businesses acting upon advice received from abroad. On the contrary, criticism of the failings of American telcos prompts a mixture of indifference and hostility. I was on the receiving end when a representative of USCellular, an operator currently merging with T‑Mobile US, attempted to censor me by telling Dario Betti, the CEO of the Mobile Ecosystem Forum (MEF), to change an article published several weeks earlier.

That article highlighted a straightforward conflict of interest: it is implausible that the big US mobile operators will be punished for scam calls traced to their networks when those operators also pay the wages of the people tracing the calls. That is just human nature. That is just like the bias of T‑Mobile US fighting their own customers because they do not want to be honest about how poorly their business was run. The criticism of this conflict of interest should stand because people who work for telcos do not just work for telcos. They live in the same society as the people around them, and they have a responsibility to that society too. Weak business leaders such as Dario Betti feel the need to be liked by everybody, and they also seek revenue wherever they can get it. This makes them unsuited to tackling the brutal realities created by criminal activity within the comms sector and the ways that crimes are covered up in practice. I rebuffed Betti’s attempts to censor the article. Soon afterwards he cut the feed of Commsrisk content to MEF’s website, then waited several weeks before clarifying he would no longer pay me to maintain Commsrisk. I resigned immediately upon receiving that news; I had only taken the job with MEF because Betti had said he wanted MEF to become the new publisher of Commsrisk. Like the example of how T‑Mobile US behaved in the Jones case, my story is about the pernicious influence that American business culture can have on people who lack integrity.

I have no doubt there will be many more stories about wrongdoing emanating from US mobile network operators in the next few years. They pay for their advocates to fly around the world, arguing that other countries need to do a better job of protecting American citizens from fraud, as part of a process of distracting attention from their own failings. Meanwhile, there has been an enormous surge in scam calls originated by simboxes located within the USA, using SIMs obtained from US mobile operators. This is happening despite other countries having considerably more experience at eliminating simboxes and reducing the supply of SIMs to criminals. The same kinds of weaknesses in the internal control environment that resulted in SIM swaps will also make it easy to obtain the SIMs which are being used in simboxes. The propensity to cover up failings rather than prioritize their resolution will similarly delay the introduction of new controls to protect the public.

Somebody with a proper understanding of the internal operations of telcos needs to represent the interests of ordinary Americans who fall victim to crimes. That it took 5 years for the American public to be told of the egregious consumer protection failings in a case involving substantial losses for a multimillionaire shows how hard it will be to find people willing to talk candidly about the need for US telcos to do better.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email