T-Mobile has launched an internal investigation into an apparently unauthorized SIM swap that resulted in a customer’s Instagram credentials being stolen. For those who aren’t aware, a SIM swap is generally used when a customer’s current SIM card is damaged or when they need to switch to a SIM of a different size. What makes this case interesting is that the customer in question is Paul Rosenzweig, a software engineer who had followed all of the carrier’s security advice. That previously included setting up a SIM PIN, which prevents users from accessing any mobile data, text messages, or calls from a stolen device. However, that did nothing for Rosenzweig since the thief in question simply called around to T-Mobile retail locations until a representative willingly performed the SIM swap. A SIM PIN only protects data on the actual device that has a customer’s current SIM in it.
What makes this breach interesting is that security problems stacked, leading to Rosenzweig’s Instagram account being stolen. Although the T-Mobile employee in question is responsible for the SIM being ported out, Instagram’s security failed as well. Worse, Rosenzweig’s Snapchat account was also affected. That’s down to how those services’ authentication works, highlighting what may be a problem in those types of systems. In fact, it was those breaches that ultimately led to Rosenzweig noticing that his phone no longer had service, since he had been at home using Wi-Fi when it happened. After receiving an email that his Snapchat password and Instagram username had changed, Rosenzweig enabled two-factor authentication for Snapchat and didn’t receive a text message to confirm. Although the software engineer was able to get both of his accounts back, this shows how damaging an unauthorized SIM swap can be.
As a result of this breach, T-Mobile is now advising customers to call customer support and set up a SIM lock for their accounts. That will effectively ensure that anybody trying to perpetrate a SIM swap attack needs to go into a retail location physically and present identification before one will be performed. Consumers using other wireless carriers will want to make an effort to call customer support and determine whether a similar security feature is available for their own accounts.