AT&T rolls out Wireless Account Lock protection to curb the Sim-swap scourge

Fatesrider

Ars Legatus Legionis
25,458
Subscriptor
These criminals are really clever. One wonders what they could accomplish if they devoted their minds to constructive things.
Given their proclivities, I'd guess chaos and disorder. Those who don't play by the rules are breaking them, after all.

Psychopaths be that way.
 
Upvote
19 (20 / -1)

lp0_on_fire

Ars Scholae Palatinae
637
Someone successfully SIM swapped my T-Mobile iPad line a few years ago, to what end I have no idea. I couldn't have told you the phone number if you put a gun to my head.

It seemed like a wild shot in the dark that they were targeting a bitcoin high roller and not a child's Apple Watch or an MDM modem that reports the level of the toilet tank on a train.
 
Upvote
38 (38 / 0)

Ryan B.

Ars Praefectus
4,190
Subscriptor++
Or maybe we should stop using SMS as MFA.

Genuine question: is there any way to avoid it as an end user? I have been under the impression that the other party (the account provider) needs to implement an alternative, more secure scheme, and that's only gonna be a handful of nerd-friendly services.
 
Upvote
57 (57 / 0)

Lunakki

Wise, Aged Ars Veteran
106
Subscriptor
Genuine question: is there any way to avoid it as an end user? I have been under the impression that the other party (the account provider) needs to implement an alternative, more secure scheme, and that's only gonna be a handful of nerd-friendly services.
Right, it's up to the service/account provider. I once had an account compromised because my bank turned on SMS "MFA", didn't tell me, and did it in such a way that you could get access to the account purely through SMS (you could reset both the password and pin using just a code sent through SMS). I think there wasn't any way to disable it either. So if anybody was able to gain access to my texts, they could get into my bank account, and there was nothing I could do about it except switch banks (which I did).

It's frustrating, for sure.
 
Upvote
61 (61 / 0)

adespoton

Ars Legatus Legionis
10,772
Genuine question: is there any way to avoid it as an end user? I have been under the impression that the other party (the account provider) needs to implement an alternative, more secure scheme, and that's only gonna be a handful of nerd-friendly services.
There's no way to avoid it without the providers implementing it. That said, Apple and Google both provide authentication services that are worlds better than SMS (by using their own encrypted IM solution or using account-based 2FA or by using Passkeys). They provide APIs that are freely available for providers to implement. But as long as SMS exists, providers already using it for 2FA will continue to do so.
 
Upvote
27 (29 / -2)

bigmig

Ars Tribunus Militum
1,926
If it's irrevocably locked unless using the app on the device, how do they handle lost / stolen devices? The AT&T site didn't say.
My question exactly. At a minimum it seems like you'd want to be able to approve from multiple devices before enabling it. Unless there's a backdoor that employees can use to override...which seems like it would sort of defeat the purpose?
 
Upvote
25 (25 / 0)

equals42

Ars Scholae Palatinae
1,245
Subscriptor++
SMS is not a good MFA. These wouldn’t be targets if dumb ass companies weren’t using texts as 2FA. (Unless you’re a celebrity/royal the paparazzi are trying to get dirt on.)
I don’t have a single bank or investment account that offers anything useful. I think Fidelity has a weird hardware token that is only from one company and it sucks. I keep asking them to let me use Yubikey type devices and TOTP but it’s like pissing into the wind.
 
Upvote
29 (29 / 0)

21five

Ars Scholae Palatinae
734
My question exactly. At a minimum it seems like you'd want to be able to approve from multiple devices before enabling it. Unless there's a backdoor that employees can use to override...which seems like it would sort of defeat the purpose?
How does this work when you get a new phone? Or if your old one breaks or is stolen/lost? How do you turn this off, in order to move to a new device, and then turn it back on, if you don't have access to a device?
If it's irrevocably locked unless using the app on the device, how do they handle lost / stolen devices? The AT&T site didn't say.

There is a “show your government issued ID in store” recovery process. (This was mentioned during the in-app activation, it doesn’t seem to be in the help documentation.)

It’s unclear whether that process involves additional verification steps with a small set of authorized employees that can deactivate it.
 
Last edited:
Upvote
37 (37 / 0)

Alexstarfire

Ars Scholae Palatinae
749
How does this work when you get a new phone? Or if your old one breaks or is stolen/lost? How do you turn this off, in order to move to a new device, and then turn it back on, if you don't have access to a device?
It's on your account, not your device. Granted, not having your device makes it harder to access the app, but that's not the only way to access the app. Any other Android/iOS device would be able to access it.

I would hope you could access it via their website as well, but it only mentions the app here.
 
Upvote
7 (8 / -1)
I'm curious if this will actually work. Consumer-facing logins often have pretty weak recovery mechanisms because people lose their credentials all the time and it's bad for business, outside of niche paranoid markets, to just tell people too bad, so sad, we weren't joking when we said only you had the decryption key.

If your fundamental problem is that you basically don't verify your customers to any acceptable level, it seems like a real possibility that they are just turning this into a "pretend to be a confused user until they give you access to the lock/unlock switch; then SIM swap" process.
 
Upvote
15 (15 / 0)

ScifiGeek

Ars Legatus Legionis
19,108
It's on your account, not your device. Granted, not having your device makes it harder to access the app, but that's not the only way to access the app. Any other android/iOS device would be able to access it.

I would hope you could access it via their website as well, but it only mentions the app here.

Looking at the link provided in another post:

https://www.att.com/support/article/wireless/000102016/

"You can only turn Wireless Account Lock on or off using the myAT&T app. The app needs to be installed on a device that is active on your Wireless account. Download the myAT&T app now"

It has to be on the app, of another wireless device already connected to that wireless account. IOW you need multiple devices on that account.

So it kind of sucks for people that only have one wireless device (like me).

So it's right back to convincing people you are who you say you are, to get things straightened out if the phone is lost/stolen.
 
Upvote
7 (7 / 0)

bigmig

Ars Tribunus Militum
1,926
So it kind of sucks for people that only have one wireless device (like me).

Perhaps those of us with only a single line aren't really the types of customers that AT&T wants.

(In fairness, I'm on a family plan, so I assume I could probably have one or more other family members install the app to approve changes, assuming they had the appropriate permissions.)
 
Upvote
3 (3 / 0)

clewis

Ars Tribunus Militum
1,866
Subscriptor++
SMS is not a good MFA. These wouldn’t be targets if dumb ass companies weren’t using texts as 2FA. (Unless you’re a celebrity/royal the paparazzi are trying to get dirt on.)
I don’t have a single bank or investment account that offers anything useful. I think Fidelity has a weird hardware token that is only from one company and it sucks. I keep asking them to let me use Yubikey type devices and TOTP but it’s like pissing into the wind.
USAA is the only bank I have that doesn't exclusively use SMS 2FA. But they have other issues. My "password" is a 4 digit number plus the 6 digit token I get from an app on my phone. If I disable 2FA, my password is a 4 digit number.

This covers 1 for-profit bank, 2 credit unions, 1 brokerage, 4 retirement accounts, and 1 college 529 account.
 
Upvote
21 (21 / 0)

jasonmicron

Ars Tribunus Militum
1,810
A separate scam from 2022 gave unauthorized access to a T-Mobile management platform that subscription resellers, known as mobile virtual network operators, use to provision services to their customers. The threat actor gained access using a SIM swap of a T-Mobile employee, a phishing attack on another T-Mobile employee, and at least one compromise of an unknown origin.
I don't know if it was this exact circumstance, but Jack Rhysider had a guest on his podcast that explained, in detail, how this would be carried out - by one of the perpetrators. I think the episode of Darknet Diaries was called "Hot Swaps" or something similar.

It is a vile, but equally impressive operation. And this is just my memory (so, hazy) and very high level:

The guest said this only worked at T-Mobile when they were doing it. You had a driver, another guy in a remote location with as many browser tabs open as possible to bank / crypto sites with the user's name and password ready (oh yeah, you already had to know their login credentials), a person being a "reader", and a fourth person as the "runner".

The "Runner" would go into a T-Mobile store and talk with the sales guy until they saw them open up an "admin" area or something on the device (basically allowing the employee to port a number to a new device). He would then grab it and run to the car, and the "Driver" speeds off. The clock is ticking.

They have about 10 minutes before T-Mobile IT will block out the employee's now stolen pad from their network and undo everything that follows. The "runner" will port the intended victim's number to a device they have in the car (the SIM swap is now done).

The "hacker" (the remote guy with the tabs open) will now start logging into as many sites as possible and the MFA is allowed (SMS only of course, relayed by the "reader") using the swapped phone. Once in, the account password is changed and the hacker moves on to the next site. Rinse, repeat. Again, they would have only around 10 minutes in total.

I highly recommend listening to the podcast episode if you haven't already.
 
Last edited:
Upvote
22 (22 / 0)

Secondfloor

Ars Praefectus
3,324
Subscriptor
How does this work when you get a new phone? Or if your old one breaks or is stolen/lost? How do you turn this off, in order to move to a new device, and then turn it back on, if you don't have access to a device?
Hey, I know you’ve only been here 23 years, but did you know Ars articles are typically condensed versions of information, and they almost always provide links to the source material for further reading?
 
Upvote
6 (13 / -7)

TheFLP

Ars Praetorian
427
Subscriptor++
Once again they only offer this to post-paid subscribers. Prepaid folks are left behind again. :rolleyes:

AT&T Prepaid accounts can use Wireless Account Lock. The instructions are on a separate tab of the same help page: https://www.att.com/support/article/wireless/000102016/

Or if, like me, you have an ancient prepaid plan from the candy-bar phone era,[1] the app is useless to you. Do this instead:

  1. Sign in at https://paygonline.com (yes, there's an "o" missing 🙄).
  2. Click on Profile & Settings.
  3. Click on Account Info & Preferences.
  4. Scroll down to Wireless Account Lock.
  5. Click Turn On.

They'll send a six-digit PIN to your phone (yes, by SMS 🤦‍♂️). Enter this into the web site, and you're locked.

The app is clearly not required here, so the security seems to rely on (1) my paygonline.com login and (2) the PIN. Whether this is protecting me from social engineering attacks on AT&T support reps, I have no idea.

[1] You can use it with a smartphone for voice; you just need a separate data plan.
 
Upvote
7 (7 / 0)

DanNeely

Ars Legatus Legionis
16,150
Subscriptor
There is a “show your government issued ID in store” recovery process. (This was mentioned during the in-app activation, it doesn’t seem to be in the help documentation.)

It’s unclear whether that process involves additional verification steps with a small set of authorized employees that can deactivate it.

That's probably as good as they can do; but forging govt ID is possible (and almost certainly at a better quality level than a fake ID to get booze), and to pwn a crypto whale's account definitely worth doing.

The real problem is that SMS 2FA should not be enabled for crypto (or really anything financial). The bare minimum should be an authenticator app; and for people with large accounts a dedicated stand alone key device.

Edit: On second thought, a fake ID probably doesn't even need to be as good as the ones used to buy booze. Penalties in the US for selling to kids are business-ending high; almost all bars/etc take them very seriously. Short of regulations that make the phone company liable for megabuck losses suffered due to SIM swapping attacks I doubt the average phone sales clerk is going to be nearly as diligent.
 
Last edited:
Upvote
12 (12 / 0)
That's probably as good as they can do; but forging govt ID is possible (and almost certainly at a better quality level than a fake ID to get booze), and to pwn a crypto whale's account definitely worth doing.

The real problem is that SMS 2FA should not be enabled for crypto (or really anything financial). The bare minimum should be an authenticator app; and for people with large accounts a dedicated stand alone key device.

Edit: On second thought, a fake ID probably doesn't even need to be as good as the ones used to buy booze. Penalties in the US for selling to kids are business-ending high; almost all bars/etc take them very seriously. Short of regulations that make the phone company liable for megabuck losses suffered due to SIM swapping attacks I doubt the average phone sales clerk is going to be nearly as diligent.
Our govt issued ID has biometric authentication built in when used for these types of transactions. Is the US that far behind?
 
Upvote
1 (2 / -1)

Wheels Of Confusion

Ars Legatus Legionis
76,062
Subscriptor
Our govt issued ID has biometric authentication built in when used for these types of transactions. Is the US that far behind?
Because of the dual "conservative" pillars of wanna-be Libertarians and premillennialist Religious Zealots, Republicans hate and I mean loathe the idea of any kind of "National ID" right up until you mention the word "immigrants." So we've never had truly national IDs.
 
Upvote
12 (14 / -2)

Madestjohn

Ars Tribunus Angusticlavius
7,803
Upvote
8 (9 / -1)

cneth

Seniorius Lurkius
6
Subscriptor
SMS is not a good MFA. These wouldn’t be targets if dumb ass companies weren’t using texts as 2FA. (Unless you’re a celebrity/royal the paparazzi are trying to get dirt on.)
I don’t have a single bank or investment account that offers anything useful. I think Fidelity has a weird hardware token that is only from one company and it sucks. I keep asking them to let me use Yubikey type devices and TOTP but it’s like pissing into the wind.
Fidelity enabled support for Google Authenticator/etc MFA last year. Still no Yubikey, tho. I worked with a bank that used RSA keys some years ago - but they phased them out for SMS. Sigh.
 
Upvote
6 (6 / 0)
SMS is not a good MFA. These wouldn’t be targets if dumb ass companies weren’t using texts as 2FA. (Unless you’re a celebrity/royal the paparazzi are trying to get dirt on.)
I don’t have a single bank or investment account that offers anything useful. I think Fidelity has a weird hardware token that is only from one company and it sucks. I keep asking them to let me use Yubikey type devices and TOTP but it’s like pissing into the wind.
Fidelity doesn't support just any TOTP but they do support Symantec VIP. I've been using it on my Fidelity account for more than a year.
 
Upvote
5 (5 / 0)

charltjr

Smack-Fu Master, in training
87
I'm still surprised and a bit depressed by how few providers support anything other than SMS.

Here in the UK, PayPal, Amex, the UK government tax service, and a few financial providers I use let you use a proper MFA authenticator app but so many still just send text messages. Own the phone number, own the account.
 
Upvote
3 (3 / 0)