topic Re: malicious sim swapping in Security

malicious sim swapping

Elvira77 — Wed, 03 Apr 2024 15:12:43 GMT

What measures EE takes to prevent malicious sim swapping when hackers pretend to be customers aiming to breach the 2FA mechanism?

I tried to ask the company directly, but there is no suitable category to ask in writing, only to call or send a letter. I find it strange that you cannot chat with or email a representative. I am a new customer to EE.

Re: malicious sim swapping

Chris_B — Wed, 03 Apr 2024 15:35:53 GMT

@Elvira77 there is no email option that you can use as emails are too slow to deal with customer issues. Your account should be password protected and you’ll be asked certain letters of your password when you call customer services you can also be asked a few other questions like how much was your last phone bill? What phone are you currently using? How many lines are your account to name a few. Fail one question and the account is locked. That’s when you will need to go to a store with in date photo ID. I also requested that only numbers on my account can actually be used when calling customer services. So if a different number is used customer services should also not deal with that caller.

Not to mention that you should also receive a text if this was to happen. Thats when you call customer services ASAP as number ports take up to 24 hours to complete so you do have time to call. Any text about a a potential number port. i.e. it will probably start with sorry to see you’re leaving” should be a call to customer services ASAP.

Re: malicious sim swapping

bristolian — Wed, 03 Apr 2024 16:15:46 GMT

Can you expand on what you mean by malicious SIM-swapping?

In order to receive SMS sent to a mobile number, you need access to either the physical SIM, or the phone that has the eSIM within it.

Some requests such as attempts to request a replacement SIM, will trigger a text message to the existing line. That text message should - as already mentioned - trigger an immediate call to CS if the request is not genuine.

Re: malicious sim swapping

Elvira77 — Wed, 03 Apr 2024 16:55:32 GMT

That answered my question, thanks both.

Just getting a bit agitated when I learn about all those novel scams and hacks that are taking place, so I wanted to know I was in safe hands.

Just an additional one that stems from learning the detail: super secure passwords are complicated and I guess nobody remembers them all unless being somewhere far on the autism spectrum. If I cannot provide the details of my password, without having access to them at that moment, can I still get in touch with the customer services about individual matters? I could do it with my previous one, answering their other questions, but they ceased to provide mobile services, hence I found myself in your club.

Cheers!

Re: malicious sim swapping

Chris_B — Wed, 03 Apr 2024 17:05:42 GMT

@Elvira77 The chances are when you call customer services you’ll be doing this from a smart phone and there are many ways to have password saved on your device that are saved very securely this could even be via an app that requires a password to access it. You don’t need to have it written down at home kept in a safe place.

Re: malicious sim swapping

bristolian — Wed, 03 Apr 2024 17:04:54 GMT

CS need to verify the identify of a caller before discussing account-specific information. The password is the usual means, but other questions are available.

Re: malicious sim swapping

NW69 — Mon, 15 Jul 2024 17:23:24 GMT

so - exactly this happened to me - and EE CS staff could not/would not step in and stop the port happening. I called as soon as the hack became clear to me (via a text message saying "sorry to see you go") - and EE staff told me they would not be able to stop it. By now, there really ought to be a way of the mobile service providers being able to talk to each other quickly to block unwanted porting activity. Sure enough, around 24 hours later, I lost access to my phone and the hackers (stupidly) tried to buy loads of Apple gear on my account. Stupidly because it was such a high value basket then my credit card couldn't handle it and my payment method on my Amazon account was declined. I remain extremely disappointed that EE still haven't done anything pro-active to stop SIM swap fraud. Their behaviour is (at best) 100% negligent.

Re: malicious sim swapping

Christopher_G — Mon, 15 Jul 2024 17:40:22 GMT

Hi @NW69

Welcome to the community.

I'm really sorry to hear of your experience. When you report something like this to our Mobile Care team, an investigation should be opened with our Number Porting team, so that it can be investigated and blocked, if possible.

What happened after this? Was the number transferred back? Is everything sorted now?

Chris

Re: malicious sim swapping

NW69 — Mon, 15 Jul 2024 18:08:00 GMT

Hello @Christopher_G - I have no idea if an investigation was opened up but I definitely reported it to the call centre as soon as I became aware - and unfortunately the staff were really not that clued up as to what to do. If an investigation has been opened, EE are not being transparent about the process and have failed to report back on what exactly and how it happened and share information with me (the victim of the fraud.) I've asked how exactly someone was able to undertake a SIM swap hack on my account but EE clearly don't want to share what to me would clearly be quite useful information at least in terms of understanding what happened. My only assumption at this point is the lack of information or reticence/unwillingness to share is because EE knows that its systems are open to fraudulent activity, potentially perpetrated by its own staff even (what else can I assume at this stage?) and doesn't wish to publish or share that fact openly any further. I'm slightly astounded by the number of topics covering SIM swap hack or SIM swap fraud in this EE Community forum alone.

All I do know is that my Amazon account was hacked for starters (as mentioned above) and I had to change all my online identities for fear of other breaches elsewhere. I had no compensation given by EE for what happened. I do now have my EE number back and on an EE sim card. I don't mean to sound impolite, but I wonder if you're not the best informed about what EE can and will do when an unsolicited number port takes place.

You may detect a hint of bitterness in my note here - and you'd be very right. The incident upset my (digital) life for a couple of weeks and caused huge amounts of stress - which was only exacerbated by EE's behaviour. It was only by virtue of me having a work phone on a different network and number, that I was able to take action in the first place.

regards

@NW69

Re: malicious sim swapping

James_B — Tue, 16 Jul 2024 08:02:22 GMT

Hi @NW69,

I absolutely understand how you are feeling about this incident - having your identity stolen is and incredibly stressful experience.

The fact that the number transfer has been reversed indicates that the agent you spoke to took the correct action and raised this off to our fraud team to resolve.

As a next step, I'd recommend speaking to the team again on 150 who can complete a security review on your account and add in extra security measures to prevent anyone who knows your personal details/security information from trying to takeover your account again.

James

Re: malicious sim swapping

loobyloo5 — Mon, 02 Sep 2024 14:39:33 GMT

This happened to me also but with Three though weirdly number was moved to EE. Three were just as if not more useless than EE so I've closed my account with them and moved here, I'm hoping EE can provide me with a more secure set up that someone cannot, within 3 hours, make my life a nightmare.

Re: malicious sim swapping

Elvira77 — Thu, 09 Jan 2025 10:28:06 GMT

Hello,

This is a follow up on my query, if anyone is around to address this.

The hacks and scams are getting ever more elaborated, with massive data leaks and AI collating data from various resources to get a better picture of the victims, before the final hit.

All those details mentioned here look as good, but only until you find the weakest point. Like 24 hours for swapping. I personally don't use my device all the time, like some people cannot pull their eyes off the screen. There are weekends when I don't touch the phone. 24 hours won't protect me. I should be no slave to the phone to keep checking it every few hours.

Characters of password: if my cookie sessions were stolen, passwords won't protect me. Even password manager had a data leak in the not so distant past.

One way of securing the SIM against malicious swapping would be locking it with additional pin code that is noted nowhere else. It is a simple number, not a super secure password I would need to access somewhere else first to give you particular characters, and when I am out and about, that would be impossible as I don't interlink all my data across all my devices. I isolate certain things to have a better control.

With spoofing being ever easier these days, it is not too difficult to make your phone look like you are the actual owner of the number, to the provider, so another not so guaranteed security measure busted.

My question is: is there a chance to lock the sim card in the operator's accounts (not just locally in my phone), to prevent unauthorised swap? I think Americans have it. Do we have it too, in the UK? Then the only weakest link would be your own databases, if this detail got breached. Nobody is immune against attack.

Re: malicious sim swapping

NW69 — Thu, 09 Jan 2025 11:29:08 GMT

James B and Chris G … you should both be aware that EE’s CS team advised me that EE cannot stop a number port once it is in train.

One of you advised that … “Not to mention that you should also receive a text if this was to happen. Thats when you call customer services ASAP as number ports take up to 24 hours to complete so you do have time to call. Any text about a a potential number port. i.e. it will probably start with ‘sorry to see you’re leaving’ should be a call to customer services ASAP.

I called CS team as soon as I got one of those texts (I could not have reacted any quicker - within a minute !!!) - and EE CS team did nothing to stop the port (or could do nothing to stop the port.)

For a claimed industry-leading operator, EE are still very much on the backfoot here. The only positive thing I can say is that EE seem gradually to be rolling out 2FA at last.

Re: malicious sim swapping

Elvira77 — Thu, 09 Jan 2025 12:17:34 GMT

So since my lengthy comment disappeared today, here we go again.

I keep learning about weaknesses in cyber security and I am getting more concerns. Some suggestions here are not robust enough. There are continuous and widespread data breaches, our data of all sorts pouring to the dark web (forget data brokers, they are toddlers in comparison to this), and AI collates the data to get a more complex picture about the victims before the final hit.

1. making sure that only the call from the relevant number is taken seriously by the EE team is not sufficient as numbers can be easily spoofed these days. Besides, if you lost your phone and got a new one, this option is redundant.

2. as mentioned earlier, all the passwords, last 4 digits of bank account or any other info asked during the checking - all these data can be harvested by malware and who knows what your operator needs, they can easily provide everything. These scams are getting more elaborate than ever before. Me tailoring my CVs to particular positions also led to repeated success instead of just throwing a generic CV around like a spam.

3. even a password manager got a leak in the recent past, so that also can be breached, let alone passwords saved in the browsers. There was a fake google authenticator app in the wild recently and also over 30 google extensions were injected with a malicious code, extracting data from browser of over 2 million people (that is known of).

I could go on and on. Just assume your data is already there and it is just a matter of time before you will be a target.

What I see viable in addition to all these options is a separate pin code, easily remembered, set up in the operator's accounts, (not the one in the phone to lock the sim). That one will only be vulnerable if the operator's database got breached. If you ask me for particular characters of my complex password, which got leaked, that won't help, and if I am in a hurry, I would need to access my other device first to see what the password was. That is hard to do when I am away from that device. I isolate my devices and data on them, not having everything linked with everything.

Is there anything of this sort in EE, a special code that prevents anyone from using all other leaked data to target individuals' account?

Re: malicious sim swapping

Peter_W — Thu, 09 Jan 2025 15:37:26 GMT

Good afternoon @Elvira77.

Welcome back to the EE Community, and thanks for your suggestions here to.

This isn't an option we offer at present, but I'd like to reassure you that we recognise security around SIM swaps is massively important.

If you need a replacement for a lost or stolen SIM, this can only be sent to the address registered on your account, and is sent pre-activated.

The alternative here would be to visit one of our retail stores with a form of valid photo ID.

If a customer has an inactive SIM, for example if they need a new size SIM, as well as completing standard account security we also send out a one time PIN to the existing SIM linked with your number.

If the customer can't confirm this to us, we will not activate the SIM, and they would need to look at the lost and stolen option for a replacement instead.

Peter

Re: malicious sim swapping

Elvira77 — Thu, 09 Jan 2025 17:18:26 GMT

Thanks for such a speedy response.

I still have questions (that pesky inquisitive mind of mine):

You wrote: "If you need a replacement for a lost or stolen SIM, this can only be sent to the address registered on your account, and is sent pre-activated."
If someone is after me, they might intercept this letter and get a full access to an already activated sim card. Is it really that safe? Is the original sim card deactivated before this replacement is sent out so at least I would have some time to figure out something is going on? If lost or stolen, I would expect this to be a logical chain of events. But then there is a delay when one cannot access accounts for a number of days. So either this card is sent as a priority with the next day delivery, or second class that it takes a few days, there are pros and cons to both.

"The alternative here would be to visit one of our retail stores with a form of valid photo ID." fakes are pretty good these days, so even this can be misused several different ways. And even if you had my photo id with facial algorithm stored in your database (which you don't) for verification purposes, even if it could be a viable option for the majority of people, some individuals after an accident with disfigured facial features might have a problem with this. But that is just a side note. Those with faces full of fillers that they look like nothing of their prior selves, those need to sort themselves out LOL.

I am not sure I understand that part with one-time pin you send out. How is it used exactly? You say they have an inactive sim, but then you send a code to the existing sim. You mean before the original sim is deactivated and the inactive sim is already sent out?
That ins't the case I meant originally.

How the customer authenticate that it is really them, outside of potentially breached various details they usually need for authentication. Something only this person knows that is not recorded by a key logger, or stored in some common database (except of yours), the final piece of puzzle that would make all the efforts of scammers fail. No sim card should be sent out, especially not activated, without this piece, if the customer sets it up. I think we should have this option. And if I was that pedantic, this pin code should be stored in a separate database, not with the usual customers' details that also get breached one organisation after another. If the scammers have everything else about me, but lack that one code, they are doomed. And the EE customer service should under no circumstance disclose it to anyone. They shouldn't even have access to it without extra verification and with a limited access time, like bank accounts log out after a few minutes of inactivity.

How about that?

Re: malicious sim swapping

Peter_W — Thu, 09 Jan 2025 18:14:00 GMT

Hi again @Elvira77, the process for inactive SIMs is what would happen if someone still had a working SIM but then requested a new one to be activated to replace this.

As I mentioned, this would be for situations like a customer upgrading their phone and needing a different SIM size, and it's possible for them to order an inactive replacement online.

In sending a PIN to the existing active SIM, this way we are able to verify that the person we're speaking with is the person that uses the number.

Peter

Re: malicious sim swapping

Isit1997again — Tue, 15 Apr 2025 18:24:58 GMT

You said

“If you need a replacement for a lost or stolen SIM, this can only be sent to the address registered on your account, and is sent pre-activated.

The alternative here would be to visit one of our retail stores with a form of valid photo ID”

clearly this is not the only truth here if sim swapping is taking place.

The point of this thread was to ask what ee is doing to protect us. You have offered no insight or reassurance.

Original posters pointed out that 24 hour warning is the weak point, because it makes no difference if we contact you as you already initiated a one way process.
Why is the process one way? When are you changing it?

Re: malicious sim swapping

loobyloo5 — Tue, 15 Apr 2025 21:12:33 GMT

No, you don't need access to the physical or esim, you merely need to contact the phone provider explaining that you've lost your phone/sim and can they switch your number to another SIM - in my case the only security they needed ( not EE) by the way was my date of birth and they took it over, the first I knew was receiving an email saying thanks for changing your email password show up on my phone and then I realised I had no phone number on my phone and then several weeks of pain ensued trying to get it back. I have now registered a password with EE that would be needed to get a new SIM

Re: malicious sim swapping

loobyloo5 — Tue, 15 Apr 2025 21:15:22 GMT

Snap though mine was with Three, I did complain and was referred to ombudsman and received a proper apology and a financial award