grep jason_ - Identity Theft Vectors (Cell Phone SIMs)

I am in no way claiming to be a security expert, but security has always been a huge interest of mine. From time to time I run into things in our big wide world that are glaring security holes or poorly implemented solutions. I wanted to take time to document these in a more formal manner on my blog rather than just social media bursts in the hopes it will help in some small way to bring more attention to security (electronicĀ & physical) in our day to day lives.Today, our focus is on a potential Identity Theft vector I ran across today. The following events took place at a local AT&T Wireless store.

Thursday, April 10, 2012. 10:30am. I needed something from the AT&T store, so I drove down to the local AT&T store that is close to where I work. Upon arriving I was greeted at the front door, and had my name put on the customer service wait list. Fortunately it was pretty early in the day so I got right up to a rep to discuss what I needed. Below is how the conversations went.

Conversation with AT&T Customer Service Representative

me: Hello, I replaced one of my phones with a new one, and it takes a micro sim instead of the normal sim, so I need to get a replacement.

CS REP: Absolutely, noĀ problem, can I please have your phone number.

me: Sure.
not having it memorizedĀ becauseĀ I use Google Voice, I reach in my pocket and pull out a post-it note with the number written on it and proceed to read it to the rep right off the post-it note

me: It is 408--*.

Rep does some typing and clicking on the computer

CS REP: Thank you, I will be right back.

Rep goes into back room for around 2-5 min and then returns

Rep scans the new SIM card and proceeds with some more clicking and typing

CS REP: Do you have the phone with you?

me: No, I don't have it with me right now.

CS REP: No problem.

A little more typing and clicking on the computer, and the rep walks around from behind the counter and hands me the shiny new SIM.

CS REP: You're all set, thanks for choosing AT&T.

I leave the store

Aside from the oddity of it being a very good customer serviceĀ experienceĀ at a cell phone store, you may have noticed that I was never asked for a single bit of detail about the account! I not only was asked for just the phone number on the account, I didn't even know the number and had to read it to them from a post-it note. The entire time I was talking to the rep, I kept thinking the next thing they ask has to be something to confirm this account is mine. Nope, not once. Could this happen again, or did all the stars just happen to align right for me that one time? Not sure, but I would imagine itĀ wouldn'tĀ take much in the way of social engineering to do this again.

This isn't exactly identity theft as we are used to hearing about, but nowadays your cell phone is rapidly becoming your identity, and if someone gains control of it, you could be in real trouble. Think about things like 2 factor authentication that sends your OTP codes to your phone.

Hope you enjoyed this little story, and let me know if you have had similar experiences.

I will be sending a note to AT&T about this matter, not to get anyone in trouble, but just to remind them to be vigilant with customer data.