[geekifier]

It is an open secret that criminal groups also pay unscrupulous T-Mobile employees to assist with SIM-swap attacks. I am not sure at what scale this happens, as those instances _should_ be easy to trace and prosecute. But I have seen evidence of criminals reaching out and offering "side work" on the T-mobile subreddits, as an example.

In those cases, hardware keys for employees would not help.

[londons_explore]

> those instances _should_ be easy to trace and prosecute

I suspect that the employees aren't merely doing a sim swap attack with their work login credentials. Like you say, they'd clearly get fired/prosecuted for that.

Instead, I suspect criminal X buys a nice thing delivered to employee Y's house. Then, criminal X phones the helpdesk repeatedly till they get connected to employee Y during working hours. Then, they claim to own the phone number of victim Z, but have lost the phone, their id and everything else. But they manage to tell employee Y the answer to two of the secret questions "What is your gender", and "Did you use the internet in the last month?". The employee uses this, together with their judgement to proceed, according to company policy, and issue a new eSIM.

Later, when anyone finds out, the call is listened to, and the employee can legitimately say they were just following policy.

[vain_cain]

Out of high school I've worked a couple of years for A1 telecom(in Croatia) in customer service. When someone called, all I was required to ask is their OIB(Personal identification number) and they could literally ask me for anything if it's a residential user.

Want to cancel 20 numbers that still got 2 years until the contracts expire? Sure, let me do that for you. Want to change sim? Sure, just give me the new sim number. Want to add 5 tariffs to your plan? Sure, do you want phones with that?

That was 6 years ago but I still got friends I talk to there, and not much has changed.

[jabroni_salad]

On darknet diaries the stories told are a little more straightforward.

They just walk in to the store, steal a tablet out of the manager's hands, run away with it, and make all the changes they can with the logged-in session until corporate locks out the device.

[erksa]

People sell this as a service and supposedly have numbers on how long from a provider tablet is stolen until the device gets locked out. If I remember correctly T-mobile was/is considered to have the "longest" time from when the device is stolen, there for the most valuable.

[yborg]

Maybe T-Mo should consider using hardwired terminals again if they can't figure out how to geofence their POS tablets. This also might help with employee job satisfaction since they are less likely to be assaulted at work.

[DrewADesign]

I imagine getting someone job-fair hired under assumed credentials and ghosting after one full shift of abusing their access, or giving a very poorly paid CSR just enough cash to make it worth the risk is probably more straightforward, but I don't know anything about that stuff. Most restaurants/bars I worked at had hourly staff working under 'borrowed' SSNs and names for years, though.

[bitcoinmoney]

Why do you need a gift to the employee?

[forkerenok]

IIRC, on Darknet Diaries podcast they shared that one of the approaches is that someone comes to a location that services T-Mobile customers and has T-Mobile terminal (not necessarily a T-Mobile brand boutique shop). They come with a random request and wait for an employee to sign into the terminal and then pull it out of their hands and run away. They then run against the clock (whatever time it takes to report theft to central T-Mobile office and block the device) to perpetrate the fraud.

I guess a second factor confirmation on every modifying request would solve the issue?

[sally_glance]

I remember a that or a similar episode! And it was apparently even more intricate, the robber being only the lowest member of a whole food pyramid of criminals - after the robbery his only task was to grant remote access to someone who knew the terminal software (probably that would be the paid insider), while in some secret chatroom a third guy already started running an auction of who would get his sim swap processed while the guy who organised the whole thing was relaxing somewhere at the beach watching his percentage of the profits rolling in.

I was kind of amazed and shocked at the same time how there already seems to be an established sim-swap-as-a-service economy with specialized roles and plenty demand to warrant expansion...

[FinnKuhn]

not sure if a yubikey or similar would help here because they would probably just steal that as well, no?

[perlgeek]

There are fingerprint-unlocked hardware keys. Not perfect, but also not trivial to get around in the time it takes to report the key as stolen.

[silisili]

Not only sim swaps, but also phone unlock codes IIRC.