AT&T subscribers have been hit by a scam in which criminals hijack the SIM card in mobile phones to make international calls. With experts warning of more serious swindles to come, one would expect the carrier to move aggressively against the scammers. Instead, its response leaves you wondering whether AT&T is ready to protect customers.
A SIM card contains the data needed to authenticate subscribers on a wireless network. Crooks who have been able to transfer that information to another card have used it for online banking fraud and for making overseas phone calls.
The scam is less about technology and more about tricking people. Con men call their potential victims, convince them the call is from their wireless provider and then ask for the last four digits of their Social Security number. Before making the call, the scammers do their homework and get the victim's name, address and other personal information the carrier would likely have.
Once they get the four digits, the tricksters call the carrier and have it transfer the authentication data to a SIM card in their own mobile phone. Such transfers are routine when a person buys a new phone.
When the scam is completed, the victim's phone goes dead. While he tries to figure out what happened, the swindlers have time to make international calls or break into the person's online banking account.
The latter has been done successfully in South Africa, where banks require people to type in a one-time personal identification number sent to a mobile phone before completing a money transfer. For the fraud to work, the criminals would need the user ID and password the victim uses to log into his account. Those credentials are often purchased in advance on an underground marketplace.
Banking fraud often occurs in places where the phone is the primary computing device. Many countries in Africa were never wired for the Internet, so the phone is often used for banking and making purchases, activities mostly done on PCs in the U.S.
Nevertheless, AT&T subscribers have been victimized by some form of the scam. Two cases in Atlanta included a man who ended up with more than $2,600 in international calls on his bill, and a family whose account was charged for hundreds of calls, according to Bloomberg.
In the latter case, sisters Mari and Candace Sawyer have filed a complaint with the Federal Communications Commission, accusing AT&T of failing to tell customers about the SIM-card fraud.
AT&T ignored my request for comment, but told Bloomberg it was "working to educate our customers on how to protect their information from social engineering." The carrier gave no details on what happened to the victims.
While the carrier is "working to educate," the fraudsters are just getting started. Security experts do not believe the criminals behind SIM-card fraud only want to make international calls at the expense of hapless U.S. subscribers.
What we're seeing is experimentation to see what works. "I very much get the feeling that these are guys who are importing a fraud technique (from Africa) and trying to adapt it to the U.S. to see how they can make money," Marc Rogers, principal researcher for mobile security vendor Lookout, told me.
AT&T and other wireless carriers intend to make it as easy as possible for people to buy stuff with their mobile phones and share the profits with retailers. But as I said before, people are not going to trade credit cards for a mobile phone until they feel they are protected against fraud.
The first thing carriers must do to build trust is to make it clear to all subscribers that they won't be held liable if they are victims of fraud. The banks do it with credit cards and carriers need to do the same when people get flimflammed on any transaction the carrier has an interest in.
I guarantee that if AT&T covers losses, then security will go beyond just educating customers.
AT&T and its competitors have to show they get it when it comes to security and put in place measures that build trust. Until then, no one should take them seriously when it comes to mobile commerce.