T-Mobile rep gets bamboozled into a SIM swap... all to steal a cool Instagram handle

Oh, the times we are living in. The good old days of number transfer scams are somewhat exhausted, it seems, as carriers are more "woke" to the problem now, and have put safeguards against unauthorized number porting. When you are trying to steal that coveted three-letter OG Instagram account, however, all bets are off.

That's exactly what happened to one Paul Rosenzweig, a software engineer fairly well-versed in account security, who took all the port-out scam precautions that T-Mobile now requires, like extra port validation pins or passwords. Still, he got bamboozled out of a sought-after Instagram account name by another method - SIM swapping. When you lose or damage your SIM card, or you get a phone that uses a different card size, you can ask your carrier to activate a new one, and that's exactly the process that was turned against Mr Rosenzweig.

The person who wanted access to his social media accounts simply called a few T-Mobile stores in the region and managed to get one employee to activate Rosenzweig's number on a phone they control, effectively rerouting all security code confirmation text messages to it. The victim didn't notice he had lost signal at first, as he was at home browsing on Wi-Fi, but he did get a reset email from Instagram, and went to his account to relink his original email to his profile again.

When Snapchat sent him a password reset email notification the next morning, too, the proverbial bulb lit up in his head. He set up two-factor authentication for Snapchat, but, since Instagram allows changes to your profile to be effected with a link sent to your handset as well, a landgrab of his user name had already been carried out. Instead of the short "par" moniker he had, an OG teen dream to acquire, his user name was now the automatically generated "par54384321."

Long story short, Instagram in the end did the right thing and assigned his original user name back to him, but he was still hoodwinked out of it from another phone number scam angle, thanks to lax security strategies at both his carrier and Instagram, so word to the wise. "My phone was dead. I couldn’t even call 611," advised Paul Rosenzweig, indicating that the port-out scam precautions should now move to the next fraud pasture, in a constant game of whack-a-mole for carriers. Anyone willing to pay for a cool Insta handle? Someone is selling.

source: KrebsOnSecurity

5 Comments

1. libra89

Posts: 2119; Member since: Apr 15, 2016

This is crazy to do all of this over a username...

2. EC112987

Posts: 1211; Member since: Nov 10, 2014

A lot had to go right for the name to be stolen.

3. matistight

Posts: 887; Member since: May 13, 2009

Exactly

4. hallucinogenius

Posts: 21; Member since: Sep 14, 2013

Some employee messed up. At the store level they aren't allowed to make changes or even discuss an account unless they have you in the store with them and can verify your photo ID. They even have periodic corporate security training to prevent this type of fraud.

5. Zomuu

Posts: 2; Member since: May 21, 2018

Can you guys get their response on that LocationSmart article you guys posted? That's more important.
