Jones was a crypto bigshot and a T-Mobile customer from October 2014 until March 2020. On February 21, 2020, a seventeen-year-old Canadian hacker and his online accomplice stole cryptocurrency "worth nearly $37 million at the time and worth around $53 million today" from Jones by taking control of his T-Mobile number.
Controlling the number meant the attackers received every call and text sent to it, including the SMS one-time passwords (OTPs) used to authenticate to his cryptocurrency account. That was enough to get in and drain the account.
T-Mobile detected and reversed the swap within 16 minutes, but by then the funds had already been moved.
T-Mobile did nothing to secure Jones's account in the week following the attack. Seven days after the attack, the cybercriminal even left a note in the internal system, which read: "My name is . . . I stole $45 mil from you lolol[.]"
T-Mobile had known about SIM swap attacks since 2016, but prevention wasn't a priority
T-Mobile had known about SIM swap attacks affecting its customers since 2016. By March 2018, it knew that the attacks caused financial harm to customers.
SIM swap attacks involved a combination of tricking and bribing employees to get into T-Mobile's systems. From 2016 through February 2020, 27,000 T-Mobile customers were victims of such attacks.
The SIM swap community saw T-Mobile as an easy target. The attack on Jones wouldn't have been attempted if he had a different provider, according to one of the hackers.
Publicly available systems and programs were used to perpetrate the crime. The process was freely discussed in Discord chats.
T-Mobile was an easier SIM Swap target than other providers because no further authentication, such as a PIN or even the last 4 digits of a target’s Social Security Number, was required to access or to move within the system, as I understood was the case with other providers.
–SIM Swapper who stole crypto from Jones
T-Mobile had fewer guardrails than other carriers, and its employees received little training to recognize, prevent, disable, or report such attacks. Once authenticated to T-Mobile's systems, attackers could stay logged in for weeks at a time, and the company did not check for location red flags, such as access from a place that did not match the employee's store.
T-Mobile granted extremely broad rights to all retail employees, so the credentials of any such employee would do, whether they had worked there for years or for just a few hours. Once into the system, there were no apparent limitations on my access to Mr. Jones’s customer account.
–SIM Swapper
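The two quotes above and the paragraph before them list the controls the swapper says were missing: no customer step-up (PIN or last four of the SSN), sessions that stayed valid for weeks, no check that the request came from where the employee actually worked, and full account access for a hire of a few hours. As an added example (not code from the article or from T-Mobile), the Python below turns those gaps into a policy check a carrier could run on every SIM-change request before it executes. The record layout, field names, thresholds and the two sample requests are all constructed for illustration; the rule names map one-to-one onto the weaknesses the article describes, and the fraud-flagged-SIM rule reflects the later point that a SIM deactivated for fraud could be brought back into service.

```python
"""Policy check for a carrier-side SIM-change request.

Added example, not T-Mobile's code. Field names, thresholds and the
sample records below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Thresholds are assumptions for the example, not figures from the article.
MAX_SESSION_AGE = timedelta(hours=8)   # article: attackers stayed logged in for weeks
MIN_TENURE = timedelta(days=30)        # article: a few-hours-old hire's credentials sufficed
STEP_UP_METHODS = {"account_pin", "ssn_last4", "id_checked_in_store"}

# Rule hits that should stop the change outright rather than route it to review.
HARD_BLOCK = {"no_customer_step_up", "fraud_flagged_sim"}


@dataclass(frozen=True)
class SimChangeRequest:
    request_id: str
    requested_at: datetime
    employee_id: str
    employee_hired_at: datetime
    session_started_at: datetime
    employee_region: str              # region of the store the employee is assigned to
    request_region: str               # region the change was actually submitted from
    customer_step_up: Optional[str]   # how the customer proved identity; None if not at all
    sim_fraud_flagged: bool           # old or new SIM was previously deactivated for fraud


def evaluate(req: SimChangeRequest) -> List[str]:
    """Return the names of every rule the request violates (empty list == clean)."""
    reasons = []
    if req.customer_step_up not in STEP_UP_METHODS:
        reasons.append("no_customer_step_up")          # no PIN / SSN-last-4 / ID check
    if req.requested_at - req.session_started_at > MAX_SESSION_AGE:
        reasons.append("stale_employee_session")       # session should have expired
    if req.requested_at - req.employee_hired_at < MIN_TENURE:
        reasons.append("insufficient_employee_tenure") # brand-new hire touching SIM ops
    if req.employee_region != req.request_region:
        reasons.append("location_mismatch")            # request not from the employee's store
    if req.sim_fraud_flagged:
        reasons.append("fraud_flagged_sim")            # fraud deactivation must be permanent
    return reasons


def decide(req: SimChangeRequest) -> Tuple[str, List[str]]:
    """Map rule hits to an action: 'allow', 'review' (supervisor), or 'block'."""
    reasons = evaluate(req)
    if HARD_BLOCK & set(reasons):
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


# Constructed sample requests (timestamps are arbitrary, not from the case).
T0 = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)

LEGIT = SimChangeRequest(
    request_id="req-1", requested_at=T0, employee_id="emp-100",
    employee_hired_at=T0 - timedelta(days=900),
    session_started_at=T0 - timedelta(minutes=25),
    employee_region="us-west", request_region="us-west",
    customer_step_up="account_pin", sim_fraud_flagged=False,
)

SUSPICIOUS = SimChangeRequest(
    request_id="req-2", requested_at=T0, employee_id="emp-731",
    employee_hired_at=T0 - timedelta(days=20),
    session_started_at=T0 - timedelta(days=19),
    employee_region="us-west", request_region="eu-central",
    customer_step_up=None, sim_fraud_flagged=True,
)

if __name__ == "__main__":
    for req in (LEGIT, SUSPICIOUS):
        action, reasons = decide(req)
        print(f"{req.request_id}: {action} {reasons}")
```

The point of returning the full list of reasons rather than a single boolean is that each hit is a separate audit fact: a stale session or a location mismatch is worth a supervisor's look on its own, while a missing customer step-up or a SIM already deactivated for fraud should never be overridable from the same tool that raised it.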
T-Mobile's Terms & Conditions used language that sought to disclaim liability for unauthorized access to customer accounts. Preventing SIM swaps wasn't a priority for T-Mobile.
T-Mobile employees were aware of the attack on Jones as it was being carried out, because they knew the same bad actor had been involved in similar attacks before, yet they did nothing to stop it.
No attempt was made to disable the SIM card associated with those earlier attacks. T-Mobile's policy said a SIM deactivated for fraud could not be reused, but internal tools could reverse the deactivation, and the hacker took advantage of that. T-Mobile had no procedure for permanently deactivating a SIM card tied to fraudulent activity.
T-Mobile defended itself by claiming that at that time it had 53 million customers but only around 100 employees working on fraud prevention.
T-Mobile had a SIM Block feature, but it was only available to customers who had already been victims of SIM swaps. Employees weren't allowed to offer it to customers who inquired about it. The company didn't educate customers about preventing unauthorized SIM Swaps and discouraged employees from spreading awareness about SIM fraud.
Jones had previously been encouraged by T-Mobile to set up a security passcode, warned about a number port-out scam, and asked to consider an alternative to text-message PIN authentication. However, a security passcode would not necessarily have prevented the attack.
The arbitrator concluded that "it was foreseeable that T-Mobile’s acts and omissions would result in theft of Jones’s cryptocurrency." However, because Jones had not done everything in his power to prevent the damage, T-Mobile was held liable for only 50 percent of it. As a result, the arbitrator awarded $26,569,963.60 to Jones.
T-Mobile has since strengthened its defenses against SIM swap attacks. The company disabled self-service SIM swaps in 2022 and re-enabled them only recently.
This may partly explain why the company did not want the details of the $33 million award made public. Regardless, such attacks are now harder to carry out, and this case shows that a customer who does suffer one can pursue compensation from T-Mobile through arbitration.
Anam Hamid is a computer scientist turned tech journalist who has a keen interest in the tech world, with a particular focus on smartphones and tablets. She has previously written for Android Headlines and has also been a ghostwriter for several tech and car publications. Anam is not a tech hoarder and believes in using her gadgets for as long as possible. She is concerned about smartphone addiction and its impact on future generations, but she also appreciates the convenience that phones have brought into our lives. Anam is excited about technological advancements like folding screens and under-display sensors, and she often wonders about the future of technology. She values the overall experience of a device more than its individual specs and admires companies that deliver durable, high-quality products. In her free time, Anam enjoys reading, scrolling through Reddit and Instagram, and occasionally refreshing her programming skills through tutorials.