Trac Brands Fraudulent Activity

Haven't searched for news reports on this apparent security breach but noticed the alert notification on NET10 landing page this morning.

There were a lot of reports of numbers being transferred to metropcs Might have been something to do with coinbase as those being hacked were also users of that

From late to November thru December, there were a bunch of reports of hi-jacked numbers, mostly from Straight Talk and Total Wireless-- a few reports from Tracfone specifically. Almost without exception, the numbers were ported to Metro PCS. In some instances, the port only partially completed, and was never active on Metro (just in stasis/holding).

It's curious why that pattern would repeat over and over. One possibility raised is that the numbers were being used to take advantage of Metro promos that required a port-in: Metro is supposed to have verification processes in place to prevent fraudulent port-in applications, but that obviously wasn't being observed.

Tracfone actually had better security against unauthorized port-outs than a lot of MVNOs, IF the customer has set up an online account (which requires setting a user-specified security PIN.) Some affected users claimed they had set this security PIN, which implies that the TF companies weren't being careful about observing the requirement to use it, or that there had been a database breach.

A lot of the reporting users mentioned their coinbase accounts were hacked-- but a lot never mentioned hacking of outside accounts, or even whether they had such accounts. Makes it hard to tell if the specific customers were targeted, or not.

The Tracfone companies were not prepared to handle this with any pre-established process. Folow ups have been very poor, and Metro often seems to say ST/Total/Trac hasn't contacted them about retrieving a specific number.

What does seem apparent to me: it was an organized job, since the numbers almost always went to Metro. There's probably someone inside Metro or the Tracfone Group involved. (There's some speculation that timing, right at the Verizon purchase closing, might point towards an affected/disgruntled employee or contractor with no fear of consequences.)

The changes to porting security look like they ought to put a stop to most of this. I've already seen some disgruntled users, not affected by a fraudulent port-out, that are not happy about the difficulty of getting credentials for an authorized port-out. Just allow more time than usual to work through the steps if you need to port out, and I think it won't be a problem.

Not that I'd probably find the time to read through them all and I very much appreciate the summary/TLDR version but I am curious what resources you follow to read reporting/affected user reports.

The reddit subforums, r/StraightTalk, r/TotalWireless, and r/NoContract are good places to see discussion (and rants, deserved) about this issue. (tip-of-the-hat to the moderators and a couple of active members that make r/StraightTalk a good resource & interesting reading, even though I've never had a line on Straight Talk.)

FWIW, some of the suspicions about what might have been behind this issue are purely my own guesses, not necessarily offered on those subreddits-- so, the usual grain of salt, and blame only me if I'm wrong.

From WSJ

Attackers have commandeered thousands of TracFone customers’ phone numbers in recent weeks, forcing new owner Verizon Communications Inc. VZ -3.57% to improve safeguards less than two months after it took over the prepaid wireless provider.

TracFone offers prepaid wireless service under several brands, including Straight Talk, Total Wireless and its namesake brand. Some customers of Straight Talk said they found their phone lines suddenly disconnected around the December holidays.

“We were recently made aware of bad actors gaining access to a limited number of customer accounts and, in some cases, fraudulently transferring, or porting out, mobile telephone numbers to other carriers,” TracFone said in a notice posted on its website this month.

In some cases, customers said they discovered their lines had been moved without their permission to Metro, a unit of T-Mobile US Inc. A T-Mobile spokeswoman said the company investigated and found “no fraud or data breach of any sort” on its side. The company added that such unauthorized transfers “are unfortunately an industrywide issue.”

Verizon, which acquired TracFone in late November in a $6.25 billion deal, said it had added security protections to the recently acquired services to prevent such fraudulent transfers. For instance, the prepaid operators will now send customers a text message notification when a transfer request is made.

A Verizon spokeswoman said the attack appeared to affect about 6,000 TracFone customers, a fraction of Verizon’s roughly 24 million prepaid lines. “We have no reason to think that this was caused by anybody on the inside,” the spokeswoman said.

“You’ve got the bad actors out there constantly trying to find points of weakness,” Matt Ellis, Verizon’s finance chief, said Tuesday in an interview. “We’ve addressed that weakness.”

The fix came too late for Enid Hagerty, an information-technology project manager in Michigan who noticed on Christmas Eve that her PIN-protected Total Wireless account was no longer under her control. The independent contractor had to tell clients in an email not to rely on the phone number until the problem could be worked out.

“My blood pressure was in my eyeballs. I was so furious I wasn’t getting the answers,” she said. “That was my lifeline to everything for 20 years.”

She said she later regained control of the number but is using a different service provider.

Other customers of various TracFone brands said unknown attackers appeared to use their commandeered phone numbers to target cryptocurrency accounts.

Control of a mobile phone line can be an attractive entry point for scammers looking to break into a victim’s bank account. Cryptocurrency wallets secured with mobile-phone authentication are another common target.

A 2020 Princeton University study of identity-verification measures among five prepaid cellphone carriers—including Verizon and TracFone—found all of the providers “used insecure authentication challenges that could be easily subverted by attackers.”

The Federal Communications Commission last year began accepting public comments to help shape rules aimed at preventing malicious takeovers of cellphone numbers through SIM swapping and port-out fraud.

It isn’t yet clear who is responsible for the TracFone attack, said Allison Nixon, chief research officer at information-security company Unit 221B. But she said that the stories from victims targeted in the attack fit a pattern that is often caused by the work of a small group of well-practiced phone-number thieves.

“We’re at the stage where we’ve bred superbugs at this point,” she said. “I’m watching them become more mature and there are new people coming into this community and learning their ways.”