Cell Phone Fraud Double Whammy

Could you function without your smartphone? 

Is it possible to go about your day without a persistent broadband connection and the litany of apps that connect us to our social, professional, and financial lives?   

Has it even been 5 minutes since you glanced down at your phone to read a text (though please not while walking, into a fountain), or to check a reminder ping from your bank that your monthly payment is due, a 2FA authentication request, or an unsolicited ad for an extended car warranty?   

To all of these questions, fraudsters such as Henry Perez are counting on us to say: “probably not”. 

For better or worse, our cell phones are an inexorably linked, deeply intertwined component of our lives.  To be sure, we enjoy its myriad of functions, we rely on its stable performance, but we perhaps too readily assume its security.  While mobile computing advances have certainly introduced convenience and entertainment to our everyday, it’s also provided a direct vector for fraud to invade and disrupt our lives.   

Henry Perez and his ilk found fraud “success” by exploiting 1) weak or unfollowed cell service provider policies and 2) our collective over-reliance of mobile phone numbers as an assumed valid and safe secondary authentication method.   

Henry’s scheme got off the ground by first taking control of a victim’s mobile phone account.  He and his co-conspirators would use stolen personal information to impersonate legitimate account holders with a cellphone service provider.  The fraudsters would call the provider’s customer service line, request an account reset, and cite a consumer’s stolen identity data to gain access and ultimately take control of the phone accounts.   

-- We at UVeritech as well as countless other security entities have for years now been shouting to the world that “validating data” is not the same as “authenticating identity”.  By now, it should be immediately assumed that any information can be obtained by any individual, and so simply using “knowledge” to enable account access is a complete security failure.  At minimum, any organization that holds or controls accounts must link a person to their purported ownership of that data, and not just assume that one’s knowledge of personal data is enough to allow access.  – 

Once Henry’s gang gained access to a victim’s mobile phone account, the criminals were able to pull off a double whammy of fraud and theft: 

1) Stolen mobile goods sold by provider 

2) Downstream access to other financial accounts leveraging 2FA / MFA authentication 

Primary Fraud objective: Stolen mobile goods sold by provider 

Per the government’s charge, Henry’s objective was to obtain new and valuable electronic mobile devices, by charging these purchases to victims’ accounts, using the victim’s linked account payment method.  When the fraudsters made unauthorized changes to the victim’s accounts, any fraud alerts were of course sent to a conspiracy member who controlled the account and number, rather than to the legitimate account holder.   

Over the course of the conspiracy, Henry’s group successfully obtained more than $530,000 worth of devices, such as iPhones, iPads, and AirPods.  In addition, conspirators arranged for the fraudulently ordered devices to be shipped to more than 50 different addresses spanning 10 different states.  As a cherry on top of this audacious crime sundae, it was also reported that Henry Perez became so emboldened by his success, that he was brazen enough to enter the physical stores and personally pick up the fraudulently obtained devices.   

Secondary Fraud Benefit: Exploiting and Defeating Two / Multi-Factor Authentication 

During Perez’s crime spree, more than 300 of his victims across the United States lost access to their accounts, but their cell phone service remained active and exploited by the fraudsters.  Any and all inbound SMS / texts were received and controlled by Henry Perez’s group, effectively unlocking other account stashes to plunder.   

How many of your financial accounts now require a MFA text confirmation every time you log into their site?  This added level of “transactional friction” was introduced because, frankly, we are lousy with passwords.  We use an obvious code such as “password123” or we use our dog’s name.  We use this same password on multiple sites, as well as leave it stickied on our work monitor.  These passwords are snatched by hackers via website and database breaches, or in effective phishing campaigns. 

As such, now that a single password is no longer good enough security, companies and websites have introduced another hurdle for criminals to scale – sending a one time, time sensitive code only to the genuine account holder.  But how do we / customers actually receive this code?  The IRS had been and still does snail mail PIN codes (in fact, mandatory for identity theft victims).  But since modern society wouldn’t tolerate this lag, the codes are transmitted instantly to our PCs or mobile phones via email or SMS text. 

To bring this secondary fraud scenario full circle, with 1) a victim’s bank, utility, shopping site, etc account info (obtained via breach) and 2) control of the victim’s cell phone, Henry Perez or any moderately capable fraudster could access their victim’s online accounts and receive / validate the follow up MFA SMS text.  And once inside an account, fraudulent purchases could be made, its saved funds could be looted, or the account could be set up to house a synthetic identity, for later lucrative bust out.   

Henry Perez’s crime wasn’t particularly sophisticated, but it was one that hinged upon companies not instituting base, fundamental identity document checks, not adhering to identity validation policies, and society’s overall reliance on an unsecure platform for a security backstop.   

Before companies institute a Know-Your-Customer (KYC) program, based on validating known customer data or information, they must first authenticate a customer’s identity via a government issued ID credential document, and always link that identity / that person to the data that is being referenced or cross-checked.