I certainly didn't appreciate how much SIM cards are the keys to our modern lives until mine got stolen. Interestingly, my thieves took a different tack: they actually stole the physical SIM card! You might ask how this could happen: I was traveling internationally and had a friendly guy at an official kiosk in the Heathrow arrivals hall swap out my SIM card for a local SIM. He palmed my SIM and gave me back a dud without me noticing. He then shipped it back to Atlanta where collaborators used it to blindly called credit card support numbers. Some of these credit card numbers were hits — places where I had existing accounts and where they recognized my phone number. They social-engineered their way to get the CC companies to divulge more information about me — including the CC numbers themselves — allowing them to increase my credit limits and open new cards. They then went on a $40k shopping spree.
Of course I didn't notice until I came home. The dud card he gave me worked for 24 hours (I still don't understand how). And even after it stopped working, it took me quite some time to piece together everything that happened — I didn't realize that the SIM card I had wasn't mine for quite some time. Fortunately they did the equivalent of an identity theft smash-and-grab. It was relatively easy to identify and reverse, and they didn't compromise any tech 2FA services.
Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.
> Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.
What about the part that's "being a part of a criminal conspiracy to steal $40k?" I guess that's not something for the airport police to deal with though.
In light of the extended Fraud on your account, I believe
that due to the 7 day lapse between you collecting the SIM
and returning to the USA, then your details could have been
compromised anywhere. In all probability, this occurred in
the USA as this is where the accounts have been set up and
believed the fraudsters would have had to have been in order
to benefit from the crime.
The fact that you bought a SIM card in the UK is purely
circumstantial I’m afraid, therefore we would not
investigate this further.
Of course I was shouting "THEY HAD TO SHIP IT BACK TO THE U.S. FOR IT TO WORK" as well as providing the call logs documenting calls from the Atlanta region (where I don't live and hadn't visited), but it fell on deaf ears and I gave up. That response made me feel like a tin-hatted conspiracy theorist, though: yes, I am certain I was defrauded through an international criminal conspiracy.
I understand your frustration, but I also think they have a point.
What you're telling us is all based on your educated guesses as to how they might have pulled this. There are things that feel a bit weird and I'm guessing you have no evidence to prove them, such as the scammer shipping the real SIM back to Atlanta in time before you realise the issue.
How did you realise the SIM card you were handed was fake? Couldn't it be that they instead duplicated your SIM whilst you weren't looking?
IMHO the police (or FBI or whatevs) in the US should conduct the investigation as that's were the fraud happened. They'll evaluate if it's worth it contacting their counterparts in the UK to move forward. However I also think it is good that you've given a heads up to the UK local authorities.
Do you remember what company was offering the local SIMs? I've seen mostly Lebara, but not in Heathrow...
The SIM ICCID that I physically had in my hands upon return was different than the ICCID that ATT had on file for me. I also watched the dude do it right in front of me, but of course SIM cards are quite easy to palm. It was the "Tourist Services" kiosk and I bought a £20 Lebara card. He very kindly taped the ATT card down to the Lebara cardboard packaging, and I wasn't able to remove that tape without damaging it so I'm quite certain that it wasn't swapped elsewhere.
I did also report it to both my local police and the FTC and the FBI but never could gain traction as nobody thought it was their jurisdiction. I eventually gave up once my credit was repaired.
Just playing devil's advocate, the ICCID on file would also be different if they had managed to compromise your account and change the sim associated with it.
That might be reasonable. It also makes the scam OP is guessing happened a pretty good criminal scam, since the police will refuse to investigate it...
I mean, what possible additional evidence could one plausibly have that the guessed scam is indeed what happened?
Which is the scary thing about all these SIM-theft things. It clear happened, there's really no way for the victim to know how/where/what/when/who.
It certainly took me quite some time to put all the pieces together — and I'd wager very few folks defrauded like this are able to realize exactly what happened.
Anyway, thanks for sharing. This is not exactly an obvious fraud.
I think one way to prevent it, aside from remembering to not let your SIM off your hands is to mark/paint your SIM and make it unique and easily recognizable.
Then you can deal with it immediatelly, even if you forget the rule to not give your SIM temporarily to others. (You'll probaly not forget, but people who may not have your experience and still want to protect themselves against this, may.) Also the attackers will not probably attempt to swap unique looking SIM in the first place.
Other ways are to use phones with 2 SIM card slots or simply use a local carrier with decent international roaming support or (of course) carry a paperclip to just do it yourself.
fun fact about sims. they run a java operating system which can be accessed via binary SMS messages (apdu messages) - invisible to your phone, with the right sim pin, they can get filesystem access in this 'os' and steal your private keys and phone identification numbers, effectively allowing them to mitm / clone your phone and calls/sms etc.
that being said it's just plain silly how important these crummy devices are, and how little information and warnings they come with.
set a good sim pin, that will save u from this type of trouble. of course, it won't save u from physical phone / sim access.
You can setup a SIM PIN, but I hadn't enabled it and I bet few folks do as it's not connected to the device lock code and not on by default: https://support.apple.com/en-us/HT201529
Phones' PINs aren't connected to SIMs. I have to enter my PIN on reboot, even if I removed my SIM. Putting the SIM in a phone without a PIN results in nothing being required.
Edit: Thanks for correcting me- I guess my SIM does not have a PIN.
SIM cards themselves can have a PIN attached to them too, usually with a lockout after 3 unsuccessful attempts. The card is supposed to be secure against tampering, but since it's running an OS which receives very little scrutiny and runs lots of legacy tech, there are likely all kinds of exploits to reset / root the SIM and bypass any PIN protection. It's still useful against casual theft though.
While there have been a few very scary hacks that could compromise a currently-unlocked-and-running SIM, I don't think there is anything you can do to a powered-down SIM without the PIN.
A SIM card has its own PIN, completely independent from the phone's pin. If I put my SIM in someone else's phone, it will ask for my PIN, even when they don't have a PIN set.
Of course I didn't notice until I came home. The dud card he gave me worked for 24 hours (I still don't understand how). And even after it stopped working, it took me quite some time to piece together everything that happened — I didn't realize that the SIM card I had wasn't mine for quite some time. Fortunately they did the equivalent of an identity theft smash-and-grab. It was relatively easy to identify and reverse, and they didn't compromise any tech 2FA services.
Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.
tldr: Don't let anyone ever touch your SIM cards.