By CCN.com: Hackers, many in their teens, have drained the accounts of more than 50 Californian victims in a $35 million SIM swap heist.
Officials estimate that in total, $50 million has been stolen in related attacks around the US since the beginning of 2018. The online scammers have targeted California in particular with the San Francisco Bay area seeing the bulk of the attacks.
SIM swapping is the process of porting a mobile number to another SIM card without users knowledge or consent. Thieves are then able to fake identification to gain access to sensitive portals like an email or a bank account.
Seth Shapiro, a consultant in the blockchain space, had his life savings stolen last year after hackers gained access to his phone at a conference in Manhattan. According to an NBC Bay Area report:
He later learned from detectives that a group of hackers had seized control of his cellphone, striking from hundreds of miles away by using a technique called “SIM swapping”
A perpetrator associated with Shapiro’s theft was caught red-handed and sentenced to ten years in prison for the first ever SIM swap fraud case in US history. Joel Ortiz, a 21-year-old man from Boston plead guilty last month in Santa Clara for his role in the crime.
Ortiz’s attorney Dennis Dawson later outlined to reporters the severe punishment handed down to his client upon sentencing:
[Ortiz] got a harsh deal for a nonviolent offense because the court system wanted to make an example of Ortiz as the first defendant to be sentenced strictly for a SIM-swap cryptocurrency theft in the United States.
Authorities have only recovered $75 000 of Shapiro’s money to date. He believes the rest has either been spent or lost in the web of cryptocurrency anonymity.
Despite NBC’s claim, SIM-swapping scams are not new and have been around since the first mobile phones came to market. The recent uptick in incidents lies largely at the feet of social media. A whole host of personal information is now readily available online making it far easier for scammers to fool (or bribe) mobile provider employees.
The irony in Ortiz’s case is that he regularly used the same media he chose for his social engineering tricks. Videos of the hackers’ exploits soon surfaced on YouTube. Their extravagant displays of success included amongst other things, pouring expensive champagne over $50 000 watches in Las Vegas night clubs and Los Angeles Airbnb rentals to the tune of $150 000.
Police used the same platforms to track Ortiz down before he caught a flight out from the west coast. Prior to the caper, Ortiz was living with his mother in public housing in Boston. At LAX, however, police found the youngster kitted out in expensive clothing carrying wads of cash.
Most SIM swap scams involve hackers hijacking your two-factor authentication (2FA) codes. As recently reported by CCN.com, even crypto engineers are subject to SIM swap attacks. If you’re still using SMS-based 2FA, you’re just asking to be robbed. SMS authentication is tied to the SIM card making this kind of fraud possible. The first sign of attack typically arrives when your mobile phone suddenly loses all signal.
App-based 2FA is a far smarter alternative. While not impossible to hack, application authenticators are exceedingly more secure. In this scenario, the attacker either needs to steal your phone or trick you into passing on sensitive information directly.
In Seth Shapiro’s case, the blockchain consultant had supposedly stored $2 million worth of cryptocurrency in a mobile wallet. Anyone who stores his life savings in a mobile wallet probably shouldn’t be advising in the blockchain space, to begin with. There are far more secure hardware solutions for that.