07
Nov 18

Busting SIM Swappers and SIM Swap Myths

KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. Snippets from that fascinating conversation are recounted below, and punctuated by accounts from a recent victim who lost more than $100,000 after his mobile phone number was hijacked.

In late September 2018, the REACT Task Force spearheaded an investigation that led to the arrest of two Missouri men — both in their early 20s — who are accused of conducting SIM swaps to steal $14 million from a cryptocurrency company based in San Jose, Calif. Two months earlier, the task force was instrumental in apprehending 20-year-old Joel Ortiz, a Boston man suspected of stealing millions of dollars in cryptocoins with the help of SIM swaps.

Samy Tarazi is a sergeant with the Santa Clara County Sheriff’s office and a REACT supervisor. The force was originally created to tackle a range of cybercrimes, but Tarazi says SIM swappers are a primary target now for two reasons. First, many of the individuals targeted by SIM swappers live in or run businesses based in northern California.

More importantly, he says, the frequency of SIM swapping attacks is…well, off the hook right now.

“It’s probably REACT’s highest priority at the moment, given that SIM swapping is actively happening to someone probably even as we speak right now,” Tarazi said. “It’s also because there are a lot of victims in our immediate jurisdiction.”

As common as SIM swapping has become, Tarazi said he and other members of REACT suspect that there are only a few dozen individuals responsible for perpetrating most of these heists.

“For the amounts being stolen and the number of people being successful at taking it, the numbers are probably historic,” Tarazi said. “We’re talking about kids aged mainly between 19 and 22 being able to steal millions of dollars in cryptocurrencies. I mean, if someone gets robbed of $100,000 that’s a huge case, but we’re now dealing with someone who buys a 99 cent SIM card off eBay, plugs it into a cheap burner phone, makes a call and steals millions of dollars. That’s pretty remarkable.”

Indeed, the theft of $100,000 worth of cryptocurrency in July 2018 was the impetus for my interview with REACT. I reached out to the task force after hearing about their role in assisting SIM swapping victim Christian Ferri, who is president and CEO of San Francisco-based cryptocurrency firm BlockStar.

In early July 2018, Ferri was traveling in Europe when he discovered his T-Mobile phone no longer had service. He’d later learn that thieves had abused access to T-Mobile’s customer database to deactivate the SIM card in his phone and to activate a new one that they had in their own mobile device.

Soon after, the attackers were able to use their control over his mobile number to reset his Gmail account password. From there, the perpetrators accessed a Google Drive document that Ferri had used to record credentials to other sites, including a cryptocurrency exchange. Although that level of access could have let the crooks steal a great deal more from Ferri, they were simply after his cryptocoins, and in short order he was relieved of approximately $100,000 worth of coinage.

We’ll hear more about Ferri’s case in a moment. But first I should clarify that the REACT task force members did not discuss with me the details of Mr. Ferri’s case — even though according to Ferri a key member of the task force we’ll meet later has been actively investigating on his behalf. The remainder of this interview with REACT pivots off of Ferri’s incident mainly because the details surrounding his case help clarify some of the most confusing and murky aspects of how these crimes are perpetrated — and, more importantly, what we can do about them.

WHO’S THE TARGET?

SIM swapping attacks primarily target individuals who are visibly active in the cryptocurrency space. This includes people who run or work at cryptocurrency-focused companies; those who participate as speakers at public conferences centered around Blockchain and cryptocurrency technologies; and those who like to talk openly on social media about their crypto investments.

REACT Lieutenant John Rose said in addition to or in lieu of stealing cryptocurrency, some SIM swappers will relieve victims of highly prized social media account names (also known as “OG accounts“) — usually short usernames that can convey an aura of prestige or the illusion of an early adopter on a given social network. OG accounts typically can be resold for thousands of dollars.

Rose said even though a successful SIM swap often gives the perpetrator access to traditional bank accounts, the attackers seem to be mainly interested in stealing cryptocurrencies.

“Many SIM swap victims are understandably very scared at how much of their personal information has been exposed when these attacks occur,” Rose said. “But [the attackers] are predominantly interested in targeting cryptocurrencies for the ease with which these funds can be laundered through online exchanges, and because the transactions can’t be reversed.”

FAKE IDs AND PHONY NOTES

The “how” of these SIM swaps is often the most interesting because it’s the one aspect of this crime that’s probably the least well-understood. Ferri said when he initially contacted T-Mobile about his incident, the company told him that the perpetrator had entered a T-Mobile store and presented a fake ID in Ferri’s name.

But Ferri said once the REACT Task Force got involved in his case, it became clear that video surveillance footage from the date and time of his SIM swap showed no such evidence of anyone entering the store to present a fake ID. Rather, he said, this explanation of events was a misunderstanding at best, and more likely a cover-up at some level.

Caleb Tuttle, a detective with the Santa Clara County District Attorney’s office, said he has yet to encounter a single SIM swapping incident in which the perpetrator actually presented ID in person at a mobile phone store. That’s just too risky for the attackers, he said.

“I’ve talked to hundreds of victims, and I haven’t seen any cases where the suspect is going into a store to do this,” Tuttle said.

Tuttle said SIM swapping happens in one of three ways. The first is when the attacker bribes or blackmails a mobile store employee into assisting in the crime. The second involves current and/or former mobile store employees who knowingly abuse their access to customer data and the mobile company’s network. Finally, crooked store employees may trick unwitting associates at other stores into swapping a target’s existing SIM card with a new one.

“Most of these SIM swaps are being done over the phone, and the notes we’re seeing about the change in the [victim’s] account usually are left either by [a complicit] employee trying to cover their tracks, or because the employee who typed in that note actually believed what they were typing.” In the latter case, the employee who left a note in the customer’s account saying ID had been presented in-store was tricked by a complicit co-worker at another store who falsely claimed that a customer there had already presented ID.

DARK WEB SOFTWARE?

Ferri said the detectives investigating his SIM swap attack let on that the crooks responsible had at some point in the attack used “specialized software to get into T-Mobile’s customer database.”

“The investigator said there were employees of the company who had built a special software tool that they could use to connect to T-Mobile’s customer database, and that they could use this software from their home or couch to log in and see all the customer information there,” Ferri recalled. “The investigator didn’t explain exactly how it worked, but it was basically a backdoor entrance that they were reselling on the Dark Web, and it bypassed whatever security there was and let them go straight into the customer database.”

Asked directly about this mysterious product supposedly being offered on the Dark Web, the REACT task force members put our phone interview on hold for several minutes while they privately huddled to discuss the question. When they finally took me off mute, a member of the task force instead answered a different question that I’d asked much earlier in the interview.

When pressed about the software again, there was a long, uncomfortable silence. Then Detective Tuttle spoke up.

“We’re not going to talk about that,” he said curtly. “Deal with it.”

T-Mobile likewise declined to comment on the allegation that thieves had somehow built software which gave them direct access to T-Mobile customer data. However, in at least three separate instances over the past six months, T-Mobile has been forced to acknowledge incidents of unauthorized access to customer records.

In August 2018, T-Mobile published a notice saying its security team discovered and shut down unauthorized access to certain information, including customer name, billing zip code, phone number, email address, account number, account type (prepaid or postpaid) and/or date of birth. A T-Mobile spokesperson said at the time that this incident impacted roughly two percent of its subscriber base, or approximately 2.5 million customers.

In May 2018, T-Mobile fixed a bug in its Web site that let anyone view the personal account details of any customer. The bug could be exploited simply by adding the phone number of a target to the end of a Web address used by one of the company’s internal tools that was nevertheless accessible via the open Internet. The data provided by that tool reportedly also included references to account PINs used by customers as a security question when contacting T-Mobile customer support.

In April 2018, T-Mobile fixed a related bug in its public Web site that allowed anyone to pull data tied to customer accounts, including the user’s account number and the target phone’s IMSI — a unique number that ties subscribers to their specific mobile device.

A DISCONNECT AT THE CARRIER LEVEL

I wanted to hear from the REACT team what they thought the mobile carriers could be doing to better detect and prevent SIM swaps. I received a range of responses.

“This is a really serious problem among the carriers, the ease with which SIM swaps can occur,” Lt. Rose said. “If you’re working at a mobile phone store and making $12 an hour and suddenly someone offers you $400 to do a single SIM swap, that can seem like a pretty sweet deal if you don’t also have any morals or sense of conscience.”

Rose said mobile phone stores could cut down on these crimes in much the same way that potential victims can combat SIM swapping: By relying on dual authentication.

“Having one employee who can conduct these SIM swaps without any kind of oversight seems to be the real problem,” Rose said. “And it seems like [the carriers] could really put a stop to it if there were more checks and balances to prevent that. It’s still very, very easy to SIM swap, and something has to be done because it’s just too simple. Someone needs to light a fire under some folks to get these protections put in place.”

Sgt. Tarazi said a big challenge for mobile stores is balancing customer service with account security. After all, he said, customers legitimately request SIM swaps all the time — such as when a phone is lost or stolen, or when the customer upgrades to a phone that requires a SIM card of a different size.

“There are probably tens of thousands of legitimate SIM swaps a day or week, versus a couple of fake ones,” Tarazi said. “Ultimately, these attacks rely on the human element and the ability of an employee to override whatever security is in place.”

Tarazi added that in many cases there’s a vast disconnect between a mobile company’s corporate offices and security policies at the local store level.

“These are multi-billion companies, and in any big company it’s fairly common that the left hand doesn’t know what the right hand is doing,” he said. “Without knowing the ins and outs of how these companies work, it’s very easy for us to say they should have two people authorizing each SIM swap. But I agree anything that makes [the criminal SIM swappers] have to show up in person to do this would ideally be the best scenario.”

TWO-FACTOR BREAKDOWN

Asked what he would have done differently about his attack, Ferri said he’d have set up his Google accounts to use app-based two-factor authentication, instead of relying merely on his mobile phone to receive that second factor via text message.

“I had app-based two factor set up on my [cryptocurrency] exchange accounts, but not Gmail,” he said. “Also, I’d probably use something like Google Voice for anything that requires a phone number for a second factor.”

In fact, this is the precise advice offered by Joel Ortiz, the alleged SIM swapper mentioned earlier who was arrested this year by the REACT Task Force. According to published reports, Ortiz taught many other SIM swappers how to perfect their techniques — and how to avoid being victimized themselves by rival SIM swappers. I included the specifics from Ortiz’s advice in my Aug. 16 column, Hanging Up On Mobile in the Name of Security.

Det. Tuttle said in a typical SIM swap attack the perpetrators have studied their target in advance, much the same way bank robbers might spend a few days observing the comings and goings at a specific bank branch before making their move.

“Usually, once a SIM swap is done they’ve already done enough research and social engineering on victims to know what accounts the victim has — whether it’s Gmail or Dropbox or whatever,” Tuttle said. “The next thing they do is go to these accounts and use the ‘forgot password’ function and request a password reset link via SMS to gain access to those accounts. From there, they start looking for cryptocurrency exchange passwords, private keys, and reseed codes to steal cryptocurrencies.”

Tuttle said it’s important for people to use something other than text messages for two-factor authentication on their email accounts when stronger authentication options are available. He advises people instead use a mobile app like Authy or Google Authenticator to generate the one-time code. Or better yet, a physical security key if that’s an option.

“Let’s say I have a Coinbase account and I have it set up to require a password and a one-time code generated by Authy, but my Gmail account tied to that Coinbase account doesn’t use Authy and just uses SMS for two-factor,” Tuttle explained. “Once I SIM swap that person, I can often also use that access to [request a link via SMS] to reset his Gmail password, and then set up Authy on the Gmail account using my device. Now I have access to your Coinbase account and can effectively lock you out of both.”
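The chain Tuttle describes can be checked against your own accounts by writing down every sign-in and recovery path as a set of required factors and computing what falls to someone who holds nothing but the phone number. This is an added example, not part of the interview; the account names, factor labels and recovery paths are constructed for illustration and do not describe any real provider's policy.

```python
"""Audit which accounts fall if a phone number is hijacked (constructed data)."""
from __future__ import annotations

from dataclasses import dataclass

SMS = "sms"  # capability: receive texts sent to the account owner's number


@dataclass(frozen=True)
class Account:
    name: str
    # Each path is a set of factors that must ALL be held to get in.
    # The account is lost if ANY single path is fully satisfied.
    paths: tuple[frozenset[str], ...]
    # Capabilities gained by whoever controls the account (its inbox,
    # or secrets stored inside it such as a credentials document).
    grants: frozenset[str] = frozenset()


def exposed_accounts(accounts, initial=frozenset({SMS})):
    """Return {account name: factors used} for everything reachable from
    `initial`, iterating until no further account can be taken over."""
    held = set(initial)
    fallen = {}
    changed = True
    while changed:
        changed = False
        for acct in accounts:
            if acct.name in fallen:
                continue
            for path in acct.paths:
                if path <= held:  # every factor on this path is held
                    fallen[acct.name] = sorted(path)
                    held |= acct.grants
                    changed = True
                    break
    return fallen


def sms_dependent_paths(accounts):
    """List every (account, path) that still relies on SMS: the to-do list."""
    return [(a.name, sorted(p)) for a in accounts for p in a.paths if SMS in p]


def path(*factors):
    return frozenset(factors)


# Constructed inventory: the exchange has app-based 2FA, but the mail
# account behind it can be reset with a text message alone.
BEFORE = [
    Account("exchange", (path("password:exchange", "totp:exchange"),
                         path("inbox:mail", SMS))),
    Account("mail", (path("password:mail", SMS), path(SMS)),
            grants=frozenset({"inbox:mail", "password:exchange"})),
    Account("brokerage", (path("password:brokerage", "hardware_key"),)),
]

# Same inventory after moving the mail account off SMS entirely.
AFTER = [
    Account("exchange", (path("password:exchange", "totp:exchange"),
                         path("inbox:mail", SMS))),
    Account("mail", (path("password:mail", "totp:mail"),
                     path("password:mail", "hardware_key"),
                     path("backup_code:mail")),
            grants=frozenset({"inbox:mail", "password:exchange"})),
    Account("brokerage", (path("password:brokerage", "hardware_key"),)),
]

if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label, "exposed:", exposed_accounts(inventory))
        print(label, "still on SMS:", sms_dependent_paths(inventory))
```

In the hardened inventory nothing falls to the phone number alone, yet the exchange's leftover SMS recovery path is still reported, which is the kind of residual dependency worth removing where the provider allows it.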

Dave Berry, a task force member and investigator with the Santa Clara County District Attorney’s office, said cryptocurrency enthusiasts should be storing most of their crypto funds in hardware wallets, and storing private keys needed to spend or transfer those funds on a device that doesn’t touch the Internet. Printing out and properly securing a set of one-time codes that can be used if a mobile device is lost or stolen is a good idea as well.

But most of all, Berry said, people should stop using SMS when more robust two-factor options are available.

“There may be some inconvenience factor there, but if you don’t have any two-factor going over text message, you really do limit the potential damage that way,” Berry said.

ROBBING HOODS

Sgt. Tarazi says one big problem is that it’s still not common knowledge that SMS-based two-factor can leave users with a false sense of security.

“Text-based two-factor is still the industry standard way of doing it, because it’s super convenient and you don’t need to be computer savvy to figure it out,” Tarazi said. “I would say most people who aren’t following the SIM swapping problem have no idea their phone and associated accounts can be taken over so easily. It’s not like the person who leaves a laptop in plain view in the car, and when the laptop gets stolen you say well someone just encouraged the thief in that case. In this case, the victim didn’t download malware or fall for some stupid phishing email. They just end up getting compromised because they followed the industry standard.”

Lt. Rose notes that this dynamic helps some SIM swapping thieves justify their crimes.

“We see this a lot, where by their own words they’ll blame victims for not protecting themselves properly, saying it’s the victim’s fault he got robbed,” Rose said.

On top of that, Rose said many crooks involved in SIM swapping tend to adopt the view that they are stealing from fabulously wealthy individuals who will still be well off after they’re relieved of some of their crypto assets — as with the case of bitcoin entrepreneur Michael Terpin, who lost $24 million in cryptocurrencies after getting hit by an unauthorized SIM swap earlier this year (allegedly at the hands of a crooked AT&T retail store employee).

But Detective Tuttle said Terpin’s example is an outlier.

“It’s not just stealing millions from millionaires,” Tuttle said. “Most of the victims are not in that category. Most are people who are having their life’s savings or their child’s college savings stolen. They’re victims who have families and 9-5 jobs, and who got into the crypto space because they were investing and trying to make ends meet. We only tend to hear or read about these attacks when they result in millions of dollars in losses. But the reality is there’s a lot of other thefts involving much more diminished amounts that are really negatively impacting peoples’ lives.”

For Erin West, deputy district attorney with the Santa Clara DA’s office, this dynamic is a major factor driving the work of the REACT task force. West says she believes her group is having a strong deterrent effect, and that the individuals who persist in carrying out these crimes are all keenly aware of the group’s work.

“We’re out there arresting these people and finding new leads every day,” West said. “We’re zealously prosecuting them, and we expect this will have a deterrent effect because we’re fortunate enough to have federal partners that we can now do this on a national level and make arrests out of state. Rest assured that if a victim is touched in Santa Clara county, we will find you and prosecute you no matter where you are.”


44 comments

  1. “We’re not going to talk about that,” he said curtly. “Deal with it.” An arrogant, rude government employee. How surprising!
    I have thought about using bitcoin for purchases, but not “investing”. I’m not sure I want to do that now.

    • Agreed. That official’s response could have been a little more tactful. I do, however, believe the reply shows a couple of things:

      1. An indirect way of confirming the “software problem” does in fact exist, and both the REACT Team AND T-Mobile know it, and,

      2. By not directly acknowledging the existence of the “software issue”, the REACT Team likely avoids any potential, adverse legal action T-Mobile might try to bring against them.

      Just my 3-cents take on the subject.

    • “I have thought about using bitcoin for purchases”

      There is absolutely no need to do that for any legal goods.

    • I disagree with your opinion. “Arrogant” is simply your opinion. There is nothing necessarily arrogant about a direct statement that tells the questioner to back off. If you think the officer should have been more polite, then that is fine. But inferring a character trait from such limited data could be considered arrogant on your part.

      We don’t know the backstory to why the officers responded in that manner. If they felt they needed to protect information and thought Brian was being intrusive then the response may well have been appropriate from their point of view.

      • About the only thing I remember from the linguistics classes in college is that stress and pitch are phonemes; they have linguistic meaning. The printed word can’t really convey this.

  2. I have a few anecdotes for how this is supposed to work..

    About 6 months ago I got a new phone. I needed a different SIM because the size was different, so I went into the Verizon store. They asked for the account PIN (which my wife had set, and I didn’t know off the top of my head). Since I could not produce that, they could send an SMS to the old still-working phone which I could read back to them, and then they would proceed with the swap.

    A few months later, my wife got a new phone, and this again needed a new SIM of a different size. In this case I bought a new SIM from BestBuy, and logged into the Verizon site to register the new SIM for the phone number. And that worked too – that let me get the new phone working.

    • Yes I did that too with AT&T, but I believe that requires more steps and the perp to have more knowledge on the victim. Overall I believe it is much harder to do a SIM swap online, and probably more dangerous for the perpetrator. I wouldn’t be too fearful over that, cautious yes.

  3. Where can I buy those kind of tools?
    I know you can buy cc online but a lot ripper online stores now. I hate rippers.
    I have no luck still to find anything good, anyone can recommend good business forums? Many I registered are scams
    This sim swap is old method or new?

  4. 3’Ricky 3’Xza 3’Joel 3 EVERY 1 GETTIN LOCKED N DOIN TIME..

  5. The Sunshine State

    Very good , informative article

  6. “Also, I’d probably use something like Google Voice for anything that requires a phone number for a second factor.” Doesn’t work in many cases, have already tried that. Apparently many of the higher-end systems that use this form of 2FA will check the GV number and determine that it is NOT in fact a mobile number, and will refuse to accept it. I have encountered this several times, once on a credit card site, a crypto-currency wallet, and an investment management site. I even contacted the wallet site’s help desk and asked them to send a text message to the number to confirm that it could receive texts, and they said, “Nope, it’s not a mobile phone, it’s a forwarder.”

    • Correct. Yahoo, for one, rejects the Google Voice phone number saying, “sorry, we can’t use VOIP numbers at this time.”

      They send a security code via SMS.

      (Yahoo? yup, I’ve been a flickr customer for many years.)

  7. “a Google Drive document that Ferri had used to record credentials to other sites”
    What an idiot…

    • I know someone else who records their many credentials in a Google doc. The excuse is that their Google password is long and complex and they use 2FA. That’s the strongest security that Google recommends. Until Google recommends something stronger, I don’t expect him to change.

      • They would be better off using an encrypted spreadsheet and then storing that on Google Drive. LibreOffice is great for that, as it uses AES-256 encryption, and is platform independent. With a strong password (15 characters or better) that should make it a spreadsheet secure except possibly from State actors, as long as it is stored in ODS format…

  8. How does app-based two-factor protect you? What is it that prevents the thief from setting it up on the SIM-swapped phone?

    • To steal the time based code that is generated by a proper app, such as the Authy or Google Authenticator, the bad guy needs to steal your physical phone. Moreover, even if they steal it and reset the OS on it, those apps still won’t reveal your 2FA codes. All this makes it orders of magnitude more difficult for them to do. Swapping SIM won’t do the trick. That’s the beauty of that method.

      Although having said that, I’m sure there are some other 2FA apps that don’t do it right, i.e. by linking it to a SIM or doing some other “convenient” thing. That is why I always try to stay away from anything other than those two apps I named above.

      • From what I understand, Authy does this in a fashion I wouldn’t trust. With Authy you create an account, and it is possible to move Authy between phones as long as you follow their “secure phone changing process” but that’s exactly what we’re trusting T-Mobile with right now.

        Google Auth is per device, so even if you get access to my Google account, you won’t be able to see my list of 2FA sites or generate a 2FA code for any of them. Duo Security is similar in that even though you have a “Duo Account”, your 2FA list is per device.

  9. Two things need to be said.

    First, Brian has been talking about, being rightfully incredulous about, and wondering how we can stop the following:

    —-the weak link in all of information technology misuse will remain, for the foreseeable future, humans. Specifically employees inside whatever company/bank/investment/insurance/etc/etc you deal with in your life. Not sure there’s an answer here for us all except to say: pray that AI comes faster than we think it will, for it will give us better security than biological humans prone to greed & corruption.

    The second thing that needs to be said is: physical key tokens, i.e. the Yubikey. Yubikey is a physical key, basically uncrackable or impossible to get around (at least until quantum computers come online, which is still 10-15 years off, if ever), and Google has been offering the ability on their Gmail accounts, for over 18 months, to those who want it to set up their email account with a Yubikey. And it is free.

    2FA authentication using a physical key like Yubikey for your email accounts at least gives us all a fighting chance to be warned (assuming one has all their bank, investment, retirement, etc accounts set up with “alerts-to-your-email” for both logins & any amount of monies moving in and/or out of them) when someone has accessed your sensitive accounts.

    Also note: Google makes it crystal clear that if you choose to set up an email with a Yubikey, and you choose to back it up with another Yubikey only (which, honestly, is what you should do if you want the highest level of security), that if in some strange event both of those keys are lost, then there is no way that the gmail account can ever be recovered, nor accessed again. You are plain out of luck. But so is everyone else. Including Google itself. Think about the power of this. The email account is gone forever and NO ONE can get access to it (if the keys are lost).

    We all know the misgivings many have about Google, the data they slurp about us. But this is one area (Yubikey-hardened, uncrackable login email accounts) where Google has been heads & shoulders above everyone else. Google itself used to have problems internally with employees & their email accounts getting compromised. Since requiring all their employees to use a Yubikey, there has not been one incident since (approaching 2 years now).

    Stop relying on SMS, stop relying on your phone, especially any software-based authenticator, when it comes to having a dedicated, secure email account for your financial holdings & getting alerts to that email account.

    Set up a Gmail account up on Google with Yubikeys (it’s free except for you buying your own Yubikeys, about $19 each, at, say, Amazon). When setting the Yubikey-gmail account up, specifically choose to only use Yubikeys for backup on the account (no phones, no anything else for backup). Then from that day forward only use that uber-hardened Gmail account to check daily to make sure no alerts and/or account access alerts have occurred at any of your other important online accounts. And rest a bit easy knowing that the only way access can be gained to the Yubikey account is through one of the two keys you set up. You could have a general login like “user” with a password of “password”, and if that Gmail account is/was setup with two Yubikeys, there’s no getting in it (Google included) even if the whole world knows you use “user” for a login name, and “password” as the account password. This is the power of physical keys, like the Yubikey.

    • Yubikeys are indeed wonderful. But it’s wrong to say that cracking your account is impossible. As the Yahoo breach demonstrated, if the hackers can steal the login cookie generator and generate fake login cookies, they can login to any account with no authentication of any kind. The cookie bypasses all login security, because it deems that you are already logged in.

    • What are the security downsides of the authenticator apps on a phone? I agree that something such as a yubikey is a better solution, but the trade-off between ease-of-use and security seems to be met very well with software TOTP solution. I’m also making an assumption that the security of the software authenticator is as good as the physical security of my phone, so if I have that wrong, then I would like to know.

    • Google now has their own branded hardware token, called Titan. Like Yubikey, it follows U2F standards, which many tokens use. So not just Yubikey, although they are popular.

      Note: it is not uncrackable. It still requires good implementation. Google still has backup codes that are generated when you switch to 2FA. Those are short codes that still must be protected. Even having a backup Yubikey, you should print out the codes and store in a safe.

  10. Brian, that’s a bummer if what people are saying above is true about some services blocking Google Voice service from being used for 2FA.

    I was so happy to read your suggestion about switching to it. But if it’s not accepted that kinda defeats the purpose.

    Can you confirm this?

    And also it would be nice if there was a resource that shows which sites accept 2FA phone numbers as Google voice and which ones that don’t. We can maybe publicly shame them then.

    • Hi Dennis,

      I have read and have been told at security conferences I’ve attended that 2FA phone numbers (back up phone numbers) are full of problems and holes. Didn’t Google, at least internally, move against them over a year ago? I thought Google Voice was purposely trash-canned by Google for a good reason.

      Reading Brian’s great article, it boggles my mind a bit that this Ferri was that lax and/or lazy concerning 2FA his email accounts, and his phone. And he is head of a crypto-exchange no less? Wow….just a real big wowzers.

      The cryptocurrency crowd worldwide is not that large at the moment, and nearly everyone involved with it knows what has to be done if you want to harden the security on your cryptocurrencies, having them, and/or dealing with them in any way.

      It’s called hardware perimeter hardening. And one of the big ways is with physical keys, while also using offline wallets while utilizing multiple backed-up USBs for those currencies storage. And all other accounts (phone, email, bank, etc) linked in some with those currencies, now and/or in the future, are to definitely, again, be hardened by using physical 2fa key tokens where possible.

      • I think it’s important to view the activity in this crime space as a glimpse of what’s to come, as something that will soon be visited on a broader range of victims — if indeed it is not already. Forewarned is forearmed, yes?

  11. No, he is not the idiot. But a businessman. Who likes a convenient method to handle his passwords. You have more than one? Just as usual, he forgot one thing, it’s accessible to others. Same with all web based documents. If it’s a special documents, you have to set special rules for that doc each time it’s opened. And closed. Even as an encrypted doc, you have to be locatable. To use it. Even worse, he didn’t save it to his local drive. That way, only he “had access to it”. But a well written piece of news.
    By the way, some parts of the investigation are secret, unless you are directly known by the investigators, but, you are “news”. The modern memes are news bad. That part could be part of it.

  12. Here is the future: “no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.”
    This will solve all needs for passwords, 2FA and all else.

  13. With regards to the mention in the article about needing (or not) ID to get a replacement SIM, here in the UK there was an item recently in a consumer program where they tested and found in most cases shops didn’t check a lot at all when someone pretended to be the owner of a phone and asked for a replacement.
    So it’s definitely a core part of the issue although I didn’t know at the time about the specific target of stealing crypto currency via a sim swap attack.

  14. Nice article Brian. Thanks for digging into this. Now off to finally get Yubikeys…

  15. QUESTION: I use 2FA on all my accounts, using a time-based code generated on a mobile authenticator app. But some of these accounts also use a mobile number as a secondary reference (for example, at original time of creation of the account). So what I deduce from Brian’s blog is that I should delete all my mobile numbers as referenced in these accounts? That is, to rely solely upon the 2FA authenticator app for all my logins (plus the printed backup codes that some of those accounts offer) and never leave any mobile numbers on record within those accounts? Could someone confirm — is that the recommended best practice, to delete all mobile phone numbers from mission-critical accounts, wherever practical?

    • Based on the recommendations of many prominent people in the infosec space, that’s what I’ve done where possible.

      My typical set up is a hardware key anywhere that supports it, with 2fa auth app as a secondary method (Primarily for mobile because iOS doesn’t currently support any hardware keys that I’m aware of).

      Unfortunately, the banking industry really hasn’t caught up to the current best-practices in online auth. I find it really annoying that my twitter account has a more secure login than pretty much all of my financial accounts. The brokerage where my retirement funds live won’t allow me to remove the SMS 2fa option even if I have a security key enrolled, and my credit union doesn’t support *any* version of 2fa.

      But then what do you expect from an industry that still widely relies on frickin’ fax machines (A rant for another day.)?

  16. Evil people are violating my human rights. It is not committing it, it is continuing. This life is short, you have to do good; don’t wait for tomorrow because you don’t know if you will have it. att t m. What a disappointment, they should be ashamed. H…. God saw you.

  17. I think we are venturing into a realm (and issues) where SMS is being used for things it was never intended.

  18. Does anyone know if SIM swapping was used in this theft of $24 million of crypto?

    https://bgr.com/2018/08/15/crypto-news-man-sues-att-stolen-coins/

  19. I had a friend fall victim to a SIM swap, and he is indeed a pretty normal 9-5er who got into bitcoin back in the day just because he’s a techy person. They also told him that someone (a couple, in fact), had shown up in person and presented fake IDs. Interesting to hear that this is probably not the case.
