Eight Americans and an Irishman have been charged with wire fraud this week for allegedly hijacking mobile phones through SIM-swapping, a form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device. From there, the attackers simply start requesting password reset links via text message for a variety of accounts tied to the hijacked phone number.
All told, the government said this gang — allegedly known to its members as “The Community” — made more than $2.4 million stealing cryptocurrencies and extorting people for restoring access to social media accounts that were hijacked after a successful SIM-swap.
Six of those charged this week in Michigan federal court were alleged to have been members of The Community of serial SIM swappers. They face a fifteen-count indictment, including charges of wire fraud, conspiracy and aggravated identity theft (a charge that carries a mandatory two-year sentence). A separate criminal complaint unsealed this week charges three former employees of mobile phone providers with collaborating with The Community’s members.
Several of those charged have been mentioned by this blog previously. In August 2018, KrebsOnSecurity broke the news that police in Florida arrested 25-year-old Pasco County, Fla. city employee Ricky Joseph Handschumacher, charging him with grand theft and money laundering. As I reported in that story, “investigators allege Handschumacher was part of a group of at least nine individuals scattered across multiple states who for the past two years have drained bank accounts via an increasingly common scheme involving mobile phone SIM swaps.”
This blog also has featured several stories about the escapades of Ryan Stevenson, a 26-year-old West Haven, Conn. man who goes by the hacker name “Phobia.” Most recently, I wrote about how Mr. Stevenson earned a decent number of bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their Web sites — all the while secretly operating a service that leveraged these same flaws to sell their customers’ personal data to people who were active in the SIM swapping community.
One of the six men charged in the conspiracy — Colton Jurisic, 20, of Dubuque, Iowa — has been better known under his hacker aliases “Forza” and “ForzaTheGod.” In December 2016, KrebsOnSecurity heard from a woman who had her Gmail, Instagram, Facebook and LinkedIn accounts hijacked after a group of individuals led by Forza taunted her on Twitter as they took over her phone account.
“They failed to get [her three-letter Twitter account name, redacted] because I had two-factor authentication turned on for twitter, combined with a new phone number of which they were unaware,” the source said in an email to KrebsOnSecurity in 2016. “@forzathegod had the audacity to even tweet me to say I was about to be hacked.”
Also part of the alleged Community of SIM swappers are Conor Freeman, 20, of Dublin, Ireland; Reyad Gafar Abbas, 19, of Rochester, New York; and Garrett Endicott, 21, of Warrensburg, Missouri.
The three men criminally accused of working with the six through their employment at mobile phone stores are Fendley Joseph, 28, of Murrietta, Calif.; Jarratt White, 22, and Robert Jack, 22, both from Tucson, Ariz. Joseph was a Verizon employee; White and Jack both worked at AT&T stores.
If convicted on the charge of conspiracy to commit wire fraud, each defendant faces a statutory maximum penalty of 20 years in prison. The charges of wire fraud each carry a statutory maximum penalty of 20 years in prison.
Last month, 20-year-old college student and valedictorian Joel Ortiz became the first person ever to be sentenced for SIM swapping — pleading guilty to a ten-year stint in prison for stealing more than $5 million in cryptocurrencies from victims and then spending it lavishly at elaborate club parties in Las Vegas and Los Angeles.
A copy of the indictment against the six men is here (PDF). The complaint against the former mobile company employees is here (PDF).
Great reporting as usual!
Now we shall see a bunch of yet-to-be-caught folks commenting here to defend these criminals.
Yep, just waiting on “Readership1” to comment lol.
I was SIM swapped in March under very similar circumstances…the investigation is ongoing. Amazing that you can take all the requisite precautions on your side and your mobile provider can just give it all away…and then direct you only to their PO Box or fax for follow-up requests for information…where there is no verification of receipt, and thus far no response. Problems on all sides of this situation.
Just goes to show that 2 factor authentication that relies on SMS isn’t actually 2 factor authentication.
If you had an app on your mobile device generating codes that have to be entered as the second factor, they can sim swap all they want and the app won’t generate the same codes to let them into your accounts.
The pain of getting your number back is still there, but at least the identity theft part is lessened because they wouldn’t gain access to every account that uses SMS for 2FA.
Exactly this. I’ve been telling people, even many vendors that SMS isn’t real 2FA. When you consider the basic definitions of “possession” or “something you have” factor… it does seem to the untrained eye that the cell phone is the physical possession.
But a phone number is NOT a phone!
A phone number is only temporarily linked to a phone, but some back office database operated by a 3rd party controls that link.
I know a few people who you could explain that fact to many different ways, but they will insist on not understanding what the point is, because they already made their mind up on how things ought to be. Imagine if that’s the case for board members running a telecom. High-powered business types who only got that far because they were ‘decisive & bold’ and never once questioned anything they decided to go ahead with.
KREBSONSECURITY: WHO IS THE PHONE CARRIER?
Says right there, 1 verizon, 2 at&t employees. That covers the majority of the US in those two companies.
They all should serve 15-20 years in fed prison. SIM swappers are the worst of the worst. I will pray to the internet gods that the federal judge doesn’t go easy on them.
While they are all pretty young offenders, these are big boy crimes that deserve big boi prison time. Hopefully, they can get out and lead successful lives and not fall back into the cybercrime underground.
Yeah, I don’t know if I agree with you there. I wouldn’t compare SIM swapping to being the “worst of the worst” and worthy of 15-20 years in prison. This isn’t murder or rape sentences. There have been high profile hackers that have only received 5-8 years for hacks on NASA and federal governments which should have received way harsher punishment considering the information that was stolen. These are just some idiots swapping SIMs and stealing phones/accounts. They absolutely should get prison time, but 15-20 years? That seems like a pretty steep punishment for the crime if you ask me.
I think 15 years is too light of a sentence. These criminals ruined many people’s lives, stole their life savings, and generally show no remorse for the damage they cause to individuals and society.
They are guilty of much more than just “swapping SIMs and stealing phones/accounts.”
I agree that it’s a terrible crime and I’m not downplaying the victims by any means. I just think cyber-attacks on federal government agencies which disclose highly sensitive information are a little higher profile attacks than SIM swapping. Developing and selling ransomware or other MaaS (Malware as a Service) and selling it to the public is a little higher than SIM swapping. Both of those cases, generally, the attackers get less than 15-20 years, when in reality, they probably should get much more. Common thieves don’t get 15-20 years, why should SIM swappers be on par with murder/rapist sentences?
SIM swappers earn a lot of money, and they’re also the stupidest type of “hacker” I’ve ever met.
Why do so many companies that allow TOTP (apps that generate codes) not allow you to cancel phone texting and/or email for backup? Of course the crooks will say they do not have the app.
Google is one of the few accounts where you can turn off all backup methods of 2FA beyond an authenticator app. Most banks still will fall back to text message to a phone or an email if you tell it you don’t have the app for your code. There is no way to shut that off.
Yeah, that’s so annoying. I can only hope they are running analytics that are showing that once TOTP 2FA is enabled, there is no legitimate use for SMS or email 2FA as a backup.
For banks, the fraud team ‘should’ be looking harder at any 2FA done with these methods once TOTP had been activated and used.
I prefer the list of backup codes I can print and store in a safe.
Agree totally. I have this issue with Amazon; I can’t remove my mobile number from my account. Worse, Amazon selects SMS as the default 2FA every time I sign in. I have to manually tell the login page to use an alternative means (phone call or Auth App are the other options) for 2FA. Sometimes, by the time I do that, I have already received an SMS verification code. I hate that. You’d think a big company like Amazon would do better.
You should be able to change the order of 2FA on your Amazon account and make TOTP primary. When I set mine up I was using email delivery of one-time passwords, and when I added TOTP, all I had to do was make TOTP the primary and then delete the email OTP.
Have you tried 2FA with Facebook? It’s a joke. I set it up with an app that generates a one-time password but then Facebook goes ahead and texts me the code! What the heck; that’s not the point at all.
Any idea if SIM-swapping is a worldwide problem? From most accounts I’ve seen up to now, it mainly seems to happen in the United States.
I only read one article about Brazil (I think), and one African country.
One would think that such a juicy fraud would be happening all over the world, unless there’s something specific, in the countries where it’s happening, that allows it.
Oh, it is worldwide.
China and India especially. Europe too.
This is a US based website though, so you get a US centric view here.
Same case for Russia too. While a SIM swap operation requires the subscriber’s internal passport, false letters of attorney are reportedly used. Operator employees are bribed too. Moreover, the SIM swap is typically made in a remote timezone, so the victim very possibly missed the swap notification. Mobile operators now suspend bank SMS for 24 hours after a swap, but not for web services.
Stop me if you’ve heard this one before…
“Thou shall not steal.”
Thank you, thank you; I’ll be here for all of eternity.
I want to double-check my cell carrier Consumer Cellular’s security measures regarding SIM swaps… What should I look for or ask customer support so I can ascertain my potential exposure? And what safeguards can consumers adopt (if any exist…) to lower our risk of becoming a victim?
Request that your mobile service provider require a code of some sort before allowing any changes to your account, including a SIM card switch.
Prepaid accounts tend to have terrible security, but postpaid accounts should have the ability to lock out non-employees from changing anything.
But there’s a catch; employees are generally able to do whatever they want, especially at stores. They can bypass codes and passwords. And because they have this privilege, they’re under scrutiny. Ultimately, that’s how these criminals were caught, when employees got squeezed.
Call them and ask what other security you can add on your account. It really just depends on your provider. I know with the more popular ones you can set a PIN that MUST be required to complete any change to the account.
You can contact your carrier if your mobile account is postpaid. Most carriers offer no protection for prepaid accounts.
Ask for a PIN or password to secure your account against changes being made by non-employees. A few carriers even allow a second password or PIN to protect against attempts at a SIM swap.
Unfortunately, carrier employees and authorized agents — particularly in stores and mall kiosks — can get around many account safeguards, by virtue of their trusted role in direct customer service. Some criminals exploit this trust by tricking or blackmailing (or bribing) these employees and agents to take part in various scams.
I hope Colton gets 10 years in prison
KREBS ON SECURITY: WHO IS THE PHONE CARRIER?
The phone carrier where three of the accused worked? That info is in the story. Two worked at AT&T and the other at a Verizon store.
YOU FORGOT TO RESPOND IN ALL CAPS!
Yes, thank you Brian.
LOVE YOUR REPORTING ON SIM SWAPPING.
I’ll take “Yelling” for 500, Alex
Sami, is truglia going to get 10?
What about AT&T?
A long sentence with actual hard labor is what these miscreants deserve, eased only if they double-down in their redemption efforts inside those prison walls by working with Federal authorities against other such criminals.
What about SQRL? Anybody know enough about the technology to say whether it would be immune to SIM swaps? https://en.wikipedia.org/wiki/SQRL
Just a disclaimer… SQRL is from Steve Gibson of GRC… and this protocol doesn’t seem to be in actual use anywhere important. Certainly not anything related to SIM swapping.
The work on SQRL hasn’t been completed yet (very close though it seems according to Steve) so that is why you do not see it in use anywhere. I’m not sure if that will change even when it is released but from what I have heard it is a very interesting option that should be explored at least.
That is the downside to individuals trying to roll their own protocol. Not even a group of open source collaborators… just one guy’s idea without much of any support.
There are way better authentication mechanisms in commercial use today… and I wouldn’t even bother trying to find a home grown protocol like SQRL.
If a site used SQRL instead of authentication relying on phone/text verification then it should be immune to a SIM swap.
Immunity could be lost if the site has a phone/text-based account recovery feature.
If systems related to the SQRL client (or less likely, the server) can be compromised by an attacker doing a SIM swap then SQRL could be defeated. Example: the user has the master key/secret stored in a location that can be accessed by using a SIM swap to access the third-party service (e.g., Dropbox, Google Drive, email box, etc.).
“Halo” is Garrett’s alias, and Reyad goes by “Rey”. They were both members of OGUSERS, before the first VICE article aired. After VICE, they left the OGUSERS forum and community.
Well, at least these young men have a nice future to look forward to, where they’ll be Sex with In Mate (SIM) swapped from the cell block to the yard.
Good riddance, kiddos!
I’m from Connecticut originally, Ryan Stevenson gives that state a real bad name.
New “SIM-less” phones are coming out, I wonder if they will make this crime easier or harder.
Recently the federal TSP retirement savings program started offering two-factor authentication using email or cell phone. Neither seems safe to me, given this article by Brian. I am thinking of just staying with my very long password. Brian and others: What do you think?
That is how I feel too; but now some credit card companies are forcing me to give a wireless number and use text messages to access accounts online. I tried to use land line numbers, but to no avail – I’m not happy about it, because so far my complex passwords have done the job. Of course some companies get compromised and the clear text password is given away anyway.
SMS based 2FA certainly has its issues but it is still much much stronger than just a password by itself. If you are using SMS based 2FA then at least the bad guys will have to target you and have a connection at the cell carrier. Without any form of 2FA all they need is your password.
Always use 2FA/MFA when it’s available, even if it is only SMS based.
If you have the option to disable SMS based 2FA and enable a stronger form of 2FA then that is your best choice but as many have stated in the comments this is often not an option.
Either way, any form of 2FA is better than no 2FA/MFA.
Multi-factor authentication is better than a single factor like a password, with the caveats that it is properly implemented and that not all factors are equal. If an SMS (text) one-time password is implemented it will be better than just a password. But if, in the implementation, the same SMS number is used to send a reset code or link, then it collapses to a single factor.
SMS is probably the next weakest authentication to the passphrase/password/pin. There are a number of viable attacks on the SMS channel, SIM swapping is but one of them.
The rub is that the codes typically used over the SMS channel use nearly the same server software that a hardware or software TOTP token uses. Either the software or the hardware TOTP solution is far more secure than the SMS channel. The cost to implement compared to the SMS code is negligible.
Email could be used instead of SMS. That’s a wildcard. Old traditional legacy email is not secure enough for authentication. But most email these days uses encrypted connections end to end.
Thank you all very much for your replies. I will add the cell phone authentication to my TSP account.
This happened to me recently. The attackers gained access to my phone account, either by socially engineering or accomplice inside the organisation. Either way it is bad news for the telco employee.
From there they SIM swapped my number to their phone and managed to gain access to my bank account, details of which were visible on my telco account. Luckily I was on to it straight away and managed to regain control of my number and accounts.
This happened within a couple of hours, and in Australia.
Interesting that none of them are over 30. Is there some stigma now attached to working a regular job? If you have that much knowledge in your head, why turn to the dark side? It boggles the mind…
Just on a side note to some of the comments, 2FA is fine, as long as there is a backup authentication method. If there is no backup authentication method, it can get expensive to recover a loss of authentication.
Recently, I learned the lesson the hard way at work with Web Hosting Manager (no backup authentication on that) and changing phones. Google Authenticator didn’t grab the bar code correctly, some hosting provider error occurred or I screwed up the process somehow. We had to pay the hosting company a pretty penny to get them to disable 2FA from their end.