People who lost millions in cryptocurrencies to hackers who hijacked their cellphones are collaborating to educate the public and strike back against telecom companies they say aren’t doing enough to prevent the hacks, Motherboard reports.
Crowdfund Insider has reported on numerous cryptocurrency thefts involving the fraudulent commandeering of victims’ cell phones.
In a SIM-swap attack, a hacker first identifies a person they believe holds a lot of cryptocurrency.
Holders of so-called “altcoins” (small-cap cryptocurrencies) may be more susceptible to these kinds of attacks because most altcoins are not supported by any of the hardware wallets (offline storage devices) currently available on the market.
Traders with big positions also often store their crypto on exchanges so they can make big moves when called for. Those accounts can be easily accessed online and are generally regarded as vulnerable to hacks.
After a hacker has identified a potentially crypto-rich target, the hacker calls the target’s cellphone provider and provides enough personal information to successfully impersonate the individual and have that person’s cell phone data transferred to a phone possessed by the hacker.
Now the hacker can use that phone, including its two-factor authenticator, to access and clean out a victim’s crypto accounts.
One such victim, Robert Ross, who works in Silicon Valley, was robbed in this way of a million dollars in crypto from two crypto accounts he kept at the Gemini and Coinbase exchanges.
Ross says he watched his phone go dark on a Friday night last October as hackers were going to work:
“I immediately said to myself oh my god I’m under attack…I freaked out and I didn’t really know what to do.”
He says the stolen crypto comprised the majority of his life savings.
Within two months, alleged hacker Nicolas Truglia was arrested at his posh Manhattan apartment and extradited to California to face charges of robbing Ross.
Ross has now launched a new website collecting stories about SIM-swap crypto thefts in the hopes of educating the public while putting pressure on telecom companies to tighten their security protocols.
One of the stories on the website describes a January 2018 theft of $24 million in crypto from ICO promoter Michael Terpin.
According to that story, Terpin believes Truglia was also responsible for that theft. Terpin is suing Truglia for $72 million in damages.
Citing a considerable uptick in SIM-swap hacks, the Santa Clara, California-based REACT Task Force, a law enforcement unit dedicated to fighting cybercrime, recently announced it was pivoting most of its investigative powers to focus on these types of crimes.
REACT task force members reportedly traveled to New York to participate in the arrest of Truglia.
Notably, according to reporting at Krebs on Security, REACT officers now believe many of the SIM-swap attacks they have investigated involved inside jobs aided by telecom employees.
According to Detective Caleb Tuttle and Krebs:
“Most of these SIM swaps are being done over the phone, and the notes we’re seeing about the change in the [victim’s] account usually are left either by [a complicit] employee trying to cover their tracks, or because the employee who typed in that note actually believed what they were typing…(after being) tricked by a complicit co-worker at another store who falsely claimed that a customer there had already presented ID.”
REACT Lieutenant John Rose described SIM-security weaknesses at telecoms as “a really serious problem”:
“Having one employee who can conduct these SIM swaps without any kind of oversight seems to be the real problem…And it seems like [the carriers] could really put a stop to it if there were more checks and balances to prevent that. It’s still very, very easy to SIM swap, and something has to be done because it’s just too simple. Someone needs to light a fire under some folks to get these protections put in place.”
Thousands of legitimate SIM-card replacements occur every month, making it easy for a fraudulent swap to get lost in the haystack.
Police and victims are nonetheless calling for telecoms to up security, and to perhaps require people claiming to have lost their phones to come into retail outlets and resolve the issue in person.
According to Motherboard, most telecoms have provisions in their terms of service that prevent them from being sued in class action suits.