On June 11, it came to light that California resident Richard Yuan Li had been charged with conspiracy to commit wire fraud for his role in a number of SIM swap attacks that targeted at least 20 individuals. Not only that, but as part of his elaborate money-swindling scheme, he also attempted to extort 100 Bitcoin (BTC) from an unknown physician in exchange for keeping their private, sensitive information from being released online.
According to numerous reports, Li’s nefarious deeds began in 2018 and lasted until around mid-2019, a period in which he, along with a group of co-conspirators, tried to defraud many unsuspecting individuals of their hard-earned savings using SIM swap attacks. SIM swapping involves the rerouting of a person’s SIM card to a phone that is in the possession of a hacker, thus allowing them to gain access to an individual’s personal information such as emails, bank account details, cryptocurrency wallets, etc.
Furthermore, over the course of the past few years, SIM swap attacks have seen a dramatic spike. For example, back in May 2018, crypto investor Michael Terpin fell victim to a $23.8 million SIM swap attack that was perpetrated by 18-year-old Ellis Pinsky of Irvington, New York. Similarly, investor and two-time Emmy award winner Seth Shapiro filed a lawsuit against American telecom giant AT&T, alleging that the firm’s employees had masterminded a nefarious SIM swap scheme that resulted in him losing $1.8 million in various crypto assets.
SIM swapping due to poor ID verification protocols?
SIM swapping has become a significant threat for users of major networks in the United States, especially as more and more individuals are starting to rely on their mobile devices to work remotely. In this regard, a large number of Americans are having their lifetime savings and invaluable data stolen from under their eyes solely because mobile operators are seemingly failing to take reasonable steps to prevent their employees from repeatedly conspiring with criminal hackers.
In this regard, John Pierce, a trial lawyer and the global managing partner of Pierce Bainbridge, told Cointelegraph that while criminal prosecutions are starting to take place, accountability in civil cases is absolutely crucial to deter this kind of misconduct. Not only that, he also believes that a major reform in data security practices is needed from the side of most cellphone service providers.
To gain a more in-depth understanding of why SIM-swap-related incidents have been increasing sharply over the past three to four years, Cointelegraph reached out to Mark Grabowski, an associate professor of cyberlaw at Adelphi University as well as a regular columnist for the Washington Examiner. In his view, the reason is that people are now using their smartphones to facilitate their everyday digital activities rather than personal computers, which are considerably more secure. He added:
“In addition to infecting smartphones with malware, criminals are illegally spoofing users’ phone numbers (faking the number that an incoming call is from), porting their numbers (moving the number from a user’s phone to another phone controlled by the criminal) and even cloning SIM cards, the computer chips that identify a phone, to access users’ data and steal money.”
While the federal Wireless Telephone Protection Act of 1998 protects customers from their personal data being shared with third-party sources, Grabowski opined that the lax ID verification protocols that are being used by most cell phone carriers these days make customers vulnerable to a variety of different hack attempts.
Earlier this year, several members of Congress sent a letter to the Federal Communications Commission urging it to mandate that wireless carriers provide stronger protections for customers to truly lock down their accounts, such as requiring an in-person visit to a store before a phone number can be ported to another device or carrier.
Cell phone providers should step up?
Cybersecurity is an ever-evolving domain wherein attackers continually seek to modify their game plans in order to keep up with the latest trends. For example, hackers at one point were using SMS messages to gain access to people’s cell phones by attacking the Signaling System No. 7, or SS7, communications protocol. Now, hackers have become more sophisticated in their ways and have learned how to crack passwords using a variety of different means. As a result, many companies have responded by adding two-factor authentication protocols to bolster their security.
Talking about how easy it is for miscreants to carry out a SIM swap attack, Mark Herschberg, an instructor at the Massachusetts Institute of Technology as well as chief technology officer of cybersecurity company Averon, told Cointelegraph that while initiating such an attack is certainly not easy, if the wallet has enough value in it then it’s worth it for the hackers, adding: “Attackers are very efficient in finding the optimal effort to reward approaches.”
Additionally, talking about ways in which this rising issue can be combated successfully, Herschberg pointed out that there are newer technologies that allow for silent 2FA to take place with no action on the part of the user. In his view, this method is more secure and can help detect SIM swaps more efficiently, allowing a transaction to be flagged by a network operator if one’s SIM has been changed recently.
Battle with AT&T rages on
In perhaps one of the most widely covered SIM swap court cases, a U.S. district judge released an order on May 20 rejecting AT&T’s bid to dismiss Shapiro’s lawsuit, in which he claims that the company acted in an extremely negligent manner and failed to prevent miscreants from making off with $1.8 million worth of crypto. In a conversation with Cointelegraph, Shapiro stated:
“We’re not simply alleging that AT&T employees were involved in my theft: they were named in an indictment by the Department of Justice, from a case built by the Department of Homeland Security (US v Freeman). So the federal government has already proven that AT&T employees are stealing from its customers.”
Furthermore, it is worth mentioning that in the past, AT&T has been handed a number of major defeats in cases quite similar to Shapiro’s. Back in 2018, for example, California resident Robert Ross lost $1 million worth of crypto after a hacker was able to gain control of his AT&T phone. Similarly, North Carolina resident Jason Williams was also on the receiving end of a major SIM swap attack in which he lost the bulk of his crypto savings.
Elaborating on how network operators have been trying to deflect responsibility when it comes to such SIM swap incidents, Shapiro added that for years, big-name players such as AT&T have allowed their employees to destroy the lives of their customers, subjecting them to theft, extortion and other major crimes, instead of taking action to solve such problems: “The Department of Justice indicted two AT&T employees in my case. In that month alone, one of those AT&T employees committed 29 illegal SIM swaps; the other committed at least 12 and AT&T did nothing to stop them.”
Commenting on the subject, Pierce said that AT&T has sought to focus the blame on the hackers that collaborated with AT&T employees to carry out attacks and downplay the relationship between the control of a victim’s cellphone number and the ability to gain access to the victim’s accounts through two-factor authentication:
“AT&T’s motion to dismiss Mr. Shapiro’s lawsuit argued that Mr. Shapiro’s allegations did not meet various technical legal requirements to establish legally cognizable claims against it — most of which the court resolutely rejected. Mr. Shapiro’s court now joins a growing chorus of other federal courts that have allowed civil lawsuits by SIM swap victims to proceed against AT&T.”
Making the call
While some suggest that this recent increase in SIM swapping incidents could be directly linked with the desire of the masses to adopt cryptocurrencies, it appears as though there is not enough evidence available to support this correlation. For example, as with ransomware attacks, SIM swapping simply provides hackers with another avenue to strike a large payday.
However, what should be understood is that in order to prevent SIM swap attacks from becoming commonplace, cellphone users need to become more technically savvy and adopt privacy protocols such as “offline two-factor codes” that can allow users to perform verification checks without them having to rely on their cell phone carrier. An even better alternative could be making use of a physical security key, which would make it nearly impossible for miscreants to gain access to an individual’s personal data.
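The two defenses mentioned above, distrusting SMS codes after a recent SIM change and relying on offline two-factor codes, can be sketched together as follows. This is an added example, not code from the article or from any carrier or vendor it names; the 72-hour window, the `last_sim_change` signal and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Assumption: how long after a SIM change SMS codes are not trusted.
SIM_CHANGE_QUARANTINE = timedelta(hours=72)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): derived from a shared secret and the clock,
    so nothing travels over the phone number a SIM swap takes over."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                drift_steps: int = 1, step: int = 30) -> bool:
    """Accept the current time step plus/minus drift_steps for clock skew."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + d * step, step=step)
        # Constant-time comparison; every candidate is checked, no early exit.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


def allowed_factors(last_sim_change, now):
    """Hypothetical policy: drop SMS while the SIM change is recent.
    An unknown change time (None) is treated as recent, i.e. fail closed."""
    strong = ["totp", "security_key"]
    if last_sim_change is None or now - last_sim_change < SIM_CHANGE_QUARANTINE:
        return strong
    return ["sms"] + strong


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    now = datetime(2020, 6, 11, tzinfo=timezone.utc)  # constructed sample time
    print(allowed_factors(now - timedelta(hours=2), now))  # SMS withheld
    print(verify_totp(secret, totp(secret, 59), 59))
```
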