SIM Swapping Becomes Increasingly Popular in California, Police Make It “High Priority”

On November 7, the security news and investigation blog KrebsOnSecurity published an interview with the REACT Task Force, a California-based law enforcement group dedicated to fighting cybercrime.

As per the article, members of REACT consider “SIM swapping” one of their “highest priorities” in a bid to fight cryptocurrency fraud. Here is how fraudsters use 99-cent SIM cards bought off eBay to steal millions of dollars’ worth of crypto with just one call.

“SIM swapping”: what is it?

SIM swapping is the process of making a telecom provider like, say, T-Mobile, transfer the victim’s phone number to a SIM card held by the attacker — usually bought off of eBay and plugged into a “burner” phone, as Samy Tarazi, a sergeant at the Santa Clara County Sheriff’s office and a REACT supervisor, told KrebsOnSecurity:

“We’re talking about kids aged mainly between 19 and 22 being able to steal millions of dollars in cryptocurrencies [...] we’re now dealing with someone who buys a 99 cent SIM card off eBay, plugs it into a cheap burner phone, makes a call and steals millions of dollars. That’s pretty remarkable.”

According to the Motherboard investigation, SIM swapping “is relatively easy to pull off and has become widespread.” It also suggested that “hundreds of people across the US have had their cell phone number hijacked in this so-called ‘Port Out Scam.’”

Indeed, in California, where the REACT team is based, SIM swapping appears to be a new craze among crypto fraudsters. Tarazi told KrebsOnSecurity:

“It’s probably REACT’s highest priority at the moment, given that SIM swapping is actively happening to someone probably even as we speak right now.”

He added, however, that “there are only a few dozen individuals” responsible for committing those crimes:

“For the amounts being stolen and the number of people being successful at taking it, the numbers are probably historic.”

So how exactly does having access to someone’s phone number help to steal crypto?

Once the hackers get access to the victim’s phone number, they use it to reset the victim’s passwords and break into his or her accounts, including email and accounts on cryptocurrency exchanges. Consequently, they get access to crypto funds stored on hot wallets.

The tactics employed by criminals to perform SIM swapping may vary. As per Motherboard, fraudsters often use so-called “plugs”: telecom company insiders who get paid to do illegal swaps. An anonymous SIM hijacker told the publication:

“Everyone uses them […] When you tell someone [who works at a telecoms company] they can make money, they do it.”

A different anonymous source at the telecom provider Verizon told Motherboard that he had been approached via Reddit, where he was offered bribes in exchange for SIM swaps. Similarly, a T-Mobile store manager was reportedly messaged by fraudsters on Instagram after posting a picture of himself and tagging it #T-mobile. He was told that he could make up to $1,000 per week for transferring customers’ phone numbers to new SIM cards.

Another Verizon employee claimed that the hacker, who also found him on Reddit, promised that they would make “$100,000 in a few months” if he would cooperate: all he had to do was “either activate the SIM cards for [the hacker] when [he was] at work or give [the attacker his] Employee ID and PIN.”

Indeed, Caleb Tuttle, a detective at the Santa Clara County District Attorney’s office, highlighted three common SIM swapping scenarios in an interview with KrebsOnSecurity:

  1. The attacker bribes or threatens a mobile store employee into assisting in the crime;
  2. Current and/or former mobile store employees intentionally abuse their access to customer data;
  3. Mobile store employees trick unsuspecting associates at other branches into swapping a victim’s existing SIM card with a new one.

SIM swapping allows thieves to bypass even two-factor authentication, especially if it involves SMS backup, as Wired points out. Detective Tuttle’s comment to KrebsOnSecurity seems to confirm this: he advises people to use something other than text messages for two-factor authentication on their email accounts. Specifically, he mentions the Authy mobile app or Google Authenticator as possible alternatives:

“Let’s say I have a Coinbase account and I have it set up to require a password and a one-time code generated by Authy, but my Gmail account tied to that Coinbase account doesn’t use Authy and just uses SMS for two-factor. Once I SIM swap that person, I can often also use that access to [request a link via text message] to reset his Gmail password, and then set up Authy on the Gmail account using my device. Now I have access to your Coinbase account and can effectively lock you out of both.”

Sergeant Tarazi also urges the public to recognize the potential danger of SMS-based two-factor authentication, although it has become a common security solution for online services.

“[...] most people who aren’t following the SIM swapping problem have no idea their phone and associated accounts can be taken over so easily. [...] In this case, the victim didn’t download malware or fall for some stupid phishing email. They just end up getting compromised because they followed the industry standard.”
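The chain Detective Tuttle describes can be checked against one's own account inventory. The following is an added example, not code from KrebsOnSecurity or REACT: it walks the recovery channels of each account and reports which ones fall once the phone number is hijacked. The channel labels, the "bank" entry and the rule that controlling any single recovery channel is enough to reset an account are assumptions made for illustration.

```python
# Added example: which accounts fall if the phone number is hijacked?
# Assumption: controlling any one recovery channel of an account is enough
# to reset it completely (password and second factor).

PHONE = "phone-number"

def exposed_by_sim_swap(accounts):
    """Return {account: takeover chain} for every account reachable from the
    phone number. `accounts` maps an account name to the channels that can
    recover it: "sms", "app" (authenticator app, not tied to the number),
    or "email:<account name>"."""
    chains = {}
    changed = True
    while changed:                       # iterate until nothing new falls
        changed = False
        for name, channels in accounts.items():
            if name in chains:
                continue
            for ch in channels:
                if ch == "sms":
                    chains[name] = [PHONE, name]
                elif ch.startswith("email:") and ch[6:] in chains:
                    chains[name] = chains[ch[6:]] + [name]
                else:
                    continue             # channel not under attacker control
                changed = True
                break
    return chains

# Constructed inventories mirroring the detective's scenario.
AS_DESCRIBED = {
    "gmail": ["sms"],                    # a text message can reset the mailbox
    "coinbase": ["app", "email:gmail"],  # app code at login, reset mail goes to Gmail
    "bank": ["app"],                     # hypothetical: no SMS or email fallback
}
HARDENED = dict(AS_DESCRIBED, gmail=["app"])  # SMS recovery removed from Gmail

if __name__ == "__main__":
    for label, inventory in (("as described", AS_DESCRIBED), ("hardened", HARDENED)):
        print(label)
        for account, chain in exposed_by_sim_swap(inventory).items():
            print("   " + " -> ".join(chain))
```

With the inventory as described, the exchange account is exposed through the mailbox even though it never uses SMS itself; removing SMS recovery from the mailbox empties the result.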

Who are the targets?

People who are active in the cryptocurrency community, mostly: they might work at cryptocurrency-related startups, participate as speakers at blockchain conferences, or discuss their crypto investments on social media.

REACT Lieutenant John Rose explains that it is much easier and safer for SIM swappers to steal only crypto funds, even if they discover passwords for traditional bank accounts during the hack:

“Many SIM swap victims are understandably