Beware: SIM Hijackers Steal Over $5 Million in Bitcoin in First Reported Crime

[Elmer1]

Forget cryptojacking, SIM hijacking now seems set to become even more lucrative for criminals looking to cash in with bitcoin from the burgeoning space.

]A 20-year old college student from BostonMassachusetts was arrested in California earlier this month on charges of being part of a gang that hacked cellphone numbers before stealing over US$5 million in bitcoin and other cryptocurrencies.

According to Motherboard, the number of cell phone numbers that the Bostonian named Joel Ortiz and his accomplices hacked using a technique referred to as SIM swapping or hijacking was about 40. With SIM hijacking, mobile operators are tricked into transferring the phone number of a target to a SIM card that’s under the control of the criminal. Upon obtaining the number the criminals can then reset passwords before accessing online accounts of their victim.


Read more about this news https://www.ccn.com/sim-hijackers-steal-over-5-million-in-bitcoin-in-first-reported-crime-of-its-kind/

[1714673577]

1714673577

[1714673577]

1714673577

[1714673577]

1714673577

[1714673577]

1714673577

[stompix]

The first time I can say I'm happy to be with Orange..

When I got my sim damaged I had to go in person to a store with my id card and my PUK code in order to give me a new one and on top of that I've had to wait until they've verified that indeed that was the original sim

Took me 2 hours of waiting and I've cursed them with every damn word in my fucktionarry but now reading this I'm quite happy things are like that.

[HeRetiK]

SIM hijacking is a serious issue and is an attack vector that has been known for years. It's why the usage of mTAN by banks has been critized as highly insecure in the past. I'm not sure about the actual success rate of said attacks, but they have existed for quite a while now [1]. Reading stompix' post it seems like at least mobile providers finally got the memo though.

The lesson: Don't rely on text messages for 2FA! Use an app or a dongle instead!

(German source only, sorry)
[1] https://www.heise.de/security/meldung/Online-Banking-Neue-Angriffe-auf-die-mTAN-2851624.html

[umar22pk]

That’s alarming to all to secure their account & password, because they can be victim as well.
For that it is necessary to use one time password along with 2 way authentication, it will be more usefull if you used hardware wallet.

[BitcoinNewbie15]

SIM hijacking is a serious issue and is an attack vector that has been known for years. It's why the usage of mTAN by banks has been critized as highly insecure in the past. I'm not sure about the actual success rate of said attacks, but they have existed for quite a while now [1]. Reading stompix' post it seems like at least mobile providers finally got the memo though.

The lesson: Don't rely on text messages for 2FA! Use an app or a dongle instead!

(German source only, sorry)
[1] https://www.heise.de/security/meldung/Online-Banking-Neue-Angriffe-auf-die-mTAN-2851624.html

This attack was happening a few years back to youtubers. A lot of high profile youtubers were getting their account hacked because they had T-Mobile and their security policies weren't very strict. Hackers would just call customer support, pretend to be the youtuber, and boom they get their simcard. 2FA through text is the least secure method for 2FA. As you said, use an app like authy or google authenticator. Infinitely more secure.

What's a 2FA dongle though? I have never heard of a dongle for 2FA before, but I would love to get one.

[HeRetiK]

This attack was happening a few years back to youtubers. A lot of high profile youtubers were getting their account hacked because they had T-Mobile and their security policies weren't very strict. Hackers would just call customer support, pretend to be the youtuber, and boom they get their simcard. 2FA through text is the least secure method for 2FA. As you said, use an app like authy or google authenticator. Infinitely more secure.

It's freaking scary how much you can achieve by simply calling customer support. I always get a bit uneasy when I get in touch with customer support that seems to handle support requests a tad bit too informal for my taste. Sure it's convenient, but also... you know... insecure.

What's a 2FA dongle though? I have never heard of a dongle for 2FA before, but I would love to get one.

Yubikey for example:
https://www.yubico.com/products/yubikey-hardware/

I have no personal experience with this hardware, but recently read an article about how Google has shifted away from app-based 2FA to Yubikeys. Apparently they've been using them internally for 1-2 years by now, with good results. Not sure how widely supported they are though.

[o_e_l_e_o]

It always amazes me that people who have so much money stored in cryptocurrency are so technically inept and bad at security.

If your 2FA can be reset/hacked by the same method that would reset/hack your logins/passwords, then it isn't 2FA. Use one that isn't linked to or backed up on your SIM, email, etc. Some hardware wallets such as the Ledger have a 2FA app available for them.

[joshuarose]

Forget cryptojacking, SIM hijacking now seems set to become even more lucrative for criminals looking to cash in with bitcoin from the burgeoning space.

]A 20-year old college student from BostonMassachusetts was arrested in California earlier this month on charges of being part of a gang that hacked cellphone numbers before stealing over US$5 million in bitcoin and other cryptocurrencies.

According to Motherboard, the number of cell phone numbers that the Bostonian named Joel Ortiz and his accomplices hacked using a technique referred to as SIM swapping or hijacking was about 40. With SIM hijacking, mobile operators are tricked into transferring the phone number of a target to a SIM card that’s under the control of the criminal. Upon obtaining the number the criminals can then reset passwords before accessing online accounts of their victim.


Read more about this news https://www.ccn.com/sim-hijackers-steal-over-5-million-in-bitcoin-in-first-reported-crime-of-its-kind/

I heard that it is not convenient to store bitcoin for a long time, and maybe only 2FA Google authentication protection authority can eliminate this crime

[superman99]

Information is terrible !!!
They can steal information from our sim.
Their actions are condemning. High-tech security and privacy activists need to take action to reverse the bad behavior!

[HeRetiK]

Information is terrible !!!
They can steal information from our sim.
Their actions are condemning. High-tech security and privacy activists need to take action to reverse the bad behavior!

Those attacks do not involve stealing information from SIM cards. They don't even require access to the victim's mobile phone (neither physically nor via malware). It's a question of lacking security procedures from the side of mobile operators. Those were social hacks, not technical ones.

Security researches have warned about the risks of SMS based 2FA for almost a decade. Most mobile operators did next to nothing to alleviate these risks. Banks continue using mTANs. Websites and many users continue relying on SMS based 2FA. For some unfathomable reason apparently even tech companies still rely on SMS based 2FA in some cases, with obvious results: https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

People need to start listening to security researches instead of viewing them as paranoid nerds. But they never do until shit hits the fan.

/rant

[hatshepsut93]

Forget cryptojacking, SIM hijacking now seems set to become even more lucrative for criminals looking to cash in with bitcoin from the burgeoning space.

SIM hijacking has absolutely nothing to do with cryptojacking, they are completely different kinds of attacks and the only thing they have in common is the word "jacking". So, why should we forget cryptojacking?

This attack is not new, it has been around for years and people who are into security know that mobile authentification is weak and things like google authentificator should be used instead.

[audaciousbeing]

Forget cryptojacking, SIM hijacking now seems set to become even more lucrative for criminals looking to cash in with bitcoin from the burgeoning space.

]A 20-year old college student from BostonMassachusetts was arrested in California earlier this month on charges of being part of a gang that hacked cellphone numbers before stealing over US$5 million in bitcoin and other cryptocurrencies.

According to Motherboard, the number of cell phone numbers that the Bostonian named Joel Ortiz and his accomplices hacked using a technique referred to as SIM swapping or hijacking was about 40. With SIM hijacking, mobile operators are tricked into transferring the phone number of a target to a SIM card that’s under the control of the criminal. Upon obtaining the number the criminals can then reset passwords before accessing online accounts of their victim.


Read more about this news https://www.ccn.com/sim-hijackers-steal-over-5-million-in-bitcoin-in-first-reported-crime-of-its-kind/

This is purely not the fault of the phone holder because there is no way to control what someone who steal your phone can do with it. The fault is actually from the service provider with how much they pride themselves as using state of the art facilities, they could be tricked into giving personal information in  such a cheap way and not asking for more information to clarify before giving such information. I wish those who suffer the losses should sue them for the losses as they should be the one held responsible for such vulnerability. I also wish the way they attach it to crypto currency is just to make a statement as it surely more than that, people have their phone numbers linked to their bank accounts which means some other people would have suffered huge amount of loss from that end too. The people involved should be prosecuted and made to face the law but also those who made it possible in this case the service providers should also be made to pay.

[bitfocus]

SimJacking is a serious crime and takes high knowledge and long preparation - serious type of crime.

[o_e_l_e_o]

This is purely not the fault of the phone holder because there is no way to control what someone who steal your phone can do with it.

It partly is, though. We know SMS verification is inherently insecure, and has been for years. Continuing to use it is akin to using the same simple password for every account you own.

If you have enough IT knowledge to buy and store crypto, then you definitely have enough to use proper 2FA.

[Marlo Stanfield]

Forget cryptojacking, SIM hijacking now seems set to become even more lucrative for criminals looking to cash in with bitcoin from the burgeoning space.

]A 20-year old college student from BostonMassachusetts was arrested in California earlier this month on charges of being part of a gang that hacked cellphone numbers before stealing over US$5 million in bitcoin and other cryptocurrencies.

According to Motherboard, the number of cell phone numbers that the Bostonian named Joel Ortiz and his accomplices hacked using a technique referred to as SIM swapping or hijacking was about 40. With SIM hijacking, mobile operators are tricked into transferring the phone number of a target to a SIM card that’s under the control of the criminal. Upon obtaining the number the criminals can then reset passwords before accessing online accounts of their victim.


Read more about this news https://www.ccn.com/sim-hijackers-steal-over-5-million-in-bitcoin-in-first-reported-crime-of-its-kind/

This isn't really new information to be honest. People have been having issues with 2FA being easily broken by similar cases for quite a long while now. Which is probably why you mostly see token based 2FA rather than the old style.

[williamcastaneda]

SimJacking is a serious crime and takes high knowledge and long preparation - serious type of crime.

yeah, they may have studied with a short time and this is dangerous

[rabia_laskor]

This is sad. Seems like the hackers are coming up with new ways to make money out of people's hard earned coins. The telecom companies need to be more cautious because such incidents will defame their names on the process.

[davis196]

I'm glad I live in a country ,where phone numbers can't be just transferred from one SIM card to another.
I was reading some other posts here,claiming that smartphones are the most secure place to store cryptocurrencies,because the crypto wallet installed on the phones has no connection to the phones's operating system nore to internet.What a joke?

[Wendigo]

It's the mobile operators' fault for allowing the SIM transfers. It's relatively easy to social engineer one's way around a customer support agent over the phone if some credentials of the victim are known and, after gaining access to the phone number, the intruder can go to town resetting all victim's accounts. SIM transferring should only be allowed by visiting the company's offices and doing it in person after verification of the identity of the SIM owner. I have heard a lot of horror stories about SIM hijacking - mainly famous influencers' Twitter accounts getting hacked via social engineering and lax security protocols of the mobile operators.

[Kenneth_Bianchi]

The power of SIM cards is incredible these days. Banks are using them for verification, crypto wallets have them with 2FA, and more and more sensitive information is being stored on people's phones.

It's hard to believe that you can lose so much if you lose your phone. A thief can use that phone to access your information and take out massive loans in your name. Or they could get your bitcoin keys, bank password, anything you use to keep money. People need to be more careful about what they leave lying around inside their phones.

But yeah, it's definitely the operators' fault. That's just plain stupid, transferring SIMs that easily.