SIM swapper sent to prison for 2FA cryptocurrency heist of over $20m – Naked Security
A Florida man who was part of a cybercrime gang that went after cryptocoin wallets has been sentenced for his part in a cyberheist that allegedly netted the participants more than $20,000,000.
The scammers, including one Nicholas Truglia, 25, got control of various online accounts belonging to the victim by using a trick known in the trade as SIM swapping, also known as number porting.
Migrating your phone number
As you’ll know if ever you’ve lost a phone, or damaged a SIM card, mobile phone numbers aren’t burned into the phone itself, but are programmed into the subscriber identity module (SIM) chip that you insert into your phone (or perhaps, these days, that you install electronically in the form of a so-called eSIM).
So, a crook who can sweet-talk, or bribe, or convince using fake ID, or otherwise browbeat your mobile phone provider into issuing “you” (meaning them) a new SIM card…
…can walk out of the mobile phone shop [a] with your number in their phone, and [b] with your SIM card invalidated and thus unable to connect to the network to receive calls or get online.
Simply put, your phone goes dead, and theirs starts receiving your calls and text messages, notably including any two-factor authentication (2FA) codes that might get sent to your phone as part of a secure login or a password reset.
The SIM-swap problem (namely that the right to reissue replacement SIM cards is vested in too many different people at too many different seniority levels in too many mobile phone companies to control reliably) is why the US public service no longer recommends SMS-based 2FA for general use, and has disapproved it for government staff.
Bring on the cryptocoins
In this case, it seems that someone in the cybergang went after login details for the victim’s accounts, shared them with numerous other participants, and then got Truglia to act as a receiver for cryptocurrency funds drained from the victim.
Truglia then apparently disbursed the stolen funds back out to numerous other cryptocoin wallets owned by the other participants, keeping an unknown cut as his share of the deal.
The US Department of Justice (DOJ) notes that “[the] Scheme Participants stole over $20 million worth of the Victim’s cryptocurrency, with the defendant keeping at least approximately $673,000 worth of the stolen funds.”
Truglia received an 18-month prison term plus three years of supervised release to follow it, forfeited $983,010.72 right away, and has been ordered to pay back a whopping $20,379,007.
Quite how he will do that without the co-operation of the others in the scam, who seem to have divided most of that $20 million between themselves, and what happens if he doesn’t manage to convince them to do so, is not mentioned in the DOJ’s report.
What to do?
- Limit the amount of cryptocoinage you keep online and directly accessible. So-called cold wallets that can’t be accessed remotely will protect you from password and 2FA-stealing scams where remote criminals access your accounts directly.
- Consider switching away from SMS-based 2FA if you haven’t already. One-time login codes based on text messages are better than no 2FA at all, but they clearly suffer from the weakness that a scammer who decides to target you can attack your account without attacking you directly, and thus in a way that you yourself can’t reliably defend against.
- Use a password manager if you can. We don’t know how the criminals acquired the victim’s passwords in this case, but a password manager at least makes it unlikely that you will end up with passwords that an attacker could guess, or figure out easily from public information about you, such as your dog’s name or your child’s birthday.
- Watch out if your phone goes dead unexpectedly. After a SIM swap, your phone won’t show any connection to your mobile provider. If you have friends on the same network who are still online, this suggests that it’s probably you who is offline and not the whole network. Consider contacting your phone company for advice. If you can, visit a phone shop in person, with ID, to find out if your account has been taken over.