Hackers circle crypto as individual investors pour cash

Ms. Maguina, who runs an event logistics business with her husband in Doral, Fla., said she was on her way to sleep on July 5 when she noticed that her phone signal had failed. By the time Ms. Maguina’s service was restored, she said, an unauthorized user had changed her password for trading platforms Binance and Coinbase and initiated a transaction that emptied accounts of about $80,000 worth of crypto at the time.

“It was like someone was coming into your house through a window or a back door,” Ms. Maguina said. “You feel like you can’t do anything.”

Criminals have a history of stealing money from wealthy or well-known crypto investors via SIM swaps, or switching phone numbers from one device’s subscriber identity module to another. But according to cybersecurity experts, lawyers and law-enforcement officials, the crypto boom among mom-and-pop investors has prompted hackers like Ms.

Attacks on small investors have sparked legal battles with cellphone carriers, prompted customers to change plans and prompted some telcos to change security measures. Law-enforcement agencies across jurisdictions are trying to team up in response to a wider pool of potential victims. The Federal Communications Commission is considering rules for wireless carriers aimed at limiting SIM-swap fraud, proposing tighter restrictions on switching numbers between devices and carriers.

Some wireless companies say federal regulations could make matters worse for consumers.

AT&T Inc. said Monday that the agency’s proposed rules could give hackers a blueprint for attacks and add friction for legitimate customers who need to switch devices or carriers. AT&T said customers make hundreds of thousands of such requests a month. A fraction of 1% of them—potentially thousands in total—are fraudulent, the company said.

“Carriers must be agile and innovative in fighting fraud and not be tied to prescriptive requirements involving specific techniques or methods,” AT&T said.

The company warned against certain measures taken by the FCC, such as notifications to phone users of SIM-swap requests and a possible 24-hour delay for executing them.

SIM swaps occur when customers move their numbers to new phones, while the “porting out” function switches numbers to different carriers. Hackers can impersonate phone users with different types of account information or personal data, said Kevin Lee, lead author of a 2020 Princeton University study on SIM swaps.

This process “cannot take more than 10 minutes, excluding subscriber-hold music and the like,” said Mr. Lee, whose team was able to take advantage of the measures for prepaid plans offered by AT&T, T-Mobile US Inc. and Verizon Communications Inc. Mr. Lee said most customers of firms that dominate the home wireless market have postpaid plans that may have various security measures.

AT&T told the FCC it uses data-analytics tools to measure the risk of postpaid customers’ SIM-swap requests. A Verizon spokesperson said postpaid customers are required to use a one-time passcode when trying to switch to another carrier. A representative said T-Mobile allows customers to request a SIM swap by phone using their account PIN, one-time passcode or two-factor authentication. The firm stopped using logs showing recent incoming or outgoing call numbers in its authentication process after the Princeton study.

Chief executive Ahmed Khattak said US Mobile, a New York-based upstart carrier with about 150,000 customers, has restricted SIM swaps by phone and directed customers to its app, where it can check their internet-protocol addresses and biometric data.

“A lot of these hacking things are happening because of social engineering,” he said, referring to hackers defrauding or co-opting wireless employees.

Criminals use hijacked phone numbers to access victims’ financial or social-media accounts, often based on text messages to spoof multifactor authentication measures. In 2019 a British man allegedly stole $784,000 from a crypto-infrastructure firm in New York using a SIM swap, according to an unresolved indictment this month. The man allegedly took the phone number of an executive, accessed internal computer systems and transferred money from customers’ digital wallets.

The hackers’ apparent shift toward individual investors adds a layer of complexity to the upcoming investigation, said David Berry, an agent with the React Task Force, a Bay Area investigative group focused on cybercrime.

“If you come [to prosecutors] with a loss of $1 million, you’ll get their attention,” he said. “If you come to them with a loss of $10,000 or $20,000, you can’t.”

Such losses could be huge for investors like Richard Harris, an independent contractor in Philadelphia.

“It felt like someone took my 401(k) or my Social Security,” he said.

Mr. Harris sued T-Mobile in July, alleging that the company’s practices did not meet federal standards and allowed a hacker to take his phone number in 2020 and steal bitcoin worth about $15,000 at the time, and much more now.

T-Mobile declined to comment on the lawsuit but offered to take the matter to arbitration. Like Verizon and AT&T, the company requires arbitration to resolve disputes in its terms of service, which often leads to closed-door settlements.

Amid growing complaints, the FCC in September proposed mandatory rules for wireless companies to verify users’ passwords or send one-time passcodes. The rules would also require companies to tighten procedures for changing lost or stolen passwords and restrict data disclosed by employees on phones or in stores.

An FCC official, who warns that consumer data breaches could give fraudsters the information they need for SIM swaps, said rules could take several months to form.

Wireless industry trade group CTIA called for flexibility in rules and urged financial institutions and social-media companies to verify users in a similar way.

Coinbase, the largest US-based cryptocurrency exchange, uses machine-learning models to predict risk for users who request password changes, restricting trades on suspicious accounts, a company official said. The official added that real-time SIM-swap data from carriers will help Coinbase’s screening process, but not all providers share information quickly. He declined to be named.

The official said that Coinbase’s account-acquisition rate has remained consistent as the platform has gained users, declining to provide a detailed number. The world’s largest crypto exchange, Binance, did not respond to a request for comment.

Since Ms. Maguina’s phone number was taken on July 5, the price of bitcoin has risen by more than 70% to nearly $59,000 as of Saturday.

“I don’t follow it anymore. I don’t need to make it any worse,” said the 53-year-old.
