Hackers Circle as Individual Investors Pour Cash Into Crypto

Rosa Maguina invested a significant portion of her savings in crypto earlier this year, joining other individual investors who were trying to strike while bitcoin was hot. The money disappeared after a hacker hijacked her phone number for just two hours.

Ms. Maguena, who runs an event logistics business with her husband in Doral, Florida, said she was about to fall asleep on July 5 when she noticed her phone had lost its signal. By the time Ms. Maguena’s service was restored, she said, an unauthorized user had changed her passwords for the Binance and Coinbase exchanges and begun transactions that emptied her accounts of cryptocurrency valued at about $80,000 at the time.

“It was like someone coming through the window or the back door into your house,” Ms. Maguena said. “You feel like there’s nothing you can do.”

Criminals have a history of stealing money from wealthy or well-known crypto investors through SIM swaps, in which a phone number is switched from one device’s subscriber identity module to another. But the crypto boom among individual investors has prompted hackers to circle targets like Ms. Maguena, according to cybersecurity experts, lawyers and law enforcement officials.

The attacks on small investors sparked legal battles with cell phone companies, prompted customers to change their plans and prompted some carriers to adjust security measures. Law enforcement agencies attempt to work as a team across jurisdictions in response to a wide range of potential victims. The Federal Communications Commission is sharpening rules for wireless carriers aimed at curbing SIM swap fraud, and is proposing stricter limits on how numbers can be swapped between devices and carriers.

Some wireless companies say the federal rules could make things worse for consumers.

AT&T said Monday that the agency’s proposed regulations could give hackers a blueprint for attacks and increase friction for legitimate customers who need to switch devices or carriers. AT&T said customers place hundreds of thousands of such orders per month. The company said a tiny fraction of 1% of them – potentially thousands – are fraudulent.

“Carriers must be flexible and innovative in combating fraud and must not be based on mandatory requirements associated with specific technologies or methods,” AT&T said.

The company has warned of some of the measures introduced by the Federal Communications Commission, such as notifications to phone users of SIM swap requests and a possible 24-hour delay in their implementation.

Customers make SIM swaps when they take their numbers to new phones, while the related act of “transfer” transfers the numbers to different carriers. Kevin Lee, lead author of a 2020 Princeton University study on SIM swaps, said hackers can impersonate phone users with different types of account information or personal data.

said Mr. Lee, whose team was able to exploit the licensing procedure for prepaid plans offered by AT&T, T-Mobile US and Verizon Communications.

Mr. Lee said most corporate customers, which dominate the domestic wireless market, have postpaid plans that can have various security measures.

AT&T told the FCC that it is using data analytics tools to measure the risk of SIM swap requests for postpaid customers. A Verizon spokesperson said it requires postpaid customers to use a one-time passcode when trying to switch to another carrier. A representative said that T-Mobile allows customers who request a SIM swap over the phone to use their account PIN, one-time passcode, or two-factor authentication. The company discontinued the use of records showing the numbers of recent incoming or outgoing calls in the authentication process after the Princeton study.

US Mobile, which is based in New York and has about 150,000 customers, has banned SIM swapping over the phone and directed customers to its app, where it can scan IP addresses and biometric data, CEO Ahmed Khattak said.

“A lot of these hacks happen because of social engineering,” he added, referring to hackers who deceive or take advantage of wireless employees.

Criminals use hijacked phone numbers to gain access to victims’ financial or social media accounts, often spoofing text message-based multifactor authentication procedures. A British man in 2019 allegedly stole $784,000 from a crypto-infrastructure company in New York using a SIM swap, according to the indictment unsealed this month. The man allegedly seized an executive’s phone number, gained access to internal computer systems and transferred funds from a customers’ digital wallet.

[Photo: Ahmed Khattak, CEO and founder of US Mobile. Credit: US Mobile]

David Perry, an agent with the React Task Force, a Bay Area investigation group focused on cybercrime, said hackers’ apparent shift toward individual investors added a layer of complexity to subsequent investigations.

“If you come to [prosecutors] with a $1 million loss, you’d get their attention.” “If you come at them with a $10,000 or $20,000 loss, you might not.”

However, these losses can be huge for investors like Richard Harris, an independent contractor in Philadelphia.

“I felt as if someone had taken my 401(k) or my Social Security,” he said.

Mr. Harris sued T-Mobile in July, claiming the company’s practices did not meet federal standards and allowed a hacker to take over his phone number in 2020 and steal nearly $15,000 worth of bitcoins at the time, and more now.

T-Mobile declined to comment on the lawsuit but requested that the case be moved to arbitration. Like Verizon and AT&T, the company requires arbitration to resolve disputes in its terms of service, often resulting in closed settlements.

If you come to [prosecutors] with a million dollar loss, you’ll get their attention. If you come to them with a loss of $10,000 or $20,000, you might not.


– David Berry, agent at React Task Force, an investigative group focused on cybercrime

Amid growing complaints, the Federal Communications Commission (FCC) in September proposed regulations requiring wireless companies to verify users’ passwords or submit one-time passcodes. The rules will also require companies to tighten procedures for changing lost or stolen passwords, and to restrict data that employees can disclose over the phone or in stores.

The rule could take several months to be established, said an official at the FCC, which warns that consumer data breaches can give fraudsters the information they need to swap out a SIM card.

Wireless industry trade group CTIA called for flexibility in regulations and urged financial institutions and social media companies to similarly strengthen the way users are verified.

A company official said Coinbase, the largest US-based cryptocurrency exchange, is using machine learning models to predict the risks posed by users requesting a password change, and to restrict trades on suspicious accounts. The official added that real-time SIM swap data from carriers would aid in the Coinbase vetting process, but not all providers share the information quickly. He declined to name them.

The official said Coinbase’s account acquisition rate has remained flat as the platform has gained users, and declined to provide detailed figures. Binance, the world’s largest cryptocurrency exchange, did not respond to a request for comment.

Since Ms. Maguena’s phone number was hacked on July 5, the price of bitcoin has risen more than 70% to around $59,000 apiece as of Saturday.

“I don’t follow him anymore,” said the 53-year-old. “You don’t need to make this worse than it is.”

Write to David Uberti at david.uberti@wsj.com

Copyright © 2021 Dow Jones & Company, Inc. All rights reserved.
