A California college student named Joel Ortiz became the first person to be convicted for a SIM swapping crime, that allowed him to hijack the phone numbers of more than 40 people and steal about $5 million in cryptocurrency. The 20-year-old pleaded guilty of the accusations made against him, and now faces a sentence of a decade in prison. While Ortiz was the first, he will definitely not be the last, as more people have been arrested for the same crime in the recent months, and the California court decision does not leave a lot of room for hope for them either.
SIM swapping involves scamming a mobile phone operator to port the victim’s number to the SIM of the attacker, convincing them that he is the customer he alleges to be. For this to work, the attacker has to first gather key information about the victim’s identity, so the confirmation process with the telephone company goes seamlessly. The reason behind all this is to get passed the two-factor authentication that the victim has set up for accessing cryptocurrency wallets or bank accounts, as all 2FA SMS messages will be delivered to the attacker’s SIM once the swapping is done. The victim on the other side will stay baffled and out of the network entirely, not realizing what happened for a while.
As it arises from the allegations, Ortiz did this successfully against at least 40 people, compromising their cryptocurrency wallets and stealing all their money in an instant. This goes to show that SIM swapping shouldn’t be as easy as it currently is, and while some telecommunication providers add a layer of protection by requiring the victim to confirm the swapping action by pressing “1” on their device, it has been proven that the fraud can be extended to cover this step as well through social engineering. However, arrests and prison sentences seem to already have an adverse effect on the rise of SIM swapping schemes, as relevant reports have recently declined in number. As the Deputy District Attorney in Santa Clara Country stated: “Each arrest that we made sent shockwaves through that community.”
So, if our accounts’ safety relies on the carrier tech support, then what can we do to protect ourselves from SIM swapping? Some providers like AT&T offer customers the option to turn on an extra security confirmation step based on a passcode. Others like T-Mobile offer a port-validation feature that requires the new carrier’s confirmation for the number porting to take place.
Have you ever fallen a victim of SIM swapping? Let us know of your experience in the comments section below, and don’t forget to share this story through our socials, on Facebook and Twitter.