Rosa Maguina invested a large part of her savings in cryptocurrencies earlier this year, joining other individual investors who were trying to attack while bitcoin was all the rage. The funds vanished after a hacker hijacked his phone number for just two hours.
Ms. Maguina, who runs an event logistics business with her husband in Doral, Florida, said she was about to go to sleep on July 5 when she noticed her phone lost signal. When Ms. Maguina's service was restored, she said, an unauthorized user had changed their passwords for the Binance and trading platforms.
and initiated transactions that emptied his cryptocurrency accounts valued at around $ 80,000 at the time.
"It was like someone came through the window or the back door of their house," Maguina said. "You feel like there is nothing you can do."
Criminals have a history of stealing money Wealthy or well-known crypto investors through SIM swaps, or by changing a subscriber identity module phone number from one device to another. But the rise of cryptocurrency among family investors has led hackers to increasingly surround targets like Ms. Maguina, according to cybersecurity experts, lawyers and law enforcement officials.
Attacks on small investors have sparked legal battles with mobile phone operators, prompted customers to change plans, and prompted some telcos to modify security measures. Law enforcement agencies are trying to team up in all jurisdictions in response to a growing pool of potential victims. The Federal Communications Commission is refining the rules for wireless carriers with the goal of limiting SIM swapping fraud, proposing stricter restrictions on how numbers change between devices and carriers.
Some wireless companies say federal rules could make things worse for consumers.
AT&T INC.
On Monday he said the agency's proposed regulations could give hackers a blueprint for attacks and add friction for legitimate customers who need to switch devices or providers. AT&T said customers make hundreds of thousands of such requests a month. A fraction of 1% of them, potentially numbering in the thousands, are fraudulent, the company said.
"Operators must be agile and innovative in the fight against fraud and must not be anchored by prescriptive requirements tied to specific technologies or methods," AT&T said.
The company warned against some measures launched by the FCC, such as notifications to phone users of SIM swap requests and possible 24-hour delays in executing them.
Customers perform SIM swaps when they bring their numbers to new phones, while the related act of "transferring" the numbers to different providers. Hackers can impersonate phone users with various types of account information or personal data, said Kevin Lee, lead author of a 2020 Princeton University study on SIM swaps.
The process can take "no more than 10 minutes, barring music on hold and the like," said Lee, whose team was able to take advantage of authorization measures for prepaid plans offered by AT&T.
T-Mobile USA INC.
and
Lee said that most of the companies' customers, who dominate the national wireless market, have postpaid plans that may have different security measures.
AT&T told the FCC that it uses data analytics tools to measure the risk of SIM swap requests from postpaid customers. A Verizon spokesperson said it requires postpaid customers to use a one-time access code when trying to switch to another provider. T-Mobile allows customers who request SIM exchanges over the phone to use their account PIN, a one-time access code or two-factor authentication, a representative said. The company discontinued the use of logs showing recent outgoing or incoming call numbers in its authentication process following the Princeton study.
US Mobile, a New York-based upstart operator with around 150,000 customers, has banned SIM swaps over the phone and directs customers to its app, where they can verify their Internet protocol addresses and biometric data, the president said. executive Ahmed Khattak.
"A lot of this hacking stuff is happening because of social engineering," he added, referring to hackers who cheat or co-opt wireless employees.
Criminals use hijacked phone numbers to access data social media accounts, often duplicating text message-based multi-factor authentication measures. A British man in 2019 allegedly stole $ 784,000 from a crypto infrastructure company in New York using a SIM swap, according to an indictment revealed this month. The man allegedly seized an executive's phone number, accessed internal computer systems, and transferred funds from a client's digital wallet.
Ahmed Khattak, CEO and Founder of US Mobile.
Photo:
US Mobile
The apparent shift from hackers to individual investors has added a layer of complexity to subsequent investigations, said David Berry, an agent with the React Task Force, a Bay Area investigative group focused on cybercrime.
"If you come to [prosecutors] with a loss of $ 1 million, you will get their attention, "he said. "If you come to them with a loss of $ 10,000 or $ 20,000, you may not."
However, these losses can be huge for investors like Richard Harris, an independent contractor in Philadelphia.
"I felt like someone had taken my 401 (k) or my Social Security," he said.
Harris sued T-Mobile in July, claiming that the company's practices did not meet federal standards and allowed a hacker to take over his phone number in 2020 and steal nearly $ 15,000 worth of bitcoins at the time. , and more now.
T-Mobile declined to comment on the lawsuit, but made a motion to take the case to arbitration. Like Verizon and AT&T, the company requires arbitration to resolve disputes over its terms of service, often leading to closed-door settlements.
"If you come to [prosecutors] With a loss of $ 1 million, you will get their attention. If you come to them with a loss of $ 10,000 or $ 20,000, you may not."
Amid mounting complaints, the FCC in September proposed regulations that force wireless companies to verify user passwords or submit one-time access codes. The rules would also require companies to toughen procedures for changing lost or stolen passwords and restrict the data employees can release over the phone or in stores.
An FCC official, warning that consumer data breaches can give scammers the information they need for SIM exchanges, said regulation could take several months.
Wireless industry trade group CTIA called for flexibility in regulations and urged financial institutions and social media companies to similarly tighten the way they verify users.
Coinbase, the largest US-based cryptocurrency exchange, uses machine learning models to predict risks for users requesting password changes, restricting trading from suspicious accounts, a company official said. Operators' real-time SIM exchange data would help Coinbase's selection process, the official added, but not all providers share information quickly. He refused to name them.
The official said that Coinbase's account acquisition rate has remained constant as the platform has gained users, refusing to provide detailed numbers. Binance, the world largest cryptocurrency exchange, did not respond to a request for comment.
Since Ms Maguina's phone number was taken on July 5, the price of bitcoin has risen more than 70% to about $ 59,000 each as of Saturday.
"I don't follow him anymore," the 53-year-old said. "I don't need to make this worse than it is."
Write to David Uberti in david.uberti@wsj.com
Copyright ยฉ 2021 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8
