“law enforcement has even confirmed that AT&T employees profited
from working directly with cyber terrorists and thieves in SIM swap frauds“

[UPDATED 22 AUG 2018 – ARREST MADE … scroll down]

Michael Terpin is suing AT&T [aka formerly SBC], claiming the company’s failure to protect his cellphone data led to hackers stealing $24 million in cryptocurrencies.

In a lawsuit filed by Los Angeles litigation firm Greenberg Glusker on August 15, Terpin claimed that AT&T’s employees have been complicit in a SIM swap fraud. In this type of scam, criminals pose as the owners of their victims’ mobile phone numbers, convincing telecom providers to grant them access to their phones.

This allows them to access the victim’s accounts at various services, which includes cryptocurrency wallets.

The lawsuit claims that Terpin’s account has been hacked twice in seven months, saying “most troubling, AT&T has not improved its protections even though it knows from numerous incidents that some of its employees actively cooperate with hackers in SIM swap frauds by giving hackers direct access to customer information and by overriding AT&T’s security procedures.”

Terpin is seeking $23.8 million in compensatory damages and a further $200 million in punitive damages, according to the suit.

The lawsuit also claims that security issues are nothing new to AT&T, which has been already accused of failing to protect its clients.

“In recent incidents, law enforcement has even confirmed that AT&T employees profited from working directly with cyber terrorists and thieves in SIM swap frauds,” the plaintiff contended.

In a statement, Terpin said that “mainstream adoption of cryptocurrency cannot take place as long as phone company employees are handing over critical unauthorized access to the heart of everyone’s digital lives.”

When reached for comment, AT&T director for corporate communications Jim Greer told CoinDesk that “we dispute these allegations and look forward to presenting our case in court.”

He declined to elaborate on the company’s objections to the allegations.

from: https://www.coindesk.com/

*

*

Hanging Up on Mobile in the Name of Security

Brian Krebs on Security

An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.

The claims come in a lawsuit filed this week in Los Angeles on behalf of Michael Terpin, who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

According to Terpin, this was the second time in six months someone had hacked his AT&T number. On June 11, 2017, Terpin’s phone went dead. He soon learned his AT&T password had been changed remotely after 11 attempts in AT&T stores had failed. At the time, AT&T suggested Terpin take advantage of the company’s “extra security” feature — a customer-specified six-digit PIN which is required before any account changes can be made.

Terpin claims an investigation by AT&T into the 2018 breach found that an employee at an AT&T store in Norwich, Conn. somehow executed the SIM swap on his account without having to enter his “extra security” PIN, and that AT&T knew or should have known that employees could bypass its customer security measures.

Terpin is suing AT&T for his $24 million worth of cryptocurrencies, plus $200 million in punitive damages. A copy of his complaint is here (PDF).

AT&T declined to comment on specific claims in the lawsuit, saying only in a statement that, “We dispute these allegations and look forward to presenting our case in court.”

AN ‘IDENTITY CRISIS’?

Mobile phone companies are a major weak point in authentication because so many companies have now built their entire procedure for authenticating customers on a process that involves sending a one-time code to the customer via SMS or automated phone call.

In some cases, thieves executing SIM swaps have already phished or otherwise stolen a target’s bank or email password. But many major social media platforms — such as Instagram — allow users to reset their passwords using nothing more than text-based (SMS) authentication, meaning thieves can hijack those accounts just by having control over the target’s mobile phone number.

Allison Nixon is director of security research at Flashpoint, a security company in New York City that has been closely tracking the murky underworld of communities that teach people how to hijack phone numbers assigned to customer accounts at all of the major mobile providers.

Nixon calls the current SIM-jacking craze “a major identity crisis” for cybersecurity on multiple levels.

“Phone numbers were never originally intended as an identity document, they were designed as a way to contact people,” Nixon said. “But because of all these other companies are building in security measures, a phone number has become an identity document.”

In essence, mobile phone companies have become “critical infrastructure” for security precisely because so much is riding on who controls a given mobile number. At the same time, so little is needed to undo weak security controls put in place to prevent abuse.

“The infrastructure wasn’t designed to withstand the kind of attacks happening now,” Nixon said. “The protocols need to be changed, and there are probably laws affecting the telecom companies that need to be reviewed in light of how these companies have evolved.”

Unfortunately, with the major mobile providers so closely tied to your security, there is no way you can remove the most vulnerable chunks of this infrastructure — the mobile store employees who can be paid or otherwise bamboozled into helping these attacks succeed.

No way, that is, unless you completely disconnect your mobile phone number from any sort of SMS-based authentication you currently use, and replace it with Internet-based telephone services that do not offer “helpful” customer support — such as Google Voice.

Google Voice lets users choose a phone number that gets tied to their Google account, and any calls or messages to that number will be forwarded to your mobile number. But unlike phone numbers issued by the major mobile providers, Google Voice numbers can’t be stolen unless someone also hacks your Google password — in which case you likely have much bigger problems.

With Google Voice, there is no customer service person who can be conned over the phone into helping out. There is no retail-store employee who will sell access to your SIM information for a paltry $80 payday.

In this view of security, customer service becomes a customer disservice.

Mind you, this isn’t my advice. The above statement summarizes the arguments allegedly made by one of the most accomplished SIM swap thieves in the game today. On July 12, 2018, police in California arrested Joel Ortiz, a 20-year-old college student from Boston who’s accused of using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

Ortiz allegedly had help from a number of unnamed accomplices who collectively targeted high-profile and wealthy people in the cryptocurrency space. In one of three brazen attacks at a bitcoin conference this year, Ortiz allegedly used his SIM swapping skills to steal more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million the victim had crowdfunded.

Ortiz reportedly was a core member of OGUsers[dot]com, a forum that’s grown wildly popular among criminals engaging in SIM swaps to steal cryptocurrency and hijack high-value social media accounts. OG is short for “original gangster,” and it refers to a type of “street cred” for possession of social media account names that are relatively short (between one and six characters). On ogusers[dot]com, Ortiz allegedly picked the username “j”. Short usernames are considered more valuable because they confer on the account holder the appearance of an early adopter on most social networks.

Discussions on the Ogusers forum indicate Ortiz allegedly is the current occupant of perhaps the most OG username on Twitter — an account represented by the number zero “0”. The alias displayed on that twitter profile is “j0”. He also apparently controls the Instagram account by the same number, as well as the Instagram account “t”, which lists its alias as “Joel.”

Shown below is a cached snippet from an Ogusers forum posting by “j” (allegedly Ortiz), advising people to remove their mobile phone number from all important multi-factor authentication options, and to replace it with something like Google Voice.

WHAT CAN YOU DO?

All four major wireless carriers — AT&T, Sprint, T-Mobile and Verizon — let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

Mobile store employees who can be bought or tricked into conducting SIM swaps are known as “plugs” in the Ogusers community, and without them SIM swapping schemes become much more difficult.

Last week, KrebsOnSecurity broke the news that police in Florida had arrested a 25-year-old man who’s accused of being part of a group of at least nine individuals who routinely conducted fraudulent SIM swaps on high-value targets. Investigators in that case say they have surveillance logs that show the group discussed working directly with mobile store employees to complete the phone number heists.

In May I wrote about a 27-year-old Boston man who had his three-letter Instagram account name stolen after thieves hijacked his number at T-Mobile. Much like Mr. Terpin, the victim in that case had already taken T-Mobile’s advice and placed a PIN on his account that was supposed to prevent the transfer of his mobile number. T-Mobile ultimately acknowledged that the heist had been carried out by a rogue T-Mobile store employee.

So consider establishing a Google Voice account if you don’t already have one. In setting up a new number, Google requires you to provide a number capable of receiving text messages. Once your Google Voice number is linked to your mobile, the device at the mobile number you gave to Google should notify you instantly if anyone calls or messages the Google number (this assumes your phone has a Wi-Fi or mobile connection to the Internet).

After you’ve done that, take stock of every major account you can think of, replacing your mobile phone number with your Google Voice number in every case it is listed in your profile.

Here’s where it gets tricky. If you’re all-in for taking the anti-SIM-hacking advice allegedly offered by Mr. Ortiz, once you’ve changed all of your multi-factor authentication options from your mobile number to your Google Voice number, you then have to remove that mobile number you supplied to Google from your Google Voice account. After that, you can still manage calls/messages to and from your Google Voice number using the Google Voice mobile app.

And notice what else Ortiz advises in the screen shot above to secure one’s Gmail and other Google accounts: Using a physical security key (where possible) to replace passwords. This post from a few weeks back explains what security keys are, how they can help harden your security posture, and how to use them. If Google’s own internal security processes count for anything, the company recently told this author that none of its 85,000 employees had been successfully phished for their work credentials since January 2017, when Google began requiring all employees to use physical security keys in place of one-time passwords sent to a mobile device.

Standard disclaimer: If the only two-factor authentication offered by a company you use is based on sending a one-time code via SMS or automated phone call, this is still better than relying on simply a password alone. But one-time codes generated by a mobile phone app such as Authy or Google Authenticator are more secure than SMS-based options because they are not directly vulnerable to SIM-swapping attacks.

The web site twofactorauth.org breaks down online service providers by the types of secondary authentication offered (SMS, call, app-based one-time codes, security keys). Take a moment soon to review this important resource and harden your security posture wherever possible.

from: https://krebsonsecurity.com/2018/08/hanging-up-on-mobile-in-the-name-of-security/

*

*

SIM Swapping: How Hackers Stole Millions Worth of Crypto Via Victim’s Telecoms Operator

18 AUG 2018

On Aug. 15, American investor Michael Terpin filed a $224 million lawsuit against AT&T. He believes that the telecoms giant had provided hackers with access to his phone number, which led to a major crypto heist.

Michael Terpin is a Puerto Rico-based entrepreneur and CEO of TransformGroup. He is also a co-founder of an angel group for Bitcoin (BTC) investors named BitAngels and of a digital currency fund, the BitAngels DApps Fund.

Terpin claims that he lost $24 million worth of cryptocurrencies as a result of two hacks that occured over the course of seven months: The 69-page complaint he filed with California law firm Greenberg Glusker mentions two seperate episodes, dated June 11, 2017 and Jan. 7, 2018. In both cases, as per the document, AT&T, of which Terpin was a longtime subscriber since the 1990s, failed to protect his digital identity.

Now, Terpin is seeking $200 million in punitive damages and $24 million in compensation from the telecommunications corporation.

SIM swapping scam: What does a telecoms provider have to do with crypto savings?

“What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner,” the complaint states, arguing that Terpin fell victim to a SIM swap fraud, also known as SIM hijacking or a “port out scam.”

SIM swapping is a process of leading a telecoms provider like, say, T-Mobile transferring the target’s phone number to a SIM card held by the attacker. Once they receive the phone number, hackers can use it to reset the victims’ passwords and break into their accounts, including accounts on cryptocurrency exchanges.

Occasionally, that allows thieves to bypass even two-factor authentication, as Motherboard writes. According to their investigation, SIM swapping “is relatively easy to pull off and has become widespread,” adding that “cryptocurrency accounts are common targets.”

The tactics employed by criminals to perform such hacks may vary. Sometimes, they trick customer representatives into believing they are the targets and make them hand over their data. However, as per Motherboard, fraudsters often use the so-called “plugs”: telecom company insiders who get paid to do illegal swaps. An anonymous SIM hijacker told the publication:

“Everyone uses them […] When you tell someone [who works at a telecoms company] they can make money, they do it.”

An anonymous source at Verizon told Motherboard that he had been approached via Reddit, where he was offered bribes in exchange for SIM swaps. Another Verizon employee claimed that the hacker promised that they would make “$100,000 in a few months” if he would cooperate — all he had to do is “either activate the SIM cards for [the hacker] when [he was] at work or give [the attacker his] Employee ID and PIN.”

More related to the Terpin case, Motherboard’s dialogue with an AT&T employee suggested that their system’s design reportedly allows some employees to supersede security features, such as the phone passcode that AT&T requires when porting numbers:

“From there, the passcode can be changed […] With a fresh passcode, the number can be ported out with no hang ups.”

How was Terpin hacked?

As mentioned above, Terpin was hacked twice: in June 2017 and in January 2018.

First, in the summer of 2017, he found out that his AT&T number had been hacked when his phone suddenly went dead, according to the complaint. He then learned from AT&T that his password had been changed remotely “after 11 attempts in AT&T stores had failed.”

After gaining access to Terpin’s phone, the attackers used his personal information, including calls and text messages, to break into his accounts that use telephone numbers as a means of verification, including his “cryptocurrency accounts” — although it doesn’t specify the type of those accounts. The hackers also reportedly hijacked Terpin’s Skype account to impersonate him and convince one of his clients to send them cryptocurrency.

AT&T reportedly cut off access to the hackers only after they managed to steal “substantial funds” from Terpin. The document also states that after the incident, on June 13, 2017, Terpin met with AT&T representatives to discuss the attack and was promised by AT&T that his account would be moved to a “higher security level” with “special protection,” akin to the ones used by celebrities:

“AT&T further told Mr. Terpin that the implementation of the increased security measures would prevent Mr. Terpin’s number from being moved to another phone without Mr. Terpin’s explicit permission, because no one other than Mr. Terpin and his wife would know the secret code.”

Nevertheless, half a year later, on Saturday, Jan. 7, 2018, Teprin’s phone reportedly turned off again — he got attacked yet another time. The complaint claims that “an employee in an AT&T store cooperated with an imposter committing SIM swap fraud,” despite extra security measures being taken back in June 2017:

“As AT&T later admitted, an employee in an AT&T store in Norwich, Connecticut ported over Mr. Terpin’s wireless number to an imposter in violation of AT&T’s commitments and promises, including the higher security that it had supposedly placed on Mr. Terpin’s account after the June 11, 2017 hack that had supposedly been implemented to prevent precisely such fraud.”

This time the thieves allegedly stole about $24 million worth of cryptocurrency, even though he tried to contact AT&T “instantly” after his phone stopped working. AT&T allegedly “ignored” his request, leaving the hackers enough time to get enough information about Terpin’s crypto accounts to move his funds to their own accounts. The plaintiff complaint argues that Terpin’s wife also tried calling AT&T at the time, but was put on “endless hold” when she asked to be connected to AT&T’s fraud department.

The Teprin case could be a legal precedent for SIM swapping scams

As the complaint sums up, emphasising the potential scale of port out scams:

“AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care.”

When Gizmodo contacted AT&T for a comment on the story, the company reportedly denied the accusation, stating that they are ready to stand their ground:

“We dispute these allegations and look forward to presenting our case in court.”

Terpin told Gizmodo that such crypto heists are commonly performed by “college kids who go online in these Discord groups.” He also insisted that in his case, the thieves used an AT&T employee:

“The one thing that’s been a link between [the crypto hacks] is that in every case they’ve had an insider[…] [Trading cryptocurrencies] is safe as long as nobody gives out your digital identity.”

He added that he contacted the FBI, Homeland Security and the U.S. Secret Service, and they’ve identified the AT&T employee who allegedly participated in the attack.

Terpin also claimed that he doesn’t give out his phone number anymore, relying on Google Voice instead.

from: https://cointelegraph.com/news/sim-swapping-how-hackers-stole-millions-worth-of-crypto-via-victims-telecoms-operator

[UPDATE 22 AUG 2018]

Alleged SIM Swapper Arrested in California

Xzavyer Clemente Narvaez was arrested Aug. 17, 2018 by investigators working with Santa Clara County’s “REACT task force,” which says it’s targeting those involved in “the takeovers of cell phone, email and financial accounts resulting in the theft of cryptocurrency.”

Prosecutors allege Narvaez used the proceeds of his crimes (estimated at > $1 million in virtual currencies) to purchase luxury items, including a McLaren — a $200,000 high-performance sports car. Investigators said they interviewed several alleged victims of Narvaez, including one man who reported being robbed of $150,000 in virtual currencies after his phone number was hijacked.

A fraudulent SIM swap occurs when a victim’s cell phone service is redirected from a SIM card under the control of the victim to one under the control of the suspect, without the knowledge or authorization of the victim account holder.

When a victim experiences a fraudulent SIM swap, their phone suddenly has no service and all incoming calls and text messages are sent to the attacker’s device. This includes any one-time codes sent via text message or automated phone call that many companies use to supplement passwords for their online accounts.

Narvaez came to law enforcement’s attention following the arrest of Joel Ortiz, a gifted 20-year-old college student from Boston who was charged in July 2018 with using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

A redacted “statement of facts” in the case obtained by KrebsOnSecurity says records obtained from Google revealed that a cellular device used by Ortiz to commit SIM swaps had at one point been used to access the Google account identified as Xzavyer.Narvaez@gmail.com.

That statement refers frequently to the term IMEI; this is the International Mobile Equipment Identity number, which is a unique identification number or serial number that all mobile phones and smartphones have.

Prosecutors used data gathered from a large number of tech companies to put Narvaez’s phone in specific places near his home in Tracy, Calif. at the time his alleged victims reported having their phones hijacked. His alleged re-use of the same mobile device for multiple SIM hijacks ultimately gave him away:

“On 7/18/18, investigators received information from an AT&T investigator regarding unauthorized SIM swaps conducted through an AT&T authorized retailer. He reported that approximately 28 SIM swaps were conducted using the same employee ID number over an approximately two-week time period in November 2017. Records were obtained that included a list of IMEI numbers used to take over the victims’ cell phone numbers.”

“AT&T provided call detail records pertaining to the IMEI numbers listed to conduct the SIM swaps. One of those IMEI numbers, ending in 3218, was used to take over the cell phone of a resident of Illinois. I contacted the victim who verified that some of his accounts had been “hacked” in late 2017 but said he did not suffer any financial loss. Sgt. Tarazi analyzed the AT&T location data pertaining to that account takeover. That data indicated that on 7/27/17, when the victim from Illinois lost access to his accounts, the IMEI (ending in 3218) of the cell phone controlling the victim’s cell phone number was located in Tracy, California.”

“The specific tower is located approximately 0.6 miles away from the address 360 Yosemite Drive in Tracy. Several “NELOS” records (GPS coordinates logged by AT&T to estimate the location of devices on their network) indicate the phone was within 1000 meters of 360 Yosemite Drive in Tracy. AT&T also provided call detail records pertaining to Narvaez’ cell phone account, which was linked to him through financial services account records. Sgt. Tarazi examined those records and determined that Narvaez’ own cell phone was connected to the same tower and sector during approximately the same time frame that the suspect device (ending in 3218) was connected to the victim’s account.”

Apple responded to requests with records pertaining to customer accounts linked to that same suspect IMEI number. Those records identified three California residents whose Apple accounts were linked to that same IMEI number.

Verizon provided call detail records pertaining to the IMEI number ending in 3218. From the statement of facts:

These records that this phone had in fact been used to access the two Verizon numbers listed above, and at the same time was connected to a Verizon celltower located approximately 1.3 miles away from 360 Yosemite Drive in Tracy, CA. This cell tower was the closest Verizon tower to 360 Yosemite Drive.

“Records obtained from DMV indicated the 2018 McLaren was purchased from a car dealership in Southern California. Sale records obtained from the dealership indicated the payment for the vehicle was made by Tiffany Ross, primarily using bitcoin, accepted by the merchant processor BitPay on behalf of the dealership. The remainder of the price of the vehicle was financed through the trade-in of a 2012 Audi R8. The buyer/s listed email address was a Gmail address. Records also indicated the Audi R8 had been purchased in June 2017 by Xzavyer Narvaez. The entire balance for that vehicle was paid using bitcoin.”

“A different Gmail address was listed under the buyer’s contact information. Google provided records indicating both e-mail addresses used to pay for the vehicles belonged to Xzavyer Narvaez.”

“BitPay provided records that identified the Bitcoin transactions in which the vehicles were purchased. Investigator Berry utilized the Bitcoin blockchain, which is the distributed public ledger of all historical transactions on the Bitcoin network, to trace the flow of the bitcoins used to purchase the McLaren back to an address attributed to the cryptocurrency exchanger Bittrex.”

“Bittrex verified that funds from Bittrex to the output address identified in the blockchain that led to the purchase of the McLaren came from Narvaez’ account, and verified the address utilized for the deposit of bitcoin into that account. The Bitcoin blockchain currently indicates that Narvaez’ Bittrex deposit address has had more than 157 bitcoin flow through it, in 208 transactions, between 7/12/18 and 3/12/18. Based on the current market value of a bitcoin, 157 bitcoins are currently worth approximately S1,000,000.”

Narvaez faces:

• four counts of using personal identifying information without authorization;
• four counts of altering and damaging computer data with intent to defraud or obtain money, or other value;
• grand theft of personal property of a value over nine hundred and fifty thousand dollars.

He is expected to issue a plea on Sept. 26, 2018. A copy of the charges against him is here (PDF).

Federal authorities also have been active in targeting SIM swappers of late. One day after Narvaez was apprehended, police in Florida arrested a 25-year-old man accused of being part of a group of about nine people that allegedly stole hundreds of thousands of dollars in virtual currencies from SIM swap victims. That case drew on collaboration with Homeland Security Investigations, which acted on a tip from a concerned mom in Michigan who overheard her son impersonating an AT&T employee and found bags of SIM cards in his room.

All of the major wireless companies let customers protect their accounts from SIM swapping by selecting a personal identification number (PIN) that is supposed to be required when account changes are requested in person or over the phone. But one big part of the problem is that many of these SIM swappers are working directly with retail mobile store employees who know how to bypass these protections.

If you’re concerned about the threat from SIM hijacking, experts say it might be time to disconnect your mobile phone number from important accounts. We discussed options for doing just that in last week’s column, Hanging Up on Mobile in the Name of Security.

from: https://krebsonsecurity.com/2018/08/alleged-sim-swapper-arrested-in-california/

*

*

California Police Arrest Teenage ‘SIM Swapper’
Who Allegedly Stole Crypto From Cell Phones

from: https://cointelegraph.com/news/california-police-arrest-teenage-sim-swapper-who-allegedly-stole-crypto-from-cell-phones