A SIM-swap thief would have raised $ 1 million in encryption from Robert Ross, who was saving money to pay his daughters' college fees.
According to the New York Post, Ross "watched helplessly" on October 26 when his phone went blank. Within a few seconds, $ 500,000 was emptied from his Coinbase account and another $ 500,000 was taken from a Gemini account. That was his entire life saving, West said.
Erin West, the deputy district attorney for Santa Clara County in California, told reporters that 21-year-old Nicholas Truglia of Manhattan agreed to be extradited. The Santa Clara officials plan to take it in December. According to court documents, he was charged with 21 counts of crime against six victims, including identity theft, fraud, embezzlement, crimes that "involve a model of related criminal conduct" and attempted mass theft.
Truglia allegedly hacked Silicon Valley executives' phones from his apartment in a skyscraper on West 42nd Street.
Ross is apparently a Truglia success, although officials claim he has been hunting for half a dozen other Silicon Valley cryptogenin players, including Saswata Basu, CEO of the 0Chain fixed chain storage service; Myles Danielsen, vice president of Hall Capital Partners; and Gabrielle Katsnelson, co-founder of the SMBX startup.
The vice DA West is part of the REACT task force of Santa Clara, which pursues the cases of exchange of SIM throughout the national territory. The team also includes federal agents. On November 14, the team flew to New York with a search warrant. They arrested Truglia and searched his skyscraper, managing to recover $ 300,000 from a hard drive.
The rest of the missing money could be more difficult to track down, however, due to the nature of the public blockchain ledger. Although you record transactions, keep senders and recipients anonymous.
CNBC cited West:
In some ways, it's useful because we can see where the money is going – that's the beauty of the blockchain. It's public, but what we still can not see is who holds those accounts.
In August, we wrote what was reportedly the first time an alleged SIM-swap fraud ripped off the cryptocurrency – in this case $ 5 million in Bitcoin.
This will not be the last time: West said that the cryptocoupling robbers of the SIM-swap are a "new wave of crime".
It's a new way of stealing money: they are aimed at people who believe they have cryptocurrency.
How SIM cards work
As we have explained, SIM exchanges work because phone numbers are actually linked to the phone's SIM card – in fact, the SIM is short for the subscriber's identity form, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number on the network.
Most mobile phone shops out there can quickly issue and activate replacement SIMs, causing the old SIM to die and replacing the new SIM card with your phone number … and your identity.
This is useful when you lose your phone or buy a new one: your service provider will be happy to sell you a new phone, with a new SIM, with your old number. But if a SIM-swap scammer can get enough information about you, it can simply pretend to be yourself and then social engineers who exchange your phone number with a new SIM card that is under their control.
Check your phone number means that the thief also controls communications with your sensitive accounts, such as bank accounts: it's all under the control of a thief when you've been victimized by a fraudulent SIM card changer.
Banks have traditionally sent the authorization codes needed when using 2FA or 2SV, which is two-factor authentication or two-step verification, via SMS to complete a financial transaction. Fortunately, this is becoming less common: the 2016 National Institute of Standards and Technology of the United States (NIST) has published new guidelines that prohibit SMS-based authentication in 2FA. In addition to the security risks of mobile phone portability, security issues related to SMS delivery include malware that can redirect text messages and attacks on the mobile phone network, such as the so-called SS7 attack.
By stealing your phone number, criminals have also stolen access to your 2FA codes – at least, until you can convince account providers that someone else has hijacked your account.
Scammers have made the most of this window of opportunity for:
- Change as many profile settings on your account as they can.
- Add new account recipients of payments belonging to accomplices.
- Pay the money from your account where it can be quickly withdrawn in cash, to never be seen again.
By changing the settings on your account, it makes it more difficult for the bank to find out that fraud is happening, or to convince your bank that something went wrong.
And that's how everything feels when you're the one who dried up, West told reporters:
You're sitting at your house, your phone is in front of you and suddenly you realize that it's not a service because the bad guy has taken control of your phone number.
Did he have accomplices?
Prosecutors believe that Truglia was working with a crew. Apparently, he has also worked with "friends" who presumably can not hold their hands for themselves when it comes to cryptogen. Prosecutors did not mention if his alleged conspirators were the same guys that he thought tortured him a few months ago to get a boost with account data tied to $ 1.2 million in bitcoins, but this is really the first time the name of Truglia turned it into the press.
According to the New York Post, in September Truglia called the cops to four friends who, he claimed, tried to steal his bitcoins. He said his friends had requested login for his cryptocurrency accounts while "he kept his head under water in the bathtub, punching him in the stomach and throwing hot wax on him".
Really? Well, maybe … The defense attorney for his "friends" claimed that they were all lies and that since then Truglia had claimed. Starting on November 6, they were still headed for a court date on March 14, to find out if they had been indicted.
What Truglia said at the time:
It is quite common for people to turn to people who have a lot of cryptocurrency.
If the charges are lessened, we will guarantee "no one would know better than you."In the meantime, how do you protect yourself from an increasing number of cryptographic robbers?
What to do
The following are some tips to deal with the growing trend of scammers who use SIM exchanges to drain accounts. It does not matter that they pursue the digital currency instead of the non-governmental one: the precautions we can take to avoid becoming victims remain unchanged.
Here they are:
- Pay attention to phishing emails or the fake websites that criminals use to acquire your usernames and passwords first. In general, SIM card scammers need to access your text messages as a last step, which means they have already figured out account number, username, password and so on.
- Avoid obvious answers to questions about account security. Consider the idea of using a password manager to generate absurd and inconclusive answers to the kind of questions criminals might otherwise solve from your social media accounts. Criminals might assume that your first car was a Toyota, but they are less likely to understand that it was one
- Use real-time antivirus (on-access) and keep it up-to-date. A common way for criminals to understand usernames and passwords is through keylogger malware, which remains low until you visit specific web pages such as the bank login page, then goes into action to record what you type while you are logging in. A good anti-virus in real time will help you to block dangerous web links, infected e-mail attachments and malicious downloads.
- Be suspicious if the phone returns to "emergency calls only" unexpectedly. Check with friends or colleagues on the same network to see if they also have problems. If necessary, borrow a friend's phone to contact your mobile service provider for help. Be prepared to attend a store or service center in person if you can, and take ID and other evidence to support you.
- Consider switching from SMS-based 2FA codes to codes generated by an & # 39; authentication app. This means that criminals must steal your phone instead of just your phone number.
That said, Paul Ducklin of Naked Security advises not to consider switching from SMS to app-based authentication as a panacea:
The malware on your phone may be able to force the authentication app to generate the next token without you noticing it – and scammers may even call you and try to get you to read your next passcode, often pretending to be "fraud control".
If in doubt, do not give it!