Just how much do you trust your mobile carrier? If cryptocurrency investor Michael Turpin is to be believed, you shouldn’t trust them at all. Turpin is suing AT&T for $23.8 million and an additional $200 million in punitive damages as a result of criminals carrying out SIM swap fraud by accessing his cellphone account. The SIM swap scam (according to Turpin) saw millions in cryptocurrency tokens being lifted from his account by the criminals who then transferred the tokens to an international crime syndicate. AT&T – his mobile carrier at the time of the fraud is disputing these allegations.
What is a SIM swap scam?
In simple terms a SIM swap scam occurs when a phone number is transferred to another SIM card (other than the owners) without his or her approval. This data can then allow criminals to hijack other digital accounts.
SIM swap scams are increasingly profitable for criminals with the growing dependence on phone-based authentication, used especially by many banks for internet banking. A large number of banking customers are linking their mobile number with their bank accounts, who then receives authentication codes via text message for access to their banking details. Criminals identify “lucrative victims” and target them through social engineering and phishing attacks to collect their personal information. This provides the groundwork for various forms of identity theft and SIM fraud.
The method that scammers use seems, on the face it to be remarkably simple. They identify an employee of a mobile carrier and contact with them with a simple business proposal. They will supply personal information of an account holder, including SSN and home address and the number of a new SIM card. The employee then would log on to the mobile carriers’ in-house employee customer service system and look up the customers details and transfer the account holder’s existing number to the number of the new SIM card. The employee would then be paid a fee in the range of $100.
Alternatively, the criminal will ask the employee for their Employee ID and PIN and then access the customer service systems themselves.
Finding cooperative employees can be as simple as combing through Reddit or social media sites such as LinkedIn. In some cases, the employee might be approached by friends shared with the would-be criminal.
The lure of easy money
Although the lure of easy money can be almost impossible for many of the mobile carrier employees to resist, most are aware of the risks.
A Verizon employee reportedly told the media that a criminal approached him via Reddit offering bribes in exchange for SIM card swaps. The employee refused, because (quite understandably) they preferred “to stay out of jail.” This employee also noted that the internal system logs every time an employee accesses an account.
So, it appears that at least some mobile carriers have basic safeguards systems in place to deter SIM swap scam.
However, common sense would suggest that a safeguard system which logs access would not be of much use within a real-world timeframe. By the time the criminal activity is noted it would almost certainly be too late to prevent the fraud from affecting a customer.
SIM card swaps increasingly common
Recent reports indicate that there are hundreds of people across the U.S. alone that have been victims of the SIM swap scam. Otherwise known as a ‘Port Out Scam’ the practice has resulted in hacked social media and email accounts. However, monetary losses have also been reported. A 20-year-old college student stands accused of being part of a syndicate that stole in excess of $5 million by hijacking phone numbers of people invested in blockchain and cryptocurrency. Mr. Turpin is by no means alone it seems – the newsworthiness of his story seems to be based on the value of the cryptocurrency loss.