Eric Council recently pleaded guilty to charges of conspiracy to commit aggravated identity theft in the United States District Court for the District of Columbia. The charges were related to his participation in a sophisticated hack of the X (formerly known as Twitter) account of the Securities and Exchange Commission (SEC), in which false posts were made in the name of then-SEC Chairman Gary Gensler indicating that the SEC had approved Bitcoin exchange-traded funds (ETFs). This announcement caused the price of Bitcoin to quickly increase by more than $1,000 and allowed Council’s co-conspirators to make a quick profit off the false announcement, which was shortly refuted by the real Chairman Gensler, who posted that the SEC’s X account had been hacked. The price of Bitcoin then promptly dropped by more than $2,000, but by then the damage had been done.
Exchange-traded funds, which operate like mutual funds, are a simple way for people to invest in assets such as gold, junk bonds or, in this case, cryptocurrencies, without having to directly purchase the individual assets themselves. In a somewhat ironic development, the SEC actually did approve 11 exchange-traded funds for Bitcoin the very next day.
The X account of the SEC was protected not only by a username and password, but also by dual factor authentication: whenever the account was to be used, a code would be sent to the account holder’s cell phone to confirm the identity of the user and to protect against unauthorized use by someone who had managed to obtain the username and password. However, as was shown in this case, such dual factor authentication can be defeated through a technique called SIM swapping.
A Subscriber Identity Module, more commonly known as a SIM card, is an integrated circuit that stores information used to authenticate subscribers on mobile devices, such as a cell phone. The SIM card can be transferred between different devices, and often is when people upgrade to a newer cell phone. SIM swapping is the name for the crime where someone convinces your phone carrier to transfer your SIM card to a phone controlled by the criminal.
As more and more financial transactions, such as online banking, are now done through cell phones, identity thieves with access to their victims’ SIM cards are increasingly able to intercept security codes sent by text message for online banking as part of dual factor authentication, giving them the opportunity to empty their victims’ bank accounts and cause other financial havoc.
In this case, another member of the conspiracy identified the authorized user of the cell phone number used for dual factor authentication of the @SECGov X account and provided Council with the personal information necessary for Council to prepare a fake ID card on his portable ID card printer. Council used the fake ID when he went to the AT&T store to convince the AT&T employee that he needed a replacement SIM card, which was provided to him. Council then bought an iPhone and inserted the SIM card into it, which was then used to hack the @SECGov X account.
Council is scheduled to be sentenced on May 16, 2025 and faces a maximum sentence of five years in prison, a $250,000 fine and up to three years of supervised release.
HOW DO YOU PROTECT YOURSELF FROM SIM SWAPPING?
The best thing you can do to protect your SIM card from SIM swapping is to set up a PIN or password to be used for access to your mobile service provider account. This will help prevent a criminal from calling your carrier posing as you and convincing your mobile carrier to swap your SIM card to the criminal’s phone merely by providing personal identifying information or answering a security question.
AT&T will allow you to set up a passcode for your account that is different from the password that you use to log into your account online. Without this passcode, AT&T will not swap your SIM card.
Verizon enables customers to set up a PIN or password to be used for purposes of authentication when they contact a call center.
T-Mobile will allow you to set up a passcode that is different from the one you use to access your account online. This new passcode is used when someone attempts to make changes to your account, such as swapping a SIM card. This code will not only protect you from criminals attempting to call T-Mobile and swap your SIM card, but will also prevent someone with a fake ID from making changes to your account at a T-Mobile store.