
Watch Your SIM: SIM Swapping and Cryptocurrency Theft

By: Heather Wilson

A Subscriber Information/Identity Module, or SIM, is the heart of your phone. It contains, among other information, your phone number, contacts, and billing codes. The average phone user hardly ever thinks about their SIM card—but they should.

The frequency of SIM swapping, SIM hacking, or port-out scams (also known as “SIM swaps”) is increasing and the impact is greater than ever before. In SIM swapping cases, the original phone will lose all service until a new SIM is obtained from the carrier. This enables the hacker to use the victim’s phone number to bypass two-factor authentication often used to add security to bank or social media accounts. The hackers use a combination of phishing and corruption to obtain the requisite data. Some obtain fake identification cards and go to various cell phone shops attempting to convince the staff the hacker is the owner of the SIM and that they need it swapped to a new phone. In other cases, the hackers have convinced or bribed telecommunications workers to act as accomplices, using the employees’ specialized access to get the numbers they need. Others have exploited security flaws in the cell-phone companies’ networks to obtain the information they need.

Michael Terpin, a Bitcoin entrepreneur and investor, recently lost nearly twenty-four million dollars in cryptocurrency in a SIM swap attack. The hacker enticed AT&T employees to assist with the swap. Terpin has filed a civil suit against AT&T, alleging negligence by the company for not properly safeguarding against this long-running issue. In fact, many SIM hackers were exploiting an enormous security bug in T-Mobile’s web service in which hackers could easily access and change subscribers’ account data. Terpin also filed suit against Nicholas Truglia, another actor in Ogusers, believed to have carried out the SIM swap on Terpin.

In 1998, 18 U.S.C. § 1029 (addressing fraud and related activity in connection with access devices) was updated following a SIM scam that targeted then-Congressman Sam Johnson. His SIM card was hacked, resulting in the hacker racking up thousands of dollars in phone calls. Cloning of Congressman Sam Johnson’s phone sparked action by Congress to update criminal fraud statutes to better fit this specific crime. In 2000, Congress put out a report on SIM hacking, also known as phone cloning. Cloning was frequently used in the 1990s and 2000s to rack up long-distance calls for “free”. The hacker would make an exact copy of the victim’s SIM card, allowing the victim and hacker to use the same phone number simultaneously. In these cases, the amount at issue was usually under $1,000. Congress ultimately amended and broadened 18 U.S.C. § 1029 to better encompass this new crime.

Though phone cloning is slightly different than SIM swapping, both are used to defraud the original user. In SIM swapping cases, the victim loses cellular capability when the hacker takes over. The hacker can then use two-factor authentication to log in to the victim’s bank or cryptocurrency accounts, wiping out millions of dollars in just a few minutes. Despite this distinction, because both activities are a form of fraud, law enforcement has been able to charge persons under 18 U.S.C. § 1029.

The greatest source of intelligence for investigators has been Ogusers, an online community of hackers that use SIM swapping techniques to harass and defraud their victims. Besides theft of cryptocurrency, hackers target social media accounts. The hackers seek out usernames that are in high demand for their commonality or length (like @rainbow or @t). These usernames are then sold on the black market for thousands of dollars apiece; @t, for example, sold for $40,000 in bitcoin. These victims have far less recourse than those who have suffered tangible monetary loss, but their damage has the potential to be just as detrimental. Many of these account owners have spent years building up a user base for their business, only to have the account stolen through a SIM swap.

A recent FBI investigation of Ogusers led to federal charges against two men, Ahmad Wagaafe Hared and Matthew Gene Ditman, both accused of using SIM swapping. These men are being charged with: 18 U.S.C. § 1030(b) – Conspiracy to Commit Computer Fraud and Abuse; 18 U.S.C. § 1030(a)(7) – Threatening to Damage a Protected Computer; 18 U.S.C. § 875(d) – Interstate Communications with Intent to Extort; 18 U.S.C. § 1029(b)(2) – Conspiracy to Commit Access Device Fraud; and 18 U.S.C. § 1028A(a)(1) – Aggravated Identity Theft. This appears to be the first federal case prosecuting this type of crime. Hared is estimated to have stolen over one million dollars in cryptocurrencies. He and Ditman used a myriad of techniques to conduct the SIM swap, including bribing cell phone carrier employees to obtain the information they needed. 

Last week, 20-year-old Joel Ortiz pled guilty and was sentenced to ten years in a California prison following his indictment on 28 state charges, including computer fraud and identity theft. Mr. Ortiz used a SIM swapping scam to bypass two-factor authentication and steal over five million dollars in various forms of cryptocurrency. Mr. Ortiz lived in Boston, Massachusetts but had exploited the SIM card of a fairly well-known cryptocurrency investor. He was arrested as he attempted to leave the country on a vacation to Europe, purchased with his stolen funds. Mr. Ortiz is one of the first people to be charged with SIM swapping.

Though the Wireless Communication Act and 18 U.S.C. § 1029 are an umbrella for these types of cases, the federal government needs to take steps to hold the cellular telephone companies accountable for the relaxed security that allows these hacks to happen. Mr. Terpin’s lawsuit against AT&T is just a start. The court’s ruling will set a precedent for how to handle SIM swap cases in the future. Furthermore, it is time to update 18 U.S.C. § 1029, or develop a new statute that better encompasses the growing threats to personal cyber-cellular security. Regardless, until the major companies are held accountable, SIM hacking and cloning will continue to be an issue for consumers around the globe.
