The phone went dark, then $1m was sucked out in SIM-swap crypto-heist

A SIM-swap robber allegedly lifted $1 million in crypto-coin from Robert Ross, who was saving to pay for his daughters’ college tuition.
According to the New York Post, Ross “watched helplessly” on 26 October as his phone went dark. Within seconds, $500,000 drained out of his Coinbase account, and another $500,000 was suctioned out of a Gemini account. That was his entire life savings, West said.
Erin West, the deputy district attorney for Santa Clara County in California, told reporters that 21-year-old Nicholas Truglia, of Manhattan, has agreed to be extradited. Santa Clara officials plan to pick him up in December. According to court documents, he’s been charged with 21 felony counts against six victims, including identity theft, fraud, embezzlement, crimes that “involve a pattern of related felony conduct,” and attempted grand theft.
Truglia allegedly hacked the phones of Silicon Valley executives from his cushy West 42nd Street high-rise apartment.
Ross was apparently Truglia’s one success, though officials allege that he went after a half dozen other Silicon Valley cryptocoin players, including Saswata Basu, CEO of the block-chain storage service 0Chain; Myles Danielsen, vice president of Hall Capital Partners; and Gabrielle Katsnelson, the co-founder of the startup SMBX.

Deputy DA West is part of the Santa Clara REACT task force, which pursues SIM-swapping cases nationwide. The team also includes federal agents. On 14 November, the team flew to New York with a search warrant. They arrested Truglia and searched his high-rise, managing to recover $300,000 from a hard drive.
The rest of the missing money might be harder to track down, though, due to the nature of the blockchain public ledger. Though it records transactions, it keeps senders and receivers anonymous.
CNBC quoted West:

In some ways, it’s helpful because we can see where the money is going – that’s the beauty of the blockchain. It’s public, but what we still can’t see is who holds those accounts.

In August, we wrote up what was reportedly the first time an alleged SIM-swap fraudster had ripped off cryptocurrency – in that case, $5 million in Bitcoin.
This won’t be the last time: West said that SIM-swap cryptocoin-heists are a “whole new wave of crime”.

It’s a new way of stealing of money: They target people that they believe to have cryptocurrency.

How SIM-swap scams work

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.
Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your identity.
That comes in handy when you lose your phone or get a new one: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number. But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.
Control over your phone number means the robber also controls communication with your sensitive accounts, like bank accounts: it’s all under the control of a thief when you’ve been victimized by a fraudulent SIM swapper.
Banks have traditionally sent authorization codes needed when using 2FA or 2SV – that’s two-factor authentication or two-step verification – via SMS to complete a financial transaction. Fortunately, this is becoming less common: The United States National Institute for Standards and Technology (NIST) in 2016 published new guidelines forbidding SMS-based authentication in 2FA. Besides the security risks of mobile phone portability, problems with the security of SMS delivery have included malware that can redirect text messages and attacks against the mobile phone network such as the so-called SS7 hack.
By stealing your phone number, the crooks have also stolen access to your 2FA codes – at least, until you manage to convince your account providers that somebody else has hijacked your account.
Crooks have made the most of that window of opportunity to:

• Change as many profile settings on your account as they can.
• Add new payment recipient accounts belonging to accomplices.
• Pay money out of your account where it can be withdrawn quickly in cash, never to be seen again.

By changing settings on your account, they make it more difficult both for the bank to spot that fraud is happening and for you to convince your bank that something has gone wrong.
And this is how that all feels when you’re the one being drained, West told reporters:

You’re sitting in your home, your phone is in front of you, and you suddenly become aware there is no service because the bad guy has taken control of your phone number.

Did he have accomplices?

Prosecutors believe that Truglia was working with a crew. Apparently, he’s also worked with “friends” who allegedly can’t keep their hands to themselves when it comes to cryptocoin. Prosecutors didn’t mention whether his alleged conspirators were the same guys who he claims tortured him a few months ago to get at a thumb drive with account data linked to $1.2 million in bitcoin, but that is indeed the first time Truglia’s name made it into the press.
According to the New York Post, in September, Truglia called the cops on four friends who, he claimed, tried to steal his bitcoin. He said that his friends demanded logins for his cryptocurrency accounts while “holding his head underwater in the bathtub, punching him in the stomach and throwing hot wax on him.”
Really? Well, maybe… The defense attorney for his “friends” claimed that it was all lies and that Truglia had since recanted. As of 6 November, they were still headed for a court date of 14 March, to find out whether they’ve been indicted.
What Truglia said at the time:

It’s pretty common for people to target people who have a lot of cryptocurrency.

If the charges stick, we’ll grant him a “nobody would know that better than you.” In the meantime, how do you protect yourself from a growing number of cryptocoin robbers?

What to do

What follows are some tips for dealing with the rising trend of fraudsters using SIM swaps to drain accounts. It doesn’t matter that they’re going after digital instead of nondigital currency: the precautions we can all take to avoid becoming victims stay the same.
Here they are:

• Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
• Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a 87X4TNETENNBA.
• Use an on-access (real time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific webpages such as your bank’s login page, then springs into action to record what you type while you’re logging on. A good real-time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
• Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
• Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone rather than just your phone number.

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realising it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.
If in doubt, don’t give it out!