A 33-year-old businessman from Toronto got jumped by a sextortionist who got at his phone’s sex tapes via SIM-swap fraud.
CBC News on Sunday reported that the victim, Randall Baran-Chong, knew trouble had come knocking when he got a message last week from his phone carrier about his phone service being cut off.
Baran-Chong said that around 3:30 a.m., he started to get emails warning about changes made to his Microsoft account: his password had been reset, and his email address had been removed as a verification method.
I knew things were about to go badly.
What followed: the attacker locked down his laptop, bought an Xbox video game gift card and charged it to Baran-Chong’s credit card, accessed his personal files, and threatened him with sextortion: all possible because whoever it was had stolen his mobile phone number.
How the crooks swing a SIM swap
As we’ve explained, SIM swap fraud, also known as phone-porting fraud, works because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.
Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.
That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.
But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.
By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.
Baran-Chong tried to do just that, but he wasn’t able to get his number back until the following day.
The fraudster had managed to transfer Baran-Chong’s phone number to a prepaid account with another carrier. According to CBC News, the fraudster apparently used “a password retrieval process involving text message verification” to gain access to Baran-Chong’s Microsoft account, which was tied to his computer’s operating system and to a cloud-based file backup service.
By the time Baran-Chong regained control of his accounts, the extortionist already had plenty of time to go through his cloud account content and threaten to release it.
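The sequence above (SMS-verified password reset, recovery email stripped out, laptop locked, gift card bought) is exactly the kind of pattern an account provider can spot from its own security event log. Here is an added example, not from the original article or from any provider, of that correlation in Python; the event names, account ids and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed account-security event log modelled on the incident described above
# (account ids, event names and timestamps are invented for illustration).
SAMPLE_EVENTS = [
    ("2019-11-10T03:25:00", "acct-demo", "carrier_port_out_notice"),
    ("2019-11-10T03:30:00", "acct-demo", "password_reset_via_sms"),
    ("2019-11-10T03:31:00", "acct-demo", "recovery_email_removed"),
    ("2019-11-10T03:40:00", "acct-demo", "device_locked_remotely"),
    ("2019-11-10T03:55:00", "acct-demo", "card_purchase_gift_card"),
    ("2019-11-10T09:00:00", "acct-other", "password_reset_via_sms"),
]

# Follow-on actions that, clustered shortly after an SMS-only reset, make up the
# SIM-swap takeover pattern: weak-factor reset, recovery-method removal, cash-out.
FOLLOW_ON = {"recovery_email_removed", "recovery_phone_changed",
             "device_locked_remotely", "card_purchase_gift_card"}


def parse(events):
    """Turn the (iso-timestamp, account, kind) tuples into datetime-based tuples."""
    return [(datetime.fromisoformat(ts), acct, kind) for ts, acct, kind in events]


def sim_swap_alerts(events, window=timedelta(hours=1)):
    """Return {account: severity} for accounts where an SMS-verified password reset
    is followed within `window` by at least two follow-on actions. A carrier
    port-out notice shortly before the reset raises the severity to "high"."""
    by_acct = {}
    for ts, acct, kind in parse(events):
        by_acct.setdefault(acct, []).append((ts, kind))
    alerts = {}
    for acct, evs in by_acct.items():
        evs.sort()
        for i, (ts, kind) in enumerate(evs):
            if kind != "password_reset_via_sms":
                continue
            followers = {k for t, k in evs[i + 1:]
                         if t - ts <= window and k in FOLLOW_ON}
            if len(followers) >= 2:
                ported = any(k == "carrier_port_out_notice" and ts - t <= window
                             for t, k in evs[:i])
                alerts[acct] = "high" if ported else "medium"
    return alerts


if __name__ == "__main__":
    print(sim_swap_alerts(SAMPLE_EVENTS))
```

An account that trips this rule is a candidate for freezing further sensitive changes and purchases until the owner can be reached by a channel other than the phone number that was just ported.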
Pay up, or I’ll drop the sex tapes
In one message, the fraudster threatened that if Baran-Chong didn’t send two bitcoins (about $25,000), they’d “[drop] your sex tapes to all of your coworkers, investors and relatives.”
Baran-Chong said that his cloud account had years’ worth of photos and videos. That includes tapes of what he said was consensual sex. He said that the women involved have already been informed of the breach.
Another threatening message included a scan of his passport, which he says he saved when applying for a travel visa, along with screen captures of the intimate videos the fraudster was threatening to release.
Baran-Chong said that he hasn’t paid the ransom. Nor have the videos been sent to anybody he knows – at least, not yet. But it’s like living “under the sword of Damocles,” he said: “It’s going to hang over my head for the rest of my life.”
The thin silver lining
There are two upsides to this attack: for one thing, the scumbag who did this to him also provoked Baran-Chong’s entrepreneurial creativity, he told CBC News:
The entrepreneur in me is saying, ‘This person may have helped me start a new business,’ because I’m going to tell my story. I know the holes in the system, and there are two things I’m determined to do: to create a business that protects anyone who is in this situation, and second is to create the legislation, the first of its kind in the world, starting with Canada, to essentially create a digital identity bill of rights.
We should be protected. Don’t let the bullies win.
This is the second time this has happened to Baran-Chong. He says that his number was briefly stolen in June, but that no data was accessed after that first attack. The other silver lining is that his carrier, Rogers, is going to add some protection to stop these attacks.
After the first attack Baran-Chong did add a four-digit PIN to his account. The second time around, Rogers has offered to contact Baran-Chong if anybody tries to transfer his number again, and CBC News reports that Rogers is rolling out a text message notification service if there’s a request to port a customer’s number, but as it stands, “Canadian cellphone users have limited options for safeguarding their number.”
What to do?
Limited options doesn’t mean none, and we have tips that can help to protect you. We’ve handed them out far too often. Unfortunately, they’re still fresh as daisies, since SIM swap fraud is still going strong, with crooks aiming high and low: recent celebrity SIM-jacking victims include British food writer and activist Jack Monroe, as well as Twitter CEO Jack Dorsey. Twitter actually turned off SMS texting soon after the @Jack-hijack, given that it was one of the possible ways Dorsey’s Twitter account got taken over by racist/anti-semitic/bomb-hoaxing hijackers in August 2019.
Here’s our advice on how to avoid having your sex tapes whisked out from under you, or your bank account balance melt, or your Bitcoin wallet drain, as you stand by helplessly and watch it all go:
- Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
- Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a 87X4TNETENNBA.
- Use an on-access (real-time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s login page, then springs into action to record what you type while you’re logging on. A good real-time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
- Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
- Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of login codes.
Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:
Malware on your phone may be able to coerce the authenticator app into generating the next token without you realizing it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.