How One Man Lost His Life Savings in a SIM Hack (cnn.com) 84
Long-time Slashdot reader smooth wombat quotes CNN: Robert Ross was sitting in his San Francisco home office in October 2018 when he noticed the bars on his phone had disappeared and he had no cell coverage. A few hours later, he had lost $1 million...
"I was at home at my desk and I noticed a notification on my iPhone for a withdrawal request from one of my financial institutions, and I thought, 'That's weird. I didn't make a withdrawal request,'" Ross recalled. "Then I looked back at my phone and I saw that I had no service...."
Ross was the victim of a SIM hack, an attack that occurs when hackers take over a victim's phone number by transferring it to a SIM card they control. By taking over his cellphone number, a hacker was able to gain access to his email address and ultimately his life-savings, Ross said in an interview with CNN Business...
An arrest was made in Ross' case, and the suspect has pleaded not guilty... He is suing AT&T for what he alleges was a failure by the company to protect his "sensitive and confidential account data" that resulted in "massive violations" of his privacy and "the theft of more than $1 million," according to the lawsuit.
Re: (Score:2, Insightful)
Trolls once again proving that coronavirus is serious, but TDS is much more dangerous and virulent.
Re: (Score:2)
What I hope institutions learn is that a SIM isn't a security device. Two factor requires something you have and something you know. The bank should be liable. Just as it would be liable if the attacker stole his credit card and spent money
SIMs don't just unlock by themselves. The problem is they hack the device you have, which means they have access to the numpad on which you input what you know. The third alternative is something you are, but /. would freak if they bio-locked your accounts.
Re: Sucker (Score:5, Insightful)
SIMs don't just unlock by themselves. The problem is they hack the device you have, which means they have access to the numpad on which you input what you know. The third alternative is something you are, but /. would freak if they bio-locked your accounts.
What in the world are you talking about? This had nothing to do with the SIM card in his phone, or his phone itself.
The phone company pointed his phone number to a new SIM in a different (thieving) person's phone, the same as if you'd bought a new SIM yourself or moved your number to a new phone company. This allowed them to then start receiving his text messages from his bank, or wherever he had set that number up as a two factor.
Re: Sucker (Score:5, Informative)
What I hope institutions learn is that a SIM isn't a security device. Two factor requires something you have and something you know. The bank should be liable. Just as it would be liable if the attacker stole his credit card and spent money
This wasn't a bank, but crypto currency. If someone had managed to pull the same thing with a bank, the attacker would have defrauded the bank - not him. So no loss for him, unless he had helped facilitate it.
Can the bank undo that? (Score:3)
Can the bank undo that?
Re: (Score:1)
And... more ownership. Thanks.
Re: (Score:1)
Opportunities for legalized counterfeiting and "fractional reserve banking" everywhere, yes.
Re:Can the bank undo that? (Score:5, Interesting)
Re: (Score:1)
The fun part is sometimes I get shit and have to explain to my bank why I receive $20k or so I transferred to MYSELF thanks to money laundering laws, but these fucking criminals never seem to have a problem transferring millions, no questions asked.
That's a really good point. It takes me days to get my money when I send it between my accounts.
OTOH, they said he was using an iPhone, so he's likely kind of technically challenged. Probably just didn't notice that he hadn't had a phone signal for a couple days.
Re: (Score:2)
What I don't understand is how the bank avoids "I did not authorise this transaction. You made the mistake, return my funds."
Just because the bank has no reasonable way to tell it wasn't legitimate doesn't mean that the person whose identity was stolen authorised them to give away the money.
Re:Can the bank undo that? (Score:5, Informative)
There is no bank. This is another cryptocurrency story.
From TFA: "Ross had approximately $1 million stored in two exchanges when he was attacked, according to a report by investigators."
Re: (Score:2)
Everyone repeat after me: exchanges are not wallets.
Re: (Score:2)
You're making assumptions. Maybe he took reasonable precautions, maybe not. We'll eventually find out. But it's _way_ too soon to place blame. Perhaps his password was "password", in which case it's on him.
Re: (Score:2)
"Can the bank undo that?" You're making assumptions. Maybe he took reasonable precautions, maybe not. We'll eventually find out. But it's _way_ too soon to place blame. Perhaps his password was "password", in which case it's on him.
It's important to note that the heist was not taking money from a bank. This was cryptocurrency held by some "exchanges". If you want to participate in these Ponzi schemes, you take a much, much higher risk than if you were using traditional banks and financial instruments.
Re:Can the bank undo that? (Score:5, Informative)
It's important to note that the heist was not taking money from a bank. This was cryptocurrency held by some "exchanges". If you want to participate in these Ponzi schemes, you take a much, much higher risk than if you were using traditional banks and financial instruments.
Every SIM hacking story I've seen falls into one of three categories.
Either (a) the victim called the bank/eBay/Visa and got their account frozen, usually after $5K-$10K was taken or charged, and got re-imbursed, (b) they got an email from the bank/eBay/Visa telling them there had been suspicious activity on their account, that's why it was frozen, and by the way, you're not answering your phone, or (c) they had lots, possibly everything, in Bitcoin, lost it all in seconds or minutes, and are suing their phone company for the losses.
Bitcoin exchanges are not banks, and also, telephone numbers are not secure tokens. Use RSA. Get a Yubikey. Use 2FA at the very least. Relying on your phone number, which is something that is not under your control, and which is provided by vendors who don't even claim it's secure, is fraught with peril.
I've talked with my banks about SIM attacks. They all have procedures in place to minimize losses from something like this, and one of those procedures is that they don't allow you to empty out your life's savings electronically. Well, if your life savings are only $2K or in that range you can, but if you have $300K in RRSPs, TFSAs (yes, I'm Canadian), or investment funds, you can't just convert that to cash and send it to the Cayman Islands in 30 seconds from your computer. Even if you had that $300K lying around in cash for some reason, you can only send a daily limit of something like $10K or whatever.
Banks know that they have to cover the cost of fraud, so they limit the amount at risk. Bitcoin exchanges were practically designed to be untraceable. People who keep their life savings in a liquid, untraceable financial instrument like that are the prime target for SIM hackers, specifically because the victims have already done most of the work for them.
If a SIM hack swipes $10K from my bank, or charges $10K to my Visa, I take the issue up with my bank and Visa. If a SIM hack takes $10K from my Bitcoin exchange (if I had one), I can't take it up with the exchange, so I sue the middleman, the phone company. The thing is, the phone company never made me any guarantees that my phone number was secure, and suitable as a security token.
Re: (Score:2)
Use RSA. Get a Yubikey. Use 2FA at the very least.
Trouble is, if the bad guys can clone your phone (thanks to lax security on the part of the cell provider), he gets everything including RSE, 2FA etc.
And few exchanges support Yubikey.
Re: (Score:2)
Trouble is, if the bad guys can clone your phone (thanks to lax security on the part of the cell provider), he gets everything including RSE, 2FA etc.
I don't know about RSE, but a cloned 2FA doesn't give anything away. The app is keyed to the hardware of the phone, not (just) the phone number. If you cloned my cell phone and ran my 2FA app, it wouldn't work.
This is something that users of Google Authenticator have complained about, actually. They get a new phone, have the same phone number and Google account, but the Google Authenticator won't give 2FA tokens out. Other OTP systems, like Authy, have mechanisms so that you can port it to another device.
Re: (Score:2)
The problem is not his bank, it's the receiving bank. His bank can request the money back but the receiving bank is going to want to investigate and not be out of pocket. They accepted the transfer in good faith and it's not their job to check it. Chances are the money has already been withdrawn or moved on again so they would lose out if they refunded.
Re: (Score:2)
I'm sure they would in the UK, they have the power to do it and I've heard of it happen in the past. US? IDK.
Questions? (Score:1)
I am not victim shaming, however for future deterrence:
- Why is someone parking their entire assets in a single financial institution (or at least major part of it)? Always try to diversify, even in terms of accounts
- Why is such a large amount in liquid assets? Even a simple broker will take 3 days to transfer funds from equities.
- Why did the financial institution not disallow large transfers before adding additional security measure?
I do not have any references, however the only kind of institution I
Re:Questions? (Score:5, Informative)
From TFA, the money was in 2 cryptocurrency accounts.
Re: Questions? (Score:5, Insightful)
So he would have lost it sooner or later anyway, in one way or another. No harm, no foul.
Re: (Score:1)
From TFA, the money was in 2 cryptocurrency accounts.
The guy ceased to have possession of his money the moment he used it to purchase cryptocurrency.
Re: (Score:1)
Apparently the victim had crypto-currency, so you're probably a lot more safe than he is. That said, reducing your attack surface as much as is practical is a good thing. That's why I'll do the "touch-tone teller" with my bank, but not online banking at all--and by no means am I technically illiterate. It's because I know how the sausage is made.
Re: (Score:2)
In the 1990s I got my first and only online bank account. Since I was learning about web sites and their structure I looked at the URL and was surprised to see my account number (there were a lot of 3s). Out of curiosity I changed the number and to my shock I was IN someone else's account and able to do anything I wanted! I took some screenshots, emailed the site admin, and immediately canceled my online account.
Just when I was considering doing online banking again in 2015 Morgan Chase Bank was found to
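What the commenter stumbled on is an insecure direct object reference: the server looked up whatever account number appeared in the URL without checking that the authenticated session owned that account. Below is an added Python example, not code from this thread or from any bank, that contrasts such a handler with one that enforces ownership. The `Account` records, user names and account numbers are constructed sample data, and the `Forbidden` exception and function names are this example's own.

```python
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    owner: str
    balance_cents: int


# Constructed sample data for the example; not from the original page.
ACCOUNTS = {
    "33313333": Account("33313333", "alice", 150_000),
    "33323333": Account("33323333", "bob", 9_000),
    "33333333": Account("33333333", "carol", 42_000),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested account."""


def view_account_vulnerable(session_user: str, account_number: str) -> Account:
    """The 1990s handler: the account number in the URL is the only key used.

    Any authenticated user who edits the number in the address bar gets
    another customer's account (an insecure direct object reference).
    """
    return ACCOUNTS[account_number]


def view_account_hardened(session_user: str, account_number: str) -> Account:
    """Same lookup, but the record must belong to the session's principal.

    Missing and foreign accounts get the same error so the response does not
    reveal which numbers exist (no enumeration oracle).
    """
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner != session_user:
        raise Forbidden("account not found or not owned by caller")
    return acct


def tamper_with_url(session_user: str, view) -> list:
    """Simulate the commenter's experiment: walk every account number as one
    logged-in user and record whose accounts the handler hands back."""
    exposed = []
    for number in ACCOUNTS:
        try:
            exposed.append(view(session_user, number).owner)
        except (Forbidden, KeyError):
            pass
    return exposed


if __name__ == "__main__":
    print("vulnerable:", tamper_with_url("alice", view_account_vulnerable))
    print("hardened:  ", tamper_with_url("alice", view_account_hardened))
```

The fix is authorization at the object level: the identifier the client supplies is a lookup key, never proof of ownership, and the ownership check is made against the identity the server established at login rather than anything in the request.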
Re: (Score:2)
Well how many accounts do you propose that people keep their stuff in? I've essentially got four: regular bank account, broker, government-approved pension account, and employee share purchase account. The (rapidly shrinking) majority of assets is with the broker, but any one of these getting cleaned out would suck horribly.
You can sell shares/ETFs instantly at market price. Although yeah transferring the funds out takes a while and they should have some extra steps for withdrawing large amounts. I actually
Re: (Score:2)
Yes, this was definitely a couple crypto accounts that were hacked.
I've got serious money in ETrade. While I don't think they're any more secure than another financial institution, I do know that any transfer would take more than a day to complete, and verification emails will be sent out during that time period.
Also, a transfer out would mean that the receiving account location would be known.
As for why do I have all my money in ETrade and not multiple institutions (ie: Fidelity, Vanguard, etc.)? I figur
Two important points in the linked article (Score:5, Informative)
Yup, don't give your cell-phone number to your email provider or your online bank account, if the authentication is that simple-minded.
Yup. Then there's Sprint, for the win:
Re: (Score:2)
No, it's only two points. It's either/or for the PIN or security question, so that only counts as one. Then you get a passcode sent to your current phone.
Re: (Score:2)
I recall from earlier tellings that AT&T has similar policies; but an employee didn't actually follow them in this case.
Re:Two important points in the linked article (Score:4, Informative)
Sue the bloody bank for not providing adequate security.
Re: (Score:3)
It was a crypto-currency exchange, security is a bit much to expect.
Re: (Score:2)
Yup, don't give your cell-phone number to your email provider or your online bank account, if the authentication is that simple-minded.
That's easy to say, especially after the fact, but a lot of online services default to using SMS for MFA, and some may not give another option. You can't really blame people for using the authentication methods provided to them.
I think the real issue here is that we need better identity management and authentication. Passwords aren't really working. Password + SMS isn't working. Passwords + MFA token is kind-of almost sort-of working for now, but not really.
Re: (Score:2)
I avoid the SMS-only 2FA online services like the plague, because it's clear they understand nothing about security. Invariably the 'secure SMS' service they provide is some third-party hack installed by overworked, clueless coders because their management heard '2FA SMS good' at some Las Vegas retreat.
What's needed is for websites to get serious and use the public/private key systems like PGP that already exist. Yes, it's more complicated. Good security always is.
Re: (Score:2)
It's not even that complicated. Even something like TOTP, with all the disadvantages it has, would be better than this SMS silliness, and is pretty much trivial to implement.
Re:Two important points in the linked article (Score:5, Insightful)
Re: (Score:2)
It should be the default.
Of course, as others have pointed out, the victim here was using a bitcoin exchange, and not a bank.
"Security" people who don't know NIST standards (Score:4, Informative)
NIST has specifically warned against SMS authentication for exactly this reason for years.
Re: (Score:2)
Yup, don't give your cell-phone number to your email provider or your online bank account, if the authentication is that simple-minded.
The problem is that provides you no alternative or in some cases no service. If the choice is between a slightly less secure 2FA and no 2FA, the latter is usually not the more sensible option.
Worse still depending on the bank it may preclude you from services altogether. One of my banks requires the mobile, for login, transfers, and all sorts of things. It's not an option to not use mobile numbers for identification.
Another bank sent me an RSA token but then didn't revoke it or replace it when RSA suffered thei
Re: (Score:2)
The problem is that "2FA" isn't two factor authentication. Two-factor authentication requires that you have A *and* B, not A *or* B. The 2FA implemented by most web sites uses authentication method B as a backup if you forget your password.
Someone logged in and committed identity theft (Score:2)
poor bank security (Score:2)
Re: (Score:2)
There was no bank. The money was stolen from two cryptocurrency exchanges.
Re: (Score:3)
TFA says it was a cryptocurrency exchange.
Bookmark TFA (Score:2)
I Changed my Date of Birth (Score:4, Informative)
In Australia at least, to change your service provider (i.e. take control of a phone number) you just need to provide your date of birth, which is, of course, widely known. That probably made a lot of sense in the days before SMS was used for security purposes. A SIM stealer could at most be a nuisance.
I had my stuff stolen, and started thinking a lot about security, and so changed my date of birth that is recorded with my provider. That would make it much more difficult to steal my phone number and hence SMS verification.
Note that there are various passwords and PINs, but it is only the Date of Birth that is used to change providers, and so that must be changed. It becomes a password with about 17 bits of entropy.
Re: (Score:2)
That can run into other issues in the US, as some of the password recovery things link to credit union data.
Re: (Score:1)
How? Modern accounts require photo ID, making security through obfuscation difficult. Some providers check the photo ID against state records, meaning there is no need to ever change that personal detail.
It's getting so that ... (Score:2)
Re: (Score:2)
Yeah. But my landline contains no usable information. No banking info or apps. No lists of Bitcoin exchanges. No useful information at all. And my bank (for example) having dealt with customers over landlines for decades doesn't depend on my phone number being any sort of identification or authentication. Because they realize that I might be calling them from an office phone, hotel phone or payphone. And the technology to support caller ID is relatively recent anyway.
Also, my bank never calls with any sens
Re: (Score:2)
But increasingly, people don't even have land lines anymore.
In many countries in Asia, Africa and Oceania they never had land lines; they got phone and internet with mobiles. I mean the general population: obviously government and the rich had land lines, and they had phone boxes etc.
Hackers take over a victim's phone number (Score:5, Informative)
No, hackers do not take over a victim's phone number. What happens is they contact the telecom company and, using personal information, persuade the operative to transfer the victim's phone number to a new phone, using something called a Porting Authorisation Code (PAC). This PAC is provided because the dumb asses don't want to go to the inconvenience of using a new number. Keep the email and phone number private for financial transactions and never give them out to third parties.
Re: (Score:2)
They do, sort of.
Porting is effort and takes a random amount of time, no crim is gonna do that! They just get a new SIM allocated to the existing number.
Often it can be done online after picking up a SIM in a store.
So what they had was enough info to use the person's mobile account.
Mine at least will not let me log in unless I respond to a text code to the current SIM. If it's broken that's a trip in-store or the long way of posting one to me.
Still not very secure though.
Main problem with articles like these
Re: (Score:3)
No, hackers do not take over a victim's phone number. What happens is they contact the telecom company and using personal information persuade the operative to transfer the victim's phone number to a new phone
I'm having trouble seeing how this is different than taking over a victim's phone number.
Google Voice with 2fa is the answer (Score:2)
Get all your texts through Google Voice. If you use 2-factor-authentication using Authy it's going to be very hard to do account takeover, specifically because Google doesn't have customer service to call up and social engineer.
it was more than likely an AT&T employee (Score:2)
READ, people! (Score:2)
Can we de-reputation the commenters that didn't actually read the article and referenced a "bank", asking if the "bank" could undo this? No bank was involved, just "exchanges."
This guy had no savings; he had crypto-currencies, either as an investment or a tax shelter. But he did not have it parked in an approved, FDIC-insured savings account.
And that "million dollars"? Let's do a bit of math: If he bought his "one million dollars" value in bitcoin today, that's about 188 bitcoin, which in 2009 was... wa