back to article 22-year-old Brit accused of Twitter SIM-swap heists charged with $784k cryptocurrency theft

A Briton accused of carrying out SIM-swapping attacks to compromise high-profile Twitter users' accounts has been charged with stealing $784,000 in cryptocurrency. Joseph James O'Connor, 22, currently languishing in a Spanish prison, has been charged by US federal prosecutors with stealing Bitcoin, Ethereum, and Litecoin from …

  1. Pascal Monett Silver badge

    Sim-swapping

    I was pretty sure I was immune to that, since my mobe is Luxembourg-based and Luxembourg is a stickler for administrative procedure. Someone calls to say their phone is lost ? No problem sir, what is the number ? There, the phone is blocked. You can now go buy a new one. Sorry ? Transfer to a new sim ? Sorry sir, your phone is lost, go buy a new one. You have another one ? Good for you, have a nice day.

    At least, that is how I imagined things, right up until this article made me do a bit of googling and I found this article from no less than Europol.

    So it would appear that it could eventually happen to me after all.

    Except that, when I check out the particulars, first the miscreant has to get my private information. I'm fairly sure that not being on any social media is going to vastly reduce my possible exposure to unsecured cloud repositories or other such data breach shenanigans. Malicious apps simply do not get to my PC (thank you NoScript) and I don't surf with my mobe. As for the sites where I have activated 2FA, I can count them on the fingers of one hand - none of them are well-known to the hackers and they have no idea I'm subscribed there.

    So let's imagine, for the sake of it, that a data breach has occured and, for some strange reason, some of my personal details are contained within. My phone number should not be in there but, let's imagine it is. Going to step 2, let's imagine that the miscreant actually did persuade my mobile operator to enact the swap (which I still have trouble to believe happening in Luxembourg).

    Step 3 says that the miscreant can now get my texts and calls, which is perfectly reasonable, and to my online banking. BZZZZZZT ! Fail. I have never used my mobe for online banking - I'm not stupid. The only apps I have installed on my mobe are Brave, to have rapid Internet access, a voice recorder and the three security authenticator apps I need to log in online with my customers.

    No banking details in sight.

    Now I will admit that I'm wondering about my GMail account, but since I only use it sparingly on my mobe, maybe the problems will be minimal. Although I would really like to know how the miscreant can get all the details from a virtual swap. Do mobile operators have a complete copy of the contents of my phone sim ?

    That would be a breach of privacy, wouldn't it ?

    1. Natalie Gritpants Jr

      Re: Sim-swapping

      Thank you for sticking your head over the parapet.

    2. Doctor Syntax Silver badge

      Re: Sim-swapping

      AFAICS the fraudster's benefit of the SIM swap is access to the 2FA number for that part of banking security theatre. However does it help that you don't have a social media account? Have you got a shadow FB account based on what's been siphoned out of the contacts files of people who have your phone number(s)?

      1. James O'Shea Silver badge

        Re: Sim-swapping

        I don't let banking apps use the phone # for 2FA. Even if the thief could get on the phone, and good luck with that, they couldn't access most accounts as they wouldn't have the 2FA factors necessary.

      2. Pascal Monett Silver badge

        Re: access to the 2FA number

        My bank in Luxembourg does not do 2FA. I have an OTP token, so sim-swapping will not give him that either.

        As for a shadow FB account, well how can I know ? It's obviously possible with the devious piece of crap call The Zuck.

        Does that mean I can sue him if it ever happens ?

        1. Slx

          Re: access to the 2FA number

          Two of my banks use push notifications to an app and the phone’s biometrics to authenticate transactions.

    3. James O'Shea Silver badge

      Re: Sim-swapping

      So what would happen if someone stole one of my phones?

      1 They'd have to be quick about doing something with it, as Apple's new 'device left behind' feature in Find My will scream at me if the damn things got too far away. Or they'd have to steal both phones. And both iPads. And the Apple Watch. As soon as I detect that one or more is gone, I'd light up Find My and go looking for them... or just remote erase the things. If found, it's trivial to reimage them by plugging into a computer and downloading the last saved backup. I back up the various devices nightly. Doesn't everyone?

      2 The facial recognition on one phone and one iPad are turned off. The fingerprint recognition on the others are turned off. I have 12 digit passcodes, with capital letters, common letters, and numbers. Different passcodes for each. Yes, it's a pain, but working out how to unlock the things before I remote erase them would be more of a pain for the thief. The watch is on my wrist when it's not charging at night. I'm fairly sure that I'd notice if the watch went missing.

      How about trying a SIM-swap? Well, if they did, one device would drop off the net... and Find My would scream. And the attempted thief would have a problem, as my backups are to my local computers, not to iCloud. They could restore the apps, but not the various settings, including passcodes, because iCloud knows what apps I have but not anything else. Also, I have my Discover card linked to Apple's wallet thingy... and as soon as the phone drops off the net, the wallet thingy would scream. I might/might not notice Find My screaming. It's hard to miss the wallet notifying me that my Discover card is not linked anymore. I get on the non-SIM-swapped phone and yell at the telco pretty much immediately. The thief isn't going to have much time to even download the various apps before the SIM-swap is reversed, if necessary by my canceling the phone. If they somehow get the their phone to access my AppleID, I can remote erase their phone. And they'll have a problem signing in to my AppleID; first, they have to know the ID, then they have to know the 15-digit passcode, uppercase letters, lowercase letters, numbers, symbols. And then they have to get the access code for turning on a new device; Apple sends a six-digit code, all numbers, to trusted devices. Which the new device isn't, yet. They can't get on the phone easily, before I can nuke them. They can't access any of my Apple stuff, easily, before I can nuke them. They can't get to pretty much anything else, not even my Kindle books; that's a different account and a different 10-digit passcode. And if they somehow get the AppleID, I can nuke them _easily_ and with extreme prejudice. Meanwhile, I get the telco to SIM-swap back.

      I don't use webmail unless I have to, and never on a phone. My email passwords are in my Keychain... but that's locked up unless my AppleID is available, and if they somehow get my AppleID on their phone I'll nuke them in under a minute. The Keychain on the iDevices allows access to certain accounts, but does not tell the user the actual passcode. They'd have to figure out which accounts to access, and fire up the Keychain, and do it before I dropped a bucket of instant sunshine on their ass. Using most email on the iDevices would demand 2FA, which they won't have, and the Keychain, which they won't have. 'Most email' includes Apple's mail, Google's mail (which I no longer use, so they are welcome to try to access than non-existent account...) Zoho's mail, and a lot more. The only email that I have that doesn't require 2FA is AT&Stupid, and as I only use the AT&Stupid email to talk to AT&Stupid, lots of luck getting anything useful out of that.

      And, oh... I have iDevices on two different telcos, always have. One telco is currently T-mob, the other is currently AT&T. I used to use Sprint, before they got eaten by T-mob, and Verizon; I dumped Verizon after one encounter too many with Verizon non-support. Believe it or not, Verizon makes AT&Stupid look good. Verizon support is worse than Comcast. Let that sink in for a minute, there's something worse than a cableco! Both T-Mob and AT&Stupid require a PIN before they can do anything to the account, including making a SIM-swap. T-Mob is six or more digits, AT&Stupid is four. I picked my PINs to be hard to guess. And not to be the minimum, except with AT&Stupid because they max out at 4. They're _stupid_. But they're not as customer-hostile as Verizon.

      1. elaar

        Re: Sim-swapping

        "So what would happen if someone stole one of my phones?"

        It's not about stealing phones, but congratulations on your massive array of Apple branded products.

    4. Mike 137 Silver badge

      Re: Sim-swapping

      "I have never used my mobe for online banking - I'm not stupid"

      Here in the UK, despite its known fragility, one of our banks has just enforced the use of SMS authentication for all card not present transactions both online and by phone. The really big joke is that the POS terminals of many businesses using other banks don't yet support it, so phone transactions fail.

      Consequently one is either force to transact online (which, as BAA customes found out, is much more vulnerable than we've been led to believe) or one has to pay by bank transfer, which can be seriously cumbersome.

      Being cynical, I have a horrid suspicion that we're being driven by the banks to rely on online transactions because it facilitates liability transfer when things go wrong - "the problem was with your computer sir - can you prove it's fully secure?"

    5. doublelayer Silver badge

      Re: Sim-swapping

      You're at times confusing SIM swapping with phone theft. If someone successfully SIM swaps you, they just get to send and receive calls and SMS as if they had your phone. They would not have access to other data on the phone. Having or not having banking apps on the phone makes no difference to the effectiveness, but if you use SMS to log in, then it could. SIM swapping is almost always used when they already have passwords to things and they need SMS for a second factor (including a fallback). The other use is intercepting other communications going to you, E.G. a verification request from someone else. That's all it does.

    6. Terry 6 Silver badge

      Re: Sim-swapping

      Nice. You're secure. So's a hermit. But it's not how the real world works ( possibly even in Luxembourg). So your comment is not a reflection of reasonable practice. You can't uninvent that stuff.

    7. DS999 Silver badge

      What personal information is needed?

      If it is the sort of personal information friends of yours have (name, phone number, home address, perhaps birthday) then some of them will have that information in the contacts list in their phones, and some of them will have allowed Facebook to upload their contact information.

      So it is 100% certain that Facebook has that sort of data on you. What it really comes down to is whether the information that would be needed for a SIM swapping attack has been supplied by you to other companies and whether they've had data breaches (whether reported or not or known or not)

    8. Anonymous Coward
      Anonymous Coward

      Re: Sim-swapping

      It is true you need an gmail address to set up an Android phone for google, but there is nothing to prevent you from using a dedicated email address created just for that phone.

      That way no sensitive info is going to be sent to that dedicated gmail account.

  2. Version 1.0 Silver badge
    Joke

    So what's "FA" mean?

    Did he use 2FA so that everyone he hacked believed that they were secure? I expect this will need to evolve to protect everyone more efficiently ... running some checks I'm seeing that 8FA is very secure although it does take a while.

    1. Andy Non
      Joke

      Re: So what's "FA" mean?

      4FA is bad enough, having to wait for the postman to bring a letter with code numbers in it and don't even get me started on needing to submit a sample of my dog's DNA.

      1. jason_derp

        Re: So what's "FA" mean?

        You laugh but delivering numbers via post is a legitimate method of accessing online government services in my country.

        1. DS999 Silver badge

          Re: So what's "FA" mean?

          That is used in the US too. For instance, I have to do a state biennial filing for the corporations I own. They will send a reminder card in the mail to the address of the corporation's registered agent that has a code you need to enter to do the filing. It is possible to do the filing without that, but it would be more of a pain so this streamlines the process.

          A similar system is used for paying property taxes and auto registration fee. Again, it is possible to do it without the code but the code streamlines the process - though in this case it is used more as a "avoiding accidentally paying someone else's property tax" rather than as a security measure. Because for sure I don't want any security in place that would prevent someone else from paying my property taxes if they want to!

          When you fill out a tax return you can specify a PIN number that the IRS will require before they will talk to you about it, I guess as a security measure to prevent someone who has your name, address and SSN from being able to call them up and order copies of tax returns or who knows what else.

      2. Winkypop Silver badge

        Re: So what's "FA" mean?

        Codes via Post

        Some years ago Google did this to verify ownership of Google Map businesses. The mail they sent took way longer than the time window allowed to add the code and verify.

    2. Peter D

      Re: So what's "FA" mean?

      Sweet FA is fucking useless.

  3. This post has been deleted by its author

    1. DS999 Silver badge

      Re: Some potting processes must be flawed

      SMS is not secure, so any steps involving it are not sufficient to guarantee that the legitimate owner of the number is the one receiving those texts.

      If you don't see them, your number can be ported without your knowledge. Other SIM swapping attacks rely on insiders who are bribed or blackmailed.

    2. doublelayer Silver badge

      Re: Some potting processes must be flawed

      SIM swapping attacks don't use the porting system. They stay on the same network you're already on and just try to change the SIM card the number is connected to. What does the process look like if you've lost your phone and you're switching your number to a backup device? That's the system they have to sneak through.

      1. Slx

        Re: Some potting processes must be flawed

        I've only ever replaced a SIM twice - lost one and another was just faulty.

        First time was a physical SIM swap in a store, which required photo ID (passport / driving licence) and a printout of a bill.

        Second time, they physically posted the SIM to the registered address and were very reluctant to do it in-store.

        You'd need pretty robust internal security systems to prevent a rogue employee doing something though.

        eSIMs certainly make it easier or at least faster, as you're removing any physical steps.

  4. Dante Alighieri
    Big Brother

    Not using online banking apps - advice please (genuine question)

    So, I don't use my mobile for mobile banking. I refuse to register for online banking nor "apps" for credit cards I use.

    Does this protect me or leave a new attack surface if someone finds some details/intercepts post and starts to register a mobile app.

    In short - do I register to set up security and not use it or do I leave it unregistered/unconfigured and use that as a defence.

    Recent CC change was meant to extend expiry date - it didn't despite helpful phone contact - website says "easy to sort on the app"

    I do not trust my mobile. Google, Facebook, WeChat, Alipay all fighting for my data [complicated reasons involving transoceanic passages ;) ] truthfulness of data - welcome to the 8th & 9th circles...

    Thanks for your comments

    1. Slx

      Re: Not using online banking apps - advice please (genuine question)

      It depends on what technologies your bank is using. Some of their multi-factor security's good, some if it is awful.

      If you're just using passwords / SMS authentication it's pretty weak.

      Any particular reason why you'd be reluctant to use an app with an authentication step ?

      One of my banks uses an app with a push notification and authentication through either biometrics or a long pin, which must be entered on the device before you can access your accounts online (on the web or in the app)

      If you are making a funds transfer, it still requires the little 'calculator' device and runs an app on the chip on your debit card, with a challenge / response code. It's old fashioned, clunky but it's entirely offline, which I like as an extra step.

      1. Falmari Silver badge

        Re: Not using online banking apps - advice please (genuine question)

        @Slx “Any particular reason why you'd be reluctant to use an app with an authentication step?”

        That question is not relevant too Dante Alighieri’s question. For whatever reason Dante Alighieri has not registered for online banking in any form.

        The question posed, is there a risk of a bad actor setting up online banking in Dante Alighieri’s name and would Dante Alighieri be liable for any losses.

        If so, would registering for online banking protect Dante Alighieri. Hence the interesting question for which I don't know the answer,

        @ Dante Alighieri “In short - do I register to set up security and not use it or do I leave it unregistered/unconfigured and use that as a defence.”

    2. elaar

      Re: Not using online banking apps - advice please (genuine question)

      Mobile App banking done correctly is far more secure than any other form of banking.

      The FirstDirect banking app for example is matched to both phone AND SIM. If either change you have to speak to them direct and answer numerous security questions to get it reactivated.

      Then even when that's done, you still need another password to login/authorise any payment.

      So, in the case of a SIM-swap, the person would also need to know my telephone password, 3 question/answer passwords, and then my digital password to do anything useful. Good luck there....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like