How to stay safe from online scams.
Use a unique mobile phone number and email for your banking. Never give this out or use it for registering with any other service.
A 20-year-old Florida man has been sentenced to 30 months behind bars for his role in a SIM-swapping ring that stole nearly $1 million in cryptocurrency from dozens of victims. Jordan Persad, of Orlando, was also ordered to pay $945,833 in restitution. He pleaded guilty to conspiracy to commit computer fraud on May 1. …
Given that the criminals could (and potentially did - not completely clear from the article but mentions seizures and restitution in US$) go to an exchange and sell crypto for USD, yes it has real cash value. Any mainstream crypto (Bitcoin, Ethereum, Token etc) has very high trading volumes on exchanges and (relative to 'smaller' tokens) less volatility. Trading $1 million is actually small fish as a trading amount on a big exchange, and particularly if done in smaller batches would not significantly change the crypto-to-USD exchange rate. Of course the higher the nominal value, and the less the market cap of the token, the more difficult / lossy it might be to convert to harder currency.
But that's the same if you're dealing with any other fiat currency that is issued by a smaller / marginal or sanctioned country. In the end 'real cash value' simply means 'can you buy stuff that you want with it'? (even if 'stuff you want' is other currency)
At first I thought that was a mis-transcription or something, meaning he bought login creds on the darknet; but it's actually there in the plea agreement, a direct statement. Looks like some morons really log passwords. (A few days ago I read about someone logging *failed* login attempts, here on The Reg; don't remember the actual article. [No, it was not BOFH.])
And yet I still have to give five-minute explainers to people on why they should not reuse passwords. Sigh.
《I they logged credit card information. Enough that when I had to redo a transaction, I pulled everything from the logs.》
Isn't logging the CC number, card holder's name, expiry date and CVE a complete breach of the card provider's merchant terms of service? In some jurisdictions seriously illegal, I suspect.
Glad I use a prepaid debit card with sod all on it, if this is typical of the shenanigans in which online merchants engage.
Pretty sure it's a PCI violation, anyway.
Even logging usernames is a risk, because it's easy for touch-typists to get the focus wrong and accidentally submit their password as their username. Sometimes client-side validation can prevent that mistake (by blocking submission if the username isn't in the correct format, for example), but it still happens too often.
There again having unique, strong passwords helps, because the effort of matching the incorrectly-submitted password to an account is higher. (Often it'll be an account that successfully logs in shortly after, but at least a unique password won't help with naive credential-stuffing attacks.)
Logging failed login attempts does make sense. I spotted someone trying to log into an immortal account on my MUD that way once, and I'm sure it's a common way to look for brute-force attempts on more important systems.
Don't log the incorrect password, though; if it's a legitimate user who made a typo, you just recorded something very close to their password.
Likewise, if the username doesn't exist, it might be a bad idea to log the incorrect username. Ever accidentally typed your password into the username field?
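The logging advice in the last few comments, as an added example that is not from the thread or from any commenter: failed logins are recorded for brute-force detection, the password is never written, and a username that matches no account is stored only as a keyed digest. The key, account set, field names and sample attempts are all constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed values for illustration only.
LOG_KEY = b"constructed-demo-key"          # assumption: secret kept outside the log store
KNOWN_USERS = {"alice", "immortal_admin"}  # assumption: stand-in for the account database


def user_field(submitted: str) -> str:
    """Return what is safe to write to the log for the submitted username."""
    if submitted in KNOWN_USERS:
        return submitted
    # Unknown name: it may be a password typed into the wrong field, so log only
    # a keyed digest. Repeated guesses still correlate; the text itself is not
    # stored. If LOG_KEY leaks, the digest can be guessed offline.
    digest = hmac.new(LOG_KEY, submitted.encode(), hashlib.sha256).hexdigest()
    return "unknown:" + digest[:16]


def failed_login_record(ts: int, src_ip: str, username: str, password: str) -> dict:
    """Build the log record for a failed attempt. The password is never included."""
    del password  # accepted only to show that it is dropped deliberately
    return {"ts": ts, "event": "login_failed", "src": src_ip, "user": user_field(username)}


def brute_force_targets(records: list, threshold: int = 3) -> list:
    """Return (src, user) pairs with at least `threshold` failed attempts."""
    counts = Counter((r["src"], r["user"]) for r in records)
    return sorted(pair for pair, n in counts.items() if n >= threshold)


# Constructed sample attempts: (timestamp, source IP, username field, password field)
ATTEMPTS = [
    (100, "203.0.113.7", "immortal_admin", "guess1"),
    (101, "203.0.113.7", "immortal_admin", "guess2"),
    (102, "203.0.113.7", "immortal_admin", "guess3"),
    (200, "198.51.100.4", "Tr0ub4dor&3", ""),       # password typed as username
    (201, "198.51.100.4", "alice", "Tr0ub4dor&4"),  # then a typo in the real password
]
RECORDS = [failed_login_record(*a) for a in ATTEMPTS]

if __name__ == "__main__":
    for record in RECORDS:
        print(record)
    print(brute_force_targets(RECORDS))
```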