Regular readers of Scamicide are familiar with Scattered Spider which is the name of a hacking group largely made up of teens and young men in their twentys in the United States and the UK who have managed, primarily through social engineering rather than sophisticated technologically based hacking to perpetrate massive ransomware attacks against companies such as Caesars Entertainment and MGM resorts. Last week, Noah Michael Urban, a 20 year old Floridian became the first member of Scattered Spider to be convicted and sentenced for his crimes related to a variety of crimes including, most notably stealing more than $13 million of crytocurrencies from at least 59 victims. Along with financial penalties, he was sentenced to serve 10 years in prison, which is most notable since the prosecutors had only requested an 8 year prison sentence.
The method he used to steal cryptocurrencies from his victims’ cryptowallets was through SIM swapping. A Subscriber Identity Module, more commonly known as a SIM card, is an integrated circuit that stores information used to authenticate subscribers on mobile devices, such as a cell phone. The SIM card is able to be transferred between different devices, and often is, when people update into a newer cell phone. SIM swapping is the name for the crime where someone convinces your phone carrier to transfer your SIM card to a phone controlled by the criminal. Sim swapping is a way for a criminal to defeat dual factor authentication where to access an account, in addition to a password, a security code is required. The new security code is created each time the holder of an account goes to access his or her account and it is generally sent to the cell phone of the account holder which is why if the criminal is able to swap the victim’s SIM card to the criminal’s phone, he or she can get access to the account.
In order to do a SIM swap, the criminal uses harvested information to answer security questions asked when the criminal, posing as the real account holder when the scammer contacts the cell phone service provider posing as the account holder and asks to do a SIM swap into a new phone. Much of this harvested information came from data breaches done by Scattered Spider.
The best thing you can do to protect your SIM card from SIM swapping is to set up a PIN or password to be used for access to your mobile service provider account. This will help prevent a criminal from calling your carrier posing as you and convincing your mobile carrier to swap your SIM card to the criminal’s phone merely by providing personal identifying information or answering a security question.
TIPS
I have written in the past about how to avoid SIM swaps by setting up a passcode or PIN on your mobile service carrier account to avoid a scammer being able to access the account merely by answering a security question.
AT&T will allow you to set up a passcode for your account that is different from the password that you use to log into your account online. Without this passcode, AT&T will not swap your SIM card. Here is a link with instructions as to how to set up the passcode. https://www.att.com/esupport/article.html#!/wireless/KM1051397?gsi=9bi24i
Verizon enables customers to set up a PIN or password to be used for purposes of authentication when they contact a call center. Here is a link with information and instructions for setting up a PIN with Verizon. https://www.verizonwireless.com/support/account-pin-faqs/
T-Mobile will allow you to set up a passcode that is different from the one you use to access your account online. This new passcode is used when changes to your account are attempted to be made such as swapping a SIM card. This code will not only protect you from criminals attempting to call T-Mobile and swap your SIM card, but will also prevent someone with a fake ID from making changes to your account at a T-Mobile store. Here is a link to information and instructions for adding a new passcode to your account. https://www.t-mobile.com/customers/secure
Sprint customers can establish a PIN that must be provided when doing a SIM swap, in addition to merely answering a security question, the answer to which may be able to be learned by a clever identity thief. Here is a link to information about adding a PIN to your Sprint account. https://www.sprint.com/en/support/solutions/account-and-billing/update-your-pin-and-security-questions-on-sprint-com.html
And if you are particularly paranoid, like me, you can arrange with your cell phone service carrier that your SIM card cannot be switched except in person by you.
If you are not a subscriber to Scamicide.com and would like to receive free daily emails with the Scam of the day, all you need to do is to go to the bottom of the initial page of http://www.scamicide.com and type in your email address in the tab that states “Sign up for this blog.”