Two Massachusetts men have been arrested for using “SIM swapping” attacks to help them steal cryptocurrencies from victims and take over access to social media accounts.
On Thursday, federal agents arrested 21-year-old Eric Meiggs and 20-year-old Declan Harrington for the suspected crimes, which involved duping cellular providers into handing over access to victims’ mobile phone numbers.
Getting access to the numbers opened the door for Meiggs and Harrington to break into online accounts at Google, Yahoo, and Facebook, among others. That’s because phone numbers often serve as a crucial communication channel for password reset links or one-time codes to grant access to an account.
Meiggs and Harrington allegedly took advantage of this flaw to target at least 10 victims in the US. According to federal investigators, the goal was to hijack email accounts belonging to executives at cryptocurrency companies in an effort to gain access to their digital wallets.
It isn’t entirely clear how Meiggs and Harrington tricked cellular providers into transferring the phone numbers. However, the indictment notes that SIM swapping can often involve cybercriminals posing as the victim, reporting a lost or damaged phone, and requesting that their number be transferred to a new phone. In some cases, the criminals bribe employees at a mobile provider to gain access.
In total, Meiggs and Harrington attempted to steal more than $550,000 in cryptocurrency from victims, starting in November 2017. In one of their exploits, they allegedly took over someone’s Facebook account, and successfully requested $100,000 worth of cryptocurrency from one of the victim’s Facebook contacts.
The two suspects also coerced certain victims into giving up access to popular Instagram and Tumblr internet handles. In one case, Meiggs SIM-swapped a victim’s phone number. Then he demanded the victim give up access to a Tumblr account in order to get the number back.
Federal agents are linking Meiggs and Harrington to the crimes based on communications they made on Google, Twitter, and phone calls with the victims. They’ve been charged with computer fraud and abuse, wire fraud, and aggravated identity theft.
To protect yourself from SIM swapping, you can consider telling your cellular provider to add a PIN or passcode to your mobile phone account. It’s also a good idea to set up two-factor authentication with your important internet accounts. But avoid relying on the SMS-based method to send one-time passcodes. This verification method is vulnerable to SIM swapping, as Twitter’s CEO recently learned. Instead, use a mobile app, such as Google Authenticator, to create the one-time passcodes.
Source By https://www.pcmag.com/news/feds-arrest-2-for-stealing-crypto-via-sim-swapping-scams