SIM Swap Scams Targeting Cryptocurrency Investors featured image

SIM Swap Scams Targeting Cryptocurrency Investors

by John DiGiacomo

Partner

Data Breach

SIM swap scams are nothing new, and are back in the news with high profile SIM swap attacks on Twitter’s CEO.

Telecommunications providers such as Verizon, AT&T, T-Mobile, and Sprint have been aware for over ten years that unauthorized third parties regularly attempt to obtain access to customer subscriber accounts to gain control over a customer’s SIM card.

Hackers Gaining Account Control

By gaining control over a customer’s SIM card, a hacker can then take control of a subscriber’s telephone number. Once the hacker has control over the subscriber’s telephone number, he or she can use two-factor authentication, which often sends a text message to the subscriber’s mobile phone, to reset the passwords associated with the subscriber’s email account, bank account, cryptocurrency exchange account, and investment accounts.

In an age where telecommunications providers like Verizon, AT&T, T-Mobile, and Sprint outsource their customer support obligations to third parties, hackers know that employees at these companies do not always follow company protocol. In some cases, the companies themselves may not follow industry best practices to secure subscriber accounts from unauthorized access.

Hackers have become adept at finding and exploiting weaknesses in cell provider security. And some providers may even allow known exploits to continue to be used by hackers even after their security and fraud departments have identified them.

SIM Swap Scams Targeting Cryptocurrency Investors

The most recent of these scams targets cryptocurrency investors, such as those who invest in Bitcoin or Ethereum.

Hackers mine data, often from Twitter, LinkedIn, Reddit, and other sources to identify those individuals most likely to have cryptocurrency. Once they have identified a target, they obtain personal information concerning the target in a number of ways. They may pretend to be the target and obtain an account number at an authorized retailer, or they may obtain account information from a prior data breach at a telecommunications provider.

Once this information is in their possession, they call the telecommunications provider’s customer support number. From here, they often attempt to convince the customer support representative that they’ve forgotten their secure PIN number and need to perform a SIM swap with just an account number or some other information. If they are successful, they obtain control over the target’s accounts and either ransom them for payment in cryptocurrency or simply steal cryptocurrency from the target’s account.

Telecom Arbitration Clauses

Telecommunications providers know that these SIM swap scams are happening, yet many appear to not take the threat, or their duties to secure personal and personally identifiable information, seriously.

Since most cell phone subscribers agree to an arbitration clause when signing up for an account, telecommunications providers force these subscribers into arbitration in an attempt to keep these grossly negligent vulnerabilities hidden from the public.

If you are the victim of a SIM swap scam, contact a data breach attorney immediately.

Revision Legal offers a wide array of legal services related to data breach and Internet law matters.  We can be reached by using the form on this page or by calling us at 855-473-8474.

Extra, Extra!
Recent Posts

Online Personal Data Privacy: Fight Over Universal Opt-Out Mechanisms

Online Personal Data Privacy: Fight Over Universal Opt-Out Mechanisms

Internet Law

Almost half of the States in the U.S. have enacted some version of an online personal or consumer data privacy statute. The statutes all use a similar framework that requires data collectors and processors to provide notices, obtain consent, and comply with mandates and prohibitions. For example, all of the online data privacy statutes require […]

Read more about Online Personal Data Privacy: Fight Over Universal Opt-Out Mechanisms

9th Circuit Partially Invalidates California’s Age-Appropriate Design Code Act

9th Circuit Partially Invalidates California’s Age-Appropriate Design Code Act

Internet Law

The Ninth Circuit Court of Appeals — located in San Francisco — partially struck down California’s Age-Appropriate Design Code Act (“CAADCA”). See Cal. Civ. Code §§ 1798.99.28 et seq. The CAADCA was passed in 2022 by the California State Assembly. The CAADCA was enacted to protect the online privacy of children — persons under the […]

Read more about 9th Circuit Partially Invalidates California’s Age-Appropriate Design Code Act

Put Revision Legal on your side