SIM Swapping is a Growing Problem for Crypto-Investors
Wireless Carriers like AT&T, T-Mobile, Sprint, and Verizon Make it too Easy for Fraudsters to Steal Your Crypto-Currency and Tokens.
Chicago-based Stoltmann Law Offices has been retained by victims of SIM-Swapping or SIM-Jacking schemes to pursue arbitration and litigation claims against wireless carriers like AT&T, T-Mobile, Verizon, and Sprint, for negligence and violations of various federal and state statutes.
SIM-Swapping or SIM-Jacking is a fraudulent device used to gain access to a user’s cellular phone
It is a form of identity theft and a dangerous tool which leads well-scripted fraudsters into your email and financial accounts. Wireless telecommunications providers like AT&T, T-Mobile, Verizon, and Sprint have legal obligations under both state and federal law to protect your personal, confidential information. Here is how this scam unfolds. Victims are usually “cased” in advance. Many of these scams involve crypto currency investors who attend conferences or are on crypto-currency related mail or email lists. The crooks first obtain as much information about you as possible through public, legal means and easily obtain your email addresses, mailing address, and cell phone numbers. They set up a script, almost like a play sheet, so that they can act fast once they gain access to your device. Then they contact your wireless carrier, like AT&T for example, pretending to be you. They usually have enough information about you (like your phone number and mailing/billing address) to convince the lightly trained AT&T employee that nothing is awry. There is always some story, like the you dropped your phone in the lake, or drove over it in the driveway. The crook already bought a replacement phone and informs the AT&T customer service representative that he needs the new phone activated with your phone number. With the click of a mouse, your phone is deactivated and the crook’s phone now functions with your phone number.
The crook now gets to work very quickly. They begin with your email, which you have wisely protected with 2-factor authorization. The problem is, if you want to change the password to your email, Google will send you a text message with a special security code. Now, that text message goes to the imposter’s phone, not yours. He is in your Gmail account and will search your email for virtual wallet, crypto, and token information. He will do the same thing to your financial and bank accounts, many of which will send a similar message or alert to the cell phone number on file. Once they are in, they transfer funds to accounts controlled either by them or their team of scam artists and your money, crypto, or tokens are gone.
This SIM-Jacking Scam is Well Known to Authorities and is Well-Publicized
There have been numerous criminal indictments against hackers using the SIM-Swap method to access victims’ cellular phones and rob them blind. On July 12, 2018, authorities in California arrested Joel Ortiz, a 20-year old college student, at Los Angeles International Airport for allegedly hacking at least forty phone numbers which allowed him to steal at least $5 million in cryptocurrency. Ortiz was alleged to have been part of a broader ring of hackers and other crooks who seek to infiltrate people’s social media accounts, email accounts, and other internet accounts, like cryptocurrency digital wallets. Ortiz was charged with thirteen counts of identity theft, thirteen counts of hacking, and two counts of grand theft, according to the criminal complaint filed against him on July 11, 2018. The investigation into Ortiz’s criminal enterprise was conducted by the Regional Enforcement Allied Computer Team, a task force of multiple California police departments focused on cybercrime. On January 25, 2019, Ortiz accepted a plea deal offered by the District Attorney for Santa Clara County, California and was sentenced to ten years in prison. The guilty plea and ten year sentence was lauded as a significant warning shot to hackers and SIM Jackers like Mr. Ortiz.
On November 13, 2019, the United States Attorney for the District of Massachusetts secured a grand jury indictment against Eric Meiggs and Declan Harrington, alleging conspiracy to commit computer fraud and abuse and wire fraud, wire fraud, violations of the Computer Fraud and Abuse Act, and aggravated identity theft. Meiggs and Harrington are alleged to have been part of a well-known hacking scheme using the SIM-Jacking, intending to infiltrate people’s social media accounts, email accounts, and other internet accounts like cryptocurrency digital wallets.
The Indictment alleges that one of the members of the conspiracy SIM swapped a victim’s cell phone number to a phone controlled by Declan Harrington. On the same day, the indictment alleges, one or more members of the conspiracy caused password reset information and codes to be sent via text message to the phone controlled by Harrington, including a text from Google. The indictment further alleges, on the same day one or more members of the conspiracy then accessed, without authorization, the victim’s Gmail account and changed the password for the account. The indictment alleges further, that one or more members of the conspiracy obtained from the Gmail account the victim’s private key for a cryptocurrency wallet and used that private key to steal over $165,000 worth of cryptocurrency.
Another well published example involving SIM swapping involves a crypto-investor who had $25 million in crypto-currency assets stolen by hackers, according to a lawsuit filed against AT&T. In many instances, these hackers make more than one attempt to gain access to a phone before they are successful. In that case it is alleged that this victim’s SIM was “swapped” only six months earlier, and AT&T knew it, and was then swapped again six months later. The second time, however, the hackers struck proverbial gold, stealing $25 million in cryptocurrency.
Despite What They Say in their Wireless Customer Agreements, Wireless Providers can be Liable for Damages in Connection With these Hacking Scams
Cellular service providers like AT&T, Verizon, T-Mobile, and Sprint can be liable for losses their customers sustain as a result of these hacking scams for several reasons. First, these hacking schemes are well known to the service providers. These attacks are prevalent, well reported, and as such, are a “known risk” to customers. As such, these service providers are on notice that their customers are being hacked so they have an obligation to act and do something about it, like improve their security protocols to prevent criminals from accessing their customers’ phones. Put the technical jargon aside for a moment, these are actually simple scams. The harsh reality is:
- A hacker calls AT&T and pretends to be a customer;
- One of them, or a co-conspirator, tells the provider, like AT&T or Verizon, he dropped his phone in a lake, or a toilet, or ran over his phone in the driveway with his car;
- One of them, or a co-conspirator, tells the provider like Sprint or T-Mobile, he already has another phone at the ready; and
- The provider transfers the victim’s phone number to a phone in the possession of a criminal.
This Scheme Does Not Involve Some High-Level Computer Hacking Or Infiltration
Various state and federal laws also require “common carriers” to protect customer information, known as Customer Proprietary Information (CPI) and Customer Proprietary Network Information (CPNI). See Federal Communications Act, 47 U.S.C. §§ 222(a) and 222(c)(1). Section 222(a) of the Federal Communications Act requires every telecommunications carrier to protect customer CPI. The Federal Communications Act further requires that, “[e]xcept as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to customer proprietary network information in the provision of (A) telecommunications services from which such information is derived, or (B) services necessary to or used in the provision of such telecommunication services…” See 47 U.S.C. § 222(c)(1). At the state level, for example in Illinois, the Illinois Personal Information Protection Act requires that every “data collector…shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” 815 ILCS 530/45. Violations of these statutes carry civil penalties and also form the basis for negligence claims.
Most, if not all, wireless service providers have binding arbitration clauses in their customer agreements. AT&T, for example, uses a clause binding customers to pursue claims through arbitration with the American Arbitration Association (AAA). These claims proceed under the Consumer Rules, meaning AT&T has to pay for the arbitration proceeding (except the $200 filing fee). The Consumer Rules also greatly limit discovery and further mandate your case will almost certainly be decided by one arbitrator. These telecom giants like Verizon hire expensive and experienced lawyers to defend them in these cases. Do not make the mistake of believing you can handle this case on your own without hiring a lawyer with experience with these cases and arbitration generally.
If you or someone you know was a victim of a hacking scam through your wireless device and have been damaged as a result, please call Stoltmann Law Offices, P.C. at 312-332-4200 for a no-obligation free consultation. We are a contingency fee firm which means we do not get paid until you do.