Victims are falling victim to a well-known trick – this time targeting digital currency
For a technology based on security and traceability, cryptocurrency exchanges seem on occasion to be, well, rather insecure.
A security breach at South Korean crypto-exchange Coinrail saw a reported $37 million stolen from investors back in June and since then, exchanges Bithumb and Bancor have fallen victim to hackers too.
A recent report from CipherTrace concluded that $761 million was stolen from exchanges during the first six months of this year alone.
However, last week, a new type of cryptocurrency theft hit the headlines: SIM hijacking, which according to California prosecutors enabled 20-year-old student Joel Ortiz to steal over $5 million from around 40 crypto investors.
SIM hijacking isn‘t by any means new, but this is believed to be one of the first cases in which it has been leveraged to steal cryptocurrency.
Ortiz is alleged to have hijacked his victims’ phone numbers by using details garnered from social media, which allowed him to claim he was the rightful owner of ‘lost’ phones, answer security questions, and acquire replacement SIM cards.
With these SIM cards, he and his accomplices are claimed to have been able to reset their victims’ passwords and access their online cryptocurrency accounts, which were promptly emptied. One investor alone reportedly lost more than $1.5 million.
Ortiz, who was arrested in July, now faces 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft.
And while his case may be the first major one to come to court, he is believed to have been far from alone.
The phone industry is aware of the problem of SIM card swaps, also known as port-out scams.
Back in February, T-Mobile texted all of its US customers warning that it had ‘identified an industry-wide phone number port-out scam’, through which a number of customers had had their personal bank accounts emptied.
T-Mobile urged subscribers to add more security measures to their accounts, in particular by creating a port validation passcode, without which an attempt to port the number would be invalid.
Ortiz was also a prominent member of the online marketplace OGUsers, where criminals trade stolen social media accounts.
Investors are advised, therefore, to avoid discussing the fact that they hold cryptocurrencies on social media, and should certainly never post their phone number online.
However some believe that the phone industry should be doing more to protect customers, too.
“This is entirely the responsibility of mobile service providers,” says Hermann Finnbjörnsson, CEO of crypto asset trading and investing analysis platform Svandis.
“Non-crypto services rely on cell phone authorisation as well, like traditional banks. Mix private information, like address and date of birth, with access to a cell phone number, and the average consumer could be stripped of everything.
“The mobile providers need to have much better processes in place to catch SIM-card stealers.”