A few weeks ago, a report highlighted how hackers were gaining access to Instagram accounts by stealing a phone number and reassigning it to a different SIM card. Now, authorities have made an arrest as part of a multi-state SIM card hacking ring…
Court records unearthed this week by Brian Krebs (via The Verge) show that Florida authorities arrested a man last month after discovering he had stolen SIM cards from victims in seven states.
Authorities learned of the scheme when a mother overheard her son acting as an AT&T employee and alerted law enforcement. Law enforcement arrived at the house and searched the son’s room, the documents reveal, and discovered “a list of names and phone numbers, along with SIM cards and cell phones.”
Ultimately, authorities were able to trace SIM cards to seven victims in seven states. The victims had their identities stolen as part of the scheme, while also losing “hundreds of thousands of dollars” worth of cryptocurrency.
Officers interviewed the son, who said that the ring consisted of “about” eight other people, including a man named Ricky Handschumacher – who who discussed and organized the SIM-hacking through Discord conversations:
Officers said Handschumacher and others in on the plan would steal personal information, then either impersonate or pay off a cellular service employee to receive a new SIM card with the target’s stolen information.
Using that, they could crack any passwords tied to the phone number, including cryptocurrency accounts. Police say Handschumacher told them he had laundered more than $100,000 through cryptocurrency exchanges, although he has pleaded not guilty to the charges.
SIM-impersonation, also referred to as SIM-jacking or SIM-hacking, is an incredibly easy way for “hackers” to gain access to online accounts such as cryptocurrency wallets and online banking. It’s one of the reasons two-factor SMS authentication is considered the weakest form of two-factor, and has pushed some companies – such as Instagram – to promise additional forms of two-factor.
Read more in the full Krebs on Security piece right here.