SIM swap hack can empty your financial accounts - here's what you need to know

Monday, February 25, 2019

How many times have you had an authorization code texted to you so you can sign into an account? Well there's a new high tech scam that you need to know about.

SAN FRANCISCO (KGO) -- How many times have you had an authorization code texted to you so you can sign into an account? Dozens of times... hundreds?

Well you'll never look at those texts the same way again.

There is a new high tech scam that you need to know about. This is no nickel and dime stuff.

Rob Ross is a tech entrepreneur and he is telling me about the October 26 incident that changed his life.

"I looked at my phone and there was a request for a withdrawal on my lock screen," he told me. "I thought, 'I did not make a request for a withdrawal.' As I look up at my computer, I was being logged out of Gmail and I am like, 'why am I being logged out of my computer?' and I look back at my phone and I notice there was no service."

Within 20 minutes, the cash Rob held in two separate crypto-currency accounts, Coinbase and Gemini, had been drained.

"It was $1 million," Rob says.

A lifetime of savings... gone.

Rob had been hit by hackers in a SIM swap attack.

When signing into a financial account, for instance PayPal, and you forget your password -- or have two factor authentication. You'll be asked where you want a secure code sent. A mobile number is common andinstantly a code is texted.

Lamorinda Technology's Edward Zeidan says if bad guys take control of the process, they get the code.

"There is a little chip inside your phone called a SIM," he says, "and they convince your cellphone company that you have a new phone and to redirect the calls and texts to your new phone."

They convince by conning a service rep, offering bribes or having an inside accomplice.

Erin West is one of the country's foremost experts on SIM swap crimes. She tells me, "It is a major epidemic." She is a Santa Clara County Deputy District Attorney and is currently prosecuting SIM swap scams tied to five different teams operating in the U.S. She says this is a new crime in the Valley.

Erin and the REACT computer crime team based in Santa Clara County have found it is not just the crime that is new and unique -- so are the defendants.

"They are often very young, have had no jobs before and are all of a sudden millionaires," she tells me. "They spend it at clubs, they spend it on $50,000 watches, they spend it on Gucci clothes. They are flagrant and obnoxious."

So far, the thieves are concentrating on cryptocurrency accounts, but that could change.

There is no way to completely protect yourself from this crime, but Rob suggests you set up a separate phone account, like Google Voice and have your authentication codes sent there. Or you can get an authentication app -- that is what Edward uses.

Erin says if you are a SIM swap criminal, you might want to rethink your plan.

"If you have victimized people in Santa Clara County, we will track you down and find you," she says. "We will come to your mom's house, we will find you in your basement and we will take back the assets you have stolen from our victims."

See more information about StopSIMCrime here.

Take a look at more stories and videos by Michael Finney and 7 On Your Side.

Report a correction or typo