California law firm Greenberg Glusker says it secured a $33 million arbitration award against T-Mobile over the wireless carrier’s mishaps related to a SIM swap attack.
A SIM swap (or SIM swapping) attack occurs when threat actors contact the victim’s wireless carrier and convince its employees to transfer the victim’s phone number to a SIM card under the threat actor’s control.
Given that phone numbers are typically associated with various online accounts, control over a phone number can allow threat actors to change the login information for those accounts and take them over.
According to Greenberg Glusker, the SIM swap incident that was the subject of the legal battle with T-Mobile was caused by numerous security failures at the wireless carrier, and the ruling clearly shows that telecom providers need to improve their customer protections.
Greenberg Glusker notes that the ruling was kept under wraps since the fall of 2023 and T-Mobile attempted to keep details of its security failures sealed. The company revealed that the incident occurred after a threat actor accessed T-Mobile’s systems and abused them for SIM swapping.
The law firm’s petition to confirm the arbitration award, filed with a Los Angeles court and shared with SecurityWeek, reveals that the attack targeted Joseph “Josh” Jones and resulted in the theft of over 1,500 Bitcoin and roughly 60,000 Bitcoin cash – at the time valued at $38 million.
The theft was carried out on February 21, 2020, after a T-Mobile employee ported Jones’ phone number to a SIM card in the attacker’s control.
Because his account at T-Mobile had heightened security, including an eight-digit PIN that should have prevented any changes, Jones believed that the attackers might have used a backdoor on T-Mobile’s systems to take control of the account.
Law enforcement’s investigation into the hack revealed that a 17-year-old diagnosed with ADHD was behind it. He was reportedly linked to Nima Fazeli and Joseph O’Connor, who hijacked dozens of Twitter accounts in 2020, as well as other individuals involved in hacking.
SecurityWeek emailed T-Mobile for a statement on the arbitration award but received no response by the time of publication.
“SIM swapping has been an unchecked security flaw for years. Carriers like T-Mobile have known about it and failed to take basic precautions. This award makes it clear: they must do better,” Greenberg Glusker’s Paul Blechner said.
The Twitter hack that occurred in 2020 is one of the most infamous SIM swap attacks to date. Hackers targeted 130 accounts and hijacked 45 of them, including those of Bill Gates, Jeff Bezos, Joe Biden, Elon Musk, and Mike Bloomberg.
In 2022, a US man was sentenced for stealing $20 million in cryptocurrency using SIM swapping, and in 2023 bankrupt cryptocurrency firms FTX, BlockFi, and Genesis disclosed data breaches after risk and financial advisory firm Kroll was targeted in a SIM swapping attack involving T-Mobile.
SIM swapping is an attack technique that threat actors have been using for over a decade, and a 2020 study found that all wireless carriers in the US are vulnerable to it. In 2023, the FCC announced new rules meant to combat SIM swapping, and Aduna last month announced a partnership with AT&T, T-Mobile, and Verizon to strengthen customer protections.
Related: T-Mobile Shares More Information on China-Linked Cyberattack
Related: SEC Says X Account Hacked via SIM Swapping
Related: Man Sentenced to Prison for Stealing Millions in Cryptocurrency via SIM Swapping
Related: Los Angeles SIM Swapper Sentenced to 8 Years in Prison
About The Author
Original post here
