Original author: Andrew Adams, Coindesk
Original compilation: Wu Shuo Blockchain
This article discusses an indictment recently unsealed by the US Department of Justice in a SIM card hijacking case and argues that the defendants in that case, Powell and others, were not the people who actually drained FTX's wallets. It also covers the business risks that SIM card hijacking creates and the regulatory pressure the crypto industry may face as a result. Wu Shuo Blockchain previously published a related article on SIM card hijacking, "Unpreventable: Why are so many crypto Twitter accounts stolen and posting phishing links? How to prevent it", which explains the attack and its countermeasures.
Recently, the US Department of Justice quietly unsealed an indictment. Several mainstream and crypto media outlets quickly reported that it solved the mystery of the roughly $400 million in cryptocurrency stolen from FTX, the collapsed cryptocurrency exchange.
However, the indictment does not end that mystery. What it does underscore is that cryptocurrency companies, onshore and offshore alike, face growing regulatory and economic pressure. In particular, the SIM card hijacking fraud committed against FTX in November 2022 is about as basic as hacking gets: it relies on stealing identities and impersonating financial account holders, and it mainly targets companies that protect customers and account holders with increasingly outdated account protections such as two-factor or multi-factor authentication ("2FA" and "MFA"), especially when the second factor is delivered by SMS.
Federal regulators in the United States are increasingly concerned about the harm that can be done to systems whose account protections are vulnerable to SIM card hijacking. The Federal Communications Commission is developing new rules, and recent cybersecurity regulations from the US Securities and Exchange Commission (SEC) are likely to force companies to improve their defenses against this particular threat. Having itself experienced a SIM card hijacking incident not long ago, the SEC may be all the more determined to tighten regulation in this area.
New Allegations and FTX Hackers
On January 24, 2024, the US Attorney's Office for the District of Columbia unsealed an indictment titled United States v. Powell et al. It alleges that Robert Powell, Carter Rohn and Emily Hernandez worked together to steal the personally identifiable information (PII) of more than 50 victims.
The trio then used the stolen information to create fake IDs, with the goal of deceiving telecommunications providers into transferring the identity theft victims' mobile phone numbers to a new device held by the defendants or by an unnamed co-conspirator to whom the three defendants sold the stolen PII.
The scheme relied on reassigning the victim's phone number to a physical phone controlled by the criminals, which required the number (effectively the victim's identity in the eyes of the carrier) to be transferred, or ported, to a Subscriber Identity Module (SIM) card installed in the criminals' new device. This is known as a SIM hijacking (or SIM swap) scheme.
Through the SIM card hijacking scheme described in United States v. Powell, the defendants and unnamed co-conspirators deceived wireless telecommunications providers into reassigning mobile phone numbers from the legitimate users' SIM cards to SIM cards controlled by the defendants or the unnamed co-conspirators. The hijacked numbers then allowed the Powell trio and others to access the victims' electronic accounts at various financial institutions and steal funds from those accounts.
The main benefit of SIM hijacking for the defendants was the ability to intercept, on the new fraudulent devices, the messages those financial accounts send to verify that the person accessing the account is the legitimate account holder. Absent fraud, this check results in an SMS text message (or similar message) being sent to the legitimate user, who then confirms the attempted access by entering the code contained in the message. In this case, however, the secret code was delivered straight to the scammers, who used it to impersonate the account holder and withdraw the funds. The weakness is structural: the institution only knows a phone number, and the carrier decides which physical device that number currently reaches.
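The following simulation is an added example and is not part of the original article or the indictment. It models the three parties described above: a carrier that routes each phone number to whichever SIM currently holds it, a financial institution that sends a one-time code to the number it has on file, and an attacker who gets the number ported. It then contrasts that SMS factor with a device-bound factor (an HMAC over a server challenge, standing in for the asymmetric signature a passkey or hardware authenticator would produce), which survives the swap because the attacker obtains the number but not the key. All names, numbers and keys are constructed for illustration.

```python
"""Added example: why an SMS one-time code stops proving account ownership after a
SIM swap, and why a device-bound factor does not.  Constructed scenario only."""
import hashlib
import hmac
import secrets


class Carrier:
    """Toy wireless carrier: routes each number's SMS to the device holding its SIM."""

    def __init__(self):
        self.routing = {}  # phone number -> device id currently holding the SIM

    def activate_sim(self, number, device):
        self.routing[number] = device

    def deliver_sms(self, number, text, inboxes):
        inboxes.setdefault(self.routing[number], []).append(text)


def sim_swap(carrier, number, attacker_device, carrier_accepts_fake_id):
    """The fraud step: a forged ID convinces the carrier to move the victim's number
    onto a SIM the attacker controls.  Returns True if the port went through."""
    if carrier_accepts_fake_id:
        carrier.activate_sim(number, attacker_device)
    return carrier.routing[number] == attacker_device


def sign_challenge(device_key, challenge):
    """HMAC stands in for the signature a real authenticator would produce."""
    return hmac.new(device_key, challenge.encode(), hashlib.sha256).hexdigest()


class Bank:
    """Toy financial institution offering an SMS factor and a device-bound factor."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.customers = {}  # user -> {"phone": str, "device_key": bytes}
        self.pending = {}    # user -> outstanding code or challenge (single use)

    def enroll(self, user, phone, device_key):
        self.customers[user] = {"phone": phone, "device_key": device_key}

    # Factor 1: SMS one-time code.  The bank knows only a phone *number*.
    def sms_challenge(self, user, inboxes):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.carrier.deliver_sms(self.customers[user]["phone"], f"Your code is {code}", inboxes)

    def sms_verify(self, user, code):
        return hmac.compare_digest(self.pending.pop(user, ""), code)

    # Factor 2: key held on the enrolled device, never transmitted.
    def device_challenge(self, user):
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def device_verify(self, user, response):
        challenge = self.pending.pop(user, "")
        expected = sign_challenge(self.customers[user]["device_key"], challenge)
        return hmac.compare_digest(expected, response)


def read_code_from_inbox(inboxes, device):
    """Return the six-digit code from the newest SMS on a device, or None."""
    msgs = inboxes.get(device, [])
    return msgs[-1].rsplit(" ", 1)[-1] if msgs else None


def run_scenario():
    """Walk through the attack and return which login attempts succeeded."""
    carrier = Carrier()
    bank = Bank(carrier)
    inboxes = {}
    victim_number = "+15550100"            # constructed
    victim_key = secrets.token_bytes(32)   # lives only on the victim's phone
    carrier.activate_sim(victim_number, "victim-phone")
    bank.enroll("alice", victim_number, victim_key)
    results = {}

    # Before the swap the code reaches the victim's phone, so the attacker has nothing.
    bank.sms_challenge("alice", inboxes)
    results["sms_attacker_before_swap"] = bank.sms_verify(
        "alice", read_code_from_inbox(inboxes, "attacker-phone") or "")

    # The port succeeds because the carrier's identity check is weak.
    results["swap_succeeded"] = sim_swap(carrier, victim_number, "attacker-phone", True)

    # After the swap the unchanged SMS flow authenticates the attacker.
    bank.sms_challenge("alice", inboxes)
    results["sms_attacker_after_swap"] = bank.sms_verify(
        "alice", read_code_from_inbox(inboxes, "attacker-phone") or "")

    # The device-bound factor is unaffected: the attacker has the number, not the key.
    ch = bank.device_challenge("alice")
    results["device_attacker_after_swap"] = bank.device_verify(
        "alice", sign_challenge(secrets.token_bytes(32), ch))
    ch = bank.device_challenge("alice")
    results["device_victim_after_swap"] = bank.device_verify(
        "alice", sign_challenge(victim_key, ch))
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

Nothing in the bank's SMS code changes between the two runs; the only thing that moves is the carrier's routing entry, which is exactly the step the indictment describes the defendants buying with forged IDs. That is why the fix has to be either a stronger port-out check at the carrier or a second factor that is not tied to the phone number at all.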
Although Powell's indictment does not name FTX as a victim, the largest SIM-jacking fraud it describes evidently refers to the hack that occurred at FTX around the time the company publicly declared bankruptcy: the date and amount match the publicly reported hack, and media reports have included confirmation from people familiar with the investigation that FTX is the "Victim Company-1" described in the indictment. When the FTX hack occurred, there was much speculation about the perpetrators: insiders? Government regulators operating behind the scenes?
Many headlines reporting on Powell's indictment claimed the mystery had been solved: three defendants carried out the FTX hack. In fact, the content of the indictment suggests the opposite. While it names the three defendants and details their alleged theft of PII, the transfer of phone numbers to fraudulently obtained SIM cards, and the sale of stolen FTX access codes, the indictment conspicuously omits any mention of the three defendants when describing the actual theft of FTX funds.
Instead, it states that "the conspirators" gained unauthorized access to FTX accounts and that "the conspirators" transferred more than $400 million in virtual currency from FTX's wallets to wallets they controlled. The usual drafting practice in an indictment is to name the defendant in connection with the acts the defendant committed. Here, it was the unnamed co-conspirators who took the final and most important step. The question of who those co-conspirators are remains open, and will likely stay open until new charges are filed or a trial reveals more facts.
Regulators and business risks
The FTX case highlights prosecutors' and regulators' growing awareness of how simple and pervasive SIM card hijacking schemes are. Reading the Powell indictment is no different from reading one of the hundreds of credit card theft indictments that federal and state prosecutors bring each year. As frauds go, SIM card hijacking is cheap, low-tech and formulaic. But if you are a criminal, it works.
The effectiveness of SIM card hijacking is largely the result of weaknesses in telecommunications anti-fraud and authentication protocols, combined with the relatively weak anti-fraud and authentication procedures that many online service providers, including financial services companies, use by default. Most recently, in December 2023, the Federal Communications Commission issued a report and order taking steps aimed at addressing SIM card hijacking vulnerabilities at wireless service providers. Among other things, it requires wireless providers to use secure customer authentication methods before performing the kind of SIM swap described in Powell's indictment, while trying to preserve the convenience customers enjoy when they legitimately move a phone number to a new device. As SIM hijacking actors keep exploiting basic MFA, and as awareness grows that convenient but weaker 2FA, particularly over insecure SMS channels, is the soft spot, this balancing act will continue to challenge telcos and the service providers that rely on them, including crypto companies.
Crypto security
Wireless service providers are not the only group facing increased scrutiny in connection with the charges in Powell's indictment. The case also carries lessons and warnings for the crypto industry.
Even though the defendants in the Powell case were not the ones who actually accessed and drained FTX's wallets, they allegedly supplied the authentication codes used to do so, obtained through a relatively basic SIM card hijacking scheme. In the context of the SEC's emerging cybersecurity regime, the case highlights the need for exchanges operating in the United States to develop processes for assessing and managing cybersecurity risks, including the kind of "hack" committed in the FTX case. Given that the SEC itself was recently the victim of a SIM-jacking attack, we can expect its enforcement arm to pay closer attention to SIM-jacking attacks against exchanges.
This could put offshore exchanges that avoid oversight by the SEC or other regulators at a disadvantage. The SEC's requirements for regular public disclosure of cybersecurity risk management, strategy and governance, coupled with external audits, help ensure that customers and counterparties understand the steps these companies take to mitigate the risk of an incident like FTX's. Offshore companies could adopt a similarly transparent approach to cybersecurity disclosures, but that would require a willingness to be transparent, and such companies may be somewhat resistant to the concept, as FTX showed. Crypto companies and projects can expect greater pressure from regulators and the market to adopt, disclose, demonstrate and maintain a level of cybersecurity practice that goes far beyond merely stopping low-level fraudsters (like the defendants in the Powell case) from walking away with millions of dollars.