Cops Accuse 20-Year-Old College Student of Stealing More Than $5 Million in Bitcoin by Hijacking Phone Numbers

California authorities say a 20-year-old college student hijacked more than 40 phone numbers to steal $5 million in Bitcoin, including some from cryptocurrency investors at a blockchain conference Consensus. Motherboard, which broke the story citing court documents: This is the first reported case of an alleged hacker who was using SIM swapping (also known as SIM hijacking or Port Out Scam) specifically to target people in the blockchain and cryptocurrency worlds.

Joel Ortiz was arrested at the Los Angeles International Airport on his way to Europe, according to sources close to the investigation, who said Ortiz was flashing a Gucci bag as part of a recent spending spree they believe was financed by the alleged crimes. He is facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him on the day before his arrest.

Re:SIM Lock

[b0s0z0ku]

No. It should be implemented by default. Having people pay for security that should always be present is essentially extortion.

Re:Phone company liability...

[dissy]

No doubt the phone companies whose processes were criminally negligent in allowing a person like this to engineer transfer of the number will also be brought to trial and punished.

Ha ha ha. I crack myself up!

Something you may find even more hilarious, or sadly hilarious perhaps.

When the company I work for was sold, our new parent company wanted to bring our phone system into their fold, and into their main account.
At the very end of the transition we had a big conference call with everyone involved with the cut-over, myself as the POC here, the technical POC at HQ, one of the HQ phone company reps, and a couple people who specialize in Cisco VoIP in case anything went wrong.

They asked me if I was ready for them to pull the trigger on porting our 100 DIDs (aka our outside phone numbers) over to their phone co, so I replied by asking if I should conference in our own phone company rep to authorize the port.

Their reply: That won't be necessary, we will initiate it on our end.

Over the next 10 minutes each number was moved (I assume they were doing each one by hand instead of scripted/automated) and said I should start verifying the ones on our critical list as still functional.
From a technical stand point, all went well and worked.
From a procedural stand point, what the fucking hell?!?

No authorization, no informing our phone co this was happening, nothing in place to prevent it, and most disturbing, nothing from the phone co to me to even say it happened.

I called them up after the conference call anyway to ensure service was terminated. I was told *that* part was automated!
Once the numbers are ported off-network the current bill will be prorated for the rest of the month, the account closed at the end of the month, and that I'd be contacted within 30 days after termination to arrange for returning their CPE to them...

This is all just SOP when it comes to porting numbers around.
The only response they seem to have if done by mistake is to port the numbers back, after the fact, and presumably after any damage is done.

Re:Phone company liability...

[bws111]

That is the process that the FCC says must be followed. Customer contacts new carrier, new carrier contacts old carrier, old carrier may not refuse request, transfer must be completed by midnight the same day. If the old carrier required authorization from you that could result in them either refusing the transfer (not allowed) or failing to meet the transfer deadline.

The idea is to make it easy for customers to switch carriers without being given the run-around, having to jump through hoops, or being given the hard sell from the old carrier. Of course, where there is convenience there is always the possibility of fraud.