Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cops Accuse 20-Year-Old College Student of Stealing More Than $5 Million in Bitcoin by Hijacking Phone Numbers (vice.com)

Posted by msmash on from the security-woes dept.

California authorities say a 20-year-old college student hijacked more than 40 phone numbers to steal $5 million in Bitcoin, including some from cryptocurrency investors at a blockchain conference Consensus. Motherboard, which broke the story citing court documents: This is the first reported case of an alleged hacker who was using SIM swapping (also known as SIM hijacking or Port Out Scam) specifically to target people in the blockchain and cryptocurrency worlds.

Joel Ortiz was arrested at the Los Angeles International Airport on his way to Europe, according to sources close to the investigation, who said Ortiz was flashing a Gucci bag as part of a recent spending spree they believe was financed by the alleged crimes. He is facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him on the day before his arrest.

12 of 71 comments (clear)

  1. Phone company liability... by jholder · · Score: 2

    No doubt the phone companies whose processes were criminally negligent in allowing a person like this to engineer transfer of the number will also be brought to trial and punished.

    Ha ha ha. I crack myself up!

    --
    -- John
    1. Re:Phone company liability... by dissy · · Score: 5, Insightful

      No doubt the phone companies whose processes were criminally negligent in allowing a person like this to engineer transfer of the number will also be brought to trial and punished.

      Ha ha ha. I crack myself up!

      Something you may find even more hilarious, or sadly hilarious perhaps.

      When the company I work for was sold, our new parent company wanted to bring our phone system into their fold, and into their main account.
      At the very end of the transition we had a big conference call with everyone involved with the cut-over, myself as the POC here, the technical POC at HQ, one of the HQ phone company reps, and a couple people who specialize in Cisco VoIP in case anything went wrong.

      They asked me if I was ready for them to pull the trigger on porting our 100 DIDs (aka our outside phone numbers) over to their phone co, so I replied by asking if I should conference in our own phone company rep to authorize the port.

      Their reply: That won't be necessary, we will initiate it on our end.

      Over the next 10 minutes each number was moved (I assume they were doing each one by hand instead of scripted/automated) and said I should start verifying the ones on our critical list as still functional.
      From a technical stand point, all went well and worked.
      From a procedural stand point, what the fucking hell?!?

      No authorization, no informing our phone co this was happening, nothing in place to prevent it, and most disturbing, nothing from the phone co to me to even say it happened.

      I called them up after the conference call anyway to ensure service was terminated. I was told *that* part was automated!
      Once the numbers are ported off-network the current bill will be prorated for the rest of the month, the account closed at the end of the month, and that I'd be contacted within 30 days after termination to arrange for returning their CPE to them...

      This is all just SOP when it comes to porting numbers around.
      The only response they seem to have if done by mistake is to port the numbers back, after the fact, and presumably after any damage is done.

    2. Re:Phone company liability... by Yalius · · Score: 4, Informative

      Want to know what's worse?

      Per FCC regulations, your phone company can NOT initiate a confirmation contact once a port-out has been initiated. If the account #'s, names, and security information are correct in the port-out request initiated by the new phone company, the old provider has no legal authority to question or verify the legitimacy of the port-out request and must complete the port-out within 24 hours or show good reason it could not technically be completed. And they are not allowed to contact you for any reason regarding the number port.

    3. Re:Phone company liability... by bws111 · · Score: 3, Insightful

      That is the process that the FCC says must be followed. Customer contacts new carrier, new carrier contacts old carrier, old carrier may not refuse request, transfer must be completed by midnight the same day. If the old carrier required authorization from you that could result in them either refusing the transfer (not allowed) or failing to meet the transfer deadline.

      The idea is to make it easy for customers to switch carriers without being given the run-around, having to jump through hoops, or being given the hard sell from the old carrier. Of course, where there is convenience there is always the possibility of fraud.

    4. Re:Phone company liability... by JackieBrown · · Score: 2

      You know what's worse? We were cheering this portability change because we didn't want to be owned by our phone overlords.

      That said, I prefer this and the possibility of fraud. Honestly, let's say the old company had to confirm the phone number change. How well do you think that line would be staffed? How much money and resources do you really expect a company to provide to say farewell to business.

      Whenever I cancel a subscription, I usually get sent to a queue that feels like it must be manned by 3 people to cover the entire country. The goal - I'm sure - is to hope I get frustrated, hang up, and continue my subscription.

  2. Wrong approach... by b0s0z0ku · · Score: 3, Interesting

    He should have run the scam from abroad and used the money to buy residence in a non-extradition country... In all seriousness: he used his own phone and expected not to be caught?

    Two more points:
    (1) $1 million bail is more than many murderers get. This shows the priorities of the state -- fortunes of tech squillionaires are worth more than human lives.
    (2) The phone companies that apparently make SIMs stupidly easy to port-out should share the blame.

  3. SIM Lock by nuckfuts · · Score: 2

    After domain names started to be worth big money, registrars came up with an added protection against people stealing your domain registration. IIRC they call this "Domain Lock, or "Registrar Lock" or something like that. So perhaps cellular service providers need to implement some form of "SIM Lock".

    1. Re:SIM Lock by b0s0z0ku · · Score: 3, Insightful

      No. It should be implemented by default. Having people pay for security that should always be present is essentially extortion.

  4. Re:I could use some filling-in by fadethepolice · · Score: 3, Interesting

    It's pretty easy to wash bitcoins. I'm thinking this person did not do that. Since they did not actually purchase the bitcoins, there is no tie to them on the blockchain. Send the bitcoins anonymous online converter and convert the bitcions to ethereum, I ran through the process once just to see how it worked, but can't remember the name of the service at the moment. They are out there though. They generate a temporary wallet then send the coins back to you on a wallet you provide, which you then never have to use again. Then convert the ethereum (or litecoin, whatever) to Monero. After that use a separate online converter to convert your Monero back to bitcoin. Transfer the bitcoins to a hardware wallet. At that point you have generally removed all blockchain connections. You want to do all of this on new virgin equipment and networks not connected to you in any way. I'm way more interested in how the bitcoins were obtained in the first place. How can you access a coinbase or similar account with someone's phone number?

  5. Re:and that is why the bitcoin exchanges banking l by bobbied · · Score: 2

    and that is why the bitcoin exchanges need to be covered by banking laws. Now much info will they giveup? or will they hide over seas?

    Sure they should... None... Yes.

    The issue with any of the crypto is also their strength, they are not centralized and are uncontrollable by law.

    So, if you dabble in crypto, it's like trading gold bullion in the wild west. Yea, you can buy *anything* you like with it, but if it gets stolen, it's gone. Smart money doesn't hold crypto online very long or use exchanges except when necessary, but you offline it ASAP. Just like you don't carry more bullion than you need for your trip and hide the rest.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  6. Re:I could use some filling-in by parkinglot777 · · Score: 2

    I'm way more interested in how the bitcoins were obtained in the first place. How can you access a coinbase or similar account with someone's phone number?

    Do you really want to know? You may read this blog about how he lost the control of his coinbase account due to the people in telecom company. 2FA doesn't help if the registered phone number to the account is changed.

  7. Phone Company "security"... LOL! by Locke2005 · · Score: 5, Interesting

    My housemate, who had land line phone service in his name, moved out. I called up the phone company, and told them I needed to put the phone in my name. They told me that for security reasons my ex housemate had to do that himself. So I asked them, "So, if I hang up and call you right back claiming to be him, you'll put the phone in my name?" There reply was, "Yes." I did, and they did.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.