Samy Bensaci, an 18 year old hacker has been arrested in Montreal, Canada and accused of stealing $50 million in digital currencies with SIM swap hack. The technique he used is a system that requires careful planning, as well as theft and scams at various levels.
What is a SIM swap (or Port Out) hack?
The SIM swap technique became famous a few months ago when the very founder of Twitter, Jack Dorsey acknowledged that his account had been stolen using this system.
The swapping SIM consists of using a duplicate SIM card from the victim’s phone, to steal all their data. If you have a duplicate SIM card and you know the victim’s email address, you can ask for a password change. Gmail sends you an SMS verification code to the mobile and the cybercriminal receives this SMS, because it has a copy of the SIM card. Google takes the identification as good, and the hacker can change the password and take control of the account.
The key to this technique is how the hacker gets this duplicate card. You can go to a phone shop, call helpdesk or use online services to ask for it, but for this you need some personal information. The operators usually ask for your ID or other identifying information to give you a copy of your SIM card, if you claim that it has been broken or you have lost it.
Here comes the skill: The hacker obtains this data through phishing the victim, or a family member or friend who can supply the hacker adequate information, or the hacker tries to trick the store clerk into making a copy without giving him the requested data, or using false data. Another way would be having an accomplice who works for an operator.
How did he pick his victims?
The technique that Samy Bensaci used to acquire duplicate SIM cards has not been made public. What is known is that with this data in his possession (he got several people’s data), he accessed their email and bank accounts, and obtained the keys to the cryptocurrency wallets. In total he stole around $50 million.
It has been discovered that they all had something in common: they all attended 2018 Consensus, a conference on cryptocurrencies that took place in New York. Surely there he contacted them and obtained their email addresses, names and some other information that was useful to him.
He is forbidden to use any device with internet connection
Samy Bensaci has been bailed with CA $200,000 until the trial is held, but he is forbidden to use devices that have internet connection (“any computer, tablet, mobile phone, game console, including PS3, PS4, Xbox, Nintendo Switch, or any other device capable of accessing the Internet”),his passport was seized by the authorities so that he can’t leave the country, and he is ordered to live in the custody of his parents in North Montreal by the Ontario Court of Justice. The court also prohibited him from owning or exchanging any form of cryptocurrency.
Bensaci has been described by a police source as one of the “main suspects” in an American investigation into a very active circle of pirates, who robbed dozens of people in the United States and Canada as of spring 2018.
How to protect yourself from a SIM swap scam?
You must protect your personal data from hackers, since it is needed to get hold of a copy of your SIM card. Your date of birth, phone number, passwords are enough for such scam, so you can hide these information on your social media accounts, use two factor authentication on all your accounts wherever possible.
Than you should also recognize the signs of fraud, for example if your phone line stops working or you get a SMS that your number has been put into service with another supplier or you are getting password or e-mail change mails, than you might be a victim of SIM swap hack. Contact the authorities and inform them.