While mainstream media reports are making this kid sound like a mastermind, the truth is, this trick takes virtually no skills whatsoever.
That’s why it’s so disturbing.
19 year old Yousef Selassie was arrested and charged with first-degree grand larceny and identity theft when authorities traced 75 victims back to him as he began to spend his earnings.
“He sought them out based on the industries they were involved in” said Brooklyn Assistant DA James Vinocur, explaining how Yousef targeted people in tech believing they were more likely to own high amounts of cryptocurrency.
A search of his residents found 9 phones, 3 flash drives, and 2 laptops – all containing evidence against him. He plead not guilty.
Authorities say he used a “SIM swap” to pull it off, and when you hear how easily this is done, it will shock you.
- Get a blank SIM card (available on Ebay and hundreds of other sites)
- Put it into a cellphone.
- Call the target’s cellphone provider.
- Pretending to be the target or someone close to them, say you recently lost your phone, you ordered a new one, and need it activated.
- They will ask for the SIM card’s ID number.
- If everything went correctly, your phone is now on the victims account, you control their phone number, you receive their calls and texts.
- Using the ‘I lost my password’ feature everything from crypto exchanges to online banking has, have them text a code to reset it.
- Since the text messages now go to you, you’re now able to reset the passwords to whatever you wish.
- That’s it, you have full access to everything.
Or, pretend to be elderly, make every step take way longer than usual, make the customer service rep frustrated and by the time they figure out what you need them to do, they’ll rush to get you off the line.
Who’s to blame?
The solution? This can be tough, because sometimes we forget what we chose as our passwords or pins. I’ve never had to do this process myself, and I have no idea what answers I gave to the security questions when I signed up… 8 years ago now.
But frankly, if I forgot, it’s my fault. So perhaps a foolproof system where the customer service reps cannot change SIM information without first entering information given by the customer is the way to go.
If they forgot, a verification code will have to be mailed to the customer’s home address. It could be sent overnight (for a fee) and people will have to accept this is being done in the name of protecting their data.
These days, so much of our lives are on our phones. It’s a change that happened without much thought behind it, but most people don’t feel like losing their phone is the same as losing their wallet with their credit cards in it. But really, it’s exactly like that.
Could someone call a bank and get someone else’s login information by saying they are their personal assistant? Would the bank reps forgive not knowing a few pieces of personal information? Hell no.
Now keep in mind, through someones cellphone you can access that same account! That’s why cellphone providers need to operate with the same security standards as the bank.