Cellphones have become a necessity for many people throughout the world, allowing convenience and interconnectivity in the palm of our hands – but they’ve also opened the door to a new type of theft. On April 26, the Cleveland Field Office of the FBI issued a warning to residents to be wary of the problem of SIM swapping – hackers essentially taking over your cell phone by “cloning” the Subscriber Identity Module (SIM) and making their phone the copy of yours. The FBI advisory noted that the Internet Crime Complaint Center (IC3), the conduit for cyber complaints, received 320 complaints of SIM swapping with about $12 million in losses from January 2018 to December 2020. Alarmingly, in 2021 the IC3 received 1,611 SIM swapping complaints with losses adding up to more than $68 million.
SIM Swapping
SIM swappers target vulnerabilities in the way we set up, provision, and establish cell phone accounts, through providers (T-Mobile, Verizon, AT&T, etc.) and third parties (Apple, Best Buy, third-party affiliates), to trick, or bribe, employees into linking the hackers’ phone to the targets’ phone number. This not only allows the hacker to send and receive phone calls and text messages as if they were the actual subscriber, but also to access any user IDs, passwords, or other account access stored on the SIM chip.
The hackers have increasingly used various online forums, social media, and other tools to target cryptocurrency investors and traders, as well as those who have high net worth. By SIM swapping, the hackers can then access the targets’ crypto wallets, transfer funds, and escape detection. Security-conscious investors often insist on complicated passwords with what is called “Multifactor Authentication” or MFA, but the second “factor” is often a six-digit passcode which is texted to the authenticated phone of the user. The problem is that if the SIM swapper has taken over the phone number, they have taken over both factors in the multifactor authentication scheme: the texted passcode arrives on their phone, and the password can usually be reset through the same phone.
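The collapse of “two factors” into one is easy to model, and an exchange or bank can detect it if it acts on the carrier’s SIM-change signal. The following Python is an added example (not from the article or any provider) that assumes the exchange receives a hypothetical “sim_change” event from the carrier and logs which factor authorised each sensitive action; the event stream is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample event stream for one exchange account (not real data).
# Each event is (ISO timestamp, kind, authorising factor, amount in USD).
# Assumption: the carrier forwards a "sim_change" signal when the number is
# re-bound to a new SIM, and the exchange records it alongside its own events.
EVENTS = [
    ("2022-04-20T09:00:00", "login", "password+sms_otp", 0),
    ("2022-04-26T14:05:00", "sim_change", "carrier signal: new SIM on number", 0),
    ("2022-04-26T14:20:00", "password_reset", "sms_otp", 0),
    ("2022-04-26T14:31:00", "withdrawal", "sms_otp", 45000),
    ("2022-04-30T10:00:00", "withdrawal", "hardware_key", 200),
]

# How long after a SIM change phone-bound authorisations stay suspect.
SIM_CHANGE_WINDOW = timedelta(hours=72)

# Factors that are delivered to the phone number and therefore belong to
# whoever controls the SIM after a swap.
PHONE_BOUND = {"sms_otp", "voice_otp"}


def flag_after_sim_change(events, window=SIM_CHANGE_WINDOW):
    """Return (timestamp, kind, usd) for password resets and withdrawals that
    were authorised by a phone-bound factor within `window` of a SIM change.
    These are the actions a SIM swapper performs; they should be held for
    review or require a factor that does not route through the number."""
    last_change = None
    flagged = []
    for ts, kind, factor, usd in sorted(events):  # ISO strings sort in time order
        t = datetime.fromisoformat(ts)
        if kind == "sim_change":
            last_change = t
        elif kind in ("password_reset", "withdrawal") and factor in PHONE_BOUND:
            if last_change is not None and t - last_change <= window:
                flagged.append((ts, kind, usd))
    return flagged


def independent_factors(factors, reset_channel, number_hijacked):
    """Count the factors an attacker still lacks after taking the number.
    `factors` is the set enrolled (e.g. {"password", "sms_otp"}) and
    `reset_channel` is how the password is recovered. With SMS as both the
    second factor and the reset channel, password + SMS collapses to zero."""
    if not number_hijacked:
        return len(factors)
    surviving = {f for f in factors if f not in PHONE_BOUND}
    if reset_channel in PHONE_BOUND:
        surviving.discard("password")  # attacker resets it via the hijacked number
    return len(surviving)
```

`independent_factors({"password", "sms_otp"}, "sms_otp", True)` returns 0, which is the situation the paragraph above describes, while an authenticator app or hardware key enrolled alongside a non-SMS reset path keeps both factors intact.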
Consumer Liability
From a legal perspective, if a personal savings, checking, or investment account is accessed without authorization and unauthorized transactions are made, the consumer has little to no liability under the federal Electronic Funds Transfer Act (Regulation E, 12 CFR Part 1005). For commercial transactions, UCC 4A (ORC 1304.58) relieves banks of liability for unauthorized transactions if they can demonstrate that they used “commercially reasonable security” to validate and authenticate the transaction. While Multifactor Authentication is required under the Federal Financial Institution Examination Council (FFIEC) guidance, the experience with SIM swapping demonstrates that a simple text message to the subscriber may not be “commercially reasonable.”
For crypto wallets or other accounts, these regulations likely do not apply. Moreover, both phone companies and cryptocurrency exchanges have mandatory arbitration provisions in their terms of service which may serve to prevent the victim of SIM swapping from being able to sue either the phone company or the exchange in court. There have been dozens of lawsuits and arbitration proceedings filed against both phone companies and crypto exchanges winding their ways through either the courts or through arbitration proceedings.
Much of the problem is due to the fact that Regulation E applies to “electronic funds transfers,” which may or may not include the transfer of cryptocurrencies. The regulation was drafted decades ago to deal with misdirected or fraudulent wire transfers between banks (and stolen ATM cards), and crypto exchanges are in a middle position: subject to some state regulations related to financial institutions (such as Ohio’s regulation of “money transmitters,” Ohio Rev. Code § 1315.01(G)) but not fully-fledged (and regulated) financial institutions. Some states, like New York, specifically regulate crypto-exchanges but do not provide the kind of consumer protection that the federal banking laws do. Similarly, the Federal Communications Commission regulates cell phone companies (as well as access to Consumer Proprietary Network Information (CPNI)), but does not specifically deal with SIM swaps.
Consumers Should be Prepared
There are a few things that consumers should do to mitigate the problem of SIM swapping, as well as to be prepared in the event of SIM swapping. These include:
- Be cautious in your selection of cell providers. Some providers have a better reputation for prevention of SIM swapping than others. Particularly if you are going to be engaging in large volume financial transactions authenticated through your phone, research your cell carrier beforehand.
- When you set up your phone service (and for a short period of time thereafter) you may have the ability to “opt out” of the provider’s mandatory arbitration provisions. This does not mean that you can’t later arbitrate disputes with the phone company – simply that you cannot be compelled to do so. Opting out provides some flexibility, but usually has to be done within 10 days of starting new service, or sometimes in an even shorter time.
- Establish strong authentication with both Multifactor Authentication and callbacks, passphrases, or other security on accounts which have high dollar value transactions. Contact the provider (e.g., crypto exchange) and ask about enhanced security.
- SIM swapping usually “bricks” the victim’s phone – either temporarily or permanently, since only one phone can have the same electronic ID at any time. If you notice that your phone stops working unexpectedly, immediately notify the carrier (from another phone) and demand that they disable the account while they investigate.
- Read the contract with your crypto-exchange. Again, if you have the ability to opt out of the mandatory arbitration provision, do so. Also, find out what the exchange’s security policy is and ask how they are dealing with the problem of SIM swapping.
- If there is unauthorized access to your accounts, act quickly to notify the providers that you have been the victim of SIM swapping. Change your cell phone number (and/or provider) quickly, and work with the provider to recover. Terminate any linked accounts and/or change passwords and user IDs from a secure computer. Contact consumer protection agencies like the Ohio Attorney General’s Office, your local department of Consumer Protection or the FBI, but don’t expect that they will be able to solve the problem. If you need to recover stolen funds, you may have to retain counsel to pursue either the hacker or the provider for recovery.
If you’ve fallen victim to similar cybercrimes and wish to seek recovery, or you have further questions and concerns regarding the content of this article, please contact KJK Cyber Security and Data Breach Attorney Mark Rasch (MDR@kjk.com; 301.547.6925) or Brett Krantz (BK@kjk.com; 216.736.7238).