A former manager at a telecommunications company in New Jersey pleaded guilty to conspiracy charges for accepting money to perform unauthorized SIM swaps that enabled an accomplice to hack customer accounts.
SIM swapping is the unauthorized porting of a targeted person's phone number to another physical SIM card or eSIM chip controlled by the attacker. These attacks are usually conducted via social engineering against customer support agents or through insiders at mobile companies.
This attack aims to take control of the target's phone number to receive SMS-based one-time passwords (OTPs) sent as part of two-factor authentication protection on online accounts.
Receiving these codes allows attackers to take over the target's accounts using stolen credentials, typically acquired through phishing or other data leaks.
Telecom service providers have now implemented measures to prevent such arbitrary number porting events without the involvement or authorization of the owner.
However, the former IT manager, Jonathan Katz, abused his managerial position and highly privileged account at a mobile telecommunications store to overcome security measures and perform unauthorized number ports.
An announcement and court documents published earlier this week by the U.S. Department of Justice (DoJ) explain that Katz (aka "Luna") performed the SIM swaps between May 10 and 20, 2021, while he was a manager for a telecom firm.
Court documents from December 2021, released following Katz's arrest, indicate five victims in Wyoming, New Jersey, California, and Tennessee.
Katz's actions enabled his accomplice to hijack victims' mobile phone numbers and subsequently gain access to accounts, including email, social media, and cryptocurrency wallets.
For carrying out the unauthorized number ports, Katz received $1,000 in Bitcoin per SIM swap (a total of $5,000), plus an unspecified percentage of the profits earned from the illicit access to the victims' devices.
For his actions, Katz faces a statutory maximum of five years in prison and a fine of up to $250,000 or twice the financial gain or loss from the crime.
The sentencing is scheduled for July 16, 2024.
Comments
Mahhn - 3 months ago
Fingers crossed he gets 20+ years and has to pay for damages.
Thanks for the story
GT500 - 3 months ago
Those damages could be way more than he'd ever be able to pay in his life, so it might scare people who are thinking of committing the crime, but it won't actually help return the majority of what victims lost.
lesjames2018 - 3 months ago
I live in Australia
And people can do that online for free
As long as they know your mobile number
They just sign up for a new mobile plan online and enter the mobile number in
Then in less than an hour
Or sometimes minutes
They now have your mobile number
No ID is needed to confirm that the number was your old number