10 Year Prison Sentence for US SIM Swapper; Another Indicted

Joel Ortiz, an American SIM swap fraudster who stole USD5mn in cryptocurrency, has accepted a plea deal which includes a 10 year prison sentence, reports Motherboard. His Californian prosecutors believe that Ortiz is the first American to be convicted of a crime for SIM swapping.

Ortiz was arrested in July 2018 at Los Angeles International Airport before he could board a flight to Europe. Originally from Boston, Ortiz studied at the University of Massachusetts, majoring in information technology. The colorful story of how Ortiz hijacked 40 phone accounts is covered in some detail by another Motherboard article, including the time he sent a direct message to the daughter of one his victims which read: “TELL YOUR DAD TO GIVE US BITCOIN”.

The Ortiz case was pursued by California’s REACT task force, a group of law enforcement officers who have specialized in chasing SIM swappers who steal cryptocurrency. REACT supervisor Samy Tarazi stated there had been a fall in the number of SIM swaps reported to them, but they nevertheless expect the severe sentence will send a “strong message” to anyone thinking of perputrating a similar crime.

Further confirmation that US authorities are cracking down on SIM swap fraudsters arrived on Friday of last week, with the indictment of Dawson Bakies, a 20 year old accused of using SIM swaps to take control of 18 online accounts belonging to three Manhattan-based victims. Bakies is said to have performed no less than 50 SIM swaps in total. Manhattan District Attorney Cyrus R. Vance Jr. issued a press release which stated Bakies is the first SIM swapper to be prosecuted by the New York authorities.

Today my Office is putting the small handful of sophisticated ‘SIM Swappers’ out there on notice… We know what you’re doing, we know how to find you, and we will hold you criminally accountable, no matter where you are. We’re also asking wireless carriers to wake up to the new reality that by quickly porting SIMs – in order to ease new activations and provide speedy customer service – you are exposing unwitting, law-abiding customers to massive identity theft and fraud…

It is a shame that Vance went for the soft target by chastising telcos for providing “speedy customer service”. Does he think customers would prefer a slow service? People lose phones and SIMs all the time, and they get upset if they are denied their phone service for a prolonged period. The Bakies case confirms that SIM swappers are targeting victims who are especially vulnerable not because of the lack of controls around phone services, but because of the lack of controls surrounding their cryptocurrency accounts.

As alleged, BAKIES intentionally selected and targeted victims known to be active in cryptocurrency, due in part to the inherent difficulty in tracing the theft and transfer of cryptocurrency.

One good thing about this case is the rapid response of law enforcement to SIM swaps that happened only a few months ago.

According to the indictment and documents filed in court, between October 2018 and December 2018, BAKIES fraudulently ported the cell phone numbers of at least 50 different individuals across the United States to multiple iPhones in his possession. BAKIES then circumvented two-factor authentication security measures to access the victims’ online accounts, by requesting that recovery codes be sent to the phone numbers already associated with those online accounts – phone numbers which he now controlled.

Telcos can and should do more to prevent SIM swaps. At the same time, law enforcement must act swiftly to investigate these crimes, capture the criminals, and ensure they are punished. It is good to see the way US authorities have accelerated their efforts. Unfortunately, too little is said about the most important enabler of this kind of crime – the ridiculous ease with which the public can obtain new passwords for cryptocurrency accounts, bank accounts, and other online services.

Imagine if telcos took the wildly unpopular decision to delay every SIM replacement by two whole days. This would give fraud victims a window to restore control of their service, but it would not discourage criminals tempted by the hugely profitable opportunity to raid online accounts. Criminals would do SIM swaps, but they would start targeting people when they travel overseas because the victim will be slower to react to the loss of their phone service. How much should telcos increase the difficulty of an ordinary citizen obtaining a replacement SIM when there are cryptocurrency investors who think it sensible to save their account passwords to documents stored on Google Drive?

Instead of concentrating all attention on the replacement of SIMs we also need enhanced delays and checks to be imposed before online accounts reissue passwords. The telco industry has long told other businesses not to rely so heavily on the sending of sensitive messages to mobile phones, but few have heeded these warnings. The greatest single issue in online security is the chronic over-dependence on the weak form of identity verification offered by passwords, but instead of addressing the root cause, it seems many have decided they will pass the burden of customer identification to telecoms service providers instead.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.