You Should Be Afraid of SIM Swaps

If you live in the Minneapolis/St. Paul area, and you’re hangry, you might order in from Tono Pizzeria + Cheesesteaks. Get a pepperoni pie, maybe, or, if you don’t mind the diabetes, a cheesesteak with bacon on top, over a bed of fries. Tono has four locations in the city, and they’re on DoorDash, which is where the problem began.

“[Shaz] The way DoorDash works for merchants is that you’re given access to administrative portal.”

Shaz Khan is the co-founder and owner of Tono.

“[Shaz] And you’re able to log in alongside any authorized users that you have on there in order to see the metrics of your business.

And so what had happened was I went in there once, and I noticed that there was an obscure email address that I didn’t know. And I noticed that my role in the organization had been switched from business owner to, you know, account manager, or something of a lesser access. And this rogue email was the one that had been given kind of the business admin access.”

Shaz contacted customer service.

“[Shaz] And after a series of painstaking phone calls with DoorDash, come to find out that this is kind of a known threat and known attack where by, you know, I’ll say an attacker, for lack of a better term, attempts to convince somebody on the support team at DoorDash that they are indeed an authorized administrator of that particular merchant, and to be given access to the account.”

Customer service failed to suss out the unauthorized user, but the app itself has measures to prevent the worst case scenario. Even as an admin in Tono’s DoorDash account, the unauthorized user had no means of initiating a transfer of money from the business to themselves.

“[Shaz] However, access was given, visibility was given. you know, some couple of digits of a bank account, the name of a bank, and they’re able to take that information, corroborate it with your name, which is on the account, which they can see because they’re now the Business Admin.”

DoorDash was responsive in helping remedy the situation.

“[Shaz] So we removed this fraudulent account, which was, of course, a fake email address, or one that isn’t easily identifiable. [. . .] I ended up talking to a number of people at DoorDash, and then finally closing the gap on this, and putting locks on the account, such that, you know, this should “never happen again.” You know, the amount and number of users on my merchant panel shall not change, and things of that nature”

Everything was cleared up and secured, and Tono went on operating as usual.

“[Shaz] I thought that’s where the story had ended.”

A few months after the DoorDash incident, Shaz got a call from his bank.

“[Shaz] And the bank tells me that, you know, someone was trying to pretend to be me and inquire regarding the account, that particular account. And immediately, I didn’t put two and two together, I said, “Oh, that’s strange.” But just out of an abundance of caution, you know, change all of the security questions and whatnot that exist in the system, just in case, over the phone, over the internet, et cetera.”

Everything cleared up, Shaz went back to his life.

“[Shaz] And another week passes by, and they give me another call.”

The same thing: somebody trying to access his business’ account by pretending to be him.

“[Shaz] And I told them, “You know, this is now starting to be– it’s starting to feel a little targeted” [. . .] And so, I said, “All right, you know, if in the future, anyone calls you in regards to this account, or any account that’s associated with me, then I want you to take a look at the phone number that’s calling. If it’s not my phone number, then simply hang up and call me.”

The teller noted Shaz’ request in his account file. Not much more they could do. It was a Friday, everybody returned to their weekend.

But it was only the following Monday when Shaz woke up and opened his phone to check his email…

“[Shaz] suddenly, I have a couple messages pop up using their native app that says that the number port is complete.”

A transfer of his phone number to a different phone.

“[Shaz] Usually, if you’re porting your number from device to device, you’ll get a text message, you’ll get some kind of authorization saying, I really want to do this. “Yes, it’s really me.” None of that happened. Just the app told me that it was complete, and suddenly, my signal dropped out. [. . .] And initially, somehow, I just kind of knew innately, intuitively what just happened. [. . .] You know, I’ve heard about things like this. Never been really a victim of it, and the implications, I knew very well.”

“[Haseeb] So every cell phone company have tens of thousands, or hundreds of thousands stores.”

Haseeb Awan is the Founder and CEO of Efani, a company that provides cell service specifically designed to protect against SIM swaps.

“[Haseeb] then they have like offshore call centers and everything, all of them have access to every account. What happens is that a lot of those people will charge a bribe, or get social engineered, because they’re not very well prepared for hackers. “

It’s no wonder customer service workers are unprepared for hackers. It’s low-level work with high turnover rates – so companies hardly invest any more than necessary in getting these employees up to speed. Cybersecurity is usually glossed over, if not entirely left out, so hackers pounce. They call up agents, and use some classic social engineering. (Check out our episode from earlier this year on vishing, if you’re curious just how easy it is.)

“[Haseeb] If I’m Haseeb, someone can pretend to be me, get into my account and transfer my number to a SIM card they already control. Once they get a SIM card, every call that I’m supposed to get, they will get access to that.”

Your phone, now, is effectively your hacker’s. Your physical device is still on your bedside table, perhaps, but it’s blank — all of its contents transferred to your attacker. That includes every phone call meant for you. Every text from a friend or family member. Every two-factor authentication code triggered for your most sensitive online accounts.

“[Haseeb] they use that to access my bank account to steal all the money from me, steal confidential information, and then do extortion.

[Nate] What’s the worst that can happen in cases like this? Like, what’s the worst that you’ve seen out there?

“[Haseeb] Well, I have seen people losing, doing suicide, you know. I don’t know if you can think about something worse than that. And the reason for that is because their confidential information was breached, their picture, their private text messaging, their lives were destroyed, and they ended up taking their life. And what’s the second worst? People losing everything they have, losing their licenses, losing their reputation, losing their– all the money in the bank. [. . .] their life will be gone in like half an hour. “

“[Shaz] I’m freaking out now because I have no cell service, and I have a very strong feeling that someone is stealing my phone number.”

Panicked, Shaz called his telephone carrier — Verizon — to recover his account. (From a different phone, of course.)

“[Shaz] The most frustrating part was that, you know, you’re put into this process where a customer support agent who is probably reading off of a script is trying to answer your questions, but trying to validate who you are as well.”

It was ironic — having to answer the very same knowledge-based authentication questions that his attacker had already successfully used to pretend to be him. Then, of course…

“[Shaz] I have to prove I’m me. And they can’t do that without sending me a message. And I said, “Well, hey, I don’t have my phone number. Clearly, the attacker does. And if you texted them, they’re just going to know what I’m doing. So don’t do that.””

In what turned out to be a very lucky break, Shaz happened to have another person on his plan.

“[Shaz] So that saved a ton of time in this very unfortunate situation. [. . .] if you’re on a standard cellular carrier and you’re the only person on your plan, and this happens to you, the only way to prove your identity is to drive to a store, get in line, wait your turn, show them your ID, tell them what happened, and then they can verify your identity.

Well, the amount of time it takes to do that, assuming that you can do drop everything you’re doing, and just run and do that right now, and that’s assuming that you know what’s happening right away is going to buy the attacker a lot of time to figure out where, how to get into your email, how to get into your bank account, et cetera, et cetera.”

To avoid that, Shaz brought the other person on his account into the call with the agent.

“[Shaz] I told them, you know, “Well, authorize, send the authorization request, the identity validation to the other lines on my account.” And so they did that, and I was able to, you know, three-way, that person on the call and then click on the link and tell me the code, and they can hear it. [. . .] And so they were able to restore access to my device, have me reboot that particular device, and I see my access once again.”

Haseeb Awan didn’t always care so much about SIM swaps, until a series of events that turned his life around.

“[Haseeb] The first time, I was just sitting on my computer, and I got an email that, “Haseeb we’re sorry to see you go.”

His phone carrier.

“[Haseeb] “What do you mean?” you know. And I thought it’s like random email that I got. And, but I looked at it, looked legitimate

It wasn’t a phish — his phone service really was gone. Not only that: because he still had WiFi, he could sit and watch as email after email flooded his inbox.

“[Haseeb] password attempt change on this account. Password change attempt on this account.

[. . .] What do you do? You go and chat and you cannot get access to any company account, because you need a phone for that. So I ran into a store and they say we can’t do anything because we have no idea. You’re not a customer anymore.

[. . .] I went to police and I was very quick and, because I knew what happened immediately. So within an hour, a couple of hours, I spoke to Fraud Department, and they said, “Oh, we have– we can’t do anything because the number have been transferred.”

The agents he spoke to didn’t know how to help him, at first, because they didn’t even know what a SIM swap was.

“[Haseeb] They don’t even know that this even exists. So after I convinced them, I told them, they will put a block on it. And after like maybe one or two days, I was able to get my cell phone number back.”

He’d caught a break — by acting fast, he prevented the attackers from doing any severe damage. All was fixed.

“[Haseeb] I told them that this is– should not happen again. So they said, “Oh, that’s perfectly OK. No problem at all.”

“[Haseeb] The second time, I think I was on a camping or something. [. . .] I was like in an area where there could be no signal coverage. I lost my cell phone coverage. And I didn’t realize for maybe like half a day or something that I was actually out. [. . .] I actually couldn’t believe it. Like, how can this happen again?”

After two SIM swaps, it’s hard to imagine that it could’ve gotten any worse for Haseeb. Yet, amazingly, this was only the beginning.

“[Haseeb] The third time it happened, and basically, it caused kind of a mental health issue to me, where I couldn’t walk into, go into a basement. Because as soon as I lose cell phone service, I will be paranoid. [. . .] I would just panic. And then I started getting up at like two o’clock at night, like after one hour, two hours, because I thought my cell phone coverage is gone. And I stopped using Wi-Fi. It was very tough time for me.”

If SIM swap stories ever make the news, almost uniformly, they focus on people who lost a lot of money. Like Michael Terpin, the CEO and crypto investor who lost a full 24 million dollars to a hacker who was only 15 years old at the time. But SIM swaps also take a psychological toll. Getting cut off from the grid all of a sudden, not knowing why, not being able to call for help. Even when it’s over, you never know if your attackers — whoever they are — will come back again.

“[Haseeb] I went from angry to defeated, to hopeless, to basically, it was a very tough time. It’s very hard to explain it. But still, it gives me sometimes kind of anxiety.”

Haseeb was swapped four times in a period of 18 months. Like a never-ending nightmare.

“[Haseeb] And the fourth time, I was like, literally, I’m just trying to give up on my cell phone.”

Even after he got his number back, and tried everything he could to secure it, hackers would just return later. Because they could. Because there was nothing he could do to stop them. No amount of password resetting, or MFA, or anything was changing that.

“[Shaz] So I go on there, online, and of course, I changed everything once again. You know, I turn off the number port code, I reset everything, I reset passwords, I reset two-factor authentication.”

Shaz Khan was aware enough — or, perhaps, paranoid enough — to know that his attack wasn’t over once he got his number back.

“[Shaz] Because at this point, I don’t know where the gap was, where the security hole was.”

He began digging for evidence of what could’ve caused the breach. It didn’t take long to find a big, flaming clue.

“[Shaz] And so I look on my account history and I see that somebody in another time zone in the United States had first thing in the morning in that time zone, had walked into a retail Verizon store, purchased a gift card at some time prior, used that gift card to purchase, you know, I don’t know, some kind of Android device, and pretended that they were me.”

The store, it seemed, was located in Florida. A long way from Minneapolis.

“[Shaz] I looked up the receipt on the portal of what agent had, at Verizon had authorized this device purchase through that gift card, and I started calling. I asked the agent on the phone that I was speaking to, once I thanked them for helping me, to connect me with that store.”

Verizon doesn’t allow customer service agents to connect callers to specific store locations, but Shaz had no choice. He called again and again, spending four, five, six hours trying to get somebody to help.

“[Shaz] And so, you know, we’re hours into this ordeal, and one of these agents connects me somehow. I don’t even know how, because all other agents told me it’s not possible, but they connect me to that store. And when they did, I asked to speak to the manager, and the manager would very weirdly not identify himself.”

The employee on the other end of the line was quite obviously hostile. For no explainable reason.

“[Shaz] So he gives me one letter for his name. And I say, “OK, well, apparently, that’s your name. Do you know, such and such?” which was the name of the representative on the receipt that I was able to download from my Verizon portal. They said, “Yeah, they’re here.” I say, “Well, can I speak to them?” “No, you can’t.” “

“[Nate] And who’s usually behind these attacks in your experience?

“[Haseeb] It’s generally a ring, because they operate in a gang. And so they have connections, some persons are working as– in a store, so they will say, OK, one person will work in a store, one person will work, I do the SIM swapping. One person will do after SIM swapping. So they operate in a gang, got three to five normally, and they share information to clear the maximum damage.

[Nate] When you say working in a store, you mean like an actual legitimate phone carrier store, one of these people in a crime ring would be working there?

“[Haseeb] That’s right. So they get a job there.

[Nate] Wow. Could you expand on that, just because that’s a relatively significant thing to say? Have you ever had experience with this kind of thing?

“[Haseeb] Yes, I did. So we went through a lot of investigations, and a lot of people pretended that they got social engineered. But actually, they were bribed before. So the easiest way for that is people will say, “Oh, I got a social engineered. I didn’t know that.” But in actual, he’s part of the gang, and he can just say, “I got mistaken.”

“[Shaz] I said, “Well, somebody just walked in pretending to be me, and you let this happen. You signed off on this, because I know there’s a manager override that was performed in order to make this number port. [. . .] And you know, they were kind of dancing around my request and saying that, “Oh, no, this person brought an ID in and the employee didn’t do anything wrong.””

The manager with no name wouldn’t give a straight answer. The call went nowhere.

“[Shaz] And of course, I never got a hold of that person again, and nobody knows anything about it.”

With no help from Verizon, Shaz had the choice to either give up, or pursue his case on his own. So he went searching for clues.

“[Shaz] I called my bank, and I said, “Hey, did you get any suspicious calls in the last couple of hours?” And they said, “Yeah. Actually, we got a call from your number.” Now, remember the previous Friday, I know a lot has happened here, but the previous Friday, I just asked that bank, “Hey, if you get a call from someone pretending to be me, hang up and call me back in my phone number.” Well, they actually got a call from my phone number. “

At this point, if Shaz was banked with a big, brand name like Chase or Wells Fargo, he probably would’ve been screwed.

“[Shaz] Because larger banks that have, you know, way too many customers and they’re national, they’re not going to know who you are. And so if they call in and they convince somebody that they’re you, I mean you’re exposed now.“

But in a second, extremely lucky break, he happened to use a small, regional bank with such a small support staff that they actually knew him by the sound of his voice. So when the hacker called in from Shaz’ personal phone number — with all the other personal information they had already stolen about him, in hand — and tried to reset his authentication information, the bank teller nonetheless turned them away.

“[Shaz] They seem to be very perplexed as to why that was.”

His money was safe. What about his online accounts?

“[Shaz] I looked in my text logs, and I saw that there was a bunch of text messages that had been received. And the sender of those were five digit numbers. Well, five digit number senders are typically one-time passcode authentication services.”

Passcodes tied to sensitive accounts. The hackers had managed to breach one of his email addresses. The wrong one, though — one that he didn’t actually use.

“[Shaz] But that particular domain allows me to see where the last login attempt was.”

The IP address appeared to come from overseas. Hamburg, Germany. A long way from that retail store in Florida, where an anonymous manager overrode the number port on Shaz’s phone. Which could only mean one thing.

“[Shaz] It wasn’t just some dummy, who got ahold of a person’s address and phone number and, bank name, and then try to, like, connect all of this together. This was part of a more sophisticated crime ring involving multiple people.”

Shaz collected his findings, and opened up an identity theft case with his local sheriff’s office.

“[Shaz] the scary part about this is when I’m speaking to the officer [. . .] And so he pauses me telling him kind of what transpired. Because I’ve got timestamps, I’ve got a timeline, I’m telling him everything in order. And he says, “Mr. Khan, do you have any enemies?” And that’s just, that’s a question I hear in movies. Like, I’m not used to hearing something like that, you know, he’s asking me if any business deals went sour, if anyone I know might want to hurt me.

I mean, I’ve heard of things like this, but that’s just, it’s a scary thing to hear. So I’m like, “Listen, I don’t know what other information these people have or who they are at this point. But what I can tell you is that I’m fearful now because I’m paranoid. And I don’t know what’s next. I don’t know what they’re going to attempt to next. I don’t know what they know. Do they know my address? Are they going to show up? Am I going to wake up with a gun to my head? You know, what’s happening here?” “

On Friday, October 14th, 2022, the Southern District of New York ruled in favor of Michael Terpin, a multimillionaire blockchain investor. Ellis Pinsky — who was just 15 years old when he took part in a plot to SIM swap Terpin — was ordered to pay back the full amount stolen: 24 million dollars, minus 2 million he’d already returned. Two months later, Pinsky’s partner — Nicolas Truglia, himself barely 20 years old at the time of the attack — was sentenced to 18 months in prison.

In court documents and quotes to the press, Terpin often sounds annoyed. “Despite their wholesome appearances,” read the court filings, “Pinsky and his other cohorts are in fact evil computer geniuses with sociopathic traits who heartlessly ruin their innocent victims’ lives and gleefully boast of their multi-million-dollar heists. Pinsky is reputed to have used his ill-gotten gains to purchase multi-million-dollar watches and is known to go on nightclub sprees at high end clubs in New York City, and Truglia rented private jets and played the part of a dashing playboy with young women pampering him.”

You can understand the frustration. Only 18 months’ prison time, and getting his money back hardly makes up for all the lawyer fees, and the time, effort and anxiety involved in losing 24 million dollars. But actually, Terpin can count himself lucky. Getting any recourse in a SIM swap is an achievement.

For one thing, you have to know who your attackers are in order to sue them. Neither Shaz nor Haseeb figured out who they were being targeted by, despite both of them being very motivated to find out, and tech-savvy enough to try.

And what if it turns out that instead of Florida, or Germany, their attackers were located in Russia? Or China? They could sue in absentia — maybe even win the case — but it’d be to no effect.

And then, of course, there’s the cell phone company. The company that provided the weak security that allowed hackers to break in, and employed the people who were either duped by or actively participated in the attack.

Michael Terpin was awarded his money back from the teenagers who stole it five years ago. But when he tried suing AT&T for damages, the story went a little differently.

According to his suit, in order to keep him on as a customer, an AT&T employee assured him that two-factor authentication would properly secure his account. In reality, though, the company had no intention of securing his data.

A judge for California’s central district court sided with the defense, and their claim that “overly optimistic” promises are not the same as intentional misrepresentation. Basically, AT&T told Terpin something that didn’t turn out to be true, but they hadn’t lied. His case was tossed out.

“[Nate] have there ever been any kind of settlements?

“[Haseeb] I have not heard about anyone who was able to recover their money. [. . .] if you get SIM swapped by a carrier, the maximum you’re getting is a letter of apology that’s automated. “I’m so sorry, we lost all your money.”

Shaz’s police investigation is still ongoing. He hasn’t sued Verizon, probably for his own good. But he still has a sour taste in his mouth. Like they should do something.

“[Shaz] I was still discontent with the fact that this even happened. How could this happen with a multi-dollar billion corporation, Verizon, right? [. . .] I had to spend hours and hours and hours on the phone and to basically get nowhere and get shoved around by a manager who seemed very shady, and like they were involved, with zero answer, zero accountability. And when I finally made some complaints on the fraud line with Verizon, they offered me a whole total sum of $50 off of my next bill. Thank you, Verizon.”

Latest episodes

You Should Be Afraid of SIM Swaps

Hosted By

Ran Levi

Co-Founder @ PI Media

Special Guest

Shaz Khan

Co-Founder at Tono Pizzeria + Cheesesteaks

Haseeb Awan

Founder & CEO at EFANI Secure Mobile