Handschumacher and “at least” eight others would make phony SIM card swap requests, sometimes in collusion with carrier store employees, to tie service to a new phone that the intruders controlled. That, in turn, made it easy to rob a victim’s virtual wallet — if an account required two-factor authentication using text messages, the ring members could see the necessary code in time to use it.
The first evidence of the group surfaced in Michigan, where a mother overheard her son pretending to be an AT&T employee. Discoveries in that state led to identifying Handschumacher and the rest of the ring, which used Discord and Telegram chats to conduct business. It’s not certain how long the ring had been active, but it scored as much as $470,000 in a single heist. The group had even toyed with compromising the accounts of bitcoin magnate Tyler Winklevoss, although they don’t appear to have followed through.
Handschumacher has pleaded not guilty, although he reportedly confessed to participating in the ring and laundering over $100,000 in digital currency using his phone.
Regardless of the outcome of the case, the arrest suggests that SIM hijacking is becoming more of a problem in the US. It also underscores the importance of moving away from SMS in two-factor authentication. While SMS is far superior to relying solely on a password, it’s still vulnerable to tricks like SIM hijacking. Apps and other alternative verification methods can prevent attackers from easily compromising your accounts using other devices, even if they have control over your phone number.