Close-up of a smartphone with two SIM cards ready for installation.
getty
Eric Council has recently entered a guilty plea in the United States District Court for the District of Columbia, admitting to charges of conspiracy to commit aggravated identity theft. These charges stemmed from his involvement in a complex hacking incident targeting the X, previously known as Twitter, account of the Securities and Exchange Commission (SEC). Fire false tweets were made under the name of then-SEC Chairman Gary Gensler, falsely claiming that the SEC had authorized Bitcoin exchange-traded funds (ETFs). This misleading information caused Bitcoin’s price to surge by over $1,000, facilitating quick profits for Council’s accomplices. However, the real Chairman Gensler quickly debunked the tweet, confirming that the SEC account had been compromised, after which Bitcoin’s value plummeted by more than $2,000, although the damage was irreversible at that point.
Exchange traded funds function similarly to mutual funds, offering individuals a straightforward method to invest in assets like gold, junk bonds, or cryptocurrencies, without requiring direct purchase of the underlying assets. Ironically, the SEC approved 11 Bitcoin exchange-traded funds the day following the incident.
The SEC’s X account was secured not just with a username and password but also with dual factor authentication. This method sends a code to the user’s cell phone whenever access to the account is required, ensuring identity verification and protection against unauthorized access. However, as this case illustrates, dual factor authentication can be bypassed using a technique known as SIM swapping.
A Subscriber Identity Module, commonly referred to as a SIM card, is an integrated circuit that retains subscriber information necessary for authentication on mobile devices like cell phones. SIM cards can be transferred between different devices, particularly when users upgrade to new phones. SIM swapping is a criminal act where an individual persuades a phone carrier to shift the victim’s SIM card to a device controlled by the hacker.
With an increasing number of financial transactions, including online banking, being conducted via cell phones, identity theft is on the rise. Criminals who gain access to their victims’ SIM cards can intercept security verification codes sent via text messages, compromising online banking security. This enables identity thieves to drain their victims’ bank accounts and cause significant financial distress.
In this particular case, another conspirator identified the legitimate user associated with the cell phone number designated for dual factor authentication of the @SECgov X account. They supplied Council with the vital personal information needed to create a counterfeit ID on his portable printer. Armed with this fake ID, Council approached an AT&T store, successfully convincing the employee to issue a replacement SIM card. He subsequently purchased an iPhone and inserted the newly acquired SIM card, facilitating the hack of the @SECGov X account.
Council’s sentencing is set for May 16, 2025, where he could face a maximum sentence of five years in prison, a fine of $250,000, and up to three years of supervised release.
To guard against SIM swapping, the most effective measure is to establish a PIN or password for accessing your mobile service provider account. This precaution helps deter a criminal from impersonating you to your carrier and persuading them to transfer your SIM card merely by providing personal information or answering security questions.
AT&T allows users to set up a passcode for their accounts that differs from their online login password. The SIM card cannot be swapped without this passcode.
Verizon permits customers to create a PIN or password for authentication when contacting customer service.
T-Mobile provides the option to set up a passcode distinct from the one used for online account access, which must be used when making account changes like swapping a SIM card. This security measure not only protects against criminals attempting to change the SIM card via a phone call but also inhibits anyone with fraudulent identification from making modifications at a T-Mobile location.
