Man loses $1M in life savings and more on the Apple crime blotter

A pair of pre-coronavirus Apple store thefts, an iPad stolen at a wrestling meet, gym locker losses, and more from the Apple crime blotter.

The Orland Park Apple Store in Illinois


The latest in an occasional AppleInsider series, covering the world of Apple-related crime.

Man who lost life savings in phone hack sues AT&T

A California man who says he lost $1 million in a SIM swapping hack has filed a lawsuit against AT&T. According to WMC Action News, the man received an iPhone notification of a withdrawal request from one of his financial institutions, at which point he lost service on the phone. That night, the thieves emptied his accounts of the majority of his life savings.

The hack was traced to then-21-year-old social media star Nicholas Truglia, who was later charged with numerous computer crimes. Now, the Californian is suing AT&T, whose phone services he was using at the time.

New Yorkers arrested for stealing from Illinois Apple Store

Before coronavirus shut down the nation's Apple Stores, two men from New York were arrested for stealing from an Apple Store in suburban Chicago in late February. The Chicago Tribune reports police say the two men stole $9,600 worth of Apple Watches and $2,400 worth of AirPods from the Orland Square Mall in Illinois. They were charged with felony theft and resisting police.

Man who stole Apple Watch snuck out of Apple Store by pretending he was on his phone

A serial shoplifter in Leicester, in the U.K., successfully stole an Apple Watch from an Apple Store by acting like he was making a phone call. According to Leicester Live, the theft occurred last November but was described in court in early March. The man was arrested after selling the watch on Facebook, and it led to his tenth lifetime conviction for theft.

54 iPhones stolen from store in India

An authorized iPhone shop in Bengaluru, India, was robbed of 54 phones. Furthermore, as the thieves also stole the digital recorder from the store's CCTV setup, police have not been able to solve the crime. The Times of India writes employees discovered the theft the following morning.

Duncan Hunter, ex-Congressman whose improper purchases included Apple items, sentenced to 11 months

Former Congressman Duncan Hunter of California, who resigned in January after he pled guilty to improperly using campaign funds, was sentenced March 17 to 11 months in prison and an additional three years of parole. CNN reports Hunter pled guilty in December to charges that he misused more than $200,000 in campaign funds.

According to Hunter's original indictment, the illegal purchases included two visits to the Apple Store.

iPad stolen from dad at wrestling meet

A Michigan man who was attending his son's high school wrestling competition found his iPad Mini had been stolen from him. According to The News Herald, the man got up to take a picture, but when he returned to his seat the iPad was gone. It remains missing, but the man's wife eventually received an alert that the device had been turned on.

Man says MacBook and Apple Watches were stolen from gym locker, but police doubt story

An Illinois man claims that $26,000 worth of items, including two MacBook Pro computers and two Apple Watches, were stolen from his gym locker. But according to Patch, a police report casts doubt on at least part of the man's story.

The man says he had been shopping, having purchased the Apple products from a Best Buy as well as a $16,000 Rolex watch, all of which he had for some reason placed in a gym locker that he said he believed had been locked. Surveillance footage, however, did not show anyone arriving or leaving with a Best Buy bag.

MacBooks, iPads stolen from student union at U.K. university

Police are looking into a theft of iPads and MacBooks from the radio station at the student union at Newcastle University, in the U.K. According to Chronicle Live, the break-in occurred Feb. 2, and the perpetrators are not believed to be students at the university.

Man in Nigeria accused of stealing iPhone from American

A 25-year-old college student in Nigeria has been charged with posing on Facebook as a Florida-based contractor and fraudulently obtaining, via FedEx Shippers, an iPhone 7 from an American woman. Nigerian publication The Guardian states the man is also accused of stealing nearly $6,000.

Man arrested for stealing iPhone from car dealership

An Indiana man was arrested March 4 and charged with burglarizing a car dealership. According to Muncie Star Press, the man is accused of stealing five vehicle key fobs, as well as an iPhone that belonged to the dealership. He's been charged with burglary, theft and unlawful entry of a motor vehicle.

Have an Apple crime story for us? Email AppleInsider and tell us about it.

Comments

  • Reply 1 of 10
    wonkothesane Posts: 1,723 member
    About this 1m$ theft: can someone explain how this is supposed to work? I understand that you need to bribe someone at the service provider to conduct the sim swap. But then what? I’m the thief and now I have your phone number. That doesn’t mean I have your iCloud password, banking pins etc. 
  • Reply 2 of 10
    neilm Posts: 987 member
    One of the things that taking over someone's cell phone number makes possible is effectively hijacking 2FA, assuming that the thief has already obtained other personal info. Getting a bank account number is as simple as looking at a check the target has written. Obviously there's got to be more to it than just that — I'm not an expert in defrauding people...
  • Reply 3 of 10
    YP101 Posts: 160 member
    I think the person who lost the phone saved all his passwords, including the bank one, in the iPhone passwords, which you can unlock with your PIN or biometrics.

  • Reply 4 of 10
    Soli Posts: 10,035 member
    About this 1m$ theft: can someone explain how this is supposed to work? I understand that you need to bribe someone at the service provider to conduct the sim swap. But then what? I’m the thief and now I have your phone number. That doesn’t mean I have your iCloud password, banking pins etc. 
    You can look up the various ways in which this works, but I'm guessing that once they had access to SMS messages coming to what should've been his phone they could then reset the password with the financial service being fairly certain that it was him since he was getting the password reset link or code to his phone.

    I've been pushing for companies that I use for financials to include use of an authenticator app as a 2FA option. Password managers make this really simple to use.
  • Reply 5 of 10
    wonkothesane Posts: 1,723 member
    Soli said:
    About this 1m$ theft: can someone explain how this is supposed to work? I understand that you need to bribe someone at the service provider to conduct the sim swap. But then what? I’m the thief and now I have your phone number. That doesn’t mean I have your iCloud password, banking pins etc. 
    You can look up the various ways in which this works, but I'm guessing that once they had access to SMS messages coming to what should've been his phone they could then reset the password with the financial service being fairly certain that it was him since he was getting the password reset link or code to his phone.

    I've been pushing for companies that I use for financials to include use of an authenticator app as a 2FA option. Password managers make this really simple to use.
    I just checked how this would work for my account. If it would be through phone banking I’d need to provide a “secret phrase” (which I had to determine upon setting up the bank account) plus answer some personal questions in order to get a new password. If I would go through online banking I’d have to provide my account ID (not account number) and launch a procedure either through an authentication app or by snail mail. Alternatively, I can show up at the bank’s counter with proper ID and request reset of password. Under no circumstances something like “click here to get your new password sent to you by sms” would be viable.
    I feel there must be more to this fraud scheme that provided the attacker with more data.

  • Reply 6 of 10
    chasm Posts: 3,294 member
    While unmentioned in the story, I assume he's also planning to or has sued the actual thief, Nicholas Truglia?
  • Reply 7 of 10
    Soli Posts: 10,035 member
    Soli said:
    About this 1m$ theft: can someone explain how this is supposed to work? I understand that you need to bribe someone at the service provider to conduct the sim swap. But then what? I’m the thief and now I have your phone number. That doesn’t mean I have your iCloud password, banking pins etc. 
    You can look up the various ways in which this works, but I'm guessing that once they had access to SMS messages coming to what should've been his phone they could then reset the password with the financial service being fairly certain that it was him since he was getting the password reset link or code to his phone.

    I've been pushing for companies that I use for financials to include use of an authenticator app as a 2FA option. Password managers make this really simple to use.
    I just checked how this would work for my account. If it would be through phone banking I’d need to provide a “secret phrase” (which I had to determine upon setting up the bank account) plus answer some personal questions in order to get a new password. If I would go through online banking I’d have to provide my account ID (not account number) and launch a procedure either through an authentication app or by snail mail. Alternatively, I can show up at the bank’s counter with proper ID and request reset of password. Under no circumstances something like “click here to get your new password sent to you by sms” would be viable.
    I feel there must be more to this fraud scheme that provided the attacker with more data.
    I don't think anyone sends a password in an SMS. The scam works by spoofing your phone so that other tactics can be used to trigger an SMS to be sent to the device which the sending company believes is still trusted.

    They may already have your password but need to spoof the SMS to get around 2FA, or they may need to figure out the answers to your security questions (hopefully no one here uses real answers or the same answers for the same or similar questions across websites), or other methods of attack in which they have to obtain information while also using the SMS link or temporary code as part of the authentication chain.


    That's a $220 million dollar lawsuit against AT&T. As mentioned in the article, you can put a PIN on your SIM card, but there are potential pitfalls for that so I currently don't recommend that as an option for the general user.
  • Reply 8 of 10
    flydog Posts: 1,123 member
    About this 1m$ theft: can someone explain how this is supposed to work? I understand that you need to bribe someone at the service provider to conduct the sim swap. But then what? I’m the thief and now I have your phone number. That doesn’t mean I have your iCloud password, banking pins etc. 
    It’s not a “hack,” but for some reason the media keeps using this word. It’s like saying someone “hacked” a car, when all they did was steal it.

    Most banks send a text to your number to authenticate your login or when you password. If someone swaps your SIM into their phone and knows your email address, they can simply change your password and then empty your bank account.


  • Reply 9 of 10
    linkman Posts: 1,035 member
    Just how does a bank authorize a $1 million transfer overnight? I can't get $500 from my bank without jumping through some serious hoops and I've found it impossible to do a wire transfer of more than $800.
  • Reply 10 of 10
    About this 1m$ theft: can someone explain how this is supposed to work? I understand that you need to bribe someone at the service provider to conduct the sim swap. But then what? I’m the thief and now I have your phone number. That doesn’t mean I have your iCloud password, banking pins etc. 
    With the cloned SIM on your iPhone, you now can reset the iCloud account password (“don’t have access to this phone” - so it sends you a text message, which you can now receive). You can then use the iCloud account to restore from, which contains all the Keychain setting passwords. Boom!