JOLIET, Ill. (CBS) — All of a Joliet man’s Bitcoin went poof, gone, vanished, after a hacker got into his accounts and drained the cryptocurrency.
It all happened because the fraudster hijacked his phone number.
CBS 2’s Morning Insider Tim McNicholas asked the man’s provider for an explanation.
Cryptocurrency can be a gamble. But this was a hand that Phil Michno really didn’t expect.
“I’ve always heard this kind of stuff happen,” Michno said. “And of course you think. ‘Ah that’s not – that’s going to happen to somebody else.’”
In late May, Phil noticed his phone wasn’t working. So he used another phone to call his provider, Boost Mobile.
“They tell me that, oh, we see that you transferred to T-Mobile,” Michno said.
That was news to him. But then came another surprise – he couldn’t get onto his account with a cryptocurrency exchange called Coinbase.
The company would later tell him in an email, “Attackers were able to access your account through sim swap and steal his 3 bitcoin.
By the way, 3 bitcoin is worth more than $100,000.
“Almost all my friends and all my acquaintances say that couldn’t be done,” Michno said.
Not only can it be done, it’s happened to dozens of other people the exact same way. It turns out a fraudster somehow got enough of Michno’s personal information to convince Boost to switch his number to another phone.
That allowed the bad guy even more information, like the security passcodes used to login to banks – or in this case, a cryptocurrency exchange.
Other victims have flooded Reddit with their complaints and even sued Coinbase, but the company insists the breach is never on their end.
That brings Michno to his next question – “Why did boost mobile give my number of away without my authorization?”
We asked Boost about that. They sent a statement saying “port out” scams are rare among their customers, but they are an industry wide issue and they’re taking steps to prevent them.
“I’m glad to see that they’re aware of it,” Michno said, “but they need to fix the problem.”
Michno said they should also pay him back. But the company told us they’re “not liable” because the “fraud involves a hack into a separate account, unaffiliated with Boost.”
As for Michno, he replied, “That was compromised because of the incompetence of boost.”
He plans to sort it out in court.
Michno has reported this to the Joliet police and federal authorities but unfortunately, theft of digital currency is often tough to trace.
This is the full statement that Boost sent us for this story:
“At Boost, ensuring the security of our customers’ data and personal information is a high priority. While ‘Port-Out’ scams involving Boost customers are rare, our goal is to prevent them from happening at all. We know this has been highly frustrating for Mr. Michno, and our team is committed to investigating this issue and discovering how the fraud occurred.
“We are continuously evaluating and improving our processes to prevent scams from occurring. Recently, Boost implemented several procedures within our customer care operations to prevent fraudsters from manipulating the system. We appreciate Mr. Michno for bringing this to our attention and sharing his experience with us. These ‘Port-Out’ scams are an industry-wide issue and no carrier is immune. We encourage all mobile users, whether they are a customer of Boost or one of our competitors, to learn how they can prevent these scams from impacting them. Our goal remains delivering an exceptional experience for our customers.”
“Also, I wanted to share this resource from the FCC regarding these Port-Out scams. It’s a helpful tool for explaining to consumers how its done and what customers can do to protect their info.
We had some follow-up questions for Boost. Here are the questions and answers:
“You mention that Boost “implemented several procedures…to prevent fraudsters from manipulating the system.” Can you please explain what specific changes were made to increase security?”
“These changes include an increase in the information we require from a customer if they need to make changes to their account, including if they would like to request or reset their PIN number.”
“You also say you ‘appreciate Mr. Michno for bringing this to our attention.’ Did you know that this kind of fraud happened prior to his case? Also, why was his issue not investigated when he initially reached out to Boost?”
“Boost is vigilant about fraud and works to protect our customers while ensuring they can legally access their account information when needed. Boost has investigated this case and found it to be Port-Out fraud. More information on this type of fraud is available via the FCC.”
“Is Boost liable for the money that was stolen from his financial accounts because of this fraud?”
“No, Boost is not liable for the money that was stolen from his financial accounts because the financial fraud involves a hack into a separate account unaffiliated with Boost. Our customer service team encouraged the customer to continue pursuing the return of his cryptocurrency through channels with the proper oversight. While Boost doesn’t have control over a user’s Coinbase account, customers can find more information on securing their accounts via the Coinbase website, available here.
T-Mobile also sent us a statement:
“Account takeover fraud is an industry-wide problem. These are criminal attacks against wireless customers and it is in everyone’s best interest to stop them. We can’t speak to the process of other companies, but each network has its own requirements for validating intercarrier porting requests. When T-Mobile receives a complaint from a carrier that a number has been ported to our network without the customer’s authorization, we work with that carrier to return the number.
“T-Mobile offers our customers a variety of options, including PINs, to help them protect their own information. T-Mobile accounts must have a 6-15 digit PIN, and a T-Mobile number cannot be ported without verification of that PIN. We encourage customers to contact us to discuss security measures available to them. If a customer feels their account was altered against their wishes, they should contact us right away and we will work directly with them to address.”
Coinbase sent us this statement:
“Coinbase acknowledges having your personal information compromised can lead to terrible crimes with significant impact on consumers. With more and more of our personal information available online, it is increasingly important for consumers to understand how to protect their personal email accounts and cell phones from unauthorized third parties. Once a third party gains access to a consumer’s email or phone, that consumer’s other online accounts may also be at risk. That is why Coinbase regularly works to educate our customers about how to protect their personal email accounts and phones — it is the most important thing they can do to prevent unauthorized access to all of their online accounts, not just Coinbase. When a customer reaches out to report a potential breach of their account, we will lock their account as soon as possible, so no further unauthorized activity can take place.
“Coinbase thoroughly investigates all incidents of unauthorized access to a Coinbase account, including Mr. Michno’s account. We are unable to provide specific details into the activity of Mr. Michno’s case, due to customer confidentiality, but we can confirm that there was no breach of the Coinbase platform or improper employee action.
“With heightened interest in the crypto space, we are seeing an influx of support inquiries. We realize that many of our customers are experiencing delays in our customer support response time, and we acknowledge this is not the experience we want for our customers. Earlier this year, we shared the steps we’ve taken to support an increased volume of customer support requests, including exponentially increasing our support staff, improving self service within the product itself and building additional support channels such as live messaging.”