
Krebs on Security

Original site: Krebs on Security


Busting SIM Swappers and SIM Swap Myths

Wednesday, 7 November 2018 at 06:49

KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. Snippets from that fascinating conversation are recounted below, and punctuated by accounts from a recent victim who lost more than $100,000 after his mobile phone number was hijacked.

In late September 2018, the REACT Task Force spearheaded an investigation that led to the arrest of two Missouri men — both in their early 20s — who are accused of conducting SIM swaps to steal $14 million from a cryptocurrency company based in San Jose, Calif. Two months earlier, the task force was instrumental in apprehending 20-year-old Joel Ortiz, a Boston man suspected of stealing millions of dollars in cryptocoins with the help of SIM swaps.

Samy Tarazi is a sergeant with the Santa Clara County Sheriff’s office and a REACT supervisor. The force was originally created to tackle a range of cybercrimes, but Tarazi says SIM swappers are a primary target now for two reasons. First, many of the individuals targeted by SIM swappers live in or run businesses based in northern California.

More importantly, he says, the frequency of SIM swapping attacks is…well, off the hook right now.

“It’s probably REACT’s highest priority at the moment, given that SIM swapping is actively happening to someone probably even as we speak right now,” Tarazi said. “It’s also because there are a lot of victims in our immediate jurisdiction.”

As common as SIM swapping has become, Tarazi said he and other members of REACT suspect that there are only a few dozen individuals responsible for perpetrating most of these heists.

“For the amounts being stolen and the number of people being successful at taking it, the numbers are probably historic,” Tarazi said. “We’re talking about kids aged mainly between 19 and 22 being able to steal millions of dollars in cryptocurrencies. I mean, if someone gets robbed of $100,000 that’s a huge case, but we’re now dealing with someone who buys a 99 cent SIM card off eBay, plugs it into a cheap burner phone, makes a call and steals millions of dollars. That’s pretty remarkable.”

Indeed, the theft of $100,000 worth of cryptocurrency in July 2018 was the impetus for my interview with REACT. I reached out to the task force after hearing about their role in assisting SIM swapping victim Christian Ferri, who is president and CEO of San Francisco-based cryptocurrency firm BlockStar.

In early July 2018, Ferri was traveling in Europe when he discovered his T-Mobile phone no longer had service. He’d later learn that thieves had abused access to T-Mobile’s customer database to deactivate the SIM card in his phone and to activate a new one that they had in their own mobile device.

Soon after, the attackers were able to use their control over his mobile number to reset his Gmail account password. From there, the perpetrators accessed a Google Drive document that Ferri had used to record credentials to other sites, including a cryptocurrency exchange. Although that level of access could have let the crooks steal a great deal more from Ferri, they were simply after his cryptocoins, and in short order he was relieved of approximately $100,000 worth of coinage.

We’ll hear more about Ferri’s case in a moment. But first I should clarify that the REACT task force members did not discuss with me the details of Mr. Ferri’s case — even though according to Ferri a key member of the task force we’ll meet later has been actively investigating on his behalf. The remainder of this interview with REACT pivots off of Ferri’s incident mainly because the details surrounding his case help clarify some of the most confusing and murky aspects of how these crimes are perpetrated — and, more importantly, what we can do about them.

WHO’S THE TARGET?

SIM swapping attacks primarily target individuals who are visibly active in the cryptocurrency space. This includes people who run or work at cryptocurrency-focused companies; those who participate as speakers at public conferences centered around Blockchain and cryptocurrency technologies; and those who like to talk openly on social media about their crypto investments.

REACT Lieutenant John Rose said in addition to or in lieu of stealing cryptocurrency, some SIM swappers will relieve victims of highly prized social media account names (also known as “OG accounts”) — usually short usernames that can convey an aura of prestige or the illusion of an early adopter on a given social network. OG accounts typically can be resold for thousands of dollars.

Rose said even though a successful SIM swap often gives the perpetrator access to traditional bank accounts, the attackers seem to be mainly interested in stealing cryptocurrencies.

“Many SIM swap victims are understandably very scared at how much of their personal information has been exposed when these attacks occur,” Rose said. “But [the attackers] are predominantly interested in targeting cryptocurrencies for the ease with which these funds can be laundered through online exchanges, and because the transactions can’t be reversed.”

FAKE IDs AND PHONY NOTES

The “how” of these SIM swaps is often the most interesting because it’s the one aspect of this crime that’s probably the least well-understood. Ferri said when he initially contacted T-Mobile about his incident, the company told him that the perpetrator had entered a T-Mobile store and presented a fake ID in Ferri’s name.

But Ferri said once the REACT Task Force got involved in his case, it became clear that video surveillance footage from the date and time of his SIM swap showed no such evidence of anyone entering the store to present a fake ID. Rather, he said, this explanation of events was a misunderstanding at best, and more likely a cover-up at some level.

Caleb Tuttle, a detective with the Santa Clara County District Attorney’s office, said he has yet to encounter a single SIM swapping incident in which the perpetrator actually presented ID in person at a mobile phone store. That’s just too risky for the attackers, he said.

“I’ve talked to hundreds of victims, and I haven’t seen any cases where the suspect is going into a store to do this,” Tuttle said.

Tuttle said SIM swapping happens in one of three ways. The first is when the attacker bribes or blackmails a mobile store employee into assisting in the crime. The second involves current and/or former mobile store employees who knowingly abuse their access to customer data and the mobile company’s network. Finally, crooked store employees may trick unwitting associates at other stores into swapping a target’s existing SIM card with a new one.

“Most of these SIM swaps are being done over the phone, and the notes we’re seeing about the change in the [victim’s] account usually are left either by [a complicit] employee trying to cover their tracks, or because the employee who typed in that note actually believed what they were typing.” In the latter case, the employee who left a note in the customer’s account saying ID had been presented in-store was tricked by a complicit co-worker at another store who falsely claimed that a customer there had already presented ID.

DARK WEB SOFTWARE?

Ferri said the detectives investigating his SIM swap attack let on that the crooks responsible had at some point in the attack used “specialized software to get into T-Mobile’s customer database.”

“The investigator said there were employees of the company who had built a special software tool that they could use to connect to T-Mobile’s customer database, and that they could use this software from their home or couch to log in and see all the customer information there,” Ferri recalled. “The investigator didn’t explain exactly how it worked, but it was basically a backdoor entrance that they were reselling on the Dark Web, and it bypassed whatever security there was and let them go straight into the customer database.”

Asked directly about this mysterious product supposedly being offered on the Dark Web, the REACT task force members put our phone interview on hold for several minutes while they privately huddled to discuss the question. When they finally took me off mute, a member of the task force instead answered a different question that I’d asked much earlier in the interview.

When pressed about the software again, there was a long, uncomfortable silence. Then Detective Tuttle spoke up.

“We’re not going to talk about that,” he said curtly. “Deal with it.”

T-Mobile likewise declined to comment on the allegation that thieves had somehow built software which gave them direct access to T-Mobile customer data. However, in at least three separate instances over the past six months, T-Mobile has been forced to acknowledge incidents of unauthorized access to customer records.

In August 2018, T-Mobile published a notice saying its security team discovered and shut down unauthorized access to certain information, including customer name, billing zip code, phone number, email address, account number, account type (prepaid or postpaid) and/or date of birth. A T-Mobile spokesperson said at the time that this incident impacted roughly two percent of its subscriber base, or approximately 2.5 million customers.

In May 2018, T-Mobile fixed a bug in its Web site that let anyone view the personal account details of any customer. The bug could be exploited simply by adding the phone number of a target to the end of a Web address used by one of the company’s internal tools that was nevertheless accessible via the open Internet. The data provided by that tool reportedly also included references to account PINs used by customers as a security question when contacting T-Mobile customer support.

In April 2018, T-Mobile fixed a related bug in its public Web site that allowed anyone to pull data tied to customer accounts, including the user’s account number and the target phone’s IMSI — a unique number that ties subscribers to their specific mobile device.

A DISCONNECT AT THE CARRIER LEVEL

I wanted to hear from the REACT team what they thought the mobile carriers could be doing to better detect and prevent SIM swaps. I received a range of responses.

“This is a really serious problem among the carriers, the ease with which SIM swaps can occur,” Lt. Rose said. “If you’re working at a mobile phone store and making $12 an hour and suddenly someone offers you $400 to do a single SIM swap, that can seem like a pretty sweet deal if you don’t also have any morals or sense of conscience.”

Rose said mobile phone stores could cut down on these crimes in much the same way that potential victims can combat SIM swapping: By relying on dual authentication.

“Having one employee who can conduct these SIM swaps without any kind of oversight seems to be the real problem,” Rose said. “And it seems like [the carriers] could really put a stop to it if there were more checks and balances to prevent that. It’s still very, very easy to SIM swap, and something has to be done because it’s just too simple. Someone needs to light a fire under some folks to get these protections put in place.”

Sgt. Samy said a big challenge for mobile stores is balancing customer service with account security. After all, he said, customers legitimately request SIM swaps all the time — such as when a phone is lost or stolen, or when the customer upgrades to a phone that requires a SIM card of a different size.

“There are probably tens of thousands of legitimate SIM swaps a day or week, versus a couple of fake ones,” Samy said. “Ultimately, these attacks rely on the human element and the ability of an employee to override whatever security is in place.”

Samy added that in many cases there’s a vast disconnect between a mobile company’s corporate offices and security policies at the local store level.

“These are multi-billion companies, and in any big company it’s fairly common that the left hand doesn’t know what the right hand is doing,” he said. “Without knowing the ins and outs of how these companies work, it’s very easy for us to say they should have two people authorizing each SIM swap. But I agree anything that makes [the criminal SIM swappers] have to show up in person to do this would ideally be the best scenario.”

TWO-FACTOR BREAKDOWN

Asked what he would have done differently about his attack, Ferri said he’d have set up his Google accounts to use app-based two-factor authentication, instead of relying merely on his mobile phone to receive that second factor via text message.

“I had app-based two factor set up on my [cryptocurrency] exchange accounts, but not Gmail,” he said. “Also, I’d probably use something like Google Voice for anything that requires a phone number for a second factor.”

In fact, this is the precise advice offered by Joel Ortiz, the alleged SIM swapper mentioned earlier who was arrested this year by the REACT Task Force. According to published reports, Ortiz taught many other SIM swappers how to perfect their techniques — and how to avoid being victimized themselves by rival SIM swappers. I included the specifics from Ortiz’s advice in my Aug. 16 column, Hanging Up On Mobile in the Name of Security.

Det. Tuttle said in a typical SIM swap attack the perpetrators have studied their target in advance, much the same way bank robbers might spend a few days observing the comings and goings at a specific bank branch before making their move.

“Usually, once a SIM swap is done they’ve already done enough research and social engineering on victims to know what accounts the victim has — whether it’s Gmail or Dropbox or whatever,” Tuttle said. “The next thing they do is go to these accounts and use the ‘forgot password’ function and request a password reset link via SMS to gain access to those accounts. From there, they start looking for cryptocurrency exchange passwords, private keys, and reseed codes to steal cryptocurrencies.”

Tuttle said it’s important for people to use something other than text messages for two-factor authentication on their email accounts when stronger authentication options are available. He advises people instead use a mobile app like Authy or Google Authenticator to generate the one-time code. Or better yet, a physical security key if that’s an option.

“Let’s say I have a Coinbase account and I have it set up to require a password and a one-time code generated by Authy, but my Gmail account tied to that Coinbase account doesn’t use Authy and just uses SMS for two-factor,” Tuttle explained. “Once I SIM swap that person, I can often also use that access to [request a link via SMS] to reset his Gmail password, and then set up Authy on the Gmail account using my device. Now I have access to your Coinbase account and can effectively lock you out of both.”

Dave Berry, a task force member and investigator with the Santa Clara County District Attorney’s office, said cryptocurrency enthusiasts should be storing most of their crypto funds in hardware wallets, and storing private keys needed to spend or transfer those funds on a device that doesn’t touch the Internet. Printing out and properly securing a set of one-time codes that can be used if a mobile device is lost or stolen is a good idea as well.

But most of all, Berry said, people should stop using SMS when more robust two-factor options are available.

“There may be some inconvenience factor there, but if you don’t have any two-factor going over text message, you really do limit the potential damage that way,” Berry said.

ROBBING HOODS

Sgt. Samy says one big problem is that it’s still not common knowledge that SMS-based two-factor can leave users with a false sense of security.

“Text-based two-factor is still the industry standard way of doing it, because it’s super convenient and you don’t need to be computer savvy to figure it out,” Samy said. “I would say most people who aren’t following the SIM swapping problem have no idea their phone and associated accounts can be taken over so easily. It’s not like the person who leaves a laptop in plain view in the car, and when the laptop gets stolen you say well someone just encouraged the thief in that case. In this case, the victim didn’t download malware or fall for some stupid phishing email. They just end up getting compromised because they followed the industry standard.”

Lt. Rose notes that this dynamic helps some SIM swapping thieves justify their crimes.

“We see this a lot, where by their own words they’ll blame victims for not protecting themselves properly, saying it’s the victim’s fault he got robbed,” Rose said.

On top of that, Rose said many crooks involved in SIM swapping tend to adopt the view that they are stealing from fabulously wealthy individuals who will still be well off after they’re relieved of some of their crypto assets — as with the case of bitcoin entrepreneur Michael Terpin, who lost $24 million in cryptocurrencies after getting hit by an unauthorized SIM swap earlier this year (allegedly at the hands of a crooked AT&T retail store employee).

But Detective Tuttle said Terpin’s example is an outlier.

“It’s not just stealing millions from millionaires,” Tuttle said. “Most of the victims are not in that category. Most are people who are having their life’s savings or their child’s college savings stolen. They’re victims who have families and 9-5 jobs, and who got into the crypto space because they were investing and trying to make ends meet. We only tend to hear or read about these attacks when they result in millions of dollars in losses. But the reality is there’s a lot of other thefts involving much more diminished amounts that are really negatively impacting peoples’ lives.”

For Erin West, deputy district attorney with the Santa Clara DA’s office, this dynamic is a major factor driving the work of the REACT task force. West says she believes her group is having a strong deterrent effect, and that the individuals who persist in carrying out these crimes are all keenly aware of the group’s work.

“We’re out there arresting these people and finding new leads every day,” West said. “We’re zealously prosecuting them, and we expect this will have a deterrent effect because we’re fortunate enough to have federal partners that we can now do this on a national level and make arrests out of state. Rest assured that if a victim is touched in Santa Clara county, we will find you and prosecute you no matter where you are.”

Who’s In Your Online Shopping Cart?

Sunday, 4 November 2018 at 20:10

Crooks who hack online merchants to steal payment card data are constantly coming up with crafty ways to hide their malicious code on Web sites. In Internet ages past, this often meant obfuscating it as giant blobs of gibberish text that was obvious even to the untrained eye. These days, a compromised e-commerce site is more likely to be seeded with a tiny snippet of code that invokes a hostile domain which appears harmless or that is virtually indistinguishable from the hacked site’s own domain.

Before going further, I should note that this post includes references to domains that are either compromised or actively stealing user data. Although the malcode implanted on these sites is not designed to foist malicious software on visitors, please be aware that this could change at a moment’s notice. Anyone seeking to view the raw code on sites referenced here should proceed with caution; using an online source code viewer like this one can let readers safely view the HTML code on any Web page without actually rendering it in a Web browser.

As its name suggests, asianfoodgrocer-dot-com offers a range of comestibles. It also currently includes a spicy bit of card-skimming code that is hosted on the domain zoobashop-dot-com. In this case, it is easy to miss the malicious code when reviewing the HTML source, as it fits neatly into a single, brief line of code.

Zoobashop is also a presently hacked e-commerce site. Based in Accra, Ghana, zoobashop bills itself as Ghana’s “largest online store.” In addition to offering great deals on a range of electronics and home appliances, it is currently serving a tiny obfuscated script called “js.js” that snarfs data submitted into online forms.

As sneaky as this attack may be, the hackers in this case did not go out of their way to make the domain hosting the malicious script blend in with the surrounding code. However, increasingly these data-slurping scripts are hidden behind fully fraudulent https:// domains that are custom-made to look like they might be associated with content delivery networks (CDNs) or web-based scripts, and include terms like “jquery,” “bootstrap,” and “js.”

Publicwww.com is a handy online service that lets you search the Web for sites running snippets of specific code. Searching publicwww.com for sites pulling code from bootstrap-js-dot-com currently reveals more than 50 e-commerce sites seeded with this malicious script. A search at publicwww for the malcode hosted at js-react-dot-com indicates the presence of this code on at least a dozen online merchants.

Sometimes, the malicious domain created to host a data-snarfing script mimics the host domain by referencing a doppelganger Web site name. For example, check out the source code for the e-commerce site bargainjunkie-dot-com and you’ll notice at the bottom that it pulls a malicious script from the domain “bargalnjunkie-dot-com,” where the “i” in “bargain” is sneakily replaced with a lowercase “L”.

In many cases, running a reverse search for other domain names where the doppelganger domain is hosted reveals additional compromised hosts, or other methods of compromising them. For example, the look-alike domain bargalnjunkie-dot-com is hosted on the address 46.161.40.49, which is the home to several domains, including payselector-dot-com and billgetstatus-dot-com.

Payselector-dot-com and billgetstatus-dot-com were apparently registered so that they appear related to online payment services. But both of these domains actually host complex malicious scripts that are loaded in an obfuscated way on a number of Web sites — including the ballet enthusiast store balletbeautiful-dot-com. Interestingly, the Internet address hosting the payselector and billgetstatus domains — the aforementioned 46.161.40.49 — also hosts the doppelganger domain “balletbeautlful-dot-com,” again with the “i” replaced by a lowercase “L”.

A “reverse DNS” lookup of the IP address 46.161.40.49, compliments of Farsight Security.

The malicious scripts loaded from payselector-dot-com and billgetstatus-dot-com are obfuscated using the browser’s built-in window.atob function, which decodes Base64-encoded text, so that the code referencing those domain names on hacked sites appears as a meaningless string. While the presence of “window.atob” in the source code of a Web site is not itself an indicator of compromise, a search for this code via publicwww.com is revealing, and further review suggests there are dozens of sites currently compromised in this manner.

For example, that search points to the domain for online clothier evisu-dot-com, whose HTML source includes the following code snippet:

If you cut and paste the gibberish text that’s between the quotations in the highlighted portion of the screenshot above into the site base64decode.net, you’ll see this jumble of junk text decodes to apitstatus-dot-com, yet another dodgy domain custom-made to look like a legitimate function of a regular e-commerce site.

Revisiting the source code for the domain balletbeautiful-dot-com, we can see that it also includes this “window.atob” code followed by some obfuscated text. A paste of this gobbledegook in Base64decode.net shows that it decodes to…you guessed it: balletbeautlful-dot-com.
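The two tells described above, a script pulled from a look-alike of the shop’s own domain and a Base64 string handed to window.atob that decodes to a hidden domain, are easy to check for mechanically. The scanner below is an added example, not code from this post or from any of the sites or vendors it mentions; the shop name example-shop.com, the sample HTML and the domains inside it are constructed for the demo, and the confusable-character table and the naive “last two labels” domain extraction are simplifications of my own rather than anything the post describes.

```python
"""Added example, not code from the KrebsOnSecurity post: a small defender-side
scanner for the two formjacking tells the post describes. It reads a page's
HTML and reports (a) scripts loaded from a look-alike of the shop's own
domain (an "i" swapped for an "l", a "1" for an "l", ...) and (b) Base64
strings passed to window.atob that decode to a domain or URL. The shop name,
HTML and domains below are constructed for the demo."""
import base64
import re
from urllib.parse import urlparse

# Characters criminals swap for one another; each side maps to one "skeleton"
# letter so that "bargalnjunkie" and "bargainjunkie" compare equal.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
ATOB_ARG = re.compile(r"atob\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")
LOOKS_LIKE_HOST = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def registrable(host: str) -> str:
    """Naive 'domain.tld' extraction (no public-suffix list; fine for the demo)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    """Fold confusable characters so look-alikes collapse to the same string."""
    return domain.lower().translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one added, dropped or changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, own_domain: str) -> bool:
    """True when host is NOT the shop's own domain but is built to resemble it."""
    reg, own = registrable(host), registrable(own_domain)
    if reg == own:
        return False
    return skeleton(reg) == skeleton(own) or edit_distance(reg, own) <= 1


def external_script_hosts(html: str, own_domain: str) -> list[str]:
    """Hosts of every <script src> that is not on the shop's own domain."""
    hosts = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and registrable(host) != registrable(own_domain):
            hosts.append(host)
    return hosts


def atob_domains(html: str) -> list[str]:
    """Decode every atob("...") literal and keep those that decode to a host/URL.
    A bare window.atob is not an indicator by itself; the decoded value is."""
    found = []
    for blob in ATOB_ARG.findall(html):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if LOOKS_LIKE_HOST.match(text.strip()):
            found.append(text.strip())
    return found


def scan(html: str, own_domain: str) -> dict:
    """Collect the findings for one page."""
    third_party = external_script_hosts(html, own_domain)
    return {
        "third_party_scripts": third_party,
        "lookalike_scripts": [h for h in third_party if is_lookalike(h, own_domain)],
        "atob_decoded": atob_domains(html),
    }


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample page for a hypothetical shop, example-shop.com. The second
# script tag uses a digit "1" in place of the "l"; the first atob hides a skimmer
# URL, the second decodes to a harmless word and must not be reported.
SAMPLE_HTML = f"""
<html><body>
<script src="https://cdn.example-shop.com/checkout.js"></script>
<script src="https://examp1e-shop.com/jquery.min.js"></script>
<script>var u=window.atob("{b64('https://apistatus.example/gate.php')}");</script>
<script>var t=window.atob("{b64('checkout')}");</script>
</body></html>
"""

if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML, "example-shop.com").items():
        print(f"{key}: {value}")
```

Run it against the saved HTML of a checkout page (fetched with a non-rendering client, as the post advises) and pass the shop’s own domain; anything in lookalike_scripts or atob_decoded deserves a manual look, while third_party_scripts is the longer list of every off-site script to review against what the site is supposed to load. The skeleton table only covers the swaps the post shows; a production check would use a full confusables list and a public-suffix list instead of the two-label shortcut.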

Sometimes, antivirus products will detect the presence of these malicious scripts and block users from visiting compromised sites, but for better or worse none of the sites I mentioned here currently are flagged as malicious by any of the more than five dozen antivirus tools at the file-scanning service virustotal.com.

Security firm Symantec refers to these attacks as “formjacking,” which it describes as the use of malicious Javascript to steal credit card details and other information from payment forms on the checkout pages of e-commerce sites. In September, Symantec said it blocked almost a quarter of a million instances of attempted formjacking since mid-August 2018.

Another security company — RiskIQ — has written extensively about these attacks and has attributed several recent compromises — including the hack of Web sites for British Airways and geek gear vendor Newegg — to a group it calls “Magecart.”

It’s unclear if the compromises detailed in this post are related to the work of that crime gang. In any case, I like RiskIQ’s comparison of these attacks to ATM skimmers, a type of crime that has held my fascination for years now.

“Traditionally, criminals use devices known as card skimmers—devices hidden within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day—to steal credit card data for the criminal to later collect and either use themselves or sell to other parties,” RiskIQ’s Yonathan Klijnsma writes. “Magecart uses a digital variety of these devices.”

I like the comparison to skimming because online merchants are being targeted in a major way right now precisely because of efforts to make it hard for thieves to make money from fraud involving counterfeit debit and credit cards. The United States is the last of the G20 nations to make the transition to more secure chip-based payment cards, and virtually every other country that has already been through that shift has seen a marked increase in online fraud as a result.

Heads up to anyone responsible for administering a Web site: There are options available to help monitor your Web site for unauthorized changes. Tools like Tripwire and AIDE can detect new or modified files, but many of these formjacking attacks involve the insertion of code in existing Web pages. Subscription services like wewatchyourwebsite.com and watchdo.gs may be more helpful here.

In case anyone’s wondering, all of the hacked sites mentioned here have been notified. In many cases, the contact details for the owners of these sites are hidden behind WHOIS privacy protection, and alerting victims via Facebook or filling out contact forms elicits no response. In other instances, the alerted site cleaned up part of the compromise but left key malicious elements intact — without even acknowledging efforts made to notify them.

I realize this post is quite a bit more technical than most at KrebsOnSecurity. I’m explaining my process for finding these sites because there appear to be so many compromised by these methods that the only feasible way to get them cleaned up quickly may be to crowdsource the effort, given that more online shops are being newly compromised each day.

I burned through several days this week following the virtual rabbit holes dug by whoever is responsible for this ongoing e-commerce crime spree, and it seems to me finding and alerting all the compromised businesses could keep an entire team of people busy for some time. But I am just one guy, and this is a thankless task.

KrebsOnSecurity would like to thank @breachmessenger for their assistance in researching this story.

SMS Phishing + Cardless ATM = Profit

Friday, 2 November 2018 at 16:03

Thieves are combining SMS-based phishing attacks with new “cardless” ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works.

A number of financial institutions are now offering cardless ATM transactions that allow customers to withdraw cash using nothing more than their mobile phones. But this also creates an avenue of fraud for bad guys, who can leverage phished or stolen account credentials to add a new phone number to the customer’s account and then use that added device to siphon cash from hijacked accounts at cardless ATMs.

Image: Mastercard.us

In May 2018, Cincinnati, Ohio-based financial institution Fifth Third Bank began hearing complaints from customers who were receiving text messages on their phones that claimed to be from the bank, warning recipients that their accounts had been locked.

The text messages contained a link to unlock their accounts and led customers to a Web site that mimicked the legitimate Fifth Third site. That phishing site prompted visitors to enter their account credentials — including usernames, passwords, one-time passcodes and PIN numbers — to unlock their accounts.

All told, that scam netted credentials for approximately 125 Fifth Third customers — most of them in or around the Cincinnati area. The crooks then used the phished data to withdraw $68,000 from 17 ATMs in Illinois, Michigan, and Ohio in less than two weeks using Fifth Third’s cardless ATM function.

According to court documents, the SMS phishing and fraudulent withdrawals at cardless ATMs continued through October 2018, earning the scammers an additional $40,000. That is, until the bank zeroed in on four individuals suspected of perpetrating the crime spree. Shortly thereafter, four men were arrested in connection with the crimes.

One of them, identified as Ciprian-Raducu Antoche-Grecu, was apprehended in a Cincinnati suburb while standing at the same Fifth Third ATM where he was previously observed conducting fraudulent activity, investigators allege.

In January 2017, KrebsOnSecurity told the story of a California woman who saw nearly $3,000 drained from her account via a cardless ATM operated by Chase Bank. In that incident, the thieves didn’t even need to know her ATM PIN; the thieves were able to use a phone number and mobile device they controlled and associate it with her Chase account simply by supplying her username and password.

A graphic from Mastercard touting the potential benefits of cardless ATM transactions.

As the January 2017 story illustrates, cardless ATM scams aren’t new, but they are becoming more prevalent as more banks turn to cardless ATM technology as a convenience for customers. This time last year, cardless ATMs were offered mainly by the big banks, and then only at some of their ATMs. Now, many smaller regional and local banks have upgraded their cash machines to enable the new technology.

Card giant Mastercard says its polling (PDF) suggests that 78 percent of consumers would rather use a cardless ATM solution than carry a physical card. I would wager that most U.S. cardholders still haven’t even heard of cardless ATMs, let alone could say whether or not their bank offers such transactions. Curious whether your bank supports cardless transactions? A quick online search for your bank’s name and the term “cardless ATM” should provide some clues.

In the meantime, remember never to respond to requests for personal or financial information sent via email, text message or over the phone. Phone-based phishing attacks are getting way more clever and are even snaring technology experts, as last month’s story shows. When in doubt, contact your financial institution directly either in person or by phone using the number on the back of your card.

Equifax Has Chosen Experian. Wait, What?

Thursday, 1 November 2018 at 17:47

A year after offering free credit monitoring to all Americans on account of its massive data breach that exposed the personal information of nearly 148 million people, Equifax now says it has chosen to extend the offer by turning to a credit monitoring service offered by a top competitor — Experian. And to do that, it will soon be sharing with Experian contact information that affected consumers gave to Equifax in order to sign up for the service.

The news came in an email Equifax is sending to people who took the company up on its offer for one year of free credit monitoring through its TrustedID Premier service.

Here’s the introduction from that message:

“We recently sent you an email advising you that, until further notice, we would be extending the free TrustedID® Premier subscription you enrolled in following the September 7, 2017 cybersecurity incident. We are now pleased to let you know that Equifax has chosen Experian®, one of the three nationwide credit bureaus, to provide you with an additional year of free credit monitoring service. This extension is at no cost to you, and you will not be asked to provide a credit card number or other payment information. You have until January 31, 2019 to enroll in this extension of free credit monitoring through IDnotify™, a part of Experian.”

Equifax says it will share the name, address, date of birth, Social Security number and self-provided phone number and email address with Experian for anyone who signed up for its original TrustedID Premier offering. That is, unless those folks affirmatively opt-out of having that information transferred from Equifax to Experian.

But not to worry, Equifax says: Experian already has most of this data.

“Experian currently has and is using this information (except phone number and email address) in the fulfillment of the Experian file monitoring which is part of your current service with TrustedID Premier,” Equifax wrote in its email. “Experian will only use the information Equifax is sharing to confirm your identity and securely enroll you in the Experian product, and will not use it for marketing or solicitation.”

Even though people who don’t opt-out of the new IDnotify offer will have their contact information automatically shared with Experian, TrustedID Premier users must still affirmatively enroll in the new program before the end of January 2019 — the date the TrustedID product expires.

Equifax’s FAQ on the changes is available here.

EQUIFERIAN®?

Talk about the blind leading the blind. It appears that in order to opt-out of the information sharing or enroll in the new Experian program, people will need to click a customized link in the email that Equifax is sending to TrustedID enrollees. I’m not aware of another method for opting out or signing up, but I’ve asked Equifax for clarification on that point.

Consumers who don’t want Equifax sharing their phone number and email address with Experian need to opt-out by clicking a link in an email.

Fundamentally, I see no problem with people using these credit monitoring services as long as they are free. Credit monitoring services can be useful in helping consumers dig themselves out of the mess caused by identity theft.

The chief danger I see in relying on credit monitoring services to stop identity theft, however, is that these services traditionally haven’t been very good at doing that. As I’ve written ad nauseam, credit monitoring services are more useful at detecting *when* someone opens a new line of credit in your name. What this means is that while they might let you know when someone has stolen your identity, they’re not likely to prevent that from occurring in the first place.

The best mechanism for preventing identity thieves from creating and abusing new accounts in your name is to freeze your credit file with Experian, Equifax and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file.

Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stop all sorts of ID theft shenanigans. I explain in much greater detail how to freeze your files and what’s involved with that in this post from September.

Please note that if you haven’t yet frozen your credit and you’d like to take advantage of this offer from Equifax/Experian, it’s a good idea to enroll in IDnotify first, as it’s often not possible to enroll in credit monitoring services *after* you’ve frozen your credit. That said, Equifax’s FAQ suggests this might not be the case, noting that if your Equifax credit report is frozen, the security freeze will stay in place for people who enroll in the new program.

I imagine this arrangement should help the credit bureaus steer more people away from freezing their credit files and toward their respective “credit lock” services, which the bureaus have marketed as just as good as a credit freeze but also easier to use.

All three big bureaus tout their credit lock services as an easier and faster alternative to freezes — mainly because these alternatives aren’t as disruptive to their bottom lines. According to a recent post by CreditKarma.com, consumers can use these services to quickly lock or unlock access to credit inquiries, although some bureaus can take up to 48 hours. In contrast, they can take up to five business days to act on a freeze request, although in my experience the automated freeze process via the bureaus’ freeze sites has been more or less instantaneous (assuming the request actually goes through).

TransUnion and Equifax both offer free credit lock services, while Experian’s is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What’s more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its “premium” lock services for a monthly fee with a perpetual auto-renewal.

Unsurprisingly, the bureaus’ use of the term credit lock has confused many consumers; this was almost certainly by design. But here’s one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.

Did you receive this offer from Equifax/Experian? Are you planning to opt out or enroll? Sound off in the comments below.

Mirai Co-Author Gets 6 Months Confinement, $8.6M in Fines for Rutgers Attacks

vendredi 26 octobre 2018 à 22:36

The convicted co-author of the highly disruptive Mirai botnet malware strain has been sentenced to 2,500 hours of community service, six months home confinement, and ordered to pay $8.6 million in restitution for repeatedly using Mirai to take down Internet services at Rutgers University, his former alma mater.

Paras Jha, in an undated photo from his former LinkedIn profile.

Paras Jha, a 22-year-old computer whiz from Fanwood, N.J., was studying computer science at Rutgers when he developed Mirai along with two other convicted co-conspirators. According to a sentencing memo submitted by government prosecutors, in his freshman and sophomore years at Rutgers Jha used a collection of hacked devices to launch at least four distributed denial-of-service (DDoS) attacks against the university’s networks.

Jha told investigators he carried out the attacks not for profit but purely for personal, juvenile reasons: “He reveled in the uproar caused by the first attack, which he launched to delay upper-classmen registration for an advanced computer science class he wanted to take,” the government’s sentencing memo stated. “The second attack was launched to delay his calculus exam. The last two attacks were motivated in part by the publicity and outrage” his previous attacks had generated. Jha would later drop out of Rutgers after struggling academically.

In January 2017, almost a year before Jha’s arrest and guilty plea, KrebsOnSecurity identified Jha as the likely co-author of Mirai — which sprang to notoriety after a record-smashing Sept. 2016 attack that sidelined this Web site for nearly four days.

That story posited that Jha, operating under the pseudonyms “Ogmemes” and “OgRichardStallman,” gave interviews with a local paper in which he taunted Rutgers and encouraged the school to consider purchasing some kind of DDoS protection service to ward off future attacks. At the time, Jha was president and co-founder of ProTraf Solutions, a DDoS mitigation firm that provided just such a service.

The sentence handed down by a federal judge in Trenton today comes on the heels of Jha’s September 2018 sentencing in an Alaska court for his admitted role in creating, wielding and selling access to Mirai — malware which enslaves poorly-secured Internet of Things (IoT) devices like security cameras and digital video recorders for use in extremely powerful attacks capable of knocking most Web sites offline.

Prosecutors in the Alaska case said Jha and two co-conspirators did not deserve jail time for their crimes because the trio had cooperated fully with the government and helped investigators with multiple other ongoing cybercrime investigations. The judge in that case agreed, giving Jha and each of his two co-defendants sentences of five years probation, 2,500 hours of community service, and $127,000 in fines.

Prosecutors in Alaska argued that Jha had completely turned over a new leaf, noting that he was once again attending school and had even landed a job at an unnamed cybersecurity company. Sending him to prison, they reasoned, would only disrupt a remarkable transformation for a gifted young man.

However, the punishment meted out today for the Rutgers attack requires Jha to remain sequestered in his parents’ New Jersey home for the next six months — with excursions allowed only for medical reasons. The sentence also piles on an additional 2,500 hours of community service. Further, Jha will be on the hook to pay $8.6 million in restitution — the amount Rutgers estimated it cost the university to respond to Jha’s attacks.

Jha could not be immediately reached for comment. But his attorney Robert Stahl told KrebsOnSecurity today’s decision by the New Jersey court was “thoughtful and reasoned.”

“The judge noted that Paras’ cooperation has been much more extensive and valuable than any he’s ever seen while on the bench,” Stahl said. “He won’t be going back to school right now or to his job.”

It is likely that Jha’s creation will outlive his probation and community service. After the Sept. 2016 attack on KrebsOnSecurity and several other targets, Jha and his cohorts released the source code for Mirai in a bid to throw investigators off their trail. That action has since spawned legions of copycat Mirai botnets and Mirai malware variants that persist to this day.

Update, Oct. 27, 9:30 am ET: A previous version of this story incorrectly stated that the courthouse in Friday’s sentencing was located in Newark. It was in Trenton. The above copy has been changed.