The SIM Swap thief was convicted in Santa Clara County court and received a ten-year sentence for the crime.
Clearly, the tech-centric community is sending a message. Commit a crime in our backyards and they'll prosecute to the fullest extent of the law. This is likely encouraging news to others like industry colleague Michael Terpin, who continues to battle in civil court against AT&T after his account was compromised and some $24 million of cryptocurrency was taken from him. Terpin isn't the only person to be victimized in a SIM Swap Theft (SST).
Part of the reason is social engineering by the thief, and pure ignorance by the retail telco staffers. In my lifetime I've been forced to go to a store when an employee needed a replacement SIM card on the company's account (there are other ways to have solved it) or when my former wife needed to upgrade or replace a phone or SIM card. Those approaches, though, each have their faults.
In the case of going to the store, all they wanted to see was my driver's license, something that anyone can forge, copy or create with the right tools. In the second case, I was 500 miles away from my ex-wife, but by going into another store location and showing ID, they were able to notify the other store where she was that the SIM was OK to provide. In both cases, there was no real effort to validate the ID, or use another factor for authentication.
This is why I'm concerned about banks using mobile numbers for verification. Anyone can walk in, and with the right "con" they can get your number onto their phone, forget the password, and have a reset code sent to their phone. While this is going on, as the Terpin case demonstrates, the real owner of the account can't get the telco or the bank to really verify them.
We need better, smarter tools when it comes to customer verification. We don't need an older system that is too easily broken.