More SIM swapping stories, and news from the cybersecurity underground

The hacking of Twitter CEO Jack Dorsey last week put SIM swapping in the headlines.

But it's not just high-profile people who are being SIM swapped. We get an update on one Seattle woman whose Instagram account was stolen.

SIM swapping is when hackers impersonate you, take over your cellphone, and then hack into your financial, social media, or other accounts. Thousands of people fall victim to the scheme every year.

Earlier, we brought you the story of Ruby, a Seattle woman whose cool, "O.G." Instagram username @ruby was hijacked by SIM swappers. We'll tell you how her Instagram saga ends.

[Read about what happened to Ruby.]

We also bring you the story of a Twitter employee who was SIM swapped. Like Ruby, he lost his Instagram username. But his story ends very differently.

And we talk with the security expert working behind the scenes who we call "the Instagram whisperer."

UPDATE 9/05/19 at 10:00am: Instagram has confirmed in an email that Ruby's username has been retired. "The username is currently unavailable to others," said Stephanie Otway, an Instagram spokesperson. However, Otway said the original Ruby can recover the username if she wants.

Listen to the episode by clicking the play button above or on your favorite podcast app. SoundQs is a weekly podcast where our KUOW reporters tackle questions submitted by our listeners.

Have a question about the Seattle region for us to answer? Drop it here:

Below is the full transcript for this episode.

Deb So Anna, a couple of weeks ago we ran a story about a woman named Ruby. You remember her?

Anna Right! The one with the cool Instagram name.

Deb Yeah. And we should probably remind our listeners Ruby is a young woman in Seattle. Her cool Instagram name was @Ruby. And she had what's called an O.G. user name which is like short and simple. And her user name was so cool that lots of people wanted it. She constantly got people offering her money for it, like thousands of dollars. They bothered her about it all the time. Now, one day Ruby was sitting at her computer when she notices that something is happening with her account because she starts getting all these notifications from Instagram.

Ruby "We noticed a new log in. A log in from a device you don't usually use. This is an Apple iPhone in Chicago, Illinois." Logged into my account at 2:08 p.m. So I get that email. So I go in and I change my password at 2:08 pm, at the same minute. I'm like really fast, ok? Not fast enough because at 2:11 pm I get another email. "This is confirmation that the password for your Instagram account, @RubyDone has just been changed. So they changed my username and they changed my password.

Deb (with Ruby) They changed it to Ruby Done?!

Ruby Ruby Done! It's like a slap in the face. (Laughs)

Anna (in-studio) That is such a slap in the face. And so at the time we first talked Ruby story ended kind of unresolved. She hadn't gotten back her account and she was still waiting to hear something from Instagram. So what happened did she get back her name?

Deb Well that's a good question. It turns out there's several more twists and turns to the story. This is SoundQs, a podcast fueled by listener curiosity. I'm Deborah Wang.

Anna And I'm Anna Boiko-Weyrauch.

Deb And in this week's episode I'm going to tell you how Ruby's story ends. And also what else we found out about SIM swapping and the opaque world of cyber security.

Deb OK. Let's pick up the story. When Ruby's Instagram account was hacked it was stolen out from under her. And at almost the exact same moment she realizes that something is wrong with her phone as well.

Ruby And then my text messages stopped going through and then I got a notice on my phone that said "no SIM card." So I knew exactly how they had gotten my account. They had SIM swapped me.

Anna And now thanks to Ruby our listeners and I know what SIM swapping is. It's when somebody impersonates you and convinces your phone company to transfer your phone account to a phone they control. And so they effectively take over your phone remotely.

Deb Yeah that's it! And it happens to thousands of people every year, including, apparently, to Jack Dorsey the CEO of Twitter just last week. Here's what that meant for Ruby: the hackers were able to ask Instagram for a password reset which came via text message. And since they had Ruby's phone they got her text messages and they were able to change her password and then steal her account. And this was very frustrating for Ruby not just because she got hacked and she lost both her phone and her Instagram account. But also because it was hard for her to figure out what was going on and to get answers. AT&T quickly restored her phone service. But she filed several reports to Instagram and they never got back to her.

Anna So, just crickets?

Deb Yeah.

Anna Did she ever actually talk to a human being and Instagram?

Deb No. As far as I know it is almost impossible to talk to an actual human being at Instagram.

Anna Which must have been very frustrating.

Deb Yeah, I think it was but then our story aired. And so Ruby's story was out there in the media-sphere and we kind of called out Instagram for not being very helpful to her.

Anna Yeah I remember you quoted a security specialist who said don't ever expect a social media company to get back to you. They don't really care.

Deb Which is sort of ironic for social media companies. Well, a couple of days after our story aired. Guess what happens?

Anna Did someone from Instagram actually give Ruby a call?

Deb Yeah, they did. Well, not really a call. Ruby got an email from Instagram that said, "We hear you're having trouble with your account. Click here to log back in."

Ruby So I clicked the link and it logged me into Instagram and my user name was back again. I was just @Ruby.

Anna So Ruby got her user name back? And she partied all night long...

Deb Well actually, not exactly. You know, this account had been the source of a lot of drama and a lot of trouble for her. So she wasn't sure she wanted her account back anymore, but there it was. It was back, Right on her computer. So she thought about it for a little bit and she decided to send a poll out to her friends and ask them what they thought she should do.

Ruby And so I had a vote. "Hey, I got my user name back. Should I keep it? Yes or no?" And everyone who voted no I blocked. Which, they weren't people that I knew. They were strangers who probably shouldn't be following me anyway. And then I thought, OK, cool!

Deb to Ruby So most people said yes keep your username?

Ruby Yeah. 98% of people said yes.

Deb So Ruby bowed to the will of the people and she kept her user name. And she was once again @Ruby on Instagram.

Anna And she lived happily ever after.

Deb Yeah, for like a minute.

Ruby And so as soon as I got my original user name back I was getting like ten requests to follow me again, every day, from strangers.

Deb Yeah, that's what was happening in the old days too. She would constantly get people trying to follow her. A lot of them were shell accounts. Strangers would message her. And this was not her favorite thing. And then some weird stuff started happening. Ruby doesn't want me to get too specific about it. But I can see that some of it was really creepy. And when this stuff started happening it just convinced her that it wasn't worth it to have this account. Anna what did she do then?

Deb Well she decided to give the account back to Instagram.

Anna So she gave it back, free? Even though before people had been offering thousands of dollars for this account and she had fought for it. And then she just gives it back?

Deb Yeah. She just couldn't deal with it anymore.

Ruby I mean I don't want to have to privatize everything in my life just because I have an "O.G. username," like, who cares? I got other things going on. (Laughs)

Deb So do you feel like you're just kind of put this behind you. It's done?

Ruby Yeah. I'll always remember having such a special username but it really became too much.

Anna And what happens to the account then?

Deb Well it was dormant for a few days and then someone picked it up. The new account page just says "Lisa." So far there are zero posts.

Anna You'd think Instagram might just retire the account or something, given the fact that Ruby had been subject to I.D. theft and hacking and harassment. And she'd pretty much been pressured to give up that account.

Deb Yeah I asked Instagram about that. And I got an email back from a spokesperson who said if someone doesn't want their username back for whatever reason then it becomes available to others. That's it. There doesn't seem to be a policy of retiring accounts or anything like that.

Deb So we're going to take a break right now but we're going to dive deeper into this story. There are a lot of weird twists and turns. And there's also the involvement of a person who I call the "Instagram whisperer." We'll be back, right after the break.

(break)

Anna OK so, Deb, before we continue on with this story just one clarification. Ruby got her account back from Instagram right after our story aired, right.? So do you think it was because we ran her story that Instagram did something? Because she wasn't getting anywhere with them before that.

Deb Well, yeah that's what I thought. I mean my immediate reaction was to pat myself on the back, right?

Anna Yeah, power of the press.

Deb Absolutely. But Anna, then I found out it probably wasn't us after all. For our story, we relied very heavily on the resources of a woman named Allison Nixon. She's the head of cybersecurity research for Flash Point which is a cyber-intelligence firm. Now it's pretty clear to me that Allison had something to do with Ruby getting her account back. But she won't say exactly what she did. But it seems like there's this informal network of security experts at various companies and they know each other and they talk to each other. Allison says security people are pretty overworked. They're small teams of people who have to guard against and deal with a lot of different threats. And they create automated systems to deal with users but sometimes they don't capture everything or everyone. So sometimes it just takes a person, a real person, to goose the system. People like Allison Nixon.

Allison There might be some victim that blows up in the media and it'll be a long time before they even find out about them. And it's not because the investigators don't care. I mean the investigators care very deeply about fixing this problem. It's an information overload problem.

Anna That's so interesting it sounds like there's a secret society of security people working behind the scenes to fix things.

Deb Well it feels that way, right? But it's impossible to know because the companies themselves are so close mouthed about these processes. When things go wrong it's just like they're black boxes.

Anna So how did Allison feel about Ruby giving her account back?

Deb Well Allison wasn't happy about it but she also wasn't surprised.

Allison I've seen this happen before. They'll harass people and coerce them and try to make them give up the user name.

Deb And Allison was really hoping that Ruby would stand her ground and fight the hackers. But she knows it's really hard.

Allison It's tough for me to tell them to not give in to the harassment because I'm not the one being harassed. You know, it's not my sword to fall on. But on the other hand, I don't really like the idea of that kind of behavior being rewarded.

Anna So that's Ruby's story. But I feel like we can't just end this episode here because that's not very satisfying.

Deb OK! So I'm going to tell you another SIM swapping story that ended differently.

Anna Oh good.

Deb So when our story was being shared on social media one of my Twitter followers tagged this guy who sounded like he had a really similar story to Ruby's.

Linds Hi my name is Linds Panther and I'm the victim of a SIM swamp.

Deb Now Linds lives in Colorado and he works for Twitter. So he's in the tech space and he was a really early adopter of Instagram.

Linds So I think I was, at one time I looked, and I was user number 10,000-something on Instagram. I mean, I joined within a month of their public launch. And because I joined so early I was able to get a boutique-y user name like "Panther" which happens to be my last name.

Deb Well, Linds Panther's story is a lot like Ruby's. His AT&T account was SIM swapped and then his Instagram account was stolen. And the hackers left him with the username "Panther Go Bye-Bye."

Anna That does sound a lot like Ruby's story.

Deb Yeah, cause Ruby got left with "Ruby Done."

Anna So snarky.

Deb So Linds calls AT&T, his provider, and apparently the person he talked with insisted that nothing was wrong with his account. That it was probably just, like, poor network connections or a bad SIM card or something. And it wasn't until the next day that he went into an AT&T store and someone there realized that his SIM had been stolen. And actually he had already figured it out himself by then. So he felt vindicated when you heard that. But he also felt something else.

Linds It also scared the heck out of me. How could it be that easy for someone to go into a store call someone at AT&T and provide enough information about me to convince them that they are me and make changes on my account that is effectively used to secure my digital identity? I had never realized just how important that phone number is to your digital footprint. And how it's almost like your Social Security number online.

Anna And this is a guy who works in tech and he didn't realize how this could happen?

Deb Yeah. And this was strangely pleasing to find out because I had felt like such a dummy that I'd never heard of SIM swapping. But even someone in tech didn't know. So it made me feel a lot better about myself.

Anna OK we're all doomed, though.

Deb So Linds gets his phone account back and he locks down all his other accounts. And he files a report with the FBI. And then he starts trying to get his account back from Instagram. And just like Ruby he hits a brick wall. He can't get hold of any actual person. And then he tweets out his whole saga and a bunch of people, who are pretty high up in the tech space, offered to help him but nothing happens. In the meantime, he finds out someone's trying to sell the user name on the black market for 800 Bitcoin.

Anna So this is not looking good for Linds.

Deb Yeah, it's not looking good. But here's the twist. I reached out to Linds and I told Allison about his case. And even before I've had a chance to interview Linds, Allison reaches out to him. Now he doesn't know who she is and he's very skeptical that talking to her is going to help. But then this happens.

Linds About a week after we started talking, I receive an email from Instagram asking me to confirm my email address. Accompanied by a separate e-mail that said something to the effect of, "we heard you had problems with your account, your account content wasn't affected by this issue. Signed, the Instagram team." I confirm my email address. Log in to Instagram and it is as if nothing ever happened. All my content is there. It was the strangest experience.

Deb Wow, and the end the e-mail they sent you was pretty cryptic, it sounds like?

Linds It was very cryptic. Very cryptic. It was like even though a person had intervened to help, they still didn't want to give me the impression that a person was on the other end doing anything. There was no name associated with any of this.

Deb with Linds It's just the hand of God reaching down restoring your account.

Deb So evidently Allison had worked her magic again and helped get Linds' account restored. And unlike Ruby, Linds was really excited to get everything back. Because he had thought his account had been deleted entirely and that all of his photos and posts were gone.

Linds It never really occurred to me just how much of my life over the last nine or so years was documented on Instagram. You know, not just the photos, because I have copies of lots of those photos. But all the comments on there. The fact that I had been working for, effectively nine years at refining my Instagram feed, to give me the right content. And when somebody takes that away it feels like a very high barrier to getting back on.

Anna So it sounds like Linds has come to a positive resolution here?

Deb Yeah, all things considered this hack could have been a lot worse. Especially when you hear stories about people getting their bank accounts or their cryptocurrency accounts hacked and they lose real money. But at the same time, even though he got all his stuff back, there's still this downside, in that once you're hacked, you know you never see the world quite the same way. Everywhere you look there's a new threat. And he says it's made him a little bit more paranoid than he was before.

Anna Paranoia sounds like it's a bit too far. But certainly vigilance seems like it's a good idea.

Deb I think that's the lesson learned. Absolutely, be vigilant.

Anna If you have a question about Seattle or our region head on over to our website kuow.org/soundqs and drop us a note. Or call us at (206) 616-3805 and leave us a voicemail. Your question might be featured in a future episode.

Deb SoundQs is a production of KUOW in Seattle. Kyle Norris is our producer. Jeannie Yandel is our editor.

Anna Our production team includes Katherine Banwell, Gil Aegerter, Caroline Chamberlain Gomez, Jill Jackson and Brendan Sweeney. Michael Parker composed our theme music.

Deb I'm Deborah Wang.

Anna And I'm Anna Boiko-Weyrauch. Thanks for listening.