SIM Swapping has started emerging as a legitimate threat to personal financial information stored on users’ phones and to those people that use SMS messages for their two-factor authentication (2FA) method. The Federal Trade Commission has cited SIM Swapping as a growing trend in identity theft, and it has recently revealed itself with some high-profile examples targeting cryptocurrency users and hacked Instagram accounts.
The use of SMS messages for two-factor authentication is increasingly popular due to its convenience. However, hackers have invented clever and relatively simple methods for taking complete control over somebody’s online fingerprint by convincing service providers that they are the legitimate customer.
The Precedent for SIM Swapping
SIM Swapping is a relatively new attack vector that was identified as a threat to mobile phone users only a few years ago before some early cases started emerging. A SIM Swap is essentially where a fraudster convinces your phone carrier to switch over your phone number to a new SIM card that they control.
SIM cards are platform-agnostic and grant access to the services connected to the phone number. SIM cards effectively verify a cellphone subscription of a carrier that correlates directly to the SIM card, so without an authenticated one, a phone cannot plug into the mobile network. Attackers can hijack phone numbers this way through a variety of methods including socially engineering phone carrier representatives or even recruiting point-of-sale retail employees.
As a result, the attacker transfers the cellphone number from the victim’s phone to their new SIM card and can make calls, send text messages, and bypass two-factor authentication security that uses SMS verification as if they were the victim. This gives them complete control over the victim’s digital identity, and the reality is that there is little the victim can do to stop the attacker once the hack is in motion. Once the phone number is transferred to the attacker’s SIM card, the victim’s phone will no longer have access to its accounts, subscriptions, or other mobile capabilities.
Leveraging SIM Swapping for Crypto Thefts.
People continually connect their phone numbers to all types of subscriptions and services, including banking accounts and cryptocurrency wallets. Cryptocurrencies present a profound opportunity for hackers who are looking for fast and anonymous methods for stealing funds.
Mobile cryptocurrency wallets are largely secured with 2FA on a user’s phone. However, if an attacker gains access to a user’s phone number through a SIM swap, they can easily bypass any 2FA security that uses SMS messaging. This is known as a “Port-Out Scam” which is relatively simple and has been covered extensively by Motherboard. SIM swaps have led to several prominent cases of mobile cryptocurrency wallets being hacked in recent months.
In January this year, Michael Terpin’s mobile cryptocurrency wallet was hacked for $23.8 million following an AT&T account representative transferring his cellphone account to an international criminal organization pursued by the FBI. Turpin is now suing AT&T for $200 million in punitive damages.
More recently, a 20-year old was caught at the Los Angeles International Airport fleeing the U.S. after reportedly stealing more than $5 million in cryptocurrencies from SIM swapping at least 40 different phone numbers. The perpetrator, Joel Ortiz, intentionally targeted cryptocurrency entrepreneurs and other participants of the Consensus Conference in New York City in May.
Galiano Tiramani, CEO of TirexTrading — a large OTC trading desk — was the target of a SIM swapping attack last year. According to Tiramani:
“It turns out the hacker just called tmobile multiple times until the representative neglected to request my verbal password. He was provided with my account number, using that and some other publicly available information, he was able to transfer my number to a phone he controlled.”
Tiramani goes on:
“My public reputation as a large bitcoin trader and early adopter makes me a target for hackers. I encourage anyone with large holdings or any publicly known crypto wealth to take serious precautions when securing your funds. When your crypto is gone, it’s usually gone for good.”
Despite the hacking attempt, the attacker was unable to make off with any of Tiramani’s funds:
“I keep bitcoins stored offline when I am not actively trading them. Don’t ever opt for SMS two-factor authentication. Mobile phone providers were not designed to be used as safeguards for large stores of wealth. Always use google authenticator or another isolated 2fa solution.”
Tiramani’s experience highlights the dangers with SIM swapping as well as some opportunities to help mitigate against these types of attacks.
How to Safeguard Your Crypto Assets
One of the simplest and most effective ways to prevent SIM swappers from stealing your crypto funds is to store your cryptocurrency assets offline in a cold wallet as Galiano Tiramani did. Further, phone numbers were never meant to be a means of official identification and are not secure enough for 2FA. Authentication apps like Google Authenticator and YubiKey represent significantly better options for managing 2FA. Importantly, they tether directly to your physical device rather than your phone number and generate a new key every 30 seconds.
Using Google Authenticator for his crypto assets helped Tiramani avoid disaster, and he also identifies some other additional security measures that can be taken to prevent SIM swapping including:
- Don’t use a publicly listed phone number associated with at-risk financial accounts
- Always opt out of SMS 2FA and choose Google Authenticator 2FA
- Request that your bank and phone carrier set up a verbal password
- Make sure to enable 2FA with Google Authenticator on your Gmail account as this is likely the first target
- Consider a secondary offline device for your 2FA codes
- Do not store 2FA reset codes on a computer, instead write them down
Tiramani’s experience offers an excellent example of how to reduce an attacker’s ability to run off with your funds. However, Tiramani’s high-profile position at a large OTC trading desk makes him a target for hackers, something he is presently aware of:
“Because my business is under constant attack from hackers and fraudsters, we invest a lot of money and time into ensuring that we have proper security in place. When analyzing your own security, it’s important to look at the counterparties you deal with. Just because its a large exchange or well-known crypto business doesn’t mean its safe. Do they have insurance? Do they use a cold wallet? How is their track record? What are their policies in the event of a breach? ”
Referencing his OTC trading desk:
“In 5 years of OTC crypto trading, 5000 happy customers and 100,000+ bitcoins traded, we have suffered zero losses from hackers or security breaches. Because we deal with large trade amounts and have held large crypto holdings for many years, we have become experts in security and analyzing attack vectors.”
SIM swapping is rapidly gaining traction among hackers as a simple and effective method for stealing cryptocurrency funds. With some high-profile cases already leading to massive sums lost, mitigating the tools that a hacker has to work with will become of paramount importance. Implementing the right security measures can help protect you from a disaster that you have no control over once the gears are in motion.
