SIM swapping is a crime that targets Two-Factor Authentication (also known as Two-Step Authentication or 2FA) verification systems by exploiting a weakness in the second factor: the text message or phone call received on a mobile device. This kind of attack is known as an account takeover (ATO).
SIM swapping is a kind of financial fraud that takes advantage of a cellphone service provider’s ability to port a phone number to a device containing a different subscriber identity module (SIM). Under normal circumstances, porting a phone number to a new device with a different SIM is done when a customer has lost their phone, had their phone stolen, or is switching to a new phone or cellphone provider.
Users can be scammed using SIM-swapping methods in a variety of ways. Usually, the hacker gains personal and sensitive information about the victim from social media, phishing emails, or by obtaining data acquired in massive data breaches. Hackers often target their attacks toward cryptocurrency accounts because the stolen funds can quickly be laundered on exchanges and because the transactions are anonymous and nearly impossible to reverse.
Once a hacker has gained the personal information of their victim, they contact the victim’s cellphone provider. When the attack is carried out, the hacker impersonates the victim and convinces the mobile provider to port the victim’s phone number to the attacker’s SIM. The victim’s phone number is most often ported to a burner phone that the hacker has set up.
If the hacker succeeds in porting the victim’s phone number, they receive all of the texts and phone calls sent to the victim’s number, while the victim is disconnected from their service provider. The hacker then uses the “forgot your password” feature on the victim’s email account to have an SMS code sent to the SIM-swapped phone and gains access to the email. Once the hacker controls the victim’s email address, they can use the “forgot your password” feature on the victim’s banking, social media, and cryptocurrency accounts.
Santa Clara County Sheriff Sam Tarazi told KrebsOnSecurity, “We’re talking about kids aged mainly between 19 and 22 being able to steal millions of dollars in cryptocurrencies [...] we’re now dealing with someone who buys a 99 cent SIM card off eBay, plugs it into a cheap burner phone, makes a call and steals millions of dollars. That’s pretty remarkable.”
Cryptocurrency is not the only asset that can be stolen in a SIM swap. As MyCrypto and CipherBlade have reported, 2019 saw a transition away from stealing cryptocurrency to stealing sensitive data, such as personal information, business documents, and other data. SIM swappers can now make money by extorting their victims in addition to taking their crypto.
Santa Clara County District Attorney’s office detective Caleb Tuttle said in an interview with KrebsOnSecurity that SIM swapping attacks happen in one of three ways. The first is bribing or blackmailing a mobile store employee into assisting with the crime. The second involves current and former mobile service provider employees who abuse their access to customer data on their employer’s network. The third is for mobile phone company employees to manipulate unwitting associates at other stores into swapping a target’s existing SIM card for a new one.
Tuttle suggests that people use something other than text messages for two-factor authentication on their email accounts. Specifically, he recommends the Authy mobile app or Google Authenticator as possible alternatives.
We have implemented mandatory Two-Factor Authentication (2FA). This provides an additional layer of security when users log in to our site and perform sensitive activities such as withdrawing funds.
2FA apps work by sending the user a six-digit code that gets refreshed every 30 seconds. To help protect our users’ identities and account information, our exchange recommends both the Authy and Google Authenticator apps. However, any other 2FA that uses a six-digit code can be used.
The SIM Swapping Bible compiled by MyCrypto and CipherBlade identifies several steps a user can take to prevent a SIM swap attack. Most phone carriers offer options for authorizing the transfer of a phone number to a new device, such as requiring a numerical passcode or a passphrase, or requiring the customer to appear in person at the carrier’s store with a government-issued ID. The SIM Swapping Bible makes several other recommendations, including:
In an article for Lifehacker, Brendan Hesse identified several steps a user can take to document account-related information that can be used to identify a person as the rightful account holder in the event of a SIM swap attack. The recommended documentation includes:
Concerned about securing your cryptocurrency? Create an account on Ndax and start trading today, on the platform that made the security of your assets their number one priority.
THIS BLOG AND WEBSITE ARE NOT INTENDED TO PROVIDE INVESTMENT, LEGAL, ACCOUNTING, TAX, OR ANY OTHER ADVICE AND SHOULD NOT BE RELIED ON IN THAT OR ANY OTHER REGARD. THE INFORMATION CONTAINED HEREIN IS FOR INFORMATION PURPOSES ONLY AND IS NOT TO BE CONSTRUED AS AN OFFER OR SOLICITATION FOR THE SALE OR PURCHASE OF CRYPTOCURRENCIES OR OTHERWISE.