The easiest (and usually most convenient) way to set up two-factor authentication (2FA) has always been using a SIM card since most users access the internet via a mobile phone. While it may be a no-brainer to use your SIM for authentication, recent events have revealed the dangers of using your SIM for 2FA, especially if you’re a crypto trader.
On September 9, the co-founder of the Ethereum Network, Vitalik Buterin, lost his X account (formerly known as Twitter) to a SIM swap attack, which led to the loss of nearly $700k to an NFT giveaway scam in just 20 minutes. This article focuses on the threat of SIM swap attacks, vulnerable loopholes internet users should be aware of, and how they can protect themselves.
What is a SIM swap attack?
A SIM (Subscriber Identity Module) swap attack, also known as SIM jacking, is a form of identity theft in which a scammer tricks a cellular service provider into transferring a victim’s phone number to a new device (owned by the scammer) in order to gain access to the victim’s bank accounts, email address, bank cards, crypto accounts, and social profiles. Why the phone number? Once the scammer controls it, they receive the victim’s calls and texts, so they can easily bypass any two-factor authentication that is tied to the SIM.
A SIM swap attack is easier than you think
SIM swap attacks require very little technical knowledge; basically, all a scammer needs is a mobile device, a good internet connection, and a little capital. Usually, the scammer does some research (on the victim’s social page) and gradually gathers personal information about the victim: not too much, but enough to convince the service provider that they are the real owner of the SIM. The first resort for some would be the dark web, where illegal data brokers sell users’ information.
Another way scammers get personal information from a victim is through phishing or smishing. The scammer sends an innocent-looking email or SMS text to the victim, claiming to be from their mobile service provider and prompting them to click a link and take the necessary actions to secure their account. When the recipient clicks the link, they are redirected to a page that asks them to provide personal information.
With the victim’s information, the scammer would contact the mobile carrier, impersonating the victim and claiming to have damaged or lost the SIM card. The customer representatives would ask basic questions and then proceed with the port. The details they ask for may include:
· IMEI number
· Phone number
· PIN
· Billing address
· Reason for porting
· And in some cases, the last four digits of your SSN
In an interview, CertiK’s security expert Jesse Leclere stated, "SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use. Its appeal comes from its ease of use: most people are either on their phone or have it close at hand when they’re logging in to online platforms. But its vulnerability to SIM swaps cannot be underestimated."
A growing threat
In a public service announcement published on February 8, 2022, the Federal Bureau of Investigation (FBI) informed mobile carriers about the increasing cases of SIM swap attacks and how scammers use them to steal money from fiat and virtual currency accounts. The report also disclosed that the FBI Internet Crime Complaint Center (IC3) has received 1,611 SIM swapping complaints that led to a loss of $68 million.
An article from blockchain security company CertiK revealed that out of 50 attempts to do a fake SIM swap attack, 39 of them were successful, which amounts to an 80% success rate.
Mobile service providers need to do better
When Buterin recovered his T-Mobile account, he announced on Warpcast that it was a SIM swap and the scammer had socially engineered T-Mobile itself to take over his phone number. But this isn’t the first time the mobile communication service provider, T-Mobile, has been called out or blamed for SIM swap attacks.
On July 21, 2020, Reggie Middleton, the founder and CEO of Veritaseum, filed a lawsuit against T-Mobile for allowing the loss of $8.7 million in cryptocurrency through a series of SIM swap attacks. Middleton claimed in court filings that he was first targeted by SIM swappers in July 2017 and that, despite his reporting the incident to T-Mobile, he was the victim of SIM swap attacks four times between 2017 and 2019. The suit claims that T-Mobile neglected its customers' complaints, which allowed scammers to capitalise on the provider’s security weakness and gain access to customers' information.
In February 2021, T-Mobile was in the news again for another SIM swap attack. On Feb. 8, Calvin Cheng filed a lawsuit against T-Mobile, claiming to be the victim of a SIM swap in which he lost $450k in bitcoin.
T-Mobile is not the first telecom that has been called out for poor SIM swap security; AT&T was sued in 2020 by a crypto investor, Seth Shapiro, for failing to prevent the theft of $1.8 million in crypto assets.
How can you protect yourself?
When Buterin’s X (Twitter) account got hacked, Tim Beiko took to X to post a basic X opsec PSA. In his post, he noted, "If you have a phone number linked to your account, even with other 2FA, it can be used to reset your password. You need to specifically disable it plus remove phone. If your Twitter account predates crypto, strongly recommend double-checking and adding strong 2FA."
Additionally, it’s always a good choice to opt for a more secure and private social media platform like Bison Relay that doesn’t even require you to have an account. Bison Relay is a P2P social platform that uses the Decred Lightning Network to secure and encrypt messages.
Finally, the best step to protect yourself from SIM swap attacks is to detach 2FA on every account from your SIM. A better option is an authenticator app such as Google Authenticator, Duo, or Authy. Also, confirm that any mail or text sent to your device is from a legitimate source.