Rug pulls. Defi exploits. Pumps & Dumps.
You might have heard all such scams that repeatedly happen in the crypto space, leaving millions of users with worthless tokens. But have you ever heard of an attack that can steal your crypto funds using a SIM card? That’s right. Hackers are taking advantage of some loopholes in the 2FA system, and they are implementing a SIM-splitting technique to successfully steal your funds.
Though SIM card swaps are not new, it has found a new urgency in this emerging industry. Hackers are finding ways to steal your mobile identity and use it to bypass text-based two-factor authentication. If they can clone your SIM and impersonate your digital identity with their device, you can potentially lose all your assets stored in a bank and crypto wallet.
So how do you stop someone from taking over your online footprint? To address this question, we have to first understand how SIM-swapping or port-out-scam works. Then we will come up with solutions and preventive measures. Stay till the end. You can avoid being the next victim!
What is SIM-Swapping?
Sim-swapping or sim-jacking is an attack used by hackers to take control over your mobile device. You might feel you have access to your device, but all the information and data already migrated to another SIM card that an attacker controls. Sim-swapping is considered one of the most dangerous attacks because your additional layer of security cannot prevent hackers from gaining access to your internal accounts. Crypto is a different breed- when it comes to assets, attackers are using its decentralized nature to their advantage.
How sophisticated is SIM Swapping?
You might think hackers use some weird, unknown software applications to break through firewalls and steal the SIM card number, but that is not at all the case here. This criminal heist is done through social engineering. Attackers do not rely on code or any hijack tools to gain access to someone’s online accounts. They find information via darknet marketplaces and use that to impersonate their target. Once they find the victim’s SIM number and activate it, they can easily avoid 2FA and access any account they want. It is also important to note that it is not only famous influencers or high-profile targets under attack but also everyone.
But wait- how do they get my phone number in the first place?
Hackers who use SIM swapping are more successful than others- for this one simple reason- mobile service providers fall prey to social engineering. An attacker calls up service providers by impersonating the victim and pleads his case to transfer the victim’s number to his own SIM card.
As the support agents have no idea of this type of attack, they fall for whatever story the attacker created on the spot. To make his argument more valid, he provides some personal information like address and date of birth, which he bought from a third party or found online. Once the transfer of a mobile number is done, the attackers start receiving calls and texts for you. The worst part about this operation is that your old card gets deactivated, and the hacker resets access to your accounts.
How does SIM-Swapping even work in the Crypto Industry?
Scammers using SIM card swaps operate in multiple ways. Some try to access your bank account or crypto wallet using a few weak links associated with 2FA. If one wants to gain complete control, they simply link your phone number to their SIM card. In swapping SIM cards, many miss out on the fact that two parties are accessing the same number using two SIMs. So this can also be called SIM-splitting.
Some of them even deploy on a large scale and target hundreds of people. We have seen many cases where hackers bypass two-factor authentication and use hundreds of SIM cards to gain access to online accounts.
In most cases, we are seeing hackers change passwords by clicking “Try another way” until they see an alternative option, “ Get a verification code sent to your mobile.” As the victim loses control effectively, the code goes to the attacker, successfully resetting the password.
To gain access to your crypto wallet, they search for emails from any cryptocurrency exchanges like Coinbase or Kraken. They follow the same method to reset the password. Now that he has complete control over your wallet, he can directly enter his wallet address and withdraw all your crypto in an instant.
The sad part about hi-jacking your wallet is that you will have bank accounts and credit cards linked. The attacker will exploit those options as well. He only needs to enter the verification code or OTP, to process the transactions and deposit more USD. With that money, he can buy even more crypto and transfer it to his own wallet.
It doesn’t end there- the attacker can delete your emails without you having any knowledge and intercept every password, text, and withdrawal. Finally, it gets all the more disturbing if a bad actor could access a personal account- think Google or something like your password manager.
Major Crypto Hacks using SIM-Swapping
In the last couple of years, we have seen hackers aggressively use SIM-swapping to steal millions worth of cryptocurrency. Some have been caught, while others escaped leaving no digital trace. Let us take three incidents to understand how damaging SIM-swapping attacks can be.
T-Mobile Sued Over Sim Attack- lost $450k in BTC.
This incident happened just a couple of months back, when T-mobile customer Calvin Cheng lost 15 bitcoin. The Co-founder of an investment fund got a message via Telegram, offering him a better market value for his bitcoin. His information got leaked, and hackers used it for Sim-swapping. Even though T-mobile repeatedly highlighted that they follow the best authentication procedures, the case flipped against them and cost them approximately $450k.
Cybercriminals stole $100 million worth of Crypto from Influencers.
After a year-long investigation by a European law enforcement agency, eight men were arrested for abusing phone numbers and stealing millions worth of cryptocurrency from internet stars, sportsmen, and musicians. The police found out that the suspects used a SIM-swap scheme to infiltrate smartphones and control all social media accounts. By accessing their phone number, they successfully reset account credentials and drained the entire wallet.
Teen Hacker stole 1 Million from an Angel Investor.
Gregg Bennet, an angel investor with Bennett Enterprises, realized his phone stopped working, and all of a sudden, he lost 1 million dollars worth of crypto. When he contacted AT&T, he found out that his secret access code was changed without him knowing. He did not know about SIM-swapping for someone who has 16 years of experience working with startups and investment funds.
Remember- Jack Dorsey also got hacked by a sim-swap too. You are also at risk. Don’t forget that.
How to Protect Yourself Against a SIM Swap Attack?
We understand. It’s annoying to know that you can lose all your money even after having 2FA enabled, but don’t worry- we got you covered.
It is impossible to predict how a hacker is going to steal your identity, but you can protect yourself and reduce the consequences of your SIM is indeed swapped. The actionable tips you can implement right now are as follows:
- Change your password and make sure you are using special symbols, numbers, and upper-case letters.
- Create an additional PIN to add a new security layer.
- Call your service representative and instruct him or her to never transfer details via call. Also, let the representative know that a government-issued ID is required to transfer a SIM card number.
- Create a new google account, and don’t use your business phone number for verification.
These are super important to have your online identity and secure your bank accounts, social media profiles, and anything linked to your Google or Apple account.
Few Extra Measures
Upgrade your Two-Factor
This is probably the best thing you can do right now to prevent any hacker from bypassing your text-based two-factor authentication. If you are using Google Authenticator or Authy, you are only getting SMS-based security that constantly is in sync with your Google account.
To fill in the gaps, you need to have a physical authentication keychain. If you have a physical token, you can turn off your SMS, and no hacker can steal your keys. By having your digital identity locked in your keychain, you raise the stakes for hackers, and it reduces the odds of getting attacked significantly.
Try Google Voice Number
You can find your number here
Security experts suggest swapping your phone number with a Google voice number for any service that requires it. They also point out that it can add a ton of complexity to the equation, so it can be hard to follow the procedure daily.
Secure your Password Manager
Lastpass VS 1Password
If you are someone who uses a password manager to store notes, card information, and other private keys, you might want to increase security or choose a cloud-based application. LastPass and 1Password are the most accessible solutions, so check them out and see which one offers more security for your master passwords.
It is completely okay- if you feel overwhelmed right now, but you have to realize how important these preventive measures are for your digital identity and crypto funds. If you have a solid authenticator app and unique passwords set for every account, you are already making it incredibly difficult for hackers. Few special requests would be to inform your mobile carriers not to port your sim without being physically present and not attaching your 2FA to your phone number. Invest your time in adding more layers of protection and you will never be the next victim.
Born and brought up in India, Karthikeya Gutta is a crypto journalist and freelance contributor for ItsBlockchain. He covers various aspects of the industry with in-depth analysis and research. His passion towards blockchain and crypto ecosystem is mainly because he believes it can really change the world and help millions of people.
Subscribe to get notified on latest posts.