Cryptocurrency SIM Swapping is a major threat to cryptocurrency in 2019. But what can you do to protect yourself from the threat?
SIM swapping is relatively simple to understand but don’t underestimate the damage – the amount of damage it can do is very scary.
Attackers obtain information about an individual and use that information to request that user’s phone number to a SIM card that the attacker owns. Once that is done, the attacker can receive any text messages that the victim receives.
That access allows the attacker to start requesting passwords and other sensitive user data to gain access to private accounts. The most prevalent way of using a SIM swap is to gain access to two-factor authentication (2FA) credentials.
Access to 2FA gives an attacker a massive advantage when it comes to accessing and changing account details. This will eventually lead to granting them access to data and funds.
2FA is an added security measure that is commonly found on cryptocurrency exchanges and cryptocurrency wallets. Users must still know the password to an account and have the device to prove their identity.
But hacking 2FA through a SIM swap allows the hacker to receive SMS codes of the original user’s phones, therefore, hackers are more easily able to reset passwords, bypassing the necessity of the user (hacker in this case) of knowing the password to an account and having the device to prove their identity.
SIM swapping has been around for a long time – it wasn’t until this past decade, with the technological advancement of smartphones, that SIM swapping became more and more dangerous, making the crime a big threat to individuals and their privacy.
More and more data and privacy rely on smartphones and other devices for identifying and granting proper access to the owner of that data. Think about the last time you checked your bank account – how did you do it? Was it on a desktop? Or was it through a mobile phone?
This unprecedented new age of technological convenience also provides an opportunity for criminals to steal data and money from people around the globe with relative ease.
Phishing has also been used to scam cryptoenthusiasts – users were duped by emails or communications that looked official. Users, lacking proper cybersecurity and awareness, entered sensitive information like usernames and passwords. Hackers were then able to use those legitimate credentials to steal funds.
SIM swapping is even more simple – all that’s required to fool your mobile network is to convince them to carry out a SIM swap, granted you pass their security questions, which could easily be done.
Once they do this, they’ve won. One-time passwords can be texted and resets can be authorized. These tactics, once the bane of Financial institutions and their bank accounts, are now targeting cryptocurrency users. With bank accounts, if funds are stolen, funds can be returned via insurance protection or rolling back the transactions. With cryptocurrency, that protection does not exist.
But have SIM swappers been held accountable. Well, the first instance of a SIM swapper in the cryptospace was in July 2018. Joe Ortiz, a 20-year-old, who had allegedly hacked around 40 victims, was arrested by California Police. Ortiz and a number of unidentified collaborators targeted cryptocurrency users and hacked a number of victims at the Consensus conference in New York earlier that year. Ortiz pleaded guilty to theft in the amount of $5 million and accepted a plea deal of 10 years in prison for his crimes. Authorities have deemed this the first conviction of a crime of SIM swapping.
Xzavyer Narvaez was arrested in August of 2018 for SIM swapping. Narvaez was careless with his stolen money, using it to buy sports cars over a 2-year period. Narvaez’s cryptocurrency account processed around 157 Bitcoins between March and July 2018, valued at over $1 million dollars at the time.
Just last week, California prosecutors indicted 21-year-old Ahmad Hared and 23-year-old Matthew Ditman with conspiracy to commit computer fraud and abuse, access device fraud, extortion and aggravated identity theft through SIM swapping. They face a potential 5-year jail sentence and hefty fines.
A question is starting to loom – should service providers share the blame? Michael Terpin, a US investor, fell prey to a SIM swap. Terpin filed a $224 million dollar lawsuit against AT&T, a US telecoms provider, for negligence that led to the loss of around $24 million in cryptocurrency holdings.
In Terpin’s 69-page report with the US District Court in Los Angeles against AT&T, he accuses AT&T of cooperating with the hacker, gross negligence, violation of statutory duties, and breaking the commitments of its privacy policy.
There are steps that can be taken by a telecoms service provider. SIM swaps could still happen, but SMS communications be blocked for a short amount of time to protect the user – this is being done in Russia for mobile operators. Further, telecom companies could implement strict identity checks and request users to confirm more explicit details and information before a SIM swap is carried out.
Most importantly, users must be aware of the unique challenges that they face, be aware of it, and protect themselves as best they can.
What do you do to help beef up your security? Do you use a second phone for 2FA? Do you use a burner phone? Or do you not use 2FA yet? Has this changed your mind to start thinking about your security? Maybe it’s time that you rely on something like Ledger. Purchase one here. Let us know on our Facebook page!
