Lives today are digital. They are dependent on the passing of data between various networks, unhindered, and unencumbered. Our phones act as the hub of our digital lives, to the extent that devices are now available with the sole purpose of tracking our phones if they are ever lost. Several studies have shown, unsurprisingly, that users are becoming more reliant on mobile devices not only for communication, but for tracking personal performance, finances, and health.
As devices that are rarely further away than arm's length 24/7 (did you check where yours is?), mobile phones are increasingly being used as a secondary verification for our online identities, or as the last line of defense against identity theft. Our data has been compromised in numerous ways over the past few years, and perhaps the evilest is SIM Swapping.
SIM Swapping is a well-known attack vector but continues to be effective due to improper training and predictability of human behavior. Victims of SIM Swaps wake up to find their phones with “No Service.” Calls do not work, and data services are gone. Email accounts are locked, and logins no longer function. Access to online services like banks, investment management, cloud services, and anything requiring a login and password becomes inaccessible. The attacker has not only taken control of the online accounts but has changed the passwords to prevent anyone else from using them.
A recent report detailed the five major mobile US carriers, AT&T, T-Mobile, Tracfone, US Mobile, and Verizon, as using “ . . . authentication challenges that could easily be subverted by attackers.”
How Does a SIM Swap Work?
Fraud prevention in the current system is done using 2FA or “Two Factor Authentication.” This requires a user to enter a one-time code sent to their device via SMS text. Users often are prompted to do this after trying to access online accounts from a new computer or IP address. However, this security measure is entirely ineffective if a hacker has access to the phone receiving the one-time code.
To execute a successful SIM Swap, a hacker must acquire enough information about a person to impersonate them on a call to their cellular provider. The hacker is then able to convince the representative to switch the user’s phone number to a different SIM card. This switch will port the account to the new card, rendering the original phone completely useless. Hackers have used this technique for years, and have gone as far as bribing telecom employees to switch over SIM access for a few hundred dollars. The attacker then uses this new phone to log into and change all usernames and passwords.
While this type of attack is not new, cryptocurrency users have recently become targets due to the irreversible nature of their transactions. Most recently, 19-year-old Yousef Selassie allegedly stole over $1 million in cryptocurrency from SIM Swaps alone. Others have seen much more significant losses, namely a $24 million loss by crypto investor Michael Terpin, who is now in a lawsuit with AT&T over inefficient security measures.
Preventing an Attack
Attack prevention is often a multi-tiered approach. First, disable any SMS text 2FA logins: Google, Bank, Credit Card, Social Media, Email, Crypto Exchange, Smart Fridge, etc. Immediately install and set up a 2FA app like Google Authenticator or Authy on your phone. Services like Microsoft and Steam have unique versions for their websites. These 2FA services will create a security measure independent of cell service or Wi-Fi. Instead of receiving a text message, a user must enter a unique six-digit code that refreshes every minute. Once the correct code is entered, the user has access to the website.
This is important.
If you upgrade your phone or update the OS, these backup codes will be required to restart your 2FA. Without them, you will have to contact the companies with which you set up the 2FA and submit documentation proving your identity before they can manually reset it. Not ideal in a market as volatile as crypto.
A more drastic measure is to have a separate cell phone whose only purpose is to operate the 2FA app. Install Google Authenticator or Authy, then turn off the phone until you need to use either app. This way, if your daily driver is stolen or misplaced, you still have access to your 2FA. The security-conscious even go so far as to have a separate laptop or computer, which is used only for crypto trading and has a 2FA backup. Are these steps overkill? Perhaps, but the recovery from these attacks can be lengthy and expensive.
Not even those in the technology sector are immune to such attacks. The CEO of Twitter, Jack Dorsey, was famously the victim of a SIM Swap in 2019 that saw his Twitter account taken over.
The director of the security firm Flashpoint, Allison Nixon, has stated that a SIM Swap “ . . . requires no skill, and there is literally nothing the average person can do to stop it.”
Is It Worth It?
Taking responsibility for security protocols can be a daunting task. The online world can be a strange and intimidating place, especially when it concerns cryptocurrency and online data. The steps outlined here are simple, yet effective ways to protect against those who seek to profit from lackadaisical users. As we move towards a more connected society, those who do not defend themselves have no one else to blame if they fall victim.
Feature by FomoHunt.