SIM-swapping – theft of cryptocurrency and personal data: how to protect yourself?

Tying an account to a SIM card has long been a security standard in banks and various financial services, including cryptocurrency ones. It seems that two-factor authentication reliably protects data and assets.
But in reality this is not the case: in April, a student from California received 10 years in prison for stealing cryptocurrencies using SIM cards. 21-year-old Joel Ortiz was able to steal about $7.5 million in cryptocurrencies through so-called SIM swapping, a fraudulent scheme in which attackers gain access to the victim's information and then contact the cellular operator and ask it to reissue the SIM card, posing as another person. Millions of dollars in cryptocurrencies are stolen with the help of SIM swapping.
How much does SIM swapping threaten cryptocurrency holders, and how can they secure their crypto assets?
What is dangerous about SIM swapping?
The first series of major cryptocurrency thefts using SIM swapping occurred back in the winter of 2016 in the USA. The victims kept cryptocurrencies on various exchanges and used two-factor authentication, in which a code sent to the phone is needed to log in from a new device.
First, fraudsters find out the victim's phone number and personal data (from open sources or from operator employees in exchange for a share of the reward). After that, they block the SIM card: all it takes is to call the support service, give a name and report the loss of the phone. Then the number has to be transferred to the fraudster's SIM card. This can be done in different ways: by deceiving the manager, by colluding with employees of the telecom company, or simply by happening upon a compliant customer service representative.
Having obtained the necessary data, the fraudsters establish control over the number. This gives them access to most Internet and banking services that use two-factor authentication and to which the SIM card is tied, including crypto and online wallets.
“It is important to understand that SIM swapping is not only, and not so much, about cryptocurrencies. Precedents involving the theft of cryptocurrency are a special case that has received wide attention. In general, the threat is much more global and affects all aspects of personal data protection,” noted Ekaterina Malyarova, PhD in Law, teacher of the BCL supplementary education program.
How common is SIM swapping?
No one knows the exact figures. Russian cellular operators did not respond to our request.
Most high-profile cases of SIM swapping occurred in the United States. We are talking about several thousand cases per year. Apparently, the main targets of American hackers are active members of the crypto community who hold large sums in cryptocurrencies. According to bitcoin entrepreneur Joby Wicks, he does not know a single person in the American crypto community who has not had a number stolen. California police even placed SIM-swapping cases under special control, and according to the CipherTrace report, SIM swapping was a trend among fraudsters in 2018.
The intruders are mostly young hackers between the ages of 19 and 25. In July 2018, police arrested a 20-year-old college student, Joel Ortiz, who stole about $7.5 million in cryptocurrency using SIM swaps, of which $5.2 million was stolen from a businessman from Cupertino. In total, the fraudster robbed about 40 people. In April of this year, a California court sentenced him to 10 years in prison.
Also arrested for SIM swapping in 2018:
- Javier Narvaez, 19, accused of stealing around $1 million;
- 21-year-old Nicholas Truly, accused of hacking the SIM cards of several large entrepreneurs from Silicon Valley and stealing large sums from wallets at Coinbase and Gemini;
- 25-year-old Joseph Handshumacher, accused of stealing 57 BTC;
- 23-year-old Joseph Harris and 21-year-old Robert Childers, who are accused of stealing $14 million from the cryptocurrency company Crowd Machine through a SIM swap;
- 20-year-old Dawson Bakis, charged with 50 cases of fraud using SIM swapping.
“This attack vector is quite old; before, it was used to steal funds through online banking. SIM cards are very poorly protected and easily cloned. It is also easy to make a copy of the SIM card at the operator itself,” said Edward Bark, co-founder of the cryptocurrency exchange EXMO.
There are no reports of such arrests in Russia yet, but if you or your acquaintances have encountered SIM swapping, write about it in the comments.
Is it possible to return the stolen funds?
If someone steals money from your bank account, you will most likely be able to get it back. If a scammer gains access to your crypto wallet, you are unlikely to be able to recover the losses. Indeed, in the case of SIM swapping, it is not clear who should be responsible for the loss of funds: the operator, the exchange or the wallet owner himself? As far as we know, so far no exchange or operator has compensated the victims for their losses.
“I believe that the key role in the process of ensuring the safety of SIM card holders should be assigned not to the owners, but to mobile operators. Studies show that in a significant number of cases SIM swapping becomes possible due to internal information leaks, as well as the participation of employees of telecom companies in these attacks,” said Ekaterina Malyarova.
Edward Bark, co-founder of the EXMO cryptocurrency exchange, advised that in case of proven theft using SIM swapping one should “contact the operator, since the attacker used all the data that the user (though not intentionally, but through carelessness) provided him”.
In August 2018, the entrepreneur and CEO of TransformGroup, Michael Turpin, who was a victim of fraudsters, decided that the operator should answer. He filed a $224 million lawsuit against telecommunications company AT&T. Turpin blamed the provider for letting hackers get hold of his number. In a 69-page lawsuit, Turpin claims that he lost $24 million due to two hacker attacks using SIM swapping. Now the entrepreneur is demanding that AT&T return the stolen funds and pay compensation in the amount of $200 million.
The American law firm Silver Miller takes the same position: it filed arbitration claims against AT&T and T-Mobile on behalf of several victims who lost $621,000, $400,000 and $250,000 in cryptocurrency because of SIM swaps. Silver Miller blames operators for creating favorable conditions for fraud.
How else can scammers get access to victim's cryptocurrency via SIM cards?
Unfortunately, SIM-swapping is not the only threat emanating from SIM cards.
Intercepting SMS with a password. To gain access to accounts, it is not always necessary to steal a number. Using the Signaling System 7 (SS7) protocol, fraudsters can intercept codes and text messages sent by SMS. Back in 2017, Positive Technologies conducted experiments on intercepting SMS and connecting to Coinbase accounts, which showed how easy it is to log into other people's accounts.
Message forwarding. Fraudsters can also hack the user's personal account on the operator’s site and set up forwarding of all messages to another number.
Simple theft. In the end, a SIM card or phone can simply be stolen. Until the victim notices the loss, attackers can withdraw all the funds.
How to avoid becoming a victim of SIM-swapping?
The simplest and most obvious advice is not to tie your account to a SIM card. But, unfortunately, many services require a mobile phone number without fail. In this case, following the recommendations listed below will help keep your assets and personal data safe.
Do not publicly disclose the phone number to which accounts on crypto platforms are attached. Do not share this number with anyone and do not publish it anywhere. This should be a separate phone number, purchased specifically for linking to an account on an exchange or a crypto wallet. Do not link social network, mail or other exchange accounts to this number. One account / wallet – one number.
The phone with this SIM card should be stored separately, in a protected place. Use this number once every 2–3 months and do not forget to top it up, so that the operator does not block it or give it to another person.
Set an additional password. To block the SIM, it is enough to call the operator and give a name. But most operators provide the ability to set an additional password. Then, if someone applies to block a SIM card or reissue it, the operator will ask not only for the full name, but also for the password.
Do not use two-factor authentication via SMS. Instead, if the platform allows, use a dedicated application for two-factor authentication. For example:
- Google Authenticator,
- Authy,
- Microsoft Authenticator,
- Duo,
- Authenticator Plus.
These applications are tied to the smartphone, not to the number, and generate temporary codes (valid for 30 seconds) for logging into the account. To be safe, write down a copy of the authentication application's keys somewhere in case you lose or break the phone. Remember that application-based authentication must also be enabled on other services associated with the exchange account, for example the mailbox.
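Why such codes survive a SIM swap: under the standard TOTP algorithm (RFC 6238), a code is computed only from a secret key stored on the device and the current time, so the phone number is never an input. The following is an added example, not code from the article or from any of the listed applications; the function names are illustrative and the key is the RFC 6238 test key, used here as a constructed sample.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds a code stays valid, as described above
DIGITS = 6   # code length shown by typical authenticator apps

def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1). Inputs: shared secret and clock only."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, at=None, drift=1, last_counter=-1):
    """Service-side check: tolerate +/- `drift` time steps of clock skew and
    refuse any step already used. Returns the matched step or None."""
    current = int((time.time() if at is None else at) // STEP)
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_counter:
            continue  # this step was already accepted once: replay
        expected = totp(secret_b32, at=counter * STEP)
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            return counter
    return None

# Constructed sample: RFC 6238 test key, base32-encoded the way apps store it.
# This string is the "key" worth backing up in case the phone is lost.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, at=59)
    print("code at t=59:", code)
    print("accepted at t=59:", verify(SAMPLE_SECRET, code, at=59))
    print("replayed:", verify(SAMPLE_SECRET, code, at=59, last_counter=1))
    print("stale at t=119:", verify(SAMPLE_SECRET, code, at=119))
```

Whoever holds the secret can generate valid codes, which is why the written-down backup copy deserves the same protection as the phone itself.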
Instead of applications, you can also use a physical authentication method: USB hardware and NFC security keys, for example YubiKey.
“Do not use two-factor authentication via SMS, use TOTP codes for authentication instead, do not give your phone number to strangers and do not publish it in open sources,” Edward Bark, co-founder of the cryptocurrency exchange EXMO, advised cryptocurrency holders.
- Disable call forwarding. This will make it much harder for scammers to get quick access to your data.
- Keep funds on cold offline wallets, and the wallets themselves in a safe or other place inaccessible to unauthorized people and hacker attacks.
- Protect your personal data. If fraudsters have your passport data, or a scan or copy of your passport, their chances of deceiving gullible employees of the cellular operator will increase dramatically.
- Stay anonymous. You do not have to be paranoid, but you shouldn’t needlessly mention which exchange you hold money on, how many bitcoins you have and how you bought a lambo after the next bull rally.
- Be vigilant. Quite simply, do not leave the phone unattended. If the connection suddenly disappears and you cannot reach anyone, do not delay calling the operator and blocking the number.
It is important to understand that none of these methods is a guarantee of the safety of assets and personal data. To protect your funds, you must use the entire arsenal of protection against crypto fraudsters.
Edward Bark also advised:
“To avoid loss of funds due to SIM swapping or other types of fraud, we recommend enabling mandatory full account protection (choosing this option means that when changing profile settings, withdrawing funds or logging in, unique one-time codes from Google Authenticator are used for additional protection in addition to the standard login and password), do not use the same passwords for mail and personal account, do not open suspicious emails and do not follow unfamiliar links. In addition, we have a very strong antifraud department that monitors user behavior and, if suspicious activity is detected, can temporarily suspend withdrawals and request some data from the user for additional identification.”
Have you or your acquaintances been faced with SIM swapping? Write in the comments.
Publication date 04/05/2019
