There’s No Crying in Crypto - A SIM Port Attack Chronicled

A funny thing happened to me on the afternoon of June 28th, 2019. Not funny ha-ha but funny like out of the ordinary and crappy. The day started out like any other. I was wrapping up a pretty busy Friday lunch shift at the restaurant I work at (yes I have a day job). It was about 2:30pm and lunch service was winding down. I decided to take a moment to check my phone as most of us obsessively do whenever we have a free moment. Except when I picked up my phone I noticed “No Service” displayed in the top left-hand corner where the name of my service provider usually is. “That’s weird,” I said to myself and I turned my phone on and off. When it powered back on there was no change. I decided to check my texts; I could only send them over Wi-Fi. So I go to my what’s app and text my boyfriend and I ask him to send me the number for my service provider’s customer service. “Babe something weird is going on with my phone.” then I check my email accounts to see if they have refreshed since I am on Wi-Fi. My heart sinks. I can’t access my email accounts. I see in small type on the bottom my phone screen that I need to re-enter my passwords. Then I immediately start to check all my financial apps and my worst fears are confirmed. I’m logged out of my Coinbase account from both the mobile app and the browser. My mind immediately goes to the story I read about a month back about a guy who lost 100k from his Coinbase account in a SIM card port scam. I call my service provider in a panic. I tell them I think I’ve been hacked. The first rep I spoke with tells me he doesn’t see anything abnormal and to just read him the IMEI # and power the phone off and on, I do it, nothing. I tell him that’s not it, I KNOW something fishy is going on because I’m logged out of all 3 of my email accounts. He places me on hold and I disconnect the call because:
1. I am still at work
2. He doesn’t know what he is talking about.
It takes about 40 minutes for me to wrap up the remainder of my shift to head down to the office and call customer service again from a landline.

The second time I call I get a woman, I explain to her what happened and that I suspect that someone is conducting fraudulent activity on my account. She asks me for my first and last name, address, last 4 digits of my social security number and my passcode. I give her all the required info and she places me on hold. When she returns to the line she asks me did I lose my phone and if I am in Atlanta, GA. I respond, “No, I am in Brooklyn, NY”! I haven’t visited Atlanta in 2 years. She then goes to explain that someone entered a retail store produced a photo ID claiming to be me, said their phone was stolen and was able to request a sim card and port over my information. “Are you fucking kidding me?” “What about the passcode?” The rep responds they didn’t need a passcode since they knew the last 4 digits of my social security number and had the photo ID. Now I’m beyond pissed, “What is the point of having the passcode if people can bypass it?” So now what? She responds: “Well you have to go into a store and get a new SIM card.” “Thanks,” I say and hang up.

Now I’m hightailing it over to the nearest store on a steamy afternoon in June with no phone service. I’m panicked, hot and stressed. So many thoughts are racing through my mind but I’m still trying to stay positive. When I arrived at the store thankfully it was empty and the air conditioning was blasting. As I explained the details to the in-store attendant I asked her how the perpetrators were able to access my account without the required passcode. She reiterated what the phone rep said about not needing the passcode with photo ID so I followed up asking what could I do to prevent this from happening again? to which she flatly responded “nothing”. The entire process was handled quickly and in less than 10 minutes I had a new SIM card but at this point, it had been about 4hrs since I first noticed the “No Service” displayed on my phone.

On my walk home I start the process of recovering passwords so I can gain access to my Coinbase and email accounts. I spent the rest of my Friday evening assessing my losses and hoping the worst was over. Besides taking all of the Litecoin and Bitcoin I had in my Coinbase account, they also attempted to access my Binance and Bittrex accounts. The next few days I was kind of in a fog, there was, of course, the monetary loss but I also felt victimized and embarrassed. Why would someone try to clean me out? I’m not a bitcoin millionaire, there is no Lambo over here, hell, I don’t even have a garage to park it in! I am a single mother of a teenaged daughter. I created this brand to empower Black women like myself, and get them to embrace this new wealth-generating asset class. My feelings were hurt, this was a personal attack, and if the person was able to get a SIM card with a photo ID then that person must’ve been a woman. One of the same women that I created this platform for.

Besides feeling embarrassed, and confused. I had no idea how much they knew. Did they have my whole social security number? Did they read any sensitive emails? I felt and still feel EXTREMELY violated. And what about my social media followers? How should I handle that? Will they be turned off to the idea of investing in cryptocurrency if they knew I had been a victim of identity theft and had my info and crypto stolen? I had all these unanswered questions but I had to suck it up and start repairing the damages because like the baseball saying goes: there’s no crying in crypto.

Creating a more secure online profile was fairly time-consuming. I had to go down this rabbit hole of fortifying email accounts with multi-layer security, linking and unlinking banking info, changing and updating passwords, informing companies of the attack and other tedious tasks. Truth be told, these are all steps I could have and should have done to protect myself before the attack. Please learn from my missteps, there are a few simple things that I could have done to make my accounts less vulnerable to this sort of hack.

Losing money is awful, but what feels even worse, is the lingering feeling of violation that plagues me every day. The silver lining in this situation is that now I can share my story, and the steps I have taken since, which if utilized can keep your crypto safe.

Whenever I am speaking with potential first-time investors, one of my signature phrases is: “do not invest more than you can afford to lose.” Thankfully I followed my own advice, so the amount of cryptocurrency that was stolen from me did not affect my ability to provide for my daughter and I. However, it did affect my sense of security and overall faith in humanity, which unfortunately, you cannot put a price tag on…

How to Secure Your Crypto Accounts From A SIM Port Scam

Sign up for a free encrypted email account

Have a separate recovery email account as well

Designate the encrypted email account just for crypto and linked banking accounts

Do not link this account to your phone

Do not leave crypto on the exchange /any exchange!

Have accounts with multiple crypto exchanges

Store crypto in a hardware wallet like Tresor or Ledger

Have a file or a handwritten document with passwords stored inconspicuously

Store passwords in a separate place from the actual wallet

Shanah Walton

Written by

p/k/a Bitcoin Bombshell, Crypto Coach and Enthusiast

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade