’Tis the season to be SIM swapped

Not too long ago your anonymous author was sitting at his computer at home witnessing some strange events. An alert popped up on his phone that an Authy request to recover the 2 Factor Authentication (2FA) account for his number was invoked. Minutes later he had lost control of his Gmail account and his phone went into No Service mode… He was being hacked.

Not knowing exactly what the hell was going on, he proceeded to piece things together while locking down all of his online accounts and regaining access to compromised services. It was not until the the next morning when he realized what had happened.

The author was hit with a “SIM swap” attack where the phone provider is convinced into switching your phone number to a new SIM. The “SIM swap” process to switch your phone number to a new SIM card literally takes minutes. The author personally witnessed this in person as he had his phone number swapped back in-store.

The author does not want to go into too much detail but this is something that is going on right now in the crypto space where individuals and their online crypto funds are actively being targeted. There have been many credential leaks so here are some precautions you can take and things you need to be aware of so you don’t have a fucked up holiday season.

Your phone is waiting to be hijacked

• Assume your phone number could be compromised. The security of your phone number is dependent on a 3rd party (your phone company). Your phone company’s call center is likely outsourced to countries with cheaper labor like the Philippines who run off of call scripts. Assume they can easily be social engineered.
• Ask your phone provider about their security options, for example, disable allowing account changes over the phone or have your phone number locked to your SIM card. Some phone companies will allow you to set a password/PIN on your account that must be provided before making changes online, over the phone, or in person. If you have this option, use it.

Authy

• Don’t use Authy. This centralizes 2FA which makes it a central point of failure in the event of a compromise. Having 2FA keys with a 3rd party defeats the purpose of 2FA as well.
• Turn off “Allow Multi-Device” in Authy.
• Don’t use the Chrome extension for Authy.

Gmail, Yahoo and other email services

• Disable password recovery via SMS/phone service. Disable all password recovery options for maximum security. Watch this video to see how easily your account is compromised with SMS recovery (ignore the phishing part).
• One time use recovery passwords are fine but keep them printed and offline.
• Make sure your stored emails or online shared drive services do NOT contain any extra information such as passwords or social security numbers.

Online services

• Use different email addresses where possible. This limits the ability for hackers to run their automated “Forgot my password” links.
• Set up 2FA on logins and any withdrawals.
• Make note of which online services use SMS as a 2FA method. Assume these can be compromised despite your best efforts.
• Make note of which online services do not allow you to change your email address.

Universal Second Factor (U2F)

• Get a U2F device such as a Yubikey and use it. It is better security than software tokens. This article outlines the difference between Time-based One-Time Password (TOTP) as used in Google Authenticator and U2F.
• Ask your favorite online services to support 2FA and/or U2F.

Passwords

• Use a password manager with random passwords but be aware of where your password manager saves its database.
• Memorize a handful of passwords (such as your PC login).

Other things to note

• Hacking groups work in teams and plan their attack.
• Hackers will try and hit while you sleep. It is fortunate that your intrepid author does not sleep.
• Assume hacking groups are building up social profiles on yourself. This includes your interests, the times you are usually online and who you interact with.
• Hacking groups use automated scripts so if those resources are exhausted or lead nowhere they will try to social engineer your contacts.
• Hacking groups are experts at social engineering. They have done this thousands of times.
• Encrypt your hard drive.
• Limit your online public persona. This can attract unwanted attention which can make you a target. Ask yourself before posting, do you really need those Twitter points?
• Disable or delete any online accounts you no longer use.
• People in crypto are specifically being targeted. Traditional forms of phishing include identity theft, creating fake bank accounts, creating fake credit card numbers, initiating online bank transfers. Comparatively, attacking exchange funds is less labor intensive.

In the event of a hack

• Send online support requests to exchanges to have your account disabled. There are support forms on their web sites. They will do this as a precaution as they have experienced this many times before.
• If you regain control of you phone number, have the phone provider check if a number port is in progress. If this is initiated it means that your number could be transferred to another phone provider. Cancel any active number ports.
• Consider investing in identity monitoring services and place a fraud alert on your credit report.
• File a FBI report. They have resources to co-ordinate and investigate these reports.

Some links with further information

• Coinbase blog — On Phone Numbers and Identity
• Kraken blog — Security Advisory: Mobile Phones
• BitGo-Phasing Out SMS for 2FA
• TREZOR blog — Secure Two-Factor Authentication With TREZOR — U2F
• Augur sub-Reddit — Many of us who participated in this forum had our 2FA compromised! Please protect yourself

Wishing you all a happy and safe Christmas and New Years!