How To Safeguard Your Bitcoin From SIM Swapping?
Bitcoin, the first Cryptocurrency, brought an evolutionary transition to the Financial and Technological space. Simultaneously, one of the major challenges it faced was Security. Ever since, Cryptocurrency businesses and exchanges have been working meticulously to make the network safe. In contrast, as a user, you should not entirely rely on Crypto platforms to secure your account.
Many elements add up to making a network safe, and it is always a work in progress. It is crucial to take measures and stay updated to keep your assets secure. Therefore, using a phone number for identity authentication or giving Bitcoin to a third party, such as a Cryptocurrency exchange or other Crypto-related business, is said to compromise Security. The combination of these two activities has resulted in a rising number of SIM swap attacks leading to the theft of Bitcoin and other Cryptocurrencies.
In this blog, we will discuss everything that you need to know about SIM Swapping and the measures you must take.
What is SIM Swapping?
Hackers are devising new ways to steal mobile identities and use them to circumvent two-factor verification using text messages. If someone can clone your SIM and use their smartphone to simulate your digital identity, you could lose all of your bank balance and Crypto wallet assets. A SIM Swap, also known as SIM Jacking, is a simple, low-cost method for attackers to control a victim’s wireless phone account or mobile device.
You may believe that you have control over your smartphone, but through SIM swap, all of your information and data is transferred to another SIM card which is now under the attacker’s control. To carry out an attack, the hacker follows a social engineering method, wherein they learn and understand how mobile wireless providers authenticate identity. Often, all that is needed is the victim’s phone number.
Studies based on SIM Swap
An empirical study published in January 2020 by a collaborative group of professors and PhD students at Harvard University’s Department of Computer Science and Princeton University’s Center for Information Technology Policy proved the increased possibility for SIM swapping.
In a summary on Twitter, Arvind Narayanan, an associate professor at Princeton and one of the paper’s authors, stated, “The attacker calls your carrier, pretends to be you, and asks to transfer service to a new SIM — one that the attacker controls.” “That’s bad enough but hundreds of websites use SMS for 2-factor authentication, putting your accounts at risk.”
The study examined the authentication protocol of five major U.S. wireless carriers — AT&T, Verizon, Tracfone, T-Mobile, and US Mobile. The authors discovered that all five carriers employed authentication methods that were deemed inadequate after attempting a SIM swap on ten distinct prepaid accounts for each carrier.
Narayan further said, “Taken together, these findings help explain why SIM swaps have been such a persistent problem.”
Narayan revealed that SIM swaps were so common that his phone’s SIM card was swapped during the study. When reported, his carrier’s customer service department was unable to verify him even after identifying the attacker. With the help of his study, he was able to regain control of his wireless account by leveraging a flaw in his carrier’s protocol.
In this case, Narayanan was fortunate for doing it swiftly. Once an attacker gains control of a victim’s wireless account, he can use a myriad of methods for creating mayhem. According to the study, this is due to insecure authentication methods that users use for accessing digital assets online, such as SMS — or call-based two-factor authentication (which becomes insecure once an attacker gains access to your wireless account) and Security questions involving easily accessible public information.
Furthermore, the research uncovered 17 websites where user accounts can be infiltrated by simply swapping SIM cards. T-Mobile considered the study’s publication and shortly notified the authors that it had stopped using “recent numbers’’ for client authentication.
Major Bitcoin Hacks through SIM Swapping
Since last year, there has been a rise in SIM swapping cases. Many Crypto owners have faced SIM swaps, particularly during Bitcoin’s bull run. Many SIM swap targets usually fall into the following categories: a celebrity with a prominent social media presence or someone with a significant quantity of Bitcoin.
In December 2019, Laura Shin, a Cryptocurrency writer and podcaster, released a podcast episode on her own SIM swap experience. Shin was not robbed, but her experience is striking. Despite covering the topic in 2016 and actively safeguarding her accounts years prior, she was yet vulnerable to SIM swap.
The other story involves T-Mobile being sued for a $450,000 BTC loss due to a SIM attack. Calvin Cheng, a T-mobile client, lost 15 Bitcoin in a similar event a few months ago. A Telegram message was sent to the co-founder of an investment fund, offering him a higher market value for his Bitcoin. His personal information was leaked, and hackers used it for SIM swapping. Despite T-mobile’s claim to use the finest authentication techniques, the case flipped and cost them about $450,000.
SIM Swaps Targeting Bitcoin
The fact that Bitcoin transactions are recorded on the Blockchain and cannot be reversed makes Crypto owners more enticing SIM swap targets than conventional wireless carrier consumers. Even if it is traceable through Blockchain analysis, authorities have a considerably more difficult time seizing stolen Bitcoin.
According to Appenzeller, most people will not be targeted for a SIM swap, but if someone has “say, $10,000 in a bitcoin wallet, SIM swapping clearly becomes economically enticing to hackers.”
Moreover, unlike other online banking accounts, very few Crypto exchanges, including Coinbase, Gemini, and Binance.US are covered by the Federal Deposit Insurance Corporation (FDIC). As a result, it insures deposits in member banks of up to $250,000. This sounds reasonable, especially given Bitcoin’s worth as a decentralized and immutable asset. However, it also implies that Security should never be taken for granted.
There have also been cases of more advanced malware attacks that defeat application-based 2FA without requiring a SIM switch. These include the use of imposter phishing websites, like the one used in the recent Binance attack, as well as the more nefarious DNS hijacking or poisoning, such as operation sea turtle, which is generally employed by nation-state actors for surveillance.
The good news is that technology and basic measures can protect you from SIM swaps and more advanced phishing assaults.
The Rising Voice on Sim Swapping
Meanwhile, more and more people are speaking up. On January 9, 2020, a letter signed by six US lawmakers was delivered to Ajit Pai, the chairman of the Federal Communications Commission (FCC). The letter included a statement from investigators with the REACT Task Force on overall SIM swap harm in support of improved protection for wireless users against SIM swap fraud. The letter read, “They know of more than 3,000 SIM swap victims, accounting for a $70 million dollars in losses nation-wide.”
It also claims that SIM swap hacking has advanced in sophistication. In addition to outright bribery, attackers are now hacking directly into wireless carrier systems by either convincing or coercing store employees to execute malware in the form of remote desktop protocols on their computers. The lawmakers and authors of the letter recognized SIM swaps as a serious national Security threat. According to the claim, many federal agency personnel use varying levels of 2FA.
As per the theory, an organized group of hackers or nation-state actors could gain access to public officials’ email accounts. They could use the access to cripple them in several ways, such as issuing a fake emergency alert from the Federal Emergency Management Agency’s alert and warning system.
How to Avoid a SIM Swap?
- First and foremost, you should never respond to phone calls, text messages or emails requesting personal information.
- Restrict the amount of information you share online, such as full name, phone number, address, etc. Make your online profiles more private.
- Make sure that your password includes a strong mix of characters such as symbols, numbers, and upper-case characters.
- Store your Bitcoin in a Hardware wallet. It is crucial to secure your private keys with a hardware wallet and multisig.
- Do not use browser-based wallets.
- In addition to your digital wallet, use a password manager along with multiple encrypted USB backups.
- Avoid using phone-based 2FA; instead, use hardware-based 2FA for web applications.
- Use app-based authenticators such as Authy and Google Authenticator.
- Avoid keeping your Bitcoin on an Exchange.
- Thoroughly read and review the Security policies of your wireless carrier and other online accounts.
- Make a note of crucial account webpages in your bookmarks.
- Set up a Google alert for the terms “SIM Swap,” “hacker,” and “court case.”
- Do not use public WiFi or computers for financial transactions.
Cryptocurrency is a complex market; given its Security hurdles, it can feel overwhelming. However, it is critical to invest time in adding more layers of protection inorder to safeguard your identity and Crypto funds. Then, the hackers will have a hard time breaking in, and you will never be the next victim.
Disclaimer: The author’s views and opinions are for informational purposes only and do not constitute financial, investment, or other advice.