SIM Jacking attacks are on the rise for crypto holders
Here are the top 3 steps you should take to protect yourself
You wake up to an email from Coinbase notifying you that your withdrawal has been confirmed.
“That’s strange,” you think. You didn’t move any coins last night.
You start to call Coinbase to ask what happened, but realize your cell phone isn’t working. You usually get four bars of service at home, but today you just see four vacant dots “….”
That’s weird. You borrow a roommate’s cell phone and call your cellular provider. You find your way through the cell provider’s tangle of phone numbers, options, and security challenges. After several long minutes listening to a poor-quality version of Beethoven’s 5th while on hold, you’re finally talking to a real person.
They explain you called in yesterday, and requested your SIM card be swapped to your new phone. Dutifully, they completed the request. But you explain you didn’t buy a new phone, or call your cell company. It wasn’t you. You log in to Coinbase, and realize the worst. It’s all gone.
You’ve been SIMJacked.
What is SIM Jacking?
Simply put, SIM Jacking is when someone impersonates you to your cellular provider in order to steal your cell phone number. The individual (or individuals) who SIMJacked you could be your next door neighbor, but more likely they are halfway across the world, operating as a heat seeking missile in search of unprotected assets.
Your cell phone number is a key to your digital life. Your email, social accounts, messaging platforms, all use cell phone numbers as a password recovery option. Because of the irreversible nature of crypto transactions, SIM Jackers have increasingly been targeting users of cryptocurrency, using SMS text-based account recovery methods to log into exchanges, seize your funds, and move them to their own wallets.
This 2018-era attack has 3 easy steps:
- A hacker convinces a phone company to switch someone’s phone number to a SIM the hacker controls.
- The hacker uses the phone number to log into the victim’s Coinbase account, or another exchange.
- The hacker then transfers crypto to an address they control.
The first warning signs include a loss of cell service, and out of the blue account recovery notifications, as recently detailed by a BitGo engineer who lost $100,000 in a SIMJacking attack.
A more current, more nefarious attack that we’ve seen in 2019 is SIM Jacking coupled with extortion. Here’s how it works.
- The hacker convinces a phone company to switch someone’s phone number to a SIM the hacker controls.
- The hacker rummages around through the victim’s digital life, trying to find something embarrassing. Embarrassing could mean anything from nude pics, to business records, to evidence of an affair.
- The hacker threatens to release this information publicly, and extorts the victim for as much money as they think they can get.
One crypto community member recently pointed out to me that victims of these extortion campaigns are often female, and targeted because of it. Presumably, the threat of ruining a career, combined with salacious information about relationships or private pictures, can be used to extort them.
Prominent members of the crypto community have been SIMJacked recently. Preethi Kasireddy, a former partner at Andreessen Horowitz and technologist at Coinbase, recently tweeted, “This is actually the 3rd time this has happened (T-MOBILE).” Cassandra Shi, a former employee of the Ethereum Community Fund, tweeted in May, “I am getting sim swapped…. And my telegram account is comprised.”
There have been reports of dozens of prominent crypto community members SIM Jacked over the last few weeks.
The canary in the cypherpunk coal mine
This massive problem is a barrier to mainstream adoption of cryptocurrencies.
As blockchain moved from the fringes of society to the early adopters, we saw a tenfold increase in the legitimate usage of crypto assets. As blockchain moves from the early adopters to the early majority, we will again see a tenfold increase in usage of crypto assets.
Each time blockchain usage grows, there are more targets for scammers looking to make a quick buck. The problem is growing, and it doesn’t help that existing cellular carriers are not equipped to handle it (or even publicly acknowledge its seriousness) in any way.
In some ways, this is a math problem. The major consumer carriers likely get thousands of SIM forwarding requests per day, and only a dozen SIM porting attacks. By employing clever social engineering tactics — or perhaps having a contact on the inside at a call center in your community — a hacker can make thousands, maybe millions, of dollars in one day.
It is also a responsibility problem. Many social media, email, and messaging platforms have offloaded the liability of authentication measures to cell phone providers. This is a huge issue because being the source of authentication, and identity to an extent, is not what service providers enter into contract with clients for. They generally just provide cell phone service and data.
In other ways, it is an incentive problem. A cellular provider might employ someone for only $9,000 per year in an offshore call center. Their employees may have low morale or perhaps even have a low opinion of their customers. With a large enough reward, those same employees may be willing to collude and sell access to the cellular database.
This is also a training problem. Cellular phone representatives are mostly operating off of scripts, and are not always equipped to handle the latest social engineering techniques.
Lastly, there is a transparency problem. Cellular providers are not required to report SIM Porting attacks to the FCC, nor are they regulated in any meaningful way as to protect their customers from these attacks.
These problems compound with the growing usage of crypto, making a perfect storm for crypto thieves.
How to take the proper precautions in three steps
1. Demand additional security from your cell carrier
Kasireddy, mentioned above, recently tweeted: “This is actually the third time this has happened (T-MOBILE). I added pin codes and that didn’t work. I even asked them to not make any changes to my account unless I show up in person, but the social engineering is beyond me at this point.”
If you hope that your cellular carrier is going to protect you, then I’ve got some solemn news for you: It likely can’t. Still, requests for help and added pressure can bring awareness.
A cellular provider can offer to add “special instructions” in the notes field of your account to prevent SIMJacking, such as notes requesting that the account owner be physically present in a store location to change a SIM card. However, speculation in the crypto community is that those notes are not enforced, and are frequently overlooked. Further speculation in the crypto community is that these SIM swap attacks are so profitable, there is sufficient incentive for inside jobs to occur within a phone company’s rank and file.
Ideally, consumers wouldn’t have to rely on speculation to understand why these attacks keep happening, but many cellular carriers have not yet been transparent about this problem. The unfortunate reality is that unless you are willing to change your phone number, you will not be able to guarantee the prevention of such a hack.
That said, if you are willing to switch your phone number, there is hope. As much of a headache as it can be, this is an option worth considering.
Consider switching to Google Fi or Google Voice
Using Google Voice, you can set up a phone number which will forward to the one provided by your cellular carrier. From there, you never give out the cellular carrier number, thus preventing any would-be SIMJackers before they ever get started.
2. Limit your downside exposure
Another strategy is to limit your downside exposure to SIM Jacking attacks. First, disable “phone based account recovery” from as many of your cloud accounts as possible. Note that account recovery is different from two factor authentication.
- 2FA (two factor authentication) requires two factors, usually entering an email, plus a code texted to your phone, to log in.
- Account recovery is how your login credentials are reset if you forget your login info.
Check your two factor authentication settings. If you use Authy, make sure that you have the multi-device setting disabled, as hackers have used multi-device to hijack Authy accounts after SIM Jacking.
Next, disable phone based account recovery on your primary email provider. Your primary email provider is the first thing a SIMJacker will try to break into, as it contains the keys to many of your online accounts. You’ll want to change phone based account recovery to be 2 factor based recovery, or email based recovery.
The third thing you’ll want to do is disable phone based account recovery on your other social accounts. Here is a checklist you can run through.
Lastly, make sure your crypto is in a safe place. Many bits have been spilled on this topic already, and I encourage the intrepid reader to look into this topic, but the TLDR is “hardware wallets are great.”
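To see why the primary email account matters so much, here is an added example (not part of the original article) that traces which accounts fall, directly or through a chain of recovery options, once a phone number is stolen. The account names and recovery settings are a constructed inventory, and the model assumes that controlling any one recovery channel is enough to reset that account's login.

```python
from collections import deque

# Constructed inventory (not from the article): account -> recovery channels.
# "phone" is an SMS or voice call to your number; naming another account means
# "whoever controls that account can reset this one". Channels such as "totp"
# or "backup_codes" are not obtainable by taking over a phone number.
ACCOUNTS = {
    "email":    ["phone"],
    "exchange": ["email"],
    "social":   ["email", "totp"],
    "storage":  ["backup_codes"],
}

# Same inventory after switching the primary email off phone-based recovery.
HARDENED = dict(ACCOUNTS, email=["totp"])


def sim_swap_exposure(accounts, stolen="phone"):
    """Return {account: chain} for every account reachable from `stolen`.

    The chain lists each hop, e.g. ["phone", "email", "exchange"], so you can
    see which recovery setting to change to break it.
    """
    chains = {}
    controlled = deque([(stolen, [stolen])])
    while controlled:
        channel, chain = controlled.popleft()
        for name, recovery in accounts.items():
            # An account falls once any of its recovery channels is controlled.
            if name not in chains and channel in recovery:
                chains[name] = chain + [name]
                controlled.append((name, chains[name]))
    return chains


def report(accounts):
    """Human-readable lines, one per exposed account."""
    exposed = sim_swap_exposure(accounts)
    return [f"{name}: {' -> '.join(chain)}" for name, chain in sorted(exposed.items())]


if __name__ == "__main__":
    print("Before:", *report(ACCOUNTS), sep="\n  ")
    print("After hardening email:", *(report(HARDENED) or ["nothing exposed"]), sep="\n  ")
```

In this inventory only the email account lists the phone as a recovery channel, yet the exchange and social accounts fall with it; changing that single setting empties the list.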
Hudson Jameson, a ‘cat herder’ at the Ethereum Foundation notes: “Make sure you have a plan if you are SIM swapped. My SIM swapper logged into my Facebook messenger and told my friends I had been kidnapped. When I was eventually able to call my spouse after my cell service was reactivated, my wife was incredibly upset, but had great opsec skills and told me, ‘I’m about to ask you two questions to make sure you are actually Hudson.’ After answering those questions she knew it was me. If you have enough cryptocurrency that you could be a kidnapping risk (or even if you aren’t) think about having some kind of word or phrase that would indicate you are speaking against your will or are in trouble.”
He continues, “Whenever I was SIM swapped, my spouse announced on Twitter that my phone was hacked or stolen. After that Harry and Taylor from MyCrypto spread the word around Twitter and a bunch of important chat rooms. I was working at the Ethereum Foundation and had a start up, Oaken Innovations. Oaken immediately cut off all of my accesses and got in touch with my spouse. The Ethereum Foundation had an emergency security meeting and cut off all of my access. If you are a part of a devops team or have employees, have a plan in place for if they get SIM swapped so an attacker doesn’t gain access to your systems.”
Kraken’s Security Advisory about Mobile Phones is also a good read.
This can seem like a lot (and it is). One way to tackle this monumental to-do list — and to have some fun — is to have a SIM Jacking Party. Invite four friends over, and try to break into each other’s online accounts. Think creatively, see what you discover, and patch up any security holes by the end of the night.
3. After an attack, exercise damage control:
If you’ve been attacked, hopefully you went through the checklist above. After all, an ounce of prevention is worth a pound of cure. If you have completed the earlier checklists, you will be in a much better situation.
The crypto community also shared this advice with me:
- Contact your cellular provider — in person is better — and get your phone number back.
- Do not respond to your attacker. Turn off read receipts. Go dark, and make them think you are unreachable.
- Demand that your cellular provider disable porting in your account without you being physically present in the store.
- Get your email back.
- Call each social account, and cloud accounts like Dropbox (start with the most important ones) and get your access back. Here is a checklist you can run through.
- Get a new SIM Card, and keep the old one in case you need it for evidence.
- Make sure you don’t repeat passwords, and start using tools like 1Password.
- Reach out to decision makers and legal officials. Ron Patiro, West Coast Lead for ConsenSys, recently tweeted, “If you are in the US and have been simswapped, I recommend emailing Samy from the Regional Enforcement Allied Computer Team at starazi@rtf.sccgov.org. Stay secure and 2FA!”
Cellular carriers, we are counting on you to change.
As a society, our use of phone numbers has evolved over time from just making phone calls to many, many use cases — personal, social and financial.
As Joyce Lai, an attorney at ConsenSys, puts it, “Mobile carriers need to understand that they need to do a better job at securing people’s phone numbers. Phone numbers simply aren’t what they used to be 20 years ago. It’s used for much more than talking to someone. In fact it’s probably rarely used for talking.”
I personally have spent 4 hours in the phone tree, and on Twitter, haggling with my cellular provider to take this seriously. I do not know if my experience is representative of others, but sentiment from prominent members of the community on social media would seem to indicate that it is.
It is time for cellular providers to update their antiquated OpSec practices, and to take this problem seriously.
I propose we start by demanding cellular providers:
- Provide public monthly transparency reporting on SIM Jackings, including the volume of attacks, root causes and remediation efforts
- Create an internal disciplinary process to hold employees who allow customers to be SIMJacked accountable.
- Create a fund and insurance to help victims of SIM Jacking, so that victims can move on with their lives.
If you take this problem as seriously as I do, demand that your cellular provider take this seriously, and leave if they don’t. Let’s bring the community together, and get this issue solved.
About the Author
Kevin Owocki is the founder of Gitcoin.co, an Ethereum-based network for growing open source software with incentivization mechanics. He has a BS in Computer Science, 10 years of engineering leadership experience in startups and Open Source Software, and is a community organizer in the Boulder Colorado Tech Scene.
Kevin believes strongly that Open Source Software Development should be sustainably funded. Gitcoin is a one-stop shop that gives Software Developers the skills & connections to survive and thrive in this new blockchain ecosystem.
You can find out more about Gitcoin at https://gitcoin.co and Kevin at https://owocki.com