Topic: My SIM swap attack: How I almost lost $71K, and how to prevent it (Read 306 times)

legendary
Activity: 2590
Merit: 3015
Welt Am Draht
If you use SIM-based 2FA your entire financial future may hinge on how engaged some bored call centre worker on 10 bucks an hour is feeling that afternoon. That's not reassuring.

What's bizarre is how many companies don't offer alternatives when they should know the risks perfectly well. In the UK quite a few banks are now moving to making all internet banking and online shopping transactions require SMS-only confirmation. There are probably hundreds of thousands of people who have no signal at home and they're not being offered landline or email as an alternative.

I quite often never get a text message arriving, or if it does it's several minutes after the window has expired. It's seriously clunky and needs to be given the boot.

legendary
Activity: 3038
Merit: 1169
There are a lot of holes in the system that hackers might see, especially with an undeniably weak wallet that lets you store your Bitcoin and other cryptocurrencies; that will be a big problem if the wallet is an online site. Hackers can surely attack anything that is connected to the World Wide Web. There is no perfect online service and we should always treat them that way. Always use the site with caution because you will never know when they will attack. It is better to be prepared and ready, and if it happens to you, it should become a lesson you will never forget.
full member
Activity: 593
Merit: 100
One month ago, I was part of a coordinated attack on blockchain executives. (I am one of the co-founders of https://provide.services). It was shockingly easy for them to take over my accounts, despite being security conscious. They attacked dozens of others around the same time across T-Mobile, AT&T and likely others.

I hope this story and the lessons learned help you protect your crypto!

https://hackernoon.com/my-sim-swap-attack-how-i-almost-lost-dollar71k-and-how-to-prevent-it-tj39q3aju
This is one of the most common attacks in many years, and there is no correct way to stop it. Professional hackers can break all security. They always have new attacks to remove all layers of security to hijack the accounts of the users they want. The best way to ensure the security of your account is to turn on all the security layers provided by the system.
legendary
Activity: 3234
Merit: 5637
I recently needed to change my SIM because my new phone does not support the old SIM type. I went to a store of my mobile provider with my ID and old SIM, and all they asked from me was my mobile number. I got a new (cloned) SIM in less than 2 minutes, and I must admit that I was shocked by the manner in which this procedure was conducted. I am not talking here about some lesser-known mobile provider, but a big EU company that should protect its users much better than just giving replacement SIM cards to anyone who asks.

Because of this experience I would never use my mobile phone number as extra protection in any service, especially not those associated with cryptocurrency.
full member
Activity: 1624
Merit: 163
If I remember correctly, this also happened to a YouTuber too, I think it's h3h3. A person was able to change his number, which holds his YouTube account. It's scary how easily numbers could be changed without the owners knowing. I mean, how low is their security for them to just SIM swap without any proof of ownership? That is just absurd.
copper member
Activity: 242
Merit: 18
This is scary, but informative. Attacks come in different forms. The network providers will have to do better in securing their users against SIM swapping and other related attacks. Users should also try to secure themselves against the attacks. Users are the greatest weakness to all attacks.

Banks, exchanges and phone companies will have to work together to prevent all these kinds of attacks, because more attacks will keep coming, especially as the blockchain horizon widens.
Ucy
sr. member
Activity: 2674
Merit: 403
Essentially for those who won't click and read, don't allow your passwords and 2FA to be tied to a phone number. Your cell provider who employs unknowing teenagers will easily bend rules and print SIMs with phone numbers without proof of ownership.

Is it that easy to print a SIM these days? Don't the network companies ask for stuff like biometric ID? Either they are bribed to clone the SIMs or some very influential people are doing the cloning.
Good advice though on not allowing one's passwords and 2FA to be tied to a phone number.
legendary
Activity: 2702
Merit: 4002
Essentially for those who won't click and read, don't allow your passwords and 2FA to be tied to a phone number. Your cell provider who employs unknowing teenagers will easily bend rules and print SIMs with phone numbers without proof of ownership.
Sorry for your loss.
It is not limited to your service provider, but using the phone to verify your accounts weakens the protection of it rather than enhancing it.
There are many reports about SIM swapping and other ways that hackers can use to access your text messages and then access your account directly.
I hope that the user will publish a summary of this story, as randomly clicking on URLs is also a technical threat.
jr. member
Activity: 58
Merit: 4
Quote

Not really the best way to advertise your business...just saying!


This was a coordinated attack on blockchain leaders. I am also a strong proponent of the agile methodology who strives to be "less wrong" versus "right" (read: close-minded), and believe that failure is something to be socialized and a learning experience for as many as possible. The real question is what you do from failure? I'm starting here hoping that others learn and are better protected, but also am using my position to work on better tech to solve this. That's the long tail though. This is the start.

If leaders don't use their position to help others, are they really a leader?
legendary
Activity: 2030
Merit: 1569
CLEAN non GPL infringing code made in Rust lang
You should only keep spare change in a phone wallet anyway, never important amounts. Phones are vulnerable in a multitude of ways beyond this particular attack; they are almost as bad as a PC running Windows.

Perhaps a hardware wallet would be wiser for less modest amounts, but for truly large amounts a cold wallet (seed words written with your own hand on a piece of paper) is a must, with the proper protocol (offline computer, live Linux wallet creation, etc).
legendary
Activity: 2912
Merit: 6403
You lost me at:

(I am one of the co-founders of https://provide.services).

Not really the best way to advertise your business...just saying!
copper member
Activity: 546
Merit: 1
This is so sad to hear; I believe this will be an eye-opener for everyone seeing this news. I have learnt a thing or two from this and I do hope I don't fall victim to such. 100% protection of assets and wallets is not guaranteed anywhere, but hopefully our funds are safu regardless of where they are. Haha
legendary
Activity: 3556
Merit: 9709
Essentially for those who won't click and read, don't allow your passwords and 2FA to be tied to a phone number. Your cell provider who employs unknowing teenagers will easily bend rules and print SIMs with phone numbers without proof of ownership.

This is bad news to be honest. I suggest that anybody who uses online wallets etc. never text anybody about their involvement in bitcoin. There are so many tech-gifted people around willing to misuse their ‘talents’. You never know who is following your footsteps via text or call.

Basically the one & only rule has always been: do not leave large amounts of bitcoin on online wallet providers where your phone number is linked. In fact, don’t leave any significant amount online, full stop.
hero member
Activity: 2184
Merit: 531
Essentially for those who won't click and read, don't allow your passwords and 2FA to be tied to a phone number. Your cell provider who employs unknowing teenagers will easily bend rules and print SIMs with phone numbers without proof of ownership.

It's much more important to keep your phone safe. Holding money and passwords on the phone makes it as valuable as your wallet. Would you leave your wallet at a store for people to open and play around with?

I'm more interested in screening of employees at that store. It's time for them to start keeping cards locked in a cabinet with only 1 person holding the key.
jr. member
Activity: 58
Merit: 4
One month ago, I was part of a coordinated attack on blockchain executives. (I am one of the co-founders of https://provide.services). It was shockingly easy for them to take over my accounts, despite being security conscious. They attacked dozens of others around the same time across T-Mobile, AT&T and likely others.

I hope this story and the lessons learned help you protect your crypto!

https://hackernoon.com/my-sim-swap-attack-how-i-almost-lost-dollar71k-and-how-to-prevent-it-tj39q3aju