Author

Topic: [PSA] SIMSWAPPING - Your phone is a weapon against you! (Read 246 times)

jr. member
Activity: 33
Merit: 59
How do I change my username
It is one of those topics that has been mentioned a few times, although it is not as common as other attack vectors on people’s crypto (or other nature) due to it being a bit more suttle and complex to perform that those for example performed through phishing
Ah my bad, didnt see those threads

You need a Google account to sign up for Google voice, meaning that your Google voice phone number is only protected by your email password, and we all know how bad people are at choosing random and secure passwords and not reusing the same password across several sites. Similarly, with a little bit of social engineering and guessing answers to security questions, your Google account can also be broken in to. This problem is made far, far worse if the same Google account includes the email address you have used to sign up for whatever exchange, wallet or service your Google voice number is the 2FA for. It your Google account becomes compromised, the attacker can reset your password with an email to that account, while also using your Google voice to pass your 2FA. It combines both your factors (password and phone number) in to one account, and so it is no longer 2FA at all.
I've taken your suggestion in to account and added a quote featuring your response in the thread, thank you for your input!
legendary
Activity: 2268
Merit: 18748
Google Voice is a google-run service which essentially allows you to have your own VOIP USA based number (Currently only available in USA), a google voice number can't be sim swapped, thus making it the safest to register for services.
I disagree with you here.

You need a Google account to sign up for Google voice, meaning that your Google voice phone number is only protected by your email password, and we all know how bad people are at choosing random and secure passwords and not reusing the same password across several sites. Similarly, with a little bit of social engineering and guessing answers to security questions, your Google account can also be broken in to. This problem is made far, far worse if the same Google account includes the email address you have used to sign up for whatever exchange, wallet or service your Google voice number is the 2FA for. It your Google account becomes compromised, the attacker can reset your password with an email to that account, while also using your Google voice to pass your 2FA. It combines both your factors (password and phone number) in to one account, and so it is no longer 2FA at all.

I think the safest option all round is to not use your phone number for 2FA or recovery on any account, and if you absolutely must use a phone number for something crypto related, then buy a prepaid SIM with cash that isn't linked to any of your personal details, and don't use it for anything else or tell anyone else the number.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
It is one of those topics that has been mentioned a few times, although it is not as common as other attack vectors on people’s crypto (or other nature) due to it being a bit more suttle and complex to perform that those for example performed through phishing.

See for example:

 [BEWARE] Sim Port Attack
 My SIM swap attack: How I almost lost $71K, and how to prevent it
 10 años de cárcel por robar 7,5 Millones de $ en criptomonedas - Sim Swapping -> In  Spanish (by me): 7,5M $ stolen through sim swapping.
  [2018-08-15]U.S. investor sues AT&T for $224 million over loss of cryptocurrency
  Sim Swapped... -> Checkout the alleged quantity.
jr. member
Activity: 33
Merit: 59
How do I change my username
SIMSWAPPING
I saw many other threads on here detailing various scams, security issues etc.
Oddly enough I didn't see one which is most prominent in the crypto community, simswapping.
This guide will give a basic overview of what simswapping is and how to protect yourself.

Chapter I - Introduction to sim-swapping
Lets start by answering one of the first questions that come to mind, what is a "Sim Swap"?.
Sim swapping, otherwise known as a port-out scam is when a malicious attacker uses a complex process of social engineering to swap a victim's phone number to their own phone. Sim swapping usually involves either social engineering an employee of a telecom company, or by using a "plug" (an insider employee in the telecom company who is in kahoots with the malicious attackers and performs the swaps for them with loose or no verification checks).
This method of fraud has skyrocketed in popularity over the past few years, especially in the crypto community, as so many people put blind faith in multi-billion dollar telecom companies to keep their financial assets safe.

Chapter II - Why it is so dangerous?
Sim-swapping is so dangerous because people blindly put faith in telecom companies to secure their accounts.
This blind faith has become too common place because both the telecom companies and companies have created a false sense of security around phone numbers.
It is now far too common that companies require people to use their phone number as a recovery tool for accounts, and it is far too common that people use SMS/Phone # based 2-Factor-Authentication and believe that they are completely secure. The Sim swappers prey on this ignorance and false sense of security that people give themselves bu using shitty broken account protection systems.

It's far too easy to assume that only people who have little to no knowledge of cybersecurity are the only people that fall victim to this scam, people who don't have too much to lose. The reality of the situation is that this is a relatively new method of fraud, not many people are too aware of it to begin with. People have literally lost millions of dollars to this ingenious scam (Articles linked in appendix). Telecom companies and these Sim swappers are in a constant arms-race, and so far, Sim swappers are winning.

Chapter III - How to protect yourself from sim-swapping
Sadly, most telecom companies do not provide the tools required to protect yourself from simswappers, a case study on how even requesting extra security features on your mobile account will not protect you from being simswapped. There are multiple different ways to protect yourself against simswapping. Lets start with the easiest to do. Stop using SMS-Based 2-Factor Authentication, and do not use a real phone number to register for sensitive services, there are better alternatives to each. For stronger, localised 2Factor Authentication, use a program such as Google Authenticator, Authy or any other trusted 2Fa service rather than SMS-Auth. But in some instances, this is not possible, there will be sites which don't allow the use of alternative 2FA applications, or they may require a phone number to verify your account, which could later be used as a means of account recovery, these glaring vulnerabilities can be circumvented by using "Google Voice". Google Voice is a google-run service which essentially allows you to have your own VOIP USA based number (Currently only available in USA), a google voice number can't be sim swapped, thus making it the safest to register for services. There are still analogue services which prevent 2FA apps other than SMS and prohibit VOIP numbers from being used for registration, and there will always be cracks in the infrastructure of telecom companies allowing hackers to exploit their services to be used against their customers. We as a global community of crypto enthusiasts, security freaks and just every day people need to take a stand against services and companies which refuse to give us the security and peace of mind that we deserve as their consumers!

EDIT, thanks o_e_l_e_o for the suggestion, google voice may not be too suitable of a candidate for this.
I think the safest option all round is to not use your phone number for 2FA or recovery on any account, and if you absolutely must use a phone number for something crypto related, then buy a prepaid SIM with cash that isn't linked to any of your personal details, and don't use it for anything else or tell anyone else the number.

Appendix
Simswapping ring who stole millions arrested - https://krebsonsecurity.com/2019/02/more-alleged-sim-swappers-face-justice/
Single simswapper steals millions in crypto (xzayver narvaez) - https://krebsonsecurity.com/2018/08/alleged-sim-swapper-arrested-in-california/
Man requests extra security after first simswap, gets simswapped again and sues ATT for $224m - https://krebsonsecurity.com/2018/08/hanging-up-on-mobile-in-the-name-of-security/
Insider employees assist simswappers - https://www.vice.com/en_us/article/d3n3am/att-and-verizon-employees-charged-sim-swapping-criminal-ring
Single simswapper steals $5m+ in crypto (joel ortiz) - https://www.vice.com/en_us/article/gyaqnb/hacker-joel-ortiz-sim-swapping-10-years-in-prison
Jump to: