Topic: Unfortunately, this problem is increasing yearly (Read 332 times)

During sim swaps it is a standard practice or requirement that users provide important information about their old sim like your name, DOB, mother's maiden name, 5 frequently dialled numbers, last airtime recharge etc. So how can scammers successfully claim that they are the bonafide owner of the sim if they don't have these information? Only one thing makes sense... They might be getting help from someone in the Telecom company. Well, this is a major problem for people (ignorant ones and traders) that still keep their assets on CEX, but having your assets in a non custodial wallet would safe you from this kind of hack.

It happens everywhere
India:
https://indianexpress.com/article/technology/tech-news-technology/sim-swapping-how-to-avoid-being-a-target-8026237/
South Africa:
https://www.bleepingcomputer.com/news/security/south-africa-wants-to-fight-sim-swapping-with-biometric-checks/
South Korea:
https://cryptonews.com/news/sim-swaps-other-crypto-related-crimes-set-to-rise-in-south-korea-says-sk.htm

It's just the fact that it makes more waves there because of the sums involved, pretty hard to find somebody with 1 million in his bank account or Binance account in Elkhalil compared to NYC.


That's not what's happening here, how would you secure your 2FA with a number you don't even know it exists in the first place?


No, it doesn't, that a local setting for your phone, the new sim that will be issued to the attacker in this case will not ask for a PIN.

If there is one thing you can do is to set an alarm on your phone when it loses signal, when the attacker is at the desk asking for a new sim the moment that one is activated by the mobile operator, so even before going in the attacker phone yours will be disabled so your phone will lose access to the network, that's the moment you try a code like #xxxx or whatever and if doesn't work then you call instantly your mobile operator from another phone and disable the number.
Since the sim swaps can only happen during working hours and not at night and swift reaction can prevent a loss.

I have been doing your advice since I started using crypto. I only use authenticator like google authenticator (when it's used by many people before until there's a new authenticator that is more reliable than google authenticator) instead of using my mobile number for verification and such. It's not that my identity is linked to my mobile number but still, I never use my mobile number especially at this time where th government in my country requires us to register our sim which needs our personal detail and ID. It's better to use sms as it is for messages and non-related to crypto information.

If this guys who are the main actors in doing this shady acts were discovered then we should have eard about something concerning them being caught, or handed to the police for tarnishing their company's reputation, this will also serve as a strong warning to many if the organizations to double up their security measures and checks in other not to create an open means for scammers to use their services and products for their evil acts.


Don't store any sensitive informations on your sim card because if anything should go wrong with it, the all access to your assets are gone, well i believe in some countries, their mobile phones do come with network already on it and there's no need of applying sim card again.

So, I suppose that those 75 ETH and 0.7 BTC are stored in an exchange wallet because SMS 2FA is involved. Storing that much of fund in exchange is already very risky, the hack wouldn't happened in the first place if those fund were stored in a hardware/cold wallet. Exchange are only supposed to be used for exchanging cryptos, not storing a huge amount of crypto in a long time.

This is a big problem, we may not have any idea that the SIM registered with our ID card is being used by someone else without our knowledge. Earlier purchasing a SIM was a very difficult matter but nowadays a SIM can be easily registered with any ID card. We should refrain from buying SIM or sharing our ID number with other people and if ever our SIM is lost then we should go to the nearest customer care and block the lost SIM so that someone else can use it in our absence. If our lost SIM is used by someone else and if that SIM is used for any criminal act, then the administration will tag our ID number and directly identify us as a criminal, so we must be careful before falling into such a danger.

I guess aside from being aware of the sim attacks, the platforms should also enforce that they should force their users to use other way of 2FA aside from SMS.

Since the proliferation of this attack, an alternative is much better and that's through email and as well as the usage of the 2FA apps.

Just last night, someone called me out of nowhere and has got my number offering me a job but it was an obvious scam job. So, in theory, that these hackers can be everywhere and have the source of our numbers so it's easy for them to penetrate and attack random people and if they're lucky enough, if the sim card that they're able to copy was used for transactions in banking and crypto, that's where the danger is.

This may be a rumor, do to my own opinion, they cannot transfer a person's number to a new sim card without the owner's permission. Because even that a person has lost his sim card and he want to the MTN office to have his information swiped before they can his swipe, they will ensure that his personal information is accurate.
The only way to obtain someone's SIM without his permission is through cloning.

 

In my country, there is something called sim cloning, where some tech guys can just pay some money and your sim card can be cloned while you are even using it, and they can just easily access your bank account or get your OTP code. It's something that's very common. Crypto enthusiasts should always remember one important rule of holding Bitcoin, which is "not your key, not your coin. Even while using some of those crypto platforms, the person should not just use their SIM card as the only means to receive an OTP; they can bind it to more than one 2FA, such as SMS, email, and Google 2FA. That is how I make sure I don't only use one 2FA on all of my accounts, which I use for financial transactions or trading.

Honestly, I find SMS 2fa inconvenient -- at least in the long run.

It's merely easy to setup because of how widely used SMS services have been hence, people are so much more familiar with it + no backups are needed (instead you trust your service provider which as mentioned have caused trouble multiple times) so there is little to no learning curve.

But here's the thing, I have used services where you don't have a choice other than SMS 2fa. Oh god, SMS getting delayed or lost is pretty much inevitable even with good signal on my phone. I move around from places to places as well and there were areas where the signal is just poor. On my TOTP app, I don't need to rely on network providers and I always get my code the moment I open my app.

I'd choose TOTP any day. It's more convenient for my use case and most importantly, has better security.

why would at&T tolerate this behavior of those people that's bad for business, anyway or maybe hackers have gather your information somewhere and change, at the same time avoid giving information via phone, a lot of people in my country give information when someone pretends that they are employee of the company or telecom, someone try to do this to me, asking what is my email address, i return the question to him, saying you have my records, in your computer why are you asking it again, also like birthdate , it ended up that he is not working in the company, also avoid using your mobile phone when signing up to a certain site which you don't have any clue, those are just farming information, have you wonder someone called you from a store, and you have no clue why they have your number? I would say, there will come a time that you have no choice, but to use those exchange,  so just securing your phone, never click some links, and your good, never entertain calls , you have no business, i received lots of calls last year from unknown exchange, I just ignore them, until now still safe, thank god.

But this is a two way problem like people handing out their numbers risks their privacy while service providers are not adding additional security measures like 2FA with passwords and for me TOTP is better then simple OTP but the problem again is people are keeping them on save devices.They will have authenticator app downloaded in the same device which also possess risks of theft but we need to keep it safe.

Thats why better to activate all authentication not just number or 2fa or email but all of it. Unless one of them are not met then transaction would be void. I think Binance has something like this and its a good security measure. If one of the following has been stolen at least they needed more info to make it complete.

Im not sure if those are trusted authentication but its better to have more options when it comes to security measure.

The average Joe uses a 2fa. While we should be careful of using the sms 2fa we should be more careful when using authenticator app from. Why it is so is because unless you are 100% access to your phone all day, the Google authenticator does have a feature that allows you to lock the app. So even though you have the app for security, it is not secure as anyone that gets a hold of it can have easy to your assets and steal them.

I believe that sim swap attacks can only work when the operators allow the malicious people to use a sim without proper verification. Sometimes the telecommunication companies appoint so naive team members in their operations who really aren't good in technology and because of those people the hackers can apply their social engineering skills to accomplish their goals of sim swap attacks. Those hackers try their best to convince the telecom operators by saying that they have lost their sim card or their sim card was stolen and that's why they want to have another sim card. They can only do that when they have full details of the victim which they already got using their social engineering skills.

I also believe that storing your coins on an exchange is risky and sim swap attacks may work on all of exchanges because when a criminal gets access to someone sim then that person also gets access to the email addresses of the account owner and that malicious person can easily steal coins from those exchanges by log into the exchanges from the same sim number and email addresses. Most people rely on Google authenticator and at the same time most of them have registered their exchange's account on the same email address.

The hackers know these things and when they are confirmed that everything will work according to their plans then they just execute their plans and steal the coins from the exchanges. I would recommend everyone to use other authentication software instead of Google authenticator. And, if you really want to be safe from sim swapping attacks then never ever share your details with the ones online and also never tell anyone about your crypto investments because sometimes we ourselves leak most of the information and the hackers can then use that information to steal us.

With all of these charges against them, they will not be punished if there is no real evidence to back up their claim. They'll get away with it and defraud more individuals.  It's also possible that the Telecoms company will want to protect its brand and will not allow such news to spread like wildfire.


This is still the most convenient and user-friendly way to access your wallets while trading cryptocurrency on such exchanges. In situations like this, comfort should not take precedence over security.

Sim swap has been long since it has been in existence, but the use of mobile phone number for Authentication for crypto has redirect their attention to crypto and this is why we hear of multiple hack even when you have your phone number with you and I'm not sure if these Telecommunication companies take account of what happen to people funds, they most likely lock up and act as if these breaches don't happen.

There is one thing that commonly lead to sim swap, here in Nigeria, telecommunication have limitation in which their sim will be kept off from phone without use, if they found out in their system that your sim card is offline for 6 months, they will assumed that your sim is not longer in use and they will have to recirculate the same sim for another person, the same number but under different identity. I don't know why they do that, but maybe their terms state it on their privacy and condition. This is one of the ways which sim card are circulate back to users.

Last year, the wife of the former president of Nigeria Sim card was some how reproduce and sold to another person, the person behind the new sim was using it to receive money from people after finding out that high profile people were calling the number in different occasions but he was later caught and arrested and when they did investigations, it was sim swap but this was done in the company without knowing the sim was registered under the President wife.


The solution for centralized users can use Google Authy for extra security instead of phone number or simply avoid the use of centralized exchanges, if you escape sim swap, you might not escape exchange hack.

Sim swap has a different procedure, which includes requesting the sim user’s personal information, including their NIN number and some personal information. I don’t think there will be a problem if you redirect your personal information to another sim in the name of Sim Swap.

These recommendations are excellent and will provide us with the utmost level of protection we require, as holding bitcoin in exchanges is not recommended because only exchanges will request such personal information.

Electrum and other open-source wallets do not require phone numbers in order to access or keep your bitcoin.

It's really an unfortunate one indeed, I think the owners should sue the sim company until the perpetrator fished out. The victim should work with the exchanges and the sim company to come to the root of this. I believe the exchange will have the IP and wallet address used for the operation. This is just my suggestion. I think every Crypto investor needs to be super careful as this attacks comes in different shades and forms.

Many person store their Crypto on exchange for easy swapping , selling or doing any kind of transaction with it. I believe such people should have taken caution with the news of attack flying here and there. Anyone falling victim, chose to be victimized.
 

Someone from inside doing these. What are the points of using SMS verification for security purposes if that telecom company doesn't want to enhance its security measures? They need to identify these people who are bypassing the security and letting those scammers get account-to-user accounts.

I personally use Google auth and Authy for one-time passwords. Here is some hardware and app-based one-time password option that can be used instead of using your phone numbers.

app:
   

• Google Auth.
• Aegis
• Authy
• 2FAS
• Microsoft Auth.

Hardware:

• YubiKey
• Nitrokey