Topic: Unfortunately, this problem is increasing yearly (Read 311 times)

During sim swaps it is a standard practice or requirement that users provide important information about their old sim like your name, DOB, mother's maiden name, 5 frequently dialled numbers, last airtime recharge etc. So how can scammers successfully claim that they are the bonafide owner of the sim if they don't have these information? Only one thing makes sense... They might be getting help from someone in the Telecom company. Well, this is a major problem for people (ignorant ones and traders) that still keep their assets on CEX, but having your assets in a non custodial wallet would safe you from this kind of hack.

It happens everywhere
India:
https://indianexpress.com/article/technology/tech-news-technology/sim-swapping-how-to-avoid-being-a-target-8026237/
South Africa:
https://www.bleepingcomputer.com/news/security/south-africa-wants-to-fight-sim-swapping-with-biometric-checks/
South Korea:
https://cryptonews.com/news/sim-swaps-other-crypto-related-crimes-set-to-rise-in-south-korea-says-sk.htm

It's just the fact that it makes more waves there because of the sums involved, pretty hard to find somebody with 1 million in his bank account or Binance account in Elkhalil compared to NYC.


That's not what's happening here, how would you secure your 2FA with a number you don't even know it exists in the first place?


No, it doesn't, that a local setting for your phone, the new sim that will be issued to the attacker in this case will not ask for a PIN.

If there is one thing you can do is to set an alarm on your phone when it loses signal, when the attacker is at the desk asking for a new sim the moment that one is activated by the mobile operator, so even before going in the attacker phone yours will be disabled so your phone will lose access to the network, that's the moment you try a code like #xxxx or whatever and if doesn't work then you call instantly your mobile operator from another phone and disable the number.
Since the sim swaps can only happen during working hours and not at night and swift reaction can prevent a loss.

I have been doing your advice since I started using crypto. I only use authenticator like google authenticator (when it's used by many people before until there's a new authenticator that is more reliable than google authenticator) instead of using my mobile number for verification and such. It's not that my identity is linked to my mobile number but still, I never use my mobile number especially at this time where th government in my country requires us to register our sim which needs our personal detail and ID. It's better to use sms as it is for messages and non-related to crypto information.

If this guys who are the main actors in doing this shady acts were discovered then we should have eard about something concerning them being caught, or handed to the police for tarnishing their company's reputation, this will also serve as a strong warning to many if the organizations to double up their security measures and checks in other not to create an open means for scammers to use their services and products for their evil acts.


Don't store any sensitive informations on your sim card because if anything should go wrong with it, the all access to your assets are gone, well i believe in some countries, their mobile phones do come with network already on it and there's no need of applying sim card again.

So, I suppose that those 75 ETH and 0.7 BTC are stored in an exchange wallet because SMS 2FA is involved. Storing that much of fund in exchange is already very risky, the hack wouldn't happened in the first place if those fund were stored in a hardware/cold wallet. Exchange are only supposed to be used for exchanging cryptos, not storing a huge amount of crypto in a long time.

This is a big problem, we may not have any idea that the SIM registered with our ID card is being used by someone else without our knowledge. Earlier purchasing a SIM was a very difficult matter but nowadays a SIM can be easily registered with any ID card. We should refrain from buying SIM or sharing our ID number with other people and if ever our SIM is lost then we should go to the nearest customer care and block the lost SIM so that someone else can use it in our absence. If our lost SIM is used by someone else and if that SIM is used for any criminal act, then the administration will tag our ID number and directly identify us as a criminal, so we must be careful before falling into such a danger.

I guess aside from being aware of the sim attacks, the platforms should also enforce that they should force their users to use other way of 2FA aside from SMS.

Since the proliferation of this attack, an alternative is much better and that's through email and as well as the usage of the 2FA apps.

Just last night, someone called me out of nowhere and has got my number offering me a job but it was an obvious scam job. So, in theory, that these hackers can be everywhere and have the source of our numbers so it's easy for them to penetrate and attack random people and if they're lucky enough, if the sim card that they're able to copy was used for transactions in banking and crypto, that's where the danger is.

This may be a rumor, do to my own opinion, they cannot transfer a person's number to a new sim card without the owner's permission. Because even that a person has lost his sim card and he want to the MTN office to have his information swiped before they can his swipe, they will ensure that his personal information is accurate.
The only way to obtain someone's SIM without his permission is through cloning.

 

In my country, there is something called sim cloning, where some tech guys can just pay some money and your sim card can be cloned while you are even using it, and they can just easily access your bank account or get your OTP code. It's something that's very common. Crypto enthusiasts should always remember one important rule of holding Bitcoin, which is "not your key, not your coin. Even while using some of those crypto platforms, the person should not just use their SIM card as the only means to receive an OTP; they can bind it to more than one 2FA, such as SMS, email, and Google 2FA. That is how I make sure I don't only use one 2FA on all of my accounts, which I use for financial transactions or trading.

Honestly, I find SMS 2fa inconvenient -- at least in the long run.

It's merely easy to setup because of how widely used SMS services have been hence, people are so much more familiar with it + no backups are needed (instead you trust your service provider which as mentioned have caused trouble multiple times) so there is little to no learning curve.

But here's the thing, I have used services where you don't have a choice other than SMS 2fa. Oh god, SMS getting delayed or lost is pretty much inevitable even with good signal on my phone. I move around from places to places as well and there were areas where the signal is just poor. On my TOTP app, I don't need to rely on network providers and I always get my code the moment I open my app.

I'd choose TOTP any day. It's more convenient for my use case and most importantly, has better security.

why would at&T tolerate this behavior of those people that's bad for business, anyway or maybe hackers have gather your information somewhere and change, at the same time avoid giving information via phone, a lot of people in my country give information when someone pretends that they are employee of the company or telecom, someone try to do this to me, asking what is my email address, i return the question to him, saying you have my records, in your computer why are you asking it again, also like birthdate , it ended up that he is not working in the company, also avoid using your mobile phone when signing up to a certain site which you don't have any clue, those are just farming information, have you wonder someone called you from a store, and you have no clue why they have your number? I would say, there will come a time that you have no choice, but to use those exchange,  so just securing your phone, never click some links, and your good, never entertain calls , you have no business, i received lots of calls last year from unknown exchange, I just ignore them, until now still safe, thank god.

But this is a two way problem like people handing out their numbers risks their privacy while service providers are not adding additional security measures like 2FA with passwords and for me TOTP is better then simple OTP but the problem again is people are keeping them on save devices.They will have authenticator app downloaded in the same device which also possess risks of theft but we need to keep it safe.

Thats why better to activate all authentication not just number or 2fa or email but all of it. Unless one of them are not met then transaction would be void. I think Binance has something like this and its a good security measure. If one of the following has been stolen at least they needed more info to make it complete.

Im not sure if those are trusted authentication but its better to have more options when it comes to security measure.

The average Joe uses a 2fa. While we should be careful of using the sms 2fa we should be more careful when using authenticator app from. Why it is so is because unless you are 100% access to your phone all day, the Google authenticator does have a feature that allows you to lock the app. So even though you have the app for security, it is not secure as anyone that gets a hold of it can have easy to your assets and steal them.

I believe that sim swap attacks can only work when the operators allow the malicious people to use a sim without proper verification. Sometimes the telecommunication companies appoint so naive team members in their operations who really aren't good in technology and because of those people the hackers can apply their social engineering skills to accomplish their goals of sim swap attacks. Those hackers try their best to convince the telecom operators by saying that they have lost their sim card or their sim card was stolen and that's why they want to have another sim card. They can only do that when they have full details of the victim which they already got using their social engineering skills.

I also believe that storing your coins on an exchange is risky and sim swap attacks may work on all of exchanges because when a criminal gets access to someone sim then that person also gets access to the email addresses of the account owner and that malicious person can easily steal coins from those exchanges by log into the exchanges from the same sim number and email addresses. Most people rely on Google authenticator and at the same time most of them have registered their exchange's account on the same email address.

The hackers know these things and when they are confirmed that everything will work according to their plans then they just execute their plans and steal the coins from the exchanges. I would recommend everyone to use other authentication software instead of Google authenticator. And, if you really want to be safe from sim swapping attacks then never ever share your details with the ones online and also never tell anyone about your crypto investments because sometimes we ourselves leak most of the information and the hackers can then use that information to steal us.

With all of these charges against them, they will not be punished if there is no real evidence to back up their claim. They'll get away with it and defraud more individuals.  It's also possible that the Telecoms company will want to protect its brand and will not allow such news to spread like wildfire.


This is still the most convenient and user-friendly way to access your wallets while trading cryptocurrency on such exchanges. In situations like this, comfort should not take precedence over security.

Sim swap has been long since it has been in existence, but the use of mobile phone number for Authentication for crypto has redirect their attention to crypto and this is why we hear of multiple hack even when you have your phone number with you and I'm not sure if these Telecommunication companies take account of what happen to people funds, they most likely lock up and act as if these breaches don't happen.

There is one thing that commonly lead to sim swap, here in Nigeria, telecommunication have limitation in which their sim will be kept off from phone without use, if they found out in their system that your sim card is offline for 6 months, they will assumed that your sim is not longer in use and they will have to recirculate the same sim for another person, the same number but under different identity. I don't know why they do that, but maybe their terms state it on their privacy and condition. This is one of the ways which sim card are circulate back to users.

Last year, the wife of the former president of Nigeria Sim card was some how reproduce and sold to another person, the person behind the new sim was using it to receive money from people after finding out that high profile people were calling the number in different occasions but he was later caught and arrested and when they did investigations, it was sim swap but this was done in the company without knowing the sim was registered under the President wife.


The solution for centralized users can use Google Authy for extra security instead of phone number or simply avoid the use of centralized exchanges, if you escape sim swap, you might not escape exchange hack.

Sim swap has a different procedure, which includes requesting the sim user’s personal information, including their NIN number and some personal information. I don’t think there will be a problem if you redirect your personal information to another sim in the name of Sim Swap.

These recommendations are excellent and will provide us with the utmost level of protection we require, as holding bitcoin in exchanges is not recommended because only exchanges will request such personal information.

Electrum and other open-source wallets do not require phone numbers in order to access or keep your bitcoin.

It's really an unfortunate one indeed, I think the owners should sue the sim company until the perpetrator fished out. The victim should work with the exchanges and the sim company to come to the root of this. I believe the exchange will have the IP and wallet address used for the operation. This is just my suggestion. I think every Crypto investor needs to be super careful as this attacks comes in different shades and forms.

Many person store their Crypto on exchange for easy swapping , selling or doing any kind of transaction with it. I believe such people should have taken caution with the news of attack flying here and there. Anyone falling victim, chose to be victimized.
 

Someone from inside doing these. What are the points of using SMS verification for security purposes if that telecom company doesn't want to enhance its security measures? They need to identify these people who are bypassing the security and letting those scammers get account-to-user accounts.

I personally use Google auth and Authy for one-time passwords. Here is some hardware and app-based one-time password option that can be used instead of using your phone numbers.

app:
   

• Google Auth.
• Aegis
• Authy
• 2FAS
• Microsoft Auth.

Hardware:

• YubiKey
• Nitrokey

SIM swapping can happen when someone who works for your mobile service provider isn't well-trained or well-paid. This can lead to security issues sometimes.

The company that provides your SIM card should take responsibility because they are in charge of their employees. In the end, the company is more responsible than the individual employee, especially if the employee has to do shady things to make extra money outside of their job. This problem often occurs when someone loses their SIM card.

One way to prevent this is by setting a PIN for your SIM card on your phone. I do this, and it asks me for my PIN whenever I restart my phone. I think even a mobile service representative would need to know my PIN to access my SIM card. Does this protect against SIM swapping? I thought it did, but I'm not entirely sure.

That's the inimical aspect of centralized entities, we are worried about centralized exchanges risk as if it's not enough another has surface from the telcom service providers. This attack transient sim card swapping deep diving to ATM card swapping too in my countryside, so it's ain't something peculiar only to the USA.

It's very easy to rob a person of his money through phone number as it can be easily clone apart from swapping. I do use two factor authentication code system where I have to receive an OTP through my verified email after inputting my personal password. It can't be that possible to clone a Google email compared to a sim card number.

All these Cex have a unique use not disputing their importance in someway buy they ain't reliable as place for storing cryptos. I do use Cex exchange like binance for certain transactions and trades but it's never an option to storing my funds any day any time. A Cex is a Cex no matter what.

It's unfortunate but could be avoided completely if they opted out for 2FA via apps like Google Authenticator instead of receiving it via SMS but most exchanges encourage setting up 2FA as one of the mandatory security procedures to withdraw their cryptos.

IMO, sim swap attacks are far more dangerous to the traditional banking system than cryptos because if someone is able to swap sims they can gain access to the respective bank accounts at ease and every money will be drained before the actual owner notices that is why the users need to be aware where they use their personal information like giving national ID to random verification, etc.

But in this case, it's done by the telecom employees which can't be avoided no matter what but they will face the consequences cause it is a felony and most likely they will end up in prison for decades.

Is this a problem peculiar to U.K. and U.S. citizens? There are quite a lot of people around the world from different nationalities who use exchanges as a bank, they are either lazy, have no knowledge of crypto or they don't want to take the responsibility of being their own bank. Sim swap attack is definitely a problem, but there are other problems for people who use exchanges as banks, problems such as hack, data leak and assets confiscation.

Other than the easiest factor most of the people used to prefer it because they know if the app of Google authenticator or phone is gone and they have no backup keys like account login details then it will becomes almost impossible for them to retrieve the funds. So yeah people prefer to use easy, simple and secure way.

But as op mentioned in his post that the best practise is not to hold your assets on exchanges for longer period of time. Is the best advice because FTX exchange really made life's of many miserable just due to some mistakes. But those who took extra measures are in good conditions because they knew the science behind not your key not your coin.

AT&T is a big company and to be honest I do not really think that company is behind such scams instead someone must have get access to to upper level of brain that they are able to lure AT&T staff into such scams.

I did not knew about sim swap before but your post really made me read about it. Like you said AT&T might be behind it (of course you did not directly called their names) as they are the ones who will retrieve a new sim card with same number and recover it for you too. It means they can do it then after reading an article I came to know that the author of that article says, hackers or scammers try to contact those AT&T type cellular companies.

And they ask to change the sim card and they make any excuse to ask them to recover their sim while they already had all the details about the person whom they are going to scam. Well once the personal details are leaked then those scammers would easily convince the service providers that they are the real owner of the sim number. But in reality they are not.

Point is we should definitely not trust on cellular otps, or centralized exchanges and I am agreed with you on that. But we should also try not to share all our essential information with anyone because personal details causes most of the damage.
https://www.avast.com/c-sim-swap-scam

The issue of Swap SIM attacks is a concern that extends beyond the cryptocurrencies, affecting traditional banking and any accounts reliant on SMS based 2FA

The heart of the problem lies with the centralized exchanges. Remember "Not your keys, not your crypto" holds true even in this context. Entrusting your assets to these platforms puts you at risk without doubt

One potential solution could be to transition away from SMS based verification in favor of one-time password codes. OTPs are typically more secure than SMS, as they are generated independently and are less susceptible to interception. However, it's worth noting that even this approach has its own set of challenges.

In the event of a Swap SIM attack, your email account could also be compromised. For instance, Google recently introduced a feature that backs up your 2FA secrets from the Google Authentication APP to the cloud. While this might be convenient for users, it does introduce a new layer of vulnerability. In this scenario, even OTPs may not provide foolproof protection.

To address these issues, it's essential for both users and service providers to remain vigilant. Service providers, need to continually assess and improve their security measures to stay ahead of emerging threats like Swap SIM attacks.

I agree, and if it's ever useful to anyone, it's good to know that there's a reliable open source alternative to Google Authenticator which is FreeOTP.

I've been using it for years and never had a single problem. I remember that a recent update of Google Authenticator gives users the option of saving their 2FA keys in the cloud, it's not mandatory but I think people should be carreful with this app. A mistake or mishandling can happen very quickly.

It's unfortunate whenever I come across news like this. The truth about the matter is that since there is a centralized risk, issues like this will be inevitable.

- The problem is not only about users but developers themselves need look at other alternatives for two-step authentication.

- Self-custody still rules it anyway. Even if it involves risks but the benefits outweighs the shortcomings for sure.

A lot of these problems would've been mitigated if only people used one-time codes from authenticator apps like Google Authenticator and Aegis; but unfortunately SMS 2FA is still the most user-friendly option out there. And again unfortunately, not every service supports one-time code 2FA — understandably so because of SMS-fa being far easier customer support-wise.

Unfortunately, Sim swapping attacks are still growing rapidly, in this month of August I have got bad news about two U.S based family friend losing over 45 ETH and 0.7BTC because of sim swap attacks.

What I have been able to gather is, the telco guys working inside AT&T and other telecommunication companies are the ones bypassing all security measures, now not even your sim SMS 2FA codes can safe your ass from these guys.

Sim swapping is more easier for them, because, remember, if we lost SIM card or it get damaged we can easily retrieve by their help, they will redirect your number into another new SIM card, and you are back online, This makes telecommunications dangerous when it comes to crypto.

Let's stop deceiving ourselves, there is no solution to this attack than

1. Separate your crypto away from your SIM card number.

2. Stop using your phone number to get verification codes for crypto exchanges and other crypto-related platforms.

3. Stop storing crypto on exchanges, e.g coinbase, crypto.com and Binance exchange.

There is a big problem with people in the UK and US when it comes to crypto, they like storing their coins on exchanges, thinking that those 2FA codes and one time passwords for transactions will save them, which is not impossible for SIM swap attacks.

This was also why most people living in the U.S. and the U.K are the biggest victims of FTX, why these people refers storing crypto on platforms and exchange is worrisome, they are their own problem because crypto was never built to be kept on any exchange.