How Not To Lose All Your Crypto in a Sim-Swapping Attack

Posted on 4/26/2021 by Mark

Cryptocurrencies are a criminal’s wet dream. Highly liquid, highly portable, and accessible to anyone armed with an Internet connection, assets like Bitcoin have become the Holy Grail for blackmailers, scammers and hackers around the world. 

A cybercriminal will do anything to part you from your hard-earned Dogecoins – whether that means impersonating Elon Musk under his tweets or threatening you with personal details obtained in the data breach of a certain wallet manufacturer.

What’s a SIM-swapping attack?

Your SIM card is a little passport for your phone: it contains information that ties you to your mobile network. Without one, you can’t send/receive messages and calls, or trade with 125x leverage on a 4G connection. 

Just like a passport, your SIM card comes with a unique number. People use it to reach you. If you upgrade your device, you can simply pop the SIM card into your new one to keep that same number.

Isn’t technology wonderful?

So wonderful, in fact, that you can use that number as an additional layer of security (alongside your username and password) when logging into online accounts. Or, in some cases, you can even reset your password by receiving an SMS.

And so can criminals! All it takes is a phone call to the mobile provider saying “hey! This is [your name], I lost my phone and would like my number [your number] ported to a new SIM card.”

If the criminal can convince the provider that they’re you (and a good social engineer will convince them), your SIM card stops working. All your messages are still sent to your number, but they belong to the criminal now. If that number is tied to your e-mail and exchange accounts, then there’s a good chance they can now gain access to them. It can happen to the CEOs of Twitter or Transform Group, so it can absolutely happen to you. Let’s talk about how you can protect yourself.

Ditch SMS 2FA

What do Santa Claus, the Tooth Fairy and SMS 2-factor authentication have in common? 

They’re all things that grown adults should stop believing in. Seriously. Using your phone number as an additional layer of security just introduces additional vulnerabilities. Mobile network employees can be malicious. They can be bribed. Blackmailed. Phished.

Where possible, you should make the switch to Time-based One-Time Passwords (TOTP). Apps like Google Authenticator (or, better still, FOSS alternatives like Aegis) use a shared secret between you and the service to generate disposable codes based on the current time. 

The only way for an attacker to get the shared secret (allowing them to compromise your account) is by physically accessing your phone.


A lot of services (looking at you, almost every single bank in existence) are allergic to features like TOTP-based 2FA. In this case, you don’t have a choice. You should start thinking about compartmentalization, which is good privacy practice anyway.

Compartmentalization refers to the segregation of the data in your digital life. For example, you may use one email account/phone number/username for Twitter, another set of information for your car insurance website, and another entirely for each crypto exchange login. The principle is simple: minimize the amount of information that any single party can collect about you.

Remember that, for a SIM swap attack to be worthwhile, the attacker must already know some information about you: what websites you use, which email address you sign in with, and, of course, your phone number.

This information is normally collected via phishing, or by buying information from data breaches. For example, if you fill in a form for a chance to win 500 BTC and provide your data, that flags you as a potential victim. Similarly, if your number is visible on Telegram and you belong to dozens of cryptocurrency communities, you make yourself a target.

Something else to consider: if Exchange #1 is hacked and its user data exposed, criminals know that there’s a possibility that you use those same details on Exchange #2. Setting up pay-as-you-go SIMs and new email addresses can be a time-consuming activity, but spending a day doing so will pay dividends for your online security for years to come.

Don’t store your money on an exchange

New to crypto? Welcome! Your priority after buying your first digital currency should be to learn about cold storage.

Seasoned crypto user? If you don’t keep at least some funds in cold storage, you’re doing it wrong and you, too, should make this your utmost priority. 

Cryptocurrency exchanges are goldmines. If bad actors can get past their security, they can escape with billions of dollars in value. That’s a risk inherent to every service that exists on the Internet, and you’re powerless to prevent it if the exchange owner fails.

Which is why many users store their crypto totally offline. By using something like a hardware wallet, you retain full custody of your funds, and ensure that no hacker can reach them as the private keys stay away from the Internet.

Of course, that means that you can’t trade, stake or earn interest on your holdings. You should only keep what you deem to be strictly necessary for such activities on a third-party platform.

That’s different for everyone, so there isn’t a correct answer to the proportion of funds that should be kept in cold storage vs. exchanges. A good starting point, though, might be to ask yourself the following question: just how fucked am I if this platform gets hacked tomorrow?