On Monday (May 20), Sean Coonce, an engineering manager at crypto custodian BitGo, revealed that last week he became the victim of a SIM swap attack (he referred to this as a “SIM port hack”) as the result of which his Coinbase account got “drained” and he lost “north of $100,000.” So, he decided to “increase awareness about these types of attacks” by providing a detailed account of what had happened, and what he had learned from this very unfortunate incident.
A SIM swap (or SIM hijacking) attack is a type of scam in which the attacker takes over someone else’s mobile phone number through social engineering, so that the number ends up being served by a different SIM card (either one the attacker already has, or one obtained as a replacement from the carrier). Once this has been done, the hacker can “intercept any one-time passwords sent via SMS or telephone calls sent to the victim,” and can thereby circumvent the security features of any account (be it a bank account, a social media account, etc.) that relies on SMS or telephone calls.
In his blog post, Sean explained what “authorized SIM porting” is, described the anatomy of a typical “SIM port attack”, provided a timeline of the events of last week, and finished by listing the lessons he had learned from this painful and embarrassing experience.
Here is what typically happens in this type of attack:
- You are targeted by the hackers, which means that they “gather personally identifiable information about you.” (Naturally, one of these pieces of information is your mobile phone number.)
- The hackers use this information to pretend to be you when they contact your mobile phone service provider (such as T-Mobile).
- Once they have convinced a customer service agent that they are the rightful owner of that account, they gain sympathy by making up a story about the SIM card currently associated with that number being either damaged, lost, or inaccessible (for example, as the result of losing the phone it was in).
- They ask the customer service agent for a replacement SIM card (to be associated with that phone number). This means that your mobile phone number is no longer registered to your existing SIM card and is, instead, associated with the new SIM card given to the hackers by your mobile service provider.
- The hackers then ask for a password reset on your primary email account, which causes a verification code to be sent by SMS to the mobile phone owned by the hackers.
- The hackers then set a new password for your primary email account, and take it over, which means that they now have access to “any lucrative online services that you manage via that email address.”
This is Sean’s timeline of the events “leading up to and through the attack”:
And finally, Sean would like to offer the following pieces of advice:
- Do not treat your account at a custodial crypto exchange (such as Coinbase) as a bank account. In other words, make sure that your crypto funds are stored on a “hardware wallet/offline storage/multi-sig wallet” whenever “you are not transacting.”
- Instead of relying on SMS-based Two-Factor Authentication (2FA), which can be easily hacked as explained above, either use “hardware based security” (e.g. a YubiKey device from Yubico) or an “Authenticator” app (such as Google Authenticator).
- Share as little “personally identifiable information” online as possible.
- Use a secondary email address (secured with some kind of hardware-based 2FA) for “your critical online identities (bank accounts, social media accounts, crypto exchanges, etc.)” and do not “use this email address for anything else and keep it private.”
- Use an offline password manager to store your passwords.
Sean should be applauded for his openness and honesty. His invaluable advice deserves a wider audience since, despite the increasing frequency of SIM swap attacks over the past few years, it seems that many, if not most, people are still not doing enough to protect their online accounts, and this type of attack can claim even very smart people as victims.
For example, on January 27, Dovey Wan, a prominent member of the crypto community who is a founding partner of crypto-focused investment firm Primitive Ventures, reported that she had become a victim of a SIM swapping hack:
After a portfolio founder’s sim got stolen, mine got hacked too – sim swap has become so easy targeting crypto player@ATT @TMobile to be blame 🤬they are the few carriers on earth allow sim swap without in person KYC. Such policy shouldn’t exist at all https://t.co/sH6hJWjqKa
— Dovey Wan 🗝 🦖 (@DoveyWan) January 27, 2019
In a follow-up tweet, she gave this advice to her followers:
“CELL PHONE NUMBER IS YOUR WEAKEST SPOT SO TRY NOT TO USE IT IN ANY VERIFICATION PROCESS IF POSSIBLE”