May 20, 2024

SIM swapping is gaining momentum: how Bitcoin holders can protect their money

Contrary to popular belief, using a phone number for two-factor authentication can become the reason you lose all your cryptocurrency savings, especially if you store them on third-party services such as cryptocurrency exchanges or lending platforms. Day after day, the crypto community never tires of repeating the mantra: “Not your private keys = not your cryptocurrencies”.

For much of the last decade, the combination of these two practices (read: mistakes) has fueled the rise of a phenomenon called SIM swapping.

SIM swapping is a relatively inexpensive method that requires no special technical skills and through which attackers can gain control of all the victim’s accounts, provided, of course, that the potential victim uses the phone number to log into various services, be it email or even a crypto wallet. Social engineering is more likely to be at work here than the technical savvy of the hacker. Essentially, the attacker needs to find out which identity verification methods the victim’s mobile operator uses and to get some information about the “target”. Often it is enough to find out just a phone number.

A caveat is in order here: in the USA, the so-called eSIM, an electronic SIM card that does not need to be physically installed in a smartphone at all, is becoming increasingly popular. The mobile operator simply assigns you a phone number remotely. Whatever SIM card you use, this danger threatens everyone, and the consequences will be extremely unpleasant.

The growing popularity of SIM swap

The growing threat of SIM card swap fraud was identified by a study published in January 2020 by a group of professors and graduate students at the Harvard University Computer Science Department and the Princeton University Information Technology Policy Center.

Image: a SIM swapper tries to steal the victim’s SIM card. Source: indigodefense.com

“An attacker calls your operator, pretends to be you and asks to transfer service to a new SIM card, which is at the mercy of the attacker,” wrote Arvind Narayanan, an assistant professor at Princeton University and one of the authors of the study. “The threat is quite serious, but at the same time hundreds of websites and services use SMS notifications as two-factor authentication, which puts your accounts at risk.”

The study tested the authentication protocols of the five largest US mobile operators: AT&T, T-Mobile, Tracfone, US Mobile and Verizon. Having tried to carry out a SIM swap attack on 10 different accounts from each operator, the study authors found that all 5 of them use insecure authentication methods.

“In general, these findings help explain such a rapid spread of the threat of attack with the substitution of the SIM card,” Narayanan summed up.

Even more concern about this problem was provoked by the fact that during the experiment it was possible to replace the SIM card of even Narayanan himself. When he called the mobile operator's customer service department and reported the fraud, the operator was not even able to confirm his identity, since the attacker had already taken possession of the phone number. Ultimately, Narayanan managed to regain control of his SIM card, but had to use his own research and take advantage of the vulnerability of the mobile operator’s protocol.

It was sheer luck that the researcher managed to get the number back quickly. Once the hacker takes control of the victim's SIM card, his hands are literally free. As stated in the study, this is largely because users rely on insecure authentication methods to access their savings online. This could be an SMS notification and/or two-factor authentication with a code or via a robocall (obviously, these methods are absolutely unsafe, because the attacker has already gained access to your phone number). In addition, when people do use secret questions for protection, the answers to those questions are often quite simple to find out, as in the case of the mother’s maiden name.

In addition, the study also identified 17 websites where user accounts could be compromised by SIM swapping alone (the data set from twofactorauth.org served as the basis for this method). By the way, shortly after the publication of the study, T-Mobile contacted the authors and announced that it no longer verifies the owners of SIM cards by a list of their last incoming calls.

Fraudsters set their sights on Bitcoin

SIM swapping has been around for several years now. However, most attacks target victims from just a few categories: celebrities with well-promoted social media accounts, like the CEO of Twitter, Jack Dorsey, or those who own a significant amount of cryptocurrency. During Bitcoin’s rapid uptrend last year, several crypto owners became victims of SIM swap attacks.

Image: Jack Dorsey, CEO of the Twitter micro-blogging service

For example, in December 2019, crypto journalist and podcast host Laura Shin told her own story about how she was “lucky” enough to become a victim of telephone scammers. Ultimately, they could not rob her, but, as she herself noted, the situation is quite ironic, because she had carefully covered this topic back in 2016 and was seemingly ready for any attack. In fact, all her precautions turned out to be vulnerable.

According to some assumptions, Bitcoin owners have become a tasty morsel for SIM-swapping scammers, since cryptocurrency transactions are forever recorded in the blockchain and are technically impossible to cancel. From the point of view of investigation and search for criminals, it is much easier for the authorities to deal with ordinary mobile phone users than to try to return stolen cryptocurrencies (even though the movement of funds can be easily tracked on the blockchain).

At the same time, unlike most online banking accounts, only a few crypto exchanges, including Coinbase, Gemini, ItBit and Binance US, are protected by FDIC insurance, which insures participant deposits up to $250,000. This makes some sense when considering Bitcoin's value as a decentralized and immutable asset. But this also means that you should never take the relative security of cryptocurrencies for granted.

“Millstone of Justice”

Entrepreneur, investor and founder of the first angel fund for Bitcoin enthusiasts, Bitangels, Michael Terpin understands too well what is at stake.

As he stated in an interview with the crypto information resource Bitcoin Magazine: “The millstones of justice grind slowly”.


The whole point is that Terpin waited too long for justice in the case of the theft of $224 million. He filed a lawsuit against the mobile operator AT&T after the customer service department allowed a group of hackers to take over Terpin's phone numbers from the AT&T and T-Mobile operators, to which the services giving access to his cryptocurrency were linked.

According to him, the first time a group of attackers “deceived employees of sales points of two mobile operators in Boston”.

“Less than an hour passed between these incidents, and they simply handed over my data from both numbers to them”.

As a result of these attacks, more than half of the bitcoins in Terpin's account on the cryptocurrency exchange were stolen. By the way, Terpin opened these accounts back when Bitcoin was priced at $100.

After this incident, Terpin asked both operators to improve the security of their systems. As it turns out, both AT&T and T-Mobile offer additional services in the form of enhanced protection. However, all these measures turned out to be useless. For example, in January 2018 a 19-year-old employee at an AT&T retail outlet in New Jersey simply disclosed Terpin's account information for a $100 bribe. Thus, a group of criminals stole $24 million worth of altcoins from the entrepreneur.

That's right, that day they could get only “shitcoins”, but at that time they were worth a lot of money.

And unlike Bitcoin, the alternative cryptocurrencies TRIG, SKY and STEEM stolen from Terpin simply did not have the option to restore the wallet with a private key.

Although Terpin went through the SIM swap more than two years ago, he states that every week another victim of SIM fraud contacts him and asks for help getting the money back.

Who most often becomes a SIM swapper?

Terpin was involved in a lawsuit against a 21-year-old New York man, Nicholas Truglia, who at that time was accused of stealing $24 million using SIM swapping. Initially, he was tried in the case of stealing $1 million worth of cryptocurrency from Ross White, Executive Director of StopSIMCrime.org from Silicon Valley.

Image: SIM swapper Nicholas Truglia (left) and Bitcoin entrepreneur Michael Terpin (right). Source: New York Post

Terpin, apparently, took notice of this case in time, and in the end it was Truglia who compensated Terpin $75 million. As it turned out during the investigation, on the day of the attack on Terpin's phone numbers, Truglia sent messages to his whole family and friends saying that he had managed to steal $20 million worth of cryptocurrency and that his life would now change forever. Terpin is sure that Truglia did not act alone but is most likely part of an organized group of 26 SIM swappers.

Investigative journalist Brian Krebs put together Truglia's case and several other arrests in an attempt to formulate a profile of the average SIM swapper. According to Krebs, these are men under 25 years of age.

Difficult choice between safety and convenience

Tyler Moffitt, a security analyst at Webroot, puts the vulnerability of bitcoin owners caused by mobile operators' insufficient security measures down to constantly lagging legislation.

“When new technologies appear, laws always lag behind. I think we will not see the necessary legal acts that would protect such victims for another five years. And during this time, SIM swappers will steal a lot of cryptocurrency.”

Moffitt is just one of many who believe that, in the dilemma between safety and convenience, most people will lean toward convenience. He is sure that this is the principle most companies and society as a whole follow.

But how does the government view this? On January 9, 2020, a letter signed by six US legislators was sent to Ajit Pai, Chairman of the Federal Communications Commission (FCC). He previously held the position of General Counsel at Verizon, the largest mobile phone operator in the United States. Along with a call to strengthen protection against SIM swap fraud for mobile subscribers, the letter contains a statement by investigators from the REACT Task Force about the total damage that this type of attack alone has caused:

More than 3,000 victims of SIM swapping are known, from whom a total of $70 million has been stolen. This is the damage for the whole country.

The letter also raises the point that the attacks are becoming more sophisticated. The attackers have now learned to infiltrate the computer networks of mobile operators, deceiving or forcing employees to run malicious programs on work computers, and this is not to mention direct bribery.

Ultimately, the legislators who wrote this letter acknowledge that SIM swapping is beginning to pose a real threat to national security, if only because many government employees use various forms of two-factor authentication. Under this assumption, an organized group of hackers or malicious actors could gain access to the email of government officials and then use it in their own, rarely benevolent, interests. For example, emergency alerts could be issued across the country, groundlessly or with malicious intent, on behalf of the Federal Emergency Management Agency.

Terpin sent a similar letter to the FCC in the fall of 2019 with a more specific request.

I recommend that the FCC force all US mobile carriers to encrypt passwords.

This is the key gap in mobile operators' security systems. Unlike banks, airlines or hotels, where access is allowed or denied depending on whether a particular customer has the necessary password or key, the passwords of all users of mobile operators are at the disposal of company employees. It is designed this way, again, for the sake of convenience. Indeed, such a structure makes it possible to quickly restore the customer’s phone number if the SIM card or phone is lost or damaged. However, it also exposes a very serious security problem, especially considering that all points of sale of certain operators are franchises, which means that access extends to third parties.

Guido Appenzeller, chief product officer for Yubico, the hardware security company best known for inventing YubiKey, commented on this matter.

“It's not just about the employees of the telecommunications company. Every employee at a retail point of sale, and these are third parties, can access these databases. And if you add to this the fact that the average employee of a mobile operator point of sale earns around $10 an hour, it becomes obvious why they are so easy to bribe.”

When owning bitcoins, you need to know how to protect yourself

There is an important nuance built into the conventional culture and, technically speaking, into the Bitcoin code from the very beginning. True financial freedom entails a new level of personal, financial and technological responsibility. The same goes for the privacy and security of operations, but they are often sacrificed, not so much for the sake of convenience as for the sake of additional profit from increased trading and lending figures. In general, nothing motivates as much as everything... about the smallest amount in bitcoins that you can very easily lose. But you should not underestimate your savings, because losing is always unpleasant.

Most people will not be victims of SIM swap. But, as Appenzeller suggests, cryptocurrency wallets for amounts from, say, $10 thousand will always attract hackers.

At the same time, we must remember that there are simpler, yet well thought-out, ways to steal cryptocurrency. Take, for instance, malicious programs that can bypass two-factor authentication without the need to swap or steal the victim’s SIM card. This also includes phishing sites, such as the one used during the recent hacking of the Binance crypto exchange, when hackers managed to steal $41 million.

The good news is that there are already technologies that will help you protect yourself from SIM swapping attacks, as well as from more sophisticated phishing attacks. The strongest 2FA method available to the masses is called U2F – USB two-factor authentication. Appenzeller claims that using U2F eliminates the risk of SIM swapping, as well as “phishing and other attacks, such as man-in-the-middle attacks or downloading malware”.

His company Yubico created U2F in collaboration with Google, and has since applied the technology in its flagship product, YubiKey. Thus, YubiKey can be considered the 2FA equivalent of a hardware wallet. And at the time of this writing, no YubiKey user has fallen victim to SIM swapping.

How to avoid a SIM swap attack

Based on the above information, you can make a list of actions that will help you avoid becoming another victim of SIM swapping. We also bring you the opinions of several security experts and members of the Bitcoin community on this matter.

Illustrations: Wired

For beginners and intermediate users of Bitcoin

Store your bitcoins in hardware wallets and stop using 2FA on your smartphone. Advice from Jameson Lopp, software engineer from the Bitcoin Core team:

“Store your private keys in hardware devices, preferably with multi-signature support. Do not use web wallets as they have too many vulnerabilities for attackers. Use hardware two-factor authentication in all web applications that support it. It is advisable not to use 2FA via SMS, as well as the ability to reset/recover a password for any application via phone.”

If you don't move bitcoins often, then don't store them on exchanges. To be more convinced, you can scour the Internet for hacks and exit scams of crypto exchanges over just the last couple of years. If possible, discuss with your mobile operator how you can improve the security of your SIM card. And it is better to use 2FA in the form of an application for which you set your own login password. This is also confirmed by the advice of Tyler Moffitt:

“You can ask the operator to increase the security level of your phone number. And do not use SMS authentication. Use apps like Google Authenticator or Authy for this.”

For those who use SIM cards for ID (most of us)

Re-read the security policy of your mobile operator and other services that you use on the Internet. You can even try to hack your accounts yourself.

“I think that the question should be raised more deeply: why do we continue to use phone numbers? Just try to log in to all your services using your phone number. If you succeed, then you are a potential victim of a SIM swap,” said Matt Odell, Bitcoin entrepreneur and co-founder of CoinPrices.io. He is also interested in the topic of cybersecurity.
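Odell's self-check can also be run over a written inventory of your own accounts; the sketch below is an added example, not part of the original article. It assumes that an account falls to a SIM swap alone when both the password reset and the weakest enabled second factor go through the phone number (directly, or through a mailbox that itself falls); the account names and field names are constructed.

```python
from dataclasses import dataclass

PHONE_BOUND = {"sms", "voice_call"}    # delivered to whoever holds the number


@dataclass
class Account:
    name: str
    second_factors: frozenset    # every 2FA method enabled, e.g. {"sms", "totp"}
    reset_methods: frozenset     # password-reset channels, e.g. {"sms", "email"}
    reset_mailbox: str = ""      # name of the Account that receives reset e-mail


def falls_to_sim_swap(name, inventory, _visiting=frozenset()):
    """True if holding the phone number is enough to take over `name`."""
    if name in _visiting:        # recovery loop: A resets B, B resets A
        return False
    acct = inventory[name]
    # Step 1: can the password be reset with the phone number alone?
    can_reset = bool(acct.reset_methods & PHONE_BOUND)
    if (not can_reset and "email" in acct.reset_methods
            and acct.reset_mailbox in inventory):
        # A reset link sent to a mailbox that itself falls is just as good.
        can_reset = falls_to_sim_swap(acct.reset_mailbox, inventory,
                                      _visiting | {name})
    # Step 2: the weakest enabled factor decides; no 2FA means nothing to pass.
    can_pass_2fa = (not acct.second_factors
                    or bool(acct.second_factors & PHONE_BOUND))
    return can_reset and can_pass_2fa


def audit(inventory):
    """Names of all accounts that a SIM swap alone would compromise."""
    return sorted(n for n in inventory if falls_to_sim_swap(n, inventory))


# Constructed inventory for illustration only.
INVENTORY = {a.name: a for a in [
    Account("mail", frozenset({"sms"}), frozenset({"sms"})),
    Account("exchange", frozenset({"totp", "sms"}), frozenset({"email"}), "mail"),
    Account("wallet-service", frozenset({"u2f"}), frozenset({"email"}), "mail"),
    Account("bank", frozenset({"totp"}), frozenset({"sms"})),
    Account("forum", frozenset(), frozenset({"email"}), "mail"),
]}

if __name__ == "__main__":
    for name in audit(INVENTORY):
        print("exposed to SIM swap alone:", name)
```

Note that "exchange" is flagged even though it has an authenticator app enabled, because SMS is still offered as an alternative second factor.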

For those who think that bitcoins can be saved with just a hardware wallet

Together with Bitcoin wallets, it is always advisable to use password managers. Check regularly whether you can log into your wallets without any additional means.

“I use a password manager, this is a great practice. Everyone I work with uses a password manager.” - Guido Appenzeller

“Regarding password and key management, I use a strong password manager with several encrypted backups on USB drives. At least one copy is at home, the other is outside the house. I always take a copy with me on trips and periodically check performance. The bulk of my stash is stored in hardware wallets, and a little more in the Bitcoin Core wallet, from which I replenish Casa, mobile applications, use the Lightning network, etc.” - Guy Swan, host of the Cryptoconomy podcast

Better protection while maintaining relative usability

Buy yourself at least one YubiKey, they are not so expensive.

“Buy some YubiKeys (just in case) and use them for 2FA whenever possible. Many password managers support YubiKey 2FA, and many web applications now support U2F 2FA. These two devices can be made friends with each other. If the web application only supports TOTP codes, you can still protect such data on YubiKey using the Yubico authentication application.” - Jameson Lopp

Repelling more complex attacks

Bookmark important pages with sensitive data and use them.

“The Binance hack is a great example of how it can harm 2FA. Specifically in that situation, people simply typed Binance into the search bar of their browser every time and clicked on the first links, which turned out to be advertisements for phishing sites from attackers. Therefore, to avoid falling for such fakes, save links to pages.” - Tyler Moffitt

In addition, do not forget to keep up with new information about SIM fraud. This will help you stay aware of the emergence of new attackers and not get caught in their net. It is also worth periodically reviewing changes in the laws of your country, because penalties and ways to resolve your problem may already have been provided for, so that even in the worst case you can get at least some compensation.