Information Security / Three steps to protecting crypto holdings against SIM Jacking
Three steps to protecting crypto holdings against SIM Jacking
25 June 2019
Kevin Owocki, Founder at Gitcoin, shares three ways cryptocurrency holders can protect themselves against the growing threat of SIM jacking.
You wake up to an email from Coinbase notifying you that your withdrawal has been confirmed.
“That’s strange,” you think. You didn’t move any coins last night.
You start to call Coinbase to ask what happened, but realise your mobile isn’t working. You usually get full signal at home, but today you just see four vacant dots “....”
That’s weird. You borrow a roommate’s mobile and call your network provider. You navigate the provider’s tangle of phone numbers, options, and security challenges. After several long minutes on hold listening to a poor-quality version of Beethoven's 5th, you're finally talking to a real person.
They explain you called in yesterday, and requested your SIM card be swapped to your new phone. Dutifully, they completed the request. But you explain you didn’t buy a new phone, or call your network provider. It wasn’t you. You sign in to Coinbase, and realise the worst. It’s all gone.
You’ve been SIM Jacked.
Also of interest: What can we learn from the WhatsApp breach?
What is SIM Jacking?
Simply put, SIM Jacking is when someone impersonates you in order to steal your mobile number.
Your mobile number is the key to your digital life. Your email, social accounts, and messaging platforms all use phone numbers as a password recovery option.
Due to the irreversible nature of cryptocurrency transactions, SIM Jackers have increasingly been targeting users of cryptocurrency, using SMS text-based account recovery methods to log into exchanges, seize funds, and move them to their own wallets.
There have been reports of dozens of prominent crypto community members SIM Jacked in the last few weeks alone.
Also of interest: Five ways threat intelligence can supercharge security
How to take the proper precautions in three steps
1.) Demand additional security from your network provider
If you assume your network provider is going to protect you, then I’ve got some solemn news for you—it likely can’t. Still, requests for help and added pressure can raise awareness of the issue amongst carriers.
Network providers can add “special instructions” to your account notes to prevent SIM Jacking, requesting that the account owner be physically present in a store location to change a SIM card. However, speculation in the crypto community is that those notes are not enforced, and are frequently overlooked.
It is also suspected that these SIM swap attacks are so profitable, there is sufficient incentive to motivate inside jobs within a phone company’s rank and file.
As much of a headache as it can be, changing phone number is an option worth contemplating. Consider switching to Google Fi or Google Voice. Using Google Voice, you can set up a phone number that will forward to the one provided by your network. This means you never have to give out the original number, thwarting any would-be SIM Jackers before they even begin.
2.) Limit your downside exposure
Another strategy is to limit your downside exposure to SIM Jacking attacks.
First, disable “phone based account recovery” from as many of your cloud accounts as possible, and check your 2 factor authentication settings. If you use Authy, make sure that you have multi-device setting disabled, as hackers have used multi-device to hijack Authy accounts after jacking a SIM.
Next, disable phone-based account recovery on your primary email account. Your primary email is the first thing a SIM Jacker will try to break into, as it contains the keys to many of your online accounts. It’s important to change to 2 factor or email-based account recovery.
The third thing you’ll want to do is disable phone-based account recovery on your other social accounts. Here is a checklist you can run through.
Lastly, make sure your cryptocurrency is in a safe place. It’s well worth delving deeply into this topic, but the consensus is that hardware wallets are the most secure.
3.) After an attack, exercise damage control:
If the worst occurs and you fall victim to a SIM Jacking attack, here are a few steps to mitigate the damage, pulled together by the crypto community:
- Contact your provider—in person is better—and get your phone number back
- Do not respond to your attacker. Go dark, turn off read receipts, and make them think you’re unreachable
- Demand your provider disables porting in your account without you being physically present in-store
- Get your email back
- Call each social account and cloud accounts like Dropbox (start with the most important ones), and get your access back
- Get a new SIM card, and keep the old one in case you need it for evidence
- Make sure you don’t repeat passwords, and start using tools like 1Password or LastPass
- Reach out to decision makers and legal officials via all available channels
Also of interest: How can CISOs be better leaders?
Network providers, we are counting on you to change
As a society, the use of phone numbers has evolved over time. At first, they were used exclusively to make phone calls, but are now employed in numerous different use cases—personal, social and financial.
Mobile carriers must understand that they need to do a better job at securing customers’ phone numbers. Phone numbers simply aren't what they used to be 20 years ago—they’re used for much more than conversation today.
It’s time for network providers to update their antiquated operations security practices, and to treat this problem with the respect it deserves.