As technology unfolds, so too do the scams that surround it. SIM swapping is one such fraud that has caused concern in cryptocurrency circles. What is it, how does it happen and what are the implications?
What is SIM Swapping?
SIM swapping – often referred to as SIM jacking – is a form of account takeover attack through which a hacker uses social engineering to transfer a victim’s phone number to their own SIM card.
Most online accounts utilise two- factor authentication (2FA) these days. By taking control of the victims phone number, the hacker can then proceed to reset account passwords or receive 2FA verification codes.
Ultimately, financial accounts are compromised. With that, the digital and pseudo-anonymous nature of cryptocurrency has made it a target for hackers.
In the US, a cellphone user is suing AT&T – the worlds largest telecommunications company – following the loss of cryptocurrency to the value of $24 million following a SIM swapping hack. The user, Michael Terpin, is a well-known cryptocurrency investor and entrepreneur. The hackers tried and failed to change Terpin’s AT&T password at 11 AT&T stores. However, they were successful ultimately in changing that password remotely, which facilitated them in gaining access to his cryptocurrency account and stealing his funds.
Another such case came to light earlier this year when Dawson Bakies was charged with identity theft and the theft of cryptocurrency in New York – a crime that implicated 50 victims.
Whilst cybercrime oftentimes affects the less tech-savvy, curiously SIM swapping has scalped some sophisticated investors and actors in the cryptocurrency space.
Alongside experienced investor, Terpin, Sean Coonce – an Engineering Manager at digital assets security company, BitGo – also became a statistic of such an attack. Coonce lost in excess of $100,000. He took to Medium to detail specifically how the attack unfolded in an effort to inform others as to what warning signs to look out for.
A Global Phenomenon
The US seems to be particularly hard hit, with many instances of SIM swapping implicating leading mobile networks AT&T and T-Mobile. The technique has been around for quite a few years but the emergence of cryptocurrency has spawned an upsurge in its use more recently.
African countries are probably ahead of the curve in dealing with it. Due to the prevalence of mobile money on that continent, there has been a further incentive for hackers to go down this route. Having had a higher level of fraud, banks and telecoms companies have collaborated in tightening up the system, leaving it much more difficult for hackers to achieve.
African countries are ahead of Europe and US in dealing with SIM swapping fraud
Europe is not immune from this fraudulent activity either. Carlos Vico of the Spanish police’s cybercrime department told El País earlier this summer that SIM swapping is on the rise in Spain. Meanwhile, in the UK, mobile operator Three has teamed up with Callsign – an identity and authentication solutions provider – in an effort to thwart the practice.
How Does it Happen?
Caleb Tuttle, a detective with Santa Clara County District Attorney’s office in Silicon Valley, set out the three ways in which the attacks are carried out in an interview last year with computer security and cybercrime blog, KrebsOnSecurity.
In the first instance, the attacker bribes or blackmails an employee at a mobile network store. With their assistance, the number is ported and the hacker goes on to access the victim’s cryptocurrency accounts.
The second exploit involves a current or former employee of a mobile network store abusing their access to client data and the mobile network.
The last case implicates an errant mobile network employee who manipulates colleagues into swapping a customer’s existing SIM with a new one.
What Can Be Done?
It seems that the exploit could be minimised considerably if greater security is implemented by the telecoms companies.
However, there is a resistance on their part to make SIM porting more difficult. From their perspective, they want to provide their customers with a high level of customer service such that there is less friction involved for customers in porting a number to a new device.
Terpin’s case against AT&T has suffered a setback but is likely to continue with an amended suit. It’s plausible that the outcome of cases taken by him and others will affect the depth of security measures the phone companies employ to prevent SIM swapping.
In the meantime, users can better defend themselves from such attacks by using apps such as Google Authenticator and Authy – which provide an extra layer of security for 2FA. Google Voice can also be used as an alternative as it doesn’t implicate a SIM card.
Notwithstanding that, the risk can just be minimised, but not completely eliminated. If a hacker is determined enough in targeting you, it’s very difficult to prevent them from compromising your SIM and your online accounts. Until such time as we develop a robust system for online identity, such hacks in various forms are likely to continue.