Recently the FBI warned about a big increase in scams using smartphone SIM swapping to defraud victims. A SIM swap attack happens when an attacker has your phone number transferred from your SIM card onto one they control, so that SMS two-factor authentication (2FA) codes meant for you are delivered to them instead. This is especially common in the cryptocurrency industry, as a lot of people rely on SMS 2FA to protect their cryptocurrency when using exchanges and other services.
Let’s take a further look at exactly what SIM swapping is and how you can avoid it.
What is SIM swapping?
SIM swapping occurs when an attacker convinces your mobile phone carrier to transfer your phone number over to their SIM card. From that point they receive any incoming calls and messages, including the codes sent for two-factor authentication checks. They can then take over your protected accounts, such as exchange logins, and any other accounts linked to your phone number. Even accounts you haven't protected with 2FA are at risk: wherever a service offers "forgot password" recovery by text message, the attacker can use your phone number to reset the password and lock you out.
How does a SIM swap work?
There are two types of SIM swap fraud. The first method is the most common and relies on social engineering directed at both the victim and the mobile phone carrier. The SIM swap attacker first collects personal information about the victim, such as name, address, date of birth and account details, by buying it from organised criminals, by sending their own phishing emails, or by using social engineering against the victim directly.
The attacker then contacts the victim’s mobile phone carrier, impersonating them and claiming to have lost or damaged the SIM card associated with the victim’s number. They request that customer service activate their new SIM card, or just ask for help to switch to their new phone.
Once the swap takes place, the attacker receives all phone calls and SMS intended for the victim's phone, including any one-time passwords, and the victim's phone loses connection to the network. This gives the scammer access to every one of the victim's accounts that relies on calls or text messages for login or password recovery.
The second technique is less common and occurs when an insider, usually a mobile carrier employee, works with an attacker to willingly switch over a victim’s phone number to the attacker's SIM card.
What does this have to do with cryptocurrency?
If you're serious about cryptocurrency security, you probably already use 2FA to protect yourself and your assets. But if that 2FA is delivered by SMS, you could unknowingly be opening yourself up to a SIM swapping attack that could see you lose all your coins. Once an attacker controls your phone number, they can receive your SMS 2FA codes and log in to your cryptocurrency accounts. Before you are able to do anything about it, they can transfer your funds to their own wallet. Attackers will also typically change the email address, phone number or 2FA method on the account while they have access, meaning your cryptocurrency account may still be under their control even after your phone number has been recovered.
How do you know if you’ve been affected by a SIM swap?
Here are some key warning signs:
- Your phone loses all service when your SIM is still inserted
- Your carrier tells you your phone number or SIM card has been activated on another device
- You can no longer access your credit cards and/or bank accounts, and your login credentials no longer work
How can you protect yourself from SIM swapping?
There are several ways you can protect yourself to avoid SIM swapping:
Be cautious online - be wary of social engineering attacks such as phishing emails that scammers may use to access your personal data in order to impersonate you
Improve your account security - use strong, unique passwords for the online account at your mobile carrier, and if the carrier uses security questions, choose answers that cannot be found on your social media or in public records (or use random answers stored in a password manager)
Use PIN codes - Add a layer of protection through your carrier by setting a separate account PIN, passcode or "port-out" PIN that customer service must be given before your number can be moved to a new SIM or a new carrier. Just be sure to never use an obvious PIN such as an anniversary, birthday, or address, and ideally, store PINs in a password manager.
Set up alerts - If your mobile carrier offers it, choose to receive additional notifications when a SIM card is reissued on your account. When you choose exchanges, banks, and other organisations to use online, look for those that detect logins from new devices or unusual locations and confirm sensitive changes (new withdrawal address, new phone number, new 2FA method) with a call-back or an email confirmation rather than a single SMS code.
Improve your two-factor authentication - avoid building identity and security authentication solely around your phone number, including text messaging (SMS). Use an authenticator app such as Google Authenticator, which generates codes from a secret stored on your device rather than from anything sent to your phone number, or better still a hardware security key. Then remove your phone number as a recovery option wherever the service allows it, because an SMS-based "forgot password" or "lost authenticator" path gives a SIM swapper a way around the app.
If you suspect you have been the victim of SIM swap fraud, contact your mobile phone carrier, bank, exchanges and any other relevant organisations immediately!
It’s no secret that the Australian Taxation Office (ATO) is cracking down on crypto traders this tax season! Is your tax sorted? We've teamed up with CTC to offer our community 20% off when you sign up for their tax calculation software using our discount code COINSTOP20. Valid until 31st of July, 11:59 pm AEST.