Cryptocurrency scams and digital crime have been in the spotlight these past few months. Even so, SIM Swapping has been ‘missing’, in a sense, from a number of reports on 2018. Two cryptocurrency analytics companies, Chainalysis and CipherTrace, released two different reports in 2018. The data focuses mainly on major crime trends in the crypto space during 2018 and sums up some of the biggest crypto threats to surface within the preceding 12 months. But how much of a problem is SIM Swapping?
How Does SIM Swapping Work?
To be honest, the concept of SIM Swapping is fairly easy to grasp. However, the potential damage to the victim is very high. In an interview with Cointelegraph, Kaspersky Labs gave an accurate definition of how SIM Swapping works. Furthermore, they also explained some of the ways in which hackers implement this cyber attack.
All a hacker would need in order to efficiently pull this off is some basic information about their victim. With this information, the hacker is able to request that the victim’s phone number be migrated to the hacker’s SIM card. If successfully pulled off, the hacker will receive any calls and SMS messages sent to the victim from that point onward.
With this newly gained access, the hacker is then able to request a new password via SMS. This puts sensitive data held by various service providers (banks, etc.) at risk. If the hacker has access to your SIM card for even a day, they could potentially change the password to all accounts linked to the phone number.
Alexey Malanov, Kaspersky Labs Security researcher says:
A typical scenario can look like this: an attacker arrives at a regional department of a communication provider — like a mobile operator — with forged documents that are supposed to prove a customer’s valid identity. Or, the attacker simply gets in close contact with an employee of the department and receives a duplicate of a victim’s SIM cards. The authentic SIM card in the victim’s phone turns off at that moment, so all subsequent SMS communications and phone calls are redirected to the attacker’s phone.
Is SIM Swapping More Dangerous Than Phishing?
These SIM Swapping attacks are nothing new. However, with the technological advancements of smartphones over the years, criminals are able to access far more sensitive information on their victim. Because of this, SIM Swapping is a threat to many individuals and their privacy.
Nowadays, modern applications allow people to access and manage their accounts, effectively holding sensitive financial information on a smartphone. While this does come with an increased level of convenience, it also provides criminals with a unique opportunity to steal data.
In Chainalysis’ report, the level of Ethereum scams last year was of ‘particular concern’ these last two years. One of the major methods scam artists used during this period was phishing.
Essentially, users were duped by emails or other communications that looked like the real thing. This led them to provide their own sensitive information, such as a username/password and email. Once the cybercriminals get access to the victim’s account, they empty all of the funds into their own accounts.
Attackers often use this method of attack to target their victim’s bank accounts. Thus, many financial institutions have increased their security checks and verification methods tenfold in order to prevent attacks of this nature. However, in most cases, whenever a user’s funds are stolen, most banks will roll back the transactions. If they don’t do that, they will at least cover the loss with insurance protection.
With cryptocurrency, this is not the case. If a hacker gains access to someone’s cryptocurrency assets, transactions can’t be rolled back by any means. Thus, cryptocurrency wallets and private keys are a focal point for SIM Swapping attacks.
Hackers Targeting Cryptocurrency Users
It doesn’t take much to see that the recent SIM-swapping scams that have plagued the crypto space have become a highly lucrative way to steal and launder money. Hackers use social engineering to trick telecommunication employees into executing a SIM swap.
There have even been reports of hackers using bribes or even blackmailing employees to get information. Of course, this isn’t always necessary as some employees will abuse the access they have to customer information and sell it to hackers.
Thus, due to the anonymous nature of cryptocurrency and blockchain technology, hackers are far more inclined to target crypto users than traditional fiat holders. As a result, many prominent figures in the cryptocurrency space have become targets for hackers.
KrebsOnSecurity’s interview with the California-based law enforcement group Regional Enforcement Allied Computer Team (REACT) Task Force covered a number of cases in which this has happened. One of them involved Christian Ferri, CEO of cryptocurrency firm BlockStar.
Hackers usually do plenty of social engineering and research on a person before they execute a SIM swap. Thus, once they got access to Ferri’s phone number, they quickly reset his Gmail password and used the information he had stored in a personal Google document in order to steal from his crypto wallet.
Hunting the Hackers
Many hackers / social engineers using this method of attack have enjoyed a level of ‘success’ through their criminal activities. However, a wave of arrests made in 2018 brought to light the carelessness of many young criminals.
In July 2018, Californian authorities made the first arrest for SIM Swapping in the crypto space. California police arrested 20-year-old Joe Ortiz, the alleged hacker of about 40 victims. Ortiz worked with a group of still unidentified hackers to target crypto users. Many people at the Consensus conference that took place in New York in May 2018 fell victim to Ortiz. Following his court case, Ortiz pled guilty to theft of $5 million, accepting a plea deal for 10 years in prison at the end of January 2019.
Following this case, another arrest took place in California in August 2018. 19-year-old Xzavyer Narvaez was arrested for using SIM swapping in order to commit identity fraud, cyber-crime, and grand theft. Reportedly, Narvaez was reckless with his use of the money he acquired from his criminal activities. He bought various sports cars over the space of 2 years. This then became part of the evidence used by the authorities to press charges. Narvaez’s cryptocurrency wallet processed over 150 bitcoins between March and July 2018, worth over $1 million at the time.
A month later, in September 2018, 2 men aged 21 and 23 were arrested for using SIM swapping. Their plan managed to accrue $14 million from a cryptocurrency company.
The District Attorney of Manhattan, Cyrus R. Vance, said many of these cases send a strong message to any perpetrators of these crimes:
Today my Office is putting the small handful of sophisticated ‘SIM Swappers’ out there on notice. We know what you’re doing, we know how to find you. We will hold you criminally accountable. No matter where you are. We’re also asking wireless carriers to wake up to the new reality that by quickly porting SIMs — in order to ease new activations and provide speedy customer service — you are exposing unwitting, law-abiding customers to massive identity theft and fraud.
Are Service Providers Part of the Problem?
Michael Terpin, a U.S. investor, fell prey to a SIM swap attack carried out by Truglia. Following this, in August 2018 he filed a lawsuit of $244 million against AT&T, the U.S. telecoms provider, for negligence leading to the loss of $24 million worth of cryptocurrency assets. Michael is the co-founder of a group of crypto angel investors called ‘BitAngels’.
The victim of this attack described AT&T’s behaviour as being:
like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewellery in the safe from the rightful owner.
Terpin wants $24 million in compensation from AT&T in addition to $200 million in punitive damages.
Tackling SIM Swapping
Thanks to the amount of media coverage on the subject, the threat of SIM Swapping is made very clear to us. This makes many people aware of the looming threat to their privacy, data and even financial assets.
Currently, the onus is on the mobile operators and the banks to protect the credentials and data of their users. If someone swaps a SIM, there should be a temporary block on all SMS communications in order to protect the user. This is a common practice in many countries all over the world, including Russia.
This is a very inconvenient procedure for honest, authentic users, but also a very effective one. Once a SIM card is replaced with a new one, as a rule, one cannot receive SMS for a while, which can be uncomfortable. However, such action gives users time to inform their mobile operator in case they did not request to replace the SIM card. All major mobile operators in the Russian Federation currently use this measure.
Tighter Security Checks
The banking sector could also lend a hand in the prevention of theft through SIM Swapping.
Banks are able to see when the SIM card ID changes, allowing them to refuse to send any SMS with a code until the user goes through several security checks. These include voice analysis, password or code confirmation and more. Security researchers also note the power of the anti-fraud systems currently in use by banks, which analyse customer behaviour through mobile or banking applications:
It is very important to analyse transactions. Obviously, the withdrawal of any amounts of money — large or small — that are unrelated to the customer’s regular account behaviour is extremely suspicious. Operators use this measure on such activities regardless of any fraudulent activity surrounding the customer’s SIM cards or passwords.
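The two safeguards described above (a temporary SMS block after a SIM replacement, and a bank refusing to send codes once the SIM card ID changes) can be combined into one decision function. This is an added example, not code from the article or from any operator or bank; the carrier lookup, the field names and the 24-hour hold period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Assumed hold period after a SIM change; the article gives no duration.
HOLD = timedelta(hours=24)

class Decision(Enum):
    SEND_SMS = "send_sms"   # SIM unchanged since it was last verified
    BLOCK = "block"         # recent SIM change: no SMS codes at all
    STEP_UP = "step_up"     # SIM changed: extra checks before any SMS code

@dataclass
class SimStatus:
    """What a (hypothetical) carrier lookup returns for a phone number."""
    sim_id: str
    changed_at: datetime

@dataclass
class Customer:
    phone: str
    verified_sim_id: str    # SIM identifier on file from the last verification

def sms_code_decision(customer: Customer, status: Optional[SimStatus],
                      now: datetime) -> Decision:
    if status is None:
        # Lookup failed: fail closed rather than send a code blind.
        return Decision.STEP_UP
    if status.sim_id == customer.verified_sim_id:
        return Decision.SEND_SMS
    if now - status.changed_at < HOLD:
        # Gives the real owner time to notice a dead SIM and call the operator.
        return Decision.BLOCK
    return Decision.STEP_UP

def complete_step_up(customer: Customer, status: SimStatus) -> None:
    """Call only after the extra checks pass; trusts the new SIM from now on."""
    customer.verified_sim_id = status.sim_id

def demo() -> list:
    # Constructed sample data, not taken from any real account.
    now = datetime(2019, 4, 1, 12, 0, tzinfo=timezone.utc)
    alice = Customer("+15550100", verified_sim_id="sim-A")
    same = SimStatus("sim-A", now - timedelta(days=400))
    fresh = SimStatus("sim-B", now - timedelta(hours=2))
    older = SimStatus("sim-B", now - timedelta(days=3))
    out = [sms_code_decision(alice, s, now) for s in (same, fresh, older, None)]
    complete_step_up(alice, older)
    out.append(sms_code_decision(alice, older, now))
    return out
```

The stored SIM identifier is only updated by `complete_step_up`, so a swapped SIM never becomes trusted just because the hold period has elapsed.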
SIM swapping is becoming more common by the day, so it’s in your best interest to make sure it doesn’t happen to you. If you have lots of sensitive information tied to your phone number, it may be a good option to invest in a second SIM.
With a second SIM, you can use SMS verification for some of the more sensitive information, and keep that number out of the public eye. That way, if a hacker sets their sights on you, they may only find the phone number tied to your throwaway accounts.
TIP: Use a multifactor authentication (2FA) application or device to secure your data. This will give you a second layer of protection which will reduce your reliance on SMS solutions.