Protect Your Neck: SIM jacking and what you can do about it

Bittrex is being sued over SIM jacking, in which hackers ran off with 100 bitcoin—worth today a little over $1 million. Meanwhile, AT&T (T.NYSE) has shrugged their shoulders and told Seth Shapiro, the head of strategy for Videocoin, that they would see him in court. Shapiro accused the company of allowing employees to transfer control of his phone number to criminals in 2018, culminating in a loss of $1.7 million in cryptocurrency.

This is AT&T’s second time around on the SIM jacking issue: earlier this year, a Los Angeles federal judge formally dismissed the company’s attempt to quash a case brought forward by Michael Terpin, a blockchain and cryptocurrency investor, who lost his holdings through his compromised Skype account.

Let’s begin by reiterating one of the main axioms of cryptocurrency investment:

You and you alone are responsible for your cryptocurrencies.

Their security is only your concern.

We introduced that axiom in June, when we originally started writing about investing in cryptocurrency, and it’s as important now as it was then. Maybe even more so.

So let’s get into it.

The common element that connects all of these stories is SIM jacking, not AT&T.

What’s SIM jacking?

It sounds like something straight out of a cyberpunk novel, in which plucky techno-Robin Hoods liberate funds from big corporations and give them to, well, themselves, but it’s not. Big corporations and high-profile figures are not exempt (Twitter (TWTR.NYSE) CEO Jack Dorsey has been among the targets), but the easy, low-hanging fruit is us: the average hodler.

First, let’s get the nomenclature out of the way:

SIM jacking is also called SIM-swapping, SIM porting, port-out fraud, phone porting, and SIM hijacking. It’s an attack in which your phone number is moved from your SIM card to a different SIM card controlled by an attacker. The attacker then receives whatever is sent to your phone number, usually a text message, and uses that to get into your other internet accounts.

Most customer-service phone-drones deal with security at the first tier of contact with the customer. Performance (and therefore reward and punishment) is predicated on getting on the call, fixing the problem and getting off the call in under their average handle time, which makes security a secondary concern. It’s supposed to be concern number one for these folks, but when you’re on call number 72 for the day, in hour seven of your eight-hour shift, and all you have is a quick “reset my password” call, you’re more likely to skip over some of the protocol. Especially if you’re in the second tier of tech support and this job should have been done by the person in tier one.

Here’s how easy social engineering can be:

If that doesn’t make your butt pucker then nothing will.

Here’s a worst case scenario:

  1. An attacker gets your phone number and therefore access to your text messages and phone calls.
  2. He tries to log onto your primary Google account and clicks “Forgot password?”
  3. Gets the verification code sent by SMS to the number under his control.
  4. Logs in, changes the password, and finds e-mails from Coinbase and Kraken.
  5. Repeats “Forgot password?” at Kraken and Coinbase. Gets the password reset request sent to the e-mail account he now controls.
  6. There’s usually a 24-hour hold on most exchanges after a password change, but once that’s complete the attacker can withdraw all your crypto from the exchange to his own addresses. If he’s smart, he shapeshifts them to a privacy coin like Dash or Monero before taking them off the exchange entirely, so there’s no way of tracking them.
  7. He can then use any USD holdings you may have, including any linked credit or debit cards or bank accounts, to buy more cryptocurrency, which he then converts into Monero or Dash and moves into his private wallet.

Protect your neck

The first step is to set a passcode/PIN with your service provider that must be given for any online or phone interaction about your account. Don’t use the same passcode as your bank account, your phone, or anything you use online.

Don’t publish your phone number on social media, and limit the amount of personal information you post (birthday, elementary school name, your pet’s name), because these are often the answers to the questions used to identify you. If someone is determined (or bored) enough, they’ll scour the internet for this information and use it to impersonate you.

Lastly, get either multi-factor or two-factor authentication (2FA). The best way to get MFA/2FA is to download a password generator. This is freeware you can get from Google, Microsoft and most other companies, and it will pre-generate a long, completely random password. Use it to generate passwords for everything you want protected, and write them down. Store them securely. That guarantees one solid form of authentication that only you know, and therefore only you can use to get access. Even if the primary form of authentication (the aforementioned birthday, grandmother’s maiden name, or elementary school) is compromised, you’ll have one other piece of information that only you hold.

Keep in mind that 2FA is not hacker-proof. Nothing is. That’s why, in the original article written for our sister site Equity Guru, we talked about getting your coins completely off the exchange. As for your Gmail account being hacked, the only suggestion is to create an e-mail account specifically for your cryptocurrency dealings and not tell anyone about it. People cannot hack into what they don’t know is there, and your best defense against getting hacked is to keep your mouth shut.

If you don’t like to follow simple advice, here are four red flags to help you recognize that you’ve been SIM-jacked:

  • You get a system notification saying that you can no longer access a phone-level account (like your Apple ID or Google account) and may need to re-enter your password.
  • A customer-service rep from your phone carrier calls you and apologizes for being disconnected. Don’t ignore this. There’s a solid chance that someone is calling their call centre pretending to be you. They’ll call a few times, trying to find someone who’s tired or disgruntled, or maybe eager to serve, to exploit.
  • Your Mac or iOS device asks whether you’re logging in from somewhere other than where you are.
  • You use a non-SMS mechanism for two-factor authentication, like Microsoft Authenticator, and prompts like “here’s the code you requested” or “are you trying to log in?” get pushed to your screen when you didn’t request them.

These are only the most common red flags, and by far not an exhaustive list.

It’s difficult to tell with any degree of certainty, but there’s a high probability that the AT&T court cases will go anywhere. People lose money to scammers, hackers and other bad actors every day. And it’s entirely possible that you can follow all the steps laid out here and elsewhere, and still get robbed by a hacker who got in through a back door left open by some careless user at an exchange.

Remember that you can never completely do away with risk—you can only mitigate it. The above steps to maintain your own stake and safety may seem excessive, but this is your money we’re talking about here, and the unregulated crypto-sphere is full of people that would love to take it from you.

Don’t give them a chance.

—Joseph Morton
