SIM swapping of late has become relatively widespread and somewhat easy to pull off.
Hackers who use this technique steal personal data and in some cases even milk millions of dollars worth of cryptocurrency from the accounts of their victims using their private keys.
What Is a SIM Swap Scam?
SIM swapping scam is a process duping a telecommunication provider to transfer a phone number to a SIM card held by a hacker.
This allows the hacker to bypass the two-factor authentication and eventually taking over the victim’s online accounts linked to that phone number by resetting the passwords; also known as port-out scam.
According to crypto watchdog Crypto Aware, cryptocurrency related hacks and scams are fast becoming the norm.
Crypto Aware estimates that close to $670 million worth of cryptocurrencies were stolen in the first quarter of this year. Further research estimates that the total amount of cryptocurrencies lost in hacks and scams since June 2011 has reached $1.6 billion.
One would ask what kind of sorcery would be needed to pull out a “perfect” SIM swap scam. Well, tactics used vary depending on the hacker.
The first and most crucial step is to lay the foundation for any SIM swap scheme by collecting as much information about their victim(s).
This is done through social engineering and is mainly aimed at profitable or high-profile individuals.
Once they gather enough information, the hacker(s) call the victim’s telecommunication provider acting as their victim purporting to have lost or damaged their SIM card.
They then ask the customer service to activate a SIM card in their possession.
Most telecom providers rarely fulfill their request until specific security questions are answered.
Some hackers do bypass this stage successfully since they did their homework and are equipped with the right data.
However, not all hackers are always successful they use the so-called “plugs”: essentially these are insiders in telecommunication companies who get paid to do illegal swaps.
Michael Terpin, an American crypto investor, is among the victims to hit the headlines as a result of a crypto heist.
The entrepreneur and CEO of TransformGroup has recently filed a $224 million lawsuit against the telecommunication giant AT&T, accusing it of fraud and gross negligence after hacker(s) used his phone number to steal $24 million worth of cryptocurrency he stored on an online exchange.
“Fool Me Once Shame on You, Fool Me Twice Shame on Me”
This is not Terpin’s first rodeo with SIM swap scammers. In June 2017 he discovered that his AT&T number had been hacked when his phone suddenly switched off.
He later found that the hackers remotely changed his password after 11 failed attempts.
AT&T was able to cut off the hackers’ access but unfortunately, they had already stolen funds from his account. Fast-forward to January 7 of this year, Terpin got hacked all over again despite extra security measures being taken.
In his lawsuit, Terpin claims the hackers had help from an insider in committing the fraud regardless of his security status being leveled to rival that of celebrities.
In the complaint filed by Terpin’s lawyers, he compared AT&T’s actions to that of a hotel allowing a thief access to a customer’s private room and jewelry safe.
One would wonder in dismay how a high-profile crypto investor stores his tokens in an online wallet secured by text message, but it’s hard to detect SIM swap fraud before it happens.
A recent investigation showed that hundreds of people across the U.S. have had their phone numbers hijacked, with hacker(s) turning their attention mainly to digital currency holders and investors.
Protect Yourself and Your Digital Currency
How do you avert a SIM swap fraud? Cybersecurity experts recommend using alternative authentication networks other than SMS and not storing your digital currency on any exchange for extended periods without trading them.
They highly advise one to store funds in offline wallets (popularly known as cold storage) and doing periodic backups for added security.
For crypto firms and even high-profile investors, the use of International Mobile Subscriber Identity (IMSI) may halt a SIM swap heist even before it begins.
Essentially, IMSI is a unique number associated with a specific GSM phone. This makes it possible to verify legitimate subscribers by checking whether SIM card and their IMSI are the same.
Unfortunately, virtual currencies have attracted a lot of new unseasoned investors who are not well versed regarding online security and are identified as easy targets by scammers.
In the end a little paranoia about the safety of your personal data, especially your phone number, may help you survive a day in the crypto world. As they say, only the paranoid survive.