Recently, USA Today reported a story called “Banks, Bitcoin, bond funds: Where is your money safe in an era of cyberattacks?”
The story outlines a type of digital heist that is becoming all too common: SIM attacks.
A SIM attack happens when a hacker or fraudster is able to get ahold of the credentials that control your phone. Once in control of your phone number, the SIM attacker can port your number to a device they control.
Digital thieves can use a SIM attack to pull off all kinds of crimes ranging from identity theft to hijacking private photos for extortion.
The damage from such an attack will vary — largely dependent on the level of security precautions you have taken in advance.
But, so far, the principal use of SIM hacks has been to commit financial crimes. While traditional banks and investment services are susceptible to SIM hacking, people buying, selling, and storing cryptocurrencies are particularly vulnerable to SIM hacking crimes.
In the case of the USA Today story, for example, one person interviewed lost $90,000 from a crypto exchange following a SIM hack.
The reason? Today, a mobile phone number has become a key piece of information used to verify identity. And crypto services, in particular, are vulnerable because there is little recourse (and oftentimes not even insurance) if fraudsters silently sweep funds to a wallet they control.
So, one strategy to protect against a SIM hack is to implement a few security best practices to reduce vulnerability and the overall chance of becoming a target.
Steps in a SIM hack
A SIM card (SIM is short for subscriber identity module) is a small integrated circuit that stores an ID and key that are used to authenticate a phone number as part of a telephone carrier’s network.
A SIM contains a 17-digit number that maps to identifying information such as country of origin, carrier, and personal ID details.
Phone carriers are able to port SIM details from one device to another. This makes things convenient when you are upgrading devices, or when trying to keep a phone number while you are switching carriers.
But the phone carriers’ ability to control SIM information also means that the digital ID associated with the phone number is vulnerable.
A basic outline of a SIM hack:
1. Using social engineering tactics, a hacker is able to convince the mobile phone carrier that they need to port your phone number to a device that they control. They might call the phone company pretending to be you and make up some story about getting a new phone, or upgrading, or some similar scenario.
2. Once in control of your phone number, the hackers will try to exploit vulnerable situations and scenarios (in the case of crypto this could be wallets, exchange accounts, or other places where funds are stored). If those services use SMS two-factor authentication (2FA) then a hacker will now be able to intercept the password reset code.
3. Using these same tactics and techniques, the hacker can also gain control of your email, social media profiles, etc., which means they would have additional identifying details.
A mobile phone was never really meant to become such an important piece of digital personal identity. And mobile phone carriers are designed and built to enable phone calls and data streaming, not as a bulletproof security apparatus between a network subscriber and an army of well-incentivized fraudsters.
That’s why SMS 2FA should be avoided at all costs.
What to know about a SIM attack
The first sign that a SIM attack is unfolding is if a phone starts to act erratic, like it is no longer able to send and receive calls. And then other services will start to get interrupted.
Another warning sign is if it feels like you are randomly asked to sign back into email or social media services.
One way to confirm a SIM attack is to try and dial the number you suspect is under attack. If your phone doesn’t ring, chances are there are problems.
The first step following a SIM attack should be to contact your phone carrier and explain what is happening. The second step is to try to access if you still have control over important accounts like email, banking, and crypto services.
Security best practices
There are steps that you can take in advance of a SIM attack to try to insulate yourself from some of the vulnerabilities. Here are a few examples:
1. Use a hardware wallet, or some other cold storage device, to store any cryptocurrency you plan on holding long term. A hardware wallet and other cold storage devices put a barrier between your crypto and the internet. They will be secured by a private key, which you will have to safeguard somewhere offline.
2. Make sure all sensitive accounts and services are protected by strong 2FA. Using products like Authy or Google Authenticator will mean that a fraudster will have to physically have control of your phone (not just a ported number) to get access to your passwords.
3. Create multiple email addresses and use burner phone numbers when setting up sensitive accounts such as bank and crypto services. Make sure you don’t circulate these other emails and phone numbers and only use them for account sign-in.
4. Make sure you subscribe to enhanced authentication (different carriers have different policies) that require additional identification before someone can access your online phone account to port your phone. For example, you can ask a certain carrier to only allow porting of devices in a retail store. Other carriers provide 2FA via mobile phone for any types of changes if you select enhanced authentication. That way, a hacker can’t port your device unless they have your physical device in the first place.
5.Use a virtual phone number that has strong authentication and 2FA that does not use SMS.
6.Don’t let any third party know details when they are helping transition your old device to a new device. Many SIM hacks are conducted by company insiders who use personal details to port your device.
SIM hacks are only becoming more common. People using their mobile phone number as a key piece of security information in combination with the fact that more and more valuable assets (like crypto) are being stored in digital domains, is providing the perfect conditions for fraud and theft.
The good news is that Abra wallets require a private key (also called a recovery phrase) to create or restore a wallet. This provides an extra layer of protection between a hacker and your assets. But it also means that you need to properly secure your recovery phrase.
Interested in learning more about SIM hacks and how to prevent them? The following resources are a good place to get started.