What is SIM Swapping and How Can You Protect Yourself?
Learn about SIM swapping attacks and how you can protect yourself against them.
SIM swapping has become a common method for cybercriminals to gain access to an unsuspecting victim’s crypto holdings.
In this guide, we delve into SIM swapping, how it works, and how you can protect yourself, your privacy, and your crypto holdings.
What is SIM Swapping?
SIM swapping, also known as SIM jacking, is a fraudulent method of gaining access to someone’s mobile number. Cybercriminals do this so they can use two-factor authentication (2FA) to gain access to essential accounts such as email, financial accounts, and crypto accounts.
SIM cards are ubiquitous in today’s mobile-first world. The word SIM is actually an acronym for Subscriber Identity Module (SIM). The device is a small chip that identifies its user. It stores information that is important for both its owner and the mobile network service provider.
A SIM card serves the double purpose of (1) storing data and (2) signaling essential information, such as its country of origin, the system carrier, and a unique user ID. The user ID allows the mobile service provider to bill the customer their mobile phone charges.
SIM cards also store contacts, which is important when changing phones. Additionally, it’s typically possible to port settings to a new device at the will of the user. Finally, in cases where there are SIM-specific applications, such as mobile money, the chip can be instrumental in retaining control of funds.
The specific number tied to a SIM card also holds another importance for the user. Mobile phone numbers are often used in **two-factor authentication (2FA) **texts.
Two-factor authentication (2FA) is a framework designed to increase security for internet users. It involves using your password to log in to your online accounts, such as social media platforms, after which a code is sent to your mobile device to authenticate your identity. This can also happen via an authentication app, such as Google Authenticator or Authy.
This framework is sometimes referred to as two-step verification or multi-factor authentication. The password is the first step (or factor) while the second is the authentication provided via SMS or through an application.
2FA has become popular because it provides users with extra security. A malicious party would have to gain access to both your password and your phone to infiltrate your online accounts.
Unfortunately, cybercriminals have realized that they can leverage a weakness in the 2FA framework to gain access to your mobile phone and subsequently your online accounts.
To do this, the hackers contact your mobile service carrier and convince them that they are you. Using your personal information, the criminals trick the mobile service employees into switching the number linked to your SIM card to one that is in their possession. This is SIM swapping.
How Do SIM Swap Hacks Work?
Unfortunately, SIM swapping is relatively easy to do. The malicious party simply calls up a network service provider. They then pretend to be their victim, report that they have lost their phone (or had it stolen), and so no longer have access to their SIM card. Using the victim’s personal information, the malicious party is able to convince the customer service representative at the network provider that they are the victim.
By doing this, the hacker is able to take advantage of a feature that network providers have access to: the ability to switch or port the number associated with a SIM card to another SIM card.
The malicious party is able to do this by using publicly available information about their victim. This information is obtained either via the victim’s social media pages or by leveraging data exposed in prior hacks or data breaches.
Once the hacker convinces the network provider to switch the number to a SIM card in their possession, the victim’s SIM card will cease to work. This means that the victim will suddenly be unable to receive calls or text messages. The hacker, on the other hand, will receive all the calls and messages that are supposed to go to the victim.
At a cursory glance, this seems more like an annoyance than a security threat. However, when we consider the fact that phone numbers are typically used to ascertain identity (often via 2FA, as previously discussed) then a significant attack vector begins to take shape.
Mobile phone numbers are used in 2FA frameworks for bank accounts, email addresses, special media platforms, and, most notably, crypto trading accounts.
Just by swapping your SIM, a hacker can gain access to your accounts, either by brute-forcing your password, leveraging social engineering to guess what your password could be, or by using previously exposed passwords.
**Once in your accounts, the hacker can wreak havoc on your financial life, including stealing money from your online payment services and crypto trading accounts. **
Examples of High-Profile SIM Swapping Attacks
SIM swapping has been implicated in a number of high-profile hacks ranging from financial to more private and personal.
In 2017, a hacker gained access to Selena Gomez’s SIM card and was able to post private pictures of her ex-boyfriend, Justin Bieber.
In another highly publicized case, Michael Terpin, a prolific cryptocurrency investor, was robbed of about 3 million in crypto tokens (worth 24m USD at the time) following a SIM swap. He went on to sue his mobile network AT&T for gross negligence, seeking damages of ten times that amount after it was revealed that network employees were involved in the criminal act.
What’s more, in 2019, Exodus’s VP of Engineering, Sean Coonce, lost $100,000 worth of cryptocurrency when he suffered a SIM swap attack that drained his Coinbase account.
How to Protect Yourself Against SIM Swapping Hacks
Avoid revealing personal details publicly, such as your birthdate and full name, on your social media accounts. If you must, leverage the privacy controls on most social media platforms to limit the people who can see such information to only your trusted contacts.
**Don’t disclose important milestones or things with sentimental value **to you on social media. Hackers can use this information to socially engineer your passwords, or when attempting to impersonate you when contacting the network provider. Examples of this include your first pet’s name, your child’s birthdate, etc.
Stay alert for phishing attempts. When hackers target you, they may contact you in some form — either text, email, or even phone call — seeking to extract the personal information or identifiers needed to carry out their mission. If you receive any contact from anyone asking for identifiers such as your ID number, your bank account number, etc, don’t ever disclose the information. Even if the phone call, text, or email seems to be coming from a trusted party always be sure to contact that party directly.
Moreover, **don’t ever share your bank account PIN and identifier number, or passwords for social media and email **with anyone. Additionally, if you have access to mobile money, do not share your PIN number with anyone. Your bank or your mobile network provider will never call or contact you to ask for these details.
Don’t store sensitive information, such as passwords or PINs, in your email account. This makes it very easy for hackers to impersonate you as you will have put all the necessary information in one place. Once the email address is compromised, so is all your important information.
Enable notifications from your bank or financial institution so you can keep track of every transaction. Ensure that notifications go through two separate channels, such as via email and text. That way you can still be notified of suspicious charges on your account even if you don’t have access to your phone. In the event that malicious parties are able to infiltrate your bank account, you can respond quickly and alert your bank or other financial institution, reducing the damage the hackers can do.
If possible, use two separate email accounts for your social media accounts and for your financial transactions.
Add a PIN number to your SIM card. Don’t make it a number that’s easy to guess, such as your birthdate or that of someone important to you. This way, even if hackers successfully impersonate you, they may be unable to gain access to the SIM card.
Use technology to help protect yourself. For example, you could leverage password managers to store your passwords and authentication applications for 2FA (instead of your phone number). When it comes to 2FA, use app-based 2FA (Google Authenticator, Duo, Authy, etc.) as opposed to SMS-based 2FA whenever possible.
Finally, if your phone suddenly loses service then be sure to immediately contact your mobile service provider. Use another person’s phone and contact customer service immediately. Stay vigilant and consistently check all your accounts for signs of tampering.
Trust Wallet: The Most Secure Mobile Crypto Wallet
Trust Wallet is the most trusted and secure cryptocurrency wallet that enables anyone with a smartphone to securely buy, trade, and store 160,000+ digital assets.
Since Trust Wallet is a non-custodial wallet that doesn’t require you to create an account using your email address or a phone number, the chance of you losing your funds held in Trust Wallet due to a SIM swap is essentially zero.
However, that doesn’t mean you should be careless when it comes to basic Internet security practices when dealing with cryptocurrency online.