Small-scale crypto investors are being increasingly targeted by hackers, according to one report published this week.
Cybercriminals are performing a fraudulent practice called SIM-swapping – within which a person’s phone number is switched to a new device. Several telecoms carriers are now embroiled in lawsuits brought by victims who feel they were not sufficiently protected.
Shielding yourself from SIM-Swapping involves limiting the personal information you put on social media and using tech like password managers and authenticator apps.
Crypto-Thieves Move on to Smaller Fish
Reporting in The Wall Street Journal details how one individual who invested their life savings in Bitcoin had their accounts emptied overnight, losing $80,000 or more in cryptocurrency value.
There’s a well-beaten path that has been trodden out over the past few years for hackers looking to target extremely wealthy, powerful people who are well known in the crypto scene and have made millions investing.
Hacking groups have also targeted crypto companies with increasing frequency. Most recently, $610m was stolen from the platform Poly Network, and further millions have been accrued by fraudsters from various hacks over the past six to seven years.
Small-time investors have been affected by these large-scale attacks in the past – but now, it seems cybercriminals are cutting out the middle man and going straight for the investors themselves via sim-swapping scams.
What is SIM-Swapping?
SIM-swapping is an increasingly common way to subsume control of someone’s mobile number. This initially involves some social engineering on behalf of the hacker in question, as they will have to ‘verify’ who they are, duping the telephone carrier into thinking they are in fact their victim.
Similar processes are regularly performed by telephone providers when they either swap customers’ numbers over to new SIM cards (i.e. a SIM Swap) or switch over a number to a different telecoms carrier (i.e. mobile ‘porting’).
SIM-swapping only takes around 10 minutes and is well worth the time for hackers. Once you have control of someone’s phone number, you have a potential way into the owner’s accounts – from social media to their bank.
This is largely due to the fact phone numbers are often invoked in security protocols, such as two-factor authentication, and can be used to receive codes to reset passwords.
Legal Battles and FCC Action
Aggrieved investors have already opened legal proceedings against various phone carriers, which The Wall Street Journal says has already caused some providers to modify their security provisions.
In February, for instance, Calvin Cheng sued T-mobile for indirectly enabling a hacker to steal $450,000 worth of Bitcoin after falling victim to a SIM-Swapping scam.
But the case – and all other of a similar nature – were dwarfed just days ago as a SIM-Swapping scam enabled a Canadian teenager to steal $36.5 million (USD) in Bitcoin.
In late September, The Federal Communications Commission proposed tightening the rules on how numbers can be swapped between phones and providers after a number of US citizens – including crypt investors – contacted them.
“The Commission and our sister agency, the Federal Trade Commission (FTC), have received hundreds of consumer complaints about SIM swapping and port-out fraud” the FCC’s document reads. “The bad actor can…change login credentials, drain bank accounts, and, increasingly, steal cryptocurrency and sell or try to ransom social media accounts.”
However, Telecoms providers have hit back, saying the proposed regulations provide hackers with the ‘Blueprint’ for future attacks.
Can I Protect Myself Against SIM-Swapping?
One way to protect yourself is to use an authenticator app for multi-factor authentication processes rather than your actual phone number. This means a hacker would have to have your actual device to break through the authentication barrier, rather than your phone number, and the codes refresh regularly.
Minimizing the amount of personal information someone can find through your public social media accounts is the first step to decreasing your risk of a SIM-Swap.
Hackers may try and obtain information about you prior to a SIM-Swap scam in order to answer security questions. Ensuring your social media accounts don’t have too much personal information on – and that any of this sort of information is only viewable by friends – is a good start.
Alternatively, speak to your carrier in order to add additional security questions that would be more impenetrable to social engineering or ask them to institute a call-back system or some other way to verify your identity that goes beyond the usual provisions.
As with all scams like this, hackers will still, at some point in this process, need to obtain at least one of your passwords for an account. Making sure they’re long enough, complex enough, and are stored in a secure password manager like LastPass – which also has its own authenticator app – is essential.
How Will I Know if my SIM's Been Swapped?
An indication someone may have swapped your SIM is a sudden loss of cell service and a lack of incoming texts and/or calls. Remember to check whether your carrier’s network is down and eliminate the possibility that there’s another explanation – like your phone’s memory being too full to receive new messages.
If there’s a possibility you could still be a victim of SIM-Swapping, contact your telecoms carrier immediately and change the details of any accounts you own with your phone number on – as well as your account passwords.