Security

SIM swapping

What is SIM swapping?

To understand what a SIM swap is, we need to know about 2FA, or two-factor authentication.

2FA is a security feature that requires a second proof of your identity, in addition to your password, before you can log into an account. That second factor can be a hardware security key (the safest option), an authenticator app on your phone, or a code sent to your phone number by SMS.

Often, the 2FA method can also be used on its own to restore access to an account if you forget your password (i.e. as a recovery method), and this is where things get interesting. Of the three methods above, your phone number is the least secure, yet it is surprisingly common because it requires no additional software or hardware. It is risky because control of a phone number is not something you hold: it is granted by your mobile operator's customer-service process. Operators often aren't aware of the risks of SIM swapping, and consequently don't take all the precautions needed to prevent it.

In a SIM swap, a criminal calls your mobile operator's customer support, impersonates you, and claims that the old SIM card has been lost or stolen and that the phone number must be transferred to a new card. The customer support representative they reach is unlikely to be aware of why this request is so risky, and will be eager to help someone they believe is a customer who needs their phone number restored.

How the attack unfolds

If the attacker fails to convince the customer support agent to transfer the phone number, they simply hang up and try again: they will probably be connected to a different agent next time, so it's easy to keep trying until they succeed. Once the number has been transferred, they move on to your main email account (this article uses a Google account as the example).

They will attempt to log in, click “Forgot password?” and choose the SMS recovery method. Since they now control your number, they receive the SMS verification code and use it to log into your account. Then they change your recovery phone number and other 2FA methods to ones that only they control, making it extremely difficult for you to regain access.

Once they’ve done this, they will check your email history for emails from cryptocurrency exchanges or other crypto platforms. Then, they go to these exchanges and reset the password by using the email address that they now control.

The next step is simple: they withdraw all your crypto from the exchange to their own wallets. What’s more, if you’ve got any linked bank accounts or saved credit cards that you used to purchase crypto before, they can empty these accounts as well, using them to buy more crypto and withdraw it from the exchange.

Now that you know just how dangerous SIM swapping can be, we'll get to what you can do to prevent it and, finally, what to do if you still fall victim to such an attack.

Preventing SIM swapping

Since SIM swapping is essentially an attack on your mobile carrier's customer-service process rather than on you directly, you can never be completely certain that it won't happen. However, there are still some simple but important steps you can take to make such an attack far less likely to succeed.

First of all, make sure your mobile phone operator account itself is well protected, with a strong password and 2FA. Many carriers also offer a separate account PIN, port-out PIN or “number lock” setting that must be provided before a number can be moved; if yours does, enable it. Then, in any unused fields in your contact info, you can write something like “DO NOT TRANSFER PHONE NUMBER,” as this will likely be visible to the customer support agent the attacker contacts.

Then, visit your mobile carrier’s offices in person and instruct them that any requests relating to your account should only be accepted if you’re physically present in the office with a government-issued ID. While doing this, it’s important to document the whole process, such as the time and date, location, names and employee IDs of the people you talk to. That way, if the mobile carrier does transfer your number to a scammer, you can take legal action against them since you can prove that it’s a failure on their part to follow their own explicit commitments.

Since it’s always possible that your mobile carrier might not follow the steps you outline, it’s a good idea to minimize the consequences of a potential SIM swap if it does happen. The most important thing to do here is to avoid relying on your phone number for 2FA or account recovery.

Luckily, doing this is simple: go to your Google Account settings and open the Security section. Then go to the 2-Step Verification options, and if your only option is an SMS code, enable Google Authenticator or a security key. Once you've done that, remove the SMS option. Note that the recovery phone number is a separate setting in the same Security section: a recovery phone can be used to reset your password even when SMS is no longer a 2-Step Verification method, so remove it there as well. That way, your phone number can't be used to gain access to your Google account. If you still have SMS enabled on any other important website (such as an exchange), remember to remove it there too and replace it with an authenticator app or a hardware security key.

Both of these options are very secure, but a hardware security key is typically considered the best option. You can get one for less than $50, and it's always a good idea to have at least two in case you lose one. An authenticator app works because the shared secret it was set up with is stored on your device and never tied to your phone number, so a SIM swap gives the attacker nothing; the flip side is that losing the device means losing the codes. For that reason, most websites give you a set of backup codes when you first set up an authenticator app. These codes are extremely important, so back them up as securely as your seed phrase.

What to do if you had your SIM hijacked

If SIM swapping does happen to you, there are some steps that you can take to try and reduce the potential damage.

First of all, call your phone provider and explain the situation you’re in. Ask that they deactivate your phone number, meaning that neither the attacker nor you will be able to use it. When doing this, again make sure to document the employee’s name, employee ID and the support ticket number for your case. Also ask them to retain all the logs relevant to your case, as this could be helpful in the subsequent investigation.

Then, immediately access your primary email account (if that’s still possible), and change the password on it. If you can’t access your account, then start the recovery process, letting your email provider know that something is wrong. At any rate, screenshot every step of the way, as this documentation will be helpful and also enable you to keep track of everything you do.

Then, remove all other devices and apps that have access to your account through the account management page. After you’ve done this, do the same for all other accounts that are potentially compromised, starting from the most important ones. Don’t forget about non-crypto accounts: if you have any bank account or credit card linked to a compromised exchange, immediately contact your bank to freeze the funds or move them to a secure account.

Remember that the attacker can also gain access to your messaging apps (such as Telegram and WhatsApp), since both register with your phone number. Log into these, go to Settings and terminate all other active sessions, then enable their two-step verification (a password or PIN) with a recovery email that the attacker does not control.

Finally, contact the authorities and provide them with all the relevant data about the lost funds. They will likely contact the exchange involved as well, but, depending on where you live, some law enforcement agencies may not have the capability to trace the funds on the blockchain. This is why getting professional help is a good idea: agencies such as CipherBlade specialize in this kind of crime, and their expertise can be extremely helpful both in recovering lost funds and in bringing the attackers to justice.