Hacking groups have also targeted crypto companies with increasing frequency. Most recently, $610m was stolen from the platform Poly Network, and further millions have been accrued by fraudsters from various hacks over the past six to seven years. Small-time investors have been affected by these large-scale attacks in the past – but now, it seems cybercriminals are cutting out the middle man and going straight for the investors themselves via sim-swapping scams.
Crypto-Thieves Move on to Smaller Fish. Reporting in The Wall Street Journal details how one individual who invested their life savings in Bitcoin had their accounts emptied overnight, losing $80,000 or more in cryptocurrency value. There’s a well-beaten path that has been trodden out over the past few years for hackers looking to target extremely wealthy, powerful people who are well known in the crypto scene and have made millions investing.
SIM-swapping is an increasingly common way to subsume control of someone’s mobile number. This initially involves some social engineering on behalf of the hacker in question, as they will have to ‘verify’ who they are, duping the telephone carrier into thinking they are in fact their victim. Similar processes are regularly performed by telephone providers when they either swap customers’ numbers over to new SIM cards (i.e. a SIM Swap) or switch over a number to a different telecoms carrier (i.e. mobile ‘porting’).
In February, for instance, Calvin Cheng sued T-mobile for indirectly enabling a hacker to steal $450,000 worth of Bitcoin after falling victim to a SIM-Swapping scam. But the case – and all other of a similar nature – were dwarfed just days ago as a SIM-Swapping scam enabled a Canadian teenager to steal $36.5 million (USD) in Bitcoin.
SIM-swapping only takes around 10 minutes and is well worth the time for hackers. Once you have control of someone’s phone number, you have a potential way into the owner’s accounts – from social media to their bank. This is largely due to the fact phone numbers are often invoked in security protocols, such as two-factor authentication, and can be used to receive codes to reset passwords. Aggrieved investors have already opened legal proceedings against various phone carriers, which The Wall Street Journal says has already caused some providers to modify their security provisions.
In late September, The Federal Communications Commission proposed tightening the rules on how numbers can be swapped between phones and providers after a number of US citizens – including crypt investors – contacted them. “The Commission and our sister agency, the Federal Trade Commission (FTC), have received hundreds of consumer complaints about SIM swapping and port-out fraud” the FCC’s document reads. “The bad actor can…change login credentials, drain bank accounts, and, increasingly, steal cryptocurrency and sell or try to ransom social media accounts.”
However, Telecoms providers have hit back, saying the proposed regulations provide hackers with the ‘Blueprint’ for future attacks. One way to protect yourself is to use an authenticator app for multi-factor authentication processes rather than your actual phone number. This means a hacker would have to have your actual device to break through the authentication barrier, rather than your phone number, and the codes refresh regularly.
Minimizing the amount of personal information someone can find through your public social media accounts is the first step to decreasing your risk of a SIM-Swap. Hackers may try and obtain information about you prior to a SIM-Swap scam in order to answer security questions. Ensuring your social media accounts don’t have too much personal information on – and that any of this sort of information is only viewable by friends – is a good start. Alternatively, speak to your carrier in order to add add