On June 25th, I became a victim of SIM swapping, targeted along with dozens of other leaders in the blockchain community. This type of account takeover (ATO) fraud, also referred to as Port-Out scam, SIM splitting, or SIM jacking, targets a weakness in two-factor authentication & two-step verification, where the second factor or step to access an account from a new device is an SMS or a call placed to a mobile telephone.
I’m a security-conscious IT professional working in blockchain for 3 years, and was stunned by the ease of the attack and how my normal security precautions failed. While the attack was frustrating and embarrassing, I believe strongly that we must learn from failure — and we must socialize to do better in the future. So I am sharing what happened, what I learned and what we can do better to prevent this kind of fraud.
How SIM Swapping happens
In my case, a bad actor went into an AT&T store and got an employee to change my SIM to a new phone, and then accessed all my accounts via the SIM and cloud.
Even though I had my SIM replaced in 45 minutes, that provided ample time to do damage. Since I have an iPhone XR, they used Face ID to access my accounts. Face ID works on the phone level, so they added their face to result in a positive pass of Face ID, and that unlocked my account names from my iCloud. Easy peasy. Keys to the kingdom.
This was unlucky timing, as only last month I upgraded my phone after the last one went through the washing machine. I had disabled iCloud on my previous phone as I don’t believe it is secure, but the new phone had it enabled somehow and I didn’t catch it.
After that, they were able to take over my Apple, Google, Coinbase and Bank of America accounts, and could see the passwords for 70+ other accounts in clear text via the iCloud Keychain app. They reset passwords on the key accounts with hijacked access to two-factor authentication (2FA), since having my email and my phone let them receive those little 6-digit codes.
I also failed to set up my Google Authenticator again for key apps before the attack, mostly because it is such a time-consuming process. I set it up for a few apps, but not Coinbase. That was straight-up laziness on my part.
The thieves attempted to steal $71K by overdrawing funds from my Bank of America to Coinbase. I caught it in time, but only because I saw a -$41,000 balance in my checking account. Fortunately, since it was covered by FDIC insurance and Coinbase imposes a waiting lockup period, I was able to recover these funds before they were transferred out of Coinbase into the ether.
How the phone company, banks, Google and Coinbase failed me
I went to the AT&T store within 15 minutes of losing my cell service. The man working there is very nice, but he was at the end of a long day and the air conditioning was out in the store. It was 84 degrees in the store. I could tell he was tired, but he closed the store and continued to help me 15 minutes after closing time. I left with a new SIM chip.
Security at the store means he was unable to see much into my account. This makes sense, but a flag should also have been set, especially since the phone company later claimed they had already caught it. He couldn’t tell anything from the system besides that my account was current. He said it was the first time he had ever seen a SIM chip burned remotely like this, but maybe it was the iPhone update that came out that day. If he had any way of seeing this, he could have advised me to lock up all of my accounts.
This message was sent 20 minutes after Coinbase deactivated my account for the investigation.
Two days later, realizing the scope of the attack, I called the phone company, AT&T, wondering if they knew they allowed this attack. They confirmed it was SIM swapping, and said they caught it early and shut it down. They never informed me, they did not give the poor store worker any flag or information, and they certainly did not prevent someone taking my SIM. I’m not sure how they are satisfied with this result, but it was an open investigation and they could not tell me more.
They suggested the perpetrators phished my number by calling and hanging up. That confirms it’s a live number. I’ve also seen text messages, sent to confirm accounts. I received several of these as I was taking back my accounts. The attackers persisted in their attacks.
Meanwhile, my bank allowed 9 overdrafts to process on my account. There were no phone calls, no emails, and no text messages. There was no stopping the hemorrhaging either. I called Bank of America first, but they did not want to put a stop payment on the account until I called Coinbase.
So, I called Coinbase. They opened an investigation and told me it would be 10 days longer before they would reveal any details or let me see my account. I had a small amount of cryptocurrencies in my online Coinbase wallet — less than $2,000. 15 days later I still do not know the result of where those funds ended up.
Google was predictably the best in this scenario. They detected a fraud attempt on my account and notified me that a live agent needed to personally review the account before I could access the account. That process took 3 days, but at least they were proactive.
Three weeks, 9 hours of customer support calls, and 71 password changes later, I am back in all my accounts except Coinbase, which is still disabled.
SIM swapping is on the rise
These targeted attacks are on the rise, often through social engineering: attackers find people like me who work in the blockchain industry and speak and write publicly about cryptocurrency. Once they track down your number, they have all they need to proceed.
In August 2018, T-Mobile was hacked and the billing information of 2.5 million customers was stolen. All of those accounts are vulnerable.
During the same week of my attack, dozens of my peers were attacked as reported by ZDNet. There is an open FBI investigation.
How to avoid SIM swapping scams
Frankly, there is no perfect way to protect yourself. But you can make it harder.
- Disable iCloud, especially for your passwords. While it is encrypted in transit, it is the easiest way to hand an attacker carte blanche to every account, and, horrifyingly, it lets them read your passwords in clear text.
- Avoid SMS-based two-factor authentication (2FA) for any online accounts. This is especially important for your cryptocurrency exchanges and wallet services. Other 2FA methods like Google Authenticator are OK but consider obtaining a universal second-factor (U2F) device like YubiKey, Google Titan Key, Thetis, or Kensington for greater safety.
- Set up an account PIN with your carrier. This will be required to set up a new SIM on any phone, though there do seem to be ways around this as well.
- Set up a SIM PIN with your mobile carrier. This will lock bad actors out of your SIM when they steal it. They get three chances to guess your code. The SIM PIN is found under the cellular section in your phone’s settings, and is completely different from the normal passcode used to unlock your phone. When setting your SIM PIN, note that your SIM will come with a default PIN set by your mobile carrier. This varies by carrier, but for Sprint and T-Mobile it should be 1234, and for AT&T and Verizon try 1111. If you guess the wrong one, you could end up locking yourself out of your phone and need to call support. I’ve also heard 0000 is the number for some carriers.
- Consider switching to Google Fi or Google Voice for 2FA. You can set up a phone number which will forward to the one provided by your cellular carrier. If you publish this number and use this number for accounts, it makes it impossible for bad actors to identify your number to steal.
- Disable your phone number as a tool for account recovery. Use a different way.
- Reduce your online footprint by leaving as little personal information online as possible. Strangers do not need to know your birth date or other personally identifiable information. Most importantly, don’t brag about your crypto holdings. Hard to do if it is your job, but no one can target you for attacks if they can’t identify you as a target in the first place.
- Create a secondary email for 2FA. Use this for critical online identities only such as bank accounts, social media, crypto exchanges, and similar services.
- Use a multi-signature or offline wallet to store your private keys. In “hot” (online) wallets, keep only the funds needed for your daily activities. The most popular cold wallets include devices by Ledger or Trezor.
- Use an app to block spam calls. You can also download an app like AT&T Call Protect, which blocks callers probing whether your number is live. And of course, an independent 2FA app like Google Authenticator is ideal wherever it is an option. But if you lose your phone, it’s non-recoverable, so you’ll have to go through a manual review to get back into your account and set up a new one.
How we can do better
First, Face ID gives false security. Any security like it today, including thumbprints, attaches only at the phone level.
Yet biometrics are the ideal way forward for account authentication. Applications need to connect directly to the Face ID or biometric scan, ideally through an immutable record on a public blockchain.
Recovery needs to be tied to biometrics, always. Trivia, like your mother’s maiden name, or secondary authentication sent to a compromised device, is inherently flawed and vulnerable. Coincidentally, true biometrics would also serve the wider blockchain and crypto communities, who need a better way to remember private keys.
Also, there needs to be some accountability and coordination from the phone companies. They have no obligation to report these hacks to the FCC, and could stand to do a better job of educating their call center agents to detect social engineering attacks — or better yet, provide better AI support to learn and adapt with these attacks in real-time.