Thursday 24 June 2021

Cryptocurrency Phone Scam: SIM Swapping

One of the promises we make to our community is to go out of our way to ensure that they know what they can do to remain protected.

A Cautionary Tale and Tips on How to Not Panic

Vince Wicker
May 24 · 7 min read

So today, when I came across a disturbing story about a mobile phone and crypto exploit that has been going on since 2017, I decided to dig into it a little with the help of Phillip Ross, a member of the BEES.Social community who covers security protection and prevention on our BEES Social TV (YouTube).

This is the Facebook Group post I saw this morning.

“Someone remotely changed the SIM card information on my T-Mobile phone. Then made 3 attempts to access my Yahoo & Gmail accounts. They even tried to hack into my Coinbase account…”

To which someone else immediately replied,

“This happened to me about 5 times since January, and they hacked my Binance.US account and withdrew my funds. I’ve been going back and forth with binance.us and have basically been ignored.
I emailed the Computer Crimes unit in Maryland, not much progress. I’ve gone to Metro by T-Mobile corporate, and they ‘started an investigation’.
I provided a log of store ID numbers and operator numbers who authorized these SIM swap transactions inside of physical Metro locations to gain names and evidence; Metro still hasn’t responded to me with substantial information.
…I’ve now secured all my crypto/asset accounts on a separate encrypted email.”

The last comment from someone else in that thread explained the “social engineering” part of this scam.

“I work for a wireless carrier… SIM swap attacks are 99.9% possible due to employees not doing their jobs correctly or not having thick enough skin when a customer goes in or calls in acting all irate.”

SIM-SWAP What?

According to the US Federal Bureau of Investigation (FBI), this is the attack pattern:

  • Identify the victim: Identify a victim likely to own a large amount of digital currency, particularly cryptocurrency. Identify the victim’s mobile telephone number and mobile phone carrier.
  • Swap the SIM card: Socially engineer a customer service representative at the mobile phone company into porting the victim’s phone number to a SIM card and phone controlled by the attackers.
  • Password resets: Initiate password resets on the victim’s email, cloud storage, and social media accounts (password resets are usually accomplished by text messages to the victim’s telephone number).
  • Access accounts: Gain access to the victim’s accounts and identify any digital currency keys, wallets, and accounts the victim may have stored in them. With control of the victim’s phone number, defeat any SMS-based or mobile-application-based two-factor authentication on those accounts.
  • Steal currency: Transfer the digital currency out of the victim’s accounts into accounts controlled by the attackers.

What’s missing here?

Non-custodial wallets are what’s missing! You’ll hear people in the community advocate for non-custodial wallets, including hardware wallets, over custodial wallets under centralized control.

As well, the people on this post’s thread were asked why they did not use a hardware wallet or a browser-based wallet such as Metamask. In short, without rubbing salt in the wound with a trite “not your keys, not your wallet” statement, people asked these victims why they left their funds in a centralized, custodial wallet.

The first victim held most of their crypto in a hardware wallet; their day-trading funds on Binance.US were the target. The other victim only caught the attack because they happened to be on their laptop when it occurred and kept cancelling the credential-change requests as they arrived.

We recommend non-custodial wallets, and when your assets reach a level that you don’t feel comfortable with just “having around” on your phone or laptop, look into a hardware wallet.

How Are The Mobile Phone Carriers Helping Secure Things?

The carriers have made attempts to help with some of this, and some are more formal than others. Why there is no uniformity is something others need to work out, but here are the measures we were able to find:

  • T-Mobile has a feature called NOPORT. When it is enabled on your account, a customer must physically show up at a retail store and present a government-issued photo ID to have their number ported to a different carrier or to get a new SIM card. FYI: T-Mobile does not advertise NOPORT; many people only find out about it AFTER they’ve been hacked.
  • Verizon has a feature called “Number Lock.” Once that feature is enabled, the phone number can’t be ported to another line or carrier or swapped to another SIM unless the person who added the lock removes it. This is an obvious (advertised) feature accessible in the My Verizon app. It is not an impenetrable force field, though; a Verizon employee can override it once a customer verifies themselves. It does provide an extra layer of security.
  • Sprint takes a “risk-based approach” to SIM swaps. Depending on the account type, Sprint’s risk scoring could require a one-time password (OTP), the OTP plus a PIN, or the OTP, the PIN, and another code.
  • AT&T, in most cases, asks that you create a unique passcode for your account and requests that its customers “be vigilant.”

The FBI does recommend these precautions:

  • Protect your personal information: Avoid posting personal data online, such as your mobile phone number, address, or other personal information. Bad actors often do significant information gathering before attempting to compromise a target. Do not leave important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver’s license).
  • Protect your financial information: Avoid posting information online about your financial assets (including cryptocurrency), especially on any social media websites and forums.
  • Take precautions with your mobile service provider: Call your mobile service provider and place a PIN on your account; only individuals with the PIN should be able to make any changes to the account. In addition, place a note on the account mandating that any change to the account be made in person at a physical location.
  • Use unique passwords: Secure online accounts with unique passwords — preferably passphrases — and do not re-use the same password across each account.
  • Use two-factor authentication apps or physical security keys: Activate two-factor authentication on every online account when possible; preferably using a standalone authentication app such as Google Authenticator instead of SMS. A physical security key is even better.

What Would BEES.Social Do (WWBSD)?

In the world of cryptocurrency, you are in charge of your destiny. Here are some things we advise along with some quotes from the chat Phillip and I had about this topic:

  • Call your mobile phone carrier and demand the highest level of protection for you, your family, and your friends. Switch if you have to (if it makes sense).
  • Get a two-factor software authenticator from Google (Google Authenticator), Microsoft (Microsoft Authenticator), or Twilio (Authy: https://authy.com/). Consider a hardware authenticator as well.
  • We like non-custodial wallets and moving our cryptocurrency from custodial (centralized) exchange wallets to non-custodial wallets.
  • According to Phillip Ross, “Look at locking down your personal web-based emails with a 28-character password and set up a non-SMS Two-Factor Authenticator, because using extra layers of security only ensures safer means on your data and assets.”
  • Ross also advises, “Do not ever share your private keys, EVER! Do not store any pictures of your seed phrases, passwords, or other important data on your phone. Put your seed phrase on paper always, whether or not you have a hard wallet drive such as a Ledger Nano “S” or “X”, or a Trezor.”
  • Be extremely vigilant about your personal information online. Bad actors are everywhere. Report spam and block spam phone numbers. Do not open or answer an unknown message that carries a website link or advertisement; delete it, move past the ad, and stay safe.
  • Use your own data when away from home. According to Phillip Ross, “Your hotspot plan (and only using websites that begin with HTTPS) is your best option to remain secure. Free access sites are insecure; do not use these for free WiFi. It’s just not worth someone pretending to be the free WiFi hotspot and stealing your information.”
  • A hacker will try multiple approaches, so keeping up safe browsing habits matters most. As we know, there is no technical support, but as custodians of our own wallets, if you feel things are not safe you can always uninstall the Coinbase, Metamask, or Gemini app. You can always reinstall later: a non-custodial wallet such as Metamask is restored from its seed phrase, and an exchange app from your account login.

If you really need help, go to one of our social channels for more information.

Ask on Telegram and Facebook and you will get help from not just one, but many people. We will never ask for any of your private credentials. Check us out on YouTube (https://www.youtube.com/c/BeesSocialTV/playlists).

We are here to help everyone; especially when it comes to security.

BEES.social

The largest cryptocurrency educational community on the planet


https://medium.com/bees-social/cryptocurrency-phone-scam-sim-swapping-bfd8c385b5f9

Sunday 13 June 2021

Decentralized Finance - The Emerging Future of Crypto Trading



“Crash or ☄ Clash?” - The emerging shift to DeFi

Do Not Miss Mondays: the women take control of the cryptocurrency convo.
An all-woman take on the crypto space.

Bees.Social will be the go-to platform where all the up-and-coming companies will launch their tokens and we have a few introducing soon! As always if you have a Crypto Question we have Crypto Answers.

https://bees.social/contact/

Subscribe to BEES.Social Youtube channel https://www.youtube.com/c/BeesSocialTV/

Watch Yield Farming Crypto Guide https://vimeopro.com/beessocial/yield-farming/video/524518979



Thursday 3 June 2021

What Is Yield Farming Crypto? Beginners Guide


So, Compound introduced a four-year period during which the protocol would distribute COMP tokens to users who were yield farming, a fixed amount every day until it was gone. These COMP tokens govern the protocol, just as shareholders ultimately control publicly traded companies. “Farming opens new price arbs that can spill over to other protocols whose tokens are in the pool,” said Maya Zehavi, a blockchain consultant. Broadly, yield farming is any effort to put crypto assets to work and generate the highest return possible on those assets. Note that receiving interest rewards is a taxable event in many jurisdictions (including the US): you owe tax based on the market value of the token at the time you receive it.

What Is A Smart Contract in DeFi?

Mistakes made while learning can also lead to substantial transaction fees, making liquidity mining inefficient or unprofitable. RedditGifts is a program that offers gift exchanges throughout the year. The fan-made RedditGifts site was created in 2009 for a Secret Santa exchange among Reddit users, which has since become the world’s largest and set a Guinness World Record. For the 2010 holiday season, 92 countries were involved in the Secret Santa program. There were 17,543 participants, and $662,907.60 was collectively spent on gift purchases and shipping costs.

As an example, a 2014 study showed how subreddits can support role-based group recommendations or provide an assessment of group stability and growth. Another study suggested a link between cognitive and attention dynamics and the use of online social peer-production platforms, including the effects of deterioration in user performance. There is also work that examined the influence of Reddit posts on the popularity of Wikipedia content.

Uniswap incentivizes liquidity providers to deposit into its pools by paying them a share of the fees from trades that use those pools. If you’re already familiar with staking and earning staking rewards, you’ll be happy to know that yield farming is broadly the same idea: you lock up assets and collect a reward for doing so.

What is a good corn yield per acre?

For the 2020 crop year, USDA estimates U.S. corn yield to be 181.8 bushels per acre, surpassing the record-setting estimate of 178.5 bushels per acre from earlier this year.

In exchange for lending your ETH, Rari pays you 21.15% APY in RGT. That’s why we have produced a FREE DeFi yield farming guide for beginners.

Protecting Your Nest Egg: 403b to Gold IRA Rollover

Investing in Gold: Rollover Your 403b to a Gold IRA Transferring your 403b retirement savings plan into a precious metals IRA can provide se...