A Californian cryptocurrency investor recently filed a $224 million lawsuit against his mobile phone provider, AT&T, over the loss of a large amount of cryptocurrency.
Last week Michael Terpin, who co-founded BitAngels, an angel group for Bitcoin investors, filed suit seeking $200 million in punitive damages and $24 million in compensatory damages from AT&T. Terpin was the victim of a SIM Swap Attack which allowed hackers to steal roughly $24 million from his cryptocurrency accounts. Terpin is suing AT&T for negligence, comparing the phone company’s mishandling of his private data to a hotel giving a thief with a fake ID a room key.
So how was a hacker able to drain the crypto accounts of this businessman by simply gaining access to his telephone account? A SIM Swap Attack involves a scammer posing as a customer service representative of a mobile telephone company. They contact the victim, offer upgrades or discounts to their mobile service, and ask the victim to verify their credentials. The unsuspecting target provides their credentials, which the scammer then uses to contact the mobile company and fool it into cancelling the victim’s mobile number and reactivating it on a SIM in the scammer’s possession. This results in the victim’s SIM being deactivated while the fraudster gains control of the mobile number.
This scam seems like a rather convoluted way to steal a victim’s phone data plan. However, the scammer is not after free phone and data usage; they’re after something much bigger. By diverting the victim’s incoming messages, the hacker can use the compromised phone number to verify and complete two-factor authentication checks. A two-factor authentication check is simply a method of confirming a user’s identity by using a combination of two different factors, such as an email address and phone number. Two-factor authentication is commonly used to verify online accounts, and is widely used by cryptocurrency exchanges. But aside from providing two-factor authentication confirmations, the compromised number can also be used to trick services into verifying or resetting passwords.
Traditionally, SIM Swap Attacks have been used to drain bank accounts or to hold the victim to ransom by threatening to release private information or data attached to the phone number. Many social media services such as Instagram use two-factor authentication, so a SIM Swap Attack can be used to access a celebrity’s social media account. It’s interesting to note that this is how nude photos of Justin Bieber were released to the public!
With the rise in popularity of cryptocurrencies, SIM Swap Attacks are now being used to target the accounts of crypto investors. Bank accounts are insured and stolen funds can be tracked. Social media accounts can be temporarily switched off in the event of a suspected attack. But unlike banks or social media platforms, which are centralised companies, cryptocurrencies are bearer instruments, meaning that they can be stolen with no trace and no recourse.
So what are some solutions to reduce the risk of a SIM Swap Attack on your crypto? It should be stressed that cryptocurrencies really shouldn’t be held in large amounts on exchanges. Exchanges carry third-party risk and are hacked regularly through a variety of ingenious methods. Most crypto holdings should be stored offline or on secure hardware wallets. But if it’s necessary to use a cryptocurrency exchange, then a solution may be to use multiple exchanges to spread the ‘exchange risk’. The whole purpose of cryptocurrencies is to decentralise assets, so keeping the entirety of a crypto portfolio in one wallet or on one exchange defeats the purpose of holding a decentralised asset.
Another way to minimise the risk of a SIM Swap Attack, or any identity attack for that matter, is to separate your identity from your crypto. Many exchanges do not have ‘Know Your Customer’ (KYC) requirements. When using these exchanges, it may pay to create an entirely new email address and profile that is not related to your personal identity. This provides anonymity and reduces the chances of your identity being stolen and used to access your account.
But in order to transfer currency in and out of the crypto ecosystem, many cryptocurrency investors use a regulated exchange which requires KYC verification. These exchanges are useful because they connect the crypto world to the banking system, allowing users to seamlessly move funds in and out of crypto using their bank account. But they are vulnerable to SIM Swap Attacks because the customer’s real identity is used to verify the account. So using a combination of KYC regulated and unregulated exchanges may be a way of avoiding a SIM Swap Attack.
Phone plans are cheap, so if you plan to use a mobile device for two-factor authentication, an idea may be to create a designated phone account just for crypto trading. But keep in mind that ID is required to open a typical phone number account, and the ID and credentials supplied to the phone company can be hacked.
It’s important to keep in mind that phone numbers were never intended to be a way to confirm identity, so the limited security of phone companies is a vulnerability. Instead of using a phone number to authenticate access to an account, designated authentication apps like Google Authenticator may be a better way to perform two-factor authentication.
SIM Swap Attacks are just another scam to watch out for when holding cryptocurrencies. The story of Michael Terpin’s $24 million loss is an example of why caution must be taken when investing in cryptocurrencies.