How Easy Is It to Launch a SIM Swap Attack? How to Stop One

How Easy Is It to Launch a SIM Swap Attack? How to Stop One

Despite ⁣the ‍advancement​ of⁤ cyber⁤ infrastructure, there are still many ⁤risks ⁤associated ⁢with⁣ online ⁢identity, such as​ those related to phone⁣ number ‍hacking.

In⁤ early July, ⁣LayerZero ‌CEO ​Bryan⁤ Pellegrino ‌was ‍one ⁢of⁢ the latest victims ⁣of⁢ a SIM swap ⁢attack. ‌Hackers⁣ briefly‍ took⁢ over his‌ Twitter account.

We ‌are ⁤back. The ⁤last 24 ⁢hours ⁢have ⁤pretty ‍much⁢ been‌ my⁣ life. ⁣Luckily we saw⁢ the hack right away​ and the fight ‍began pic.twitter.com/pjrkMfQ2vT

Bryan ‍Pellegrino,​ @PrimordialAA‍ July⁣ 5, ​2023

Pellegrino’s⁢ Twitter ⁤account was restored​ shortly⁢ after‍ he got⁢ his‍ badge ⁣back. “I’m‍ guessing someone ‌pulled it⁢ out ​of⁢ the trash and ⁤somehow managed⁤ to ‍get⁢ a ⁢rep to ⁢use⁢ it for⁤ SIM swapping ‍while ‌I⁣ was‌ leaving Collision,” ⁣he wrote.

Pellegrino ⁣said ‍the ⁤paper⁣ badge⁢ just said ‌”Bryan ⁢Pellegrino⁣ – ⁢Speaker”.

Users​ may assume that​ a‍ SIM hack is easy to ⁣perform if they just​ grab someone ⁢else’s⁤ ID.‌ AskFX contacted a few cryptocurrency ⁣security ⁤firms⁤ to​ see ⁤if‌ this ​was ​the ⁢case.

What​ is ⁤a SIM hack?

SIM‍ swap hacks ⁣are⁤ a⁢ type of ​identity ⁤theft⁤ in which ‍attackers ⁤steal‌ a‍ victim’s ‍number​ and ⁣gain ​access ⁣to ‌their bank account, ​credit card,‌ or​ crypto ‍account.

The‌ United‌ States Federal⁣ Bureau⁤ of⁤ Investigation⁤ (FBI) received 1,600 SIM swap‍ complaints in⁣ 2021,‍ resulting⁢ in over‍ $68 ‍million in losses. ‌Hugh ‌Brooks, ⁣CertiK director of security​ operations, told AskFX that​ this⁤ is a⁣ 400%⁢ increase in⁤ complaints‍ compared to the past three ​years.

Brooks said‍ that ‌unless​ telecom ​companies ⁢increase their ‍security standards and ⁣there‍ is‌ no ‌move away from SMS-based ‌2-FA, attacks⁤ will‍ continue⁣ to increase.

According ⁣to⁤ 23pds, SlowMist’s Chief Information ⁣Security ⁣Officer,⁣ SIM swapping ‍is not‌ yet widespread but has ⁤the potential ‍to ⁢grow⁣ in the future. He said:

As Web3​ becomes⁢ more ‍popular‌ and attracts​ new ⁣people‍ into ⁤the industry,⁤ the​ likelihood ⁢of SIM swapping ⁢attacks⁤ also increases due ⁢to ⁤the⁤ reduced‌ technical ⁣requirements.

The ​SlowMist‍ executive ⁤cited some recent ‌cases‍ of SIM ⁢swap ⁤hacks that ‌have⁣ occurred in​ the ‍crypto world. Coinbase ⁤announced in October⁤ 2021 ‌that⁤ hackers stole ‍cryptocurrencies from 6,000 customers due​ to‌ a ⁤two-factor⁣ authentication‍ breach. In 2019, ‍British ‌hacker Joseph​ O’Connor ‌was accused ⁢of ⁢stealing about​ $800,000 ⁢worth‌ of cryptocurrency through multiple ​SIM ​swap ​hacks.

How difficult ​is it ‍to hack a​ SIM ​card?

According to ‍the​ CertiK executive, ‌SIM swap‌ hacking‌ is ⁣often ‌done using ⁤information‍ that‌ is​ publicly ⁤available‌ or ⁣can be obtained ‍through​ social engineering.

Brooks​ stated that “overall SIM swapping could‍ be⁢ viewed ​as an ‌easier entry​ point for⁣ attackers than more​ technical attacks​ such‌ as ‌smart ‍contract exploits ⁤and ‍exchange hacks.”

SlowMist’s⁣ 23pds team ⁢also agreed,‌ that⁤ SIM replacement ‌does not require advanced ⁤technical⁤ knowledge. He noted that ⁢SIM swapping is “common​ even‌ in⁤ the Web2 ⁢environment” and ‍so​ it⁢ is ⁢”not‍ surprising” ⁣that ⁢it ‌is being ⁤observed ⁤in Web3.

23pds​ stated that ‍social engineering is often ⁢used⁢ to trick relevant operators⁣ or ‍customer service representatives.

How ​to​ prevent⁢ a‍ SIM ⁢swap?

Users must ‍ensure⁤ their⁣ identities ‌are ⁣protected to‌ avoid ‍such ‌hacks as SIM swap‌ attacks can ​be​ considered⁣ low ⁢technical skill by hackers.

Restricting​ the ‌use of‍ SIM card-based‌ 2FA ​methods is the ⁣best⁤ protection⁢ against ‌a SIM swap ⁢hack. ⁤Hacken’s⁢ Budorin said it’s better to use​ apps like‌ Google⁢ Authenticator and ⁢Authy ⁤rather​ than⁢ solely‍ relying on ‌SMS-based ​methods.

SlowMist’s ‌”23pds” also⁣ mentions other⁢ strategies, such as ‍B. ⁢Multi-factor authentication ⁣and ​advanced⁢ account ‌verification, ​such as​ B.⁣ additional ⁣passwords. ‌He also ‍recommended users to create ‌strong passwords⁣ or ⁢PINs‌ for⁣ SIM cards and ⁤mobile⁢ phone⁢ accounts.

Protecting personal information such ‍as ⁤your ⁢name,⁤ address, phone number and date‍ of ​birth​ is ​another ⁣way to ⁤prevent⁢ SIM ⁢swaps. ‌SlowMist 23pds recommends⁢ that you also check ⁢online‌ accounts ⁢to ‌see⁤ if there ‌is⁤ any​ unusual activity.

CertiK’s Brooks⁤ emphasized that platforms should⁤ be held ‍accountable ‍for promoting 2FA‌ security.‍ For ⁤example, companies can ‌require additional ​verification before allowing account ‌changes⁤ and educate users‍ about​ the ⁤risks⁢ of‍ switching ⁤SIMs.

Felix ⁣Ng,​ editor of ‍AskFX, ‍contributed‌ to ‌this ⁣report.

Related Articles

AskFX.com