Despite the rise of cybersecurity infrastructure, online identity still faces many risks, including those related to the hacks of users’ phone numbers.
In early July, LayerZero CEO Bryan Pellegrino became one of the latest victims of a SIM swap attack, which allowed hackers to take over his Twitter briefly.
And... we're back in. This was basically my life for the past 24 hours. Luckily we saw hack immediately and the battle began pic.twitter.com/pjrkMfQ2vT— Bryan Pellegrino (@PrimordialAA) July 5, 2023
“My guess is that somebody grabbed my badge out of the trash and somehow was able to trick a rep into using it as a form of ID for the SIM swap while I was leaving Collision,” Pellegrino wrote soon after getting his Twitter account back.
“It was ‘Bryan Pellegrino — speaker’ just your normal paper conference badge,” Pellegrino told Cointelegraph.
The incident involving Pellegrino’s mishap may lead to users assuming that performing a SIM swap hack is as easy as just grabbing someone’s badge. Cointelegraph has reached out to some cryptocurrency security firms to find out whether that’s the case.
What is a SIM swap hack?
A SIM swap hack is a form of identity theft where attackers take over a victim’s phone number, allowing them to gain access to bank accounts, credit cards or crypto accounts.
In 2021, the United States Federal Bureau of Investigation received more than 1,600 SIM-swapping complaints involving losses of more than $68 million. This represented a 400% increase in complaints received compared with the three previous years, indicating that SIM swapping is “definitely on the rise,” CertiK’s director of security operations Hugh Brooks told Cointelegraph.
“If there is no move away from SMS-based 2FA and telecommunications providers do not lift their security standards, we are likely to see attacks continue to grow,” Brooks stated.
According to SlowMist chief information security officer “23pds,” SIM swapping is currently not too widespread, but it has a significant potential to rise further in the near future. He stated:
“As the popularity of Web3 grows and attracts more people into the industry, the likelihood of SIM swapping attacks also increases due to its relatively lower technical requirements.”
The SlowMist exec mentioned a few cases involving SIM swap hacks in crypto over the past few years. In October 2021, Coinbase officially disclosed that hackers stole crypto from at least 6,000 customers due to a two-factor authentication (2FA) breach. Previously, British hacker Joseph O’Connor was indicted in 2019 for stealing roughly $800,000 in crypto via multiple SIM swap hacks.
How hard is it to perform a SIM swap hack?
According to CertiK’s exec, SIM swap hacking can often be done with information that is publicly available or that can be obtained through social engineering.
“Overall, SIM swapping might be seen as a lower barrier to entry for attackers when compared to the more technically demanding attacks like smart contract exploits or exchange hacks,” Brooks said.
SlowMist’s 23pds agreed that SIM swapping doesn’t require high-level technical skills. He also noted that such SIM swaps are “prevalent even in the Web2 world,” so it’s “not surprising” to see it emerge in the Web3 environment as well.
“It is often easier to execute, with social engineering being used to deceive relevant operators or customer service personnel,” 23pds said.
How to prevent SIM swapping hacks?
As SIM swap attacks are often seen as non-demanding in terms of hackers’ technical skills, users must be diligent with their identity security to prevent such hacks.
The core protection measure from a SIM swap hack is restricting the usage of SIM card-based methods for 2FA verification. Instead of relying on methods like SMS, one should better use apps like Google Authenticator or Authy, Hacken’s Budorin noted.
SlowMist’s 23pds also mentioned more strategies like multifactor authentication and enhanced account verification, like additional passwords. He also strongly recommended users establish strong PINs or passwords for SIM cards or mobile phone accounts.
Another way to avoid SIM swapping is to protect personal data like name, address, phone number and date of birth. SlowMist’s 23pds also recommended scrutinizing online accounts for any anomalous activity.
Platforms should also be responsible for promoting safe 2FA practices, CertiK’s Brooks stressed. For example, firms can require additional verification before allowing changes to account information and educate users about the risks of SIM swapping.
Additional reporting by Cointelegraph editor Felix Ng.