2FA
Today’s topic is SIM swap fraud, aka SIM swapping. This attack method is far from new but remains a live threat because of how effective it is. SIM swapping attacks pose a serious danger to business because they enable threat actors to gain access to corporate communications, accounts, and sensitive information like financial data.
What is SIM swapping?
SIM swapping is an attack method for hijacking a mobile phone number and transferring it to a device owned by the attackers. Put simply, said attackers go to a mobile telecoms operator’s office, somehow wangle a new SIM card with the number of a victim-to-be (see below for examples of how), insert it into their own phone, and thus gain access to the target’s communications.
It’s typically text messages that are of most interest to the attackers — specifically ones that contain one-time verification codes. Having gained access, they can then log in to accounts linked to the phone number and/or confirm transactions using the intercepted codes.
As for the SIM swapping process itself, there are various approaches by the bad guys. In some cases the criminals employ the services of an accomplice working for the mobile operator. In others, they deceive an employee using forged documents or social engineering.
The fundamental issue that makes SIM swapping possible is that in today’s world, SIM cards and cell phone numbers are not used solely for their designated purpose. They were not originally intended to serve as proof-of-identity which they’ve evolved into.
Now, one-time codes by text are a very common means of account security, which means that all other protective measures can be rendered null and void by a fraudster who smooth-talked a store employee into issuing a new SIM card with your number. Such a threat cannot be ignored.
For the targeted organization, a SIM swapping attack can hit the bottom line hard. Cybercriminal interest in cryptocurrency assets continues to grow as they can be hijacked relatively easily and, more importantly, quickly. However, this method can be applied in more sophisticated attacks, too.
U.S. Securities and Exchange Commission loses X account
For instance, here’s a very recent case. On January 9, 2024, the U.S. Securities and Exchange Commission (SEC) posted on X (Twitter) that it had approved a Bitcoin spot exchange-traded fund (ETF).
This Bitcoin-boosting event had long been in the pipeline, so the news didn’t strike anyone as implausible. Naturally, in the wake of the announcement, the Bitcoin price soared (by roughly 10% to $48,000).
Fake post from the hacked SEC account announcing the approval of a Bitcoin ETF. Source
However, the post was later deleted and replaced with a message that the SEC account had been compromised. The next day, X issued a statement saying that the compromise was due not to a breach of its systems, but to an unidentified individual who had obtained control over a phone number associated with the @SECGov account. Most likely, the jump in the Bitcoin price caused by the fake post meant the fraudster made a killing.
Then, toward the end of January, the SEC itself officially acknowledged that its X account had been hacked by SIM swappers. On top of that, it turned out that two-factor authentication (2FA), at the request of SEC staff, had been disabled by X support in July 2023 to resolve login issues. The issues duly resolved, they then simply forgot to turn 2FA back on — so until the January incident, the account was left without additional protection.
$400 million FTX crypto heist
It was only recently revealed that one of the largest crypto heists in history was carried out using SIM swapping. We’re talking about the theft of $400 million worth of assets from the FTX crypto exchange in the fall of 2022.
Initially, many suspected that FTX founder Sam Bankman-Fried himself was behind the heist. However, the ensuing investigation showed that he appeared to have nothing to do with it. Then came the indictment of a “SIM swapping group” headed by a certain Robert Powell.
Part of the indictment in the case of the $400 million FTX SIM-swap crypto heist. Source
The text of the indictment gave us the details of this heist, which, incidentally, was neither the gang’s first nor its last. The list of victims of its SIM-swap operations runs into the dozens. The indictment goes on to mention at least six more cases, in addition to FTX, involving the theft of large sums of money.
Here’s how the criminals operated: first, they selected a suitable victim and obtained their personal information. Next, one of the perpetrators forged documents in the victim’s name, but with the photo of another criminal — the one doing the actual SIM swap.
The latter criminal then paid a visit to the respective mobile operator’s office and got a replacement SIM card. Text messages with confirmation codes sent to the victim’s number were then intercepted and used to log in to the latter’s accounts and approve transactions for the transfer of assets to the gang. Interestingly, the very next day after the FTX heist, the group robbed a private individual in the exact same way to steal a modest-by-comparison $590,000.
How to guard against SIM swapping
As we see, in cases involving serious amounts of money, your SIM card and, accordingly, 2FA through one-time codes by text become the weak link. As the above examples show, SIM swapping attacks can be extremely effective; therefore, threat actors will doubtless continue to use them.
Here’s what to do to protect yourself:
- Wherever possible, instead of a phone number, use alternative options to link your accounts.
- Be sure to turn on notifications about account logins, pay close attention to them, and respond to suspicious logins as quickly as possible.
- Again, where possible, avoid using 2FA with one-time codes by text.
- For your 2FA needs, it’s better to use an authenticator app and a FIDO U2F hardware key — commonly called YubiKeys after the best-known brand.
- Always use strong passwords to protect your accounts – this means unique, very long, and preferably randomly generated. To generate and store them, use a password manager.
- And remember to protect those devices where passwords are stored and authenticator apps are installed.
Tips