The attacker deceived service providers to take control of the victim’s SIM card. This cryptocurrency fraud strategy has been used very often since 2017.

A computer engineer explains how he lost US $100,000 in cryptocurrencies through the hijacking of his phone’s SIM card. This type of attack, also known as SIM swap fraud, was committed by cybercriminals to access his Coinbase wallet.

BitGo Chief Engineer, Sean Coonce, published his story on Medium last May 20th. He says that the hacking or “SIM port attack” was perpetrated within a period of 24 hours and that the attacker is now managing his cryptocurrency account.

Coonce explains that through this process the attacker deceives a service provider into transferring the victim’s telephone number to a SIM card placed in a device under his control. In this way, he can reset the passwords and access the victim’s online accounts.

This number transfer service, offered by most cell phone providers, is taken advantage of by cybercriminals to carry out SIM port attacks, which usually begin with the hacking of the victim’s e-mail account, as the investor narrates in his story.

Coonce says that once cybercriminals control the main e-mail account, they start using it to administer profitable online services like bank accounts and social network accounts, among others. He notes that they can even block the victims’ access to their own accounts, leaving them with few resources to recover them.

The Attack in Several Steps

According to Coonce, the attack started when the hacker succeeded in transferring his telephone number to a SIM card installed in a device in the hacker’s possession. In order to do that, he requested the change from the service provider.

Once the change was authorized, he used the SIM card to reset the victim’s Google account through the two-factor authentication (2FA) process based on SMS messages, also changing the password. Afterward, he used the e-mail account to start the procedure to recover the password of the cryptocurrency account.

In the end, both the e-mail account and the cryptocurrency account were manipulated by the cybercriminal to conduct several transactions. In this way, he could transfer and spend funds, quickly emptying the victim’s account.

This type of crime has occurred very often since 2017, when a growing number of attackers began calling the companies Verizon, T-Mobile US, Sprint and AT&T, asking them to transfer control of a telephone number to another device under the hackers’ control. Last year American investor Michael Terpin filed a US $224 million lawsuit against AT&T, after being a victim of this kind of fraud whilst this company was his service provider.

Some Recommendations

Investors should have different options to protect their crypto assets from cybercriminals, among which are using cold wallets and storing assets offline. Besides, they must be aware of the weaknesses of the 2FA process based on SMS messages, so they are advised to use physical hardware authentication devices.

Additionally, they can use the Google Voice 2FA service to establish a 2FA recovery number without the need for a SIM card. It is also recommended to create secondary e-mail accounts, avoid sharing much personal data on the Internet, and use offline password managers.
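
The chain described in the attack steps (phone number, then e-mail, then exchange account) and the hardware recommendation above can be checked by modelling account recovery as a graph. The Python below is an added example, not taken from Coonce's post or from this article; the account names, factor names and recovery paths are constructed assumptions.

```python
"""Recovery-chain model: which accounts fall if one factor is taken over?
All account names, factor names and recovery paths are constructed."""

def takeover(accounts, start):
    """Fixed-point closure: an account falls once any one of its recovery
    paths is fully covered by factors/accounts the attacker already holds."""
    held = set(start)
    grew = True
    while grew:
        grew = False
        for name, paths in accounts.items():
            if name not in held and any(set(p) <= held for p in paths):
                held.add(name)
                grew = True
    return sorted(held & set(accounts))

def single_points_of_failure(accounts, target):
    """Base factors (not accounts) that alone are enough to reach target."""
    factors = {f for paths in accounts.values() for p in paths for f in p}
    factors -= set(accounts)
    return sorted(f for f in factors if target in takeover(accounts, {f}))

# Setup as in the incident: an SMS code resets the mailbox, and the mailbox
# receives the exchange's password-recovery message.
SMS_RECOVERY = {
    "email": [("phone_number",)],
    "exchange": [("email",)],
}

# Assumed hardened setup: no SMS path; a hardware key is needed at every step.
HARDENED = {
    "email": [("hardware_key",)],
    "exchange": [("email", "hardware_key")],
}

if __name__ == "__main__":
    for label, model in (("sms", SMS_RECOVERY), ("hardened", HARDENED)):
        print(label, "ported number takes over:", takeover(model, {"phone_number"}))
        print(label, "single points of failure:",
              single_points_of_failure(model, "exchange"))
```

Listing your own accounts and their real recovery paths in this form shows whether the phone number is still a single factor that reaches the exchange account.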

By Willmen Blanco
