Linking various financial services to a phone number is certainly convenient. However, two-factor authentication via SMS can become a gateway through which attackers can take over your cryptoassets.In many online services, including cryptocurrencies, the phone number is most often used for two-factor authentication. It would seem that this is the “gold standard” that reliably protects clients’ funds by having non-reusable passwords via SMS. But in reality, it’s not that simple.SIM swapping, or SIM card substitution, is a common type of scam, allowing to steal millions of dollars in crypto or fiat money. The essence of the scheme is that the scammer gains the victim’s data, in particular, the phone number, and then requests the mobile operator to reissue the SIM card, pretending to be its real owner. After the hacker gets a SIM card, he can enter any service linked with this SIM card by two-factor authentication via SMS, including a cryptocurrency wallet.According to the Federal Trade Commission (FTC), in 2013 cases of identity theft through SIM cards accounted for 3.2% of all thefts of personal information, and already in early 2016, their number almost doubled, amounting to 6.3% of all cases of identity theft. Every year the situation is getting worse and hackers successfully use cloning of SIM-cards to gain access not only to social media accounts, but also to bank or cryptocurrency accounts.In 2018, Crowd Machine, a cryptocurrency startup, was attacked by hackers using SIM swapping. Scammers were able to withdraw 1 billion tokens of the project. Also last year, the scammers managed to withdraw $ 50,000 in cryptocurrency by substituting a SIM card from the Binance exchange. In spring, 2019, hackers stole $ 23.8 million from an entrepreneur from the United States, gaining access to his SIM card.While SIM swapping is a common problem, there are a number of steps you can take to help prevent your assets from being stolen.
First, you should realize that tying two-factor authentication via a phone number to important resources is obviously dangerous. If you use a factor, then it is better that it be either a mobile application to get the second factor, or a hardware key that gives out the second factor.But, if it is not possible to use anything other except a phone number as a second factor, it is desirable for this to be a contractual connection. In this case, the SIM card is restored according to the ID of SIM card owner.
It is also advisable to visit the office of the mobile operator and submit a claim that any actions with the SIM card should be made only after presenting the ID, and, possibly, in a specified office. This will allow you to keep under control all actions with the SIM card.
Since SIM swapping is a fairly common situation in the cryptocurrency community, all available methods to prevent it should be used.