Bitcoin Forum

Forget cryptojacking, SIM hijacking now seems set to become even more lucrative for criminals looking to cash in with bitcoin from the burgeoning space.

]A 20-year old college student from BostonMassachusetts was arrested in California earlier this month on charges of being part of a gang that hacked cellphone numbers before stealing over US$5 million in bitcoin and other cryptocurrencies.

According to Motherboard, the number of cell phone numbers that the Bostonian named Joel Ortiz and his accomplices hacked using a technique referred to as SIM swapping or hijacking was about 40. With SIM hijacking, mobile operators are tricked into transferring the phone number of a target to a SIM card that’s under the control of the criminal. Upon obtaining the number the criminals can then reset passwords before accessing online accounts of their victim.


Read more about this news https://www.ccn.com/sim-hijackers-steal-over-5-million-in-bitcoin-in-first-reported-crime-of-its-kind/

The first time I can say I'm happy to be with Orange..

When I got my sim damaged I had to go in person to a store with my id card and my PUK code in order to give me a new one and on top of that I've had to wait until they've verified that indeed that was the original sim

Took me 2 hours of waiting and I've cursed them with every damn word in my fucktionarry but now reading this I'm quite happy things are like that.

SIM hijacking is a serious issue and is an attack vector that has been known for years. It's why the usage of mTAN by banks has been critized as highly insecure in the past. I'm not sure about the actual success rate of said attacks, but they have existed for quite a while now [1]. Reading stompix' post it seems like at least mobile providers finally got the memo though.

The lesson: Don't rely on text messages for 2FA! Use an app or a dongle instead!

(German source only, sorry)
[1] https://www.heise.de/security/meldung/Online-Banking-Neue-Angriffe-auf-die-mTAN-2851624.html

That’s alarming to all to secure their account & password, because they can be victim as well.
For that it is necessary to use one time password along with 2 way authentication, it will be more usefull if you used hardware wallet.

This attack was happening a few years back to youtubers. A lot of high profile youtubers were getting their account hacked because they had T-Mobile and their security policies weren't very strict. Hackers would just call customer support, pretend to be the youtuber, and boom they get their simcard. 2FA through text is the least secure method for 2FA. As you said, use an app like authy or google authenticator. Infinitely more secure.

What's a 2FA dongle though? I have never heard of a dongle for 2FA before, but I would love to get one.

It's freaking scary how much you can achieve by simply calling customer support. I always get a bit uneasy when I get in touch with customer support that seems to handle support requests a tad bit too informal for my taste. Sure it's convenient, but also... you know... insecure.



Yubikey for example:
https://www.yubico.com/products/yubikey-hardware/

I have no personal experience with this hardware, but recently read an article about how Google has shifted away from app-based 2FA to Yubikeys. Apparently they've been using them internally for 1-2 years by now, with good results. Not sure how widely supported they are though.

It always amazes me that people who have so much money stored in cryptocurrency are so technically inept and bad at security.

If your 2FA can be reset/hacked by the same method that would reset/hack your logins/passwords, then it isn't 2FA. Use one that isn't linked to or backed up on your SIM, email, etc. Some hardware wallets such as the Ledger have a 2FA app available for them.

I heard that it is not convenient to store bitcoin for a long time, and maybe only 2FA Google authentication protection authority can eliminate this crime

Information is terrible !!!
They can steal information from our sim.
Their actions are condemning. High-tech security and privacy activists need to take action to reverse the bad behavior!

Those attacks do not involve stealing information from SIM cards. They don't even require access to the victim's mobile phone (neither physically nor via malware). It's a question of lacking security procedures from the side of mobile operators. Those were social hacks, not technical ones.

Security researches have warned about the risks of SMS based 2FA for almost a decade. Most mobile operators did next to nothing to alleviate these risks. Banks continue using mTANs. Websites and many users continue relying on SMS based 2FA. For some unfathomable reason apparently even tech companies still rely on SMS based 2FA in some cases, with obvious results: https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

People need to start listening to security researches instead of viewing them as paranoid nerds. But they never do until shit hits the fan.

/rant

SIM hijacking has absolutely nothing to do with cryptojacking, they are completely different kinds of attacks and the only thing they have in common is the word "jacking". So, why should we forget cryptojacking?

This attack is not new, it has been around for years and people who are into security know that mobile authentification is weak and things like google authentificator should be used instead.

This is purely not the fault of the phone holder because there is no way to control what someone who steal your phone can do with it. The fault is actually from the service provider with how much they pride themselves as using state of the art facilities, they could be tricked into giving personal information in  such a cheap way and not asking for more information to clarify before giving such information. I wish those who suffer the losses should sue them for the losses as they should be the one held responsible for such vulnerability. I also wish the way they attach it to crypto currency is just to make a statement as it surely more than that, people have their phone numbers linked to their bank accounts which means some other people would have suffered huge amount of loss from that end too. The people involved should be prosecuted and made to face the law but also those who made it possible in this case the service providers should also be made to pay.

SimJacking is a serious crime and takes high knowledge and long preparation - serious type of crime.

It partly is, though. We know SMS verification is inherently insecure, and has been for years. Continuing to use it is akin to using the same simple password for every account you own.

If you have enough IT knowledge to buy and store crypto, then you definitely have enough to use proper 2FA.

This isn't really new information to be honest. People have been having issues with 2FA being easily broken by similar cases for quite a long while now. Which is probably why you mostly see token based 2FA rather than the old style.

yeah, they may have studied with a short time and this is dangerous

This is sad. Seems like the hackers are coming up with new ways to make money out of people's hard earned coins. The telecom companies need to be more cautious because such incidents will defame their names on the process.

I'm glad I live in a country ,where phone numbers can't be just transferred from one SIM card to another.
I was reading some other posts here,claiming that smartphones are the most secure place to store cryptocurrencies,because the crypto wallet installed on the phones has no connection to the phones's operating system nore to internet.What a joke?

It's the mobile operators' fault for allowing the SIM transfers. It's relatively easy to social engineer one's way around a customer support agent over the phone if some credentials of the victim are known and, after gaining access to the phone number, the intruder can go to town resetting all victim's accounts. SIM transferring should only be allowed by visiting the company's offices and doing it in person after verification of the identity of the SIM owner. I have heard a lot of horror stories about SIM hijacking - mainly famous influencers' Twitter accounts getting hacked via social engineering and lax security protocols of the mobile operators.

The power of SIM cards is incredible these days. Banks are using them for verification, crypto wallets have them with 2FA, and more and more sensitive information is being stored on people's phones.

It's hard to believe that you can lose so much if you lose your phone. A thief can use that phone to access your information and take out massive loans in your name. Or they could get your bitcoin keys, bank password, anything you use to keep money. People need to be more careful about what they leave lying around inside their phones.

But yeah, it's definitely the operators' fault. That's just plain stupid, transferring SIMs that easily.

I don't believe that you should blame anyone for what happen even the mobile operators are not aware but still they are liable for what happened. Criminals will do whatever they think they can give them huge money. Every system has its vulnerability and its to us (users and the mobile operators) to make strengthen the security what we have by communicating each other regarding this matter.

That is really scary, thanks for sharing the news with the community. Hopefully, people will be more careful from now on. Seems like the 2FA that we relied so much upon isn't actually safe at all. Hardware wallets that have an separate 2FA feature should be the best possible solution right now.

You realize that you're contradicting yourself in just one line?
I'm willing to bet you actually have no clue what this is about.


Just stealing your phones means nothing, the thief would have first to get it unlocked, then try to find if you have accounts with 2fpa, find the username....It's plenty of time to just call your operator, tell them your security code and block the sim.


What country is that?

The news is really dangerous. I think we should be more careful. Thank you that you shared the news. This will benefit many. SIM hijacking, more than 5 million US dollars have already been stolen. I think our warning will safeguard us.

This days SIM service has been more available than ever, SIM services should be secured by the operators using new technology. Over the phone or PIN, PUK these are considerably secured but highly risky as well. We need to have a more secure technology to handle these issues. Then hacking would be controlled.

This is really concerning right now. If such incidents can happen and people can hack our sim so easily then we need to opt for apps for 2FA. Right now it looks like mobile 2FA is the weakest of all the verification method available out there.

A 20-year old college student from Boston, Massachusetts was arrested in California earlier this month on charges of being part of a gang that hacked cellphone numbers before stealing over US$5 million in bitcoin and other cryptocurrencies.

The link in this news are in the top if you are interested

Hacking has been a serious issue in this, market and now the sim hijacking comes which is even more vulnerable. I think mobile operator, sim companies, phone manufacturing companies should do best from their respective parts to tight the security to stop such hacking.

Read what I was asking!!!!!!!!!
He claimed in his country phone numbers can't be transmitted from sim to sim, which sounds impossible.

So, just like the victims, pay some attention!

It seems there will be nowhere to run to from these hackers as time goes on. New methods of hacking emerge from time to time, leading to the loss of huge sum of money. These people seem capable of putting cryptocurrency at great risk. What can the way out be? Today, there is a latest security and the next day it has been broken.

this is very upseting news, but phone owner does have any fault here cause if SIM is hacked then the owner can't control it , SIM companies support is mandatory then and we really hope they will provide these support to the users

We need to raise awareness among the public who are investing in cryptos. They should know that keeping their cryptos in exchanges is never safe. The best way to keep your cryptos safe is to use hardware wallets, software wallets are also a secured way to store cryptos. 2FA authentication is also failing to keep cryptos safe from hackers. I hope there will be a solution to these hackings soon.

Hello,

Really interesting topic thank you because I was not aware of this kind of hack. Really surprising that so young guy was involved and the stolen amount seems really huge !

I try to secure at the maximum my assets but always better to know the différents technics that evolve really fast.

it's a very serious crime , but its been happening for a long time. with the right precautions it can be avoided

In my opinion sim hacking is not new. It has been here for a long time ofcourse it is harmful but I dont think it is harmful or can do any harm to your cryptocurrency balance beacuse it is secured with blockchain technology.

This is a really serious issue. We all should be careful and make ourselves more secured. Otherwise it can be happened with anyone among us.

So you can't do nothing really about it, it's operator's fault cause they felt for social engineering bullshit.

I have noticed that a large numbers of criminals are now targeting bitcoin. So we all should be alarmed. Bitcoin is so much popular now. It can easily allure criminals.

Those sim hijackers have to be not get prisoned but hired by the operators so that the hijackers can gain more than $5 million.

One common crime that's carried out on cryptocurrency investors is the phone-porting attack. Hackers snoop around social media, looking for cryptocurrency conversations in which investors post their phone and email for easy contact. Then, posing as the victim, they call up the phone provider in an attempt to fool the customer service representative into transferring the phone number to a device they control. Once the hackers take over the phone number, they can go into the victim's cryptocurrency exchange account by resetting the password, ultimately stealing cryptocurrencies from the account. Cody Brown, a virtual reality developer, blogged about how he lost around $8,000 worth of cryptocurrencies on Coinbase in 15 minutes, triggered by a phone porting attack on his phone account. A cellphone number is not the only point of weakness. Adam Dachis, a former writer for Lifehacker, says his Coinbase account was ransacked in May by hackers who took control of his home computer, costing him $10,000 worth of cryptocurrencies. "Computer hacks, phishing attacks and cryptocurrency Ponzi schemes are all common types of cryptocurrency theft," said Jonathan Levin, co-founder of Chainalysis, an intelligence software firm that specializes in tracking and solving cryptocurrency crimes.


[/b]

To find out, we reached out to three cryptocurrency investors and three cybersecurity experts. All three investors have lost some cryptocurrencies due to different hacks. One of the experts, Amir Bandeali, also is an investor, lost about 18 percent of his investments because the exchange (Bitfinex) he was trading with was hacked. That incident inspired him to build decentralized exchanges, which he believes will be the future for trading cryptocurrencies.

All of them admitted there's no perfect solution to the problem. In the age of cryptocurrency, hard drives and personal computers have become the new bank vaults. And our real-world knowledge of protecting money from theft is not enough in the virtual world. The following suggestions can serve as a safety pamphlet for new cryptocurrency investors.


[/b]

Jonathan Levin, co-founder of Chainalysis

1. Before you open up an account on Coinbase [or other exchanges], set up an unique email that you are going to use for that account.

2. Make sure to set a really hard and long password, and you are the only one to access it from a piece of paper that you control.

Dan Romero, VP of operation at Coinbase

1. On Coinbase, turn off SMS-based two-factor authentication and account recovery for your email account. If you move to Google Authenticator but don't turn off SMS account recovery, a phone port attack can still lead to an email compromise.

2. On Coinbase, setup the Coinbase Vault and two-factor authentication for any sends off-site.

Sean Everett, VP of product management, Coinbase account was hacked by phone porting attack

1. Don't talk about cryptocurrency publicly, especially on social media.

2. Call your cellphone provider, put every level of security you possibly can, and add a passcode to it. The next level protection is to add a "do not port" SIM card to your account. That can last for a year.

3. Even though Coinbase says it takes security seriously and has system designs to protect customers, it's not a bank. Don't trust it as such.

Adam Dachis, digital consultant, Coinbase account was raided by a computer hack

Don't keep all your cryptocurrency investments in one place. Diversify among exchanges. It's unlikely you are going to get hacked at the same time through all of them. Especially if you have different emails and passwords for each.

Sanjay Beri, CEO of Netskope, specialize in enforcing security across cloud applications and network.

Keep your cryptocurrency off the internet, in a "cold wallet."

"Cold wallet" is not a brand, it's a concept of storing bitcoins offline (not connected to internet) so that it reduces the opportunities for hackers to steal via online techniques.

"Hot wallet" is connected to the internet, for daily transactions. Think about "hot wallet" as a checking account and "cold wallet" as the savings account.

Here is how to create a cheap "cold wallet" on a dedicated computer:

First, download a cold wallet application to a new, secure usb drive.

Then, take a computer, reset it to factory setting, disconnect it from the internet and keep it offline.

Last, load the cold wallet application onto the computer, keep your cryptocurrencies on that clean and offline computer. You can make transactions offline, using the cold wallet application.

Amir Bandeali, CTO and founder of 0x project


1. If you must use a centralized exchange, withdrawal often, store your tokens on a hardware wallet, which is a hardware device, creates transactions without connecting through the internet.

2. If you are trading tokens on ethereum, I recommend looking into decentralized exchanges. The biggest difference between centralized exchanges (like Coinbase, Kraken and Bitfinex) and decentralized exchanges is that decentralized exchanges do not hold users' funds. No one can ever access your funds other than you. So it can't be stolen unless your private keys are compromised.

I think day by day crimes related to cryptocurrency will be increased. There should be some strict rules. I hope these things will be stopped as bitcoin will may have developed security in future.

Sim hijacking will apparently happen when you have lost your sim card and did not take any initiative to take it back. It happens so many times that we lose our SIM card and don't report the telco/ authority. We should stop doing it and be more careful.

It’s really terrible. All should secure their account and password, otherwise anyone can be a victim of it. I think all should use one time password with multiple way of verification. 

THIS IS OUTRAGEOUS. CRIMINALS EVERYWHERE LOOKING FOR ONE THING TO STEAL. A NEW METHOD OF THEFT.  I AM NOT SUPRISE AS LONG AS ICT IS CONCERNED, THERE IS ALWAYS  A CASE OF HIJACKERS OR SCAMMERS WANTING TO HIJACK ONE THING OR THE OTHER. WE JUST NEED TO BE CAREFUL WHO WE GIVE OR ALLOW ACCESS TO OUR GADGETS AND ALSO TO MIND WHO YOU GIVE YOUR PHONE TO MAKE A PHONE CALL AS YOU MIGHT BE MONITORED BY THEM NOT ONLY THAT MIND THE KIND OF RESPONSE YOU GIVE VIA PHONE SMS ALERT RESPONSE. SOME SMS MIGHT JUST BE A CODE TO GET THROUGH YOUR GADGETS TO STEAL SOME VITAL INFORMATION FROM YOU WITHOUT  YOU KNOWING WHILE SOME SMS MIGHT JUST BE YOU ACTIVATING THE ALREADY SENT BUG TO YOUR PHONE. WE JUST NEED TO BE CAREFUL THESE DAYS AS NOT TO FALL VICTIM OF THE NEFAROUS ACT OF SIM HIJACKERS AND SCAMMERS. YOU CAN IMAGINE THE WORTH VALUE OF BITCOIN HIJACKED.
THUS IS JUST MY OPINION.

which is  why i  don't  trust exchanges which mandate us to us phone verification and  google authentication. this isn't just the  issue i had in mind but also if my  phone is lost or stolen, it can be used to take my coins in the exchanges.  situation like this  can happen again and again  as hackers can become more creative. i  think dex are going to be the next best thing to use when adoption finally came. DEX doesn't require phones and users have the private keys with them.

Thieves always stole our wallet, there are too many tricks to steal. So, to protect your wallet, you just have to protect yourself, do the security work, but a bit annoying but our wallet is always safe and we can sleep well.

This is not a good news for the cryptocurrency community. I think strict actions must be taken against those hijackers. FBI labelled it as tech support hack.  Let's see what the trial decides for them.

I hope the perpetrators like them must be punished as hard as possible because the obstacles in working in the digital world are actors like them