Bitcoin Forum

Just like not your keys not your coins is repeated on the forum, it seems sim swap attack warning/awareness needs to be spread as such.

It is not news again that co-founder of Ethereum Vitalik Buterin had his twitter(X) account hacked (https://bitcointalk.org/index.php?topic=5466271.0). This lead to a phishing link been posted and many lost their funds.

Now Vitalik himself has come out to said the attack was through his T-Mobile phone number by  sim swap (https://cryptopotato.com/vitalik-buterin-reveals-sim-swap-attack-as-root-cause-of-twitter-hack/) and the hacker got access to his X account through requesting for the authentication through phone number.

Vitalik prostrated that he didn’t take the security warning about sim swap serious if not now.  

The takeaway is avoid taking authentication through phone numbers alone, but if we look at it accepting authentication through even E-mail is risky so the best act is to avoid storing funds on platforms that requires this.

How to know if your phone number has been swapped.

1. When you notice your network is no longer available

2. When you receive a notification from your network provider about a change of sim

3. When you can not have access to your social media accounts or any online accounts accounts again.

Once you notice one of this then you need to act fast

Sim swap attack through T-Mobile is not new. I am disappointed that these kind of people with numerous followers do not protect their social media account. Twitter, now called X has 2FA and Security key hardware which Twitter users can use to protect their account.

Image from Twitter securities and privacy on my Twitter account
https://talkimg.com/images/2023/09/12/6Z3zC.jpeg

Why would people go for text message only which is also by default. Sim authentication is not safe. Use app 2FA or hardware security key for a better security.

This is really frightening. The majority of the users use their phone numbers for their account security. Even I have used my phone number for 2FA authentication for my Gmail and other social media. I think now I need to change that. In my country, mobile banking services are very popular, and many people use them every day. For mobile banking, you just need to have a mobile number, and you need to do KYC through your ID card. People store thousands of dollars in their mobile banking accounts, so if these SIM swap attacks happen in my country, this will be a total disaster.

Keeping funds on a platform is never a good idea, which is why the #Not Your, Not Your Coin rhyme is being spread every single day in different forms here in this forum and aside from this place in areas or platforms that encourage self-custodian usage.

But in aspect of social media account the case is different, we can't avoid receiving emails or mobile number authentication authorization request, as they are one of the ways those apps approve signin from a new device, even when we are making use of the email and phone number security, for someone like Vitalik he should be aware that those kind of security alone is not enough for their account as influencers account is on a highest target rate now a days from hackers, most of this social media accounts have a 2factor authentication option enables on the security part of individual account, if this option was enable on his account I believed this could have been a little less possible for the hackers to access the account but not entirely impossible though.

In the aspect of the sim swap, I don't know how it's being done, but however they are doing it, it's very risky, and network providers should make things a little bit difficult for someone who is not a sim original owner to have limited access to sim details and the swap option.

Regarding how to know if your sim has been swapped or not, the only valid option I see here is the network going off your current phone, in the aspect of your social media accounts being logged out, those could be avoided by the hacker, someone can change your password and still allow your account to be logged on your current device, they can operate in the background and do what ever they want to do, since your mind is not their you might not bother checking through your previously dropped posts which those hackers could easily drop a phishing link through an original post comment section or others post comment section and disable the post notifications so that you won't get any of of reaction notifications on that post/comment, few hours of their control and they can steal on your own watch. 

This that just happened with Vitalik X's account is another reminder for the general public to reduce their test for greed and do not trust what ver comes out of the mouth of your celebrity influencer or what they post in their account, because a verified or trusted person dropping a link does not make the link entirely legit. The public should learn how to limit their trust and greed; it will save them from a lot of scams.

Thank you for your important words and raising awareness of the sim swap attack. It's crucial for everyone to be vigilant about their online security. In today's digital age, where our personal and financial information is interconnected, taking proactive steps to protect ourselves from potential threats like sim swap attacks is paramount.

How is a sim swap possible?
Here in my country before you request anything from the sim carrier like requesting for sim replacement you need to provide a selfie and submit a few documents for verification. So how does Vitalik Buterin fall to this attack?

The only thing that I could think of is that the mobile number or sim he had is not yet ID-verified. That is why the hacker can request to sim carrier to activate a new number and ask the carrier to redirect all calls and texts to a new number without ID verification.

This might be the reason why Binance removed phone number verification on withdrawal.

It is like you are asking that how is bank fraud possible. Or asking that how scammers get people's identity to register on centralized exchanges to scam. (https://bitcointalk.org/index.php?topic=5464208.msg62734243#msg62734243)

In sim swap attack, one or some of the workers from the sim providing company may know about it. Sim swap is not something that is new.

Not many countries or network providers actually do sim swap physically like you have stated. Some network providers would just ask for identifications through call and hackers usually would have gotten such informations from either social media platforms or through phishing sites. Another way is there is always staffs working with this network providers that aid this acts. Probably this is what happened to Vitalik

Here in my country, it was also hard to replace the original SIM owner and swap the SIM without their knowledge. Not until network providers started approving agents to start doing SIM registration and swapping on the street did everything become very possible. The only thing that is needed is for the person who has the authorization to do the SIM swap to be in agreement with you, and everything will be a bit easier.

The finger print verification, which was one of the difficult parts, is even bypassed now. What they can just do is ask the agent to check through the SIM they brought and give them details. Those details of the original SIM owner can be used to fabricate documents that will match the owner's own, and any image could also be used in replacement of the person's passport. It's very possible now.

Though this might have been discussed already before now but i think i still see it as being a reminder for those that already knows about the shady acts coming through this whole process while the newbies will also get along with the required standard information needed not to fall a victim, there are many ways scammers are now developing to make sure that they attack people and most of their targets are the begginers, because they know that these set of people aren't familiar with the whole system yet, so they take their advantage.

I once worked for a network operator in my country. At that time, smartphones and social networks didn't exist yet, but SIM swapping or SIM cloning was already a popular method of attack. It was mainly used to make free calls, charged to someone else's account. The scenario often involved individuals who didn't know how to remove their SIM cards from their phones. When they brought their phones in for repairs, they left the SIM card inside, which some bad actors could easily clone onto a new SIM card. I guess today scammers are even more resourceful.

SMS code for 2-factor authentication is not safe. 2FA from centralized services like Google Authentication is not safe too and they even want to back up codes on their cloud storage.

You can turn on 2FA for your Twitter account and use good 2FA applications like Aegis that is open source.

https://getaegis.app/

It's a given that everybody shouldn't feel sufficiently safe with just sim or SMS verification or authentication alone, but I think service providers should also be implementing strict measures to prevent sim-swap attacks. Requests for sim change shouldn't be easy. A lot could be compromised simply because of it. This isn't the first time a T-mobile user falls victim to such attack.

If not with an insider, sim swap attacks could also begin by phishing or other ways to obtain personal information. Especially if a sim is already attached to a name, address, and other personal information, it can't easily be stolen. So, it definitely helps if we are also extra careful in giving out our personal details. This includes staying away from centralized platforms which require KYC. If not stolen, personal data could easily be bought or hacked. Or it could leak.

This was also the same thing Kiakia was talking about in his thread here (https://bitcointalk.org/index.php?topic=5466025.0), and I think that such methods of scam are already popular in some parts of the world, which they are already aware of, and how to handle the situation when their sim stops providing network. Although sometimes your sim can stop providing network due to a damaged sim or bad phone, but it should be given immediate attention to know why one's sim is not providing network so that if it's a case of sim swap, it can be quickly handled. Again, I think people should always take note of every SMS that they receive from their network provider because there is no way your SIM will get swapped without you receiving an SMS asking you to verify that you are the one performing the swap action or take immediate action to cancel the process. Also, if you pay full attention to the SMS you receive and you come across some transactions in which you were not the one that initiated them, just know that your SIM might have been swapped. Lastly, using SMS verification as the only OTP method is not safe.

Exactly, this is where most of those hacks through sim swap comes. Their 2FA is through their sim numbers and that's how these hackers gained access to them. Those that does it thinks that it's easy and safer because the 2FA code is sent over your network provider. But it has been proved for so many times that it's not and with sim swap, it can be taken by the hacker. Aside from 2FA through authentication apps, the email AUTH is also another option but this is not safe too especially if you've been using that email and you know that it has the same password of what you're using in many websites.

This wouldn't happened for those who have more than one verification which is not just sms verification but also 2FA verification. This is not new attack though therr are some people who are victims of these attack. Anyway, thanks for sharing this news OP although if we talk about keeping money safe it should be very secure even though it is annoying to access your account where you have to go through more than one verification and it's also the same in an online account as it could be used to fool anyone using your account to get what they want.

Never trust your phone security.Have a financial accounting record off of your device will help you later . There all sorts of attacks going on at the moment you don't even need to be a victim of it before you get prepared or ready.  Take all the precautionary measures to stay safe online. Sim swap attack is actually more dangerous. Sometimes it is better to get the paid security measures on your device.

It’s that disappointing for real with these guys and this one with Vitalik Buterin even given the fact that, his a programmer and understands the risk that surrounds the cryptospace, what influence he commands and who a single flaw from him could cause a worldwide significant damage like we hear people cry of recent.

Layers of security is needed when you wheel that sort of power over a large mass which most are unknown to you.
Even having these 2FA delivers to you by mail is very difficult. I once did have an authenticator app to provide me with these codes. It worked like tokens, and wiped every 30 seconds or so. That would serve some real purpose but, you’ll be sure to ensure it’s used in a safe device and you properly store your importing code/seed.

They are technical men with deep knowledge about security. They know how to go OPSEC but it is knowledge which is different than practice.

They can have good knowledge and skills to secure their devices and accounts but practically, they can not do enough security wise steps to keep their devices and accounts safely from hacks.

Vitalik is not a first senior developers have accounts or devices hacked or compromised.

Luke Dash Jr., a senior Bitcoin developer got one too.
Bitcoin developer @lukedashjr's wallet was hacked (https://bitcointalk.org/index.php?topic=5432665.0)

I cannot believe that someone who cares about privacy still uses a phone number to secure his accounts, not to mention that he is a developer and is supposed to know this information. Securing your account using a phone number leaves you at the mercy of a third party. This third party may freeze your phone number, block it, or even misuse it, waiting for this to happen. Such attacks to update your information about security is a bad thing.

All that you need for successful sim swap is one incompetent and not enough educated person working for those telecommunication companies and that's probably what happened here.

Still, its baffling that people like Bitalik are not taking better care of their social media accounts and still use mobile phone number for 2FA, when they know (or at least they should) what kind of damage hacjker can do if he gets control over it.

Pray you don't become a victim to sim swapping attack, even if you act very fast and report the issue it's still not the end, There was a story online about a man in New Jersey who was a victim and reported back to his service provider customer care, they fixed the issue and he believed them, few months later they stole all his crypto assets.

If a culprit is working as the customer service in the sim company then this is possible, this was what everyone starts thinking, sometimes, this evil act can also come from those within your circle, someone very close can install some spying software in your phone without you knowing, this is why I don't give up my phone to any family and relatives, it takes seconds to minutes to install something you don't know on your smartphone and they will keep spying on you.

I also wondered that until I once had to replace my old SIM and I went to the physical office of my operator who only asked for my existing mobile number and nothing more - in one minute I had a new SIM card. I never thought of using a mobile number for 2FA before (and especially after that), and as for how Mr. Vitalik managed to lose his account is something that speaks volumes about how intelligent he is.

A man who has been trying to dethrone Bitcoin for 10 years and who suddenly concluded that POS is better than POW is not even capable of protecting an ordinary account on a social network.

The victim of this attack is one of the big names who has many followers, someone like Vitalik, who is known as one of the founders of the Ethereum platform, can still be infiltrated by hackers. It's not that he already knew the risk that weak Twitter account security would be very detrimental to other people due to the influence he has, so why did he ignore this risk and not strengthen the security of his Twitter account using 2FA? Attacks via SIM cards are very easy to carry out without other security support such as 2FA. This incident teaches us to be more careful in accessing suspicious or phishing links.

Imagine even the top valuable names get attacked their account if these person use the another layer of security to their devices like the 2FA there's a chance might be aware and have this preventive measures well right now there's no really safe in the internet reason why your credentials must be secured.
I guess this could serve as an expensive mistakes to the victim and of course possible ruins or damage Vitalik's name at this point.

I am still wondering this whole scenario of a thing. If a computer guru, the founder of ethereum blockchain could have his phone simcard swap and got his account hacked I was also wondering how the novice that knows nothing about tech could be going through without their knowledge of being hacked.

This is the more reasons one needs to act and play safe with their devices and gadgets. Nobody can tell who the target could be. Avoid clicking on links you know nothing about. If you are not expecting a mail from anybody and you receive unsolicited messages do well to press the delete button with immediate effect to be on the safe side.

Lastly, take Cognizance of your call log and activities. Never give your phone to strangers for a minute call or whatsoever otherwise you will have yourself to blame when the repercussion comes knocking at the door.

The phone has always been a weak point for crypto users, especially when it comes to making any crypto transactions, gaining access to an account or other confirmation methods. I prefer to trust passwords, two-factor authentication and email confirmation for any login attempt with a new device or new IP.

The Quickstart Guide to Protecting Against SIM Swaps (https://medium.com/@3NUMDAO/the-quickstart-guide-to-protecting-against-sim-swaps-ebaefe39d6e0)

You don't need to wonder how it happened because sim swap is not new and the hacker had help from someone in the telecommunication company. As a tech expert and with the incessant cases of sim swap on the rise, I expected him to fortify his account with another layer of security. If he had added 2FA to his Twitter account, it would have made it impossible for the hacker to hijack the account and send the phishing link. Sadly, persons who fell for the click bait have to learn the hard way and newbies can also learn from this.

It all points towards my curiosity and making it pertinent that one must be careful and be able to protect their details safely so as to avoid hack or if per adventure any attempt is made, there would be a prompt from the end of the account owner but what baffles me on is that the victim is a computer guru himself and a founder of the Second largest blockchain itself. He is the list person I would hear about suffering hack from scammers when in the reality he himself knows more about the industry and how it works.

Vitalik is one of the most prominent names and personalities in the crypto market, and he is not the only one exposed to a sim swap attack. I can say that many prominent figures like him were exposed to this attack previously, such as Jack Dorsey. The sim swap attack has been common for years. Scammers use it after deceiving the mobile network operators under any pretext to obtain the new SIM cards of prominent and influential people who have accounts containing millions of followers and substantial financial accounts so that they can obtain calls and messages to the victims’s SIM cards so that they can hack their accounts.

What I know is that it is an attack targeting specific people and not a random attack. Also, as the OP mentioned, some signs are easy for anyone subjected to this attack to recognize. Still, he must be on the lookout for his phone, which has a SIM card constantly. He must link his accounts instead of two-factor authentication to the SIM number, which must be done through the Google Authenticator application or YubiKey or GoogleTitan Key.

Sim swap attacks are real, I am surprised that someone like him isn't taking this very seriously, he should know better than anyone else, I refused to link my phone number to any crypto or social media account, I believe that those who works in the telecom companies can easily sim swap anyone numbers.

My advice is people should stop using their phone numbers as the only way to access their social account, bank account and crypto exchange accounts, make sure you set up three ways of receiving verification codes before you can log into your accounts, I used to add phone numbers, but now I don't.

Now I prefer to use a special code that's know to me, a code to my email account, and another code through 2FA authentication, for hackers to get into my account, they will need all these codes at once, it will be extremely hard for them to get all the codes. 

In some countries you don't even need to mislead a telecommunication company employee with social engineering. Because phone numbers have a "Porting Authorisation Code" allowing them to be bounded(ported) to a new SIM card. So if someone knows this code he can steal your phone number, and receive SMS and calls on his phone.
https://en.wikipedia.org/wiki/Porting_Authorisation_Code