Bitcoin Forum
November 17, 2024, 07:55:50 AM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: My SIM swap attack: How I almost lost $71K, and how to prevent it  (Read 306 times)
sparkystacey (OP)
Jr. Member
*
Offline Offline

Activity: 58
Merit: 4


View Profile WWW
July 25, 2019, 05:51:33 PM
 #1

One month ago, I was part of a coordinated attack on blockchain executives. (I am one of the co-founders of https://provide.services). It was shockingly easy for them to take over my accounts, despite being security conscious. They attacked dozens of others around the same time across T-Mobile, AT&T and likely others.

I hope this story and the lessons learned helps you protect your crypto!

https://hackernoon.com/my-sim-swap-attack-how-i-almost-lost-dollar71k-and-how-to-prevent-it-tj39q3aju

Provide Technologies: Pioneering the decentralized platform as a service (dPaaS)—the blockchain acceleration platform. Https://provide.services
pixie85
Hero Member
*****
Offline Offline

Activity: 2184
Merit: 531


View Profile
July 25, 2019, 06:35:26 PM
 #2

Essentially for those who won't click and read, don't allow your passwords and 2fa to be tied to a phonenumber. Your cell provider who employees unknowing teenagers will easily bend rules and print Sims with phone numbers without proof of ownership.

It's much more important to keep your phone safe. Holding money and passwords on the phone makes it as valuable as your wallet. Would you leave your wallet at a store for people to open and play around with?

I'm more interested in screening of employees at that store. It's time for them to start keeping cards locked in a cabinet with only 1 person holding the key.
LFC_Bitcoin
Legendary
*
Offline Offline

Activity: 3724
Merit: 10475


#1 VIP Crypto Casino


View Profile
July 25, 2019, 06:50:55 PM
 #3

Essentially for those who won't click and read, don't allow your passwords and 2fa to be tied to a phonenumber. Your cell provider who employees unknowing teenagers will easily bend rules and print Sims with phone numbers without proof of ownership.

This is bad news to be honest, I suggest if anybody uses online wallets etc to never text anybody about their involvement in bitcoin. There’s so many tech gifted people around willing to misuse their ‘talents’. You never know who is following your footsteps via text or call.

Basically the one & only rule has always been do not leave large amounts of bitcoin on online wallet providers where your phone number is linked. In fact don’t leave any significant amount online full stop.

█████████████████████████
███████████▄█████████████
██████▀░▀█▀░▀█▀░▀████████
███████▄███▄███▄█████████
████▀██▀██▀░▀████▀░▀█████
███████████░███▀██▄██████
████▀██▀██░░░█░░░████████
███████████░███▄█▀░▀█████
████▀██▀██▄░▄███▄░░░▄████
███████▀███▀███▀██▄██████
██████▄░▄█▄░▄█▄░▄████████
███████████▀█████████████
█████████████████████████
 
.Bitcasino.io.
 
.BTC  ✦  Where winners play  BTC.
.
..
.
    ..





████
████
░░▄████▄████████████▄███▄▄
░███████▄██▄▄▄▄▄▄█████████▄
███████████████████████████
▀████████████████████████▀
░░▀▀████████████████████
██████████████████▄█████████
██
▐███████▀███████▀██▄██████
███████▄██▄█▀████▀████████
░░██████▀▀▀▄▄▄████▀▀████
██▐██████████▀███▀█████████████    ████
███
████████████
███████████████    ████
█████▀████████████████▀
███████▀▀▀█████████▀▀
..
....
 
 ..✦ Play now... 
.
..
Moshaid
Copper Member
Jr. Member
*
Offline Offline

Activity: 546
Merit: 1


View Profile
July 25, 2019, 07:15:21 PM
 #4

This is so sad to hear, I believe this will be an eye opener for everyone seeing this news. Have learnt one or two from this and I do hope I don't fall victim of such. 100% protection of assets and wallet is not guaranteed anywhere but hopefully our funds are in safu regardless of where it is. Haha

► BLOCKBURN ◄ ★WHERE CRYPTOCURRENCY AND ONLINE GAMING MEET★ ► BLOCKBURN ◄
───●◉●───●◉●───●◉●───●◉●───●◉●─[   ABOUT US   ]─●◉●───●◉●───●◉●───●◉●───●◉●───
Website◂ | ▸Medium◂ | ▸LinkedIn◂ | ▸Telegram◂ | ▸Reddit◂ | ▸CoinMarketCap
stompix
Legendary
*
Offline Offline

Activity: 3080
Merit: 6632


Leading Crypto Sports Betting & Casino Platform


View Profile
July 25, 2019, 07:24:37 PM
 #5

You lost me at:

Quote
Even though I had my SIM replaced in 45 minutes, that provided ample time to do damage. Since I have an iPhone XR, they used Face ID to access my accounts. Face ID works on the phone level, so they added their face to result in a positive pass of Face ID, and that unlocked my account names from my iCloud. Easy peasy. Keys to the kingdom.

Exactly, face id works at a phone level, so the "hackers" getting ahold of your number means nothing.
You can't add a face ID to your account when an existent one is still active, you must remove the previous and it will work only with your face.

So unless the sim hijacker got also an iPhone and stick it to your face or he knew your security passcode (which is stored at phone level)  he couldn't have gained access to it.

Also,
(I am one of the co-founders of https://provide.services).

No really the best way to advertise your business...just saying!

..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
Artemis3
Legendary
*
Offline Offline

Activity: 2030
Merit: 1573


CLEAN non GPL infringing code made in Rust lang


View Profile WWW
July 25, 2019, 07:27:07 PM
 #6

You should only keep spare change in a phone wallet anyway, never important amounts. Phones are vulnerable in a multitude of ways beyond this particular attack, they are almost as bad as a pc running windows.

Perhaps a hardware wallet would be wiser for less modest amounts, but for truly large amounts a cold wallet (seed words written with your own hand in a piece of paper) is a must, with the proper protocol (offline computer live linux wallet creation, etc).

██████
███████
███████
████████
BRAIINS OS+|AUTOTUNING
MINING FIRMWARE
|
Increase hashrate on your Bitcoin ASICs,
improve efficiency as much as 25%, and
get 0% pool fees on Braiins Pool
sparkystacey (OP)
Jr. Member
*
Offline Offline

Activity: 58
Merit: 4


View Profile WWW
July 26, 2019, 03:38:11 PM
Merited by BayAreaCoins (1)
 #7

Quote

No really the best way to advertise your business...just saying!


This was a coordinated attack on blockchain leaders. I am also a strong proponent of the agile methodology who strives to be "less wrong" versus "right" (read: close-minded), and believe that failure is something to be socialized and a learning experience for as many as possible. The real question is what you do from failure? I'm starting here hoping that others learn and are better protected, but also am using my position to work on better tech to solve this. That's the long tail though. This is the start.

If leaders don't use their position to help others, are they really a leader?

Provide Technologies: Pioneering the decentralized platform as a service (dPaaS)—the blockchain acceleration platform. Https://provide.services
hugeblack
Legendary
*
Offline Offline

Activity: 2702
Merit: 3993



View Profile WWW
July 28, 2019, 07:25:40 AM
 #8

Essentially for those who won't click and read, don't allow your passwords and 2fa to be tied to a phone number. Your cell provider who employees unknowing teenagers will easily bend rules and print Sims with phone numbers without proof of ownership.
Sorry for your loss.
It is not limited to your service provider but using the phone to verify your accounts weakens the protection of it rather than enhancing it.
There are many reports about SIM Swapping and other ways that hackers can use to access your text messages and then access your account directly.
hope that the user will publish a summary of this story, as randomly clicking on URLs is also a technical threat.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Ucy
Sr. Member
****
Offline Offline

Activity: 2688
Merit: 403


Compare rates on different exchanges & swap.


View Profile
July 28, 2019, 10:00:19 PM
 #9

Essentially for those who won't click and read, don't allow your passwords and 2fa to be tied to a phonenumber. Your cell provider who employees unknowing teenagers will easily bend rules and print Sims with phone numbers without proof of ownership.

Is it that easy to print SIM thesedays? Don't the network companies ask for stuff like biometric ID? It is either they  are Bribed to clone the SIMs  or some very influential people are doing the cloning.
Good advice though on not allowing ones passwords and 2fa to be tied to a phone number.

████████████████████                                                    OrangeFren.com                                                ████████████████████
instant KYC-free exchange comparison
████████████████████     Clearnet and onion available #kycfree + (prepaid Visa & Mastercard)     ████████████████████
abeecrypto
Copper Member
Member
**
Offline Offline

Activity: 242
Merit: 18

Proof-of-Stake Blockchain Network


View Profile
July 29, 2019, 08:24:27 AM
 #10

This is scary, but informative. Attacks coming in different form. The network providers will have to do better in securing their users against sim swapping and other related attacks. Users should also try to secure themselves against the attacks. users are the greatest weakness to all attacks.

Banks, exchanges, phone companies will have to work together to prevent all this kind of attacks. Because, more attacks will keep coming, especially as the blockchain horizon widens.
meanwords
Full Member
***
Offline Offline

Activity: 1624
Merit: 163


View Profile
July 29, 2019, 08:50:38 AM
 #11

If I remember correctly, this also happened to a Youtuber too, I think it's h3h3. A person is able to change his number which holds his youtube account. It's scary how easily numbers could be change without the owners knowning. I mean, how low is there security for them to just sim swap without any proof of ownership? that is just absurd.
Lucius
Legendary
*
Offline Offline

Activity: 3430
Merit: 6157


Crypto Swap Exchange🈺


View Profile WWW
July 29, 2019, 09:03:00 AM
 #12

I recently need to change my SIM because my new phone is not support old SIM type. I go to store of my mobile provider with ID and old SIM, and all they ask from me is my mobile number. I get new (cloned) SIM in less then 2 minutes, and I must admit that I was shocked in the manner in which this procedure is conducted. I am not talking here about some less known mobile provider, but big EU company who should protect their users much better then just giving replacement SIM cards to anyone who ask that.

Because of this experience I would never use my mobile phone number as extra protection in any service, especially not those associated with cryptocurrency.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Micerker
Full Member
***
Offline Offline

Activity: 593
Merit: 100


BBOD The Best Derivatives Exchange


View Profile WWW
July 29, 2019, 09:15:02 AM
 #13

One month ago, I was part of a coordinated attack on blockchain executives. (I am one of the co-founders of https://provide.services). It was shockingly easy for them to take over my accounts, despite being security conscious. They attacked dozens of others around the same time across T-Mobile, AT&T and likely others.

I hope this story and the lessons learned helps you protect your crypto!

https://hackernoon.com/my-sim-swap-attack-how-i-almost-lost-dollar71k-and-how-to-prevent-it-tj39q3aju
This is one of the most common attacks in many years, and there is no correct way to stop it. Professional hackers can break all security. They always have new attacks to remove all layers of security to hijack the accounts of the users they want. The best way to ensure the security of your account, turn on all the security layers provided by the system.

YuginKadoya
Legendary
*
Offline Offline

Activity: 3038
Merit: 1169



View Profile
July 29, 2019, 10:29:53 AM
 #14

There are a lot of holes in the system that hackers might see especially with an undeniably weak wallet that let you store your Bitcoin and other cryptocurrencies that will be a big problem if the wallet is an online site, Hackers can sure attack anything that is connected with the worldwide web, there is no perfect online service and we should always treat them that way, And always use the site with caution because you will never when they will attack, It is better to be prepared and ready, And if it happens to you, It should become a lesson you will never forget.
gentlemand
Legendary
*
Offline Offline

Activity: 2590
Merit: 3015


Welt Am Draht


View Profile
July 29, 2019, 11:11:01 AM
 #15

If you use sim-based 2FA your entire financial future may hinge on how engaged some bored call centre worker on 10 bucks an hour is feeling that afternoon. That's not reassuring.

What's bizarre is how many companies don't offer alternatives when they should know the risks perfectly well. In the UK quite a few banks are now moving to making all internet banking and online shopping transactions require SMS only confirmation. There are probably hundreds of thousands of people who have no signal at home and they're not being offered landline or email as an alternative.

I quite often never get a text message arriving, or if it does it's several minutes after the window has expired. It's seriously clunky and needs to be given the boot.

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!