Securing ALL the Things
You’ve now learned how to secure your accounts, created secure paper backups of important information, and successfully gotten token-based authentication rolling via Google Authenticator.
Here’s the easy, although mildly tedious, next step: You’re going to set up Google Authenticator on every website or service you use that allows it, and remove your phone number / SMS recovery.
Pro-tip: Since you are going to be logging into all these accounts anyways, we recommend you set up a password manager like LastPass or 1Password if you don’t already use one, and create new, secure, unique passwords for each of these accounts. This ensures password reuse doesn’t bite you in the ass, especially with the billions of username / passwords that have been compromised over the years.
While it would be impossible to list every service you may use, here is a prioritized list of what to add your new best friend Mr. 2FA to.
You can also use https://twofactorauth.org/ to view more services and see what 2FA formats they support. The s̶t̶r̶u̶c̶k̶ ̶i̶t̶e̶m̶s̶ don’t offer 2FA at all, or only offer SMS 2FA, so you need to change your phone number to your super-secure Google Voice number.
1. Password managers: LastPass, 1Password, etc.
2. Backup / Sync / Cloud Storage: Apple / iCloud, Google Drive, Dropbox, Microsoft / OneDrive, B̶o̶x̶, etc.
3. Email: Gmail, Apple / iCloud, ProtonMail, Y̶a̶h̶o̶o̶, A̶O̶L̶, etc.
4. Exchanges: Coinbase, Gemini, Circle, Binance, Bittrex, Kraken, Poloniex, Huobi, Okex, Bitfinex, Bitstamp, ShapeShift, etc. Note: You shouldn’t be storing significant assets on these, but they should still absolutely be 2FA'd. This also ensures that your fiat / bank accounts can’t be drained and your exchange account isn’t hijacked and used to launder money in your name. Some exchanges (Kraken 😍) allow separate 2FA codes for withdrawals, trades, and logging in. Poke around and enable any security settings your exchange offers!
5. Dev: Github, Bitbucket, Gitlab, npm, T̶w̶i̶l̶i̶o̶, etc.
6. Web: GoDaddy, Bluehost, Google Cloud, Heroku, Wordpress, Shopify, SquareSpace, AWS, Microsoft Azure, Digital Ocean, CloudFlare, etc.
7. Social media accounts: Facebook, Twitter, Instagram, LinkedIn, Google / Youtube, Medium, Tumblr, Buffer, HootSuite, Snapchat, etc. Note: These are often used to defraud your friends or obtain sensitive / secret information when compromised.
8. Messaging platforms: Apple / iMessage, Google / Hangouts + Fi + Voice, Skype, Slack, Discord, Telegram, W̶h̶a̶t̶s̶A̶p̶p̶, Facebook Messenger, W̶e̶C̶h̶a̶t̶, V̶i̶b̶e̶r̶, L̶i̶n̶e̶, Gitter, R̶i̶o̶t̶, W̶i̶r̶e̶, S̶i̶g̶n̶a̶l̶, etc. Note: These are often used to defraud your friends or obtain sensitive / secret information when compromised.
9. Photo Storage: iCloud, Google Photos, Adobe. Note: Besides screenshots of secrets / backups, SIM-swappers love to utilize, ehrm, certain types of photos to extort people. Consider removing secret / sensitive / sexy photos from your cloud provider entirely.
10. Finances / Money: Chase, Wells Fargo, B̶a̶r̶c̶l̶a̶y̶s̶, HSBC, Charles Schwab, Betterment, E*Trade, T̶D̶ ̶A̶m̶e̶r̶i̶t̶r̶a̶d̶e̶, Vanguard, Fidelity, Mint, Y̶N̶A̶B̶, C̶r̶e̶d̶i̶t̶ ̶K̶a̶r̶m̶a̶, Carta, eBay, Alipay, TurboTax, Quickbooks, Robinhood, C̶a̶s̶h̶ ̶A̶p̶p̶, V̶e̶n̶m̶o̶, TransferWise, Paypal, etc.
11. Forums: Reddit, S̶t̶a̶c̶k̶E̶x̶c̶h̶a̶n̶g̶e̶/̶S̶t̶a̶c̶k̶o̶v̶e̶r̶f̶l̶o̶w̶, Q̶u̶o̶r̶a̶, I̶m̶g̶u̶r̶, random gaming forums, random hobby forums, old shitty forums, etc.
12. Work: A̶s̶a̶n̶a̶, BambooHR, G̶u̶s̶t̶o̶, Jira, Clubhouse, Front, ZenDesk, Zenefits, Groove, Mailchimp, Substack, Salesforce, Slideshare, Trello, SendGrid, Blackboard, Docusign, etc.
13. Notes: Evernote, Notion, Scribd, P̶o̶c̶k̶e̶t̶, T̶o̶d̶o̶i̶s̶t̶, etc.
14. Shopping: Amazon, T̶a̶r̶g̶e̶t̶, W̶a̶l̶m̶a̶r̶t̶, Newegg, etc.
15. Misc: R̶i̶n̶g̶, N̶a̶n̶i̶t̶, B̶l̶i̶n̶k̶, N̶e̶s̶t̶, your car’s app (T̶e̶s̶l̶a̶, M̶e̶r̶c̶e̶d̶e̶s̶ ̶M̶e̶, etc.), S̶p̶o̶t̶i̶f̶y̶, Uber, L̶y̶f̶t̶, A̶i̶r̶b̶n̶b̶, N̶e̶t̶f̶l̶i̶x̶, P̶o̶r̶n̶h̶u̶b̶, S̶a̶m̶s̶u̶n̶g̶, U̶P̶S̶, F̶e̶d̶E̶x̶, D̶H̶L̶, IFTTT, Zapier, G̶r̶u̶b̶H̶u̶b̶, E̶x̶p̶r̶e̶s̶s̶V̶P̶N̶, PIA, ProtonVPN, US IRS, Health Insurance, Utilities, etc.
How to handle sites that only support SMS 2FA?
For whatever bizarre reason (or, depending on who you ask, societal laziness) many websites and services still only offer SMS 2FA. Amazingly, this includes many banks.
Until these laggards catch up, you have two options:
1. Insist on using competitors that offer better security. If this is feasible, we highly encourage you to switch to a competitor service and let it be known that you’ve switched for this reason. Speaking with our money (this applies even to "free" sites) is a great way to encourage change.
2. If there is no suitable replacement for the service and you must continue using it, utilize your new Google Voice number for SMS activation / account reset.
...
Last Step: Prepare Yourself
When you have your SIM swapped, you will no longer have the ability to make calls or send text messages, nor will you be able to connect to the internet unless you are connected via Wi-Fi. While this may seem obvious, many victims report fumbling around trying to figure out how to make a call on a phone that can no longer make calls.
Take the time now to set up and practice making a phone call without your SIM card.
First, select & set up a VOIP service that supports calling landlines
•Google Hangouts / Voice: This is your best choice because it’s actually free and it works from your browser or mobile app. Downside: if your Google account is compromised, you won’t be able to access it. So, make sure you secure your Google accounts, or set Google Voice up on multiple accounts. Available as Hangouts on your computer, Android, or iOS, or as Voice on your computer, Android, or iOS.
•FreedomPop: An app that gives you a free 200 minutes / month once you set it up. Make sure you test it first. We didn't particularly like the permissions it requested on Android, but it did work on our test device. iOS and Android only.
•Line: The newest rage in Asia and supposedly allows you to make free calls to landlines if you watch an ad first. You’ll have to confirm it works though as it rejected every number we tried calling. Available for literally every device.
•Skype: Available for every device but costs a bit of money to call a landline (as you will need to do in this case). Loading it up with $10 of credit should be sufficient for your needs and is a good choice if you already use Skype.
•Viber: It costs money to call landlines via Viber Out, but if you already use Viber it would probably still be worth it to throw $10 worth of credit on it now just to have it available. iOS, Android, Mac, Windows, Linux.
Action Items
•Take your SIM out of your phone.
•Using the option you chose above (or a different option you prefer), try calling yourself. Ensure the call connects and you hear your voicemail message playing.
•Find your mobile phone provider’s customer support phone number(s). Some are below. They will have a “customer care” number, but also search for a number specifically for urgent or fraudulent situations. For example, AT&T has their “Global Fraud Management Department @ 877.844.5584.”
•Save these numbers to wherever you normally save numbers AND to where you just called from. Save the actual phone number, not the quick-number that only works on certain devices.
•Call this number and ensure you connect and listen to options play. If you feel up to it, have another chat with them about their security offerings. 😉
•If you did this on your computer, repeat on your phone. If you did this on your phone, repeat on your computer.
Some Mobile Phone Providers’ Numbers
•AT&T Fraud: 1 (877) 844-5584
•AT&T: 1 (800) 331-0500
•Cricket Wireless: 1 (800) 274-2538
•Sprint: 1 (888) 211-4727
•T-Mobile: 1 (877) 453-1304
•US Cellular: 1 (888) 944-9400
•Verizon: 1 (800) 922-0204
Thanks to Chris Robison and his SIM swap guide for grabbing all the numbers!
Total Time
•10-15 minutes
...
Bonus round!
There are a few things that don't strictly fall in the scope of this guide but are good practices. We’re including them as they are actions victims of SIM-swapping wished they had taken.
Watermark Your KYC Documents
This ensures any documents stolen from an ICO or exchange or your own email / computer / cloud storage cannot be reused for nefarious purposes. It doesn’t matter if it’s a scan of your identity cards, a photo of you holding them, or a photo of you holding them with a date, you should still watermark it:
Okay, this may be overkill, but you get the idea. Now if an exchange or ICO company is breached, they can’t use your identification scans or selfies to launder money or bypass KYC requirements.
Use offline-only, secure back-ups of private keys, passwords, seed phrases, and other super important secrets
Super important secrets are things like private keys, paper wallets, your birth certificate, or social security card. They should be stored in a manner that is optimal for security and long-term, infrequent access.
Do not print or download them. Don’t take a screenshot. Don’t take a photo. Don't save them to iCloud or Dropbox or Google Drive. Don't email them to yourself.
Instead, take out a pen and paper and write down the secret as carefully and legibly as possible. Then, take a new piece of paper and write it down again. Note the account they are for and the date. Keep these in two physically distinct, secure locations.
You could store these in a fireproof / waterproof safe, something like a Steely or CryptoSteel, a fire-resistant bag for <$20, or simply laminate them or put them in a Ziploc bag sealed with tamper-evident stickers.
One reason to have two copies is that if your house burns down, you have another copy. Get in the habit of backing up and storing critical account information, high-risk passwords, recovery codes, 2FA seeds, private keys, and seed phrases in this manner.
This way, if you are SIM-swapped, any account of yours is compromised, or your device is stolen, you simply don’t have to think about those accounts or funds. However, if you store backups in Google Drive or in your photos or in iCloud, the compromise of your account could lead to not only your exchange assets being stolen, but also the assets you don’t keep on an exchange.
More Helpful Resources on the Subject
•https://medium.com/changelly/hardware-wallets-101-88442ac385b2
•https://support.mycrypto.com/how-to/backup-restore/how-to-save-back-up-your-wallet
•https://en.bitcoinwiki.org/wiki/Cold_storage
...
PART 2: What to do if you literally just had your SIM jacked
Panic Correctly
“Be like the duck — calm on the surface, but paddling like hell underneath.”
You are not being like a duck.
Do not let emotions cause you to do irrational and counter-productive things. Your first step is triage and damage control. In order to maximize your own effectiveness, you’re going to need to have the cognitive capacity to multitask effectively. Deep breaths.
Call Your Phone Provider
Remember, your phone no longer has the ability to make phone calls so hopefully you are with someone who is willing to lend you their phone. If you aren't, you can call a landline from Google Hangouts / Voice, FreedomPop, Line, Skype, or Viber. (See the "Prepare Yourself" section above.) However you do it, get on the phone with your mobile service provider.
1. Briefly explain the situation at hand. “I am a high-target individual and my phone number was ported approximately 3 hours ago to a new SIM that I do not control, in order to extort and defraud me. What can we do to get this resolved before more damage is done?”
2. Ask that your phone number be “turned off,” as in removed from the device it was just moved to, as in not pointed to any working SIM, as in not working for the attacker nor working for you. Sometimes representatives are willing to do this even if they refuse to move your number back to your SIM. Cutting off the attacker’s access is more important than you having access right now. “Since this is an active situation, can you please remove my phone number from that SIM immediately, meaning no one can receive phone calls or text messages to my number. Then I can more fully explain or visit a location in person to verify my identity.”
3. Ask for your phone number to be moved back to your SIM / device. As is usually the case, they will likely now decide that you must absolutely, positively be in-store with a government-issued ID. But, it never hurts to ask.
4. Ask for and write down the employee’s name / employee ID number and the date / time of your call(s) for your records and future conversations with law enforcement.
5. Ask for and write down the case ID number and / or support ticket number for your records and future conversations with law enforcement. If they push back at all, ask them how you are supposed to reference your case when filing a report with law enforcement.
6. Request that they (your mobile service provider) retain all logs. Specifically ask for the International Mobile Equipment Identity (IMEI) number, time of call, employees involved in fulfillment of the request, and any other information they have related to your account, the SIM porting, and this situation. Note: they may not disclose certain information to you, but you can ask. The priority is that it's saved somewhere for law enforcement.
Helpful hints for one of the most frustrating conversations of your life:
•Be direct and focus on getting your phone number “turned off” or back in your control. Be explicit. Repeat yourself. Try to avoid wasting time on what / how / why this happened or who’s at fault.
•Don’t yell. Focus on working with them to accomplish what you need accomplished. This minimum wage, outsourced, call-center employee doesn’t know anything about you, your crypto, or your situation, and you do not have the time to explain it to them. Use phrases like “what can we do to make this happen?” to emphasize that you are a “team.”
•Hang up and try again with a new agent if you get a particularly dense or uncooperative employee. This is likely how your attacker did it, and so can you.
•Escalate your call to a person with more experience and power. Try asking specifically for the fraud department, using phrases like “identity theft” and “illegal account creation” and “port out fraud,” which seem to be trigger words. The fraud departments are typically filled with more experienced agents.
...
Lock Down Your Accounts
It’s not a bad idea to refresh your locks every now and then.
As you’re doing this, secure any compromised accounts, assess the damage, and start gathering the most critical information for investigators and law enforcement.
Take notes on everything you do and screenshot excessively. Screenshot when you access something. Right before you change something. Right after you change something. For example, you may kill an attacker's active session, BUT you will want their device type, time accessed, and IP address once the dust settles. Also, being filled with adrenaline while multi-tasking results in terrible, terrible memory and you don't want to repeat work.
Access and change your password for your primary email account(s)
Access the account. Screenshot. Go to your settings and turn on 2FA via Google Authenticator. If it was already enabled, remove it and enable it fresh. Screenshot and then remove any recovery emails or phone numbers to prevent another avenue in. Screenshot and then remove all devices, apps, active sessions, app passwords, “log in with….” sites, connected accounts, etc.
If you cannot access your Google account because the attacker has changed the password, follow this guide by Chris Robison on how to start the recovery process for your account. You should do this now.
Check your email for any password reset emails or “you just signed in on a new device” emails
•Be sure to check your spam, archive, and trash folders.
•Screenshot excessively.
•Write down any and all the services you see mentioned in these emails.
Make a prioritized list of accounts to secure
1. Accounts that you know the attacker has accessed or attempted to access (such as those in the password reset emails).
2. Critical accounts that can lead to further compromise of data or financial loss (other email addresses, exchanges, password managers, cloud storage, banks).
3. Accounts that could be accessed with the information found in accounts an attacker has already accessed.
4. Any non-critical accounts that could be damaging if compromised, such as older email addresses, social media, messaging, etc.
Starting at the top of your prioritized list, secure all of your accounts
1. Log in to each account on your list. Screenshot.
2. Change the account password to a strong, unique password.
3. Enable 2FA via Google Authenticator. If it was already enabled, remove it and enable it fresh.
4. Screenshot and remove any insecure recovery or 2FA methods (e.g., email addresses, phone numbers). Note if the attacker updated any of this information (perhaps to their own email address?).
5. Remove the phone number linked to the account and/or replace it with one the attacker does not control.
6. Enable any and all security features that are offered.
7. Enable any and all notifications that are offered.
8. Screenshot and then remove all devices, apps, active sessions, app passwords, “log in with….” sites, connected accounts, etc.
9. Make notes about any financial loss.
10. Make a note if there are signs the attacker accessed that account or made any changes.
Secure your exchanges and any other services that hold money (Paypal, Banks)
In addition to the list above, you should take additional measures for your financial accounts.
1. If you have any money or crypto currently in these services and you can confidently withdraw to an address or bank account you know you control and could not be compromised, do so now. Initiating the withdrawal will put those funds in a “locked” state for a period of time.
2. If you have any money or crypto in these services but you aren’t confident about moving it, you can email them and request they lock down your account and prevent any withdrawals, deposits, trades, buys, sells, transfers, and/or logins until further notice. Links to top exchanges and an email template can be found in Chris Robison’s guide.
3. Enable any special security features (e.g., Kraken’s GSL).
4. Screenshot and remove any withdrawal addresses, linked bank accounts, credit card numbers or banking information, especially those that could be used to withdraw USD from your bank account (e.g., https://www.coinbase.com/settings/linked-accounts).
5. Screenshot and remove any “confirmed devices” or “active sessions” or “browsers that don’t need a second factor” (e.g., https://www.coinbase.com/settings/account_activity).
6. Screenshot and remove any and all API keys or OAuth applications (e.g., https://www.coinbase.com/settings/api).
Check your Telegram for active sessions
It is extremely common for SIM-swappers to go for Telegram accounts shortly after attempting cryptocurrency exchange account access.
•Navigate to “Settings” -> “Privacy and Security” -> “Active Sessions.”
•You should now see all devices that have access to your Telegram and messages.
•Screenshot this screen.
•Click the “Terminate All Other Sessions” button.
•Then, returning to “Privacy and Security,” enable “Two-Step Verification.” Use an email that is not compromised.
•Change the phone number to one that is not compromised.
Breathe.
Once you’ve put the proverbial tourniquet on the situation (your phone number is back in your control, or at least guaranteed to be out of the attacker’s control; you’ve secured all of your accounts; there are no new password reset emails or other weird things happening)….
Breathe.
Give yourself five solid minutes to decompress. You deserve it and it will help you as you go forward. The next steps require less adrenaline and more attention to detail.
Just do it.
Access or Return to Any Accounts You Haven’t Pulled Logs From
You will want to check this for each cryptocurrency exchange, bank account, or any other breached account. Save anything and everything, even if you don’t think it’s important. Some examples...
•Gmail: https://support.google.com/mail/answer/45938?hl=en & https://myactivity.google.com/item
•Google Suite (a custom domain but with Gmail/Google): ask your administrator to pull audits and logs. They are very in-depth; see, for example, https://support.google.com/a/answer/4580120?hl=en
•Coinbase: https://www.coinbase.com/settings/account_activity
Keep your eyes open for anything you missed the first time around. If you see signs of an attacker accessing one of your accounts, what were they doing? What information were they able to access? What information do you know they accessed? What could they do with that information?
Call your phone provider again
See what information you can get from them at this time. Ask them how you can reference your case when filing a report with law enforcement. See if they have any advice for you.
Sometimes they are able to reveal certain information, such as how this occurred, when it occurred, if it was done in-person or over the phone. Sometimes they will even give you the IMEI and other details. Note all of this.
You should also discuss and implement whatever options they have available to secure your account and ensure this can’t happen again. Sometimes, magically, there now is another layer of protection they can offer you that they didn't think to mention before.
File a report with law enforcement
You’re going to want to begin feeding all of this information to the right people. This begins with filing a law enforcement report. In most countries, the local police are not who you want to go to. Tragically, most local police won’t even know the proper place to report it.
Depending on your country, there are different places you need to report to. You can use this handy list for reference. If you’re in the US, then you’ll want to report it via IC3. Please note that IC3 doesn’t generate report numbers, so be sure to save a copy of your report upon submission!
Ensure your report includes...
1. Your mobile carrier, phone number, time and date of incident, and everything else you’ve recorded regarding your interactions with your mobile carrier (e.g., “they should have the IMEI handy”).
2. Steps you’ve taken to subsequently secure your phone number (e.g., you’ve added a passphrase).
3. Accounts that have been accessed (e.g., Gmail and Coinbase) with specific timestamps, device information, IP information, and other data as applicable. Be sure to include the obvious: your email address, the account information (username or registered email) for the exchange, etc.
4. Any asset loss, including withdrawal transactions as applicable. If there is a large number of transactions out of a personal wallet or exchange account, note affected personal wallet addresses with a statement like “transactions beginning on X date at Y time were not initiated by me.”
5. Any contact the SIM-swappers have made with you post-breach; this will typically be via Telegram or SMS. Annotate account names, how they contacted you (SMS, Telegram, via a third party), profile pictures, usernames, and the full content of messages.
6. Any extremely sensitive data that could have been accessed (KYC documents, trade secrets, etc.).
Remember: your role is to operate in facts, not theory. Law enforcement has analysts to theorize. Do not provide unnecessary noise with emotional rants about what you think took place. Provide them with the raw data in as sensible of a format in as chronological an order as possible.
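Law enforcement wants the raw events in chronological order, but the timestamps you will have collected come from different sources in different formats and time zones (carrier call notes in your local time, Gmail's on-screen format, Coinbase's UTC). The following Python, added here and not part of the original guide, normalises a handful of records to UTC, renders a timeline suitable for pasting into a report, and produces the "transactions beginning on X date at Y time were not initiated by me" statement for a given service. Every record, the IP address and the event text are constructed for illustration; the time zones are fixed offsets (no DST on the constructed date) so the script runs without a timezone database.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample records, deliberately out of order and in mixed formats:
# source, the timestamp exactly as it appeared, its strptime format, the UTC
# offset (hours) of the zone that source displayed, and what happened.
SAMPLE_RECORDS: List[Dict] = [
    {"source": "Coinbase", "stamp": "2019-03-01T22:10:40Z", "fmt": "%Y-%m-%dT%H:%M:%SZ",
     "utc_offset": 0, "what": "Withdrawal of 1.5 BTC to an address I do not control"},
    {"source": "Gmail", "stamp": "Mar 1, 2019, 4:52 PM", "fmt": "%b %d, %Y, %I:%M %p",
     "utc_offset": -5, "what": "Coinbase password reset email received (Eastern time on screen)"},
    {"source": "Carrier", "stamp": "2019-03-01 13:40", "fmt": "%Y-%m-%d %H:%M",
     "utc_offset": -8, "what": "Number ported to a SIM I do not control (per rep on first call; Pacific time)"},
    {"source": "Telegram", "stamp": "2019-03-01 14:15", "fmt": "%Y-%m-%d %H:%M",
     "utc_offset": -8, "what": "New active session from an unknown device (Pacific time)"},
    {"source": "Coinbase", "stamp": "2019-03-01T22:03:11Z", "fmt": "%Y-%m-%dT%H:%M:%SZ",
     "utc_offset": 0, "what": "Login from new device, IP 203.0.113.45 (constructed, documentation range)"},
]


@dataclass(order=True)
class Event:
    when: datetime  # always timezone-aware UTC
    source: str
    what: str


def to_utc(stamp: str, fmt: str, utc_offset_hours: int) -> datetime:
    """Parse a displayed timestamp and convert it from its source zone to UTC."""
    naive = datetime.strptime(stamp, fmt)
    local = naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc)


def build_timeline(records: List[Dict]) -> List[Event]:
    """Normalise every record to UTC and sort chronologically."""
    return sorted(
        Event(to_utc(r["stamp"], r["fmt"], r["utc_offset"]), r["source"], r["what"])
        for r in records
    )


def render(events: List[Event]) -> str:
    """One line per event, UTC, oldest first: what a report reader wants."""
    return "\n".join(f"{e.when:%Y-%m-%d %H:%M:%S}Z [{e.source}] {e.what}" for e in events)


def report_statement(events: List[Event], source: str) -> str:
    """The 'not initiated by me' sentence, anchored on the earliest event for a service."""
    first = next((e for e in events if e.source == source), None)
    if first is None:
        return f"No recorded events for {source}."
    return (f"Transactions on {source} beginning on {first.when:%Y-%m-%d} "
            f"at {first.when:%H:%M:%S} UTC were not initiated by me.")


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_RECORDS)
    print(render(timeline))
    print(report_statement(timeline, "Coinbase"))
```

Keep the original screenshots alongside the timeline; the rendered lines are a summary for investigators, and each one should point back to the screenshot or log export that proves it.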
...
PART 3: What to do after you’ve been SIM jacked
Inform your network
Regardless of what you are feeling right now (embarrassment, shame, and despair are common), you will need to do the right thing for your personal and professional networks. The data obtained by the SIM-swappers cannot only be used to extort you, but to extort others.
Additionally, sharing your experience and lessons learned may inspire those in your network to take measures to improve their own security.
Here's a sample message you can use as a starter:
“I want to let you know that on [DATE] I was SIM swapped and had some of my accounts hacked. Some information in our messages / emails may have been compromised in the process. [NOTE ANY ESPECIALLY RELEVANT SPECIFICS HERE.] I have notified law enforcement and taken steps to secure my phone number and accounts. It is possible that the SIM swapper(s) may contact you or attempt to extort you. If they attempt to do so, please notify law enforcement and do not pay them. While I find this incident embarrassing, I hope that my transparency in this matter is appreciated and we can continue our professional / personal relationship after my hard lesson learned.”
For those of you who are interacting with the victim of a SIM swap, providing the victim support and understanding during this time, and especially gratitude for their transparency, is extremely important. Conversely, if an individual (and especially a company) experiences a SIM swap or other data breach and conceals it, we highly recommend ceasing any relationship with them due to their disregard for you and your own security. You also have the ability to notify pertinent authorities that this individual or business opted to try to sweep the incident under the rug, which is often illegal. Legalities aside, as an industry, we need to begin expecting individuals (and especially companies) to do the right thing.
...
Fully audit and secure literally all of your accounts
You’ll want to set aside time to go through each and every possible account you can think of: lower-priority accounts you may not have thought of during the “tourniquet phase,” such as old emails, old social media, etc. Any new forensics points you discover (these accounts were accessed) should be annotated.
Additionally, you may want to re-secure and ensure you have secure, offline backups of all of your accounts, passwords, recovery codes, 2FA backups, etc. now that you have more time.
...
Do not engage with the attacker
Do not under any circumstances engage in conversation with the SIM swapper(s) or those claiming to be them, have information on them, etc.
Document but ignore these messages. This cannot be emphasized enough.
You may experience extortion attempts from the SIM swapper(s), but do not give in to these. If you do, the SIM swapper(s) will simply return to you for more money at a later point, possibly on other accounts.
Giving in to extortion not only provides financial support and incentive for continuity of this crime, but encourages the SIM swapper(s) to engage your network and extort them.
...
Decide What Information to Share with People
Do not provide any information about the specifics of your case or raw data dumps to anybody that is not law enforcement, your attorney, or an investigator.
There are very few people who qualify as legitimate investigators for this type of crime and they will not be anonymous. Your friends are not investigators. A random dude on Twitter is not an investigator. Currently, the only known professional service for support on these types of incidents is CipherBlade. Anybody that contacts you claiming to have identifying information on those responsible for your incident, for a fee, is attempting to scam you.
Any details you provide to anyone besides your attorney / law enforcement has a tendency to spread rapidly. It is extremely common for internet fraudsters to social engineer both victims and the networks of victims to further extort money and / or determine what tracks they may need to cover.
...
Decide What Information to Share with the Service Providers of Breached Accounts
It doesn’t hurt to notify exchanges, email providers, or other providers when an account of yours was breached and especially when your assets were stolen. Inform them that your account was breached, you’ve regained access, and you’ve submitted a law enforcement report. If you can, include specific dates, times, transactions, or IP addresses that were not made by you. Include only the information regarding the service you are contacting—don’t give them all your data dumps.
It is highly unlikely these providers will supply you with information you cannot access via your account dashboard, and they especially will not disclose details about another person or account. For example, if you noticed stolen assets ended up transferred to a particular cryptocurrency exchange, that exchange will not provide you with account information due to data privacy laws.
However, giving that exchange a “heads up” that law enforcement may be contacting them soon is still considered to be a good practice.
...
Protect Your KYC & Identity Documents
If you had identity documents (such as scans of driver’s licenses, passports, etc.) that weren’t watermarked, then you’re going to want to notify authorities immediately and obtain new identity documents. Failing to complete this step may result in your identity being used to open new exchange accounts, new credit cards, new loans, or sold on the dark web and further used for nefarious purposes.
As described earlier, it is your responsibility to notify your professional / personal network of this incident, particularly when it comes to identity documents or other personal details being accessed, because SIM swappers will utilize these documents, conversations, and data to pose as you and conduct impersonation scams — most likely on your contacts.
While failing to inform your network about potentially breached information may not make you an accomplice in the criminal sense, it makes you an accomplice in the moral one.
...
Accept Some Harsh Realities & Work to Move Forward
The process by which you move forward from an attack like this, especially if it includes financial loss, often follows the classic "seven stages of loss": shock / denial, pain / guilt, anger, bargaining, depression / loneliness / reflection, reconstruction, acceptance / hope.
By now, the “tourniquet phase,” “control phase,” and “shock phase” are complete and you are likely experiencing pain, guilt, sadness, and perhaps even some anger and bargaining for good measure.
While it is tragic you are the victim of a crime, accepting how it happened, what it currently means, what you must do now, and what to expect is critical in order for you to reach a point of acceptance and move forward.
If at any time during this process things get especially tough and you are feeling hopeless, depressed, or suicidal, we strongly encourage you to talk to someone about it. There are so many amazing resources out there, especially if you aren’t getting the support you need from your own personal network.
•Suicide Hotlines (Worldwide)
•More resources
•Even more resources
•And, if you hate phone calls, you can shoot an email to the Samaritans.
...
You must involve law enforcement
This is non-negotiable. Nobody else is going to legally resolve this matter. No investigator will tell you that your case is legally resolvable without law enforcement and the legal system, and anyone that disputes this is lying to you.
Now is a good time to put aside any personal beliefs, fear, or avoidance of law enforcement. The law enforcement officials you will be in contact with don’t care about your drug preferences or shoddy tax work.
“Hacker for hire” services are almost always scams that capitalize on your desperation and gullibility. At best, you’ll lose (more) money. At worst, you've just implicated yourself in a crime.
...
Own your own shortcomings, use the opportunity to educate others
"Grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference."
Accept:
•There is no single party who is responsible for your loss except, arguably, the attacker.
•Your phone carrier’s service employees failed to do thorough due diligence on the SIM port request and may have ignored your security settings. (Note that this does not mean the phone carrier is liable for consequences of the SIM swapping, such as loss of assets, when those consequences could have been prevented by proper security settings in other places.)
•The system is partially responsible for even deciding that relying on phone numbers was a good idea.
•You are partially responsible due to a lack of your own due diligence surrounding your personal security.
•You will probably not get your money back.
•You cannot go back in time.
You can only change yourself and your own personal security moving forward. While it's incredibly frustrating to rely on third parties without being able to change or control their behavior, that's the way the world works.
Exclusively blaming your phone provider, your exchange, your email provider, or the blockchain itself will result in a longer recovery process for yourself and a lot of angry, sleepless nights. The goal here is to move past this. Please, don’t be this guy.
Additionally, you will experience immense disappointment if you are expecting your email provider, your exchange, or the general public to investigate, change their behavior, or take any specific actions for you, or because of you. It's unlikely they will do much, and if they do, they won't share the details with you.
On a brighter note, some folks find that sharing their experience and educating those around them about how to be more secure can be cathartic and rewarding. Be careful not to reveal exact specifics of your case, and focus on helping others rather than playing the blame game. Helping others can help yourself.
...
Adjust your expectations of law enforcement
While this is, in fact, law enforcement’s responsibility to investigate and resolve, you’ll need to accept the fact that it may be quite some time before any progress is made on your case. Presuming (and this is a big presumption, since the majority of law enforcement reports don’t contain enough actionable information) your law enforcement report contained adequate data to progress your case, in the US, it may be 2-3 months on average before an FBI Special Agent even contacts you regarding the matter.
In 2018, we saw a large number of arrests of SIM-swappers in the US occur in less than a year from time-of-incident to time-of-arrest. We consider this to be lightning speed. Crypto investigations don’t move at crypto speed.
1.Telling yourself that the assets are lost actually helps your mental health. Constantly thinking about these assets may tempt you to do things fueled by emotion that will push your case backward, such as engaging with the SIM swapper(s), leaking data, or otherwise making needless noise for investigators.
2.Hounding investigators or law enforcement for updates won’t help your cause. To an investigator, “when update?” is equally obnoxious as “when moon?” Investigators and law enforcement may or may not provide you infrequent, pertinent updates. You will not get a play-by-play nor will you get sensitive data. Investigators and law enforcement are extremely busy people with limited amounts of time. Making needless noise for them is pushing rewind, not fast forward.
3.There is no guarantee that your SIM swapper will be caught. While there has been a lot of news lately about SIM swappers being arrested, they were located in the US and had impressively bad operations security (opsec), which made the job of investigators far easier. The investigation of your SIM swapper(s) will likely take longer.
4.You’re probably not getting 100% of your money back, even if your SIM swapper is caught. SIM swappers tend to live lavish lifestyles with their ill-gotten gains, and even after the arrest, the process of asset recovery still hasn’t begun and may take a year or more to complete. This means you’ll get a pro-rata asset recovery, presuming there is enough data to identify you as a victim.
...
Consider Hiring Professional Help
This could be to assist you with your own mental health and well-being, the investigation, or mitigating damage potentially done to your business due to data loss or ongoing extortion. As we noted before, be extremely skeptical of people who reach out to you to “help” as these are likely scams. Fully review and collect references before hiring anyone.
Additionally, if you are a high net-worth individual or operate a business, now may be a good time to invest more in your security, your business’s security, and / or your employees’ security. There are a number of reputable firms that can provide security audits, awareness training, and identify single points of failure. This isn’t something you can take shortcuts on. Reputable firms will cost money and will take time. In our opinion, it’s money well spent.
Regardless, you are the best person to determine what help you may need. We encourage you to check in with yourself throughout this process, stay mindful, reflect on your situation, and take measures to improve yourself and your life.
Conclusion
SIM swapping is a terrifying reality in this day and age and is especially prominent in the cryptocurrency industry. As long as phone numbers remain a single point of failure and protect so much value, SIM swapping attacks will continue and likely increase in frequency and sophistication.
Until we change this aspect of the world, you must take responsibility for your own security. By educating and securing yourself, you are one less victim and one less success story for an attacker. Proper preparation prevents piss poor performance.
...
This article was co-authored by MyCrypto and CipherBlade.
MyCrypto’s experience building one of the most widely-used, “noob-friendly” Ethereum wallets has taught them the importance of personal security and education within the cryptocurrency space. They’ve experienced these attacks first-hand and through their friends and colleagues. MyCrypto is proud to play a role in developing this “anti-SIM-swapping bible” and hopes its contents reduce the amount of loss and successful SIM swaps.
Get in touch with MyCrypto via Twitter, Facebook, or iheartsecurity@mycrypto.com.
...
CipherBlade is currently the only known professional service to provide support and resources for incidents like SIM swapping. Their dedication to the blockchain space and investigative experience have helped recover millions of dollars of stolen funds, prevented ICO scams, and mitigated emergency security incidents, day and night.
Join CipherBlade on Telegram, Twitter, or hq@cipherblade.com.
If there’s anything we failed to include, anything that could be more clearly stated, or anything that is no longer correct, please find us on any of the links above and we’ll update ASAP.
Thanks for reading!
...
Seriously, you made it to the end? And… you want more?
•https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-SIM-port-hack-35de11517124
•https://www.zdnet.com/article/wave-of-SIM-swapping-attacks-hit-us-cryptocurrency-users
•https://nypost.com/2019/04/13/hackers-are-stealing-millions-in-bitcoin-and-living-like-big-shots/
•https://blog.kraken.com/post/219/security-advisory-mobile-phones/
•https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af
•https://medium.com/mycrypto/mycryptos-security-guide-for-dummies-and-smart-people-too-ab178299c82e
•https://winter.mycrypto.com/
•https://cipherblade.com/cybercrime-reporting/
•https://www.youtube.com/watch?v=WW6myutKBYk
•https://coingeek.com/cipherblade-share-a-lesson-about-crypto-theft/
•https://support.mycrypto.com/staying-safe/how-to-securely-store-and-guard-your-private-key
•https://medium.com/changelly/hardware-wallets-101-88442ac385b2
•https://support.mycrypto.com/staying-safe/protecting-yourself-and-your-funds
•https://github.com/crytic/awesome-ethereum-security
•https://github.com/crytic/blockchain-security-contacts
•https://medium.com/mycrypto/mycryptos-security-incident-response-101-36a57b17038b
•https://support.kraken.com/hc/en-us/articles/360000444963-Setting-up-the-Global-Settings-Lock-GSL-
•Titan
•YubiKey
•Ledger
•Trezor