Unfortunately, this problem is increasing yearly

[KiaKia]

Unfortunately, Sim swapping attacks are still growing rapidly, in this month of August I have got bad news about two U.S based family friend losing over 45 ETH and 0.7BTC because of sim swap attacks.

What I have been able to gather is, the telco guys working inside AT&T and other telecommunication companies are the ones bypassing all security measures, now not even your sim SMS 2FA codes can safe your ass from these guys.

Sim swapping is more easier for them, because, remember, if we lost SIM card or it get damaged we can easily retrieve by their help, they will redirect your number into another new SIM card, and you are back online, This makes telecommunications dangerous when it comes to crypto.

Let's stop deceiving ourselves, there is no solution to this attack than

1. Separate your crypto away from your SIM card number.

2. Stop using your phone number to get verification codes for crypto exchanges and other crypto-related platforms.

3. Stop storing crypto on exchanges, e.g coinbase, crypto.com and Binance exchange.

There is a big problem with people in the UK and US when it comes to crypto, they like storing their coins on exchanges, thinking that those 2FA codes and one time passwords for transactions will save them, which is not impossible for SIM swap attacks.

This was also why most people living in the U.S. and the U.K are the biggest victims of FTX, why these people refers storing crypto on platforms and exchange is worrisome, they are their own problem because crypto was never built to be kept on any exchange.

[1715054371]

1715054371

[1715054371]

1715054371

[1715054371]

1715054371

[mk4]

A lot of these problems would've been mitigated if only people used one-time codes from authenticator apps like Google Authenticator and Aegis; but unfortunately SMS 2FA is still the most user-friendly option out there. And again unfortunately, not every service supports one-time code 2FA — understandably so because of SMS-fa being far easier customer support-wise.

[nelson4lov]

It's unfortunate whenever I come across news like this. The truth about the matter is that since there is a centralized risk, issues like this will be inevitable.

- The problem is not only about users but developers themselves need look at other alternatives for two-step authentication.

- Self-custody still rules it anyway. Even if it involves risks but the benefits outweighs the shortcomings for sure.

[paid2]

A lot of these problems would've been mitigated if only people used one-time codes from authenticator apps like Google Authenticator and Aegis; but unfortunately SMS 2FA is still the most user-friendly option out there. And again unfortunately, not every service supports one-time code 2FA — understandably so because of SMS-fa being far easier customer support-wise.

I agree, and if it's ever useful to anyone, it's good to know that there's a reliable open source alternative to Google Authenticator which is FreeOTP.

I've been using it for years and never had a single problem. I remember that a recent update of Google Authenticator gives users the option of saving their 2FA keys in the cloud, it's not mandatory but I think people should be carreful with this app. A mistake or mishandling can happen very quickly.

[albert0bsd]

The issue of Swap SIM attacks is a concern that extends beyond the cryptocurrencies, affecting traditional banking and any accounts reliant on SMS based 2FA

The heart of the problem lies with the centralized exchanges. Remember "Not your keys, not your crypto" holds true even in this context. Entrusting your assets to these platforms puts you at risk without doubt

One potential solution could be to transition away from SMS based verification in favor of one-time password codes. OTPs are typically more secure than SMS, as they are generated independently and are less susceptible to interception. However, it's worth noting that even this approach has its own set of challenges.

In the event of a Swap SIM attack, your email account could also be compromised. For instance, Google recently introduced a feature that backs up your 2FA secrets from the Google Authentication APP to the cloud. While this might be convenient for users, it does introduce a new layer of vulnerability. In this scenario, even OTPs may not provide foolproof protection.

To address these issues, it's essential for both users and service providers to remain vigilant. Service providers, need to continually assess and improve their security measures to stay ahead of emerging threats like Swap SIM attacks.

[Faisal2202]

I did not knew about sim swap before but your post really made me read about it. Like you said AT&T might be behind it (of course you did not directly called their names) as they are the ones who will retrieve a new sim card with same number and recover it for you too. It means they can do it then after reading an article I came to know that the author of that article says, hackers or scammers try to contact those AT&T type cellular companies.

And they ask to change the sim card and they make any excuse to ask them to recover their sim while they already had all the details about the person whom they are going to scam. Well once the personal details are leaked then those scammers would easily convince the service providers that they are the real owner of the sim number. But in reality they are not.

Point is we should definitely not trust on cellular otps, or centralized exchanges and I am agreed with you on that. But we should also try not to share all our essential information with anyone because personal details causes most of the damage.
https://www.avast.com/c-sim-swap-scam

[ZAINmalik75]

A lot of these problems would've been mitigated if only people used one-time codes from authenticator apps like Google Authenticator and Aegis; but unfortunately SMS 2FA is still the most user-friendly option out there. And again unfortunately, not every service supports one-time code 2FA — understandably so because of SMS-fa being far easier customer support-wise.

Other than the easiest factor most of the people used to prefer it because they know if the app of Google authenticator or phone is gone and they have no backup keys like account login details then it will becomes almost impossible for them to retrieve the funds. So yeah people prefer to use easy, simple and secure way.

But as op mentioned in his post that the best practise is not to hold your assets on exchanges for longer period of time. Is the best advice because FTX exchange really made life's of many miserable just due to some mistakes. But those who took extra measures are in good conditions because they knew the science behind not your key not your coin.

AT&T is a big company and to be honest I do not really think that company is behind such scams instead someone must have get access to to upper level of brain that they are able to lure AT&T staff into such scams.

[Coyster]

There is a big problem with people in the UK and US when it comes to crypto, they like storing their coins on exchanges, thinking that those 2FA codes and one time passwords for transactions will save them, which is not impossible for SIM swap attacks.

Is this a problem peculiar to U.K. and U.S. citizens? There are quite a lot of people around the world from different nationalities who use exchanges as a bank, they are either lazy, have no knowledge of crypto or they don't want to take the responsibility of being their own bank. Sim swap attack is definitely a problem, but there are other problems for people who use exchanges as banks, problems such as hack, data leak and assets confiscation.

[jrrsparkles]

Unfortunately, Sim swapping attacks are still growing rapidly, in this month of August I have got bad news about two U.S based family friend losing over 45 ETH and 0.7BTC because of sim swap attacks.

It's unfortunate but could be avoided completely if they opted out for 2FA via apps like Google Authenticator instead of receiving it via SMS but most exchanges encourage setting up 2FA as one of the mandatory security procedures to withdraw their cryptos.

IMO, sim swap attacks are far more dangerous to the traditional banking system than cryptos because if someone is able to swap sims they can gain access to the respective bank accounts at ease and every money will be drained before the actual owner notices that is why the users need to be aware where they use their personal information like giving national ID to random verification, etc.

But in this case, it's done by the telecom employees which can't be avoided no matter what but they will face the consequences cause it is a felony and most likely they will end up in prison for decades.

[Lida93]

Unfortunately, Sim swapping attacks are still growing rapidly, in this month of August I have got bad news about two U.S based family friend losing over 45 ETH and 0.7BTC because of sim swap attacks.

What I have been able to gather is, the telco guys working inside AT&T and other telecommunication companies are the ones bypassing all security measures, now not even your sim SMS 2FA codes can safe your ass from these guys.

That's the inimical aspect of centralized entities, we are worried about centralized exchanges risk as if it's not enough another has surface from the telcom service providers. This attack transient sim card swapping deep diving to ATM card swapping too in my countryside, so it's ain't something peculiar only to the USA.

1. Separate your crypto away from your SIM card number.

2. Stop using your phone number to get verification codes for crypto exchanges and other crypto-related platforms.

It's very easy to rob a person of his money through phone number as it can be easily clone apart from swapping. I do use two factor authentication code system where I have to receive an OTP through my verified email after inputting my personal password. It can't be that possible to clone a Google email compared to a sim card number.

3. Stop storing crypto on exchanges, e.g coinbase, crypto.com and Binance exchange.

All these Cex have a unique use not disputing their importance in someway buy they ain't reliable as place for storing cryptos. I do use Cex exchange like binance for certain transactions and trades but it's never an option to storing my funds any day any time. A Cex is a Cex no matter what.

[Agbamoni]

SIM swapping can happen when someone who works for your mobile service provider isn't well-trained or well-paid. This can lead to security issues sometimes.

The company that provides your SIM card should take responsibility because they are in charge of their employees. In the end, the company is more responsible than the individual employee, especially if the employee has to do shady things to make extra money outside of their job. This problem often occurs when someone loses their SIM card.

One way to prevent this is by setting a PIN for your SIM card on your phone. I do this, and it asks me for my PIN whenever I restart my phone. I think even a mobile service representative would need to know my PIN to access my SIM card. Does this protect against SIM swapping? I thought it did, but I'm not entirely sure.

[DVlog]

Someone from inside doing these. What are the points of using SMS verification for security purposes if that telecom company doesn't want to enhance its security measures? They need to identify these people who are bypassing the security and letting those scammers get account-to-user accounts.

I personally use Google auth and Authy for one-time passwords. Here is some hardware and app-based one-time password option that can be used instead of using your phone numbers.

app:
   

• Google Auth.
• Aegis
• Authy
• 2FAS
• Microsoft Auth.

Hardware:

• YubiKey
• Nitrokey

[Forever101]

It's really an unfortunate one indeed, I think the owners should sue the sim company until the perpetrator fished out. The victim should work with the exchanges and the sim company to come to the root of this. I believe the exchange will have the IP and wallet address used for the operation. This is just my suggestion. I think every Crypto investor needs to be super careful as this attacks comes in different shades and forms.

Many person store their Crypto on exchange for easy swapping , selling or doing any kind of transaction with it. I believe such people should have taken caution with the news of attack flying here and there. Anyone falling victim, chose to be victimized.
 

[Abu-Naim]

Sim swapping is more easier for them, because, remember, if we lost SIM card or it get damaged we can easily retrieve by their help, they will redirect your number into another new SIM card, and you are back online, This makes telecommunications dangerous when it comes to crypto.

Sim swap has a different procedure, which includes requesting the sim user’s personal information, including their NIN number and some personal information. I don’t think there will be a problem if you redirect your personal information to another sim in the name of Sim Swap.

Let's stop deceiving ourselves, there is no solution to this attack than
1. Separate your crypto away from your SIM card number.
2. Stop using your phone number to get verification codes for crypto exchanges and other crypto-related platforms.
3. Stop storing crypto on exchanges, e.g coinbase, crypto.com and Binance exchange.

These recommendations are excellent and will provide us with the utmost level of protection we require, as holding bitcoin in exchanges is not recommended because only exchanges will request such personal information.

Electrum and other open-source wallets do not require phone numbers in order to access or keep your bitcoin.

[Antotena]

Unfortunately, Sim swapping attacks are still growing rapidly, in this month of August I have got bad news about two U.S based family friend losing over 45 ETH and 0.7BTC because of sim swap attacks.

What I have been able to gather is, the telco guys working inside AT&T and other telecommunication companies are the ones bypassing all security measures, now not even your sim SMS 2FA codes can safe your ass from these guys.

Sim swapping is more easier for them, because, remember, if we lost SIM card or it get damaged we can easily retrieve by their help, they will redirect your number into another new SIM card, and you are back online, This makes telecommunications dangerous when it comes to crypto.

Sim swap has been long since it has been in existence, but the use of mobile phone number for Authentication for crypto has redirect their attention to crypto and this is why we hear of multiple hack even when you have your phone number with you and I'm not sure if these Telecommunication companies take account of what happen to people funds, they most likely lock up and act as if these breaches don't happen.

There is one thing that commonly lead to sim swap, here in Nigeria, telecommunication have limitation in which their sim will be kept off from phone without use, if they found out in their system that your sim card is offline for 6 months, they will assumed that your sim is not longer in use and they will have to recirculate the same sim for another person, the same number but under different identity. I don't know why they do that, but maybe their terms state it on their privacy and condition. This is one of the ways which sim card are circulate back to users.

Last year, the wife of the former president of Nigeria Sim card was some how reproduce and sold to another person, the person behind the new sim was using it to receive money from people after finding out that high profile people were calling the number in different occasions but he was later caught and arrested and when they did investigations, it was sim swap but this was done in the company without knowing the sim was registered under the President wife.

Let's stop deceiving ourselves, there is no solution to this attack than

1. Separate your crypto away from your SIM card number.

2. Stop using your phone number to get verification codes for crypto exchanges and other crypto-related platforms.

3. Stop storing crypto on exchanges, e.g coinbase, crypto.com and Binance exchange.

There is a big problem with people in the UK and US when it comes to crypto, they like storing their coins on exchanges, thinking that those 2FA codes and one time passwords for transactions will save them, which is not impossible for SIM swap attacks.

This was also why most people living in the U.S. and the U.K are the biggest victims of FTX, why these people refers storing crypto on platforms and exchange is worrisome, they are their own problem because crypto was never built to be kept on any exchange.

The solution for centralized users can use Google Authy for extra security instead of phone number or simply avoid the use of centralized exchanges, if you escape sim swap, you might not escape exchange hack.

[Ndabagi01]

What I have been able to gather is, the telco guys working inside AT&T and other telecommunication companies are the ones bypassing all security measures, now not even your sim SMS 2FA codes can safe your ass from these guys.

With all of these charges against them, they will not be punished if there is no real evidence to back up their claim. They'll get away with it and defraud more individuals.  It's also possible that the Telecoms company will want to protect its brand and will not allow such news to spread like wildfire.

Many person store their Crypto on exchange for easy swapping , selling or doing any kind of transaction with it. I believe such people should have taken caution with the news of attack flying here and there. Anyone falling victim, chose to be victimized.

This is still the most convenient and user-friendly way to access your wallets while trading cryptocurrency on such exchanges. In situations like this, comfort should not take precedence over security.

[SamReomo]

I believe that sim swap attacks can only work when the operators allow the malicious people to use a sim without proper verification. Sometimes the telecommunication companies appoint so naive team members in their operations who really aren't good in technology and because of those people the hackers can apply their social engineering skills to accomplish their goals of sim swap attacks. Those hackers try their best to convince the telecom operators by saying that they have lost their sim card or their sim card was stolen and that's why they want to have another sim card. They can only do that when they have full details of the victim which they already got using their social engineering skills.

I also believe that storing your coins on an exchange is risky and sim swap attacks may work on all of exchanges because when a criminal gets access to someone sim then that person also gets access to the email addresses of the account owner and that malicious person can easily steal coins from those exchanges by log into the exchanges from the same sim number and email addresses. Most people rely on Google authenticator and at the same time most of them have registered their exchange's account on the same email address.

The hackers know these things and when they are confirmed that everything will work according to their plans then they just execute their plans and steal the coins from the exchanges. I would recommend everyone to use other authentication software instead of Google authenticator. And, if you really want to be safe from sim swapping attacks then never ever share your details with the ones online and also never tell anyone about your crypto investments because sometimes we ourselves leak most of the information and the hackers can then use that information to steal us.

[Davidvictorson]

The average Joe uses a 2fa. While we should be careful of using the sms 2fa we should be more careful when using authenticator app from. Why it is so is because unless you are 100% access to your phone all day, the Google authenticator does have a feature that allows you to lock the app. So even though you have the app for security, it is not secure as anyone that gets a hold of it can have easy to your assets and steal them.

[cryptoaddictchie]

Thats why better to activate all authentication not just number or 2fa or email but all of it. Unless one of them are not met then transaction would be void. I think Binance has something like this and its a good security measure. If one of the following has been stolen at least they needed more info to make it complete.

Im not sure if those are trusted authentication but its better to have more options when it comes to security measure.

[aysg76]

A lot of these problems would've been mitigated if only people used one-time codes from authenticator apps like Google Authenticator and Aegis; but unfortunately SMS 2FA is still the most user-friendly option out there. And again unfortunately, not every service supports one-time code 2FA — understandably so because of SMS-fa being far easier customer support-wise.

But this is a two way problem like people handing out their numbers risks their privacy while service providers are not adding additional security measures like 2FA with passwords and for me TOTP is better then simple OTP but the problem again is people are keeping them on save devices.They will have authenticator app downloaded in the same device which also possess risks of theft but we need to keep it safe.