Unfortunately, this problem is increasing yearly

[tech30338]

Unfortunately, Sim swapping attacks are still growing rapidly, in this month of August I have got bad news about two U.S based family friend losing over 45 ETH and 0.7BTC because of sim swap attacks.

What I have been able to gather is, the telco guys working inside AT&T and other telecommunication companies are the ones bypassing all security measures, now not even your sim SMS 2FA codes can safe your ass from these guys.

Sim swapping is more easier for them, because, remember, if we lost SIM card or it get damaged we can easily retrieve by their help, they will redirect your number into another new SIM card, and you are back online, This makes telecommunications dangerous when it comes to crypto.

Let's stop deceiving ourselves, there is no solution to this attack than

1. Separate your crypto away from your SIM card number.

2. Stop using your phone number to get verification codes for crypto exchanges and other crypto-related platforms.

3. Stop storing crypto on exchanges, e.g coinbase, crypto.com and Binance exchange.

There is a big problem with people in the UK and US when it comes to crypto, they like storing their coins on exchanges, thinking that those 2FA codes and one time passwords for transactions will save them, which is not impossible for SIM swap attacks.

This was also why most people living in the U.S. and the U.K are the biggest victims of FTX, why these people refers storing crypto on platforms and exchange is worrisome, they are their own problem because crypto was never built to be kept on any exchange.

why would at&T tolerate this behavior of those people that's bad for business, anyway or maybe hackers have gather your information somewhere and change, at the same time avoid giving information via phone, a lot of people in my country give information when someone pretends that they are employee of the company or telecom, someone try to do this to me, asking what is my email address, i return the question to him, saying you have my records, in your computer why are you asking it again, also like birthdate , it ended up that he is not working in the company, also avoid using your mobile phone when signing up to a certain site which you don't have any clue, those are just farming information, have you wonder someone called you from a store, and you have no clue why they have your number? I would say, there will come a time that you have no choice, but to use those exchange,  so just securing your phone, never click some links, and your good, never entertain calls , you have no business, i received lots of calls last year from unknown exchange, I just ignore them, until now still safe, thank god.

[Potato Chips]

Honestly, I find SMS 2fa inconvenient -- at least in the long run.

It's merely easy to setup because of how widely used SMS services have been hence, people are so much more familiar with it + no backups are needed (instead you trust your service provider which as mentioned have caused trouble multiple times) so there is little to no learning curve.

But here's the thing, I have used services where you don't have a choice other than SMS 2fa. Oh god, SMS getting delayed or lost is pretty much inevitable even with good signal on my phone. I move around from places to places as well and there were areas where the signal is just poor. On my TOTP app, I don't need to rely on network providers and I always get my code the moment I open my app.

I'd choose TOTP any day. It's more convenient for my use case and most importantly, has better security.

[Dr.Bitcoin_Strange]

In my country, there is something called sim cloning, where some tech guys can just pay some money and your sim card can be cloned while you are even using it, and they can just easily access your bank account or get your OTP code. It's something that's very common. Crypto enthusiasts should always remember one important rule of holding Bitcoin, which is "not your key, not your coin. Even while using some of those crypto platforms, the person should not just use their SIM card as the only means to receive an OTP; they can bind it to more than one 2FA, such as SMS, email, and Google 2FA. That is how I make sure I don't only use one 2FA on all of my accounts, which I use for financial transactions or trading.

[AYOBA]

Sim swapping is more easier for them, because, remember, if we lost SIM card or it get damaged we can easily retrieve by their help, they will redirect your number into another new SIM card, and you are back online, This makes telecommunications dangerous when it comes to crypto.

This may be a rumor, do to my own opinion, they cannot transfer a person's number to a new sim card without the owner's permission. Because even that a person has lost his sim card and he want to the MTN office to have his information swiped before they can his swipe, they will ensure that his personal information is accurate.
The only way to obtain someone's SIM without his permission is through cloning.

 

[sunsilk]

I guess aside from being aware of the sim attacks, the platforms should also enforce that they should force their users to use other way of 2FA aside from SMS.

Since the proliferation of this attack, an alternative is much better and that's through email and as well as the usage of the 2FA apps.

Just last night, someone called me out of nowhere and has got my number offering me a job but it was an obvious scam job. So, in theory, that these hackers can be everywhere and have the source of our numbers so it's easy for them to penetrate and attack random people and if they're lucky enough, if the sim card that they're able to copy was used for transactions in banking and crypto, that's where the danger is.

[Fuso.hp]

This is a big problem, we may not have any idea that the SIM registered with our ID card is being used by someone else without our knowledge. Earlier purchasing a SIM was a very difficult matter but nowadays a SIM can be easily registered with any ID card. We should refrain from buying SIM or sharing our ID number with other people and if ever our SIM is lost then we should go to the nearest customer care and block the lost SIM so that someone else can use it in our absence. If our lost SIM is used by someone else and if that SIM is used for any criminal act, then the administration will tag our ID number and directly identify us as a criminal, so we must be careful before falling into such a danger.

[icalical]

So, I suppose that those 75 ETH and 0.7 BTC are stored in an exchange wallet because SMS 2FA is involved. Storing that much of fund in exchange is already very risky, the hack wouldn't happened in the first place if those fund were stored in a hardware/cold wallet. Exchange are only supposed to be used for exchanging cryptos, not storing a huge amount of crypto in a long time.

[348Judah]

What I have been able to gather is, the telco guys working inside AT&T and other telecommunication companies are the ones bypassing all security measures, now not even your sim SMS 2FA codes can safe your ass from these guys.

If this guys who are the main actors in doing this shady acts were discovered then we should have eard about something concerning them being caught, or handed to the police for tarnishing their company's reputation, this will also serve as a strong warning to many if the organizations to double up their security measures and checks in other not to create an open means for scammers to use their services and products for their evil acts.

Sim swapping is more easier for them, because, remember, if we lost SIM card or it get damaged we can easily retrieve by their help, they will redirect your number into another new SIM card, and you are back online, This makes telecommunications dangerous when it comes to crypto.

Don't store any sensitive informations on your sim card because if anything should go wrong with it, the all access to your assets are gone, well i believe in some countries, their mobile phones do come with network already on it and there's no need of applying sim card again.

[nakamura12]

I have been doing your advice since I started using crypto. I only use authenticator like google authenticator (when it's used by many people before until there's a new authenticator that is more reliable than google authenticator) instead of using my mobile number for verification and such. It's not that my identity is linked to my mobile number but still, I never use my mobile number especially at this time where th government in my country requires us to register our sim which needs our personal detail and ID. It's better to use sms as it is for messages and non-related to crypto information.

[stompix]

Is this a problem peculiar to U.K. and U.S. citizens?

It happens everywhere
India:
https://indianexpress.com/article/technology/tech-news-technology/sim-swapping-how-to-avoid-being-a-target-8026237/
South Africa:
https://www.bleepingcomputer.com/news/security/south-africa-wants-to-fight-sim-swapping-with-biometric-checks/
South Korea:
https://cryptonews.com/news/sim-swaps-other-crypto-related-crimes-set-to-rise-in-south-korea-says-sk.htm

It's just the fact that it makes more waves there because of the sums involved, pretty hard to find somebody with 1 million in his bank account or Binance account in Elkhalil compared to NYC.

This is a big problem, we may not have any idea that the SIM registered with our ID card is being used by someone else without our knowledge.

That's not what's happening here, how would you secure your 2FA with a number you don't even know it exists in the first place?

One way to prevent this is by setting a PIN for your SIM card on your phone. I do this, and it asks me for my PIN whenever I restart my phone. I think even a mobile service representative would need to know my PIN to access my SIM card. Does this protect against SIM swapping? I thought it did, but I'm not entirely sure.

No, it doesn't, that a local setting for your phone, the new sim that will be issued to the attacker in this case will not ask for a PIN.

If there is one thing you can do is to set an alarm on your phone when it loses signal, when the attacker is at the desk asking for a new sim the moment that one is activated by the mobile operator, so even before going in the attacker phone yours will be disabled so your phone will lose access to the network, that's the moment you try a code like #xxxx or whatever and if doesn't work then you call instantly your mobile operator from another phone and disable the number.
Since the sim swaps can only happen during working hours and not at night and swift reaction can prevent a loss.

[sokani]

Sim swapping is more easier for them, because, remember, if we lost SIM card or it get damaged we can easily retrieve by their help, they will redirect your number into another new SIM card, and you are back online, This makes telecommunications dangerous when it comes to crypto.

During sim swaps it is a standard practice or requirement that users provide important information about their old sim like your name, DOB, mother's maiden name, 5 frequently dialled numbers, last airtime recharge etc. So how can scammers successfully claim that they are the bonafide owner of the sim if they don't have these information? Only one thing makes sense... They might be getting help from someone in the Telecom company. Well, this is a major problem for people (ignorant ones and traders) that still keep their assets on CEX, but having your assets in a non custodial wallet would safe you from this kind of hack.