Another day to take caution of sim swap attack

[EL MOHA]

Just like not your keys not your coins is repeated on the forum, it seems sim swap attack warning/awareness needs to be spread as such.

It is not news again that co-founder of Ethereum Vitalik Buterin had his twitter(X) account hacked. This lead to a phishing link been posted and many lost their funds.

Now Vitalik himself has come out to said the attack was through his T-Mobile phone number by sim swap and the hacker got access to his X account through requesting for the authentication through phone number.

Vitalik prostrated that he didn’t take the security warning about sim swap serious if not now.  

The takeaway is avoid taking authentication through phone numbers alone, but if we look at it accepting authentication through even E-mail is risky so the best act is to avoid storing funds on platforms that requires this.

How to know if your phone number has been swapped.

1. When you notice your network is no longer available

2. When you receive a notification from your network provider about a change of sim

3. When you can not have access to your social media accounts or any online accounts accounts again.

Once you notice one of this then you need to act fast

[1714627383]

1714627383

[1714627383]

1714627383

[1714627383]

1714627383

[1714627383]

1714627383

[1714627383]

1714627383

[1714627383]

1714627383

[_act_]

Now Vitalik himself has come out to said the attack was through his T-Mobile phone number by sim swap and the hacker got access to his X account through requesting for the authentication through phone number.

Sim swap attack through T-Mobile is not new. I am disappointed that these kind of people with numerous followers do not protect their social media account. Twitter, now called X has 2FA and Security key hardware which Twitter users can use to protect their account.

Image from Twitter securities and privacy on my Twitter account


Why would people go for text message only which is also by default. Sim authentication is not safe. Use app 2FA or hardware security key for a better security.

[DVlog]

This is really frightening. The majority of the users use their phone numbers for their account security. Even I have used my phone number for 2FA authentication for my Gmail and other social media. I think now I need to change that. In my country, mobile banking services are very popular, and many people use them every day. For mobile banking, you just need to have a mobile number, and you need to do KYC through your ID card. People store thousands of dollars in their mobile banking accounts, so if these SIM swap attacks happen in my country, this will be a total disaster.

[Nwada001]

Keeping funds on a platform is never a good idea, which is why the #Not Your, Not Your Coin rhyme is being spread every single day in different forms here in this forum and aside from this place in areas or platforms that encourage self-custodian usage.

But in aspect of social media account the case is different, we can't avoid receiving emails or mobile number authentication authorization request, as they are one of the ways those apps approve signin from a new device, even when we are making use of the email and phone number security, for someone like Vitalik he should be aware that those kind of security alone is not enough for their account as influencers account is on a highest target rate now a days from hackers, most of this social media accounts have a 2factor authentication option enables on the security part of individual account, if this option was enable on his account I believed this could have been a little less possible for the hackers to access the account but not entirely impossible though.

In the aspect of the sim swap, I don't know how it's being done, but however they are doing it, it's very risky, and network providers should make things a little bit difficult for someone who is not a sim original owner to have limited access to sim details and the swap option.

Regarding how to know if your sim has been swapped or not, the only valid option I see here is the network going off your current phone, in the aspect of your social media accounts being logged out, those could be avoided by the hacker, someone can change your password and still allow your account to be logged on your current device, they can operate in the background and do what ever they want to do, since your mind is not their you might not bother checking through your previously dropped posts which those hackers could easily drop a phishing link through an original post comment section or others post comment section and disable the post notifications so that you won't get any of of reaction notifications on that post/comment, few hours of their control and they can steal on your own watch. 

This that just happened with Vitalik X's account is another reminder for the general public to reduce their test for greed and do not trust what ver comes out of the mouth of your celebrity influencer or what they post in their account, because a verified or trusted person dropping a link does not make the link entirely legit. The public should learn how to limit their trust and greed; it will save them from a lot of scams.

[Tiger420]

Thank you for your important words and raising awareness of the sim swap attack. It's crucial for everyone to be vigilant about their online security. In today's digital age, where our personal and financial information is interconnected, taking proactive steps to protect ourselves from potential threats like sim swap attacks is paramount.

[BitMaxz]

How is a sim swap possible?
Here in my country before you request anything from the sim carrier like requesting for sim replacement you need to provide a selfie and submit a few documents for verification. So how does Vitalik Buterin fall to this attack?

The only thing that I could think of is that the mobile number or sim he had is not yet ID-verified. That is why the hacker can request to sim carrier to activate a new number and ask the carrier to redirect all calls and texts to a new number without ID verification.

This might be the reason why Binance removed phone number verification on withdrawal.

[_act_]

How is a sim swap possible?
Here in my country before you request anything from the sim carrier like requesting for sim replacement you need to provide a selfie and submit a few documents for verification. So how does Vitalik Buterin fall to this attack?

It is like you are asking that how is bank fraud possible. Or asking that how scammers get people's identity to register on centralized exchanges to scam.

In sim swap attack, one or some of the workers from the sim providing company may know about it. Sim swap is not something that is new.

[EL MOHA]

How is a sim swap possible?
Here in my country before you request anything from the sim carrier like requesting for sim replacement you need to provide a selfie and submit a few documents for verification. So how does Vitalik Buterin fall to this attack?

Not many countries or network providers actually do sim swap physically like you have stated. Some network providers would just ask for identifications through call and hackers usually would have gotten such informations from either social media platforms or through phishing sites. Another way is there is always staffs working with this network providers that aid this acts. Probably this is what happened to Vitalik

[Nwada001]

How is a sim swap possible?
Here in my country before you request anything from the sim carrier like requesting for sim replacement you need to provide a selfie and submit a few documents for verification. So how does Vitalik Buterin fall to this attack?

Here in my country, it was also hard to replace the original SIM owner and swap the SIM without their knowledge. Not until network providers started approving agents to start doing SIM registration and swapping on the street did everything become very possible. The only thing that is needed is for the person who has the authorization to do the SIM swap to be in agreement with you, and everything will be a bit easier.

The finger print verification, which was one of the difficult parts, is even bypassed now. What they can just do is ask the agent to check through the SIM they brought and give them details. Those details of the original SIM owner can be used to fabricate documents that will match the owner's own, and any image could also be used in replacement of the person's passport. It's very possible now.

[Dunamisx]

Just like not your keys not your coins is repeated on the forum, it seems sim swap attack warning/awareness needs to be spread as such.

Though this might have been discussed already before now but i think i still see it as being a reminder for those that already knows about the shady acts coming through this whole process while the newbies will also get along with the required standard information needed not to fall a victim, there are many ways scammers are now developing to make sure that they attack people and most of their targets are the begginers, because they know that these set of people aren't familiar with the whole system yet, so they take their advantage.

[Iron Fist]

I once worked for a network operator in my country. At that time, smartphones and social networks didn't exist yet, but SIM swapping or SIM cloning was already a popular method of attack. It was mainly used to make free calls, charged to someone else's account. The scenario often involved individuals who didn't know how to remove their SIM cards from their phones. When they brought their phones in for repairs, they left the SIM card inside, which some bad actors could easily clone onto a new SIM card. I guess today scammers are even more resourceful.

[hd49728]

SMS code for 2-factor authentication is not safe. 2FA from centralized services like Google Authentication is not safe too and they even want to back up codes on their cloud storage.

You can turn on 2FA for your Twitter account and use good 2FA applications like Aegis that is open source.

https://getaegis.app/

[Darker45]

It's a given that everybody shouldn't feel sufficiently safe with just sim or SMS verification or authentication alone, but I think service providers should also be implementing strict measures to prevent sim-swap attacks. Requests for sim change shouldn't be easy. A lot could be compromised simply because of it. This isn't the first time a T-mobile user falls victim to such attack.

If not with an insider, sim swap attacks could also begin by phishing or other ways to obtain personal information. Especially if a sim is already attached to a name, address, and other personal information, it can't easily be stolen. So, it definitely helps if we are also extra careful in giving out our personal details. This includes staying away from centralized platforms which require KYC. If not stolen, personal data could easily be bought or hacked. Or it could leak.

[Dr.Bitcoin_Strange]

This was also the same thing Kiakia was talking about in his thread here, and I think that such methods of scam are already popular in some parts of the world, which they are already aware of, and how to handle the situation when their sim stops providing network. Although sometimes your sim can stop providing network due to a damaged sim or bad phone, but it should be given immediate attention to know why one's sim is not providing network so that if it's a case of sim swap, it can be quickly handled. Again, I think people should always take note of every SMS that they receive from their network provider because there is no way your SIM will get swapped without you receiving an SMS asking you to verify that you are the one performing the swap action or take immediate action to cancel the process. Also, if you pay full attention to the SMS you receive and you come across some transactions in which you were not the one that initiated them, just know that your SIM might have been swapped. Lastly, using SMS verification as the only OTP method is not safe.

[tabas]

Why would people go for text message only which is also by default. Sim authentication is not safe. Use app 2FA or hardware security key for a better security.

Exactly, this is where most of those hacks through sim swap comes. Their 2FA is through their sim numbers and that's how these hackers gained access to them. Those that does it thinks that it's easy and safer because the 2FA code is sent over your network provider. But it has been proved for so many times that it's not and with sim swap, it can be taken by the hacker. Aside from 2FA through authentication apps, the email AUTH is also another option but this is not safe too especially if you've been using that email and you know that it has the same password of what you're using in many websites.

[nakamura12]

This wouldn't happened for those who have more than one verification which is not just sms verification but also 2FA verification. This is not new attack though therr are some people who are victims of these attack. Anyway, thanks for sharing this news OP although if we talk about keeping money safe it should be very secure even though it is annoying to access your account where you have to go through more than one verification and it's also the same in an online account as it could be used to fool anyone using your account to get what they want.

[alastantiger]

Never trust your phone security.Have a financial accounting record off of your device will help you later . There all sorts of attacks going on at the moment you don't even need to be a victim of it before you get prepared or ready.  Take all the precautionary measures to stay safe online. Sim swap attack is actually more dangerous. Sometimes it is better to get the paid security measures on your device.

[Smartvirus]

Sim swap attack through T-Mobile is not new. I am disappointed that these kind of people with numerous followers do not protect their social media account. Twitter, now called X has 2FA and Security key hardware which Twitter users can use to protect their account.

Why would people go for text message only which is also by default. Sim authentication is not safe. Use app 2FA or hardware security key for a better security.

It’s that disappointing for real with these guys and this one with Vitalik Buterin even given the fact that, his a programmer and understands the risk that surrounds the cryptospace, what influence he commands and who a single flaw from him could cause a worldwide significant damage like we hear people cry of recent.

Layers of security is needed when you wheel that sort of power over a large mass which most are unknown to you.
Even having these 2FA delivers to you by mail is very difficult. I once did have an authenticator app to provide me with these codes. It worked like tokens, and wiped every 30 seconds or so. That would serve some real purpose but, you’ll be sure to ensure it’s used in a safe device and you properly store your importing code/seed.

[hd49728]

It’s that disappointing for real with these guys and this one with Vitalik Buterin even given the fact that, his a programmer and understands the risk that surrounds the cryptospace, what influence he commands and who a single flaw from him could cause a worldwide significant damage like we hear people cry of recent.

They are technical men with deep knowledge about security. They know how to go OPSEC but it is knowledge which is different than practice.

They can have good knowledge and skills to secure their devices and accounts but practically, they can not do enough security wise steps to keep their devices and accounts safely from hacks.

Vitalik is not a first senior developers have accounts or devices hacked or compromised.

Luke Dash Jr., a senior Bitcoin developer got one too.
Bitcoin developer @lukedashjr's wallet was hacked

[Yamane_Keto]

I cannot believe that someone who cares about privacy still uses a phone number to secure his accounts, not to mention that he is a developer and is supposed to know this information. Securing your account using a phone number leaves you at the mercy of a third party. This third party may freeze your phone number, block it, or even misuse it, waiting for this to happen. Such attacks to update your information about security is a bad thing.