Zengo

SIM swapping and cryptocurrency: A comprehensive guide to protecting your digital assets

Ouriel Ohayon

It is nearly impossible to ignore: By now you have heard about someone you know personally or indirectly suffering from a “SIM swapping” attack, which caused them to lose control and access to their online accounts and many times their money and crypto.

Latest victims include Vitalik Butterin and Donald Trump Jr.

But anyone can become a target if they have something valuable.

This happens so frequently that you need to understand what is happening, learn how it could affect you, and what you should do to react in such a situation.

“SIM swapping scams” and “cryptocurrency theft” are not just buzzwords that have gained significant attention lately. 

This guide delves deep into how SIM swapping works, its implications for crypto security, and the innovative solutions like Zengo that are changing the game to make you secure.

What is SIM Swapping?

“SIM jacking,” or SIM swapping is a fraud where attackers convince mobile carriers to switch a victim’s phone number to a new SIM card under their control. This tactic is used to bypass “SMS-based two-factor authentication (2FA)”, a common security measure, especially in the crypto world.

How Does SIM Swapping Work?

This is how attackers usually operate.

  1. Information Gathering: Attackers collect personal data, sometimes sourced from “data breaches” or “phishing scams”. 
  2. Impersonation: Using this data, they pose as the victim to request a number transfer from the mobile operator.
  3. Verification Bypass: With sufficient information about the target, they can bypass carrier verifications.
  4. Phone Number Takeover: The victim’s SIM gets deactivated, granting the attacker control.

But it can be worse than that: Insider attacks.

In some cases, the staff on the carrier side can launch this attack or get bribed by the attacker. When done well, a SIM swap attack can earn the attacker hundreds of thousands of dollars and make it easy to compensate any insider. Carrier staff usually have the full ability to send a new SIM card once requested. 

With e-SIMs (virtual SIM cards), this can be done near instantly and via the internet and you do not even need to go to a physical store to retrieve them or even provide a physical address to receive it by email.

Unfortunately, it has really become “easy.”

What is at risk and why is SIM Swapping a threat to cryptocurrency owners?

When a SIM-swapper gets hold of your phone number, they can basically access virtually anything where a phone is required as an authentication or identifier. For example, they can:

  1. Reset your email passwords, and from there reset access to any account connected to your email address.
  2. Reset your second-factor codes (usually sent by SMS) and in some cases even disable them (even 2FA hardware).
  3. Reset your iOS/Apple or Google accounts which controls the restoration of your phone apps, data, back up and even passwords/passkeys and linked 2FA.

You are helpless and when these things happen, they usually happen very quickly. Any apps depending on a password are at risk. 

Here is a video showing how easily an attacker can bypass “passkeys” once they control your phone:

Specifically regarding cryptocurrencies, multiple things can happen. Here’s why crypto owners are targets:

  1. Custodial Wallet Access: Many custodial cryptocurrency wallets use SMS-based 2FA. With phone control, attackers can access these wallets.
  2. Crypto Exchange Vulnerabilities: They can reset passwords on “cryptocurrency exchanges,” bypassing 2FA.
  3. Non-Custodial Wallet: if you have stored your seed phrase back up on an online app or even a password manager that can be accessed after this attack, your wallet is at risk. In addition, many mobile wallets provide a way to back up the “private key” via iCloud or Google drive. Once an attacker controls the iCloud or Google Drive account they can easily restore the wallet with its private keys.
  4. Embedded Non-Custodial wallets: many apps provide a built-in non custodial wallet controlled either by a single factor of authentication like email, social login, or even passkeys. This specific wallet will then be accessed and drained in the same way. This is what happened to 2 friend.tech users who became targets of SIM swap attacks.

A reminder: Crypto transactions can’t be reversed, unlike other types of accounts which can be recovered (e.g. your Twitter/X account). Once the crypto is drained from your wallet, it’s game-over.

How to protect against SIM-swapping attacks

  • Being aware of the risks is already a good starting point. So many people do not even know this is something to watch out for, and therefore will do nothing about it. 
  • Don’t make yourself an easy target: if possible and allowed by the services, avoid giving your personal information, use secondary emails (e.g. iCloud, private emails) or burner phone numbers different from your main one.
  • Depend as little as possible on your main phone number: Make sure it is never used as second-factor authentication, or identifier, unless mandatory. X (formerly known as Twitter) for example is one of the worst places for SIM swapping because it made 2FA based on mobile phone numbers the default option for blue verified users.
  • Even if history has proven this may not be enough: Ask your mobile operator to never reset a SIM card unless you come to a physical store.
  • Even if this can be bypassed by an internal attack: protect your SIM card with a PIN which prevents easy access.
  • Favor hardware security for your online accounts: Adding second factor security based on physical hardware is an additional guarantee. It’s more tedious but a remote attack is less likely. That said, a SIM swap insider attack will allow an attacker to reset nearly any kind of 2FA.
  • Use a SIM-swap proof mobile operator like www. Efani.com 

Protecting your digital assets: Best practices

If you have to use non-custodial wallets, favor wallets that provide multi-factor security by default (multi-sig, or smart contracts or MPC).

  1. Use Advanced Wallets: Opt for wallets with “multi-factor” security by default like multi-sig or MPC.
  2. Secure your Seed Phrases: If you use a seed phrase wallet. Risks are prominent (as seen above) so be aware that a seed phrase stored online is a significant risk, even if you use a hardware wallet
  3. Stay Updated: With the ever-evolving “crypto security landscape,” knowledge is power.

But is that enough?

Zengo & next-gen crypto wallets: The future of digital asset security

Traditional cryptocurrency wallets, software or hardware, and their reliance on private keys have a single point of failure and vulnerability. One single secret, the private key, can control and therefore compromise your wallet.

Modern solutions like Zengo enhance your crypto security in a meaningful way because Zengo’s multi-factory security protects both the recovery of the account and the transactions you are making.

How does Zengo secure my assets better?

  1. Passwordless Authentication: No more passwords, reducing “password hacking” risks.
  2. Secure Recovery: Even if attackers perform a “SIM swap” and gain control of your email and cloud services, Zengo’s 3D Facelock (liveness verification biometrics) will stop them at the point of recovery.
  3. Theft Protection: With Theft Protection enabled, even if an attacker gained access to your phone with Zengo installed, they wouldn’t be able to bypass Zengo’s 3FA protection to initiate a transaction (protected by 3D FaceLock).

Conclusion

As “SIM swap attacks” become more prevalent, understanding and safeguarding against them is crucial, especially in the “cryptocurrency world.” Innovations like Zengo offer hope for a secure digital future. Stay informed, stay safe.