On June 25th, I became a victim of SIM swapping, targeted along with dozens of other leaders in the blockchain community. This type of account takeover (ATO) fraud, also referred to as a port-out scam, SIM splitting, or SIM jacking, targets a weakness in two-factor authentication and two-step verification: the second factor or step used to access an account from a new device is an SMS or a call placed to a mobile telephone number, and whoever controls that number receives the code.
I’m a security-conscious IT professional who has worked in blockchain for 3 years, and I was stunned by the ease of the attack and how my normal security precautions failed. While the attack was frustrating and embarrassing, I believe strongly that we must learn from failure — and we must socialize to do better in the future. So I am sharing what happened, what I learned and what we can do better to prevent this kind of fraud.
How SIM Swapping happens
In my case, a bad actor went into an AT&T store and got an employee to change my SIM to a new phone, and then accessed all my accounts via the SIM and cloud.
Even though I had my SIM replaced in 45 minutes, that provided ample time to do damage. Since I have an iPhone XR, they used Face ID to access my accounts. Face ID works on the phone level, so they added their face to result in a positive pass of Face ID, and that unlocked my account names from my iCloud. Easy peasy. Keys to the kingdom.
This was unlucky timing, as only last month I upgraded my phone after the last one went through the washing machine. I had disabled iCloud on my previous phone as I don’t believe it is secure, but the new phone had it enabled somehow and I didn’t catch it.
After that, they were able to take over my Apple, Google, Coinbase and Bank of America accounts, and were able to see passwords in plain view via the iCloud Keychain app for 70+ other accounts. They reset passwords on the key accounts using hijacked two-factor authentication (2FA), since having my email and my phone let them receive those little 6-digit codes.
I also failed to set up my Google Authenticator for key apps before the attack, mostly because it is such a time-consuming process. I set it up for a few apps, but not Coinbase. That was straight-up laziness on my part.
The thieves attempted to steal $71K by overdrawing funds from my Bank of America to Coinbase. I caught it in time, but only because I saw a -$41,000 balance in my checking account. Fortunately, since it was covered by FDIC insurance and Coinbase imposes a waiting lockup period, I was able to recover these funds before they were transferred out of Coinbase into the ether.
How the phone company, banks, Google and Coinbase failed me
I went to the AT&T store within 15 minutes of losing my cell service. The man working there was very nice, but he was at the end of a long day and the air conditioning was out in the store. It was 84 degrees in the store. I could tell he was tired, but he closed the store and continued to help me 15 minutes after closing time. I left with a new SIM chip.
Security at the store means he was unable to see much into my account. This makes sense, but a flag should also have been set, especially since the phone company later claimed they had already caught it. He couldn’t tell anything from the system besides that my account was current. He said it was the first time he had ever seen a SIM chip burned remotely like this, but maybe it was the iPhone update that came out today. If he had had any way of seeing this, he could have advised me to lock up all of my accounts.
This message was sent 20 minutes after Coinbase deactivated my account for the investigation.
Two days later, realizing the scope of the attack, I called the phone company, AT&T, wondering if they knew they allowed this attack. They confirmed it was SIM swapping, and said they caught it early and shut it down. They never informed me, they did not give the poor store worker any flag or information, and they certainly did not prevent someone taking my SIM. I’m not sure how they are satisfied with this result, but it was an open investigation and they could not tell me more.
They suggested the perpetrators phished my number by calling and hanging up. That confirms it’s a live number. I’ve also seen text messages, sent to confirm accounts. I received several of these as I was re-taking over my accounts. The attackers continued to persist in their attacks.
Meanwhile, my bank allowed 9 overdrafts to process on my account. There were no phone calls, no emails, and no text messages. There was no stopping the hemorrhaging either. I called Bank of America first, but they did not want to put a stop payment on the account until I called Coinbase.
So, I called Coinbase. They opened an investigation and told me it would be 10 days longer before they would reveal any details or let me see my account. I had a small amount of cryptocurrencies in my online Coinbase wallet — less than $2,000. 15 days later I still do not know the result of where those funds ended up.
Google was predictably the best in this scenario. They detected a fraud attempt on my account and notified me that a live agent needed to personally review the account before I could access the account. That process took 3 days, but at least they were proactive.
Three weeks, 9 hours of customer support calls, and 71 password changes later—I am back in all my accounts except Coinbase which is still disabled.
SIM swapping is on the rise
These targeted attacks are on the rise, often beginning with social engineering: attackers find people like me, who work in the blockchain industry and speak and write publicly about cryptocurrency. Once they have tracked down your phone number, they have all they need to proceed.
In August 2018, T-Mobile was hacked and the billing information of 2.5 million customers was stolen. All of those accounts are vulnerable.
During the same week of my attack, dozens of my peers were attacked as reported by ZDNet. There is an open FBI investigation.
How to avoid SIM swapping scams
Frankly, there is no perfect way to protect yourself. But you can make it harder.
How we can do better
First, Face ID gives a false sense of security. Any similar security available today, including fingerprint readers, attaches only at the phone level.
Yet, biometrics are the ideal way forward to account authentication. Applications need to connect directly to the Face ID or biometric scan, ideally through an immutable record on a public blockchain.
Recovery needs to be tied to biometrics, always. Trivia, like your mother’s maiden name, or secondary authentication sent to a compromised device, is inherently flawed and vulnerable. Coincidentally, true biometrics would also serve the wider blockchain and crypto communities, who need a better way to remember private keys.
Also, there needs to be some accountability and coordination from the phone companies. They have no obligation to report these hacks to the FCC, and could stand to do a better job of educating their call center agents to detect social engineering attacks — or better yet, provide better AI support to learn and adapt with these attacks in real-time.