SIM card swap attack: Why were a large number of encrypted Twitter accounts hacked to post phishing links? How should we prevent this?
Since SIM card swapping attacks typically do not require high technical skills from hackers, users must remain vigilant about their identity security to prevent such attacks.Original: Cointelegraph
Translated by: Wu Says Blockchain
On July 21, Uniswap founder Hayden Adams' Twitter account was hacked and tweeted messages containing phishing links. It is reported that this hack may be a form of SIM card swapping, where the attacker takes over the victim's phone number, allowing them to access bank accounts, credit cards, or accounts.
On July 23, Coinlist's account was also hacked, and phishing links were posted. Additionally, on July 5, LayerZero's Twitter account was stolen, and in June, the official Twitter account of DEX trading aggregation platform Slingshot was hacked, along with BitBoy founder Ben Armstrong's Twitter account. Why are so many crypto accounts being stolen? How can users protect themselves?
Here is the full translation of the Cointelegraph article, original link:
https://cointelegraph.com/news/crypto-sim-swap-how-easy-is-sim-swap-crypto-hack
Since SIM card swapping attacks are often seen as requiring low technical skills, users must remain vigilant about their identity security. Despite the continuous improvement of cybersecurity infrastructure, online identities still face many risks, including those associated with users' phone numbers being hacked.
In early July, LayerZero CEO Bryan Pellegrino became one of the latest victims of a SIM card swapping attack, which briefly allowed hackers to take over his Twitter account. After regaining access to his Twitter account, Pellegrino quickly wrote: "I guess someone took my ID from the trash and somehow tricked the agent into using it as proof for the SIM swap while I was away from Collision." Pellegrino told Cointelegraph, "It was just a regular paper conference badge that said 'Bryan Pellegrino ------ Speaker.'"
Pellegrino's experience may lead users to believe that executing a SIM card swapping attack is as simple as taking someone else's ID. Cointelegraph has reached out to several cryptocurrency security companies to find out if this is true.
What is a SIM Card Swapping Attack
A SIM card swapping attack is a form of identity theft where the attacker takes over the victim's phone number, thereby gaining access to their bank accounts, credit cards, or cryptocurrency accounts.
In 2021, the FBI received over 1,600 complaints related to SIM card swapping, involving losses of over $68 million. Compared to the complaints received in the previous three years, this represents a 400% increase, indicating that SIM card swapping attacks "are definitely on the rise," CertiK's head of security operations Hugh Brooks told Cointelegraph. Brooks stated, "Unless we move away from SMS-based two-factor authentication and telecom providers improve their security standards, we may continue to see an increase in the number of attacks."
According to 23pds, Chief Information Security Officer of SlowMist, SIM card swapping attacks are not very common now but have significant growth potential in the near future. He said, "As Web3 becomes more popular and attracts more people into the industry, the likelihood of SIM card swapping attacks will also increase due to their relatively low technical requirements."
23pds mentioned some cases of SIM card swapping hacks involving cryptocurrency over the past few years. In October 2021, Coinbase officially disclosed that hackers stole cryptocurrency from at least 6,000 customers due to a vulnerability in two-factor authentication (2FA). Previously, British hacker Joseph O'Connor was prosecuted in 2019 for stealing approximately $800,000 in cryptocurrency through multiple SIM card swapping attacks.
How Difficult is it to Execute a SIM Card Swapping Attack
According to CertiK executives, SIM card swapping attacks can typically be carried out using publicly available information or information obtained through social engineering techniques. CertiK's Brooks said, "Overall, compared to more technically demanding attacks, such as smart contract exploits or exchange hacks, SIM card swapping may be seen as having a lower entry threshold for attackers."
SlowMist's 23pds agrees that SIM card swapping does not require advanced technical skills. He also pointed out that this type of SIM card swapping is "common" in the Web2 world, so its emergence in the Web3 environment is "not surprising." He said, "It is generally easier to execute, as it involves deceiving the relevant operators or customer service personnel through social engineering techniques."
How to Prevent SIM Card Swapping Attacks
Since SIM card swapping attacks typically do not require high technical skills from hackers, users must remain vigilant about their identity security to prevent such attacks.
The core protective measure against SIM card swapping attacks is to limit the use of SIM card-based two-factor authentication methods. Hacken's Budorin pointed out that it is better to use applications like Google Authenticator or Authy instead of relying on methods like SMS.
SlowMist's 23pds also mentioned additional strategies, such as multi-factor authentication and enhanced account verification, like extra passwords. He strongly recommends that users set strong passwords or PIN codes for their SIM cards or mobile accounts.
Another way to avoid SIM card swapping is to protect personal data, such as name, address, phone number, and date of birth. SlowMist's 23pds also advises carefully reviewing online accounts for any unusual activity.
CertiK's Brooks emphasized that platforms should also be responsible for promoting secure two-factor authentication practices. For example, companies can require additional verification before allowing changes to account information and educate users about the risks of SIM card swapping.
