In a SIM swapping scam, a cybercriminal takes control of a user's phone number by using social engineering to trick the mobile phone operator into issuing a new SIM card for that number. The best-known SIM swapping case involved cryptocurrency entrepreneur Michael Terpin, who alleged that AT&T was negligent in handling his mobile account credentials, resulting in the loss of tokens valued at more than 20 million US dollars.
Once cybercriminals control your phone number, they can use it to bypass any 2FA that relies on it, and from there work their way into your cryptocurrency wallets and exchange accounts.
Another method cybercriminals employ is monitoring your SMS communications. Flaws in telecommunications networks can allow criminals to intercept your messages, including the second-factor PIN sent to you.
What makes this attack particularly concerning is that the victim does not need to take any action, such as downloading fake software or clicking a malicious link.
To prevent falling prey to such scams, here are some steps to consider.
- Do not use your mobile phone number for SMS 2FA. Instead, use apps like Google Authenticator or Authy to secure your accounts. These apps generate codes on your device from a secret that is never tied to your phone number, so cybercriminals cannot use a hijacked number to obtain them. Alternatively, you may use hardware 2FA such as a YubiKey or Google's Titan Security Key.
- Do not reveal personally identifying information on social media, such as your mobile phone number. Cybercriminals can pick up such information and use it to impersonate you elsewhere.
- You should never announce on social media that you own cryptocurrencies as this would make you a target. Or if you are in a position where everyone already knows you own them, then avoid disclosing personal information including the exchanges or wallets you use.
- Make arrangements with your mobile phone provider to protect your account. This could mean attaching a PIN or password to your account and requiring that only someone who knows the PIN can make changes to it. Alternatively, you can require such changes to be made in person and disallow them over the phone.
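To make the first recommendation concrete, the following is an added example (not code from the original article, and not the code of Google Authenticator or Authy) showing why app-based codes survive a SIM swap: the RFC 4226 HOTP and RFC 6238 TOTP algorithms that authenticator apps implement derive each code from a shared secret and the clock, and the phone number plays no part. The secret below is the constructed 20-byte test key from the RFC appendices, so the codes can be checked against the published known answers; the `verify_totp` function with its drift window and constant-time comparison is an assumed server-side check, not taken from any particular service.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the 20-byte ASCII key used in the RFC 4226 / RFC 6238
# test vectors. A real service hands the secret to the authenticator app as a
# base32 string inside the enrollment QR code, and it then lives only on the
# device. Nothing here references a phone number, which is the whole point.
RAW_SECRET = b"12345678901234567890"
BASE32_SECRET = base64.b32encode(RAW_SECRET).decode()  # what the QR code carries


def hotp(secret_b32: str, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Assumed server-side check (hypothetical, not any vendor's code): accept the
    current step plus `window` steps either side to tolerate clock drift, and
    compare in constant time so the check does not leak through timing."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter, digits=len(submitted)), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("Secret enrolled on the device (base32):", BASE32_SECRET)
    print("Code right now:", totp(BASE32_SECRET, now))
    # Known answer from RFC 6238 Appendix B (SHA-1, 8 digits, T=59): 94287082
    print("T=59 ->", totp(BASE32_SECRET, 59, digits=8))
```

Running the script prints the current code for the demo secret; the T=59 line reproduces the RFC's published value, which is how you confirm an implementation is correct before trusting it. Because the only inputs are the secret and the time, an attacker who has hijacked your phone number gains nothing from the carrier: the secret never crosses the mobile network the way an SMS code does.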