As SIM Swap Attacks Amplify, Companies Recommend against Using SMS as 2FA

Phone hijacking, also known as SIM swapping, is considered a major threat to digital asset holders. There have been many recorded cases of hijackers porting phone numbers to gain access to one-time passwords and then validate transactions or change account passwords. Following this, major crypto companies stepped back from using SMS-based two-factor authentication.

Crypto Companies Advise Not to Use SMS as 2FA

Reports from Google suggest that SMS-based two-factor authentication is highly effective in preventing account hijacking. The Internet company stated that this method could prevent 100 percent of automated attacks, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks.

SMS as a 2FA method is still the most common mechanism deployed by crypto users. However, this hasn’t turned out well for the industry. There have been several reports of theft of millions of dollars using the SIM swapping method.

The ineffective security measures implemented by phone carriers make it easy for hijackers to port phone numbers and quickly gain access to funds and personal information. This makes SIM swap attacks relatively common in the crypto markets. The increasing number of hacks has led companies to lose faith in authentication methods tied to a phone, as they can be easily compromised.

Owing to a lack of trust in phone carriers and how easily hackers can trick them into giving up personal information, many companies, including Coinbase and Kraken, have warned their users to use 2FA security beyond the SMS-based method.

A member of the Coinbase security team wrote a blog post on Medium back in 2016 that read:

“Use two-factor authentication everywhere. Personally, I recommend (in order) U2F, Push-based and TOTP/token-based. Only use SMS if there is no other option.”

BitGo, a blockchain security company, in December 2016, had a change in policy and stopped offering SMS-based 2FA to its new users. It restricted them to only client-side 2FA systems such as TOTP with Google Authenticator. Noting the threat, they also warned their existing users to stop using SMS as 2FA, while also prompting them to remove the mechanism from accounts where they might be using it.

Recent SIM Swap Incidents

The latest incident was the theft of $7.5 million from 40 victims by a 21-year-old man from Boston. In another such SIM swap, a hacker stole a million dollars’ worth of cryptocurrencies but was later arrested in Manhattan. Many more incidents were reported that saw the theft of funds ranging from $10,000 to as much as five million dollars.

The considerable sums of money involved in these hacks are a sign of how easy it has become for hackers to execute multiple such attacks by swapping several SIM cards.

Telecommunication companies such as AT&T have been sued for negligence with user privacy and for giving away information to hackers. One such case even accused three former members of a phone carrier company of giving away clients’ details to hackers in exchange for a bribe. But these incidents hardly seem to make any difference to phone carrier companies in the U.S., who are still unwilling to share real-time SIM swap data with banks so that any such incident can be stopped before it is successfully carried out.

Marked by such incidents, SMS 2FA is far from being a reliable method for authentication.

The $100,000 Lessons and Recommendations

On May 20, 2019, Sean Coonce, the engineering manager at the blockchain security firm BitGo, revealed in his Medium blog how he lost more than $100,000 to a SIM swap attack carried out four days earlier.

The hackers were able to port his SIM to their name and drain his Coinbase account over 24 hours. This hack of a BitGo employee is ironic considering the BitGo post mentioned above from 2016, where the company warned users not to use SMS 2FA.

Apart from expressing remorse about his loss, Coonce took the opportunity to jot down the lessons he learned from the attack and the recommendations he had for other crypto users. Coonce emphasized the tips below for a more secure experience, as well as other tips for how best to guard private information.

Using a Hardware Wallet to Keep Assets off of the Internet

Today, the Internet is the sole medium of access to many user accounts. If digital assets are stored in hardware wallets when transactions aren’t required, they’re cut off from the Internet. This makes it impossible for anyone to access users’ funds without getting physical access to their hardware wallet.

On a personal note, Coonce wrote:

“I knew the risks better than most, but never thought something like this could happen to me. I intensely regret not taking stronger security measures with my crypto.”

Using Hardware-Based Security

Just as storing crypto assets on hardware wallets secures them from any threat lurking on the Internet, relying on hardware-based security methods such as a YubiKey does the same for the authentication key.

Google Authenticator and Authy, Coonce said, should be treated as secondary to hardware-based security, as they still reside on the mobile phone and can be accessed.

Sharing Personal Information on the Internet

Social media platforms are a perfect starting point for an attack such as SIM swapping because so many people share all their personal information there, regardless of the abounding threat.

The right set of data about users could be efficiently utilized to set a trap and defraud them. Sharing needless personal information should be minimized to maintain a safe distance from any cyber attacks.

Creating a Google Voice 2FA

Anyone who does not own a hardware-based 2FA device, or who has an account with a service provider that doesn’t support one, should opt for a Google Voice phone number. These cannot be ported like ordinary phone numbers and can be used to set up two-factor authentication.

Creating a Secondary Email Address

Having a secondary email address that is mentioned nowhere on the Internet apart from being directly linked to primary social accounts, bank accounts, and crypto exchanges can prevent hackers from getting their hands on users’ crypto.

It is also suggested that people protect their secondary email address using a hardware-based 2FA.

Parting Words

When a hacker explicitly targets the average user with an account protected by conventional security methods, the ball is in the hacker’s court.

It’s thus the responsibility of every Internet user to be aware of cyber threats irrespective of whether they hold cryptocurrencies or not. They must ensure the use of the most reliable methods and should go the extra mile to protect their online identity and assets.

Stay updated, stay safe, and keep hodling.

Mohammad Musharraf

Mohammad Musharraf is an experienced blockchain and cryptocurrency writer. He enjoys untangling the complexity of this technology and creating comprehensible content around it. Apart from writing, he’s a passionate traveler too and plans to spend his youth as a digital nomad.