In January 2018, Michael Terpin reportedly attended the Consumer Electronics Show in Las Vegas where he ended up losing his smartphone. While this was an inconvenience, he says the real shock came when he realized that a hacker was able to use his phone number to convince a support representative from Terpin’s network provider, AT&T, to transfer his phone number to them.
Terpin alleges that someone requested an unauthorized SIM swap on his AT&T account, causing all of his incoming texts and phone calls to go to a device controlled by the attacker. Using this access, the hackers were able to reset Terpin’s cryptocurrency account credentials and steal $23.8 million in crypto assets.
Terpin blames AT&T’s negligence for the theft as this would not have been possible if AT&T had proper security protocols in place. Hence, he is suing the telecom company and 25 unidentified John Doe defendants for $223.8 million in damages to cover his losses and punish AT&T for its failure to protect its customers.
“It was AT&T’s act of providing hackers with access to Mr. Terpin’s telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur,” his complaint states.
What is SIM swapping?
The type of hack that led to Terpin’s loss of funds is referred to as ‘SIM swapping’. Also known as a ‘port-out scam’, SIM swapping has been around for years but has become a much more common occurrence in the past year as hackers have started to target cryptocurrency and social media accounts.
SIM swap fraud is when a criminal accesses an individual’s personal accounts by convincing a telecom service provider — through the use of social engineering — to transfer their victim’s phone number to themselves. Using this access, the criminal can then use the victim’s phone to reset a wide range of online accounts that use text or phone verification for account resets.
For this type of fraud to work, scammers will attempt to gain as much information as possible about their victims to have the information at hand necessary to convince mobile network providers that they are the person that they are falsely claiming to be. This information gathering usually involves targeting the victim with phishing emails as well as data collection from their victim’s social media accounts.
Furthermore, due to the requirement of personal information about the victim, this type of fraud is generally targeted at people who have some degree of a public digital footprint, thus, often those who are in the public eye. Vocal cryptocurrency investors are, therefore, prime candidates for this type of fraud.
How to protect yourself from SIM swapping
While SIM swapping is one of the most sophisticated types of fraud and rather difficult to prevent, there are several steps you can take to protect your crypto asset holdings from this attack. Firstly, don’t be vocal about your digital asset holdings online. The first line of defense against hackers accessing your crypto is to prevent them from knowing that you own any.
That means no bragging about trading profits and no sharing your portfolio online. While this may sound like common sense, you would be surprised how openly individuals are sharing their portfolios on crypto investing Facebook groups.
Secondly, many mobile phone providers, such as AT&T and T-Mobile in the U.S., have added another layer of security to prevent SIM swapping from occurring. In this case, an extra passcode is required to transfer a SIM card.
However, the insertion of human decision making into this process means it is fundamentally flawed, and Terpin’s complaint alleges that AT&T staff didn’t follow the company’s own security protocols. “Even after AT&T had placed vaunted additional protection on his account after an earlier hacking incident, an imposter posing as Mr. Terpin was able to easily obtain Mr. Terpin’s telephone number from an insider cooperating with the hacker without the AT&T store employee requiring him to present valid identification or to give Mr. Terpin’s required password.”
Thirdly, you can use authentication apps instead of text messages for two-factor authentication. Apps like as Google Authenticator or Authy provide a safer alternative to SMS confirmation for two-factor authentication for your email address or your cryptocurrency exchange accounts.
Finally, you could also go as far as getting a second mobile phone purely for your cryptocurrency holdings. While this may seem overkill, having a second phone number that you do not share with anyone and you only use for two-factor authentication makes it effectively impossible for hackers to engage in SIM swapping to access your holdings.
You will know that you have become a victim of SIM swapping if all of a sudden your calls and texts are not coming through. If that is the case, it is important to call your mobile phone provider immediately to mitigate the damage by regaining access to your SIM.
Cyber attacks and new types of fraud are an unfortunate reality that every cryptocurrency investor is confronted with as crypto assets make a great target for hackers due to the irreversible nature of their transactions. Hence, it is vital to stay vigilant and aware of new developments in this space.