There are a ton of usernames and passwords for us all to remember, whether logging on to a website or online bank account. It’s hard to keep the information straight — and we often forget our passwords. To retrieve one, the website or banks will send a text to confirm the user’s identity. But what if that text doesn’t go to the right person? The discrepancy has led to a problem in recent years known as SIM swapping — and scammers are taking advantage of it to steal cryptocurrency.
SIM swapping is a method by which criminals or hackers take over phone numbers when they receive that text message. In some of those cases, they dupe wireless carriers and in turn, steal thousands or even millions of dollars of cryptocurrency from the user. The biggest problem that exists from this hacking method is that within crypto, if hackers get access to the information and use an individual private key, there is no way to get the money back.
The hack is not as complex as it may seem. First, a criminal must hack into a person’s email or cryptocurrency account using their own device. From that device, they will be asked to perform “two-factor identification,” which will involve sending a text code to the phone number listed. This step ensures that an authorized log-ins occurs but since the hacker has already duped the number at this point, it goes directly to the hacker. Finally, the hacker can “confirm identity” and proceed to have full access to the users’ accounts and financials.
A New York-based venture capitalist had the experience of dealing with a SIM swap attack first-hand. He was suddenly logged out of his email accounts and his phone lost its signal. Due to his experience in cryptocurrency, he knew what was happening and immediately got in contact with his wireless carrier through Skype to regain access to his cell phone. He was able to gain control of his email but was not his Coinbase account. The hacker was able to get away with roughly $5,000 worth of crypto holdings stored online. As no one is really responsible for the attack at this point, not the wireless carrier or the exchange, the venture capitalist was forced to take the loss.
Fortunately for the venture capitalist, most of his crypto assets were stored offline, which is much more difficult to hack. Cryptocurrency exchange Abra, one of the biggest competitors with Coinbase, does not store any of its customers’ funds online. In fact, CEO Bill Barhydt went as far as to say that storing private keys online is “the worst idea in the history of bad ideas.” He went on to say that “your phone number right now is a lot more important than your social security number. The average consumer doesn’t pay attention to security until they’ve been hacked.”