This topic has been talked about many times but the articles never actually address the issue here. The Identity link between these services reflects a major point of contention and I want to address it from the perspective of a cryptocurrency holder and what individuals should ACTUALLY enact.

Sim porting has been a threat for several years for GSM based phones. GSM phones hold close to 90% of the market share so there are many opportunities for sim porting. Digital currencies are a large target for potential hackers due to its decnetralization. It allows for easy mobility of an asset. Also, the type of security needed to properly secure the assets are rarely taken into account and applied.

What is sim porting and why do I care?

To first be able to understand how to avoid an attack like this, we need to analyze what kind of attack it is, and how it affects someone protecting cryptocurrencies. Sim porting or sim swapping is when someone moves their phone number from one sim card to another sim card. The reason this exists is for an individual to maintain control of their phone number if they decide to change service providers or devices. Phone numbers are identifiers for people as they aren’t recycled often and the hassle of adopting a new number is a logistical nightmare for you and your contacts.

Due to this issue, the phone number becomes linked to a specific identity. This has become a problem for holders of crypto as of recently. The security flaw hinges on this information(identity) and the process of porting is made much easier because of the ID link.

Many online services use two factor authentication or multi-factor authentication. A second factor for authentication is a great thing, don’t get me wrong. It is much better to have some kind of second factor rather than nothing. The issue arises when this second factor can be compromised. Your mobile number as a second factor is the issue here. If reset codes, or authentication codes can be sent to your phone number, then it will also be sent to someone who has control of your mobile number. Any individual using SMS authentication on a service is at risk for this kind of attack.

How can I become a target?

When dealing with any kind of attack that requires social engineering, the more information that is available to your attacker, the more equipped the attacker becomes. In an increasingly digital age, there are many pieces of information about you that are publicly facing. A quick search online will garner personal information that can be used to social engineer a service provider employee over the phone. The attacker can call in pretending to be you, or a family member and attempt to have the sim moved to another device. Of course the service providers offer training on how to avoid situations like this, but when dealing with operational security, the company is only as secure as its weakest link. Even if the one employee on the end of the line is savvy enough to know something may be up, the potential attacker can just hang up and try again with a different operator. If you are speaking about cryptocurrencies on a social media platform that has additional information about you like your location, e-mail, or mobile phone number, this is a green light to potential attackers. Anyone can become a target. If there are both sophisticated and motivated enough attackers, they will attempt to come after you especially if there is a large monetary sum at the end of this. You need to make sure that if someone makes you a target, they won’t be able to compromise your account.

The Problems of SMS Authentication

SMS authentication proves to be a poor method of authentication due to the various attacks that exist on SMS networks. NIST (A national government organization that deals with security standards and cybersecurity frameworks) no longer recommends SMS authentication as a valid method for two-factor authentication. This is as perfect a reason as any to move away from SMS based authentication, yet we still see service providers that demand a mobile number to authenticate

Security Measures that Fall Short

I have seen in countless articles and forum posts suggesting a security pin on your sim card is the best option. This is so wrong. These articles, written by the same service that suggests sim security pins gives self-refuting proof that pins are not the best option. If there is an inside threat, then a security pin on your sim will offer no security. There has been some high profile attacks recently that have broken into the media. In the case of Micheal Terpin, he had a security pin on his account and had the account put under a “higher security level” (whatever that may mean) but was still affected by this sim porting on multiple occasions. There are measures that Terpin himself and many other people that have been affected and doing the bare minimum of what these articles state do not offer security against a driven attacker or the technical ineptitude of these corporations that are in charge of controlling your information. The threats will continue to evolve and with the digital age, it will only make it more difficult to implement these sad excuses for security.

What Should I Really Do to Protect Myself?

First thing you can do is to not use SMS authentication for anything. If a service offers something other than SMS authentication, use it. Software authenticators like Authy or Google Authenticator, or hardware tokens like Yubikey or OnlyKey. “But, but my service only has SMS two-factor, whatamigonnadooo?!?!”. This is where the true operational security engineering comes into play. You may use any of these solutions that I pose here. YOU will have to use what works best with your threat model.

Solution 1

Stop giving out your personal cell phone everywhere. If you use your cell phone number as authentication, it is a very poor security practice to give that number to anyone. Your cell phone number is scraped by apps that are located on your mobile device. But even if you have 0 applications on your phone, if you give this number out to a friend, and they save your number in their phone, the apps on their phone are most definitely scraping their contacts. This gets uploaded to a database and sold. You may be able to control what’s on your phone, but you can’t control what’s on someone else’s phone. This may sound like a stretch. What is the point of a cell phone if you can’t use the number? Well, if you are using it as an authentication method, its best not to use that number for normal communication and vice-versa.

Solution 2

I have another solution that can make your life much easier. An easy fix to the sim porting issue is to use a number that you have access to that no one can identify is you. A very good application for this is MySudo. MySudo is a VoIP number service that focuses on privacy. The service gives you phone numbers and randomly generated emails. It will give you up to 9 numbers that you can use to further segregate between your digital accounts/daily life. If you give out your cell phone number, as mentioned above, don’t use it as the authentication method, you can use a separately designated number that MySudo gives you for SMS authentication.

Using MySudo, you can now use a number that cannot be sim swapped. There is no service provider that can be called to attempt a swap. This cuts at the issues core. There is no link back to the user and there is no one to socially engineer, it is solely up to the user to further harden their accounts. Make sure any service that has only SMS 2FA is using a MySudo specific number

MySudo —available on the iOS app store only, though the MySudo team is working on google play store support

Solution 2.5.1

Another solution is to completely segregate your phone by purchasing it anonymously, and paying for the phone bill anonymously. (I won’t get into anonymous phone purchases/bill paying as that’s a blog post in itself, I may write about that in the future)This won’t tie your name to the device but of course there are similar problems down the road to what I mentioned in Solution 1(not giving out your number as that anonymous purchase will soon be meaningless once someone saves your real contact information in their phone). Then on this new device, you can download MySudo and use one of the MySudo numbers as your normal everyday mobile phone number, and a separate number as your SMS 2FA. The everyday number is once again is not sim portable. Your anonymously purchased mobile device is sim swappable but if purchased anonymously, no one can target you specifically because the phone number is tied back to an anonymous profile.

Solution 2.5.2

You can use your regular cell phone number for everything except SMS 2FA. You may use a separate device that may not have cell phone access but has mobile data/wifi access, like a tablet. Use MySudo or another VoIP service that you have access to on this segregated separate device. Use the MySudo technique for your SMS 2FA, and you can use your regular cell phone for everything else. If someone decides to port your number, you won’t have any digital service that uses that number since you use MySudo for that special purpose, and no accounts can be compromised.

Solution 3

Finally, You may use a service like Google Voice or a similar provider that will give you a VoIP number. You may use that number as the authentication method if the service needs 2FA. If you want to add further account segregation, you can use a completely different google account to create the number so that it is not linked to you. These services, similar to MySudo make it impossible to sim swap. You just need to make sure you don’t lose access to those VoIP accounts as that is the authentication method that will allow someone to gain access if they obtain it.

There are further measurement that can be taken to harden your digital accounts like password/account segregation but I specifically wanted to drive home the threat of sim porting. This guide is focused towards people that are holding cryptocurrencies. It can be applied across the board and implemented to any digital identity, as this helps to harden your digital fingerprint.

Take these into account and be considerate that if you are guarding any amount of cryptocurrency, you have to be the gatekeeper. No one will care more about your money than you. If you take precautions and are sure to avoid being the lowest-hanging fruit, it will pay dividends.

If you have any questions regarding security around the sim swaps mentioned in this post or any regards relating to cryptocurrency security, please feel free to reach out to me at J@cryosecurity.io or visit CryoSecurity.io.