Best practices to avoid phone SIM porting risk and impact, and other (crypto) security tips

Mobile phone numbers have grown to become a significant weak link in online security. This vulnerability is generally related to the concept of SIM porting: the transfer of your phone number from one device to another. Authorized SIM porting is a convenient feature for when you need to replace your phone. Unauthorized SIM porting, however, can have cascading effects. A hacker who successfully performs a SIM porting attack may gain access to a variety of very private and important accounts (e-mail, financial, cryptocurrency exchanges, social, etc.). This flaw exists because many services let you bypass or reset the password on an account using only your phone number. Recently, a fellow Medium writer and cryptocurrency enthusiast unfortunately lost over $100,000 in exactly this way. This brief write-up discusses hardening your security posture, with a focus on closing SIM porting vulnerabilities.

SIM Porting of Cell Phone Numbers

Unauthorized SIM porting often occurs by way of social engineering. A hacker acquires your (easy to find) phone number. Knowing your phone number and other (easy to discover) personal details, the hacker contacts your mobile provider's support desk and persuades them to move your number to a SIM in the hacker's device.

Steps to take now:

Add an extra password (port-out PIN) to your carrier account that must be supplied before your number can be ported to another SIM or device.

Set your account to require that SIM porting can only be performed face to face in a brick-and-mortar store of your cellular provider.

The ability to take these actions may vary among cellular providers.

The above steps increase your security but do not entirely mitigate the risk. You are still relying on the assumption that call-center personnel are trained, are ethical, and cannot be manipulated by social engineering. Additional countermeasures are needed to minimize the impact of a SIM porting attack: 1) ensure your phone number is not a means to recover or change the password of your online accounts, and 2) use other forms of two-factor authentication (2FA).

E-mail Accounts

Once a hacker controls your phone number via a SIM port, your e-mail accounts can readily fall under the hacker's control, since phone numbers are generally the default channel for account recovery / password reset. E-mail accounts are highly desirable to hackers because they contain e-mails that show which financial services you use and provide the default means to reset the passwords of those accounts (such as a crypto exchange).

Password recovery or bypass via your phone number is very much present on both Gmail and Outlook.

The list below helps manage the risk of e-mail hacks in general, as well as phone porting specifically:

Add non-SMS 2FA to your account (more on these options below).

Remove your phone number as a means of account recovery from all e-mail accounts. If possible, remove your phone number from your e-mail accounts entirely.

Remove account recovery via “another e-mail address” from all e-mail accounts.

Advanced (for the paranoid): Consider compartmentalizing your life/activities across multiple independent e-mail accounts. For example, use one e-mail for correspondence with friends/colleagues, and another e-mail account for your financial and social accounts.

Once set up, run through an actual account recovery as practice to confirm that recovery by phone is no longer possible.

Depending on your phone and e-mail provider, check whether a “trusted device” setting can be enabled. This ensures that your e-mail can only be accessed from a device you have explicitly trusted.

Two Factor Authentication (2FA)

Because of the weaknesses of SMS authentication described above, a stronger approach is needed. Using temporary 2FA code generators such as Google Authenticator or Authy, which act as an additional credential when logging into an online account, is highly recommended. During setup, the account and the app are linked by a shared secret, and every later temporary passcode is derived deterministically from that secret by both the app and the online service. E-mail providers such as Gmail and Outlook also offer their own 2FA applications: the Google app and Microsoft Authenticator.

Some best practices when installing and setting up 2FA applications:

When setting up, understand how to re-establish your Google Authenticator or Authy account if your phone or device is lost. This typically involves a password or a specific recovery code provided to you when you first install the app (write this down and store it securely, offline).

Consider installing the app on more than one device in case your phone is lost.

These apps are often installed on phones, tablets or PCs, so their security depends on how well access to those devices is protected. It is recommended to require a password or fingerprint to unlock your phone, and an additional password or fingerprint to open the authentication app itself, in case you leave your phone unlocked.

Understand the extra protections you can enable in these apps. For example, Authy supports multiple passwords (one extra password for web usage and one for restoring the encrypted backup from its zero-knowledge cloud), and has a setting that prevents your Authy data from being installed on additional devices once your initial setup is complete.

It is important to understand the 2FA app you use, because it becomes a key mechanism for account access.

Where and when to use: