Source: iStock/Tero Vesalainen

New wave of U.S. crypto community members have become victims of SIM swapping attacks over the past month. More than 50 victims have reportedely lost over USD 35 million to hackers in the San Francisco Bay area alone.

SIM swapping is not a new threat, as more than USD 50 million has been reportedely stolen from over 800 individuals since 2018, but a new wave of coordinated attacks targets U.S. cryptocurrency holders, especially those using "hot", or online crypto wallets.

Sim Swapped. Phone number ported. Thanks @TMobile



That’s at least 15 of us in the crypto community in the last week. — Andrew Kang (@Rewkang) June 1, 2019

My personal identity was hacked last week. The attacker was able to steal $100k+ in a sweep of my Coinbase account. I'm equal parts embarrassed, hurt, and deeply remorseful.



In an effort to raise awareness about the attack, I wrote about it here: https://t.co/ZnbB0AN6Gd — Sean Coonce (@cooncesean) May 20, 2019

I haven't gone public yet but I had three on me personally in the past week. Submitted an FBI report. All sign point to an inside job at the cell company. Phone records were wiped clean for an entire day and "recorded for quality and training purposes" settings were turned off. — Chris Robison (@CBobRobison) May 25, 2019

SIM swapping (also known as SIM porting or SIM jacking) works the following way: thieves contact your telecom service provider and fake your identification to steal the phone number. Transferring your phone number is a casual request which helps whenever you upgrade your phone or switch carriers. However, SIM porting is done by unauthorized source - the attacker who pretends to be you. Here is where the problems start to arise, especially if your phone number is connected to services that are pivotal to your online identities, like your recovery email account or cryptocurrency exchange account. Once scammers steal your phone number, they use it to either access your cryptocurrency account, reset your online wallet password or ask your friends for cryptocurrency payments.

My phone was hacked.



Hacker logged into my @telegram account and messaged a bunch of folks asking for BTC.



PSA: If you got a message from me asking for BTC, that was not me. — Preethi Kasireddy (@iam_preethi) May 25, 2019

Once the attackers have access to your account, they can lock you out with little recourse to claim them back while simultaneously draining your accounts.

SIM swapping attackers might get your phone number by using the following methods:

The attacker bribes or blackmails a mobile store employee into helping them. The attacker could be a current/former mobile store employee who purposefully abuses his or her position to access the company’s customer data. Corrupt mobile company employee(s) trick their associates or colleagues at other departments into swapping your SIM card with a new one.

I've been hearing about another spate of SIM-jackings involving @TMobile, possibly involving bypassed PINs, which hint at insiders or weak processes.



The traditional telecom companies won't clean up their act without a class action lawsuit and heavy fines. Switch to @googlefi. https://t.co/wp60qvyn7i — Emin Gün Sirer (@el33th4xor) June 2, 2019

Telco giants T-Mobile and AT&T are already facing lawsuits from the U.S. crypto investor law firm Silver Miller for SIM porting related thefts, as stated by the firm's press release.

SIM swapping symptoms and protection

Sean Coonce, engineer leader at BitGo, and Chris Robinson, community manager at Hoard.Exchange, summarized their findings and experience with the SIM swapping problem in two recent articles.

Here is what they say:

Common symptoms of SIM swapping:

Your phone career service is unreachable for no reason at all. You can’t make calls, send messages, or use any data. You can still connect to Wi-Fi though since it has nothing to do with your mobile carrier. You are locked out of your email account. Be it Gmail or any other service critical to your online identity. You get recovery email notifications like ‘someone signed in into your account,” “someone recovered your account,” and finally “someone changed your password.”

How to reduce the damage:

Get another phone and call your mobile phone career immediately. Ask them to disable your jacked phone number.

Disable your SMS-based 2FA.

Recover your Google account.

Freeze or change passwords of all your cryptocurrency accounts and other related financial services that could’ve fallen in hackers hands.

If you noticed it too late and already suffered damage, submit a police report as soon as possible.

How to protect yourself against SIM porting

It is relatively easy to protect your accounts against SIM jacking attacks. Here are the things you can do right away to minimize your chances of experiencing such an attack.

First and foremost, don’t use SMS-based two-factor authentication (2FA) for any online accounts, especially your cryptocurrency exchanges and wallet services. Once thieves have access to any of your accounts (be it your email or Facebook account), they can harvest your private information, including your address, photos, documents, or even search history. All of them can be successfully used against you to fool your service providers. Other 2FA methods like Google Authenticator are OK but consider obtaining a universal second-factor (U2F) device like YubiKey , Google Titan Key , Thetis , or Kensington for greater safety.

, , , or for greater safety. Set up a PIN with your mobile career whenever you need to make changes to your account.

Disable your phone number wherever you use it as a tool for account recovery.

Reduce your online footprint by leaving as little personal information online as possible. No random stranger needs to know your birth date, birth town, and other personally identifiable information. Most importantly, don’t brag about your crypto holdings. No one can target you for attacks if they can’t identify you as a target in the first place.

Create a secondary email for critical online identities such as bank accounts, social media, crypto exchanges, and similar services.

Use multi signature or offline wallet to store your private keys. In "hot", or online wallets keep only those funds that are needed for your daily activities. The most popular cold wallets include devices by Ledger or Trezor.

These are some common steps you can take right now to protect yourself from SIM jacking scammers.

Also, it may be good to know that SIM swappers seldom get away with their crimes as telecoms typically log most of their activities unless the getaway is completely clean, but it is best if you don’t get robbed in the first place.