NGRAVE created the world’s most secure hardware wallet so your crypto can be held in secure cold storage, accessible only by you. But we appreciate that many users still choose to trust centralised exchanges with their coins, just as they do cloud services with sensitive personal data and banks with their fiat money. Those services often rely on SMS-based authentication for protection, which is vulnerable to SIM Swap Attacks, so we’re excited to announce a partnership with Efani, the leading provider of SIM Swap protection in the United States.
What is a SIM Swap Attack?
A SIM Swap attack is where a criminal is able to transfer someone’s mobile number to a new SIM card without their knowledge in order to circumvent two-factor authentication. Combined with other hacked credentials, a SIM Swap attack allows the perpetrator to circumvent SMS-based security and steal crypto, money or sensitive personal information.
Given so much of our lives is conducted over the internet, cyber theft has become the fastest growing form of crime. In order to combat unauthorised access to centralised online services, such as cryptocurrency exchanges, the first level access of username/password is generally supplemented with what is known as two-factor authentication, often abbreviated to 2FA.
The factors used in two-factor authentication generally fall under one of three categories:
Something you know - This is a piece of personal information known only to you, such as the answer to a ‘Security Question’, a secret PIN or a Swipe Pattern.
Something you have - This might be the CVC number on the back of a bank card, a key fob or your mobile phone.
Something you are - This refers to something unique to you, i.e. biometrics such as a fingerprint, facial recognition or an iris scan.
Given that smartphones have become such an integral part of our digital lives, from both a social and financial perspective, they naturally serve as a very popular form of 2FA.
Unfortunately, this also makes them a single point of weakness that ever more sophisticated cybercriminals target, especially to steal crypto from exchanges that use SMS-based 2FA, which is why services like Efani are increasingly in demand.
The legitimate reasons to Swap a SIM
As we manage so much of our lives via our smartphones, anything that interrupts access to our devices represents a major inconvenience. Recognising this, mobile carriers focus on offering customers easy mobile number portability in any circumstance where you might need to route your mobile number to a different SIM:
You lose your phone
You buy a new phone which needs a different SIM format
Your SIM card is damaged
You moved to a new mobile operator with a better deal
Given how frequently these four circumstances arise, cell phone operators process thousands of SIM Swap requests every day. Unfortunately, there is a huge motivation for criminals to try to access your SMS messages, as they can combine them with other information to steal crypto, drain your bank account or blackmail you over sensitive images or videos.
So although 99% of SIM Swap requests are legitimate, a small but significant number are made by criminals using a variety of means to trick operators into swapping your mobile number to a SIM they control in order to circumvent two-factor authentication. Here’s how SIM Swapping works.
How SIM Swapping Works
As already described, SMS-based notification is commonly used as a second layer of security for online services, including some cryptocurrency exchanges. A One Time Passcode (OTP) sent to your mobile is required to approve critical processes such as logging in, approving withdrawals, adding new withdrawal addresses and adding/editing banking details.
The aim of the hacker is to access your account and withdraw crypto and fiat to addresses or bank accounts they control without triggering any internal security or drawing your attention.
Crypto is the preferred target as it can be laundered through services like Tornado Cash making it very difficult to trace.
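A service that gates these processes with SMS codes can still check for the pattern on its own side. The following Python is an added example, not code from NGRAVE, Efani or any exchange: it scans a constructed account event log for a withdrawal to a recently added address made from a recently seen device. The event names, fields, the 24-hour window and the rule that an account's first device belongs to its owner are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, account, action, detail, device.
# The actions mirror the OTP-gated processes listed above.
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "login", "", "dev-a1"),
    ("2024-03-01T09:05:00", "alice", "withdrawal", "addr-known", "dev-a1"),
    ("2024-03-02T02:10:00", "bob", "login", "", "dev-b1"),
    ("2024-03-09T03:00:00", "bob", "login", "", "dev-x9"),
    ("2024-03-09T03:04:00", "bob", "add_withdrawal_address", "addr-new", "dev-x9"),
    ("2024-03-09T03:06:00", "bob", "withdrawal", "addr-new", "dev-x9"),
    ("2024-03-10T10:00:00", "carol", "login", "", "dev-c1"),
    ("2024-03-10T10:02:00", "carol", "add_withdrawal_address", "addr-c2", "dev-c1"),
    ("2024-03-12T10:00:00", "carol", "withdrawal", "addr-c2", "dev-c1"),
]


def flag_fast_withdrawals(events, window=timedelta(hours=24)):
    """Return (account, address, time) for withdrawals that go to an address
    added within `window`, from a device first seen within `window`."""
    enrolled = {}    # account -> first device seen (assumed to be the owner's)
    first_seen = {}  # (account, device) -> first time the device appeared
    added = {}       # (account, address) -> time the address was added
    alerts = []
    # ISO 8601 timestamps in one format sort chronologically as strings.
    for ts, account, action, detail, device in sorted(events):
        t = datetime.fromisoformat(ts)
        enrolled.setdefault(account, device)
        first_seen.setdefault((account, device), t)
        if action == "add_withdrawal_address":
            added[(account, detail)] = t
        elif action == "withdrawal":
            added_at = added.get((account, detail))
            new_address = added_at is not None and t - added_at <= window
            new_device = (device != enrolled[account]
                          and t - first_seen[(account, device)] <= window)
            if new_address and new_device:
                alerts.append((account, detail, ts))
    return alerts


if __name__ == "__main__":
    for alert in flag_fast_withdrawals(EVENTS):
        print("review before release:", alert)
```

Only the withdrawal on bob's account is flagged: alice withdraws to an address that was not newly added, and carol uses her original device and waits two days.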
Getting past layer 1
In order for any hacker to perform a SIM Swap attack, they first need to get past your primary account security i.e. username and password.
This underlines the importance of using a very strong password unique to each site and an encrypted email account just for crypto, such as Proton Mail. This will greatly reduce your vulnerability to attack because hackers specifically look for targets who reuse credentials.
Websites are hacked all the time, with hashed passwords cracked and the data sold online for a few euros. Hackers will cross-reference data dumps looking for reused passwords and then use software that automates attempts to use those details to access websites they can exploit.
Gmail and Outlook accounts are particularly valuable because they can open up your entire digital life. Tools are widely available to search through emails specifically looking for clues, such as welcome emails, that confirm accounts with crypto services.
If the hacked data sources come from a crypto-specific service this can cut down the time it takes hackers to pinpoint potential credentials for cryptocurrency exchanges.
Once a hacker has access to a crypto exchange account and/or control of your primary email, they now need to get past the second layer of security in order to complete their heist. At this point, they may have even done enough research to specifically target accounts they know to hold significant balances.
According to Bleeping Computer, in 2021 hackers took advantage of a flaw in Coinbase’s SMS Account Recovery process, using basic account credentials and access to the user’s email account to drain 6,000 accounts of funds.
Getting past layer 2
With access to your basic login credentials secured, hackers will generally employ one of three approaches to swap your number to a SIM they control and get past 2FA.
Bribery - Hackers will bribe mobile operator employees who have the organisational clearance to direct a mobile number to a different SIM
Social Engineering - Hackers will harvest a detailed picture of their victim, using info from data dumps and OSINT (Open Source Intelligence) in order to trick the mobile carrier into swapping the SIM.
Snatch & Run - The potential rewards from hacking crypto accounts have raised the bar for criminal ingenuity. Their tactics now include paying thieves to physically snatch tablets from the managers of mobile carrier stores that have admin access to swap a mobile number to a new SIM.
According to Efani, every second three Americans become victims of a SIM Swap that gives hackers access not only to crypto exchange accounts but also to valuable client information, banking details and sensitive personal images and videos, which brings the risk of blackmail.
The true scale of crypto thefts from SIM Swapping isn’t known but based on high-profile cases such as that of Nicholas Truglia, it likely amounts to several hundred million dollars.
Protect yourself from SIM Swap with Efani
SIM Swapping attacks are now so commonplace that crypto owners are afraid to even put their cell number on a business card for fear of it being used against them. However, innovation springs from adversity, which is how Efani, the leading SIM-protection service, came into existence.
Efani’s CEO, Haseeb Awan, lost his life savings from a crypto-focused SIM Swap attack. Frustrated by the lack of redress from the mobile carrier or law enforcement (the FBI don’t get involved for less than $500,000) Haseeb used his background in telecoms engineering to build a solution himself - Efani.com.
Efani replaces your existing mobile plan with one that gives you an unprecedented level of protection from SIM swap attacks while retaining your existing mobile number. It only takes 10 minutes to set up but enforces 11 layers of proprietary client layer authentication, with a mandatory 14-day cooling-off period before any SIM swapping can take place.
Efani provides guaranteed protection against SIM Swapping, with any major change to your account approved by multiple staff members and run through a rigorous manual process, including a notarized statement. They boast a 100% success rate to date, but for additional peace of mind they also provide $5 million of insurance against loss.
Crypto traders are among the customers using SIM protection services like Efani, along with high-net-worth individuals, professional athletes, celebrities and wealthy business owners.
Given Efani’s focus on greater security for crypto traders via SIM Swap protection, they provide the perfect complement to the NGRAVE ZERO, the ultimate crypto cold storage solution.