It’s a familiar scenario.
You forget a password to a website or log in from a new computer, and get locked out of your account. The website or your bank sends a text to confirm it’s you. Most of the time it is.
But the person receiving that text could be a hacker. Criminals are using a method known as “SIM swapping” to take over phone number accounts by duping wireless carriers, and in some cases stealing millions of dollars worth of cryptocurrency.
“In online banking, if someone gets into your account there’s ways to get the money back,” said Kyle Samani, managing partner at crypto hedge fund Multicoin Capital. “In crypto, if hackers get access to your private keys, they own your money and you’re screwed.”
This week, a California man sued AT&T for $224 million after hackers used his number to steal $24 million worth of cryptocurrency stored on an online exchange. The plaintiff, Michael Terpin, accused AT&T of negligence, and likened it to “a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.”
Terpin is hardly the only one to suffer a hack. The total in cryptocurrency lost by individuals hit $1.6 billion at the end of June, according to CoinDesk’s 2018 State of Blockchain Report.
In order to stop the trend, cybersecurity and industry experts say investors should guard their cellphone numbers with the same paranoia with which they guard their social security numbers.
Wireless store employees can assign your phone number to any device, with the right authorization. To confirm, they ask for pieces of private information like a birthday or a social security number. But those can be easily accessed for a price.
“Data is being bought, sold and traded on the dark web,” said Aaron Higbee, chief technology officer and co-founder of anti-phishing company Cofense. “If your phone number is of a sufficient age, you’re on a database somewhere.”
While one piece of data like a birthday might not be valuable on its own, combined with your phone number or address it can be used to answer those security questions from a wireless store employee.
After a criminal hacks into the person’s email or cryptocurrency account from their own devices, what’s known as “two-factor identification” will send a text code to the phone number as a form of security, and to prevent any sort of unauthorized login. But because the hacker now controls that phone number, the rightful owner has no way of regaining control or stopping the hack.
This happened to a New York-based venture capitalist who invests in early-stage tech companies. He asked not to be named for this story because he did not want to be targeted again, and feared he might egg on the hackers.
He was in his office on Monday when he was suddenly logged out of both his personal and business email accounts. When he turned on his AT&T phone, the device had no signal. Because of his experience in cryptocurrency and the tech world, he recognized it as a SIM swap attack. He immediately called his wireless carrier through Skype, and quickly went to the store to regain access to his cell phone but “not quickly enough.”
“This was the perfect storm,” he said. “If I was on vacation or didn’t know what to do immediately, they would have taken everything in my bank account.”
He was able to regain control of his email but not his Coinbase account. Hackers had already moved the cryptocurrency he held to another account, and had attempted to wire money from his CitiBank account, which was refunded by the bank, he said.
The total amount stolen was roughly $5,000 — which he says is nowhere near the total of his crypto holdings because the rest was stored offline.