How a SIM swap attack works

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Post Reply
Topic Author
gtd98765
Posts: 346
Joined: Sun Jan 08, 2017 4:15 am

How a SIM swap attack works

Post by gtd98765 » Sun May 26, 2019 11:28 am

https://medium.com/coinmonks/the-most-e ... e4d40cd615
I lost north of $100,000 last Wednesday. It evaporated over a 24-hour time span in a “SIM port attack” that drained my Coinbase account. It has been four days since the incident and I’m gutted. I have zero appetite; my sleep is restless; I am awash in feelings of anxiety, remorse, and embarrassment.

This was the single most expensive lesson of my life and I want to share my experience + lessons learned with as many people as possible. My goal is to increase awareness about these types of attacks and to motivate you to increase the security of your online identity.
I thought this was interesting and a useful reminder - key lesson is not to really on SMS based two-factor authentication to protect real money.

p.s.: I could not find the thread designated for computer security messages. I did look for it in forum announcements. Sorry.

bob60014
Posts: 1085
Joined: Mon Jul 31, 2017 8:59 pm
Location: The Land Beyond ORD

Re: How a SIM swap attack works

Post by bob60014 » Sun May 26, 2019 11:32 am

Bitcoin/crypto currency....ugh.

mhalley
Posts: 7259
Joined: Tue Nov 20, 2007 6:02 am

Re: How a SIM swap attack works

Post by mhalley » Sun May 26, 2019 1:19 pm

Just finishing moving all my 2fa numbers to a google phone #.

User avatar
southerndoc
Posts: 1022
Joined: Wed Apr 22, 2009 7:07 pm
Location: Atlanta

Re: How a SIM swap attack works

Post by southerndoc » Sun May 26, 2019 1:33 pm

For Vanguard users, please write to Tim Buckley requesting the ability to disable SMS backup from Yubikeys.

stan1
Posts: 7217
Joined: Mon Oct 08, 2007 4:35 pm

Re: How a SIM swap attack works

Post by stan1 » Sun May 26, 2019 1:36 pm

southerndoc wrote:
Sun May 26, 2019 1:33 pm
For Vanguard users, please write to Tim Buckley requesting the ability to disable SMS backup from Yubikeys.
If you do that give him a suggestion on how to reset a customer's online access if the YubiKey is lost. Your answer can't be "there isn't a way".

User avatar
southerndoc
Posts: 1022
Joined: Wed Apr 22, 2009 7:07 pm
Location: Atlanta

Re: How a SIM swap attack works

Post by southerndoc » Sun May 26, 2019 2:12 pm

They should allow users the ability to call to reset their account access with maybe a 72-hour delay in transactions when that occurs.

Afty
Posts: 1020
Joined: Sun Sep 07, 2014 5:31 pm

Re: How a SIM swap attack works

Post by Afty » Sun May 26, 2019 4:13 pm

gtd98765 wrote:
Sun May 26, 2019 11:28 am
https://medium.com/coinmonks/the-most-e ... e4d40cd615
I lost north of $100,000 last Wednesday. It evaporated over a 24-hour time span in a “SIM port attack” that drained my Coinbase account. It has been four days since the incident and I’m gutted. I have zero appetite; my sleep is restless; I am awash in feelings of anxiety, remorse, and embarrassment.

This was the single most expensive lesson of my life and I want to share my experience + lessons learned with as many people as possible. My goal is to increase awareness about these types of attacks and to motivate you to increase the security of your online identity.
I thought this was interesting and a useful reminder - key lesson is not to really on SMS based two-factor authentication to protect real money.

p.s.: I could not find the thread designated for computer security messages. I did look for it in forum announcements. Sorry.
The most interesting bit of this is that it looks like you can gain access to a Gmail account just by having access to the phone number associated with the account. Once an attacker has access to your email account, they can gain access to any of your other accounts tied to that email. Scary stuff.

chessknt
Posts: 174
Joined: Wed Jul 13, 2016 3:15 am

Re: How a SIM swap attack works

Post by chessknt » Sun May 26, 2019 4:16 pm

If only he had stored this money in an fdic insured bank account or brokerage with fraud prevention agreements and obligations instead of a digital asset with no protection of any kind.

z91
Posts: 383
Joined: Fri Mar 07, 2014 1:19 pm

Re: How a SIM swap attack works

Post by z91 » Sun May 26, 2019 4:21 pm

Not saying this didn't/couldn't happen, but I'm skeptical of the story. The author works for a company that provides services to secure Bitcoin wallets..

CFM300
Posts: 1560
Joined: Sat Oct 27, 2007 5:13 am

Re: How a SIM swap attack works

Post by CFM300 » Sun May 26, 2019 5:08 pm

z91 wrote:
Sun May 26, 2019 4:21 pm
Not saying this didn't/couldn't happen, but I'm skeptical of the story. The author works for a company that provides services to secure Bitcoin wallets..
He even links his company In his first "recommendation," but doesn't disclose the conflict of interest.

It's basically just an advertisement.

Topic Author
gtd98765
Posts: 346
Joined: Sun Jan 08, 2017 4:15 am

Re: How a SIM swap attack works

Post by gtd98765 » Sun May 26, 2019 5:49 pm

Afty wrote:
Sun May 26, 2019 4:13 pm

The most interesting bit of this is that it looks like you can gain access to a Gmail account just by having access to the phone number associated with the account. Once an attacker has access to your email account, they can gain access to any of your other accounts tied to that email. Scary stuff.
You can disable SMS as a second factor in GMail, and limit the second factor to a Yubikey and/or Google Authenticator. Then the SMS fake does not work.

blueman457
Posts: 452
Joined: Sun Jul 26, 2015 12:19 pm

Re: How a SIM swap attack works

Post by blueman457 » Sun May 26, 2019 8:27 pm

stan1 wrote:
Sun May 26, 2019 1:36 pm
southerndoc wrote:
Sun May 26, 2019 1:33 pm
For Vanguard users, please write to Tim Buckley requesting the ability to disable SMS backup from Yubikeys.
If you do that give him a suggestion on how to reset a customer's online access if the YubiKey is lost. Your answer can't be "there isn't a way".

What about OTP via software token?

Blue Man

jeg208
Posts: 59
Joined: Wed Jul 05, 2017 2:42 pm

Re: How a SIM swap attack works

Post by jeg208 » Sun May 26, 2019 9:08 pm

Given the source, this is obviously BS.

I would be more interested in what carrier initiated two SIM ports in 24 hours (actually three since he supposedly got it back after the first one). No details given on how the account PIN was compromised either.

LookinAround
Posts: 58
Joined: Tue Mar 27, 2018 5:41 am
Location: Chicagoland

Re: How a SIM swap attack works

Post by LookinAround » Mon May 27, 2019 10:13 pm

jeg208 wrote:
Sun May 26, 2019 9:08 pm
Given the source, this is obviously BS.

I would be more interested in what carrier initiated two SIM ports in 24 hours (actually three since he supposedly got it back after the first one). No details given on how the account PIN was compromised either.
+1 My thoughts as well

After reading the article, I noticed he says "attacker gathers your personal information". Might be the case. But that's not the problem if one puts a PIN on their account. Granted
  • A PIN doesn't help if the attacker has "inside" help (someone working at the wireless carrier)
  • Yes, it's still safest if you don't have use security based on your phone number (e.g. an SMS message)
However, IMHO If one is certain to create a unique PIN for their wireless account (don;t re-use a PIN you use elsewhere) the problem/risk is grossly overstated.

EHEngineer
Posts: 773
Joined: Sat Feb 28, 2015 4:35 pm

Re: How a SIM swap attack works

Post by EHEngineer » Mon May 27, 2019 10:47 pm

stan1 wrote:
Sun May 26, 2019 1:36 pm
southerndoc wrote:
Sun May 26, 2019 1:33 pm
For Vanguard users, please write to Tim Buckley requesting the ability to disable SMS backup from Yubikeys.
If you do that give him a suggestion on how to reset a customer's online access if the YubiKey is lost. Your answer can't be "there isn't a way".
Medallion signature guarantee
Or, you can ... decline to let me, a stranger on the Internet, egg you on to an exercise in time-wasting, and you could say "I'm probably OK and I don't care about it that much." -Nisiprius

typical.investor
Posts: 966
Joined: Mon Jun 11, 2018 3:17 am

Re: How a SIM swap attack works

Post by typical.investor » Mon May 27, 2019 11:28 pm

EHEngineer wrote:
Mon May 27, 2019 10:47 pm
stan1 wrote:
Sun May 26, 2019 1:36 pm
southerndoc wrote:
Sun May 26, 2019 1:33 pm
For Vanguard users, please write to Tim Buckley requesting the ability to disable SMS backup from Yubikeys.
If you do that give him a suggestion on how to reset a customer's online access if the YubiKey is lost. Your answer can't be "there isn't a way".
Medallion signature guarantee
That could be a nightmare scenario.

If you have most of your money at Vanguard, and your are asking a bank to do the guarantee - it means they are guaranteeing a large amount of money with your likely much smaller deposit.

Maybe, they will do it and maybe not ... not a real backup plan to me.

EHEngineer
Posts: 773
Joined: Sat Feb 28, 2015 4:35 pm

Re: How a SIM swap attack works

Post by EHEngineer » Tue May 28, 2019 10:06 am

typical.investor wrote:
Mon May 27, 2019 11:28 pm
EHEngineer wrote:
Mon May 27, 2019 10:47 pm
stan1 wrote:
Sun May 26, 2019 1:36 pm
southerndoc wrote:
Sun May 26, 2019 1:33 pm
For Vanguard users, please write to Tim Buckley requesting the ability to disable SMS backup from Yubikeys.
If you do that give him a suggestion on how to reset a customer's online access if the YubiKey is lost. Your answer can't be "there isn't a way".
Medallion signature guarantee
That could be a nightmare scenario.

If you have most of your money at Vanguard, and your are asking a bank to do the guarantee - it means they are guaranteeing a large amount of money with your likely much smaller deposit.

Maybe, they will do it and maybe not ... not a real backup plan to me.
Is this any different than guaranteeing a large transfer of assets?

as proposed, this is an opt-in system. It would only apply to those who forgo both sms backup and backup Yubikeys.
Or, you can ... decline to let me, a stranger on the Internet, egg you on to an exercise in time-wasting, and you could say "I'm probably OK and I don't care about it that much." -Nisiprius

nyclon
Posts: 352
Joined: Fri Oct 02, 2015 5:30 pm

Re: How a SIM swap attack works

Post by nyclon » Tue May 28, 2019 10:17 am

Given what's available with vanguard does anyone have suggestions on best approach to security with a vanguard account? Suggestions for
-google / gmail security setup (i see disable sms and enable 2fa as a suggestion)
-wireless carrier security setup (i see enable a pin as a suggestion)
-vanguard security setup (their default is sms verification so does yubikey/2fa matter? or the google setup)

sksbog
Posts: 299
Joined: Wed Jun 20, 2012 9:14 pm

Re: How a SIM swap attack works

Post by sksbog » Tue May 28, 2019 11:15 am

mhalley wrote:
Sun May 26, 2019 1:19 pm
Just finishing moving all my 2fa numbers to a google phone #.
google is reseller of your dossier :). i would switch to a GDPR compliant service.

EHEngineer
Posts: 773
Joined: Sat Feb 28, 2015 4:35 pm

Re: How a SIM swap attack works

Post by EHEngineer » Tue May 28, 2019 1:17 pm

nyclon wrote:
Tue May 28, 2019 10:17 am
Given what's available with vanguard does anyone have suggestions on best approach to security with a vanguard account? Suggestions for
-google / gmail security setup (i see disable sms and enable 2fa as a suggestion)
-wireless carrier security setup (i see enable a pin as a suggestion)
-vanguard security setup (their default is sms verification so does yubikey/2fa matter? or the google setup)
Using burner phone for 2FA SMS messages would prevent the thieves from stealing the phone number (because they wouldn't know what it is)
Or, you can ... decline to let me, a stranger on the Internet, egg you on to an exercise in time-wasting, and you could say "I'm probably OK and I don't care about it that much." -Nisiprius

User avatar
telemark
Posts: 2474
Joined: Sat Aug 11, 2012 6:35 am

Re: How a SIM swap attack works

Post by telemark » Tue May 28, 2019 1:49 pm

Another thread from an earlier incident.

viewtopic.php?t=279859

donfairplay
Posts: 162
Joined: Mon Oct 06, 2008 8:16 pm

Re: How a SIM swap attack works

Post by donfairplay » Tue May 28, 2019 2:05 pm

nyclon wrote:
Tue May 28, 2019 10:17 am
Given what's available with vanguard does anyone have suggestions on best approach to security with a vanguard account? Suggestions for
-google / gmail security setup (i see disable sms and enable 2fa as a suggestion)
-wireless carrier security setup (i see enable a pin as a suggestion)
-vanguard security setup (their default is sms verification so does yubikey/2fa matter? or the google setup)
The only thing that I would add is that make sure that you have access to the other account recovery setup option in your google account when either factory resetting your phone or buying a new phone. There is nothing to save you if you only have 1 or 2 recovery options and you don't have access to them - google doesn't have a phone number or email customer service, and there's no way for google to identify it is actually you that they're communicating with. Definitely consider setting up, at minimum, the printable backup codes.

And definitely consider the yubikeys for both google account recovery and vanguard 2fa.

SpaethCo
Posts: 164
Joined: Thu Jan 14, 2016 12:58 am

Re: How a SIM swap attack works

Post by SpaethCo » Tue May 28, 2019 2:09 pm

gtd98765 wrote:
Sun May 26, 2019 5:49 pm
You can disable SMS as a second factor in GMail, and limit the second factor to a Yubikey and/or Google Authenticator. Then the SMS fake does not work.
You have to go a step further and completely remove your phone number from being associated with your Google account. If Google has your phone number, it's still eligible to be used for a password reset.

The exploit is against password recovery mechanisms, not 2FA verification mechanisms. If the attacker couldn't use SMS to "recover" their way into multiple accounts, this attack doesn't work.

User avatar
SurfCityBill
Posts: 473
Joined: Tue May 01, 2012 10:15 pm
Location: Western United States

Re: How a SIM swap attack works

Post by SurfCityBill » Tue May 28, 2019 5:45 pm

Why can't I put a "freeze" on any SIM / Port transfers with my wireless carrier?
When I get a new phone I would have to call with a code to unfreeze or physically go to a carrier location.
Wouldn't this have prevented the authors problems and beefed up the 2FA security we rely on?

SpaethCo
Posts: 164
Joined: Thu Jan 14, 2016 12:58 am

Re: How a SIM swap attack works

Post by SpaethCo » Tue May 28, 2019 6:00 pm

SurfCityBill wrote:
Tue May 28, 2019 5:45 pm
Why can't I put a "freeze" on any SIM / Port transfers with my wireless carrier?
The system is circumventable by any agents you interact with, even if you put restrictions on your account. People are terrible with codes and passwords under normal circumstances, so it’s not hard to convince an agent that you simply forgot your account lock code. It all comes down to social engineering.
SurfCityBill wrote:
Tue May 28, 2019 5:45 pm
Wouldn't this have prevented the authors problems and beefed up the 2FA security we rely on?
To be clear, this is not a 2FA problem.

This is a 1-factor problem. SMS password recovery lets you get into an account with a single SMS code. Enter username, click “Forgot password” get the code, and you’re in. (even if you had other 2FA mechanisms defined)

Gmail will let you reset your password with just the SMS code if you have a phone registered for recovery, which is required by default. Banks will usually let you reset passwords if you click an email link and type in an SMS code. With SMS control you can set all of that in motion by just resetting passwords and rolling.

If you can get into your account easily after forgetting a password, so can the bad guys.

User avatar
SurfCityBill
Posts: 473
Joined: Tue May 01, 2012 10:15 pm
Location: Western United States

Re: How a SIM swap attack works

Post by SurfCityBill » Tue May 28, 2019 7:04 pm

SpaethCo wrote:
Tue May 28, 2019 6:00 pm
SurfCityBill wrote:
Tue May 28, 2019 5:45 pm
Why can't I put a "freeze" on any SIM / Port transfers with my wireless carrier?
The system is circumventable by any agents you interact with, even if you put restrictions on your account. People are terrible with codes and passwords under normal circumstances, so it’s not hard to convince an agent that you simply forgot your account lock code. It all comes down to social engineering.
This may be true. But if the agent at the wireless carrier is convinced to release your SIM freeze without the proper info, then I know who I'd be going after to reclaim my $100,000.

JBTX
Posts: 5243
Joined: Wed Jul 26, 2017 12:46 pm

Re: How a SIM swap attack works

Post by JBTX » Tue May 28, 2019 10:00 pm

For Vanguard, What I have always thought, and appears to be the case based upon my recent password change, is there isn't just a "change password" option. You go "login Help", where you put in name, email last 4 SS, date of birth. Then that takes you to a security question. Answer that correctly you get your user ID. Then if you don't know your password an email is sent or sms text if 2fa. If answered correctly then you can change your password.

Seems to me you can increase your security by:

1. Not using a common email address. Perhaps even a unique one. Your email address is required in the up front personal information.

2. Make the security question answer a non sensical and impossible one to replicate.

If you do those two it seems virtually impossible to get in via computer.

Now what happens if you claim to forget your security question and call vanguard on the phone, who knows. Having your voice print recorded would theoretically help

Topic Author
gtd98765
Posts: 346
Joined: Sun Jan 08, 2017 4:15 am

Re: How a SIM swap attack works

Post by gtd98765 » Wed May 29, 2019 7:43 am

JBTX wrote:
Tue May 28, 2019 10:00 pm


Now what happens if you claim to forget your security question and call vanguard on the phone, who knows. Having your voice print recorded would theoretically help
Vanguard does not advertise its voice verification security option much, but I would like to think it can make a social engineering attack ("help, I forgot my password") much much harder.

z91
Posts: 383
Joined: Fri Mar 07, 2014 1:19 pm

Re: How a SIM swap attack works

Post by z91 » Wed May 29, 2019 11:48 am

CFM300 wrote:
Sun May 26, 2019 5:08 pm
z91 wrote:
Sun May 26, 2019 4:21 pm
Not saying this didn't/couldn't happen, but I'm skeptical of the story. The author works for a company that provides services to secure Bitcoin wallets..
He even links his company In his first "recommendation," but doesn't disclose the conflict of interest.

It's basically just an advertisement.
Yeah, I was going to say too that the images are very marketing like. If I lost 100k in Bitcoin the last thing I'd do is work on making pretty looking images.

Post Reply