Now that you know how to buy, send and store cryptocurrency, it's time to think about how to keep your crypto safe. This article is part of a constantly updating series of tips and resources for protecting your cryptoassets — be sure to check back often!
Part 1: Bad Actors
SIM-swaps — sometimes referred to as port-out scams — have come into the spotlight as a major concern for cryptocurrency holders in recent years.
A SIM swap is a criminal heist that targets weak points in two-factor authentication (2FA) systems, which many individuals use to provide an additional layer of security for their social media, banking or other online accounts.
2FA introduces an additional step for users’ online log-ins, requiring individuals to enter a one-time passcode received via a text message or phone call to their device.
This can be an effective layer that thwarts potential hacks — but recently, criminals have found a way to use 2FA to their advantage.
How Does a SIM-Swap Work Exactly?
Many cell phone service providers offer consumers the option to port their existing cell phone number to a new SIM card, which can be handy if they’ve lost their phone or decided to switch mobile carrier.
But the seamlessness of this service is also exploitable by so-called SIM swappers, who persuade service providers to port victims’ cell phone numbers to a SIM card under the fraudster’s control.
To successfully do so, a scammer typically impersonates the victim in communication with the mobile carrier, which means that the scammer needs to have gathered personal information about their target.
The data required to pull off this kind of identity theft can be obtained via phishing emails, darknet marketplaces, social engineering techniques or other nefarious means.
There have also been reports of criminals directly bribing employees at mobile carriers to directly collude in the scam.
Once the SIM-swap has been completed, the victim will lose all service connection and all incoming calls or text messages will be redirected to the attacker’s device.
A successful SIM swap attack can be a goldmine for a bad actor.
Intercepting the automated messages used for user authentication systems enables fraudsters to dupe security systems and so hijack online accounts, reset existing passwords and gain access to yet further confidential information. And yes — it can also help them to steal victims’ crypto.
How to Protect Yourself Against a SIM-Swap Heist
There are several methods you can use to reduce your risk of falling prey to a SIM swapper.
One is to use Google Authenticator or a similar authentication app: unlike many forms of 2FA, this links the authentication method to your specific physical device, rather than to your phone number.
Some mobile carriers may allow you to set an additional passcode or PIN for your communications, which can further help to thwart attackers’ attempts at identity fraud.
Typically, the most robust protection in preventing SIM-swaps needs to be taken by mobile carriers themselves, by not porting cell numbers to a new SIM card unless a client appears in-person at a store with an official ID.
While such practices are not mandatory for carriers in many countries, there have been attempts this year in the U.S. by lawmakers to appeal for the introduction of more robust regulation to improve consumer protection.
In the absence of this, make sure you use strong, unique passcodes or passphrases wherever possible, set personal security questions with answers that only you know and be on the alert for suspicious communications that could be phishing attempts.
You can also reach out to your mobile carrier with a special request instructing them not to port your SIM without your presence and ID in-store.
A Brief History of SIM-Swapping in the Crypto Space
SIM-swapping was unheard of just a few years ago — now, this particular form of scam has led to the loss of millions of dollars in cryptocurrency, making people realize the fallibility of connecting your cell phone number to where you store your money.
The history of the many SIM swap heists targeting the crypto industry uncovers the three main actors whose conduct shapes the dark present and future of these crimes: mobile carriers, national regulators and, of course, the SIM swappers themselves.
When it comes to the latter, victims’ lawsuits have cast a spotlight on a host of alleged perpetrators, many of them remarkably young, some of whom were allegedly co-conspirators in grand multi-million dollar schemes.
In May 2019, crypto investor Terpin won a $75.8 million civil case against SIM-swapper Nicholas Truglia, a 21-year-old whose social media swagger exposed his taste for a luxury lifestyle of fast cars, private jets and Rolex watches, bought with illicit riches.
In 2018, Terpin fell prey to a SIM swap heist that cost him almost $24 million worth of cryptocurrency, perpetrated by Truglia and alleged accomplices.
One of these was ostensibly Westchester teen Ellis Pinsky — an “All American Boy,'' just 15 years old at the time of the heist — who is now the subject of a new $71.4 million lawsuit from Terpin.
Other alleged SIM swappers include “gifted 20-year-old college student from Boston,” Joel Ortiz, who was charged with using SIM swaps to steal over $5 million in crypto from 40 victims. Several of Ortiz’s attacks allegedly targeted investors during the high-profile blockchain conference Consensus in New York in 2018.
Another, 19-year old Xzavyer Narvaez, was arrested in California in 2018 for stealing over $1 million in Bitcoin. Prior to his arrest, Narvaez had showcased his snow-white McLaren on Instagram, captioned “live fast, die young.”
If the ostentatious lifestyle of these Generation-Z Bitcoin bandits briefly dazzles, spare a thought for tech entrepreneur Robert Ross, who allegedly lost his $1 million life savings from his Gemini and Coinbase accounts due to the actions of Truglia and others.
As well as revealing the bling and dexterity of a new wave of young crypto-savvy sim-swappers, defrauded victims are also attempting to hold mobile carriers to account for their role in the crimes.
Both Michael Terpin and Robert Ross have filed lawsuits against the United States’ largest mobile service provider AT&T.
Ross — who has uploaded his civil complaint onto an activist resource site for the victims of SIM swap scams — alleges AT&T failed to protect his sensitive account data, leading to repeat violations of his privacy and directly enabling the financial harm caused by fraudsters.
In his $224 million lawsuit against AT&T, Terpin went further: “What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.”
Beyond corporate negligence, investigative reports have also pointed to attempts to bribe insiders at telecom firms to collude in perpetrating SIM-swap heists.
Another front in the fight against SIM swaps has been the appeal to regulators to better protect consumers by making it mandatory for mobile carriers to require customers to present an ID in-store if they want to port their SIM.
In a January 2020 letter to the Federal Communications Commission, U.S. lawmakers noted that annual complaints about SIM swaps have increased dramatically between 2015 and 2019 — by close to 240%. These complaints, they noted, represent just a small fraction of the actual number of incidents.
Rising concern about these crimes prompted the formation of a dedicated task force of law enforcement officers and prosecutors, “REACT,” in Santa Clara, California, which has helped, among others, SIM swapped cryptocurrency executives with their cases.