The charging of two men in the US for attempting to steal $500,000 in bitcoin has brought SIM Swap attacks back to the public’s attention. What is a SIM Swap attack? Does the general public need to worry?
What is a SIM Swap Attack?
SIM swapping involves a cybercriminal scamming telecom providers into reassigning an intended victim’s phone number from the victim’s phone to a SIM card in a device held by the attacker. Attackers then pose as the victim with online account providers to request that the provider send authentication codes or account password-reset links to the SIM swapped phone controlled by the attackers.
Subsequently, attackers can reset the victim’s login credentials to social media accounts to get control of the victim’s sensitive information and steal the victim’s identity. They can also, as per the two Massachusetts men, reset passwords to private services like email accounts and cryptocurrency wallets.
The case of the two Massachusetts men charged last week involved Eric Meiggs (20) and Declan Harrington (21). They allegedly tried to steal over $500,000 in cryptocurrency in targeted attacks on ten individuals. These individuals were targeted because they were likely to have large cryptocurrency accounts and held high value social media account names. The victims have not been identified, but the indictment describes one victim as owning a bitcoin teller machine and another as running a “blockchain-based business”.
Who are the Perpetrators of SIM Swap Attacks?
SIM swap scams, also known as simjacking and port-out scams, are not difficult scams to perpetrate. Nor are such scams a new phenomenon. They have been around for quite a few years now. Of late, however, SIM swapping has seen a sharp rise in reported cases. Young people aged nineteen to the mid-twenties are usually the perpetrators of SIM Swap attacks. They buy cheap SIM cards on the internet and then plug them into burner phones to use for the attacks.
With SIM Swapping becoming widespread amongst young cybercriminals, several individuals in the cryptocurrency space have fallen victim to these attacks. This includes prominent individuals at Messari, Coin Center and VideoCoin, who have all reported having suffered SIM Swap attacks. Michael Terpin, a prominent investor in the crypto space, filed lawsuits against his mobile provider AT&T and his 21-year-old alleged perpetrator after also having suffered a SIM swap attack.
How to Safeguard Against SIM Swap Attacks?
Individuals in the crypto space are usually the main targets of SIM Swap attacks. However, anyone from the general public could be a target if they possess something of interest to these cybercriminals.
What can the general public do to protect themselves against such attacks? Other than taking the usual precautions to safeguard personal data and accounts, there is actually not much the general public can do. The individuals being scammed are employees of telecom providers and not the intended victims themselves. It is therefore up to telecom providers to tighten their privacy and security policies to safeguard everyone from such attacks.
To this end, prominent individuals in the crypto space, such as Terpin, have asked regulators take action against SIM swapping to stop this type of fraud. Companies and regulators have taken action. However. there is still much to be done before our personal data and private accounts are safe from such attacks.
What Does the Future Hold?
With the onset of 5G technology, the damage that SIM swap attacks can cause is expected to be much greater. As 5G is used more and more as part of Operational Technology (OT) solutions in the future, SIM swap attacks will not just target individuals, but are likely to spread to enterprise equipment and devices that run 5G SIM cards. According to Trend Micro, a cybersecurity and defense company based in Japan, the use of 5G technology in OT will open doors to wider threats such as “wiretapping, malware injections, large-scale fraud, poisoning of machine learning and supply chain attacks”.
However, the onset of 5G technology has also brought with it the development of new industry standards. For example, in Europe 5G security standards are set in the 3rd Generation Partnership Project (3GPP). It’s true that 5G will create new vulnerabilities. However, it starts life from a much higher baseline than existing mobile systems currently under SIM swap attacks. Therefore, we will hopefully be able to better avoid or counter SIM based security threats in the future.