Staying Alert: Beware of SIM Card Swap Attacks

SlowMist
7 min readOct 13, 2023

--

Background:

On July 17, 2023, our CISO @23pds mentioned in an interview with Cointelegraph, “SIM Swap attacks are expected to intensify because the attack costs are low. As Web3 becomes more widespread and attracts more people into the industry, the possibility of SIM card swap attacks increases due to the relatively low technical requirements.”

Below is a price list for SIM Swap attacks on the black market targeting different carriers:

Friend.tech is a social platform where users need to purchase another user’s Key to communicate with them. The price of the Key increases as more people buy it, allowing holders to profit by selling their Key.

On October 3, 2023, Our founder Cos, addressed the recent hacking of friend.tech users’ accounts and theft of their assets. He pointed out on social media that friend.tech lacks two-factor authentication, posing a risk.

On October 5, 2023, blockchain detective ZachXBT stated on social media that a hacker had, in the past 24 hours, profited 234 ETH (approximately $385,000) by conducting SIM card swap attacks on four different friend.tech users.

To date, friend.tech users have lost approximately 306 ETH due to SIM card swap attacks.

On October 10, 2023, friend.tech announced that users can now add 2FA (Two-Factor Authentication) passwords to their friend.tech accounts. This addition offers extra protection in case their carriers or email services are compromised.

Given the recent security incident with friend.tech, this article will delve into the mechanics of SIM card swap attacks and how to counteract them. First, let’s clarify what SIM cards and 2FA are.

SIM Card and 2FA

A SIM card, or Subscriber Identity Module, serves as an identity module for users. Its primary function is to store information related to the user’s identity and their mobile network provider, enabling the user to connect to a mobile network and access phone and data services. When a user inserts a SIM card into a mobile device, the device reads the information on the card, using it to connect to the respective mobile network.

Two-Factor Authentication (2FA) is an identity verification method requiring users to provide two distinct types of authentication information for access. Widely used in online banking, email services, social media, cloud storage, and cryptocurrency wallets, it enhances account security. SMS-based verification codes are a prevalent 2FA method. Although these codes are random, their transmission is inherently insecure, leaving them vulnerable to risks like SIM card swap attacks.

Next, we’ll discuss how attackers typically execute SIM card swap attacks.

Attack Methods

In the cryptocurrency domain, the primary objective of attackers launching a SIM card swap attack is to take control of the victim’s phone number. This allows them to bypass two-factor authentication and gain access to the victim’s cryptocurrency account.

In recent years, with numerous company data breaches, there’s a surging market on the dark web for stolen personal information. Attackers obtain detailed personal data of victims either from these data breach incidents or through methods like phishing. Armed with this information, they then impersonate the victim to initiate the SIM card swap attack.

(https://www.cert.govt.nz/assets/Uploads/Quarterly-report/2019-Q4/SMS-Swap-diag-full__ResizedImageWzYwMCwyMTld.png)

Detailed Process:

1. Target Identification: The attacker first identifies their target, often scouting social media for information on cryptocurrency holders.

2. Social Engineering: Using tactics like phishing emails or phone calls, the attacker may employ social engineering to coax the target into revealing sensitive information, such as their phone number.

3. Contacting the Carrier: Once the attacker has the target’s phone number, they reach out to the target’s service provider. Typically using forged identification or social engineering tricks, they persuade the provider to link the target’s phone number to a new SIM card.

4. SIM Card Swap: If the attacker successfully convinces the service provider to associate the victim’s phone number with a new SIM card, the original SIM card of the victim gets deactivated. This is because a phone number can be associated with only one SIM card at a time. Consequently, the victim loses access to their phone number, which is now under the attacker’s control.

5. Receiving Verification Codes: The attacker can now intercept the victim’s text messages and phone communications, including verification codes used for two-factor authentication.

6. Accessing the Cryptocurrency Account: With the acquired verification codes, the attacker can log into the victim’s cryptocurrency trading platform or wallet app. This grants them access to the victim’s cryptocurrency funds, enabling unauthorized transactions and the transfer of the victim’s assets.

Countermeasures

To safeguard against SIM card swap attacks, consider the following measures:

1. Avoid SIM-based Authentication: It’s advisable not to rely solely on SIM card-based authentication. While setting up a PIN for your SIM card can provide an added layer of security, ZachXBT points out that even PINs aren’t foolproof. Attackers can often convince service providers that they’ve simply forgotten their PIN. Worse, there have been instances where staff from the service providers themselves were involved in scams. Nonetheless, establishing a PIN can make the attack more challenging and enhance SIM card security.

2. Use TOTP for Two-Factor Authentication: Utilize authenticators that support the TOTP (Time-based One-Time Password) algorithm for 2FA. To understand its significance, let’s compare HOTP (HMAC-based One-Time Password) with TOTP:

  • HOTP: This event-based OTP algorithm generates passwords that remain valid until the user requests another one, which then needs to be verified by the authentication server. Due to its prolonged validity, there’s a greater risk of attackers brute-forcing their way through all possible OTP values.
  • TOTP: This time-based OTP algorithm generally has a lifespan of 30 seconds for each password. If not used within this window, the password expires, necessitating the generation of a new one for access. Given its smaller time window compared to HOTP, TOTP offers superior security. As a result, security teams like SlowMist recommend 2FA using TOTP-supported authenticators like Google Authenticator, Microsoft Authenticator, Authy, etc.

3. Beware of Unsolicited Communications: Handle text messages and emails from unknown sources with caution. Refrain from clicking on random links or providing sensitive information.

4. Stay Alert to Unusual Phone Activity: Some victims from friend.tech reported receiving a flood of spam calls and messages, prompting them to mute their phones. Unfortunately, this caused them to miss critical alerts from their carriers about potential account breaches. Attackers use this tactic to buy time for their malicious activities by ensuring victims mute their notifications. Thus, if you suddenly find yourself bombarded with spam calls or messages, it’s a cue to be on high alert.

Summary

The security of SIM cards largely depends on the protective measures implemented by service providers and is susceptible to tactics like social engineering. As such, it’s advisable to avoid relying solely on SIM card-based authentication. It’s imperative for users to enhance their account security by implementing two-factor authentication, with a preference for authenticators that support the TOTP algorithm. Lastly, for those interested in further insights, consider reading the “Blockchain Dark Forest Self-Rescue Handbook”. https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Their goal is to make the blockchain ecosystem as secure as possible for everyone. They are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include by are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.