Rich Sanders, cofounder and chief security officer of CipherBlade, and Harry Denley, director of security of MyCrypto.com, discuss the phone porting phenomenon: who’s behind these thefts, how they perpetrate them, who is targeted, how to recognize the signs you’re a victim and how the hackers are adapting to people protecting themselves. They cover how you can protect yourself, which accounts to protect, what kinds of email addresses and numbers to set up, how to set them up, how to separate them from anything valuable, and which two-factor authentication methods could work instead. Plus, they go over how to report a theft, to whom you should report, and what information to include.

Thank you to our sponsors!

Crypto.com: https://crypto.com

Kraken: https://kraken.com

CipherTrace: https://ciphertrace.com/unchained

Episode links: 

MyCrypto: https://mycrypto.com/ https://twitter.com/MyCrypto https://medium.com/mycrypto

CipherBlade: https://cipherblade.com

The SIM Swapping Bible: https://medium.com/mycrypto/what-to-do-when-sim-swapping-happens-to-you-1367f296ef4d

My Forbes story covering the phone hijacking phenomenon: https://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#1964ddb738ba

Michael Terpin, awarded $75 million in case after losing $24 million in crypto: https://www.coindesk.com/crypto-investor-awarded-over-75-million-in-sim-swapping-hack-case

Cody Brown who lost $8,000 on Coinbase due to a phone hijacking: https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

BitGo engineer losing his money via SIM porting: https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124

Transcript

Laura Shin:

Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I’m your host, Laura Shin. It’s not easy keeping up on all the news in crypto. If you want a short and quick look at what I think are the top stories every week, sign up for my weekly newsletter. Just go to UnchainedPodcast.com and enter your email address into the box right on the homepage. Sign up today. Interested in the crypto weekend retreat I’m teaching with Meltem Demirors of CoinShares and Jalak Jobanputra of Future Perfect Ventures in September?

If so, be sure to check out the show notes for the link to sign up. Also, Unchained is now on YouTube. You can find the most recent episodes there every week on the Unchained Podcast channel. 

Kraken

Kraken is the best exchange in the world for buying and selling digital assets. It has the tightest security, deep liquidity and a great fee structure with no minimum or hidden fees. Whether you’re looking for a simple fiat onramp, or leveraged options trading, Kraken is the place for you.

Cipher Trace

CipherTrace’s cutting-edge cryptocurrency intelligence powers anti-money laundering, blockchain analytics, and threat intel. Leading exchanges, virtual currency businesses, banks, and regulators themselves use CipherTrace to comply with regulation and to monitor compliance.

Crypto.com

Grow your crypto and earn up to 8% per year with Crypto.com. It’s the place to buy over 40 coins at true cost with no fees and no markups. Download the Crypto.com App today!

Laura Shin:

The topic of today’s episode is SIM swapping, also known as phone hijacking or phone porting. Here to discuss are Rich Sanders, Co-Founder and Chief Security Officer of CipherBlade, and Harry Denley, Director of Security at MyCrypto.com. Welcome, Richard and Harry.

Harry Denley:

Hi.

Rich Sanders:

Thanks for having us on.

Laura Shin:

The topic of today’s show is a phenomenon that’s been hitting crypto people in particular for at least three years now, and what happens is victims get their phone numbers compromised, which can lead them to having their crypto stolen or being extorted or having other bad consequences. So before we dive into the meat of this discussion, though, why don’t you guys each briefly describe your companies? Harry, why don’t we start with you? What does MyCrypto do?

Harry Denley:

Sure. MyCrypto is a blockchain interface right now to the Ethereum blockchain. It also is an interface so you can manage your funds and tokens, sending and receiving.

Laura Shin:

And Rich, what about CipherBlade?

Rich Sanders:

CipherBlade’s a blockchain investigative firm. We investigate scams or hacks. We also provide advisory to exchanges to ICOs, and we also provide legal services.

Laura Shin:

And your two companies teamed up on this massive post. Post isn’t even the word, because you guys called it in the title a bible, which is probably a better word. It takes 50 minutes to read, and it covers in detail these kinds of attacks, how to prevent them, and what to do if you fall victim to them. Describe what this attack typically looks like. What is it that the attacker does?

Rich Sanders:

So what one of these attackers will do is they’re either going to social engineer a phone service representative, or they’re going to have an insider in the phone company, and what they’re doing is they’re changing who owns the phone number associated with the account. So they’re going to basically port it to another SIM card. That’s why it’s called a SIM swap. Once they do that, what they’re able to do is they’re able to reset any accounts that phone number is connected to.

So, for example, a lot of people, instead of using Google Authenticator, they have it still set to SMS reset. So, from there, they’ll be able to reset a Gmail, and then, from there, people usually, if they’re going to have money stolen from them in a SIM swap, they might make the mistake of having a private key or a seed phrase stored in Google Drive, or from the Gmail, they might search and see what exchange accounts this person has. Those exchange accounts might also be resettable via SMS reset, and that’s how financial loss takes place.

Laura Shin:

And so how does the initial piece happen where the phone number gets switched to a different device?

Rich Sanders:

So what ends up happening is one of these SIM swappers will either call the phone company and pretend to be that individual, and a lot of people don’t have security settings on the account. So it’s really just a matter of sounding convincing, and if they don’t have security settings, they’re just going to need to know really basic info, like possibly address or some very, very basic stuff that can be found via open source. Other times, what ends up happening is that there’s an insider within the phone companies, which is essentially an employee that the SIM swappers will pay in order to port the number to a different SIM card. That’s the initial setup.

Laura Shin:

Wow, and how are the perpetrators finding those employees?

Rich Sanders:

So that’s a big misconception. I’ve read and heard that a lot of it…apparently, it’s believed that it comes from sharing phone numbers at conferences, which is actually not the case. The majority of the time, it’s just a matter of these SIM swappers looking at who has a decent net worth and who looks like an easy target. It’s a hybrid of the two, and they’re called OSINT tools, and you can go out there and go on, like, Spokeo or TruthFinder or plug in someone’s name. Odds are, you’re going to be able to find their phone number.

Laura Shin:

Oh, but actually, I meant when the perpetrator wants to find an employee to bribe, how do they do that? Do they just walk into a store, or do they call the mobile carrier directly and ask the CSR, hey, can I give you money if you do this thing, or how does that part work?

Rich Sanders:

I’ve never seen either of those take place, but I’ve never seen one clear-cut way that I would say is the methodology for that. Sometimes it does come out to outreach. I would say the most common one I have seen is that it’s one of these SIM swappers that has a friend that joins a company with the explicit purpose of doing this, but I’ve also seen them kind of outreaching on other forums, especially the SIM swappers that were with that group Ogusers. They would find people with these phone companies perusing through LinkedIn and Facebook and engage them on burner accounts.

Laura Shin:

Okay, and just describe for people who Ogusers are.

Rich Sanders:

So Ogusers is, or possibly soon to be was, a website where a lot of the users on there would go after what were called OG accounts, and those were typically Instagram or Twitter or Steam or other types of accounts that had desirable usernames, like things that would be only three letters or they were considered to be rare accounts, and there was a marketplace for them, and a large portion of those accounts were illicitly obtained, and essentially, where that evolved is it evolved from them stealing accounts into stealing money.

Laura Shin:

Okay, and they have I guess done a number…like, how widescale are the attacks that they have done, these SIM swaps?

Rich Sanders:

So, just to clarify, not everybody on Ogusers was a SIM swapper within the context of what we’re discussing now, which is SIM swapping relative to cryptocurrency. They were really big on account hijacking in general, but it was a select portion of them that engaged in SIM swapping with the explicit intent of financial gain. So if you Google, like, SIM swappers arrested, you see names like Joel Ortiz or Joseph Harris, Xavier Narvaez. They were all the OG users that decided that they were going to go after money.

Laura Shin:

All right, and then just to go back, when you were talking about how the attacker will call the phone company and get the phone number switched to their device, what if you do have a PIN code on your account? Does that protect you?

Rich Sanders:

Not all of the time, and that’s for two reasons. If there’s an insider within the company, well, then that’s moot. If there is not an insider and they’re doing the traditional social engineering approach, there’s a couple of different things that could happen. The service rep can entirely overlook it, or you have to bear in mind, you’re dealing with social engineers, and the unfortunate reality is that these phone service reps…and this is no disrespect intended to them, but these are not folks that are compensated extremely highly and extremely trained.

So think of it like this. If you’re doing your first job, you’re early on in your career field, and somebody calls you panicking, freaking out. My husband needs his account unlocked. It’s an emergency. I need to get in touch with him. Odds are you’re going to end up getting convinced to ignore having a PIN code on the account. There’s also other things that I have seen. Like, I’ve seen PIN codes and passphrases that are extremely easy to guess, like last four of a social or you know, numbers of a street address, which are just sloppy OPSEC practices.

Laura Shin:

All right. So from the victim’s side, what happens? If it’s happening to me, what would be the signs that I’m now being targeted in this way?

Harry Denley:

All right. So you’ll see suddenly your service will go, and you’ll have no signal. You won’t be able to receive inbound or outbound calls or messages, or sometimes you’ll get a call back from the CSR saying, hey, we got disconnected. Let’s continue the conversation, and that just means that they got a CSR that they couldn’t social engineer first try, at least, to port your number to a different SIM.

Laura Shin:

And then I believe they also, if they are successful, then they start trying to get into your email accounts and stuff. So would you also experience other kind of signs that have to do with your email?

Harry Denley:

Yeah. That depends on how you set up your email. Assuming you’ve only got SMS 2FA on your email, then you will maybe see on your phone that you’ll be signed out of your email account, or you’ll get a notification on a backup email associated with the email address saying a new login attempt. If you don’t have SMS 2FA and you have something like Google Authenticator or Outlook Authenticator, then you’ll get a notification on your phone from the app to say authorize this login.

Laura Shin:

So then let’s say that they do get into these accounts, in particular your email. What do these attackers typically do once they get into an account like that?

Harry Denley:

They would look in your email inbox to see what kind of emails you get from exchanges to see which exchanges they can pivot to and get access to. Sometimes they would do reset passwords, and then, since they’ve got access to your email account, resetting the password is trivial, assuming you don’t have another method of two-factor authentication, such as Google Authenticator. Well, then if they can, they can maybe open a support ticket with your email address saying I lost my 2FA backup codes. Can you remove 2FA?

Rich Sanders:

And to build off of that, as well, a big mistake that I see a lot of is people will store their KYC documents on something like Google Drive. So it’s fairly easy for one of these SIM swappers, if even after the fact, to social engineer one of these exchanges into transferring, or removing, rather, Google Authenticator. Another thing that’s worth mentioning is that these SIM swappers almost always operate in teams.

So they’re going to have the person that does the actual breach, whether that breach is the social engineering of a service provider or the insider. Once that happens, though, they have multiple people. They have someone that’s going to search the account, like Harry was talking about, seeing which exchanges. They’ve already got copy and paste. They’re going to query every exchange. They’re going to query for private keys, and then from there, they’re just dividing and conquering.

Laura Shin:

Yeah. When I wrote about this in 2016, I wrote that…the intro kind of incident that I described was one in which Jered Kenna, who, he founded one of the earliest bitcoin exchanges Tradehill, which didn’t last super long, but he was a very early miner, and when I say very early, as he described it, sometimes he would hook up to the network and there would only be four people on the network. So he was earning those 50 bitcoins every 10 minutes, you know, fairly frequently.

And he said that he believes that within seven minutes, he was locked out of 30 plus accounts. So, you know, when you say that there are people working in teams and they sort of comb your email and just keep blocking you out and changing your passwords and everything, they know what they’re doing. They’re doing it quickly, and they can do multiple accounts, because there’s a number of these people, within a matter of a few minutes.

And this was, you know, even before he really understood what was going on with his phone. All right, so what are some of the worst consequences you’ve seen for the people who have been victims of such attacks? Like, how much money have they lost or have they been extorted in some fashion, or what are some of the various ways this has played out for them?

Rich Sanders:

So there’s a really wide variance of financial loss, and typically, the lower end is in the 30 to 50K range, and then at the higher, higher end, you have, like, Terpin, who lost the 24 million.

Laura Shin:

Michael Terpin.

Rich Sanders:

Yeah, and it’s typically not in the seven-figure-plus range. It’s typically in the 50K to six digits range. However, one trend I definitely have noticed, especially this year, is that, typically, people now have the wherewithal to have either authenticator on the exchange or you know, not store a private key or a seed phrase on Google Drive, but what’s typically going on is that these people will get SIM swapped.

And what ends up happening to swap their primary email is they’ll have a recovery email that they can use for the account. So even if you have Google Authenticator on your main Gmail account, if you have an old email, one that you probably entirely forgot about…it could be like an old work or college email that you had secured via SMS, that’s how they’re getting it.

And the change in tactic, the way that the SIM swappers are continuing to monetize it this way, is that they’re transitioning to extortion. So they might steal business documents, SAPs, whatever the case might be, and threaten to leak them. They might threaten to leak…this is going to be a little crude. I’m not sure if this needs to be edited out for the podcast, but they might threaten to leak nude photographs, and that’s how they’re continuing to monetize it, for the most part.

Laura Shin:

Wow, and then they want payment in crypto so it can’t be reversed?

Rich Sanders:

Correct.

Laura Shin:

And so you sort of alluded to this earlier. Like, who are the attackers targeting? It seems to be maybe not always the highest net worth people?

Rich Sanders:

I mean, net worth is one of two indicators. It’s always a balance, and the example that I always like to give people is that if you have 5 billion dollars, but it’s secured like Fort Knox and you have 5 million dollars and it’s secured behind a screen door, well, then what’s the more attractive target? The one that’s behind the screen door, right? So it’s a balance of the two.

Laura Shin:

And you said that they’re finding them via conferences, or how are they figuring out who to target?

Rich Sanders:

So that’s a big misconception. I’ve read that one quite a lot, that people were believing that because they gave out their phone number at Consensus, that’s why they were getting targeted. I haven’t seen anything that indicates that to me. I mean, this could all be done, hypothetically, 100 percent remotely. You don’t need to go in person to get somebody’s phone number. You could find it via an OSINT tool. So as far as, you know, how they’re identifying who these people are to even run their names in an OSINT tool, that’s simply a matter of being on Telegram, reading Reddit, following what’s going on in the industry.

Harry Denley:

Especially one of Telegram’s recent updates was your mobile number attached to your Telegram account was made public, and you had to opt in to turn that off with your privacy settings. So that could be another way that, being remote, you could get someone’s phone number.

Laura Shin:

Yeah. I literally just figured that out, and I was like, oh my god, I can’t believe that people were able to see my phone number. So is law enforcement making any headway in finding the perpetrators?

Rich Sanders:

They absolutely are, I mean, if you look at the slew of arrests that took place just last year, thanks largely to REACT and the FBI. The thing is this, is that law enforcement has very few staff that are extremely proficient in this, and that’s not a knock on them. It’s roughly the equivalent of any one of us being asked to perform surgery on a horse. We have absolutely no context or background.

A lot of these cases are assigned to law enforcement personnel that barely have any cyber experience, let alone blockchain, and if you marry that with the just harsh reality that, A, the majority of these go unreported to law enforcement, and B, the minority that actually do go reported simply don’t have adequate data, then a lot of those will go unsolved.

The reason why a lot of those folks from Ogusers were arrested last year is that there were folks that were able to get law enforcement the data they needed, and you know, within my case, without stating exactly what the data I fed was, it was stuff that would serve legally as attribution, enough for warrants for arrests, for assets, anything for prosecution in the case of Joel Ortiz.

Laura Shin:

And so why is it just not possible to tell the company don’t port my phone number, you know, in pretty much any circumstance?

Rich Sanders:

In theory, it is possible to tell them that. In practice, though, there’s the two pain points I mentioned earlier, which is you’re going to have these phone representatives that are easily social engineered, and you have the reality of the fact that there are going to be insiders, and the thing is this. You have to look at it from a business model for the phone carriers. They’re not collecting payment to act as a custody provider, right? And you also have to bear in mind the fact that a lot of these people that are requesting that their phone number be ported are doing it for a legitimate purpose. So the overwhelming majority of the client base for these phone providers would provide a lot of pushback if they increase the difficulty of doing that.

Laura Shin:

All right. Okay. So I think it’s just going to be a risk factor for people involved in the space, and for those who sort of want to get more of a picture of how widespread this is, even back in that 2016 story, I noted a whole bunch of people who had been targeted in this way, such as Adam Draper, Bo Shen, a lot of the founders of Augur, Brock Pierce, and you know, it’s continuing. There was just kind of an everyday person who…I forget. He lost only, like…I forget.

It was only like 8 thousand bucks or something. His name was Cody Brown, but he wrote about it on Medium, and that went viral, and we mentioned Michael Terpin, who kind of is an early crypto person who did a lot of PR for the various crypto teams. Michael Terpin, he lost what was reported as 24 million dollars worth of crypto. I don’t know what the current value is. He did eventually get a judgment of 75 million dollars in his favor this past May. So this is still ongoing, and the most recent kind of high profile case of this was a security engineer…

Yeah, a higher-up engineering person at BitGo, which is a security company, having his phone number stolen from him twice in two days. So he lost more than 100 thousand dollars worth of crypto in that attack, and yeah, this is just something that pretty much anybody who has any involvement in the space should know about. So, to that end, let’s talk about the preventative measures. What should people do to try to ensure from the get-go that they never fall victim to this attack? And let’s start with their mobile carrier. What are some of the best practices they should implement there?

Rich Sanders:

So you mention that this is a risk factor that people in the industry are just going to have to deal with, and in a sense, you’re right, but in another sense, I actually disagree with that. This risk factor can be almost entirely, if not fully, mitigated. So a great example of that is you mentioned the SIM swapping bible that Harry and I, our teams collaborated on.

Yes, it is a 50-minute read, but look at the amount of time that people spend, whether they’re in this industry working in it as a full-time job for 40 hours a week, or even if they’re just an enthusiast or an investor, all things considered, taking a few hours to do everything that’s listed in that guide is a very, very minor investment of time in the grand scheme of things. So starting with the phone provider, having a, at a bare minimum…it’s going to vary depending on the phone provider.

But having a PIN code or a passphrase is a good start. I would always recommend telling them that you only authorize a SIM port in person with a government-issued ID. That being said, I would actually focus more…and Harry will be able to expand on this greatly, but I would focus more on, as much as possible, removing your direct mobile number from existence for anything that can touch your cryptocurrency.

Laura Shin:

Yeah, so let’s talk about that. If you’re going to do that, I mean, a lot of things do require a phone number. So what should people do instead?

Harry Denley:

One thing that I’ve seen lots of people doing is going onto Google Fi, which is a mobile network, but it has no real in-store or human support agents that can be socially engineered. So you won’t be able to get your number ported. So they use those virtual mobile numbers.

Laura Shin:

Yeah, and as far as I understand, with Google Fi, if you have a number there, then you just go to a website and click a button that says enable this number to be ported or you know, don’t enable it to be ported. So you are in control of that, and if you want to switch carriers, you can do it, but if you don’t, then you can just block it.

Harry Denley:

Yeah. It relies heavily on your Google account being secured, but if you use all of Google’s security tools, then you should be good.

Laura Shin:

All right. So I want to also…because you guys did outline a slightly different method, which is that people could also set up a separate Google account and create a Google voice number on that account that, again, is not connected to your normal email, but then use that phone number. Did I understand that right, that that’s another option, as well?

Harry Denley:

Yeah, that’s another option. So assume that one day, your primary email account, or Google account, I should say, will get hacked, but then you’ll have one that you’ll only ever use just for that Google voice number and you won’t use for your primary email. So it’s just another barrier to keep you safe if you assume that one day, your primary email account will get hacked.

Laura Shin:

So they use this number on anything touching crypto or anything financial, and where else…should they just use this number as their phone number going forward in as many places as possible as they can?

Harry Denley:

They can. There’s no reason why they couldn’t. I would only use it for anything financial myself.

Rich Sanders:

To expand on that, when it comes to cryptocurrency in particular, the exchanges, I can’t think of…and Harry, absolutely correct me if I’m wrong, but off the top of my head, I can’t think of a single exchange that offers only SMS authenticator and not Google Authenticator.

Laura Shin:

Well, that’s good, and we’ll talk a little bit more about Google Authenticator, but let’s first actually talk about why it’s so important for them to secure every Google account that they have, and you sort of mention this. So, basically, I feel like what people maybe need to imagine is that it’s sort of like quarantining or something, where you create a little universe where that phone number and that email touches certain things, but nothing else in your life. Is that sort of the right picture to have?

Rich Sanders:

It’s a perfect analogy.

Harry Denley:

Yes.

Laura Shin:

Okay. So talk about how to set that up so that people don’t mess up and don’t end up having that one little crack that the attackers can use to unlock everything.

Harry Denley:

So, to start from the very beginning, a lot of people have an email account that is super old that they made maybe when they were a teenager. They didn’t really care much about their online security. They then grew up a bit and created a new account, and when you’re creating a new account, some of the providers ask for a backup email in case you forget your password.

And then people use that very old email account that they made when they were teenagers, didn’t really care about security. So now your new primary email account is vulnerable because it’s linked to that very old email account, and the bad guys will go after the old email account that will probably be in some public dump somewhere, and then pivot from that email account into your primary one, and then they’ve got your identity.

Laura Shin:

So what people need to do if they want to prevent that from happening is what?

Harry Denley:

They need to remove email backup from their Google account. So any of the online accounts basically have the only backup mechanism as 2FA or backup codes that you store offline.

Laura Shin:

Great. So we’re going to keep discussing how to prevent a SIM swapping attack, but also what to do if you are a victim after this break, but first a quick word from our sponsors. 

Crypto.com

When buying crypto, price matters. With the Crypto.com App, you can buy more than 40 coins at true cost. Our multi-exchange trading engine ensures the lowest possible prices to buy crypto with no fees or markups. Not only is the App good for buying crypto, it’s also good for growing crypto! You can earn up to 8% per year on BTC, ETH, XRP and more when you make a deposit into the 1-month, 3-month or flexible terms. You just have to deposit your crypto to begin! Interests are paid out weekly and immediately available for use. Start earning through the Crypto.com App! Available on the App Store and Google Play. 

Cipher Trace

Will the world follow France and advocate banning privacy-coins? Will government-backed stable-coins become the new fiat? Are distributed and peer-to-peer exchanges just a flash in the pan? The answer is maybe. Virtual currencies can flourish and create a new, private and more versatile economy. But that grand vision can’t happen without keeping crypto clean, AND that requires support of governments and accountability for bad actors.

Privacy Enhanced Compliance using cryptographic controls has the potential to preserve anonymity without compromising legitimate investigations. CipherTrace is working on this vision of the future. Sign up to stay up to date on the Privacy Enhanced Compliance initiative and receive authoritative Crypto AML reports quarterly. https://www.CipherTrace.com/KeepCryptoClean

Kraken

Today’s episode is brought to you by Kraken. Kraken is the best exchange in the world for buying and selling digital assets. With all the recent exchange hacks and other troubles, you want to trade on an exchange you can trust. Kraken’s focus on security is utterly amazing, their liquidity is deep and their fee structure is great – with no minimum or hidden fees. They even reward you for trading so you can make more trades for less.

If you’re a beginner you will find an easy onramp from 5 fiat currencies, and if you’re an advanced trader you’ll love their 5x margin and futures trading.

To learn more, please go to kraken.com.

Laura Shin:

Back to my conversation with Rich and Harry. So let’s now then also talk about why securing your Google accounts is so important. Why is that?

Harry Denley:

So, in today’s world, Google is like Big Brother. It’s not just providing email to you. It’s providing location services, cloud storage, maybe even website hosting, database hosting, and that sort of ties to your Google account, which is also your Gmail account, which is your email account. So once they’ve got your email account, they pretty much have all of your online identity, including, which is most scary, your location data.

Laura Shin:

Wow, and then they can also break into anything you’ve got stored on Google Drive or I guess…

Rich Sanders:

On Google Chrome, as well. That’s a thing. They could even log in and see your favorites, any saved passwords.

Laura Shin:

Wow. Okay, so how should people secure their Google accounts?

Harry Denley:

They should have a very strong password generated randomly with a password manager like 1Password or LastPass, and then those password manager backups should be stored offline, away from your main machine, in case your main machine gets a virus or a RAT or something. Then your Gmail account should have…and with that strong password, you should monitor active sessions.

You shouldn’t really authenticate apps with Gmail login, especially apps that look great but are new and that you’ve never heard of, but you give them read and write access to your email, for example. So there’s that way. Also having a look at your recovery options. I think by default, Google has recovery option of your phone number. So you’d have to go back into the security settings and remove your phone number from there and any backup emails.

Rich Sanders:

And two things to build off of that, as well. I mean, that’s all in either initial setup of the account or when you’re doing a scrub of it. So exactly what Harry is saying, is that you should really limit what your recovery options are, and there’s a line between security and convenience. So I’m not going to sit here and tell you, yeah, completely remove everything except for Google Authenticator.

But if you’re going to have just Google Authenticator, make sure that you’re storing your backup code somewhere safe. You know, actually jot it down or print it out, presuming that you’re not on Wi-Fi and susceptible to a man-in-the-middle attack. Store it offline. The other thing to kind of build off of that, as well, I see this with a lot of ICOs and a lot of blockchain companies. The default within Google admin is that people actually can use personal recovery emails.

So that very attack vector has been used to compromise company emails that were believed to be secure via Google Authenticator, and what Harry mentioned as far as, you know, doing a scrub of your active sessions, security is not a one-time thing. So you can’t read The SIM Swapping Bible, do everything in it, check the block, and say I’m done for good.

That’s not just because the threat vectors change, but because you want to continue to monitor it. So the analogy I like to use is you want to think of security as like brushing your teeth, and I’m not saying that you have to do a scrub every single day, but yeah, in the grand scheme of things, what is 15 minutes a week just to jot down as a recurring calendar event for you and scrub your active sessions, make sure everything looks good.

Laura Shin:

All right, and let’s just also define a few things for people. So you keep talking about Google Authenticator. That is basically an app on your phone that provides temporary codes. I think they change every 30 seconds or something. So that instead of receiving your second-factor authentication code, the text message or phone call, what happens is you, you know, try to log in. You put in your password.

It asks for your code, and instead of sending one to your phone, you just open the app, put in the temporary code that’s active for that 30 seconds, and you would’ve needed to set this up before that, so that the way that you log in here is with your Google Authenticator, and then the system will know, okay, the person logging in has this trusted device, which is the phone that you previously set up with Google Authenticator, and that’s how it will identify you and not use your phone number to do so. Did I explain that correctly?

Rich Sanders:

Correct. So Google Authenticator’s using a time-based, one-time password algorithm, and the way you described it is correct, and you know, the real tragic thing is that setting up Google Authenticator takes all of a few minutes, and when you look at a lot of these especially exchanges that offer both Google Authenticator and SMS-based 2FA, the reason why they offer SMS-based 2FA is that people don’t want to take the few minutes. You know, it’s kind of like what I was talking about with the phone service providers, right?

The overwhelming majority of people that want to change their SIM would not want to deal with all of the hassle of making it extensively more difficult to appease people that were victimized by SIM swapping in cryptocurrency, and you have to look at exchanges in the same light. A lot of people just want to quickly sign up for an exchange. They don’t want to take a couple of minutes. So it boils down to business and conversion rates for the exchanges.

Laura Shin:

Yeah, and when I did the story on this previously, I did ask Coinbase about why it is that they still…at least at that time. I’m actually not sure right now, but at that time, why they still offered 2FA via text message, and they said the reason is because for users that don’t have smartphones, it was still more secure than…you know, for kind of lowest common denominator users, that was the better form of security, and obviously, for people who have higher security needs, that was not sufficient. So one other thing that Harry mentioned is about not storing your backup codes on a computer or anywhere digital. So how should people store their backup codes?

Harry Denley:

So you can print them and store them physically, somewhere secure in either a nice place that you know, like maybe a bank vault or maybe your parents’ place or a safe or somewhere. You can also store them on external hard drives, things that are not always connected to the internet.

Laura Shin:

And how do you protect against, you know, fire or just…paper does not seem like a super safe way to store a backup code.

Rich Sanders:

There’s tons of solutions for this, and it really just depends on how much time and money you want to put into it. On the higher end, there’s things like crypto seals which you can use for private keys or seed phrases, and Harry, correct me if I’m wrong, but I think those run, like, 130 bucks. Alternatively, what you can do is you can run over to your local hardware store, grab a piece of scrap steel, buy a punch kit, and it’ll cost less than 20 bucks and take you about 15 minutes to chisel in an entire private key, and that’s going to be offline, fireproof, and waterproof. If you want to make it theft proof, as well, then simply split it into two or memorize a portion of it.

Laura Shin:

All right. Okay. Well, I feel like this is the same conversation I always have about securing crypto where every time I get to that part where you have to store something offline, I’m like, I feel like I’m going to lose that right away, but anyway, okay, so we talked about, obviously, you know, two-factor authentication via text message or phone call is not a good option.

We talked about how Google Authenticator is another good option, but there are a few other ways that people can use…or a few other things that people can use for their second factor. One would be a physical device, like a YubiKey, and then Google also offers something called Advanced Protection, which appears to be physical token based, but can you describe what those options are and who should opt for that, as opposed to something like Google Authenticator?

Harry Denley:

I think it was a recent update, or maybe it was just super hidden and it was just made public to me a couple weeks ago. Google has an advanced security section where you can add a YubiKey to your account for two-factor authentication. YubiKeys are not super expensive for the security that they give. So, really, they could be used for anyone depending on their paranoia on if they’re a target or not, although you could assume that you’re always a target in cryptocurrency. So although Google Authenticator is a good default, if you are super paranoid or you assume that you’re a target, then upgrading to a YubiKey is a good move.

Laura Shin:

Okay, and so then let’s talk about some other accounts. We’ve been focusing on Google quite a lot. You also talk in your post about the importance of securing Apple accounts. Why is that important, and how should people secure those?

Harry Denley:

So Apple, like Google, also has cloud storage, which I think, when you set it up, all of the pictures that you take on your iDevices are sent to cloud storage. I may be mistaken if that’s not default, but some people take pictures of maybe their IDs or their backup codes, and unknown to them, it’s automatically sent to cloud storage. So if your Apple account gets hacked, then they’ve got access to those photos, as well. Also your location data. They could also factory reset your phone so they could maybe extort you that way. Hey, I’ve got access to your iCloud. I could reset your phone or lock you out of your phone.

Laura Shin:

And I believe that the iCloud account does require a phone number. So, in this case, which phone number should people use?

Harry Denley:

That is the phone number that is with your iDevice I think. My only experience with Apple devices is iPhone. So I’m unsure if you can have an iCloud device for that iPhone. Can you?

Laura Shin:

Well, so I think the phone number that they should use is the one that is probably the one that can’t be ported, right, the Google Voice or Google Fi number?

Harry Denley:

Yeah. Though, if you have an iPhone, then it’s, by default, your iPhone number I think. I may be wrong.

Laura Shin:

Yeah, because that’s through your carrier, right?

Rich Sanders:

The other thing, too, when it comes to anything with Apple ID is that it’s going to notify you on a sign-in request on a new device. So that’s an additional layer of protection that actually is a default within that.

Laura Shin:

Oh, that’s true. Right, but yeah, I don’t think that’s related through your phone number. Anyway, so let’s also now talk about you guys did mention password managers and how people should use those. Are password managers in the browser such as, you know, Chrome or Safari or whatever will manage your passwords, are those not secure enough?

Harry Denley:

They are, assuming your Google account doesn’t get hacked, as the passwords are saved to your profile if you sync your storage across devices. So if they log into your Google account on a new device and sync the storage, they’ll get access to your saved passwords.

Laura Shin:

So what do you recommend people do?

Harry Denley:

Have a dedicated password manager, separate application, such as 1Password or Enpass or LastPass, something like that that they can generate independently from Chrome, generate passwords independently from Chrome.

Laura Shin:

And then how should they set up their security on their password manager? Because it feels like if that’s compromised, then…

Harry Denley:

Yeah. So the good thing about password managers is you only need to have really one master super secure password, which you can store offline maybe with engraving it in metal or something, but then you can also have backups and store those offline, as well. So if your main machine that is connected to the internet gets a RAT, then there is near zero chance that someone could extract your backups that are stored on your main machine, because you’ve stored them offline, and do an offline attack and brute force the login there.

Rich Sanders:

And to build off of what Harry’s saying, too, one thing that’s definitely worth bearing in mind is that SIM swapping is just one of several vectors that anyone in this industry should be cognizant of, and while you’re going through all these steps to secure yourself from SIM swapping, you could be secured in the sense that you’ve told your phone carrier what to do, you’ve set up your Gmail, but looking at OGUsers is kind of the case study.

If anyone’s familiar with Ian Balina, the cryptocurrency influencer that was hacked for about, think it was, 2-1/4 million dollars’ worth of various cryptocurrencies last year, that was perpetrated by a group of SIM swappers, but the vector there actually wasn’t a SIM swap. It was a database dump that…you know, Harry alluded to this earlier. Old college email, old password that was used. So it is worth bearing in mind that there are a lot of low-hanging fruits for these individuals that are not by any means super sophisticated hackers.

Laura Shin:

Yeah, as far as I understand, a number of them aren’t even really…they’re not, like, real crypto…it’s not like they even really understand crypto. They’re really just criminals, right?

Rich Sanders:

Well, they understand crypto within the context of how to use it and how to get into exchanges. I wouldn’t say they have the knowledge of the technology nor the industry that the folks in this podcast do, obviously. However, I also wouldn’t say, for the most part, most of them are career criminals. They’re obviously criminals in the sense they’re doing the SIM swapping.

And they’re criminals in the sense that they almost always have SIM swapped more than one individual, so they’re repeat offenders, but it’s not like most of these folks have a long track record. That being said, if you look at the folks with OGUsers, they’re criminals with a track record in the sense that a lot of them as kids did stuff like a lot of script kiddies do. Back then, they were into DDoS’ing, and it’s like I was talking about earlier.

They were into stealing accounts just to have the OG accounts. So they have a track record with that, with swatting. The head of that ring was actually arrested and extradited to the US years and years ago when he was a minor. So they have criminal history in that sense, but these aren’t folks that are, you know, super sophisticated black hat hackers that have been going at this for a decade.

Laura Shin:

Yeah. Yeah, that was I think a line I had in my article, which was that you might call them hackers, but it’s not like they’re doing any fancy computer work. They’re just calling up a customer service rep repeatedly until they find one who will send them the phone number. All right, so we kind of touched briefly on Telegram. You know, you mentioned that the default was that people’s phone numbers should be exposed. So how do people secure their Telegram account?

Harry Denley:

So since one of the latest updates to the privacy settings, your phone number attached to your Telegram account is made public, so you should go and make that private and also configure the invite privacy so not just anybody can invite you to a new group and maybe expose some details that way. So, for example, if you have all of the default settings on, someone finds your Telegram handle, invites you to a group, and then a bad actor is in that group, sees you got invited, looks at your profile. Oh, I know this guy because he’s big in cryptocurrency. This is his mobile number. Thanks, Telegram. So step one to securing your Telegram account is to configure your privacy settings away from the defaults.

Laura Shin:

All right, and then so we’re not going to get to every single place where people should lock down their security, but your post does kind of go through a lot of the main honeypots that these perpetrators go for, and you know, some that come to the top of my mind are Dropbox or Evernote. What are some of the other types of sites or apps that people should be sure to lock down and make secure?

Harry Denley:

Their social media, such as Facebook and Twitter, maybe LinkedIn. They could either pivot from your social media and pretend to be you and message your friends to get some more information about you, or you have maybe on social media, maybe your Facebook account, you lost your phone maybe three years ago, and you made a post saying, hey, lost my phone. Here’s my new number. Text me your numbers or something like that, which I see quite often in my circle of friends.

And by default, maybe Facebook privacy settings has made that post public. So someone goes to your Facebook account and looks back at your posts maybe 3 or 5 years ago. There’s your phone number in plain sight. So go to pretty much all of your social media accounts, active and now not active, ones you don’t use anymore, and configure the privacy settings there on each one. It may take a while, but the benefit you get outweighs the time it takes.

Laura Shin:

And are there any others?

Rich Sanders:

It doesn’t hurt to secure bank accounts, as well. So I don’t see a lot of SIM swapping that involves liquidation of bank accounts, but I have seen it, and it really boils down to…so here’s kind of an interesting thing. I mentioned the overwhelming majority, if not all, major exchanges do Google Authenticator in addition to SMS, whereas banks, I haven’t seen a majority of banks have a Google Authenticator option. A lot of them are stuck on SMS as a 2FA. So considering, you know, it is still less likely that a SIM swapper’s going to go for that instead of an exchange account, it is worth making sure that you lock down bank accounts, as well. Use a secure password. Use a Google Voice number.

Laura Shin:

All right. So now let’s talk about what people should do if their phone number is ported. So, you know, they start to notice they don’t have any signal. Maybe they’re starting to see these notifications in their emails about other accounts they’re supposedly trying to log into. So, at that point, what do they do?

Rich Sanders:

Well, it starts off with a race against time. So, immediately, they need to be getting on the phone with the mobile service provider. The sooner they’re doing that, the sooner they’re cutting the problem off at the source. As they’re on the phone with the mobile service provider, they want to be, if at all possible…you know, if the SIM swappers didn’t change the password, they want to be regaining access to their Gmail or email provider. They want to be killing any active sessions on Telegram. They want to be locking down their exchange accounts as much as they can. That might not be possible until they get their phone number back, but they should be making an effort while they’re on the phone with the service provider.

Laura Shin:

And when they talk to the service provider, you wrote about how they should be logging information, as well. What do they need to record?

Rich Sanders:

So, at a bare minimum, what the service providers are going to have is an IMEI, and the person that’s getting SIM swapped doesn’t necessarily need to get that right away, but they will need to get that at a point for the law enforcement. The thing is this, is that I mentioned earlier, the majority of these go unreported, especially the ones that do not result in financial loss. They almost never go reported, and they should anyway, but even the ones that do result in financial loss, the majority of these reports, which I mentioned earlier, they don’t have adequate data, and one of those data points is the IMEI.

Laura Shin:

And what is the IMEI?

Rich Sanders:

It’s a unique identifier for each mobile phone.

Laura Shin:

Okay, and why is that important exactly?

Rich Sanders:

Because based upon that IMEI, law enforcement might be able to determine where that device was purchased, who it was purchased by, and there’s actually some mobile carriers…for example, I know T-Mobile will actually send you an email whenever your phone is ported. It’ll tell you the old IMEI and the new one.

Laura Shin:

Oh, okay. You also mention in your post that people should take notes on everything and obsessively screenshot. So what should they be notating, and what should they screenshot?

Rich Sanders:

Well, they should absolutely annotate who the person they’re talking to, the service provider, is, right, because they want to say I spoke to this person, their employee ID number. They switched my phone back. The phone carrier should have logs of who made the actual SIM port for the SIM swapper. They may or may not…they usually won’t provide this to the actual victim, but mentioning, hey, you know, make sure this is retained, right, that’s a huge, huge step.

Law enforcement should be able to contact this mobile service provider and get that data. Going onto…yeah, this is really where the law enforcement reports fall short. On Gmail, your access history, you’re going to see IPs in there. On exchanges, same thing. You’re going to have access history. Those are all things that you’re going to want to include in a law enforcement report. Any device information that you could possibly get, you want to include in there.

Withdrawal transactions, you want to include those, too. It’s absolutely baffling. You know, in one sense, you want to feel bad for these victims, but you have to look at this from the law enforcement perspective. If law enforcement can’t tell, you know, what the device was or where it was or can’t do anything on chain looking at the transactions and finding out where the funds went, they’re simply not going to be equipped for success.

Laura Shin:

And who in law enforcement should victims call? Just the police or who?

Rich Sanders:

So, in the US, what you would file is called an IC3 report, which is at IC3.gov, and again, this is another unfortunate thing. Just because crypto’s so new to most people, most people don’t know that answer, and they’re going to default, either call the local police. They’ll go to the local police. Even most local police don’t know where to report this stuff, but this would always fall under IC3 if you’re a US citizen. If you’re abroad, that answer changes. Typically, that answer is it’s still handled at the federal level. Our website actually has a list by country of where to report cyber crime of this nature.

Laura Shin:

Okay. So I guess people need to prepare for a long road of dealing with all this and gathering all this information to try to get their money back. One other thing I wanted to ask was, so if a victim loses access to their email account, how do they get access back?

Rich Sanders:

Well, presuming that they lost access because they did an SMS reset, if the SIM swapper added different details…and this is, by the way, operating under the presumption that it’s Gmail. Gmail has a way to request access back, and that might be different information they ask of you that you input when you first created the account, and then they’ll actually review it, and that might take a few days. That’s the unfortunate thing, which is why, as we were discussing earlier, you want to, as much as possible, create these buffers in between.

Laura Shin:

Yeah, I’ve heard some people did not get access back to their Gmail for months. So, yeah, that’s a huge I think headache if that happens. All right, so what have we not covered that you think people should know about this topic?

Harry Denley:

I think once you’ve identified that you’ve been SIM jacked, your exchanges and email accounts are being accessed, you should monitor for any foreign API keys, especially on exchanges, and any foreign apps linked to your Gmail. So, for example, you get access back to your Gmail, your exchanges. You think everything’s dandy, but maybe three months down the line, you see a withdrawal via an API request that…because you forgot to check API keys on exchanges, and the bad actors made some API keys when they had access to your exchange account, or you see access to your email account from a strange app that was authorized when you didn’t have access to your email, and the bad actors have made maybe like an application that can read and write your email inbox. So they would still have access, but you wouldn’t know.

Rich Sanders:

I think one thing that’s worth expanding on is that, yeah, we are dealing with decentralized assets here, and the protections that society is used to in the past, like chargebacks, those are gone, and yes, law enforcement will try to handle these cases, provided that they have adequate information. Dealing with cryptocurrency, dealing with blockchain tech, you’re dealing with a general loss of the centralized protections, and that places an inherent responsibility on the end user to bolster their security.

And these security steps, I mean, reading that entire thing, you mentioned it takes 50 minutes, but doing everything in there, you can get that done in less than one full day, and I see people that take all this time to discuss cryptocurrency on Telegram, go to conferences, monitor CoinMarketCap every five minutes. If people have the time to do that, they can set aside one day to make sure their security is properly set. We cannot continue to have a mentality that it’s this carrier’s fault or it’s this exchange’s fault, because it’s simply not.

They’re service providers, and you know, especially within the context of mobile carriers, they were not the ones that asked to become custody solutions. That’s not what you’re paying your mobile carrier to do, and it’s kind of almost hypocritical that there’s a mentality that we want decentralization. We want to move away from government controlling this, but the same people spouting that belief are often the same people that are saying we should sue the phone carrier or we should sue the exchanges.

You have to be the one that’s responsible for this, and there’s a big line between security and convenience. You know, Harry and I really share this mentality, which is we’re not expecting people to summon the blood of a unicorn to log into every single one of their accounts. So, yeah, it boils down to…Harry used a really good example earlier, which is you could put on steel something for, like, your password manager, and that would be something that’s not very convenient to get to, but that is your master key. Everything else is conveniently accessible.

And I would look at your cryptocurrency the same way, right? We’re no longer in the days of centralized protections where it’s in a bank and you don’t have to worry about it. You’re going to want to keep the majority of what you have in something that’s very hard to access. If you want to have funds that are accessible for, you know, day trading or investing in ICOs or whatever the case might be, that’s fine. You know, not everything has to be on a hardware key, on steel, separated in two different locations, but it should be a small amount.

Laura Shin:

All right. Yeah, I definitely would concur with that, that the phone carriers do not see themselves as a lynchpin in your security setup, which they are, but they don’t view their role that way, and so, for that reason, you need to do everything you can to I guess patch that vulnerability right there. All right. Well, thank you both so much for coming on the show. Where can people learn more about you and MyCrypto and CipherBlade?

Harry Denley:

They can learn about MyCrypto at Medium.com/MyCrypto. We do publications about MyCrypto, MyCrypto side projects, and just security-related things within the cryptocurrency ecosystem. Also Twitter.com/MyCrypto or MyCrypto.com.

Rich Sanders:

And they can learn more about CipherBlade by going to CipherBlade.com, and we’ve also got social media channels, and I encourage folks to check both of us out because there’s an old saying that an ounce of prevention is worth a pound of cure, but I would argue in this industry, it’s actually worth a ton of cure.

Laura Shin:

Yeah. Yeah, and we can put a dollar sign on that, too. All right. Well, thanks both of you for coming on the show.

Rich Sanders:

Thanks for having us. It was a pleasure.

Harry Denley:

Thank you.

Laura Shin:

Thanks so much for joining us today. To learn more about Rich and Harry and MyCrypto and CipherBlade, check out the show notes inside your podcast player. If you’re not yet subscribed to my other podcast, Unconfirmed, which is shorter and a bit newsier, be sure to check that out. Also, find out what I think are the top crypto stories each week by signing up for my newsletter at UnchainedPodcast.com. You can sign up right on the homepage. Unchained is produced by me, Laura Shin, with help from Fractal Recording, Anthony Yoon, Daniel Nuss, and Rich Stroffolino. Thanks for listening.