SIM Swap Attacks: Basic tips for better operational security

in bitcoin •  6 years ago 

SIM swaps are crushing the cryptocurrency industry. Victim after victim can be found on Twitter just by searching "sim swap." From experience investigating SIM swaps, most victims share the same weakness: their accounts rely on SMS for 2FA or password recovery, so once the attacker controls the phone number they receive the codes and take over the accounts.

What I have also learned is that attackers are very tactical and patient when choosing their victims. They use your online footprint against you: they know your time zone, they know your schedule, and they know the right time to execute the SIM swap.

Even if you are security conscious and have taken the necessary steps, you can still be compromised by insider threats, social engineering, and fake IDs used inside telecommunication stores. This is why it is critical to do a personal security check of your accounts to see how they hold up. Below are best practices gained from investigating cases in which attackers stole funds from digital currency users.

Operational Security (OPSEC) Review:

Avoid advertising long-distance travel on social media. This gives attackers a time frame for when to execute the SIM swap, and a window in which you are less likely to notice your phone losing service.

Review all of the photos on your phone and delete every screenshot of a recovery key or seed phrase. Print the screenshots you need, store the printouts in a safe place, and delete them from your phone (and from any cloud photo backup they may have synced to). Yes, if you have thousands of photos this will take time. Take the time now, so that when you are attacked it is one less thing to worry about.

Password-protect all of the personal notes on your phone. Make sure this password is different from your email and other account passwords.

Do NOT post screenshots on social media that show your mobile carrier in the status bar. Make it a little harder for the attackers to know which carrier to target.

Use an authenticator app such as Google Authenticator (GA) for everything. Uber? Yes, GA 2FA. Instagram? Yes, GA 2FA! Twitter? YES! Your authenticator app should scroll because you have so many accounts tied to it. A time-based code generated on your device never touches the carrier network, so someone who has taken over your phone number does not receive it. Once the app is enabled, remove the SMS option, otherwise the phone number remains the weakest path into the account. Write down your authenticator backup codes in case your phone is compromised or lost, and store them with the same care as your passwords. Bottom line: if a company supports an authentication app, use it.

Consider using an external security key such as a YubiKey or Google Titan for email and other services that support it. I understand from personal experience that a hardware key for email access can be very inconvenient, but it is often necessary. If you are high profile and have a large online footprint, you should seriously consider one.

Use a hardware wallet such as Blockchain Lockbox or Trezor to store funds you are not actively trading or spending.

Check all of your email addresses on haveibeenpwned.com to see whether they appear in known breaches, and change any password that was exposed.
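The same service also lets you check a password itself without revealing it, via the Pwned Passwords range API, and the way that works is worth seeing. The following is an added example written for this page, not code from the original post or from Have I Been Pwned: the client SHA-1 hashes the password, sends only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/<prefix>, receives every suffix in that bucket with its breach count, and matches the rest locally. The sample response embedded below is constructed for the example (the counts are made up), but the prefix 5BAA6 is the real SHA-1 prefix of the string "password".

```python
import hashlib
import urllib.request

PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"   # real HIBP endpoint


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """k-anonymity split: only the 5-character prefix ever leaves your machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    prefix, _ = split_for_range_query(password)
    return PWNED_RANGE_API + prefix


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of breach appearances, decided locally by matching the 35-char suffix."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10) -> str:
    """Live lookup (needs network). Add-Padding masks response sizes from a passive observer."""
    req = urllib.request.Request(
        PWNED_RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "opsec-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a response for prefix 5BAA6. The middle suffix is the real
# remainder of SHA-1("password"); the counts and the other two suffixes are invented.
# Padded responses from the real API include zero-count filler lines like the last one.
SAMPLE_RANGE_5BAA6 = """\
1E2A9C7F0C8B31E1E69AFCB4D2B9F6A5B3C:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F0D3B7AB8C0E9A4D5F6E7B8C9D0A1B2C3D:0
"""

if __name__ == "__main__":
    print("request goes to:", range_request_url("password"))      # prefix only
    print("seen in breaches:", breach_count("password", SAMPLE_RANGE_5BAA6), "times")
```

To run it against the live service, replace the sample with `fetch_range(prefix)` for the prefix returned by `split_for_range_query`; the password itself is never sent.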

Do not use the same passwords for cryptocurrency accounts and emails.

Bookmark the sites you visit regularly and use the bookmarks instead of search results or links in messages, to fight phishing attacks.

Install an antivirus tool on your computer to defend against malware that tries to steal your personal information.

Purchase a VPN for your phone and computer, and use it any time you connect to public Wi-Fi or travel internationally. If you can hotspot from your phone, that is always better than public Wi-Fi.

Do not use your personal carrier phone number for any of your accounts if you can avoid it. Use Google Voice or an app such as Burner instead; a VoIP number cannot be ported at a carrier store. Make sure VoIP numbers are not used for SMS 2FA or SMS recovery on any account either: VoIP is no good for SMS 2FA, and the account behind the VoIP number becomes a target of its own.

Write all of your passwords down and store the list in a safe place (a safe or safe deposit box, not your phone or email). Password managers are great, but at the end of the day nothing beats a written copy that no remote attacker can reach.

If you regularly discuss sensitive company or personal financial matters, consider using messaging that automatically erases the content after a set period of time.

IF you must HODL on an exchange:

REMOVE SMS 2FA VERIFICATION, and remove your phone number as a recovery option wherever the exchange allows it.

Enable an authenticator app.

Require 2FA for every transaction made from your wallet.

Enable the withdrawal address whitelist, so funds can only be sent to addresses you approved in advance.

Consider using a vault if one is available. Some exchanges offer this service; it requires a 48-hour waiting period to remove funds and two separate email addresses to approve the movement of the funds.

Together, these steps mean that if you are the victim of a SIM swap you should have 24–48 hours to fight back before the attacker can move your funds.
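To show why these settings buy time, here is an added example (not code from the original post, and not any exchange's real API) that models the four controls as one withdrawal policy: an authenticator code is required for every withdrawal and SMS is not an option, destinations must be on the whitelist, a vault hold of 48 hours applies, and two separate approver mailboxes must sign off. The `attacker_timeline` function walks an attacker who has just taken over the victim's phone number through the policy; the addresses, mailboxes and timestamps in it are constructed for the example. Verifying the authenticator code itself is left to the caller (a TOTP check like the one shown earlier), so this block only receives the result.

```python
from dataclasses import dataclass, field

VAULT_DELAY_SECONDS = 48 * 60 * 60   # the 48-hour vault hold described above
REQUIRED_APPROVALS = 2               # two separate email addresses must approve


@dataclass
class Withdrawal:
    amount_sats: int            # integer satoshis so the arithmetic is exact
    address: str
    requested_at: int           # Unix time of the request
    approvals: set = field(default_factory=set)
    cancelled: bool = False
    released: bool = False


class VaultPolicy:
    """Hypothetical model of the exchange controls above; not a real exchange API."""

    def __init__(self, whitelist, approver_emails):
        self.whitelist = set(whitelist)        # addresses approved in advance
        self.approvers = set(approver_emails)  # two separate mailboxes
        self.pending = []

    def request(self, amount_sats, address, authenticator_ok, now) -> Withdrawal:
        # SMS is not accepted anywhere in this policy. The caller must have verified an
        # authenticator (TOTP) code, which a SIM swap alone does not give the attacker.
        if not authenticator_ok:
            raise PermissionError("authenticator code required for every withdrawal")
        if address not in self.whitelist:
            raise PermissionError("destination is not on the withdrawal whitelist")
        w = Withdrawal(amount_sats, address, now)
        self.pending.append(w)
        return w

    def approve(self, w, email) -> int:
        if email not in self.approvers:
            raise PermissionError(f"{email} is not an approver")
        w.approvals.add(email)
        return len(w.approvals)

    def cancel(self, w) -> None:
        # the owner's move: any time before release, kill the pending request
        w.cancelled = True

    def seconds_until_release(self, w, now) -> int:
        return max(0, w.requested_at + VAULT_DELAY_SECONDS - now)

    def release(self, w, now) -> bool:
        """Move funds only if not cancelled, fully approved, and the hold has elapsed."""
        if w.cancelled or w.released:
            return False
        if len(w.approvals) < REQUIRED_APPROVALS:
            return False
        if self.seconds_until_release(w, now) > 0:
            return False
        w.released = True
        return True


def attacker_timeline() -> dict:
    """Walk an attacker who holds the victim's phone number through the policy (constructed data)."""
    t0 = 1_700_000_000
    policy = VaultPolicy(whitelist={"owner-cold-wallet-address"},
                         approver_emails={"owner@example.com", "backup@example.net"})
    outcome = {}
    # 1. With only the phone number (no authenticator code), nothing moves.
    try:
        policy.request(100_000, "attacker-address", authenticator_ok=False, now=t0)
    except PermissionError as e:
        outcome["no_totp"] = str(e)
    # 2. Even with a stolen authenticator code, a fresh destination is rejected.
    try:
        policy.request(100_000, "attacker-address", authenticator_ok=True, now=t0)
    except PermissionError as e:
        outcome["not_whitelisted"] = str(e)
    # 3. A whitelisted withdrawal still waits 48 hours and needs both approvals.
    w = policy.request(100_000, "owner-cold-wallet-address", authenticator_ok=True, now=t0)
    policy.approve(w, "owner@example.com")
    outcome["released_after_1_approval"] = policy.release(w, now=t0 + VAULT_DELAY_SECONDS)
    policy.approve(w, "backup@example.net")
    outcome["released_at_24h"] = policy.release(w, now=t0 + 24 * 3600)
    # 4. The owner notices the lost phone service inside the window and cancels.
    policy.cancel(w)
    outcome["released_after_cancel"] = policy.release(w, now=t0 + VAULT_DELAY_SECONDS)
    return outcome


if __name__ == "__main__":
    for step, result in attacker_timeline().items():
        print(f"{step}: {result}")
```

The only path that moves funds is a whitelisted address, a valid authenticator code, both approvals and a full 48 hours with no cancellation, which is exactly the window the owner needs to regain the phone number, lock the account and contact the exchange.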

Secure your accounts today! Tomorrow is too late!

Consider hiring CyChain to review your online footprint so you are better prepared in the event of an attack.
CyChain is a Digital Currency Risk and Advisory firm. You can contact us here: www.cychain.net or directly at [email protected].
