Q: What is SIM Swapping? [23]
According to reports, all users of T-Mobile have had their data leaked and made available for purchase on the dark web; for customers who use financial apps, a hack is coming very soon.
Well hello there, my friends.
This is yet another week where the news dominates our conversation, and prevents me from putting out some of the content I had planned (and I’m developing quite a bit of a backlog of great content to share with you).
This week, though, we’re going to talk about a serious security threat to not just bitcoiners, but anyone who uses digital FinTech (including centralized services like Venmo or CashApp): SIM Jacking.
While I was putting together the newsletter this week, news emerged that TMobile, one of the nation’s largest mobile carriers, was hacked and had user data released for sale on the dark web. We’re not talking about a small leak, either, but around 100 million user records.
If you take T-Mobile’s word for it (based on the user counts disclosed in quarterly earnings), this is their entire user base, and likely part of the user base of its recently acquired subsidiaries, Sprint and MetroPCS. Believe me when I say the following: If you’ve talked about any financial product as a user on public social media, you will be hacked soon, and it is not an enjoyable experience.
This is an experience I’ve been through more than once. I’ll talk about it, and more importantly, what you can do to prevent it from happening to you!
Because this is an important topic and a major security threat to a large portion of my audience, I’m making this issue freely available to everyone on the list.
Thanks to my paying subscribers who make this possible. Consider buying an ADB NFT from one of them to pay it forward!
Thanks for your support!
As always for those who are, thank you for being a subscriber to my newsletter! Your support makes all this possible. If you think you know someone who’d benefit from this issue, feel free to forward them this email!
If you’re someone who got this email via forward, use the following link to try us out for another two weeks, free!
As is appropriate for a newsletter on the topic, you’re able to purchase your subscription using a variety of cryptocurrencies, including Bitcoin!
And, of course, there’s this new thing we’re doing with art NFTs (read more, read more paid) where you can buy some cover art and own a lifetime subscription to the pub!
Blockchain Bulletin
Poly Network DeFi site hit by massive attack for $600M worth of crypto. Cross-chain DeFi site Poly Network got hit by what it calls a “white hat” hack for $600 million, reported CoinTelegraph, after quite the saga, and now most of the funds have been returned.
BitPay integrates Google Pay wallet app. Cryptocurrency payment service BitPay now allows users with BitPay prepaid MasterCard cards to add their cards to the Google Pay Wallet App, reported PYMNTS.com.
Venmo users can get crypto as ‘cash back’ rewards. PayPal-owned Venmo has started its own cash back program that pays in crypto, according to CoinTelegraph, where users can opt to earn different cryptocurrencies when they make payments.
Blockchain Behind the Scenes
Soccer star Messi signing at Paris St Germain includes crypto. Famous soccer star Lionel Messi has accepted a deal that will include cryptocurrency as part of his signing bonus in a celebrity deal that represents a significant part of his “welcome package.”
DAO Maker hack leads to approximately $7M in losses. In yet another hack of the week, startup token crowdfunding site DAO Maker suffered a hack that lost the company $7 million in losses; although the company was quick to respond, over 5,000 cryptocurrency accounts suffered losses.
Blockchain Deep Dive: How do I protect myself from SIM Swapping?
Blockchain Bulletin
Poly Network DeFi site hit by massive attack for $600M worth of crypto
The cross-chain decentralized finance site Poly Network was hit by a massive hack that drained approximately $610 million worth of crypto tokens last week. The network runs across Ethereum, Binance Smart Chain, and the Polygon blockchains.
To date, the hacker who hit the network has returned almost the entire amount stolen and has refused the $500,000 “white hat” bounty, and apparently has been in communication with the Poly team about the nature of the attack, according to CoinTelegraph.
The initial hack was discovered by the Poly team and published quickly to Twitter with the addresses the tokens were traced to, reported by CoinDesk on Aug 10. This included pleas from Poly Network to miners to freeze the assets.
Over the next few days, the hacker began to talk to the team, and the community, and explain the exploit. The hacker communicated via embedded messages in Ethereum transactions and appeared to be a non-native English speaker, and gave an AMA.
The hacker first returned approximately half of the tokens. When asked why they picked the Poly Network the hacker claimed that “cross chain hacking is hot” and “hacking is fun.”
As for why the hacker was taking so long to return all of the funds, they said it was because they needed to remain anonymous and because they needed rest. Also, in the transcript, when asked why they had traded some of the coins, the hacker said, “I was pissed by the Poly team for their initial response.”
According to the hacker, he or she felt that the Poly team had directed others to hate them before knowing their intent. In the AMA the hacker tried to make it clear that the plan was to reveal the exploit and not to steal anything.
BitPay integrates Google Pay wallet app
BitPay, cryptocurrency payment services provider, has announced that U.S. BitPay Prepaid MasterCard cardholders can now add their cards to Google Wallet and spend cryptocurrency using Google Pay, reported PYMNTS.com.
“Consumers are seeking more new places and ways to spend their crypto and we want to make their experience fast, easy and secure,” said BitPay CEO Stephen Pair.
Support for BitPay is planned for Apple Pay and Samsung Pay soon.
New card customers waiting for their physical cards can add their virtual card to Google Wallet and start spending immediately.
“Adding Google Pay makes it easy and convenient for customers to live life on crypto and benefit from the increased value crypto provides from day-to-day items to luxury purchases,” said Pair.
Venmo users can get crypto as ‘cash back’ rewards
Paypal-owned payments app Venmo now enables users to get crypto as cashback rewards as part of the company’s new “Cash Back to Crypto” program, reported CoinTelegraph.
Credit card customers who opt into the new program can earn between 1% and 3% “cash back” as crypto assets on select purchases.
The app currently supports four cryptocurrencies: Bitcoin, Ethereum, Litecoin, and Bitcoin Cash. The new feature can be activated by selecting it on the rewards tab of the credit card home screen.
Venmo believes this is a great way to introduce people to crypto by providing a way for them to earn some from purchases.
Blockchain Behind the Scenes
Soccer star Messi signing at Paris St Germain includes crypto
French club Paris St Germain's signing fee for soccer superstar Lionel Messi will include cryptocurrency fan tokens issued by the French club in what is expected to be the largest celebrity endorsement of crypto assets to date, reported Reuters.
The tokens were included in his “welcome package,” which the media reported was approximately worth 25-30 million euros ($29-35 million USD) but the club did not disclose how much of the package would be made up of tokens. However, it was said to be “significant.”
"We have been able to engage with a new global audience, creating a significant digital revenue stream," said Marc Armstrong, PSG's chief partnerships officer.
According to the report, fan tokens are a type of cryptocurrency issued by Socios, a creator of fan tokens, which made the $PSG tokens. Socios said that tokens have generated $200 million in revenue for partner clubs in 2021 and Messi’s deal is already beginning to see returns.
Celebrity attention to cryptocurrencies can have a profound effect on mainstream adoption. This has been seen now repeatedly on already existing markets when Elon Musk
DAO Maker hack leads to approximately $7M in losses
It’s been a bad week for decentralized finance. Newsweek reported that yet another hack has hit over 5,000 cryptocurrency accounts at DAO Maker, a crowdfunding site for startup companies, resulting in the loss of approximately $7 million in assets.
DAO Maker CEO Christoph Zaknun confirmed the attack saying, "We decisively moved the unaffected funds to a brand-new secure wallet, while users are still able to withdraw their funds unimpeded, should they choose to do so."
The hackers stole USDC from the site and swapped it for Ethereum, because USDC can be more easily frozen.
In order to help understand the attack and better shore up defenses, DAO Maker has contacted Cipher Blade, a blockchain forensics team, to help recover the stolen funds.
As reported above, this hack closely follows the hack of the Poly Network.
Blockchain Deep Dive: What is SIM Jacking, and how do I protect myself from it?
Yesterday, around 100 million T-Mobile customer data records were exposed and offered for sale on the dark web, and as I sit typing this, another data breach was reported by the company, exposing 40 million other user records from a different data set (personally identifiable data, credit records and social security numbers).
This isn’t just a recent development. As mobile devices become increasingly intrinsic to our daily lives, it’s impossible to overstate the number of ways this impacts us. In speaking with a lawyer on an unrelated crypto legal issue back in October, she said that in some cases the governmental seizure of mobile devices is being protested on the grounds that it’s an invasion of privacy, in that we are essentially becoming de facto cyborgs, with a good chunk of our biological memories and cognitive processes having been offloaded to silicon-based computing devices we keep in our pockets.
It’s pretty bonkers to imagine that, in that context, we’re all walking around with a gaping security vulnerability in our brains — but here we are.
Much like being the victim of a home invasion or a mugging, you don’t realize how vulnerable you are until it happens to you.
“Rizzn gets SIM-Swapped.”
In mid-2019, I was amongst about 20-30 other higher profile Bitcoiners on the TMobile network who were SIM Swapped after having been identified on Twitter as being a bitcoiner. I spoke to a local CBS affiliate (alternate link) some time after the event when it was revealed that Twitter CEO Jack Dorsey was also targeted by these hackers.
What is SIM-jacking (sometimes called SIM-Swapping)? It’s when a hacker has enough personally identifiable information about you to call in to your mobile provider and social engineer the customer service team into switching your phone service to a new device, usually for the purposes of accessing secondary accounts.
In my case (and the case of the dozens of others who were penetrated), the grift went like this:
Look for folks mentioning finance apps/protocols. In my case, they were specifically trapping on the names of folks involved with Bitcoin, but folks who mention using any crypto, as well as common digital wallet platforms like Venmo, CashApp or PayPal, have also been known to be targeted.
Crosscheck the names and personally identifiable info from the captured social data with real world databases. If you Google “reverse phone lookup” or “lookup address,” you’ll get a dozen or two services that for $20 or so will allow you to have infinite access to public databases.
Crosscheck that refined data with hacked databases from T-Mobile and other carriers available for purchase on the Dark Web. Using dark net markets, it’s trivially easy and cheap to purchase cracked databases as individual records or in bulk. If the hacker has a large enough dataset, they can cross check you (their hacking target) with datasets of previously compromised users. In the past, this may have been a hit-or-miss process, but effectively every T-Mobile user (and a significant chunk of other carriers’ users) has had some or all of their data included in a leak or hack.
Batch up the users by likely net worth and hit them in groups all at once so companies don't have time to react at the corporate level. In my particular situation, they went as far as to get a co-conspirator to get hired at a T-Mobile store in Maryland as a manager, and switch all of the compromised accounts manually. If they don’t have an inside man, particularly with the level of data available from this recent hack at T-Mobile, social engineering them via phone support or a local store would suffice.
The moment the SIM swap has occurred successfully, have a team that immediately goes to work to compromise the accounts. In my circumstance, they went straight to work trying to compromise my cloud email and notes files, looking (no doubt) for stored private keys and exchange logins.
Once the email backup has been initiated, begin the work of trying to reset passwords. In most cases, a relatively normal account won’t have multi-factor authentication turned on, or if it does, it’ll be set up to send a text message. Between the email account, the phone number and the forgot password link, all the major targets should be hackable within minutes. Once those accounts are penetrated, it’s a simple matter of transferring funds away from the victim to a controlled account.
In my instance, I happened to be sitting up late in bed on my phone working while watching TV with my wife. It was a relatively simple matter to catch them in the act and re-secure my accounts the first time it happened (although if my wife wasn’t nearby with a secondary line on the same plan, it would have been significantly more difficult to recover my account).
The second time it occurred, I had beefed up my security across all my accounts, and they were only able to SIM swap me, but weren’t able to get into any of my cloud accounts. After the first attack, I attempted to follow best suggested practices and have my account security beefed up on the mobile carrier side, but it didn’t seem to make much of a difference.
Perhaps the worst part of all of this is that there is very little that can be done if you end up getting robbed using this method. My case (as well as the dozens of others hit in the same attack) was investigated by the Seattle branch of the FBI, but despite repeated followups with law enforcement, no movement was ever made on the case.
At this point, I’m of the opinion that despite SIM-swapping being very much a crime that is not victimless, it is in fact a crime that, if executed with a modicum of planning, can go unprosecuted, whatever damages may occur.
There are a lot more details to the case, if you’re interested in how it went down, which I discussed in depth with Gary Leland on his “Crypto Cousins” podcast a few years ago.
Can I just ignore this attack?
In short, almost certainly not. If you’re on T-Mobile, and you’ve ever mentioned owning a Venmo, CashApp or PayPal account, or mentioned any major cryptocurrency or blockchain technology on a public social media profile, you’re going to be hacked… it’s not a matter of if, but when.
Despite whatever best efforts may or may not be occurring at the major carriers, the truth of the matter is that even when they know a specific customer is going to be targeted, none of the procedures they put in place ever seem to be enough to protect their users.
Wired reported yesterday on the most recent T-Mobile breach:
The trove includes not only names, phone numbers, and physical addresses but also more sensitive data like social security numbers, driver's license information, and IMEI numbers, unique identifiers tied to each mobile device. Motherboard confirmed that samples of the data “contained accurate information on T-Mobile customers.”
Regardless of what PINs and protections you ask of T-Mobile, armed with this data, even an incompetent social engineering attempt would likely succeed.
What are the best moves to protect myself, then?
The best thing you can do to protect yourself is leave T-Mobile. Most, if not all, major carriers are similarly vulnerable in the same way that T-Mobile is, but what we do know at this point is that 100% of all T-Mobile customers have had their data exposed. Personally, I’m preferential to the newer mobile company that Ryan Reynolds owns (because it’s more or less equivalent service for a far cheaper price), but if for whatever reason that’s not an option, you can do some things to protect your finances from would-be SIM jackers.
Do the “security audits” on your Google and Apple accounts. These are first stops after penetrating your mobile accounts. Make sure you have security settings turned up to the max.
Do not store your private keys and mnemonics ANYWHERE in the cloud. Do not put them in your cloud notes, or in your email drafts folder. These are the first places hackers will check.
Any services that you use which offer 2FA or MFA, turn it on. 2FA stands for “two-factor authentication” and MFA stands for “multi-factor authentication.” Most services that offer these options will ask you to set up 2FA/MFA through the use of your mobile number. This protection is better than none at all, but if your account has been compromised in the T-Mobile attack, it leaves it very vulnerable.
A better option is to use an MFA app like Authy or Google Authenticator. I’m preferential to Google Authenticator, but either is fine. Google Authenticator is, in my experience, just as secure as Authy, but a bit more user friendly when it comes to porting to a new device. If using Authy, you can set up an “airgapped backup” for your safety deposit box, but disable multi-device once you have it set up (same with Apple Watch or even laptop use on Authy). It’s OK to enable multi-device to add a new device, but don’t forget to turn it off.
Call your provider and set up maximum security for your account. Right now with T-Mobile, this will likely barely slow an attacker down, as they’ll likely be able to bypass any additional security by providing personally identifying information. That said, it’s one of the only things you can do, so ask that your PIN be required for all account actions, and set a PIN with the max digits they offer (it's 6 digits with T-Mobile). Store managers can still override this option at their discretion, but at least you’re limiting attack vectors this way.
Ask them to require someone to show ID when making any changes at a T-Mobile store. This is something easily defeated by a skilled scammer (Fake IDs are not that expensive), but it will at least raise the barrier of attack a little via that vector, and make you slightly less desirable as a target.
As bleak as it sounds, I’ve yet to hear of a single carrier that has this problem licked. By the very nature of being large, multi-national conglomerates (and centralized ones at that), it’s seemingly impossible to provide a level of security necessary to prevent these bad actors.