SIM swapping attacks involve tricking or bribing a phone company into assigning someone else’s phone number to you; once you have the number, you can intercept SMS-based two-factor authentication messages and use them to take over accounts.
Though SIM-swapping is laughably easy (thanks to lax security in the mobile phone industry), it’s still not fully automatable, and so SIM-swapping attacks usually target higher-value accounts, such as valuable social media handles, domain takeovers, and cryptocurrency wallet hacks.
Last weekend, parties unknown launched a wave of SIM-swap attacks against US cryptocurrency owners, succeeding in some cases, with at least one $100k score.
Some of the targets were saved by their use of hardware tokens or mobile apps for their two-factor authentication. 2Fa is generally very effective, even against targeted attacks; using a separate app or token is an extremely powerful form of security.
ZDNet also spoke with some of the other victims over the weekend. Some candidly admitted to losing funds, while others said the SIM swapping attacks were unsuccessful because they switched to using hardware security tokens to protect accounts, instead of the classic SMS-based 2FA system.
One victim, who wanted to remain anonymous, said that once hackers realized access to cryptocurrency exchange accounts was not possible, intruders quickly switched tactics and targeted social media and email accounts, successfully hijacking the victim’s Instagram account.
This exact same thing also appears to have happened to other users, with hackers taking over social media accounts over the past week when they realized they couldn’t access cryptocurrency accounts.
Wave of SIM swapping attacks hit US cryptocurrency users [Catalin Cimpanu/Zdnet]
(via /.)