If you are actively responding to a SIM swap, I recommend reading this guide. You need to freeze your phone number asap to shut the hacker out, recover your number by going to a physical store, and lock down your accounts starting with your email.
tldr: I got SIM swapped last weekend and you probably will too. Here’s how I walked away relatively unscathed (knock on wood) and what you should do to protect yourself.
“Tony Sheng,” I say.
“xxx - xxx - xxxx.”
“Alright, you’re all set. Just go to guest list and show them the text I sent you and they’ll let you in.”
I thank the man who says he’ll get us into that night’s Zedd show. My wife Anna and I walk back to our room.
Back at the room, we watch the NBA finals game until it’s time to get ready to go out. I check my phone. No service. Odd because I definitely had service earlier in the day.
I check my texts. No text from the promoter. So either he never sent it or I haven’t had service since we met with him.
Little alarm bells go off but I don’t think what might have happened actually happened. I turn to Anna and murmer “I wonder if I got SIM swapped.”
I check my email. “Microsoft account password reset.” Definitely didn’t do that. Maybe I did get SIM swapped.
A notification in Telegram says an unknown session was initiated somewhere in Washington state. We’re in Las Vegas.
I call my carrier and while I’m on hold (for over twenty minutes, by the way), I google for instructions on how to deal with a SIM swap. Nothing particularly useful.
While I wait for my carrier to pick up, I mindlessly flip through shitposts on twitter until I realize I should ask my very smart followers. Which I do. As I engage with the comments, I realize that at least I still have access to twitter. And email. So I’m not entirely pwnd.
I have Mason’s excellent “Minimum Viable Security” post to thank for that. After reading it, I followed most of its advice and it prevented the worst from happening. More on that later.
Priority number one is to shut the hacker out.
My carrier finally answers, takes ten minutes to verify who I am, and confirms that my number has been ported to another SIM card. How? They don’t know.
They suggest that I go to a physical store in the morning. There’s no way I’m waiting until the morning. I ask them to freeze the number so nobody can use it in the meantime. They tell me that’s a good idea and do it. I can’t decide whether to laugh or rage at their incompetence. Imagine giving the hacker another twelve hours with the number active.
Luckily, I’m in Vegas and the store, like everything else, is open late. We go in. A woman sits us down and commiserates.
“This is so common. I got swapped just a few weeks ago. But luckily I work here and saw them changing my account info and shut it down.”
This doesn’t make me feel better but I make a note of it. At least she’s familiar with this scenario. The phone rep did not seem to know what to do.
A few minutes later and I have access to my number again.
“All done. No charge of course,” she says.
I consider saying something sarcastic but decide not to. I ask her if there’s anything I can do to prevent this from happening again. She says not really. And there’s nothing she can do from the store. I’ll have to call in to change my passwords or make notes on my account.
I thank her and we leave.
As we walk down the strip, I try to regain control of my Telegram account but realize that I can’t–the hacker put a 2FA password on my account that I can’t remove. After a few minutes of research I find an option to delete my account. I do that. Turns out the best way to leave telegram groups you don’t want to be in anymore is to lose access to your account and delete it.
I check my accounts. No suspicious logins. I’m satsfied for now and we enjoy the rest of our night.
I walked away relatively unscathed. (So far. Knock on wood.)
But after posting to twitter, I received some alarming messages from SIM swap victims. Some had lost hundreds of thousands of dollars. Others had their identities stolen; loans and insurance policies taken out in their names. Even simply recoving an email account sounded nightmarish.
How bad could it get? Here’s some SIM swap gore from Vice.
Money stolen from bank accounts
Credit cards issued and sent to the hacker
Loss of access (changed passwords) to sensitive accounts
And while most of these victims will recover their funds (banks are pretty good at reversing fraudulent transactions), they won’t recover their time or sense of security.
For crypto holders, the stakes are higher. An exchange can’t reverse a fraudulent transaction and probably won’t reimburse you from their balance sheet. When you lose crypto, you lose for real.
Another common attack is posing as the victim on social media or messaging apps and asking for funds from friends. Over the last week alone I’ve received half a dozen messages from close contacts who had been swapped asking me to send them BTC or ETH for an emergency.
How did I manage to minimize damage? In roughly priority order:
1. Disassociated my phone number from my email address.
If you connect your phone number to your email, then a hacker with your phone number can reset your password and take over your email address.
Once they have your email and your phone number, they can reset passwords on pretty much all your accounts for which you don’t have physical 2FA (like a Yubikey).
Step 1 is far and away the most important. If you haven’t done this yet. Stop reading and do it now.
2. Used an authenticator app without cloud backup
I use a password manager and 2FA for everything. But that’s not enough if your 2FA is linked to your phone number. SMS (text message) based 2FA is obviously compromised in a SIM swap but authenticator apps with cloud backup could be as well. For example, the popular Authy app allows the owner of the number to download the private keys for that account.
Instead, use physical 2FA like a Yubikey when possible and Google Authenticator (which does not back up any keys to the cloud) when not.
These two preventative measures kept the hacker out of my email and sensitive accounts. But what if they had gotten access?
3. Held no crypto on exchanges
I don’t hold crypto on exchanges unless I absolutely have to which is almost never. Had hackers gotten access to my exchange accounts they would have been disappointed.
4. Didn’t store any sensitive information on the cloud
Things like KYC documents, private conversations, private keys (obviously), and anything else you wouldn’t like published publicly should not be stored unencrypted in the cloud.
I haven’t been perfect at this but I’m in the process of deleting accounts and encrypting sensitive information. In this case, I got lucky. The only account the hacker got access to was my inactive Microsoft OneDrive account (which only contains a chapter of a shitty book I drafted in 2013) and my telegram account (where I try to be very polite to others).
What could I have done better?
First off, not be a public figure. Being visible and especially visible in crypto makes you a target. Even writing this post probably elevates my risk, but if it helps a few people it’s worth it. But I knew that eventually I’d be targeted which motivated me to take the preventative measures I listed above.
Second, get on Google Fi which is not as vulnerable to social engineering as the major mobile carriers.
Third, activate 2FA for my Telegram account. I had no idea this feature existed (and based on the convos I had after the hack, most others didn’t either). In Privacy and Security, you can set up a “Two-Step Verification” password that can be recovered by your email.
Finally, follow all the instructions in this very detailed guide.
The rate of SIM swaps has rapidly increased. Over the last week alone, at least a dozen of my contacts have been hacked. Which means there are more victims that don’t want to share.
What saved my butt is assuming that one day I would be targeted. I recommend you do the same. How prepared would you be if somebody SIM swapped you tomorrow?
Happy to answer questions and help out where I can. This is bad stuff and I think we’re just starting to appreciate the scale of these attacks.