How to Protect Your Bitcoin Against a SIM Port Attack
If you own a significant amount of cryptocurrency such as Bitcoin, and especially with the Bitcoin value rising, you likely know that storing it in an exchange-hosted wallet isn’t such a smart idea. Because the wallet’s private key is held by the exchange, you don’t fully own the wallet and therefore aren’t in complete control of your digital assets. However, many of today’s top exchanges offer security precautions that actively encourage people to use their wallets. Unfortunately, this puts people at risk of SIM port attacks, in which attackers are able to copy their SIM card to another device without their authorization. In this article, we’ll explain everything you need to know about how to protect your bitcoin against a SIM port attack.
It’s 2019, why are people still storing bitcoin in exchange wallets?
It’s widely known that storing bitcoin or any cryptocurrency on an exchange-hosted wallet isn’t recommended over the long term. According to Group-IB, an international cybersecurity firm, 19 exchanges have been hacked since 2011, resulting in the combined loss of over 1.2 million bitcoins. However, many exchanges have introduced stringent security practices to address the threat of hacks, and this has incentivized users to leave their cryptocurrencies idling in exchange wallets.
These include:
- 2FA
Most exchanges strongly encourage their users to set up two-factor authentication (2FA) protection on their accounts. Popular 2FA options include sending an email with a confirmation link to a specific email address or sending a code via SMS to the user’s phone to verify a sign-in attempt.
- Cold storage
Many exchanges keep a high percentage of their users’ assets in cold (offline) storage, where they are protected from hacks and other attacks. Some exchanges even let users create a secure ‘vault’ for this purpose.
- Free insurance
Top exchanges cover all users’ cryptocurrency assets with a comprehensive insurance policy. This is a strong incentive for many bitcoin holders given the cost of bitcoin storage insurance premiums.
These measures have helped encourage users to view exchange-hosted wallets more favorably. However, the exchange insurance policies don’t cover user error, where people unwittingly lose their personal information, such as their sign-in details, or have it stolen. Cases such as SIM port hacking, although not directly the fault of the user, are not covered.
What is a SIM port attack?
Many bitcoin holders currently have SIM-based 2FA set up on their cryptocurrency exchange accounts. This precaution is vulnerable to a SIM port attack where an attacker ports a user’s SIM card to a phone they control. To understand how this works, let’s first look at authorized SIM porting.
Authorized SIM porting
If you want to transfer your phone number to a new device, you can ask your mobile carrier to carry out a SIM port. There are a variety of reasons why you may need this, including any time you switch mobile carriers or upgrade to a new phone.
SIM port attack
A SIM port attack is when an unauthorized source (anyone except you) initiates the port. This could be done in one of three ways:
- Collecting your personal information (date of birth, address, etc.) and then calling your mobile carrier pretending to be you and requesting a SIM port.
- Working with a source inside the mobile carrier to port your SIM without the company’s authorization.
- Hacking into the back-end system used by the mobile carrier to bypass security measures.
Following the port, the attacker can initiate password resets on any account that uses your SIM as a 2FA option, such as your email account. They intercept the verification code and take control of your SIM card.
With access to both your SIM and your email account, the hacker can then use that information to gain access to your exchange account. They can usually find which exchanges you are registered with by going through your emails, or they may have this information already.
SIM port attacks show the limitations of using a SIM-based method to protect any digital assets such as bitcoin that are stored in an exchange-hosted wallet.
How to protect your bitcoin against a SIM port hack
With SIM port hacks on the rise, it’s clear that SMS-based 2FA alone is no longer sufficient for protecting exchange-hosted wallets. Fortunately, there are a number of easy precautions that you can take to safeguard your bitcoin and other crypto assets.
- Limit your online footprint
By far, the most common method used by SIM port hackers is collecting personally identifiable information and then spoofing your identity to the mobile carrier operator. Take steps to limit the amount of publicly available data about you that is held online. You can do this yourself, or pay a specialist company to help you.
- Use an authenticator app
Instead of relying on SMS-based 2FA, try using an authenticator app. Apps such as Authy and Google Authenticator turn your phone or tablet into a physical security key. This way, even if a hacker ported your SIM, they would still need to physically obtain your mobile device to take control of your exchange account.
- Use Google Voice
If your exchange doesn’t support authenticator apps, you can create a Google Voice phone number and use this for 2FA. Unlike SIMs, Google Voice cannot be ported.
- Use a secondary email address
SIM port attacks highlight the danger of protecting everything through one email address. Try creating secondary email addresses for 2FA purposes on sensitive accounts that you use. Keep these confidential and never post them online.
- Use an offline password manager
Offline password managers such as KeePass can help you protect your passwords and create stronger passwords for your email and exchange accounts.
- Buy a hardware authentication device
Many cryptocurrency exchanges already support the Universal 2nd Factor (U2F) protocol, meaning that you can use a hardware authentication device such as a YubiKey to protect your account. These small devices generate one-time passwords that let you access any service with which they are connected. As you physically control this device, it cannot be spoofed.
- Use a hardware wallet
Transferring your bitcoin or cryptocurrency out of an exchange-hosted wallet could incur network fees and/or withdrawal charges. This is one of the main reasons why so many people leave their funds idle on exchanges in the first place. However, moving large amounts of crypto to a hardware wallet is the best overall solution for long-term storage.
Today’s hardware wallets from the likes of Trezor, Ledger, and KeepKey are the best overall way of keeping your bitcoins safe. A hardware wallet keeps your private keys offline and gives you the security of a cold (offline) storage solution with the convenience of a hot (online) wallet when you want to sign transactions.
Final thoughts
If you’re ready to take your bitcoin security seriously, take heart from the fact that most safeguards are completely free and take just a few minutes to set up. With the Bitcoin value rising, Bitcoin and other digital assets deserve rigorous security as new threats are constantly emerging. You may have never experienced a SIM port attack, but the steps you take to guard against it today may save you from a threat that emerges in the future.