A hacker’s insight into SIM-swap & social engineering

Ethereum co-founder Vitalik Buterin’s troubling SIM-swap

In September 2023 it was reported that Ethereum co-founder Vitalik Buterin had his SIM card swapped. Attackers socially engineered his phone provider, posing as Vitalik, and obtained a new SIM card carrying his phone number. With control of the number they reset his X/Twitter account, which was possible because the platform allowed account recovery with nothing more than SMS verification.

We want to give extra attention to SIM-swaps because they have become a very common attack vector over the last few years and, as this case shows, even tech-savvy and high-profile people are at risk.


SMS verification on major platforms

Unfortunately, many platforms still offer password recovery or resets by phone/SMS. This is not limited to X/Twitter; other big-name platforms such as Google and Discord do the same. Besides password recovery, many platforms also accept SMS as a second factor for two-factor authentication, which means a SIM-swap defeats that second factor as well.


Protect your online identity: disable SMS verification

Due to customer demand we do offer SMS verification as an option, but we strongly recommend that you use app-based two-factor authentication instead, as it is far more secure: a code generated on your device cannot be obtained by taking over your phone number.

It is a good exercise to go through your accounts on every platform and verify that phone/SMS verification is disabled. Even better, where possible don’t provide a phone number at all, or remove it afterwards if the platform requires one at sign-up (looking at you, Google!). Don’t use phone/SMS as a two-factor solution where you can avoid it, although there are still plenty of platforms that offer nothing else.


Opt for two-factor authentication

Where possible, always use either a one-time password (OTP) generated by a dedicated authenticator app or passwordless login with passkeys for two- or multi-factor authentication. Both are bound to your device and to a secret the phone company never sees, so a swapped SIM gives an attacker nothing.
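To show why an authenticator app is not affected by a SIM-swap, here is a minimal RFC 6238 TOTP implementation (the mechanism behind apps such as Google Authenticator). This is an added example, not code from the original post or from any particular vendor. The only inputs are a shared secret and the current time; no phone number is involved anywhere. The secret used below is the RFC 6238 test-vector secret, so the codes it produces can be checked against the RFC. The verifier also tracks the last accepted counter, an assumption about the server side added here so that an intercepted code cannot be replayed inside its validity window.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# Real secrets are random and shared once, usually as a base32 QR code.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Server-side check.

    Accepts a code for the current time step and `window` steps either side
    (clock drift), but never for a counter at or below `last_counter`, so a
    code that was phished or intercepted cannot be reused. Returns the counter
    that matched (the caller stores it as the new `last_counter`) or None.
    """
    if for_time is None:
        for_time = int(time.time())
    if not (code.isdigit() and len(code) == digits):
        return None
    base = for_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(text: str) -> bytes:
    """Decode a secret as shown in a provisioning QR code / 'setup key' string."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding apps usually drop
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Codes from the RFC 6238 test vectors (SHA-1, 6 digits): time 59 -> 287082.
    print("code at t=59:", totp(SECRET, 59))
    print("current code:", totp(SECRET))
```

The server never learns anything from the carrier, which is the whole point: an attacker who has swapped your SIM still has to obtain the secret from your device. Note that the verification window makes a code valid for about 90 seconds rather than 30, which is why tracking the last accepted counter matters.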

Treat your mobile phone number like any other private data: it is a unique key and identifier for you as a person.

If possible, don’t add it to mail signatures or publish it anywhere online. If you are in sales, use a dedicated contact number that is never used for authentication.


Protect your online identity

Keeping other private details such as your own and your parents’ full names, your date of birth, address and passport details off the public internet helps a lot as well, since this is exactly the information an attacker needs to impersonate you in a social engineering call to your phone provider.

Be careful about what personal information you provide when signing up for any service, as a data breach at that service could expose it and it could later be used against you in social engineering attacks. Unless legally required, don’t provide in-depth details about yourself; give only what is absolutely necessary.

Remember that in 2023 most breaches involved social engineering (phishing, SIM-swaps or phone calls) to gain initial access to organisations.
