What is SIM swapping?

Tara Annison
3 min read · Sep 29, 2023


In September this year, Vitalik Buterin (co-founder of Ethereum) became the latest target of a SIM swapping attack. His Twitter account was compromised and used to send a tweet directing his 4.9 million followers to a fake Consensys website where they could claim a ‘commemorative NFT’ in recognition of the upcoming proto-danksharding work.

Sadly, many people believed it was legitimate and followed the link. They even connected their wallets to try to claim the NFT, and this led to losses of nearly $700k in NFTs and tokens.

So what happened to Vitalik’s account?

As he detailed on the alternative social media platform Farcaster, he was the victim of a SIM swapping attack.

This is where a bad actor calls up your phone company (in his case, T-Mobile) and convinces them that your phone number needs to be moved to a new SIM card. They will likely pretend to be you, claiming that you’ve lost access to the old SIM or changed tariff and need a new SIM. Most often this alone isn’t sufficient and there will be security questions on your account, so the scammers will likely have been gathering information on you from social media, sending you phishing emails or even installing spyware on your device. Once they have the information needed to pass the security checks, your phone number can be ported across to their SIM card and all messages and calls will be diverted to their device — including 2FA texts for the accounts they’re then going to try to breach!

Vitalik had connected his Twitter account to his mobile number as part of the Twitter Blue subscription, meaning that while it wasn’t set as his two-factor authentication method, the phone number alone could be used to ‘recover’ (or in this case, take over) his account! It’s as easy as going through the ‘Forgot password’ process and entering someone’s phone number — which illicit actors can find from your Telegram if you haven’t set your number to private!

Notably, this isn’t the first time T-Mobile has been involved in a SIM swap attack. Back in 2020 they were sued after someone lost $8.7m worth of crypto, and in 2021 someone had $450k pilfered via a SIM swap.

To avoid this type of attack:

- Remove your phone number from Twitter and Telegram and don’t include it on business cards

- Enable 2FA on accounts using an authenticator app, NOT SMS

- Keep a wary eye on phishing emails and suspicious links which could be intended to social engineer information from you

- Limit the personal information you post on social media and never share information related to security questions for accounts (e.g. first pet’s name, mother’s maiden name, first car, favourite teacher, etc.)

- Where possible, add PIN codes or additional security to bank accounts and mobile phone providers as an extra layer of security
