Unchained - How to Keep Your Crypto From Being Stolen Via Your Phone - Ep.128

Episode Date: July 16, 2019

Rich Sanders, cofounder and chief security officer of CipherBlade, and Harry Denley, director of security of MyCrypto.com, discuss the phone porting phenomenon: who's behind these thefts, how they perpetrate them, who is targeted, how to recognize the signs you're a victim and how the hackers are adapting to people protecting themselves. They cover how you can protect yourself, which accounts to protect, what kinds of email addresses and numbers to set up, how to set them up, how to separate them from anything valuable, and which two-factor authentication methods could work instead. Plus, they go over how to report a theft, to whom you should report, and what information to include.

Thank you to our sponsors!
Crypto.com: https://crypto.com
Kraken: https://kraken.com
CipherTrace: https://ciphertrace.com/unchained

Episode links:
MyCrypto: https://mycrypto.com/ https://twitter.com/MyCrypto https://medium.com/mycrypto
CipherBlade: https://cipherblade.com
The SIM Swapping Bible: https://medium.com/mycrypto/what-to-do-when-sim-swapping-happens-to-you-1367f296ef4d
My Forbes story covering the phone hijacking phenomenon: https://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#1964ddb738ba
Michael Terpin, awarded $75 million in case after losing $24 million in crypto: https://www.coindesk.com/crypto-investor-awarded-over-75-million-in-sim-swapping-hack-case
Cody Brown, who lost $8,000 on Coinbase due to a phone hijacking: https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac
BitGo engineer losing his money via SIM porting: https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124

Transcript
Starting point is 00:00:00 Hey everyone, just a quick announcement before we begin today's episode. Thanks to everyone who participated in our survey. We got lots of great and helpful responses and many of you said really nice things about the show. So thank you for that. I just want to take a moment to dispel a few myths that I saw. Several people suggested that I cover the news in some way and many people were unaware that I have another podcast, Unconfirmed. Well, guess what? Unconfirmed is a shorter 20-minute podcast where I tend to dive into that week's news. It comes out every Friday and it's on all the same platforms that Unchained is, so you can find it wherever you listen to this show. Some others were unaware that we do put the podcast on YouTube. It's audio only, but you can find and subscribe to Unchained as well as Unconfirmed on YouTube. It's also on Spotify for those who asked and a host of other platforms like Pandora, Stitcher, TuneIn, Google Play, iHeart, and many others, including, as some of you have discovered, United Airlines. Also, for those of you who requested transcripts, we have them for Unchained. They may not be published right at the exact moment that the podcast goes live, but they are
Starting point is 00:01:08 always on the website within a couple days. Finally, we have five winners of a free Casa Bitcoin Lightning Node, plus a free year of Casa's gold membership, including a multisig security app for iPhone and Android, a Trezor hardware wallet, a Casa Faraday bag, and 24-7 support. The winners are Andy from Denver, Gabby Civils, Henry Elder, Julian Gall, and Rosemary Heather. Congratulations. Thanks again to everyone who participated in the survey, and thanks to Casa for this donation. Now, on to the show. Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host,
Starting point is 00:01:51 Laura Shin. It's not easy keeping up on all the news in crypto. If you want a short and quick look at what I think are the top stories every week, sign up for my weekly newsletter. Just go to Unchainedpodcast.com and enter your email address into the box right on the homepage. Sign up today. Interested in the crypto weekend retreat I'm teaching with Meltem Demirors of CoinShares and Jalak Jobanputra of Future Perfect Ventures in September? If so, be sure to check out the show notes for the link to sign up. Also, Unchained is now on YouTube. You can find the most recent episodes there every week on the Unchained podcast channel. Kraken is the best exchange in the world for buying and selling digital assets.
Starting point is 00:02:30 It has the tightest security, deep liquidity, and a great fee structure with no minimum or hidden fees. Whether you're looking for a simple fiat on-ramp or leveraged options trading, Kraken is the place for you. CipherTrace's cutting-edge cryptocurrency intelligence powers anti-money laundering, blockchain analytics, and threat intel. Leading exchanges, virtual currency businesses, banks, and regulators themselves use CipherTrace to comply with regulation and to monitor compliance. Grow your crypto and earn up to 8% per year with crypto.com. It's the place to buy over 40 coins at true cost with no fees and no markups. Download the crypto.com app today. The topic of today's episode is SIM swapping, also known as phone
Starting point is 00:03:22 hijacking or phone porting. Here to discuss are Rich Sanders, co-founder and chief security officer of CipherBlade, and Harry Denley, Director of Security at MyCrypto.com. Welcome, Richard and Harry. Thanks for having us on. The topic of today's show is a phenomenon that's been hitting crypto people in particular for at least three years now. And what happens is victims get their phone numbers compromised, which can lead them to having their crypto stolen or being extorted or having other bad consequences. So before we dive into the meat of this discussion, though, why don't you guys each briefly describe your companies? Harry, why don't we start with you? What does MyCrypto do? Sure. MyCrypto is a blockchain interface right now to the Ethereum
Starting point is 00:04:12 blockchain. It also is an interface so you can manage your funds and tokens, sending and receiving. And Rich, what about CipherBlade? CipherBlade's a blockchain investigative firm. We investigate scams or hacks. We also provide advisory to exchanges, to ICOs, and we also provide legal services. And your two companies teamed up on this massive post. Post isn't even a word because you guys called it in the title a Bible, which is probably a better word. It takes 50 minutes to read. And it covers in detail these kinds of attacks, how to prevent them, and what to do if you fall victim to them. Describe what this attack typically looks like. What is it that the attacker does?
Starting point is 00:05:02 So what one of these attackers will do is they're either going to social engineer a phone service representative or they're going to have an insider in the phone company. And what they're doing is they're changing who owns the phone number associated with the account. So they're going to basically port it to another SIM card. That's why it's called a SIM swap. Once they do that, what they're able to do is they're able to reset any accounts that phone number is connected to. So, for example, a lot of people, instead of using Google Authenticator, they have it still set to SMS reset.
Starting point is 00:05:35 So from there, they'll be able to reset a Gmail. And then from there, people usually, if they're going to have money stolen from them in the SIM swap, they might make the mistake of having a private key or a seed phrase stored in Google Drive. Or from the Gmail, they might search and see what exchange accounts this person has. Those exchange accounts might also be resettable via SMS reset, and that's how financial loss takes place. And so how does the initial piece happen where the phone number gets switched to a different device? So what ends up happening is one of these SIM swappers will either call the phone company and pretend to be that individual. And a lot of people don't have security
Starting point is 00:06:14 settings on the account. So it's really just a matter of sounding convincing. And if they don't have security settings, they're just going to need to know really basic info, like possibly address or some very, very basic stuff that can be found via open source. Other times what ends up happening is that there's an insider within the phone companies, which is essentially an employee that the SIM swappers will pay in order to port the phone number to a different SIM card. That's the initial setup. Wow. And how are the perpetrators finding those employees? So that's a big misconception. I've read and heard that a lot of it, apparently, it's believed that it comes from sharing phone numbers at conferences, which is actually not the case.
Starting point is 00:07:04 The majority of the time, it's just a matter of these SIM swappers looking at who has a decent net worth and who looks like an easy target. It's a hybrid of the two. And there's all kinds of, they're called OSINT tools. And you can go out there and go on like Spokeo or TruthFinder and plug in someone's name. Odds are you're going to be able to find their phone number. Oh, but actually I meant when the perpetrator wants to find an employee to bribe, how do they do that? Do they just like walk into a store, or do they call the mobile carrier directly
Starting point is 00:07:39 and ask the CSR, hey, can I give you money if you do this thing, or how does that part work? I've never seen either of those take place, but I've never seen one clear-cut way that I would say is the methodology for that. Sometimes it does come out to outreach. I would say the most common one I have seen is that it's one of these SIM swappers that has a friend that joins a company with the explicit purpose of doing this. But I've also seen them kind of outreaching on other forums,
Starting point is 00:08:06 especially the SIM swappers that were with that group OGUsers. They would find people with these phone companies perusing through LinkedIn and Facebook and engage them on burner accounts. Okay, and just describe for people who OGUsers are? So OGUsers is, slash possibly soon to be was, a website where a lot of the users on there would go after what were called OG accounts. And those were typically Instagram or Twitter or Steam or other types of accounts that had desirable usernames, like things that would be only three letters or they were
Starting point is 00:08:41 considered to be rare accounts. There was a marketplace for them. And a large portion of those accounts were illicitly obtained. And essentially, where that evolved, is that it evolved from them stealing accounts into stealing money. Okay. And they have, I guess, done a number, like how wide scale are the attacks that they have done, these like SIM swaps? So just to clarify, not everybody on OGUsers was a SIM swapper within the context of what we're discussing now, which is SIM swapping relevant to cryptocurrency.
Starting point is 00:09:18 They were really big on account hijacking in general, but it was a select portion of them that engaged in SIM swapping with the explicit intent of financial gain. So if you Google like SIM swappers arrested, you see names like Joel Ortiz or Joseph Harris, Xzavyer Narvaez, they were all the OGUsers that decided that they were going to go after money. All right. And then just to go back, when we were talking about how the attacker will call the phone company and get the phone number switched to their device. What if you do have a PIN code on your account? Does that protect you?
Starting point is 00:09:59 Not all of the time. And that's for two reasons. If there's an insider within the company, well, then that's moot. If there is not an insider and they're doing the traditional social engineering approach, there's a couple of different things that can happen. The service rep can entirely overlook it, or you have to bear in mind you're dealing with social engineers. And the unfortunate reality is that these phone service reps, and this is not disrespect intended to them, but these are not folks that are compensated extremely highly and extremely trained. So think of it like this. If you're doing your first job, you're early on in your career field, and somebody calls you panicking, freaking out, my husband needs this account unlocked. It's an emergency. I need to get in touch with him. Odds are you're going to end up getting convinced to ignore having a PIN code on the account. There's also other things that I have seen. Like I've seen PIN codes and passphrases that are extremely easy to guess, like last four of a social or, you know, numbers of a street address, which are just sloppy opsec practices.
Starting point is 00:11:00 All right. So from the victim's side, what happens? How, if it's happening to me, what would be the signs that I'm now being targeted in this way? Right. So you'll see, suddenly your service will go and you'll have no signal. You won't be able to receive inbound or outbound calls or messages. Or sometimes you'll get a call back from the CSR saying, hey, we got disconnected, let's continue the conversation. And that just means that they got a CSR that they couldn't social engineer first try, at least, to port your number to a different SIM. And then I believe they also, if they are successful, then they start trying to get into your email accounts and stuff. So would you also experience other kind of signs that have to do with your email? Yeah, that depends on how you set up your email. Assuming you've only got SMS 2FA on your email, then you will maybe see on your phone that you'll be signed out of
Starting point is 00:12:14 your email account or you'll get a notification on a backup email associated with the email address saying a new login attempt. If you don't have SMS 2FA and you have something like Google Authenticator or Outlook Authenticator, then you'll get a notification on your phone from the app to say, authorize this login. So then once, so let's say that they do get into these accounts, in particular your email. What are they, what do these attackers typically do once they get into an account like that? They would look into your email inbox to see what kind of emails you get from exchanges to see which exchanges they can pivot to and get access to. Sometimes they would do reset passwords.
Starting point is 00:13:05 And then since they've got access to the email account, resetting the password is trivial, assuming you don't have another method of two-factor authentication such as Google Authenticator. Although they can maybe open a support ticket with your email address saying I lost my 2FA backup codes, can you remove 2FA? And to build off of that as well, a big mistake that I see a lot of
Starting point is 00:13:33 is people will store their KYC documents on something like Google Drive. So it's fairly easy for one of these SIM swappers, even after the fact, to social engineer one of these exchanges into transferring or removing, rather, Google Authenticator. Another thing that's worth mentioning is that these SIM swappers almost always operate in teams.
Starting point is 00:13:52 So they're going to have the person that does the actual breach, whether that breach is the social engineering of a service provider or the insider. Once that happens, though, they have multiple people. They have someone that's going to search the account, like how I was talking about, seeing which exchanges. They've already got copy and paste. They're going to query every exchange. They're going to query for private keys. And then from there, they're just dividing and conquering. Yeah, when I wrote about this in 2016, the intro kind of incident that I described was one in which Jered Kenna, who founded one of the earliest Bitcoin exchanges, Tradehill, which didn't last super long, but he was a very early miner.
Starting point is 00:14:37 And when I say very early, as he described it, sometimes he would hook up to the network and there would only be four people on the network. So he was earning those 50 bitcoins every 10 minutes, you know, fairly frequently. And he said that he believes that within seven minutes, he was locked out of 30 plus accounts. So, you know, when you say that there are people working in teams and they sort of, you know, comb your email and just keep locking you out and changing your passwords and everything, like they know what they're doing. They're doing it quickly. And they can do multiple accounts because there's a number of these people, you know, within a matter of a few minutes. And this was, you know, even before he really understood what was going on with his phone. So, all right. So what are some of
Starting point is 00:15:24 the worst consequences you've seen for the people who have been victims of such attacks? Like how much money have they lost or have they been extorted in some fashion or like what are some of the various ways this has played out for them? So this is a really wide variance of financial loss. And typically the lower end is in the 30 to 50k range. And then at the higher, higher end, you have like Terpin, who lost the 24 million. Michael Terpin. Yep. And it's typically not in the seven-figure plus range.
Starting point is 00:15:57 It's typically in the 50K to six digits range. However, one trend I definitely have noticed, especially this year, is that typically people now have the wherewithal to have either Authenticator on the exchange or not store a private key or a seed phrase on Google Drive. But what's typically going on is that these people will get SIM swapped and what ends up happening to swap their primary email is they'll have a recovery email that they can use for the account. So even if you have Google Authenticator on your main Gmail account, if you have an old email, one that you probably entirely forgot about, it could be like an old work or college email that you had secured via SMS.
Starting point is 00:16:39 That's how they're getting in. And the change in tactic, the way that the SIM swappers are continuing to monetize it this day, is that they're transitioning to extortion. So they might steal business documents, SAFTs, whatever the case might be, and threaten to leak them. They might threaten to leak, this is going to be a little crude, I'm not sure if this needs to be added to top for the podcast, but they might threaten to leak nude photographs. And that's how they're continuing to monetize it for the most part. Wow. And then they want payment in crypto, so it can't be reversed. Correct. And so you sort of alluded to this earlier, like, who are the attackers targeting? It seems to be maybe not always the highest net worth people. I mean, net worth is one of two indicators. It's always a balance. And the example that I always like to give people is that if you have $5 billion, but it's secured like Fort Knox, and you have $5 million and it's secured behind a screen door, well, then what's the more attractive target, the one that's behind the screen door, right? So it's a balance of the two. And you said that they're finding them via conferences, or how are they figuring out who to target? So that's a big misconception. I read that one quite a lot, that people were believing that because they gave out their phone number at Consensus, that's why they were getting targeted. I haven't seen anything that indicates that to me. I mean, this could all be done hypothetically,
Starting point is 00:18:00 100% remotely. You don't need to go in person to get somebody's phone number. You could find it via an OSINT tool. So as far as how they're identifying who these people are to even run their names in an OSINT tool, that's simply a matter of being on Telegram, reading Reddit, following what's going on in the industry. Especially one of Telegram's recent updates was your mobile number attached to your Telegram account was made public and you had to opt in to turn that off with your privacy settings. So that could be another way that, being remote, you could get someone's phone number. Yeah, I literally just figured that out. And I was like, oh, my God, I can't believe that people were able to see my phone number. So is law enforcement making any headway in finding the perpetrators? They absolutely are. I mean, if you look at the slew of arrests that took place just last year, thanks largely to REACT and the FBI. The thing is this, is that law enforcement has very few staff that are extremely proficient in this. And that's not a knock on them.
Starting point is 00:19:05 It's roughly the equivalent of any one of us being asked to perform surgery on a horse. We have absolutely no context or background. A lot of these cases are assigned to law enforcement personnel that barely have any cyber experience, let alone blockchain. And if you marry that with the just harsh reality that, A, the majority of these go unreported to law enforcement, and B, the minority that actually do get reported simply don't have adequate data, then a lot of those will go unsolved. The reason why a lot of those folks from OGUsers were arrested last year is that there were folks that were able to get law enforcement the data they needed. And within my case, without stating exactly what the data I fed was, it was stuff that would serve legally as attribution, enough for warrants for arrests, for asset seizure, and even for prosecution in the case of Joel Ortiz. And so why is it just not possible to tell the company, don't port my phone number, you know,
Starting point is 00:20:04 in like pretty much any circumstance? In theory, it is possible to tell them that. In practice, though, there's the two pain points I mentioned earlier, which is you're going to have these phone representatives that are easily social engineered, and you have the reality of the fact that there are going to be insiders. And the thing is this, you have to look at it from a business model for the phone carriers. They're not collecting payment to act as a custody provider, right? And you also have to bear in mind the fact that a lot of these people that are requesting that their phone number be ported are doing it for a legitimate purpose. So the overwhelming majority of the client base for these phone providers would provide a lot of pushback if they increase the difficulty of doing that.
Starting point is 00:20:49 All right. Okay. So I think it's just going to be a risk factor for people involved in the space. And for those who, I sort of want to get more of a picture of how widespread this is. Even back in that 2016 story, I noted a whole bunch of people who had been targeted in this way, such as Adam Draper, Bo Shen, a lot of the founders of Augur, Brock Pierce. And, you know, it's continuing. There was just kind of an everyday person who, I forget, he lost only like, forget it, it was only like 8,000 bucks or something, his name is Cody Brown, but he wrote about it on Medium and that went viral. And we mentioned Michael Terpin, who kind of was an earlier, or is an early, crypto person who did a lot of PR for the various crypto teams. Michael Terpin, he lost what was reported as $24 million worth of crypto. I don't know what the current value is.
Starting point is 00:21:51 He did eventually get a judgment of $75 million in his favor this past May. So this is still ongoing, and the most recent kind of high profile case of this was a security engineer or, yeah, a higher up engineering person at BitGo, which is a security company, having his phone number stolen from him twice in two days. So he lost more than $100,000 worth of crypto in that attack. And yeah, this is just something that pretty much anybody who has any involvement in this space should know about. So to that end, let's talk about the preventative measures. What should people do to try to ensure from the get-go that they never fall victim to this
Starting point is 00:22:44 attack? And let's start with their mobile carrier. What are some of the best practices they should implement there? So you mentioned that this is a risk factor that people in the industry are just going to have to deal with. And in a sense, you're right, but in another sense, I actually disagree with that. This risk factor can be almost entirely, if not fully, mitigated. So a great example of that, as you mentioned, the SIM Swapping Bible that Harry and I, our teams, collaborated on, yes, it is a 50-minute read. But look at the amount of time that people spend, whether they're in this industry
Starting point is 00:23:17 working in it as a full-time job 40 hours a week, or even if they're just an enthusiast or an investor, all things considered, taking a few hours to do everything that's listed in that guide is a very, very minor investment of time in the grand scheme of things. So starting with the phone provider, having a, at a bare minimum, it's going to vary depending on the phone provider. But having a PIN code or a passphrase is a good start. I would always recommend telling them that you only authorize a SIM port in person with a government issued ID. That being said, I would actually focus more, and Harry will be able to expand on this greatly, but I would focus more on as much as possible removing your direct mobile number from
Starting point is 00:24:00 existence for anything that can touch your cryptocurrency. Yeah, so let's talk about that. If you're going to do that, I mean, a lot of things do require a phone number. So what should people do instead? One thing that I've seen lots of people doing is going on to Google Fi, which is a mobile network, but it has no real in-store or human support agents that can be socially engineered. So you won't be able to get your number ported. So they use those virtual mobile numbers.
Starting point is 00:24:37 Yeah. And as far as I understand with Google Fi, if you have a number there, then you just go to the website and click a button that, you know, says like enable this number to be ported or, you know, don't enable it to be ported. So you are in control of that. And, you know, if you want to switch carriers, you can do it. But if you don't, then you can just block it. So, yeah, it relies heavily on your Google account being secured. But if you use all of Google's security tools, then you should be good. All right. So I want to also, because you guys did outline a slightly different method, which is that people could also set up a separate Google account and create a Google Voice number on that account that, again, is not connected to your normal email, but then use that phone number. Is that, did I understand that right, that that's another option as well?
Starting point is 00:25:41 Yeah, that's another option. So assume that one day your primary email account, or Google account, should I say, will get hacked. Then you'll have one that you'll only ever use just for that Google Voice number and you won't use for your primary email. So it's just another barrier to keep you safe if you assume that one day your primary email account will get hacked. And so where, so they use this number on anything touching crypto or anything financial. And where else? Should they just use this number as their phone number going forward in as many places
Starting point is 00:26:20 as possible as they can? They can. There's no reason why they couldn't. I would only use it for anything financial myself. To expand on that, when it comes to cryptocurrency, in particular the exchanges, I can't think of, and Harry, absolutely correct me if I'm wrong, but off the top of my head, I can't think of a single exchange that offers only SMS authentication and not Google Authenticator.
Starting point is 00:26:46 Well, that's good. And we'll talk a little bit more about Google Authenticator. But let's first actually talk about why it's so important for them to secure every Google account that they have. And you sort of mentioned this. So basically, I feel like what people maybe need to imagine is that it's sort of like quarantining or something where you create a little universe where that phone number and that email touches like certain things, but like nothing else in your life. Is that sort of the right picture to have? That's a perfect analogy.
Starting point is 00:27:22 Yes. Okay, so talk about how to set that up so that people don't mess up and don't end up having that one little crack that the attackers can use to unlock everything. So to start from the very beginning, a lot of people have an email account that is super old that they made maybe when they're a teenager. They didn't really care much about their online security. They then grow up a bit and create a new account. And when you're creating a new account, some of the providers ask for a backup email in case you forget your password. And then people use that very old email account that they made when they were teenagers,
Starting point is 00:28:09 didn't really care about security. So now your new primary email account is vulnerable because it's linked to that very old email account. and the bad guys will go after the old email account that will probably be in some public dumps somewhere and then pivot from that email account into your primary one and then they've got your identity. So what people need to do if they want to prevent that from happening is what? They need to remove email backup from their Google accounts or any other online accounts. basically have the only backup mechanism as 2FA or backup codes that you store offline.
Starting point is 00:28:54 Great. So we're going to keep discussing how to prevent a SIM swapping attack, but also what to do if you are a victim, after this break. But first a quick word from our sponsors. When buying crypto, price matters. With the crypto.com app, you can buy more than 40 coins at true cost. Our multi-exchange trading engine ensures the lowest possible prices to buy crypto with no fees or markups. Not only is the app good for buying crypto, it's also good for growing crypto. You can earn up to 8% per year on BTC, ETH, XRP, and more when you make a deposit into the one-month, three-month, or flexible terms. You just have to deposit your crypto to begin. Interest is paid out weekly and immediately available
Starting point is 00:29:41 for use. Start earning through the crypto.com app. Available on the app store and Google Play. Will the world follow France and advocate banning privacy coins? Will government-backed stable coins become the new fiat? Are distributed and peer-to-peer exchanges just a flash in the pan? The answer is maybe. Virtual currencies can flourish and create a new, private, and more versatile economy. But that grand vision can't happen without keeping crypto clean. And that requires support of governments and accountability for bad actors. Privacy enhanced compliance using cryptographic controls has the potential to preserve anonymity without compromising legitimate investigations. CypherTrace is working on this vision of the future. Sign up to stay up to date on the
Starting point is 00:30:32 privacy-enhanced compliance initiative and receive authoritative crypto AML reports quarterly. www.ciphertrace.com slash keep crypto clean. Today's episode is brought to you by Kraken. Kraken is the best exchange in the world for buying and selling digital assets. With all the recent exchange hacks and other troubles, you want to trade on an exchange you can trust. Kraken's focus on security is utterly amazing. Their liquidity is deep and their fee structure is great with no minimum or hidden fees. They even reward you for trading so you can make more trades for less.
Starting point is 00:31:12 If you're a beginner, you will find an easy on-ramp from five fiat currencies. And if you're an advanced trader, you'll love their 5x margin and futures trading. To learn more, please go to kraken.com. That's K-R-A-K-E-N.com. Back to my conversation with Rich and Harry. So let's now then also talk about, like, why securing your Google accounts is so important. Why is that? So in today's world, Google is like Big Brother.
Starting point is 00:31:44 It's not just providing email to you. It's providing location services, cloud storage, maybe even website hosting, database hosting. And that's all tied to your Google account, which is also your Gmail account, which is your email account. So once they've got your email account, they pretty much have all of your online identity, including, which is most scary, your location data.
Starting point is 00:32:12 Wow. And then they can also break into anything you've got stored on Google Drive or, I guess... On Google Chrome as well. That's the thing. They could even log in and see your favorites, any saved passwords. Wow. Yeah.
Starting point is 00:32:27 Okay. So how should people secure their Google account? They should have a very strong password generated randomly with a password manager like 1Password or LastPass. And then those password manager backups should be stored offline, away from your main machine, in case your main machine gets a virus or a RAT or something. Then your Gmail account should have only that strong password. You should monitor active sessions. You shouldn't really authenticate apps with Gmail login, especially apps that look great but are new.
Starting point is 00:33:09 You've never heard of them, but you give them read and write access to your email, for example. So there's that way. Also, having a look at your recovery options: I think by default, Google has a recovery option of your phone number. So you'd have to go back into the security settings and remove your phone number from there, and any backup emails. And two things to build off of that as well. I mean, that's all in either an initial setup of the account or when you're doing a scrub of it.
Starting point is 00:33:39 So exactly what Harry is saying is that you should really limit what your recovery options are. And there's a line between security and convenience. So I'm not going to sit here and tell you, yeah, completely remove everything except for Google Authenticator. But if you're going to have just Google Authenticator, make sure that you're storing your backup code somewhere safe. You know, actually jot it down or print it out, presuming that you're not on Wi-Fi and susceptible to a man-in-the-middle attack,
Starting point is 00:34:02 store it offline. The other thing to kind of build off of that as well, I see this with a lot of ICOs and a lot of blockchain companies. The default within Google admin is that people actually can use personal recovery emails. So that very attack vector has been used to compromise company emails that were believed to be secure via Google Authenticator. And what Harry mentioned, as far as doing a scrub of your active sessions, security is not a one-time thing.
Starting point is 00:34:27 So you can't read the SIM Swapping Bible, do everything in it, check the box, and say, I'm done for good. That's not just because the threat vectors change, but because you want to continue to monitor it. So the analogy I like to use is you want to think of security like brushing your teeth. And I'm not saying that you have to do a scrub every single day. But, yeah, in the grand scheme of things, what is 15 minutes a week, just to jot down as a recurring calendar event for you? And scrub your active sessions, make sure everything looks good. All right. And let's just also define a few things for people. So you keep talking about Google Authenticator. That is basically an app on your phone that provides temporary codes. I think they
Starting point is 00:35:06 change every 30 seconds or something. So that instead of receiving your second-factor authentication code via text message or phone call, what happens is you try to log in, you put in your password. It asks for your code, and instead of sending one to your phone, you just open the app, put in the temporary code, the one, you know, that's active for that 30 seconds. And you would have needed to have, you know, set this up before that, you know, it's that the way that you log in here is with your Google Authenticator. And then the system will know, okay, the person logging in has this trusted device, which is, you know, the phone that you previously set up with Google Authenticator. And that's how it will identify you and not use your phone number
Starting point is 00:35:55 to do so. Is that, did I explain that correctly? Correct. So Google Authenticator is using a time-based one-time password algorithm. And the way you described it is correct. And yeah, the real tragic thing is that setting up Google Authenticator takes all of a few minutes. And when you look at a lot of these, especially exchanges that offer both Google Authenticator and SMS-based 2FA, the reason why they offer SMS-based 2FA is that people don't want to take the few minutes. It's kind of like I was talking about with the phone service providers, right? The overwhelming majority of people that want to change their SIM would not want to deal with all of the hassle of making it extensively more difficult to appease people that were victimized by SIM swapping and cryptocurrency. And you have to look at exchanges in the same light.
Starting point is 00:36:41 A lot of people just want to quickly sign up for an exchange. They don't want to take a couple of minutes. So it boils down to the business and conversion rates for the exchanges. Yeah. When I did the story on this previously, I did ask Coinbase about why it is that they still, at least at that time, I'm actually not sure right now, but at that time why they still offered 2FA via text message. And they said the reason is because for users who don't have smartphones, it was still more secure than, you know, like for kind of lowest-common-denominator users, like that was the better form of security. And obviously, for, you know, for people who have higher security needs, that was not sufficient. So one other thing that Harry mentioned is about not storing your backup codes on a computer or anywhere digital. So how should people store their backup codes? So you can print them and store them physically, somewhere secure, in either a nice place that you know, like maybe a bank vault or maybe your parents' place or a safe or somewhere,
Starting point is 00:37:52 you can also store them on external hard drives, things that are not always connected to the internet. And how do you protect against, you know, fire or just, like, paper does not seem like a super safe way to store a backup code? There's tons of solutions for this. And it really just depends on how much time and money you want to put into it. On the higher end, there's things like Cryptosteels, which you can use for private keys or seed phrases. And Harry, correct me if I'm wrong, but I think those run like
Starting point is 00:38:24 130 bucks. Alternatively, what you can do is you can run over to your local hardware store, grab a piece of scrap steel, grab a die punch kit, and it'll cost less than 20 bucks and take you about 15 minutes to chisel on an entire private key. And that's going to be offline, fireproof and waterproof. If you want to make it theft-proof as well, then simply split it into two or memorize a portion of it. All right. Okay. Well, I feel like this is the same conversation I always have about securing crypto where
Starting point is 00:38:57 every time I get to that part where you have to store something offline, I'm like, I feel like I'm going to lose that right away. But anyway, okay, so let's now talk. So we've talked about, obviously, you know, two-factor authentication via text message or phone number or phone call is not a good option. We talked about how Google Authenticator is another good option, but there are a few other ways that people can use, or a few other things people can use for their second factor.
Starting point is 00:39:27 One would be like a physical device, like a YubiKey, and then Google also offers something called Advanced Protection, which appears to be physical, you know, physical token-based. But can you describe what those options are and who should opt for that as opposed to something like Google Authenticator? I think it was a recent update, or maybe it's just super hidden and it was just made public to me a couple weeks ago. Google came out with an advanced security section where you can add a YubiKey to your account for two-factor authentication. The YubiKeys are not super expensive for the security that they give.
Starting point is 00:40:08 So really, it could be used for anyone, depending on their paranoia, if they're a target or not. Although you could assume that you're always a target in cryptocurrency. So although Google Authenticator is a good default, if you are super paranoid or you assume that you're a target, then upgrading to a YubiKey is a good move. Okay. And so then let's talk about some other accounts. We've been focusing on Google quite a lot. You also talk in your post about the importance of securing Apple accounts. Why is that important and how should people secure those? So Apple, like Google, also has cloud storage, which I think when you set it up, all of the pictures that you take on your iDevices are sent to cloud storage. I may be mistaken if that's not default. But some people would take pictures of maybe their IDs or their backup codes
Starting point is 00:41:13 and, unknown to them, it's automatically sent to cloud storage. So if your Apple account gets hacked, then they've got access to those photos as well. Also your location data. They could also factory reset your phone, so they could maybe extort you that way: hey, I've got access to your iCloud, I can reset your phone or lock you out of your phone. And I believe that the iCloud account does require a phone number. So in this case, which phone number should people use? That is the phone number that is with your iDevice, I think. I've... my only experience with Apple devices is iPhone. So I'm unsure if you can have
Starting point is 00:42:03 an iCloud device without an iPhone, can you? Well, I think, so I think the phone number that they should use is the one that is probably the one that can't be ported, right? The Google Voice or Google Fi number? Yeah. Though if you have an iPhone, then it's by default your iPhone number, I think. I may be wrong. Yeah, I, because that's through your carrier, right?
Starting point is 00:42:31 The other thing, too, when it comes to anything with Apple ID is that it's going to notify you on a sign-in request on a new device. So that's an additional layer of protection that actually is a default within that. Oh, that's true. Right. But yeah, I don't, I don't think that's related through your phone number anyway. So let's also now talk about, you guys did mention password managers, um, and how people should use those. Are password managers in the browser, such as, like, you know, Chrome or Safari or whatever, we'll manage your passwords, are those not secure enough? They are, assuming your Google account doesn't get hacked, as they can, as the passwords are saved to your profile, if you sync your storage across devices. So if they log into your Google account on a new device and sync the storage, they'll get access to your saved passwords.
Starting point is 00:43:26 So what do you recommend people do? Have a dedicated password manager, a separate application, such as 1Password or Enpass or LastPass, something like that, that they can generate independently from Chrome, generate passwords independently from Chrome. And then how should they set up the security on their password manager? Because it feels like if that's compromised, then... The good thing about password managers is you only need to have really one master super secure password, which you can store offline, maybe with engraving it in metal or something. But then you can also have backups and store those offline as well. So if your main machine that is connected to the internet gets a RAT,
Starting point is 00:44:21 then there is near zero chance that someone could extract your backups that are stored on your main machine, because you've stored them offline, and do an offline attack and brute-force the login there. And to build off what Harry is saying, too, one thing that's definitely worth bearing in mind is that SIM swapping is just one of several vectors that anyone in this industry should be cognizant of. And while you're going through all these steps to secure yourself through SIM swapping, you could be secured in the sense that you've told your phone carrier what to do, you've set up your Gmail. But looking at OGUsers is kind of a case study. If anyone's familiar with Ian Balina, the cryptocurrency influencer that was hacked for about, I think it was two and a quarter million dollars worth of varying cryptocurrencies last year, that was perpetrated by a group of SIM swappers. But the vector there actually wasn't a SIM swap. It was a database dump that, you know, Harry alluded to those earlier, old college email, old password that was used. So it is worth bearing in mind that there are a lot of low-hanging fruits for these individuals that are not by any means super
Starting point is 00:45:26 sophisticated hackers. Yeah, as far as I understand, a number of them aren't even like really, they're not like real crypto. It's not like they even really understand crypto. They're really just criminals, right? Well, they understand crypto within the context of how to use it and how to get it to exchanges. I wouldn't say they have the knowledge of the technology nor the industry that the folks in this podcast do, obviously. However, I also wouldn't say, for the most part, most of them are career criminals. They're obviously criminals in the sense they're doing the SIM swapping, and they're criminals in the sense that they almost always have SIM swapped more than one individual, so they're repeat offenders. But it's not like most of these folks have a long track record.
Starting point is 00:46:11 That being said, if you look at the folks with OGUsers, they're criminals with a track record in the sense that a lot of them as kids did stuff like a lot of script kiddies do. Back then, they were into DDoSing. And it's like I was talking about earlier, they were into stealing accounts just to have the OG accounts. So they have a bit of a track record with that, and with swatting. The head of that ring was actually arrested and extradited to the U.S. years and years ago when he was a minor. So they have criminal history in that sense, but these aren't folks that are super sophisticated
Starting point is 00:46:47 black hat hackers that have been going at this for a decade. Yeah. Yeah, that was, I think, a line I had in my article, which was that, you know, they, you might call them hackers, but it's not like they're doing any fancy computer work. They're just calling up a customer service rep repeatedly until they find one who will send them the phone number. So, all right, so we kind of touched briefly on Telegram. You know, you mentioned that the default was that people's phone number should be exposed. So how do people secure their Telegram account? So since one of the latest updates, being your privacy settings, is that your phone number attached to your Telegram account is made public, you should go and make that private and also
Starting point is 00:47:36 configure the invite privacy. So not anybody could invite you to a new group and maybe expose some details that way. So for example, if you have all of the default settings on, someone finds your Telegram handle, invites you to a group, and then a bad actor is in that group, sees you got invited, looks at your profile: oh, this guy, I know this guy because he's big in cryptocurrency, this is his mobile number, thanks to Telegram. So step one to securing a Telegram account is to configure your privacy settings from non-default. All right. And then, so we're not going to get to like every single place where people should lock down
Starting point is 00:48:26 their security, but your post does kind of go through a lot of the main honeypots that these perpetrators go for. And, you know, some that come to the top of my mind are, you know, like Dropbox or Evernote. What are some of the other types of sites or apps that people should be sure to lock down and make secure? There's social media, such as Facebook and Twitter, maybe LinkedIn. They could either pivot from your social media and pretend to be you and message your friends
Starting point is 00:49:06 to get some more information about you, or you have maybe on social media, maybe your Facebook account. You lost your phone maybe three years ago and you made a post saying, hey, lost my phone, here's my new number, text me your numbers or something like that, which I see quite often in my circle of friends. And by default, maybe Facebook privacy settings
Starting point is 00:49:30 has made that post public. So if someone goes to your Facebook account and looks back at your post maybe three or five years ago, there's your phone number in plain sight. So go to pretty much all of your social media, ones active and now not active ones you don't use anymore, and configure the privacy settings there on each one. It may take a while, but the benefits you get outweigh the time it takes. And are there any others? It doesn't hurt to secure bank accounts as well. So I don't see a lot
Starting point is 00:50:03 of SIM swapping that involves liquidation of bank accounts, but I have seen it. And it really boils down to you. So here's kind of an interesting thing. I mentioned the overwhelming majority, if not all, major exchanges do Google Authenticator in addition to SMS. Whereas banks, I haven't seen a majority of banks have a Google Authenticator or other option. A lot of them are stuck on SMS as a 2FA. So considering, you know, it is still less likely that a SIM swapper is going to go for that instead of an exchange account. It is worth making sure that you lock down bank accounts as well, use a secure password, use a Google Voice number. All right. So now let's talk about what people should do if their phone number is ported. So they, you know, they start to notice they
Starting point is 00:50:48 don't have any signal. Maybe they're starting to see these notifications in their emails about other accounts they're supposedly trying to log into. So at that point, what do they do? Well, it starts off with a race against time. So immediately they need to be getting on the phone with the mobile service provider. The sooner they're doing that, the sooner they're cutting the problem off at the source. As they're on the phone with a mobile service provider, they want to be, if at all possible, you know, if the SIM swappers didn't change the password, they want to be regaining access to their Gmail or email provider. They want to be killing any active sessions on Telegram. They want to be locking down exchange accounts as much as they can. That might not
Starting point is 00:51:31 be possible until they get their phone number back, but they should be making an effort while they're on the phone with the service provider. And when they talk to the service provider, you wrote about how they should be logging information as well. What do they need to record? So at a bare minimum, what the service providers are going to have is an IMEI. And the person that's getting SIM swapped doesn't necessarily need to get that right away, but they will need to get that at a point for the law enforcement report. The thing is, as I mentioned earlier, the majority of these go unreported, especially the ones that do not result in financial loss; they almost never go reported. And they should anyway. But even the ones that do result in financial loss, the majority of these reports,
Starting point is 00:52:14 which I mentioned earlier, they don't have adequate data. And one of those data points is the IMEI. And what is the IMEI? It's a unique identifier for each mobile phone. Okay. And then why is that important exactly? Because based upon that IMEI, law enforcement might be able to determine where that device was purchased, who it was purchased by. And there's actually some mobile carriers, for example, I know T-Mobile will actually send you an email whenever your phone is ported. It'll tell you the old IMEI and the new one. Oh, okay. You also mentioned in your post that people should take notes on everything and obsessively screenshot.
Starting point is 00:52:49 So what should they be notating and what should they screenshot? Well, they should absolutely annotate who the person they're talking to at the service provider is, right? Because they want to say, I spoke to this person, their employee ID number. They switched my phone back. The phone carrier should have logs of who made the actual SIM port for the SIM swapper. They may or may not. They usually won't provide this to the actual victim. But mentioning, hey, you know, make sure this is retained, right?
Starting point is 00:53:19 That's a huge, huge step. Law enforcement should be able to contact this mobile service provider and get that data. Going on to, yeah, this is really where the law enforcement reports fall short. On Gmail, your access history, you're going to see IPs in there. On exchanges, same thing. You're going to have access history. Those are all things that you're going to want to include in a law enforcement report. Any device information that you could possibly get, you want to include in there. Withdrawal transactions. You want to include those too. It's absolutely baffling. In one sense, you want to feel bad for these victims, but you have to
Starting point is 00:53:53 look at this from the law enforcement perspective. If law enforcement can't tell, you know, what the device was or where it was, or can't do anything on chain, looking at transactions and finding out where the funds went, they're simply not going to be equipped for success. And who in law enforcement should victims call? It's just the police or who? So in the U.S., what you would file is called an IC3 report, which is at IC3.gov. And again, this is another unfortunate thing, just because crypto is so new to most people. Most people don't know that answer. And they're going to default to either calling the local police or going to the local police. Even most local police don't know where to report this
Starting point is 00:54:34 stuff, but this would always fall under IC3 if you're a U.S. citizen. If you're abroad, that answer changes. Typically, that answer is it's still handled at the federal level. Our website actually has a list by country of where to report cybercrime of this nature. Okay. So I guess people need to prepare for a long road of dealing with all this and gathering all this information to try to get their money back. One other thing I wanted to ask was, so if a victim loses access to their email account, how do they get access back? Well, presuming that they lost access because they did an SMS reset, if the SIM swapper added different details, and this is, by the way, operating under the presumption that it's Gmail. Gmail has a way to
Starting point is 00:55:21 request access back, and that might be different information they ask of you that you input when you first created the account, and then they'll actually review it. And that might take a few days. That's the unfortunate thing, which is why, as we were discussing earlier, you want to, as much as possible, create these buffers in between. Yeah, I've heard some people did not get access back to their Gmail for months. So, yeah, that's a huge, I think, headache if that happens. All right. So is there, what have we not covered that you think people should know about this topic? I think once you've identified that you've been SIM-jacked, your exchanges and email accounts have been accessed.
Starting point is 00:56:06 You should monitor for any foreign API keys, especially on exchanges, and any foreign apps linked to your Gmail. So, for example, you get access back to your Gmail, your exchanges. You think everything's dandy, but maybe three months down the line, you see a withdrawal via an API request, because you forgot to check API keys on exchanges and the bad actors made some API keys when they had access to your exchange account. Or you see access to your email account from a strange app that was authorized when you didn't have access to your email, and the bad actors have made maybe like an application
Starting point is 00:56:56 that can read and write your email inbox. So they would still have access, but you wouldn't know? I think one thing that's worth expanding on is that we are dealing with decentralized assets here. And the protections that society is used to in the past, like chargebacks, those are gone. And yes, law enforcement will try to handle these cases, provided that they have adequate information. Dealing with cryptocurrency, dealing with blockchain tech, you're dealing with a general loss of the centralized protections, and that places an inherent responsibility on the end user to bolster their security. And these security steps, I mean, reading that entire thing,
Starting point is 00:57:35 you mentioned it takes 50 minutes, but doing everything in there, you can get that done in less than one full day. And I see people that take all this time to discuss cryptocurrency on Telegram, go to conferences, monitor CoinMarketCap every five minutes. If people have the time to do that, they can set aside one day to make sure the security is properly set. We cannot continue to have a mentality that it's this carrier's fault or it's this exchange's fault, because it's simply not. These are service providers. And, you know, especially within the context of mobile carriers, they were not the ones that asked to become custody solutions. That's not what you're paying your mobile carrier to do. And it's kind of almost hypocritical that there's a
Starting point is 00:58:17 mentality of we want decentralization. We want to move away from government controlling this. But the same people spouting that belief are often the same people that are saying we should sue the phone carrier, we should sue the exchanges. You have to be the one that's responsible for this. And there's a big line between security and convenience. You know, Harry and I really share this mentality, which is we're not expecting people to summon the blood of a unicorn to log into every single one of their accounts. So, yeah, it boils down to, Harry used a really good example earlier, which is you could put on steel something for like your password manager, and that would be something that's not very convenient to get to, but that is your master key.
Starting point is 00:58:57 Everything else is conveniently accessible. And I would look at your cryptocurrency the same way, right? We're no longer in the days of centralized protections where it's in a bank and you don't have to worry about it. You're going to want to keep the majority of what you have and something that's very hard to access. If you want to have funds that are accessible for, you know, day trading or investing in ICOs or whatever the case might be,
Starting point is 00:59:17 that's fine. You know, not everything has to be on a hardware key, on steel, separated in two different locations, but it should be a small amount. All right. Yeah, I definitely would concur with that, that the phone carriers do not see themselves as a linchpin in your security setup, which they are, but they don't view their role that way. And so for that reason, you need to do everything you can to, you know, to, I guess, patch that vulnerability right there. All right. Well, thank you both so much for coming on the show. Where can people learn more about you and MyCrypto and CipherBlade?
Starting point is 00:59:56 They can learn about MyCrypto at Medium.com slash MyCrypto. We do publications about MyCrypto, MyCrypto side projects, and just security-related things within the cryptocurrency ecosystem. Also, Twitter.com slash MyCrypto or MyCrypto.com. And they can learn more about CipherBlade by going to cipherblade.com, and we've also got social media channels. And I encourage folks to check both of us out, because there's an old saying that an ounce of prevention is worth a pound of cure. But I would argue in this industry, it's actually worth a ton of cure. Yeah, yeah.
Starting point is 01:00:32 And we can put a dollar sign on that too. All right. Well, thanks both of you for coming on the show. Thanks for having us. It was a pleasure. Thank you. Thanks so much for joining us today. To learn more about Rich and Harry and MyCrypto and CipherBlade, check out the show notes inside your podcast player.
Starting point is 01:00:48 If you're not yet subscribed to my other podcast, Unconfirmed, which is shorter and a bit newsier, be sure to check that out. Also, find out what I think are the top crypto stories each week by signing up for my newsletter at Unchainedpodcast.com. You can sign up right on the homepage. Unchained is produced by me, Laura Shin, with help from Fractal Recording, Anthony Yoon, Daniel Nuss, and Rich Stroffolino. Thanks for listening.