The Most Expensive Lesson Of My Life: Details of SIM port hack

June 5, 2019
SIM port attack

Port tweeking summary

This might not be new as peoples’ testimony regarding SIM port attack on mobile phone numbers has been alarming since this will make your digital life worse than ever. CYBER criminals are using a simple trick to steal people’s mobile phone numbers, move them to a different carrier and use the stolen number to gain access to the victim’s other personal information, bank accounts, social media accounts, etc., it’s a surprisingly easy thing to accomplish and can wreak havoc for those who unconsciously become a target.


What is SIM port attack?


It is a malicious SIM port performed by an unauthorized source — the attacker. The attacker ports your SIM card to a phone that they control. The attacker then initiates the password reset flow on your email account. A verification code is sent from your email provider to your phone number — which is intercepted by the attacker.


Attack timeline

This is based on the sequence of event from a victim(s) account,

  1. Tuesday – 10:00PM – Attacker ports my SIM card to a device they control.
  2. 10:05 PM – Attacker reset my Google account password. My 2FA verification code is sent to their device, which is used to change my password.
  3. 10:51 PM – Coinbase sends a password reset email to my email address.
  4. Wednesday – 10:10 PM – Attacker drains my Coinbase wallets. Also, made multiple buy orders using my account and sweeps those funds.


Fraud Prevention

  • Use A Hardware Wallet to Secure Your Crypto: Move your crypto to a hardware wallet/offline storage/multi-sig wallet whenever you are not transacting.
  • SMS Based 2FA Is Not Enough: Regardless of the assets and/or identities you are trying to protect online, upgrade to hardware-based security (i.e.: something physical that an attacker would have to physically obtain in order to perform an attack or simple phishing attack would leverage 2FA weakness).
  • Reduce Your Online Footprint: Reduce the urge to needlessly share personally identifiable information (birthdate, location, pictures with geo location data embedded in them, etc.) online.
  • Google Voice 2FA: In some cases, an online service will not support hardware-based 2FA (they rely on weaker SMS based 2FA
  • Create a Secondary Email Address: Instead of binding everything to a single email address, create a secondary address for your critical online identities (bank accounts, social media accounts, crypto exchanges, etc.).
  • Offline Password Manager: Use a password manager for your passwords. Even better, use an offline password manager like Keypass.


About the author

Leave a Reply