Peculiar $30 Million BCH SIM SWAP Hack
There has been a rumor floating around of an alleged SIM swap hack incident where a Chinese whale purportedly lost around $30 Million worth of BCH. The rumor stems from a now-deleted Reddit post of the supposed victim asking miners for help to recover access to his BCH. The victims added that he still has his private key and will be rewarding miners who will be able to help him. This SIM swap hack incident is nothing new, there have been several victims of SIM hacks in the past resulting in multimillion losses but this recent one is quite unique as the victim clearly states that he has still access to his private keys meaning he was hacked from a non-custodial wallet.
SIM swap hack
To understand the incident clearly, I will explain what is a SIM swap hack and how it is executed. Basically, a SIM swap hack is a situation where a hacker was able to gain access to private and secure information intended for the victim. They do this by convincing mobile service providers to activate your phone number on another device. It seems that convincing mobile carriers to authorize such changes is not that hard to do, so long as the hacker can present information that would prove that they are what they say they are, customer representatives are more than willing to make the changes.
This infers that the victim’s information may have already been compromised. Perhaps they have already been a victim of a phishing attack or social engineering prior to being targeted for the attack vector. There are only a few options the victim can do when they are being targeted by a highly-skilled SIM swap hacker since a successful execution of the attack rests primarily on the carrier’s approval of the change. If the hackers will be able to give all the necessary requirements they will successfully execute the hack.
Why hackers are interested in SMS messages
Now some of you might be asking why would hackers go through all the trouble of a SIM swap hack if they have all the necessary information they need to get access in a victim’s secure network. The simple answer to this is the fact that SMS has become the second layer of security of choice by many applications when users enable second-factor authentication 2FA. This takes on the form of One-time Passwords (OTPs). A successful SIM SWAP would mean that the second layer of protection has been compromised leaving all applications that use this unprotected.
Moreover, emails and social media accounts use SMS as a way to authenticate ownership when recovering the said accounts. Take for example when a Gmail user tries to recover his or her account. It only takes an SMS OTP to authorize a change in password. Mind you, email is also generally recognized as another 2FA method similar to SMS. This only shows how immensely important to keep your SMS or your mobile line safe. However, this proves to be easier said than done as SMS relies heavily on the due diligence of mobile service providers.
Despite previous incidents of SIM swapping hacks, SMS is still one of the primary choices of many applications such as digital wallets, bank apps, centralized cryptocurrency exchanges and many more. In reality, SMS 2FA gives users a false sense of security as they rely too much on a third party for their security. In this case, SMS 2FA is only secure if the users are the only ones that have access to it. Since the SMS 2FA goes through the carrier’s network it is always at risk from internal and external risks, from bad actors within the network to hackers that utilize vulnerabilities in the SMS protocol such as the SIMJacker vulnerability.
Securing our SIM
The only way to secure our SIM is by not allowing hackers to get sensitive information online. Hence extra care should be taken when dealing with unfamiliar sites that require you to undergo KYC or upload personal information. One should always double-check the URL link to ensure that it is the site you intend to enter or log in. It is highly recommended to activate anti-phishing features if the option is open. In addition, be aware that hackers utilize several social engineering techniques to get sensitive information. Remember, customer representatives will almost never contact you first nor ask for more information than necessary.
If additional authentication methods are available you might want to enable them as an extra precaution. Alternative 2FA methods include Email, authenticator apps like Google authenticator or Authy and hardware keys like Yubi keys. The additional layers of security will definitely increase security and deter attacks if hackers get access to your SIM. There is however another way of securing assets like cryptocurrencies without having to deal with 2FA methods. In fact, you don’t have to enable 2FA at all as you can have total control and access to your own assets without relying to any third party. These are called non-custodial wallets or accounts where users have total control and access to their assets.
Non-custodial wallets or accounts
Non-custodial wallets allow each user to create their own private keys (PK) using offline cryptographic wallet tools. While the tools are created by other developers only the user who generated the keys are able to access them. The only way for other people can have access to the private key is if the owner shares it with them. Most of the time users secure their PK by writing them down on a piece of paper and physically storing them in a secure location such as vaults or safety deposit boxes. Some store them in specialized USB keys that have enhanced security features and others use hardware wallets.
Non-custodial wallet SIM swap hack
The person who allegedly had his BCH stolen claims to have been a victim of a SIM swap hack but also claims he still has the private keys of the wallet that has been hacked. This has left some of the people in the crypto community scratching their heads as it seems to suggest that he had his non-custodial wallet compromised via a SIM swap. The hack would have made total sense if the wallet came from a centralized exchange or a custody wallet service provider since most of them use SMS 2FA to secure their wallets. But since the victim has access to his private keys we can only conclude it was indeed a non-custodial wallet.
The details of the hack are largely unknown to the public and there had been no update from the alleged victim after he deleted his original post on Reddit. What is peculiar with the hack is the fact that the victim inferred to have his funds stolen from his non-custodial wallet. Those who are familiar with how non-custodial wallets work know that the only way to get access to these funds is to get its private keys. It is highly unlikely that a user with that much amount of money will ever store the private keys that can be accessed via SMS.
We may never know for sure how it happened but we can all agree that the only way that the hackers succeeded in getting access to the funds of a non-custodial wallet is by having access to the private keys of the wallet. We can, therefore, attribute the hack to a very expensive poor judgment of the wallet owner who carelessly stored his private key that can be accessed online or using SMS. Keeping private keys offline is one of the cardinal rules in using non-custodial wallets and ignoring this rule can have some dire consequences as you have witnessed above.
Non-custodial wallets and trading still the best in security
There has never been any incident where non-custodial wallets were ever involved in any type of security flaw or weakness in the past. If the alleged SIM swap hack were true, the hack would be a result of the owner’s oversight for not securing his private keys well enough or inviting trouble by having it accessible using online or through his SIM. Wallets that are custodial in nature will never reach the same level of security as non-custodial wallets. I believe that the highest and most optimal security can only be achieved by giving users absolute and total control of their own assets which is the case in non-custodial wallets.
This security extends to all other services that use non-custodial wallets. This includes decentralized exchanges (DEXs) like Newdex which do not utilize a user account system that requires customers to deposit into custodial wallets held by the exchange operator. All transactions happen directly from the non-custodial wallets of the customers ensuring optimal safety since traders never lose custody of their digital assets until the moment they execute a transaction or trade. DEXs that use highly scalable blockchain like what Newdex uses, EOS, will see near instant execution of trades.
Despite the many security enhancements made by CEXs operators in the past such as keeping most liquid funds offline and getting insurance, it cannot still compare to the security DEXs offers as asset owners never surrender custody of their crypto.
CEXs might have mitigated risk from external threats but have not really made relevant progress in terms of risk associated with having to maintain a user account system in their platform and keeping custody of their client’s digital assets. Customer’s assets can still be trapped inside CEX’s for a variety of reasons, lost private keys of cold storage wallets, technical issues with their platform, regulatory compliance, and even insolvency issues.
SIM Swap Hack Possible in a Non-custodial Wallet?
Given the right conditions, this is possible but is highly unlikely. The wallet owner of the non-custodial wallet would have ignored all reminders to keep the private keys offline and safe from the prying eyes of hackers and would have acted extremely irresponsible for having it accessible in an insecure network like the SMS. The rumor that circulated is likely to be just that, a rumor, but has opened up some interesting questions on the possibility of a non-custodial wallet to be hacked using this attack vector.
It all boils down to one thing. The safety of non-custodial wallets rests on how the asset owner handles the security of the private key of the wallet or account. So long as the asset owner follows the suggested safety procedures they should enjoy unparalleled security unmatched even by the best-centralized exchanges in the world. The kind of security that blockchain technology can offer and way beyond anything the best-centralized exchanges could ever give.
The above article is a commissioned work for Newdex. I was tasked to write about the SIM Swap attack and how non-custodial wallets are resilient against this attack vector. Total creative freedom was given to me. All the information stated above came from my own research and statements are of my own opinion based on my experience and knowledge. It has not been edited by Newdex or any of the aforementioned projects in the article
Originally published in Hackernoon.
For more information about Newdex please follow its official links below: