
Using a phone number for identity authentication is a bad operational security practice. Handing over bitcoin to a third party like a cryptocurrency exchange or lending service also reduces security — “not your keys, not your coins” is a security recommendation often shared over Twitter and the Bitcoin podosphere. 

Case in point: For the better part of the last decade, the combination of these two practices has given rise to an increasing number of SIM swap attacks ending in the theft of bitcoin and other cryptocurrencies. 

A SIM swap is a low-cost, nontechnical way for attackers to gain control of a victim’s wireless phone account. To pull off an attack, a hacker needs to know how mobile wireless carriers authenticate identity, along with some information about the victim. Often, the victim’s phone number is all that is required.

Now, there is unequivocal evidence that the majority of people in the United States who have phone number accounts with wireless carriers are vulnerable to SIM swaps. If you hold bitcoin that you don’t want to lose, this fact can be all the more harrowing.

The Rise of SIM Swapping

This increased potential for SIM swapping was proven in an empirical study[1] published in January 2020 by a joint group of professors and Ph.D. students at Harvard University’s Department of Computer Science and Princeton University’s Center for Information Technology Policy. 

“The attacker calls your carrier, pretends to be you, and asks to transfer service to a new SIM — one that the attacker controls,” wrote Arvind Narayanan[2], an associate professor at Princeton and one of the paper’s authors, in a summation[3] via Twitter. “That’s bad enough but hundreds of websites use SMS for 2-factor authentication, putting your accounts at risk.”

The study tested the

Read more from our friends at Bitcoin Magazine