Be your own bank: New SIM swap heist shows where crypto needs to go
Centralised exchanges are getting caught in no man's land and will have to start making a move soon.
Be your own bank (BYOB), it'll be fun! Or so runs the crypto mantra. Unfortunately part of being your own bank is being your own security guard and cybersecurity specialist, which is impossible for any individual or institution to do with 100% reliability.
A new high profile SIM swapping heist demonstrates this, highlighting the very clear differences between the crypto and fiat banking worlds, and raising old concerns around the future of centralised exchanges in the cryptocurrency space.
A professional job
A few days ago prominent Twitch eSports streamer "DoubleLift" recounted the details of the heist that robbed him of $200,000 in fiat and an undisclosed amount of cryptocurrency.
The theft was apparently weeks in the making, with the robber carefully laying the groundwork without drawing attention. DoubleLift, it's worth noting, did almost everything right. He had his two factor authentication in place for both bank transfers and cryptocurrency, and took almost all other reasonable security precautions.
He only made two mistakes. The first was to leave his money on Coinbase rather than keeping it in a more secure hardware wallet. But to be fair it's a mistake that a lot of people deliberately make, judging the risk of theft or exchange insolvency to be low enough to offset the hassle of managing seed phrases and shopping around for a hardware wallet.
The second mistake was to mention to the world that he owned cryptocurrency and that it was on Coinbase. This, coupled with his relative prominence as a streamer, might have suggested to the thief that it was worth going to all the trouble of robbing him.
The thief started by SIM swapping. This is when someone impersonates their victim to a mobile provider – in this case T-Mobile – and then asks them to swap the victim's phone number to a new SIM card and a new phone.
This is usually done under the pretext of having lost the old phone or having bought a new one. The first sign that it has happened is that the victim's phone simply stops working: the number now lives on the attacker's SIM.
"I remember one day my service randomly turned off, my phone just turned off," DoubleLift says.
"They [the thief] impersonated me to T-Mobile, said 'my phone's lost and missing, I can't find it, but I want my phone number transferred to this SIM card,' on another phone obviously, completely bypassing two factor authentication."
When he discovered it, he contacted T-Mobile, who told him that his phone had been flagged as lost or stolen. They re-enabled it, and DoubleLift didn't think much of it, chalking it up to a technical or clerical error.
But in the short window between the SIM swap (which disabled his phone) and the call to T-Mobile that restored it, the thief used the number to get through the phone-based two factor authentication on DoubleLift's email account and anywhere else they could. This was most likely done through the forgot-password flows, supplying the SMS verification code or guessing the answers to security questions.
"This was weeks before anything happened," DoubleLift says. "I guess in that small amount of time they got access to my email."
"He [the thief] didn't kick me out of my email. He had this system where every email I get from Coinbase for transactions immediately gets sent to trash then deleted, and all emails that go through that email account get forwarded to another email, which is obviously not mine, and I had no idea that any of this was happening."
By now the thief has complete access to DoubleLift's email. From there they can get at his Coinbase account, bank account, social media and anything else linked to that address by requesting a password reset or claiming a forgotten password. The reset links land in the inbox and are forwarded to the thief's own account, which lets them respond as though they were DoubleLift.
They can then either disable two factor authentication (since by now they no longer hold the victim's phone number) or simply change the phone number it uses, through the same processes every service offers to customers who have got a new phone.
The entire time, DoubleLift has no idea what's going on. He was probably receiving plenty of alert emails, but these were being instantly and automatically deleted. Even changing his email password and taking other steps wouldn't necessarily stop the thief at this point, he says.
"There are so many ways he can access my email, even after I log out, close the session, change the password... through recovery emails, recovery apps."
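The mailbox rules DoubleLift describes (transaction mail from the exchange sent straight to the trash, everything else forwarded to an address the owner does not control) are exactly what an owner should audit for after a suspicious service outage. The script below is an added example written for this page, not code from the article or from any mail provider; the rule format, the watched sender domains and the sample rules are constructed for illustration and are not any provider's export format.

```python
"""
Audit mailbox filter/forwarding rules for the two attacker patterns described
in the article: a rule that deletes notifications from financial senders, and
a rule that forwards mail to an address outside the owner's control.

Added example; the rule format, sender list and sample rules are constructed
for illustration and are not any real provider's export format.
"""
import re
from dataclasses import dataclass, field

# Senders whose mail an attacker would want to hide from the account owner.
# Constructed list for the example; extend with the services you actually use.
WATCHED_SENDER_DOMAINS = {"coinbase.com", "chase.com", "t-mobile.com"}


@dataclass
class Rule:
    name: str
    match_from: str = ""  # glob-style sender pattern; "" matches every sender
    actions: list = field(default_factory=list)  # e.g. ["delete"], ["forward:x@y"]


def _from_matches_domain(pattern: str, domain: str) -> bool:
    """True if a sender pattern like '*@coinbase.com' (or '' = everything) would
    catch mail from the given domain."""
    if pattern == "":
        return True
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, f"someone@{domain}", re.IGNORECASE) is not None


def audit_rules(rules, owner_domains):
    """Return a list of (rule name, finding) tuples.

    owner_domains: domains the owner is known to control; forwarding to any
    other domain is flagged as suspicious.
    """
    findings = []
    for rule in rules:
        for action in rule.actions:
            if action in ("delete", "trash"):
                hidden = sorted(d for d in WATCHED_SENDER_DOMAINS
                                if _from_matches_domain(rule.match_from, d))
                if hidden:
                    findings.append(
                        (rule.name, f"auto-deletes mail from {', '.join(hidden)}"))
            elif action.startswith("forward:"):
                target = action.split(":", 1)[1]
                target_domain = target.rsplit("@", 1)[-1].lower()
                if target_domain not in owner_domains:
                    findings.append(
                        (rule.name, f"forwards to external address {target}"))
    return findings


# Constructed sample rule set modelled on the article's description.
SAMPLE_RULES = [
    Rule("newsletters", "*@news.example.com", ["archive"]),
    Rule("hide exchange", "*@coinbase.com", ["delete"]),
    Rule("mirror", "", ["forward:drop.box.4471@mailrelay.example"]),  # constructed attacker address
]


def main():
    for name, finding in audit_rules(SAMPLE_RULES, owner_domains={"doublelift-mail.example"}):
        print(f"[!] {name}: {finding}")


if __name__ == "__main__":
    main()
```

Run against a real mailbox, the same logic would be fed the filter and forwarding settings exported from the provider; the point of the check is that a forward to an unknown domain, or a delete rule scoped to your bank or exchange, is never something the owner set up by accident.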
It's reasonable to assume that the thief grabbed all the crypto first, and then saved DoubleLift's bank accounts for later.
Triggering the alarm
The alarm was triggered when DoubleLift got a message from his bank saying he was overdrawn. When he went to check it out, he found an empty digital vault where there used to be $200,000.
This would be an appropriate time to panic.
DoubleLift contacted the bank which started investigating, contacted Coinbase and generally did what a bank robbery victim is supposed to do.
The upshot, he says, is that he's probably going to get the $200,000 from his bank account back, but that the crypto is gone for good.
"Coinbase said 'you're shit out of luck, dude. You can't get any of it back,'" DoubleLift paraphrased. "I take the crypto as a loss, but I'm pretty grateful I got everything else back... I'm probably gonna get everything else back."
Security and liability gaps, and what they mean for the future of crypto
Systems need a way for users to recover and change passwords. That's necessary, but it also means that a compromised email account snowballs into the loss of everything connected to it. And email accounts need the very same recovery mechanisms, which are increasingly tied to a phone number, whether as a recovery contact or as the second factor.
Functionally, account security has become a system in which a lot of different services pass the buck around in an endless circle, each one trusting another to have verified the user. By picking out the weakest link in the circle, a thief gets the lot.
Right now, that weakest link is almost certainly the mobile providers. SMS-based two factor authentication and control of phone numbers have become a critical element of online security, but carriers' SIM swapping procedures haven't kept pace with that importance.
The rise of two factor authentication has left minimum wage branch staff (according to indeed.com, a sizable share of US AT&T and T-Mobile retail sales associates earn around the federal minimum wage of $7.25 per hour) as the gatekeepers to countless bank accounts, multiple fortunes in digital assets and near-complete control of a person's online identity.
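The "weakest link in the circle" argument can be made concrete by drawing the recovery relationships as a directed graph and asking what an attacker holds after taking over any single node. The script below is an added example for this page, not something from the article; the accounts and recovery edges are constructed to follow the narrative (phone number resets email, email resets the exchange, bank and social accounts), and an edge A -> B means "control of A is enough to recover or reset B".

```python
"""
Model account-recovery dependencies as a directed graph and compute the blast
radius of each account, i.e. everything an attacker reaches after taking it
over. Added example; the graph below is constructed to mirror the article's
narrative and is not data about any real person's accounts.
"""
from collections import deque

# Constructed recovery graph. An edge A -> B means control of A lets an
# attacker reset or recover B (SMS code, reset link, recovery contact).
RECOVERY_GRAPH = {
    "phone_number": ["email"],                        # SMS codes / recovery phone on the mailbox
    "email": ["coinbase", "bank", "social_media"],    # password-reset links land here
    "coinbase": [],
    "bank": [],
    "social_media": [],
    "hardware_wallet": [],                            # no remote recovery path at all
}


def reachable_from(graph, start):
    """Set of accounts an attacker controls after taking over `start`
    (transitive closure over recovery edges, including `start` itself)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(graph):
    """Map each account to the set of OTHER accounts it can be used to take over."""
    return {node: reachable_from(graph, node) - {node} for node in graph}


def weakest_links(graph):
    """Accounts whose compromise reaches the most other accounts (ties kept, sorted)."""
    radius = blast_radius(graph)
    worst = max(len(v) for v in radius.values())
    return sorted(n for n, v in radius.items() if len(v) == worst)


def harden(graph, node, remove_edge_to):
    """Copy of the graph with one recovery path removed. Example: moving the
    mailbox's second factor from SMS to a hardware key removes
    phone_number -> email."""
    new = {k: list(v) for k, v in graph.items()}
    new[node] = [n for n in new[node] if n != remove_edge_to]
    return new


def main():
    for node, hit in sorted(blast_radius(RECOVERY_GRAPH).items()):
        print(f"{node:15s} -> {sorted(hit)}")
    print("weakest link(s):", weakest_links(RECOVERY_GRAPH))
    hardened = harden(RECOVERY_GRAPH, "phone_number", "email")
    print("after removing SMS recovery on email:", weakest_links(hardened))


if __name__ == "__main__":
    main()
```

The output makes the article's point directly: the phone number, the node with the least protection, has the largest blast radius, and a single change (taking SMS out of the mailbox's recovery path) shrinks it to nothing, leaving the email account itself as the next link to harden.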
It's safe to say that neither the training nor the pay generally meets the gravity of the role.
Another recent $24 million SIM swap crypto heist, which resulted in a lawsuit against AT&T, may have involved bribing staff to carry out the swap rather than merely impersonating the victim, and in some cases it may be possible to SIM swap online with nothing more than some basic information about the victim.
The problem of actually preventing SIM swap fraud is a thorny one without any clear solution in the immediate future.
In the nearer term, protection might come more from formalising liability for stolen funds. DoubleLift is probably going to get his bank money back, but the crypto is probably gone for good. Right now banks, card providers and other financial institutions are all responsible for customer funds to a certain extent, but "banking" at crypto institutions like Coinbase is almost entirely at one's own risk.
Many mobile providers can definitely do more to prevent SIM swap fraud in their unwanted newfound capacity as bank security guards, but no protection is ever 100%. Plus suing mobile providers over every little bit of identity theft isn't a terribly efficient system, to say nothing of it being horribly exclusionary for anyone who can't afford the lawyers.
As such, centralised exchanges like Coinbase will eventually have to put on their big boy pants and find some way of guaranteeing customer funds. Just hand-waving away all losses as being the customer's fault is not a permanent solution.
This guarantee of customer funds might go in two directions.
It could go towards legitimacy and centralisation, such as bank-style insurance and government arrangements. Or it might go towards decentralisation, such as refusing to hold any customer funds whatsoever and only selling to external wallet addresses.
"Be your own bank" is a nice catchphrase, but it wasn't intended to be used as a licence for centralised exchanges to disavow their responsibility to customers. These exchanges are standing with a foot in each world, taking the best parts of both, but if they want to survive in the long run they'll need to choose a side.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA