background
friend.tech is a social platform. Users need to buy other users Keys to talk to them. The price of Keys will also increase as the number of people who buy them increases. The holders can make profits by selling Keys.
On October 3, 2023, Cos, the founder of SlowMist, posted on social media that friend.tech lacked two-factor authentication and was risky in response to the recent situation where friend.tech user accounts were hacked and assets were stolen.
On October 5, 2023, chain detective ZachXBT posted on social media that a hacker made a profit of 234 ETH (approximately 385 ETH) by conducting SIM card swap attacks on four different friend.tech users in the past 24 hours. , 000 USD).
So far, friend.tech users have lost approximately 306 ETH due to SIM card swap attacks.
On October 10, 2023, friend.tech stated that users can now add 2 FA passwords to their friend.tech accounts to provide additional protection if their carrier or email service is compromised.
On July 17, 2023, SlowMist CISO @ 23 pds mentioned in an interview with Cointelegraph that “SIM Swap is expected to become more and more popular in the future because of its low attack cost, and as Web3 becomes more popular and attracts more people to enter the industry, due to SIM Swap Swaps technical requirements are relatively low, increasing the potential for SIM swap attacks.
The picture below shows the SIM Swap quotations for different operators on the black market:
In various contexts, based on this friend.tech security incident, this article will explain how SIM card swapping attacks are implemented and how to deal with them. First, lets explain what a SIM card and 2 FA are.
SIM cards and 2FA
SIM card (Subscriber Identity Module) is the user identification module. The main function of a SIM card is to store information related to the users identity and mobile network operator, and to allow the user to connect to the mobile network and use telephony and data services. When a user inserts a SIM card into a phone or other mobile device, the device can read the information on the SIM card and use it to connect to the mobile network.
Two-Factor Authentication (2 FA for short) is an authentication method that requires users to provide two different types of authentication information to gain access. It is widely used in online banking, email services, social media, cloud storage, cryptocurrency wallets and other services to increase account security. SMS verification code is a common 2FA method. Although the SMS verification code is also random, it is not secure during the transmission process, and there are risks such as SIM card swap attacks.
Below we explain how attackers typically implement SIM card swapping attacks.
Attack techniques
In the cryptocurrency space, attackers launch SIM swap attacks with the goal of gaining access to a victims cryptocurrency account by taking control of the victims phone number in order to bypass two-factor authentication.
Following many corporate data breaches in recent years, there have been deals selling stolen personal information on the dark web. Attackers will obtain detailed personal information such as the victims ID card from data breaches or through phishing. The attacker will then use this information to impersonate the victim and start a SIM card swap attack.
(https://www.cert.govt.nz/assets/Uploads/Quarterly-report/2019-Q4/SMS-Swap-diag-full__ResizedImageWzYwMCwyMTld.png)
The following is the specific process:
1. Target identification: Attackers first need to identify their targets. They will look for information about cryptocurrency holders on social media;
2. Social engineering: Attackers may use social engineering, such as phishing emails or phone calls, to trick targets into providing their phone numbers or other sensitive information;
3. Contact the carrier: Once the attacker has identified the target’s phone number, they will contact the target’s carrier, usually through fake identity or social engineering techniques, and ask the carrier to associate the target’s phone number with a new SIM card;
4. SIM swapping: Once the attacker successfully convinces the operator to associate the victims phone number with a new SIM card, the victims original SIM card is deactivated since the phone number can only be associated with one SIM card. This means that the victim loses access to their phone number, which is now controlled by the attacker;
5. Receiving verification codes: Attackers can now receive text messages and phone communications from victims, including verification codes for two-factor authentication;
6. Access Cryptocurrency Accounts: Using the received verification code, the attacker can log into the victim’s cryptocurrency exchange or wallet application and gain access to their cryptocurrency funds, perform unauthorized transactions, and transfer the victim the owner’s assets.
Responses
To prevent SIM card swapping attacks, the following measures can be taken:
It is best not to choose SIM card based authentication method. You can set a PIN code to protect the SIM card, but ZachXBT points out that using a PIN code is still not secure enough and you should use an authenticator or security key to ensure account security. Attackers are often able to convince carriers that they have simply forgotten their PIN, or even carrier staff are involved in the scam. Of course, setting a PIN code can still increase the difficulty of attacks and improve the security of the SIM card.
Use an authenticator that supports the TOTP algorithm for two-factor authentication. Here is a brief comparison between HOTP and TOTP. OTP (one-time password) includes HOTP and TOTP, the difference between the two is the algorithm that generates them:
HOTP is an event-based OTP algorithm. Each time HOTP is requested and verified, the mobility factor is incremented according to the counter. The generated password remains valid until the user actively requests another password and is verified by the authentication server. HOTP has a longer validity window, so attackers have a greater risk of breaking into user accounts by brute force cracking all possible OTP values;
TOTP is a time-based OTP algorithm. The time step is the preset lifetime of the OTP, usually 30 seconds. If the user does not use the password within the window, the password is no longer valid and a new password needs to be requested to access the application. Compared with HOTP, TOTP has a smaller time window and is more secure. Therefore, the SlowMist security team recommends using an authenticator that supports the TOTP algorithm for two-factor authentication, such as Google Authenticator, Microsoft Authenticator, Authy, etc.
Be careful with text messages and emails from unknown sources and don’t click on links and provide sensitive information.
In addition, the victim of friend.tech said that he had received a large number of spam text messages and phone calls, so he silenced his mobile phone, which caused him to miss the text message from the operator Verizon warning that his account might be compromised. The attacker does this to trick the victim into muting their cell phones to buy time for them to steal funds. Therefore, users should be vigilant when they suddenly receive a large number of spam calls and text messages.
Summarize
The security of the SIM card itself relies on the operators security measures and is vulnerable to attacks such as social engineering.Therefore, it is best not to use SIM card-based authentication. It is necessary for users to add two-factor authentication to their accounts to improve account security. It is recommended to use an authenticator that supports the TOTP algorithm.Finally, welcome to read the book produced by Slow MistBlockchain Dark Forest Self-Help Manual。
