To avoid SIM-swap attacks, experts urge users, especially those with huge followings, to remove their phone numbers as a recovery option.
Vitalik Buterin, one of the masterminds behind Ethereum, has publicly verified that the recent hack of his X (formerly Twitter) account was the result of a SIM-swap attack.
The cybersecurity loophole has raised new questions about the secure management of online accounts, particularly for those in the cryptocurrency space.
Did you know?
Want to get smarter & wealthier with crypto?
Subscribe - We publish new crypto explainer videos every week!
How to Avoid Rug Pulls in Crypto? (5 Ways Explained)
Buterin took to Farcaster, a decentralized social media platform, on September 11th to confirm that he regained access to his T-Mobile phone account after it was hijacked.
Yes, it was a SIM swap, meaning that someone socially-engineered T-Mobile itself to take over my phone number.
As reported earlier, the hacker exploited this vulnerability to access, control, and promote malicious link via Buterin's X account. Victims of the scam collectively suffered losses exceeding $691,000.
In the aftermath, Buterin shared some insights gleaned from his harrowing experience. "A phone number is sufficient to password reset a Twitter account even if not used as 2FA," he cautioned, also noting that it is possible to "completely remove <a> phone from Twitter." He admitted:
I had seen the ‘phone numbers are insecure, don't authenticate with them’ advice before, but did not realize this.
Addressing the broader issue of online account security, Ethereum developer Tim Beiko also chimed in with a recommendation. On September 10th, he advised account holders, particularly those with large followings, to deactivate their phone numbers as a recovery option and to enable two-factor authentication (2FA).
The SIM-swap attack, also known as simjacking, is not unfamiliar terrain for T-Mobile. The telecom company has faced legal repercussions for its role in previous invasions. In 2020, a lawsuit claimed T-Mobile facilitated the loss of $8.7 million in cryptocurrency through a string of SIM-swap incidents. The company found itself in a similar situation in February 2021 after another customer reported losing $450,000 in Bitcoin (BTC) due to the same type of attack.
It is worth noting that in March, crypto exchange Coinbase was sued by Bitcoin investor over the company's alleged role in a SIM-swap attack.
The recent hack of Vitalik Buterin's Twitter account serves as a poignant reminder of the persistent vulnerabilities in online security systems. With T-Mobile's recurring involvement in SIM-swap incidents and the increasing amount of financial assets being held online, particularly in cryptocurrency, the call for more robust cybersecurity measures has never been louder.