Protection From SIM Swap Scams Following the Ledger Hack

The Ledger hack and data breach that was made public towards the end of 2020 affected a large part of the company’s customer base. In all, it’s believed 272,000 wallet orders were leaked online, which made the home addresses and phone numbers of those customers available to the public.

I covered how to handle the Ledger hack and data breach in another article, but scammers are coming up with new ways to use the leaked data to their advantage. Perhaps the biggest problem we’re seeing is the SIM swap scam.

Below, you will find details of what SIM swapping is and how you can protect yourself.

What is SIM Swapping?

SIM swapping is also known by several other names:

  • SIM splitting
  • SIMjacking
  • SIM hijacking
  • Port-out scamming

The scam works by the fraudster transferring control of your mobile account from your SIM card to one that they own. They do this by gathering as much personal information about you as possible, which is why the Ledger data breach could potentially cause a surge in this activity.

Once a scammer has enough information, they take on your identity and call your mobile service provider, asking for a new SIM card or for help switching to a new phone. If this part of the scam is successful, all text messages and phone calls to your phone will be redirected to the cybercriminal instead.

Phishing emails, malware, and social media stalking are also key ways cybercriminals gather data that can be used to answer security questions.

With control over your mobile account, fraudsters can get in touch with institutions such as your bank pretending to be you. They can also take advantage of two-step verification processes that require a phone number to reset your passwords.

How is this Scam Successful?

To get enough data, a scammer will usually pester a customer service representative from your mobile provider until they manage to gather a small piece of information. They will then hang up, call again, and repeat the process until they have enough of your information that the last person they call is convinced it’s you on the other end of the phone.

Another way the SIM swap scam works is for the cybercriminal to pretend to work in one of the stores owned by the mobile provider. They will act as if you are a customer in the store and claim that the store’s systems aren’t working properly. The scammers will mention that you are losing patience and will ask the representative on the phone to unlock your account.

Playing on the sympathy and empathy of the customer service representatives on the other end of the line works to great effect. Even without specialist software, a social engineering hacker can create a powerful scenario that encourages the customer service representative to be as helpful as possible. Journalist Kevin Roose discovered this at DEFCON when a social engineering hacker convinced his mobile provider to give up his email address and change his passwords in just a few minutes.

The Fallout of SIM Swap Scams

Some reps are led to believe the worst thing that could happen is a new iPhone is charged to an innocent person’s account, and the money lost would be reimbursed.

Following the Ledger hack and data breach, scammers can assume many of the people in the database also have an account with one of the top crypto exchanges. After completing a SIM swap, the fraudsters can find a way to access a person’s exchange account to make unauthorised transactions. With physical home addresses leaked, the scammers can work out the victim’s time zone, and complete their cyber attack while the victim is sleeping.

If your bank account is connected to the exchange as well, the fraudsters can use your money to buy more cryptocurrency, effectively draining your exchange and bank accounts. Alternatively, they can hack into your online banking profile and transfer your money to themselves.

It’s worth remembering that scammers cannot take funds from your crypto wallet. Despite the hack on Ledger, the currency it contains cannot be stolen unless you give the scammers something they can act on, such as your 24-word recovery phrase.

How to Protect Yourself From a SIM Swap Scam

Lock Down Your Primary Email Account

To ensure your email is as safe as possible:

  • Do not add your mobile number to your email account as a recovery method
  • Create a strong, unique password that you do not use with any other service
  • Consider using a password manager service
  • Use a YubiKey as a second authentication factor for services where possible
  • Ask your telephone operator to add an additional password that is required to establish telephone contact with you in the event of a customer service call
  • If you are using a Gmail account, follow the advice on Google’s Advanced Protection Program

Change From SMS Two-Factor Verification to Other Methods

As mentioned before, you can also use a YubiKey to add an extra layer of protection.

Your Mobile Phone Number

If you sign up for a service that demands a mobile phone number, you can use a “burner” number courtesy of quacker.io to bypass giving away your personal information.

What Should You Do If You Have Been Affected?

If you need any legal advice or representation, please do contact me. I have been working as a specialist lawyer in the crypto scene for many years, and my work has even helped Steve Wozniak (cofounder of Apple) take YouTube to court.

To stay up to date with the latest news on the Ledger hack and to receive guidance, make sure to join Naray Law’s Telegram group dedicated to the Ledger data breach for support.

Attorney at Law and Entrepreneur in Switzerland. He specialises in corporate, commercial and fiscal law. He has built several successful e-commerce businesses.