Mark Risher, Google’s head of account security, pointed out on January 25 that a user’s account with two-step verification is susceptible to attack. According to Risher, cryptocurrencies are the major focus for hackers who use SIM swapping to take advantage of this vulnerability.
SIM Swapping Attack Has Been on the Rise Over the Past Year
According to a media outlet’s report, Mark Risher, a Google executive who oversees email fraud, abuse, and identity issues, has cautioned people about the use of two-step verification. He said SIM swap attacks have been on the rise over the past year. They have also led to the loss of cryptocurrencies, owing to low transaction fees, the anonymity of transactions, and the ease with which money can be moved around.
SIM swapping is a method hackers use to hijack a phone number that is linked to a person’s social media, exchange, or personal accounts. If those accounts use two-step verification, the one-time password or PIN will be forwarded to another number that the attacker controls. The attacker can then gain access to the user’s account and steal cryptocurrencies.
Google’s Cryptographic Feature Discourages Spammers
On the other hand, Risher revealed that since the launch of Google’s cryptographic feature, Titan Keys, spam has been reduced. This feature links a user’s account to a particular device instead of the phone number. As a result, even if the number is changed or hijacked, the attacker will be unable to gain illegal access to accounts.
Risher also said:
There’s no code that sends over the airwaves, nothing is sent to the telcos. If your phone number has changed, we won’t even know as part of this flow, and if someone else has grabbed your phone number, they won’t have any higher credibility than a complete stranger.
Preventing SIM Swap Attack Using Google Authenticator App or Authy
Therefore, people have been advised to do away with two-step authentication and adopt the Google Authenticator app or Authy. While either of these will prevent a SIM swap attack, Risher has advised users to keep a backup of the QR codes that have been linked to the Authenticator app. That way, there won’t be a permanent lockout on accounts if the device is changed.
BTCNN reported on January 20 that Michael Terpin, a victim of a SIM swap attack in January 2018, claimed to have lost over $23 million worth of cryptocurrencies. Terpin has filed charges against a suspect, Nicholas Truglia. AT&T, his mobile carrier, has also been charged for allowing access to his phone number.