The Ledger hack and data breach scandal that was made public towards the end of 2020 affected a great number of the company’s customer base. In all, it’s believed 272,000 wallet orders were leaked online, which made the home address and phone number of those customers available to the public.
I covered how to handle the Ledger hack and data breach in an earlier article, but scammers are coming up with new ways to use the leaked data to their advantage. Perhaps the biggest problem we’re seeing is the SIM swap scam.
Below, you will find details of what SIM swapping is and how you can protect yourself.
What is SIM Swapping?
SIM swapping is also known by various different names including:
- SIM splitting
- SIM hijacking
- Port-out scamming
This scam works when the fraudster takes control of your mobile account from your SIM card to one that’s owned by them. They do this by gathering as much personal information about you as possible, which is why the Ledger data breach could potentially cause a surge in this activity.
Once a scammer has enough information, they take on your identity and call your mobile service provider, asking for a new SIM card or for help switching to a new phone. If this part of the scam is successful, all text messages and phone calls to your phone will be redirected to the cybercriminal instead.
Phishing emails, malware, and social media stalking are also key ways cybercriminals gather data that can be used to answer security questions.
With control over your mobile account, fraudsters can get in touch with institutions such as your bank pretending to be you. They can also take advantage of two-step verification processes that require a phone number to reset your passwords.
How is this Scam Successful?
Under normal circumstances, it can be tricky for scammers to get all the information they need to convince your mobile provider to switch SIMs. Fraudsters, however, tend to be very perseverant.
To get enough data, a scammer will usually pester a customer service representative from your mobile provider until they manage to gather a small piece of information. They will then hang up, call again, and repeat the process until they have enough of your information that the last person they call is convinced it’s you on the other end of the phone.
Another way in which the SIM swap scam works is when the cybercriminal pretends to work in one of the stores owned by the mobile provider. They will then act as if you are a customer in the store, but the store’s systems aren’t working properly. The scammers will mention you are losing patience and will ask the representative on the phone to unlock your account.
Playing on the sympathy and empathy of the customer service representatives on the other end of the line works to great effect. Even without specialist software, a social engineering hacker can create a powerful scenario that encourages the customer service representative to be as helpful as possible. Journalist Kevin Roose discovered this at DEFCON when a social engineering hacker convinced his mobile provider to give up his email address and change his passwords in just a few minutes.
The Fallout of SIM Swap Scams
Speaking as a guest on the Andreas Antonopoulos’s YouTube channel, Taylor Monahan discussed the issues she has faced with SIM swap hackers. The founder of MyCrypto discovered that customer service representatives are given a small amount of training about this scam, but the full implications are not made clear.
Some reps are led to believe the worst thing that could happen is a new iPhone is charged to an innocent person’s account, and the money lost would be reimbursed.
Following the Ledger hack and data breach, scammers can assume many of the people in the database also have an account with one of the top crypto exchanges. After completing a SIM swap, the fraudsters can find a way to access a person’s exchange account to make unauthorised transactions. With physical home addresses leaked, the scammers can work out the victim’s time zone, and complete their cyber attack while the victim is sleeping.
If your bank account is connected to the exchange as well, the fraudsters can use your money to buy more cryptocurrency, effectively draining your exchange and bank account. Alternatively they can hack into your online banking profile and transfer your money to themselves.
It’s worth remembering that scammers cannot take funds from your crypto wallet. Despite the hack on Ledger, the currency it contains cannot be stolen unless you give the scammers something they can act on such as sharing your 24-word recovery phrase.
How to Protect Yourself From a SIM Swap Scam
The following advice is a must for anyone affected by Ledger’s data breach, but it is also very useful in general. To protect yourself from the SIM swap scam, you can:
Lockdown Your Primary Email Account
Email providers give users a variety of ways to recover access to their accounts in the event they are locked out. However, the more verification methods you use, the more vulnerable you make yourself. Once into your account, it won’t take a hacker long to find your phone number.
To ensure your email is as safe as possible:
- Do not add your mobile number to your email address as a recovery method
- Create a strong, unique password that you do not use with any other service
- Consider using a password manager service
- Use a yubikey for services where possible as a second factor authentication
- Ask your telephone operator to add an additional password to establish telephone contact with you in the event of a customer service call
- If you are using a Gmail account, follow the advice on Google’s Advanced Protection Program
Change From SMS Two-Factor Verification to Other Methods
Protection services such as Google Authenticator work on a Time-based One-time Password Algorithm. You will be presented with a QR code that contains an access key to the account your signing into.
As mentioned before, you can also use a yubikey to add an extra layer of protection.
Your Mobile Phone Number
For anyone affected by the Ledger leak, you do not necessarily have to change your phone number, but you will need to remove that number from anything crypto related. This includes your exchange accounts and your email address.
If you sign up for a service that demands a mobile phone number, you can use a “burner” number courtesy of quacker.io to bypass giving away your personal information.
What Should You Do If You Have Been Affected?
The data breach has had serious repercussions for many Ledger customers, whether they have been SIM swapped or not. If you have suffered any financial loss as a result of the breach, Naray Law is in the perfect position to help you.
If you need any legal advice or representation, please do contact me. I have been working as a specialist lawyer in the crypto scene for many years, and my work has even helped Steve Wozniak (cofounder of Apple) take YouTube to court.
To stay up to date with the latest news on the Ledger hack and to receive guidance, make sure to join Naray Law’s Telegram group dedicated to the Ledger data breach for support.