Five steps to protect your crypto and other assets from hackers

With a relatively simple SIM swap, hackers can gain access to your phone, email, and crypto assets. Here’s how to defend against this.
The first step is to remove your mobile phone number as a recovery method from your primary email. Image: Shutterstock

The freedom and power of the internet comes with massive responsibility. You have to defend yourself from attacks. No one will do it for you.

The downside of not defending yourself online is devastating.

Here is an everyday story: Sarah gets SIM-swapped while she sleeps.

People often do SIM swaps when, for example, they lose their phone and buy a new one.

In this case, an anonymous thief badgers a call-centre agent at her mobile services provider into switching the SIM card linked to Sarah’s phone number with a SIM card in their possession – using time-tested techniques: perhaps pretending to be Sarah (possibly using information gleaned about her online), talking about emergencies, or masquerading as a fellow call centre agent battling to log on.

Once the hacker gets control of Sarah’s phone using the new SIM, he checks the time zone Sarah lives in. Yes, Sarah is fast asleep. Sarah won’t notice anything has gone wrong until later the next morning.

Sarah has a bad feeling and checks her phone during the night. Her WiFi is on. Everything looks like it is okay, but it isn’t.

Now that the hacker controls Sarah’s phone number by way of the SIM swap, he can go to Gmail, type in her email address and ask for her password to be recovered via the phone number on the account.

Gmail obliges and sends the recovery password to the hacker-controlled phone. The hacker goes through all the financial services on Sarah’s email: bank accounts, home loans, crypto exchanges and credit cards. He is an expert at what he does.

Sarah’s primary email is essentially her digital identity.

One by one the hacker probes and resets the bank and crypto exchange passwords. The reset links are sent to the Gmail address. Sometimes a one-time password (OTP) in a text message (Sarah’s two-factor authentication method of choice) is sent to the hacker-controlled phone to confirm access to Sarah’s account. Sarah has two crypto exchange accounts with her bank account linked to both. The hacker sends funds from Sarah’s bank account and home loan to one of the exchanges and does a quick market order to buy crypto. Sarah had a large access bond on her house, and a healthy current account balance for her child’s education.

The hacker buys a huge amount of bitcoin with Sarah’s money. He then sends the crypto to his own crypto wallet. He checks any crypto and fiat balances on the next crypto exchange – and then cleans them out. The crypto takes 10 minutes to appear in his wallet.

The hacker is accomplished and thorough. He deletes all the emails from all his password resets and transfer shenanigans, leaving no trace for Sarah to unjumble her life.

Over the next few hours all Sarah’s available funds are drained. All her bank accounts – current, home loan, savings – are empty.

All the crypto assets she owns on a variety of different exchanges are drained.

All of it – gone.

This SIM-swap scenario happens every day

Imagine this happening to you. This event can break a person. Bring a person and their families to their knees.

There are some key steps to take that can prevent this from happening to you or your family.

Knowledge is power. Here is a simple framework to help guide individuals to protect their identity and assets online.

There are three pillars in my framework called ‘Internet Freedoms’: First you defend, then you advance and lastly, you become powerful (sovereign).

Here are five simple steps to start defending your digital identity and online assets.

Step 1: Remove your mobile phone number as a recovery method from your primary email

Sarah linked both her phone number and secondary email as a recovery method.

Once you have been SIM-swapped, this recovery method becomes the attacker’s way in. With control of your phone number, the hacker uses your primary email’s recovery process to reset its password, and with your email he can then reset the passwords of all your other online accounts.

Remove the recovery methods (both mobile phone number and email) as a matter of urgency. This protects your digital identity from being hacked.

Step 2: Use a password manager to create unique and strong passwords

You may be a bit lazy to do this because it means downloading a password manager like LastPass and creating strong and unique passwords for all of your online platforms.

But, be encouraged that this is best practice.

You can create many difficult and unique passwords using your password manager and you only have to remember one hard password to unlock the password manager.

If your email address and password haven’t been breached before, then you don’t have to do this step. If your data has been breached, then you need to download a password manager like LastPass or 1Password and start to update and harden all your passwords.

To check if your data has been breached, go to this website and type in your email address: Have I Been Pwned.

Once you have downloaded the password manager, remember to protect it with two-factor authentication (2FA) using an authenticator app on your mobile phone, such as Google Authenticator or Authy (both are free). Your password manager is your digital vault and you want it bulletproof.

Step 3: Add 2FA to your primary email using an authenticator app

Sarah did not have a two-step verification set up for her Gmail account.

As part of this step, you need to use the password manager to strengthen your password.

Then go to the security settings of your primary email account and set up 2FA.

Together, a strong password and time-based 2FA codes generated by an authenticator app on your mobile phone protect your digital identity from being hacked.

Step 4: Replace all SMS two-factor authentications (2FAs) with a time-based one-time password using an authentication app

Sarah took the easy option and used the text message (SMS) sent to her mobile phone for 2FA.

Banks often use SMS 2FA. This is a vulnerability for SIM swaps: the code is delivered to whoever controls the phone number.

Make sure you convert all of your SMS 2FA to use an authenticator app like Google Authenticator or Authy.

Step 5: Authy app users must turn off this one dangerous default setting

If you use the Authy app it is crucial that you disable a default setting that will make you vulnerable to a SIM swap – even with 2FA installed.

When you first create an Authy account, ‘multi-device’ is enabled by default.

This means you’ll be free to set up any other device to use your same Authy account and 2FA tokens. All you’ll need to do is download and install Authy on the desired device, add your phone number, and allow this new device on your original Authy installation.

Beware. This is exactly what a hacker will do.

Disable this multi-device on your Authy app immediately.

You have now started a good base for defending your online privacy and security. It all starts with taking responsibility. There are many more steps to take on your journey to become powerful (sovereign).

Eugéne Etsebeth is former CEO of crypto exchange iCE3 and specialises in training related to ‘Internet Freedoms’.

Comments (9)

Step 6: Either it is going to be stolen, or the bubble will burst and you will have lost your entire “investment.”

Easiest way to avoid losing out: just stay away completely. There is no underlying value in crypto. You can’t go to the shop and buy a bread or fill up your car using it. It’s not a currency, but a pure speculative instrument with nothing behind it. Blockchain is a technology which hasn’t found a widespread use in 10 years either.

So what is the “underlying value” in USD, Rand, etc?

The economy of the country issuing the currency. If you need to ask the value of a currency then you should not be investing. Enjoy speculating and gambling instead.

@Ettiene is dead right. The value of a currency is also in the trust the world and the inhabitants place in the issuing authorities of that currency, and in the country’s economy. The dollar and Swiss Franc have a lot of trust, Zim dollars, not so much. This trust is completely absent from Bitcoin or any other cryptocurrency. So it’s, as Ettiene implied, pure gambling to think bitcoin has any intrinsic value.

The purely speculative nature of bitcoin is demonstrated by its wild swings in price. So how does one justify any trust in bitcoin? For this very reason, bitcoin is not a real currency, and this is proven by the fact that you cannot go and buy a loaf of bread or fill up your car using a bitcoin.

Imagine you fill up your tank this week and pay with bitcoin, only to realize a week later that your bitcoin has “appreciated” by 30% and you paid 30% too much for your petrol – you’d not want to buy anything soon again, would you? You’d be losing out. This is the nightmare scenario known as deflation, which happened during the Great Depression, and this is one of the many reasons bitcoin is not and will never be a true currency, because of its insane volatility.

Very useful info, thanks.

It takes a lot of effort to protect my sheep against stock theft and stray dogs. They come at night to kill and steal and they leave very little evidence. There is no way to recoup your losses. Farmers are on duty 24 hours per day. They work during the day and they monitor the alarms at night.

Now you tell me that owners of cryptocurrency are in a similar situation? Why invest in an instrument when that investment only creates employment opportunities for criminals? It is like an investment in South Africa basically. Luthuli House sidesteps all the laws, breaks all the codes of conduct to plunder your investment through socialist laws, taxes and cadre deployment.

In this day and age, if someone manages to steal from us, then we are the guilty party.

Indirectly, actually very directly, you vote for the current variation of the Mafia by paying your tax religiously. You know exactly what does not happen with your tax money once it passes the portals of Luthuli. Surely you don’t vote for them, but by default you are an active supporter. In the end it is just the might of the state that prevents you from defaulting. The state deals in fiat. Thus fiat in the state’s hands is loot. But now it gets interesting. If a certain grandson or son comes to your showroom or to buy a sheep, that cash is all of a sudden pure pure. After you the trail is even more remarkable: the looted money is used to buy groceries, e.g. in Orania (albeit after having done the rounds a few times). The crypto corruption analogy does not hold. Think of who benefited from the Steinhoff and Gupta sagas… fiat was used. Private schools, real estate agents, lawyers… paid for in money now white as snow. Hilarious. I suppose best to be second receiver of the suitcase full of cash. There is zero paper trail (ask Christo Wiese how to, he has the knack).

Using taxes is not a valid comparison, sorry. Taxes are not voluntary and are backed with the threat of state violence against you – throwing you in jail if you don’t pay up. There is a world of difference in being forced at virtual gunpoint to pay taxes, which may or may not be stolen by a corrupt state, and voluntarily “investing” in a bubble which you know full well is only useful to scammers and criminals.

Long-term, only the crypto equivalents of Marietjie Prinsloo (Krion) are going to score, whereas the ordinary “investors” are going to be left begging at the traffic lights.

Phew! At last an acknowledgment of the real use for Bitcoin … 😉

