Don’t use your number for 2FA on crypto accounts — here’s why

Keep your crypto account secure
Keep your crypto account secure (Image credit: Snappa)

Ultra-tight account security in the cryptocurrency world is a must. Not only are your digital assets at risk, but crypto exchanges are notorious for offering lousy customer support. If your account gets hacked and a malicious actor drains your funds, good luck finding a live agent! Even Coinbase, one of the world’s most popular crypto exchanges, is known for being as helpful as a chocolate teapot when it comes to recovering compromised accounts.

As such, crypto investors should be gung-ho about implementing preventative security measures because the crypto realm isn’t as forgiving as the fiat world when it comes to lost assets. Two-factor authentication (2FA) is a highly recommended way to add an extra layer of security to your account, but there’s a caveat — using your number could put your assets in grave danger. There’s a troubling scam that’s growing more popular among crypto hackers: SIM swapping. 

What is SIM Swapping?

Picture this! A crypto hacker, hungry and ravenous for a new victim, secures a list of leaked emails, passwords and numbers from a crypto exchange. Unfortunately, he spots your credentials and decides to use it. Attempting to hijack your crypto account, the hacker types in your email and password, but he runs into one major obstacle. The crypto exchange uses 2FA, prompting customers to input phone-bound codes to verify their identities. He can’t break into your account because he doesn’t have access to your SMS codes.

Does the hacker hang his head down in disappointment and give up? Nope! He’ll stop at nothing to get your Bitcoin, Ethereum, Dogecoin and Shiba Inu. Next, he calls your carrier and convinces them to port your number over to a SIM card they control. The agent unwittingly acquiesces to his malicious request and now the hacker can receive the golden keys he’s been waiting for: your SMS codes. Once he invades your account, he’ll milk you dry, leaving you with no money and no phone service. That, my friends, is SIM swapping. 

 Hackers are taking advantage of phone carriers’ vulnerabilities 

Last year, a group of professors and Ph.D. from Harvard and Princeton University published a scathing report entitled, “An Empirical Study of Wireless Carrier Authentication for SIM Swaps.” The lead investigators discovered that five major U.S. wireless carriers — Verizon, AT&T, T-Mobile, Tracfone and US Mobile — all used insecure authentication methods for SIM swapping.

The report’s authors said that the carriers’ poor verification protocols could easily be subverted by malicious actors, which is why many hackers successfully stole victims’ phone numbers and took over their accounts over the years.

SIM swapping isn’t new, but it’s catching authorities’ attention as the practice becomes more prevalent in the cryptocurrency space. Just last month, a teenager stole $36 million in cryptocurrency using this fraudulent method. Unfortunately, once you’re a victim of a SIM swapping attack, seeking recourse is difficult. Thankfully, there are ways you can safeguard your crypto account to prevent SIM hijacking. 

How to avoid a SIM swap attack and safeguard your crypto accounts 

First and foremost, instead of using text messages for 2FA, use an authenticator app (e.g. Google Authenticator). Malicious actors will punch the air in frustration when they realize that your second layer of security is Google Authenticator, which they have no access to — even if they manage to snag your phone number.

The next thing you’ll want to do is make sure you set up a PIN number or password with your phone plan. If a hacker calls your carrier to port out your number onto their SIM card, a cat will get his tongue when customer support asks him for your PIN number. No PIN number? No porting out!

On top of that, the FTC recommends limiting the information you share online. This is easier said than done because we often stumble upon online forms that demand our personal information, but you should be more cognizant of who is on the receiving end of your data.  “An identity thief could find that information and use it to answer the security questions required to verify your identity and log into your accounts,” the agency said.

Finally, it’s important to transfer your cryptocurrencies off unsecure exchanges like Coinbase and move them into a well-protected wallet, preferably a hardware wallet like the Ledger Nano X. Imagine your hacker’s disappointment when he discovers that there’s nothing to steal from your account because you’ve moved them elsewhere. Ha!

Security over convenience

Adding several layers of security to your crypto account is, without a doubt, a pain in the rear. Before trading, you’re prompted to enter your password and a pin number. On top of that, if your phone isn’t nearby, you have to scavenge the area for your device to input the Google Authenticator code. 

In the crypto world, time is money. While you’re inputting passwords or scrambling to find your phone, the price of your desired crypto can rise significantly. As such, you may be tempted to make your account logins more lenient. Even KuCoin has an enticing option that says, “Trust this device and no security verification is needed when logging in 30 days.” As tempting as it may be to enjoy seamless, fast logins, a little discomfort and inconvenience is worth the additional security that can protect you from losing your hard-earned profits.

I look forward to the day when we can have security and convenience. Gemini, one of the most popular crypto exchanges in the U.S., explained that biometric authentication is one of the highest levels of security one can add to their account. That being said, I’m waiting for an inventor to create a USB-C fingerprint scanner that lets me log into my crypto accounts quickly and efficiently. Until then, we have no choice but to endure multi-factor authentication (and ditch SMS-based verification) to keep our accounts safe and secure. 

Kimberly Gedeon

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!