You Just Got SIM Hacked! Now What? Crypto Mondays, San Juan July 8th

in #security2 years ago

A couple days ago I shared some thoughts at Crypto Mondays San Juan on securing your cryptocurrency. After over ten years building FoxyCart with my business partner and processing well over a billion dollars for thousands of stores, including PCI level-1 compliance and securely storing encrypted credit card numbers, we never had a significant security event. I learned a lot about what it takes to secure yourself online.

2019-07-09 22.37.11.jpg

Michael Turpin also shared some thoughts from his experience, including how he recently won a $75M judgement regarding his own SIM card hack.

2019-07-09 22.37.17.jpg

Here's the full video which is about an hour long, including Q&A.

Here are some of my notes I took down last Friday as I was helping a community member recover from a SIM swap hack. They may help you further secure your systems and avoid losing your funds. When you own cryptocurrency, you own the responsibility of actually controlling and protecting your store of value.

You Just Got Hacked. Now What?

Assess the damage and prioritize your attack surface. Start with your high value targets such as your email accounts, your bank accounts, and your cryptocurrency exchange accounts. If you can still login, do so and change your passwords immediately. If your password no longer works (because the hacker already changed it), contact the sites immediately. If your email is compromised, the hacker will use the password recovery feature of many common website services (like dropbox) to access your files. They will often delete the emails out of your inbox and/or change your passwords to lock you out. Keep in mind, they may also not change your passwords, to keep you from realizing they have access. For the sites that support it (many banks, exchanges, and email providers do), check your account settings for last login date and IP address. You may also want to revoke any active sessions with the site, if they have that feature.

If you got SIM hacked, start with the phone company and have them lock things down so the hacker can't continue to use your phone number. After you get access again, you can reactivate your number.

If the hacker gets access to your email, they will use it to do password resets on everything using two-factor authentication (2FA) via your phone number instead of via an app. They will often get access to your email because it's common to use a phone number as a recovery method for your email (gmail, for example, does this by default). If you have a recovery phone number set, remove it. Yes, you can also use a number not connected to a SIM card, but personally, I think it's better to rely on your password manager and use no recovery than open up a security hole with a phone number.


Always uses an app on your phone like Google Authenticator (Authy is okay also).

Email account recovery settings should not be connected to a recovery phone number or to a backup email that is connected to a recovery phone number. Connecting to a separate email you only use for that purpose and no where else can work (such as

Once you're out of triage mode, here are some further steps you should take to protect yourself:

  • Get the latest OS updates on your computer.
  • Get an up-to-date antivirus software installed and pay for the regular updates.
  • Install a password manager like 1Password (Keypass and LastPass are okay also) and ensure your encrypted password file is backed up (dropbox sync, for example). Go through all passwords and reset them with passwords generated by 1Password. Turn off browser passwords (you can also import them into 1Password). Use your password manager for everything. It only works to secure you if you use it!
  • Use Google Authenticator (or Authy) as your 2FA solution on every website that supports it which you want to secure.
  • Use a hardware wallet to store your private keys. Recovery passphrases can be stored in your password manager unless you have access to an industry-level secure safe at which point you can store them only offline in physical form, though that does create backup concerns. You can send portions of your recovery phrases hidden in emails to friends and family with instructions to recover the whole thing (your own web of trust), but for most people this is overkill. Problems exist with bank safety deposit boxes as well (I've heard stories). A separate computer for accessing cryptocurrency wallets isn't a bad idea. A separate computer for trades is a good idea also.
  • Don't download and install anything you don't fully understand and trust as reputable.
  • Keep your funds off exchanges. They are for exchanging, not for ownership (whoever controls the private key, essentially owns the cryptocurrency).

I hope you find that helpful. I did a short video a couple years ago on the account which you may also enjoy.

Luke Stokes is a father, husband, programmer, STEEM witness, DAC launcher, and voluntaryist who wants to help create a world we all want to live in. Learn about cryptocurrency at

I'm a Witness! Please vote for @lukestokes.mhth


Sorry to hear it. I use Yubico for 2FA, but in some cases Trezor can perform the same function. Trezor can also store your passwords.

Security will become an increasingly unsustainable nightmare until authority relinquishes control and decides to allow their security model to be turned inside out (no large honeypots or large databases of sensitive info). Data needs to live in it's own rightful location and not be hostage to authority. Hashes of data can prove ID on the rare occasion it is needed.

Thankfully, the community member impacted by this did not lose any funds at all. Other than not using a password manager and still having a phone number as part of the account recovery approach, their setup was fairly secure (no funds on exchanges, 2FA with Google auth on exchanges, etc, etc).

YubiKey's are interesting for sure. I have one but haven't started using it yet and got a little spooked with the recent recall on some models. I personally think the simplicity of Google Auth accomplishes much the same thing, but may be slightly less convenient. At least with google authenticator, I have to unlock my phone. I'm not as sure how YubiKeys work in that regard (anyone who has it can use it, assuming they also have my login password), but I should probably try it and play with it more.