This weekend, Vitalik Buterin had his account hacked, resulting in the publication of a phishing link that caused at least $700,000 in losses to investors. Buterin has since spoken out about the attack, confirming that it was the result of a SIM swap.
Vitalik Buterin confirms that a “SIM swap” was the cause of the hack on his X account
Just a few days ago, Vitalik Buterin, the founder of Ethereum (ETH), suffered a hack of his X account. As a reminder, this impersonation was used to publish a phishing link, causing at least $700,000 in theft of cryptocurrencies and non-fungible tokens (NFT) from various investors who fell for the trap.
On the decentralised social network Warpcast, Buterin confirmed last night that the intrusion had been made possible by a so-called “SIM swap” attack:
In a nutshell, SIM swapping lets an attacker take over the victim’s phone number (in effect “cloning” the SIM card), so as to receive their calls and text messages and, by extension, their two-factor authentication codes. There are several ways to achieve this: impersonating the target when contacting their mobile operator, armed with the target’s personal details, or working through an accomplice who contacts the operator on the attacker’s behalf.
The telephone number: insufficient security
On X, an account can be created with nothing more than a phone number, which in this case exposed a security gap. Vitalik Buterin, however, explains that he has no recollection of providing his number when creating his account, other than when subscribing to the premium service, which does require one.
To limit this risk, it is advisable to make sure that the login credentials of accounts considered sensitive cannot be reset simply by means of one’s phone number.
For two-factor authentication, dedicated authenticator apps are preferable to SMS codes, and the most secure option is a physical security key. Yubico keys, for example, support this, as do Ledger hardware wallets through the FIDO U2F application.
He concludes by saying that he is glad to be on Farcaster, the protocol behind Warpcast, because there his account can only be recovered with a valid Ethereum address. It is an interesting observation: this form of authentication may indeed be a more secure alternative to email addresses and phone numbers for account recovery on various web services.