Another common attack facing individual holders is SIM hijacking. In this attack, the attacker convinces the phone company to port the target’s phone number over to another phone (or they pay off someone inside the phone company to do it). Since many websites use SMS to recover accounts when the password is lost, an attacker with control of the target’s phone may be able to access some of their accounts.
- Never use SMS for account recovery.
- Avoid SMS for 2FA. Use hardware tokens or OTP instead.
- Use a sovereign key storage system where no third parties have the ability to spend your coins.