Protecting Yourself Against SIM Swapping Attacks

What is a SIM swap?

SIM swapping is when a hacker convinces your cell phone carrier to switch your phone number to a different SIM - one that they own. This is a relatively normal thing for a retail employee to do, which means that someone asking for a swap doesn’t raise red flags (imagine you bought a different phone and now needed to switch your cell service so you could continue receiving texts/calls on your new device).  

It doesn’t require the hacker to have any technical knowledge, just a SIM card and a phone call to your provider. Curious as to how easy this is? Check out this video of a woman breaking into someone’s phone carrier account in under 2 minutes. Even if the phone provider realizes that the action they’re being asked to take is unusual, hackers will often bribe customer service reps with upwards of $100 per swap (a huge incentive for employees who make roughly $10/hour).

Once the swap has been done, it is very difficult to reverse, as your phone will no longer work. Plus, you'll likely have to go to your carrier in person in order to prove that the swap was incorrect and that you are the owner of the account. Until you're able to do this, a hacker can intercept all your phone calls and messages, including SMS-based authentication codes for 2FA and text-based password reset options. This could allow them to access your online accounts, or blackmail you with information they've gleaned from your text messages and phone calls.

Has this happened before?

Yes! It's quite common and has impacted a number of prominent figures, including the FTC's lead technologist in 2016, many Instagram accounts, and a number of T-Mobile customers who were targeted by a crime ring dedicated to SIM swapping.

What else can these attackers do?

One victim reported that,

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook. [...]
Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

If your phone number is tied to any online accounts, the hacker can often reset your password via text, meaning that the hacker now has access to all of your accounts. They can quickly reset your primary email address password, and then use that email address to trigger password resets for other accounts like Amazon, online banking, social media sites, etc.

One example,

Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. “That’s really all you have to have to verify something with us,” he said.

All of this information is relatively easy to find: addresses can be quickly looked up on sites like WhitePages and Spokeo, and there are dedicated email lookup services. Also, Apple needs any credit card number, not necessarily the one on file. The last four digits of a credit card on file are a little harder to find, but far from impossible. If an attacker has already compromised your primary email by resetting the password, they can use it to reset access to accounts like Amazon (which show the last four digits of the credit cards on file). The hacker can then use this information to gain access to your AppleID and reset your password, as well as access all of your data on iCloud.

If you’re like many people, and you store passwords or personal data on your phone (in your notes app) or in your iCloud backup, the hacker now has access to all of this information. They can steal it for blackmail purposes or delete it for the 'lulz'. Typically this information is unrecoverable.

But I don’t have anything to hide!

This isn’t just about data, though most people would dislike having every text, email, and picture they have stored made public (or deleted!). After SIM swapping, hackers can place large orders on your Amazon account, break into your bank accounts, cryptocurrency wallets, or retirement accounts and empty them. They can also hijack your social media accounts to spread disinformation, or views antithetical to your own (racist, homophobic, or otherwise offensive).

They can destroy your online life, then start on your friends and family. Often attackers will use your (compromised) email to reach out and phish them. Some of this might be reversible. Much of it is not. Once your online identity has been stolen, it’s very difficult to prove to various online platforms that you are the true owner. This becomes even harder when you don't control the platform's means of verification (like an email account or phone number).

But no one would target me!

The most important thing to remember here is that often this isn’t an attack targeted at you personally. It’s unlikely that someone would say, ‘oh, let's target Bob’. However, hackers may target an account without knowing who the owner is. For example, common targets include cryptocurrency account holders or unique social media handles (‘the OG handles’ such as ‘@awesome’, handles you would have needed to be first to a particular platform to claim).

Then the hacker will track down the owner, swap their SIM, and take what they want. This hack requires low levels of technical sophistication, time, and money, and is extremely lucrative (OG handles sell for between $500 and $5000 each, while siphoning bank or retirement accounts can net thousands of dollars or more), making it extremely popular among hackers.

Many of the hackers in the forums dedicated to SIM swapping are teenagers. They often don’t think about the long-term consequences of their actions, and are just pursuing fun. They’re not rational actors, and often don’t have to think about their victims as people whose lives they’re destroying because they never interact with them or the consequences of their decisions.

It is also a very difficult hack to prosecute. Attribution is extremely difficult to ascertain for cyber attacks and the sheer volume of attacks taking place makes it very difficult for law enforcement to keep up.

As one law enforcement agent noted,

“For the amounts being stolen and the number of people being successful at taking it, the numbers are probably historic,” Tarazi said. “We’re talking about kids aged mainly between 19 and 22 being able to steal millions of dollars in cryptocurrencies. I mean, if someone gets robbed of $100,000 that’s a huge case, but we’re now dealing with someone who buys a 99 cent SIM card off eBay, plugs it into a cheap burner phone, makes a call and steals millions of dollars. That’s pretty remarkable.”

Recommendations for everyone:

  • Use a method of 2FA other than SMS, such as an app like Google Authenticator, or a hardware key like YubiKey. This should be used for as many sites as offer 2FA (at minimum it should be used for your primary email address).
  • Use a password manager.
  • Add a PIN to your cell phone plan (not 100% effective, but better than nothing). All four major carriers in the United States offer this service. Many carriers in Africa (including in Mozambique, South Africa, Kenya, and Nigeria), the UK, and Australia have implemented protections to enable banks to check if the customer has swapped their SIM recently when processing a transaction (so if there was a recent SIM swap, they can refuse the transaction). This limits the damage an attacker can do, but it is still wise to remain wary of these types of attacks.
  • Act immediately if you notice your cell phone stops functioning. Call your cell phone service provider from a different device and lock down your accounts immediately.
  • Use services like Privacy or Blur which provide single use credit/debit cards for purchases in order to avoid linking a single credit card to many accounts.

Additional recommendations for high-risk targets:

  • Use a hardware key for your primary email address, and app-based 2FA for other accounts. Enable 2FA for as many accounts as offer it.
  • If you use Gmail as your primary personal email account, enroll in their Advanced Protection Program.
  • Do not link your phone number to any accounts – this often enables password reset via text without warning you. If you must add a phone number to your account, set up a separate phone number with a service like MySudo or Google Voice. Do not use that phone number for ANYTHING else.
