In recent months, cybercriminals have been resorting to an old tactic to hijack the phone numbers of unsuspecting victims and use them to make quick buck. Called a SIM swap, the attack has been at the center of many financially motivated online crime cases, including the takeover of Instagram accounts and the theft of digital currencies.
What is a SIM swap attack?
Basically, a SIM swap attack involves an attacker tricking (or bribing) someone who works at your mobile carrier to transfer your phone number to a SIM card they own. When this happens, attackers can receive and make phone calls and text messages with your phone number. But more importantly, they’ll be able to access the online accounts linked to your phone number, including your messaging and social media accounts, and your digital wallets.
How does a SIM swap happen?
To conduct a SIM swap attack, attackers need to know some basic information about their target. The phone number is obviously a necessary component, but they will also need to know enough about their victim, such as their home address or Social Security Number, to be able to pose as the victim and convince a worker at a mobile retail shop that they’ve lost their SIM card and want to transfer the same number to a new SIM.
Alternatively, some attackers make mutually beneficial arrangements with mobile shop employees to facilitate the process. In May, cybersecurity researcher Brian Krebs reported that T-Mobile was investigating one of its retail store employees for being complicit in SIM swapping schemes.
Unlike other cyberattacks like phishing, SIM swappers can carry out their attack without directly involving the target. This means the victims realize they’ve been the target of a SIM swap attack only when their phone suddenly loses its connection to the carrier. Unfortunately, by then, it’s already too late.
- Free reverse phone lookup with Google: How it works
- How to get a Google Voice number
- How to encrypt an iPhone in seconds
How bad is a SIM swap attack?
SIM swapping can be very damaging, and not just to high-profile personalities. Every one of us holds dozens of email, social media, messaging, and other online accounts, including some that are tied to our bank accounts and credit cards. Many of these services require users to link their accounts to a mobile phone for two-factor authentication (2FA) and account recovery purposes. Messaging applications such as WhatsApp, Viber, and Telegram explicitly require a mobile phone number for the initial setup.
That means that when a hacker gains access to your phone number, they can effectively take over all those accounts, even if you’ve set up 2FA on the account. In July, Vice’s Motherboard described how hackers had used SIM swapping to hijack Instagram accounts with valuable handles and resell them at high prices in online black markets.
Cryptocurrencies are also a big target for SIM swappers. Again, in July, U.S. law enforcement arrested a SIM swapper as he was about to board a plane for Europe in the Los Angeles International Airport. The suspect and his associates had stolen more than $5 million in cryptocurrency from their victims. Likewise, in August, authorities in California arrested a man who had carried out SIM swap attacks to hijack the digital wallets of his victims and steal $1 million in cryptocurrencies. More recently, a cryptocurrency entrepreneur filed a $223 million lawsuit against telecom giant AT&T for not having done enough to prevent SIM card fraud.
These are just some of the many cases of SIM swapping that have happened in recent months. SIM swappers might also use the scheme to dox or blackmail their victims after taking over their accounts.
How to protect yourself against SIM swap attacks
There are several steps you can take to protect yourself against SIM swap attacks. The first thing you should do is set a PIN or passcode for your SIM card. All major carriers support this. Setting a passcode for your SIM card makes it harder to compromise your identity. Hackers can usually obtain information such as your home address from public sources. Even your Social Security Number is retrievable from the tons of breached data that is being circulated in online black markets. A passcode can be harder to obtain.
However, passcodes are not a perfect security solution, especially if you don’t adhere to best practices for choosing strong passwords. And since you don’t frequently use your SIM card’s PIN or passcode, you must make sure you don’t forget it. Also take note that if the SIM swapper has an accomplice working at the carrier, passcodes won’t protect you because they’ll be able to bypass it.
You must also make sure your online accounts are safe in case your SIM card does become compromised. One important measure is to use alternate 2FA mechanisms. Even without SIM swapping, SMS codes are not the most secure method to protect your account. You can instead use an authenticator app such as the Google Authenticator. Authenticator apps aren’t tied to your phone number and generate unique codes in short time intervals (approximately 30 seconds).
A more secure alternative is to use a FIDO key such as the YubiKey. FIDO keys are USB devices that you link to your account. Every time a new user wants to access your account, they must insert the FIDO key into the computer. FIDO keys can’t be spoofed and are very secure, as long as you don’t lose them.
Finally, if you ultimately must tie a phone number to your accounts, try to use one from a VoIP service such as Skype or Google Voice, or use a separate SIM card that you don’t use for your day-to-day communications. Using a number that fewer people know about reduces your attack surface.