Key Takeaways
SIM swapping is a method hackers use to bypass two-factor authentication (2FA) by tricking phone companies into transferring a phone number to a new SIM card.
SIM-swapping attacks primarily target financial gains, with cryptocurrency accounts being preferred due to their absence of chargeback options. In case you suspect a SIM-swapping attack, it is crucial to promptly safeguard your bank accounts and credit lines, update your passwords, and inform the authorities to file a report. To prevent such attacks, it is advisable to utilize app-based authentication or physical security keys instead of relying on SMS-based 2FA.
Believing that you are executing all the correct actions, with your security measures in place, and two-factor authentication activated on all your accounts. However, hackers have found a method to circumvent this security measure, known as SIM swapping.
This article for Cybersecurity Awareness Week is presented by Incogni in collaboration.
What Is a SIM-Swap Attack?
"SIM swapping" is not inherently problematic. In the event of losing your phone, your carrier will undertake a SIM swap and transfer your mobile number to a fresh SIM card. This is a regular customer service procedure.
Hackers and organized criminals have successfully devised methods to manipulate phone companies into conducting SIM swaps, posing a major concern. Through this technique, they gain unauthorized access to accounts that rely on SMS-based two-factor authentication (2FA).
Consequently, your phone number becomes linked to a different device belonging to the criminal. As a result, they gain complete control over all incoming text messages and phone calls that were originally meant for you.
Two-factor authentication was developed as a solution to the issue of password leaks. Numerous websites lack proper password protection measures and rely on techniques like hashing and salting to obfuscate passwords, preventing unauthorized access by external parties.
Moreover, the problem worsens as individuals tend to reuse passwords across various platforms. In the event of a hack on one site, the attacker gains access to all the necessary information to compromise accounts on other platforms, leading to a domino effect.
To ensure security, numerous services necessitate individuals to enter a unique, single-use password (OTP) each time they log into their accounts. These OTPs are generated instantly and have limited validity, expiring within a brief duration.
To enhance convenience, several websites transmit these OTPs directly to users' mobile phones via text messages, which poses certain risks. What if an attacker manages to acquire your phone number, either by stealing your device or executing a SIM swap? This grants the perpetrator nearly unrestricted entry into your digital existence, encompassing your banking and financial profiles.
So, how exactly does a SIM-swap attack function? Essentially, it relies on the attacker deceiving a phone company employee into transferring your phone number to a SIM card that they have control over. This manipulation can occur either through a phone call or in-person at a phone store.
In order to successfully execute this attack, the perpetrator must possess some knowledge about their target. Thankfully, social media platforms are abundant with personal information that can easily trick security questions. Details such as your first school, pet, love interest, and even your mother's maiden name can often be obtained from your social media accounts. And in case these methods fail, there's always the option of resorting to phishing tactics.
SIM-swapping attacks are both intricate and time-consuming, making them more suitable for targeted intrusions directed towards specific individuals. Executing such attacks on a large scale is challenging. Nevertheless, there have been instances of SIM-swapping attacks affecting numerous individuals. For instance, a Brazilian organized crime gang successfully conducted SIM swaps on 5,000 victims within a relatively brief timeframe.
A similar scheme known as a "port-out" scam entails the hijacking of one's phone number through the process of "porting" it to a different cellular service provider.
Who Is Most at Risk?
Hannah Stryker
SIM-swapping attacks often yield remarkable results when considering the extensive effort involved, predominantly driven by financial motives.
In recent times, cryptocurrency exchanges and wallets have become attractive targets for such attacks. This is further amplified by the absence of chargeback options with Bitcoin, distinguishing it from conventional financial services. When a Bitcoin transaction is completed, it becomes irretrievable.
Additionally, individuals can establish a cryptocurrency wallet without the necessity of registering with a financial institution. This provides a level of anonymity in financial transactions, simplifying the process of laundering stolen funds.
A notable example of someone facing the consequences of this is Michael Tarpin, a prominent Bitcoin investor. He fell victim to a SIM-swapping attack, resulting in the loss of 1,500 coins. This unfortunate incident occurred just weeks prior to Bitcoin reaching its highest ever value. At that time, Tarpin's assets amounted to a staggering $24 million.
ZDNet journalist Matthew Miller experienced a SIM-swap attack, where the hacker attempted to buy $25,000 worth of Bitcoin using his bank account. Fortunately, the bank was able to reverse the transaction before the funds were withdrawn. However, the attacker successfully gained control of Miller's online presence, including his Google and Twitter accounts.
In another incident, Twitter and Square founder Jack Dorsey became a victim of a SIM-swapping attack on August 30, 2019. Hackers seized control of his Twitter account, using it to spread racist and anti-Semitic messages to his millions of followers.
How Do You Know an Attack Has Taken Place?
The first sign of a SIM-swapping account is the SIM card loses all service. You won’t be able to receive or send texts or calls, or access the internet through your data plan.
Miller's phone provider sent him a text just before transferring his number to a new SIM card. This alarmed him when his oldest daughter woke him up at 11:30 pm on Monday, June 10th. She relayed that his Twitter account had been hacked, but the situation turned out to be even more dire.
Upon awakening, I reached for my Apple iPhone XS and observed a text notification stating, "T-Mobile alert: The SIM card for xxx-xxx-xxxx has been altered. If this modification was not authorized, please contact 611.'"
Furthermore, if you retain access to your email account, you may encounter peculiar occurrences such as receiving notifications about alterations to your account and unfamiliar online orders that you did not initiate.
How Should You Respond to a SIM-Swapping Attack?
When a SIM-swapping attack happens, it’s crucial you take immediate, decisive action to prevent things from getting worse.
Start by immediately contacting your bank and credit card companies to place a freeze on your accounts, preventing any unauthorized transactions. As you've become a victim of identity theft, it is advisable to inform the different credit bureaus and request a credit freeze.
Next, proactively outsmart the attackers by transferring your accounts to a new and uncompromised email address. Disconnect your previous phone number and create strong and entirely new passwords. If you are unable to take these actions promptly for certain accounts, reach out to their customer service departments.
Finally, you must get in touch with the police and submit a report. I cannot stress this enough — you are the target of a crime. Numerous homeowner's insurance policies offer coverage for identity theft. By filing a police report, you may be able to initiate a claim against your policy and reclaim a portion of the funds.
How to Protect Yourself From an Attack
Hannah Stryker
Undoubtedly, taking preventive measures is preferable to finding a solution afterwards. Avoiding the use of SMS-based 2FA is the most effective approach to safeguard against SIM-swapping attacks. Thankfully, there exist several convincing alternatives.
To enhance your security, opt for an app-based authentication program such as Google Authenticator. For added protection, you may also acquire a physical authenticator token like the YubiKey or Google Titan Key.
If you must resort to text- or call-based 2FA, it is advisable to invest in a separate SIM card solely for this purpose. Alternatively, you can utilize a Google Voice number, bearing in mind that it may not be accessible in all countries.
Regrettably, despite utilizing app-based 2FA or a physical security key, numerous services still enable users to bypass these measures and regain control of their accounts by sending a text message to their phone number. To address this concern, services like Google Advanced Protection provide enhanced security features that are particularly beneficial for individuals vulnerable to targeting, such as journalists, activists, business leaders, and political campaign teams.
It is disheartening to note that a considerable number of services currently offer only SMS or voice call based 2FA, including many banks. As a result, it is crucial to be proactive and prepared for potential attacks of this nature.