In our article about the massive Facebook data leak earlier this month, we mentioned the concept of SIM swapping. This type of attack is becoming increasingly easier, thanks to leaks that associate email addresses and mobile phone numbers. Let’s take a deeper dive into how this type of attack is pulled off, why it's so popular, and steps that you can take to prevent it in the future.
Every mobile phone has a special card called a Subscriber Identity Module (SIM). These cards come in three different sizes: big, medium and small (there are other names for them, but stick with me here for simplicity). The newest phones have the smallest cards, which are about the size of your pinkie’s nail surface, if you have small fingers. If you have this smallest SIM card, you can still fit in in the tray for your older phone, thanks to cardboard adapters that are included if you ever have to buy a new card.
Actually, there is a fourth version of the SIM — a virtual SIM or eSIM — that can be found on the newest smartphone models. This allows you to use two SIMs on your phone, such as when you travel internationally (remember those days?) and want to have a local number and a second mobile carrier in another country.
How the swap works
No matter what size or shape the SIM, compromising it is a relatively simple task — this is why the attack is so popular. Scammers call your mobile carrier and say your phone was lost or you dropped it and it doesn’t work. They ask the carrier to activate a new SIM with your phone number on their phone. If they sound convincing enough (or if they've found someone at the carrier they can bribe to do their bidding), you're toast. Because once the swap is made, you don’t get any of your texts, calls or other data. Anything that is tied to your cell phone number — which, for many of us, is our only phone number — is fair game for the attacker to compromise. At this point, the scammer can change your email address and make changes to your banking and credit information, posing as you.
If you think this ploy sounds too unbelievable, think again. A group of researchers at Princeton University looked at the major US cellular carriers, along with 140 different websites. All of the carriers and 17 of these websites were found to be vulnerable. Granted, this was done during 2019, but still, reviewing the resulting paper is a chilling and frustrating analysis of how ineffective the purported protections by the carriers can be in the hands of a wily hacker with a good story.
For example, some carriers ask for personal information (such as payment details on your account) but give the hackers guidance if they guessed incorrectly with their first answer. The researchers have alsopublished a table that documents the various websites and whether their implementations were properly secured. Sadly, this table is not as outdated as you might think. While innovation happens quickly in some areas in tech, this is not one of them.
Well-known victims of SIM swaps
SIM swaps have happened to some notable people over the years. Matthew Miller, a ZDNet freelance journalist, had his phone attacked back in 2019. He lost his Twitter followers, had $25,000 worth of Bitcoin stolen (eventually returned) from his bank account, and had to change dozens of passwords that were linked to his compromised accounts.
“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur quoted in this story about SIM swaps published in 2017. Also cited in that story was what happened to Adam Pokornicky, a managing partner at Cryptochain Capital. His phone was hacked while he was online and he watched an attacker seize all of his accounts within a few minutes. His account was a target of thieves for quite some time because he had an enticing Twitter handle.
Probably one of the earliest and most infamous SIM swaps happened to DeRay Mckesson’s Twitter account back in 2016. Speaking of Twitter, its CEO Jack Dorsey’s own account was hijacked in 2019. Other celebrities who have been victims include actress Jessica Alba, the recording artist King Bach, and online personalities like Shane Dawson and Amanda Cerny. Some other horror stories have also been reported by security writer Brian Krebs.
How to prevent future attacks
There has been some progress made by the carriers on SIM swapping. The major US carriers announced an effort to make their own smartphone authentication app, which is now available as Zenkey.
As the FTC suggests, one of the first lines of defense is to be more aware of what could go wrong. They correctly recommend that you shouldn’t reply to any calls or texts that request your personal information. Ever. Even something as innocuous as a package notification text could be harmful if you click on the embedded link.
Second, as our Facebook leak article recommends, you should try to switch your second authentication factor from SMS to authenticator apps, such as Google Authenticator and Authy. While this can be a frustrating exercise (as we document in this post), it goes a long way to stopping the swaps. Also, don’t rely on Facebook, Google or Twitter to authenticate you to login to other services — you should set up a separate authentication process with unique passwords. To keep track of your password collection, use a password manager to create complex ones that you don’t have to remember and retype.
Finally, another way to try to stop potential attackers from gaining control is to put an additional passcode on your mobile phone account. The problem, as the Princeton crew found out, is that phone company call center staff can easily be persuaded to get around this protection. Matthew Miller’s story also has plenty of tips on what to do if you have been a victim of a SIM swap attack.