You think you are making the right moves. You are smart with your security. You have enabled two-factor authentication on all your accounts. But hackers have a way around that: sim swapping.
It is a devastating method of attack with serious consequences for those who fall victim to it. Fortunately, there are ways to protect yourself. Here's how it works and what you can do.
What is a sim swap attack?
There is nothing inherently wrong with "sim swapping". If you ever lose your phone, your carrier will do a SIM swap and move your mobile phone number to a new SIM card. It is a routine customer service task.
The problem is that hackers and organized criminals have figured out how to trick telephone companies into performing SIM swaps. They then have access to accounts secured with SMS-based two-factor authentication (2FA).
Suddenly your phone number is linked to someone else's phone. The criminal then receives all text messages and phone calls that are intended for you.
Two-factor authentication has been devised in response to the problem of leaked passwords. Many sites cannot properly protect passwords. They use hashing and salting to prevent passwords from being read by third parties in their original form.
Even worse, many people reuse passwords on different sites. When a site is hacked, an attacker now has everything they need to attack accounts on other platforms, creating a snowball effect.
For security reasons, many services require people to provide a special one-time password (OTP) when logging into an account. These OTPs are generated immediately and are valid only once. They also expire after a short time.
For the sake of convenience, many sites send these OTP & # 39; s to your phone in a text message, which comes at its own risk. What happens if an attacker can find out your phone number, either by stealing your phone or doing a SIM swap? This gives that person almost unlimited access to your digital life, including your bank and financial accounts.
So, how does a sim swap attack work? Well, it depends on whether the attacker is cheating on a telephone company employee to transfer your phone number to a SIM card he or she manages. This can be done by telephone or in person at a telephone shop.
To achieve this, the attacker needs to know something about the victim. Fortunately, social media is filled with the biographical details that are likely to fool a security question. Your first school, pet or love, and your mom's maiden name can all be found on your social accounts. If that doesn't work, there is always phishing.
SIM swapping attacks are involved and time consuming, making them more suitable for targeted raids against a particular individual. It is difficult to implement them to scale. However, there are some examples of widespread SIM swapping attacks. A Brazilian organized crime gang managed to trade 5,000 victims in a relatively short time.
A "port-out" scam is similar in that it involves hijacking your phone number by "porting" it to a new mobile provider. [1
Who Is Most At Risk?
Due to the effort required, SIM swapping attacks typically have spectacular results. The motive is almost always financial.
Recently, cryptocurrency exchanges and wallets have been popular targets. This popularity is compounded by the fact that, unlike traditional financial services, there is no such thing as a chargeback with Bitcoin. Once it is shipped it is gone.
In addition, anyone can create a cryptocurrency wallet without having to register with a bank. It's the closest thing to anonymity when it comes to money, which makes it easier to launder stolen money.
A well-known victim who learned this the hard way is Bitcoin investor, Michael Tarpin, who lost 1,500 coins in a SIM-armed attack. This happened just weeks before Bitcoin reached its all-time high. At the time, Tarpin's assets were worth over $ 24 million.
When ZDNet journalist Matthew Miller fell victim to a sim swap attack, the hacker tried to buy $ 25,000 worth of Bitcoin through his bank. Fortunately, the bank was able to reverse the charge before the money came from his account. However, the attacker was still able to destroy Miller's entire online life, including his Google and Twitter accounts.
Sometimes the goal of a sim swapping attack is to embarrass the victim. This cruel lesson was learned by Twitter and Square founder, Jack Dorsey, on August 30, 2019. Hackers hijacked his account and posted racist and anti-Semitic swear words on his feed, which is followed by millions of people.
How do you know that an attack has taken place?
The first sign of a SIM swapping account is that the SIM card loses all service. You cannot receive or send text messages or calls, or access the Internet through your data plan.
In some cases, your telephone provider may send you a text message informing you that the exchange is taking place just before you move. transfer your number to the new SIM card. Here's what happened to Miller:
“On Monday June 10 at 11:30 PM, my oldest daughter shook my shoulder to wake me up from a deep sleep. She said it looked like my Twitter account had been hacked. It turned out that it was much worse than that.
After I rolled out of bed, I picked up my Apple iPhone XS and saw an SMS saying 'T-Mobile alert: The SIM card for xxx-xxx-xxxx has changed. If this change is not authorized, please call 611. & # 39; ”
If you still have access to your email account, you may also see strange activities, including notifications of account changes and online orders you don't have placed.  How should you respond?
When a sim swapping attack occurs, it is critical that you take immediate, decisive action to keep things from getting worse.
First call your bank and credit card companies and request a freezing of your accounts. This prevents the attacker from using your money for fraudulent purchases. Since you have also effectively become a victim of identity theft, it is also wise to contact the various credit bureaus and request a credit freeze.
Then try to get ahead of the attackers by moving as many accounts as possible to a new, unaffected email account. Disconnect your old phone number and use strong (and completely new) passwords. For all accounts that you cannot reach in time, please contact customer service.
Finally, you must contact the police and report it. I cannot say this enough – you are the victim of a crime. Many homeowners insurance policies provide protection against identity theft. If you file a police report, you may be able to file a claim against your policy and get some money back.
How to Protect Yourself from an Attack
Of course prevention is always better than cure. The best way to protect you from SIM swapping attacks is to simply not use SMS-based 2FA. Fortunately, there are some compelling alternatives.
You can use an app-based authentication program, such as Google Authenticator. For another level of security, you can choose to purchase a physical authentication token, such as the YubiKey or Google Titan Key.
If you absolutely must use text or call-based 2FA, you should consider investing in a special SIM card that you don't use anywhere else. Another option is to use a Google Voice number, although it is not available in most countries.
Unfortunately, even if you use app-based 2FA or a physical security key, many services allow you to bypass them and regain access to your account via SMS sent to your phone number. Services such as Google Advanced Protection provide more bulletproof security for people at risk of being targeted, such as journalists, activists, business leaders, and political campaign teams.
RELATED: What is Google Advanced Protection and Who Should Use It?