You’re Under a ‘SIM Port Attack.’ Here’s How to Fight Back. NOW.

9 min readMay 26, 2019

These are immediate steps you can take to prevent further damage. Please note: this post is Gmail specific. However, many element may be applicable for similar SIM Port Attacks.

Symptoms
What to Expect from the Hacker
Steps to Reduce Current Damage <GO HERE IF EMERGENCY
Steps to Prevent Further Damage
What to Do in the Aftermath
How to Make Sure this Doesn’t Happen Again

Symptoms

Your phone no longer has carrier service — you cannot make phone calls, send/receive text messages, or connect to your carrier’s data. You should still be able to connect to WiFi.

You’ve been locked out of your Gmail — you cannot log into your email. When you try to log in, you’ll be alerted that your password was changed.

You’ve received notifications to your “recovery email” — if you have a recovery email, it will receive 3 consecutive emails alerting you of the hack: (1) the hacker has recovered your account, (2) the hacker has signed into your account, (3) the hacker has changed your password

What to Expect

1. Financial Theft

They will try to access all your personal and financial information to steal your funds, including:

Bank Accounts — JP Morgan/Chase, Bank of America, Wells Fargo, etc
Retirement Accounts — IRAs, 401Ks, Pensions, etc
Social Security — old age, survivor, disability, etc
Cryptocurrency Accounts— Coinbase, Binance, Kraken, etc

2. Repeated Attempts

Even if you succeed in getting your SIM Port returned to your phone, the hacker will likely attempt to port in again. In many cases, they will succeed. Recently, they’ve done this by bribing mobile service provider employees. Repeated attempts may occur for more than 48 hours.

3. Alternative Attack Vectors

Although difficult, the hacker may attempt to take over your 2-Factor-Authentication applications, like Authy or Google Authenticator. They will either make enough attempts to lock you out or they will succeed.

They will also change your recovery email to an address that they control.

4. Social Engineering

They will likely succeed in additional attempts to social engineer and steal your identity. They will do this by taking over many of your most valuable non-financial accounts:

Social Media — Facebook, Twitter, LinkedIn, etc
Storage Accounts — Dropbox, Box, etc (critical if you store passwords)
Shopping — Amazon, Etsy, etc
Messaging Apps — Telegram, WhatsApp, Discord, etc

5. Family Members

If you have any other family members on the same mobile service account, they will likely be targeted next. This will be especially easy for the attacker if your phone number is the listed as the primary on the account and they still have control over it.

Steps to Reduce Current Damage

1. Call Your Mobile Service Provider

Tell them you are a victim of a ‘SIM Port Hack’ and ask them to immediately disable your phone number. They will be much more willing to disable the ported phone number for everybody (you and the hacker) than they will be to try to figure out who the the real owner. You can sort out the real owner later.

AT&T: 1 (800) 331–0500
Cricket Wireless: 1 (800) 274–2538
Sprint: 1 (888) 211–4727
T-Mobile: 1 (877) 453–1304
US Cellular: 1 (888) 944–9400
Verizon: 1 (800) 922–0204

Pro tip: while you’re on hold move immediately to steps 2 (very fast to accomplish) and step 3 (you are in a race against the attacker in step 3 — GO!)

2. Disable Multi-Device Access on 2FA

Skip if you don’t use Authy.

If you use Authy and have multi-device support enabled (highly likely), go in an immediately disable it. Instructions. The hacker will attempt to steal your 2-Factor-Authentication keys.

3. Recover Your Google Account

Note: This will only begin the process of recovering your Gmail account. You’ll still need to wait 3–5 business days if successful.

Go to account recovery. You’ll be prompted to complete the following steps (image below):

Enter your hacked gmail
Enter the last password you used before the hack
Click “I don’t have my phone” — DO NOT enter your phone number. The hacker has it.
Enter the month and year the you created the Gmail — this is the worst question ever. If you get it wrong, Google will allow you to continue to Step 9, but then notify you that they could not verify that the account belongs to you. If this happens, you will need to start from the Step 1 and try again. Tips for recalling the date and month below.
Enter your recovery email — Gmail will prompt you with a hint as to what email you used as your recovery when you created your Gmail
Receive a verification code — you’ll be notified that a verification code was emailed to your recovery account
Find the verification code — go to your recovery email and find the verification code in an email
Enter the verification code — return to the account recovery page, click “next”, and enter the verification code
Confirm account recovery — if everything worked, you’ll be notified that a support specialist will contact you in 3–5 business days. If this fails, the most likely culprit is that you entered the wrong month and year that you created your Gmail (see step 4). If this fails, begin from Step 1 and try again with a different month and year.
Confirm Account Recovery Request — you’ll receive 2 emails upon a successful attempt. The first is a confirmation that you successfully made a request to recover your account
Confirm Password Reset Request — the second email you’ll receive is similar to the first. It’s another confirmation of a successful request. This one specifically let’s you know that you’ll be able to update your password

Please note Google has confirmed that even if you get to Step 11, the hacker will still have continued access to your account until you succeed at Google’s account recovery process (*if you succeed). This process is system generated and Google claims no human intervention is possible. More information below in “Aftermath” section.

Recovering Date and Month

Again, this is the worst question ever, and Google employees will be the first to admit it. Consider these strategies:

Business Formation — is this a business email? Did you create this email the same month you incorporated an LLC or other corporate entity? You can search public records to find your company’s incorporation date, which should coincide with the month and date you opened your Gmail. Here is a list of all 50 Secretary of State websites. Find the state your company is registered in. Search for your company. Find the incorporation date, which is publicly available.
Social Media — did you begin creating social media accounts from this email when you created it? Twitter, for example, specifically displays the month and year you joined the platform on your public profile.
Early Emails — who were some of the first people you would have begun emailing when you first opened your gmail? If it’s a friend or family member, ask them to search “from: yourhackedemail@gmail.com” in their Gmail inbox search bar. Then click back to the first email you ever sent them. The email will provide an exact date and time of when you might’ve created your Gmail.

4. Freeze Your Financial Accounts

Depending on the amount, consider prioritizing your cryptocurrency accounts first. Stolen cryptocurrency cannot be recovered. Submit support tickets to all the exchanges that hold your crypto.

IMPORTANT: When prompted for your email DO NOT enter the email that was hacked — it will send an automated support ticket receipt to the hacker and tip them off that you have something of value in that account. Only provide an alternative email you currently control. Explain the situation in the body of the message (see template message below):

Binance
Coinbase
Gemeni
Kraken
Poloniex — email support. DO NOT use Poloniex support portal. You must be logged in to submit a ticket. Ticket receipt will be sent to hacker.

Email: Use email you control ; DO NOT use hacked email
Subject: URGENT HACKED: Please Freeze My Account!
Body: I am currently under a SIM Port Attack. They have complete control over my <exchange> email. Please freeze my account immediately: buys, sells, transfers.
The email provided above is NOT my <exchange> email. DO NOT send any messages to my <exchange> email. I do not want an automated support ticket receipt to be sent to the hacker. I do not want them tipped off that I have anything of value in <exchange>.
Please respond to <email provide above> for all communication. I control this email and can prove my ID. The account associated with my <exchange> is actually <associated email>. PLEASE FREEZE THIS ACCOUNT IMMEDIATELY.

Steps to Prevent Further Damage

Remove Your Phone Number From All Gmails

If you have any other Gmail accounts associated with your phone number, they are vulnerable to the same attack. Go to that Gmail’s Account Settings. Then follow these instructions (image below):

Go to the security tab & select “recovery phone” — on the left hand side, you’ll see a security tab. Click and then scroll down to the section that reads “Ways we can verify it’s you.” If you have a phone number registered in the “Recovery phone” section, click the “>” arrow immediately to its right.
Enter the password — enter the password of the vulnerable email
Click the trash can icon — after you verify your password, click the garbage can icon on the far right of the “Recovery phone” window.
Confirm “Remove number”— you’ll be asked if you’re sure you want to remove your phone number. Confirm “Remove number.”

Note: after you remove your phone number, you’ll want to install proper 2-Factor-Authentication to replace it. Details below. Quick link here.

Send Yourself Automated Text Messages

The attacker will continue to try to port your SIM and your family members’ SIMs for as long as they can get away with it. You cannot trust your service provider to stop these attacks. After all, they are the ones who gave the hacker your phone number in the first place.

You should rely on your own monitoring of the situation as a “first responder” strategy. The absolute first symptom you’ll experience in a repeated attack is a loss in mobile service, so you should use an app like Do It Later (Android) to send yourself text messages every 5–20 minutes for a ~week. If your SIM is ported again, you’ll stop receiving text SMS messages. If you notice the automated messages have stopped, you’ll know you’ve lost service again.

What to do in the Aftermath

File a Police Report and FBI Investigation

SIM Port hacking is a federal offense. Submit police and FBI reports immediately. If you decide to open a lawsuit against your mobile service provider, you will want to have both of these filed.

Police Report — here is a list of all police departments in the United States. Find yours and file a report.
FBI Report — file a report with the FBI online or by phone here.

Continue Gmail Recovery Process

Google claims that the recovery process is entirely system-generated and no human intervention is ever possible (even if it happened to a Google employee). This means that if you fail to correctly answer the questions provided in the “Recover your Google account” section above, you are locked out of your account forever.

You may have noticed that one of the default questions is “What is your recovery email?” If the hacker has changed your recovery email to an account they control, you will likely fail this question and, therefore, the entire recovery process. Google claims after enough attempts there is a chance you will be provided with a new set of questions that the hacker couldn’t have tampered with. However, they do not publicly release how questions are chosen.

For what it’s worth, you have unlimited attempts to recover your account.

How to Make Sure this Doesn’t Happen Again

Set Up (Non-SMS) 2FA

Download a 2-Factor-Authentication mobile app like Authy (or Google Authenticator) and use it to secure all your Gmails.

Here is an excellent guide from Authy on how to do this.
Make sure you backup your 2FA application: “How to Backup Authy”.
Once you install it (if Authy), disable multi-device support

Thank you to all the people who helped with this article. I will not identify anyone by name who contributed to this document. You know who you are.