Everything you need to know about SIM swapping

SIM swapping attackers take over victims’ online accounts by stealing their cellphone numbers.

SIM swapping is an increasingly common phenomenon where attackers take over victims’ cellphone numbers in order to gain access to their online accounts. This could include their social media and email accounts, as well as bank accounts and cryptocurrency wallets.

SIM swapping is also known as SIM hijacking or port-out scams. SIM hijackers can wreak havoc with victims’ lives if they gain use of their cellphone number. SMS verification via text message is often used for two-factor authentication or to allow you to reset passwords, meaning an individual who takes control of your cellphone number can quite easily take over your online accounts.

How do SIM swapping scams work?

SIM swap scammers generally use a variety of social engineering tactics to convince an operator at a telephone company to transfer control of a victim’s phone number to them. As a phone number can only have one SIM card registered to it at a time, once this transfer happens the victim’s phone stops working, and they can no longer make or receive texts or phone calls.

It is often quite trivial for these scammers to convince a telecoms agent to transfer ownership of the cellphone number: in many cases they use data gleaned from the many data breaches of recent years — such as a Social Security number or home address — to verify “their” identity and take control of the cellphone number.

What’s the big deal?

The big deal is that having your phone number makes it easy for hackers to gain access to most of your online accounts — even if you have two-factor authentication enabled. Many online services use SMS-based two-factor authentication, meaning that the person with the phone number is the one who will get the verification text message. Given the many large data breaches of recent years — and the high number of people reusing their passwords online — it would likely not be too difficult for an attacker to access a victim’s password, and thanks to SIM swapping they can now bypass two-factor authentication too.

Even in cases where the attackers don’t have access to a user’s password, having access to their phone number could still mean they can access a person’s account. Text messages are often used for verification purposes for account recovery — meaning the attacker can simply click “Forgot Password” and set a new one with ease.

And then what?

Given how much of our life is lived online in 2018, once attackers have access to your online accounts they can do a whole lot of damage.

As well as the expected targets of accessing people’s bank accounts through SIM swapping, SIM hijackers were also reportedly targeting the accounts of people with highly sought after social media handles and taking them over. On some underground markets, popular social media handles can reportedly sell for thousands of dollars. The Instagram handle @Bitcoin was reportedly sold on an underground forum for $20,000 earlier this year. Motherboard also wrote a lengthy story featuring the owner of the @Rainbow handle on Instagram, who was targeted by aggressive SIM swap attackers who wanted control of her Instagram handle.

SIM swappers have also reportedly targeted the accounts of high-profile people on social media: the Instagram account of popstar Selena Gomez — one of the most-followed people on the social networking site — was hacked last year, reportedly through SIM hijacking, and naked photos of her ex-boyfriend Justin Bieber were published on her Instagram feed.

It’s not just high-profile social media stars and celebrities that need to be worried about SIM swappers though: people with cryptocurrency wallets would also be advised to be wary. Earlier this year, a 20-year-old Californian man was arrested for allegedly stealing $5 million in Bitcoin, primarily by using SIM swapping attacks to gain access to victims’ cryptocurrency wallets. Several of the people he targeted were tech-savvy people heavily involved in the world of blockchain and cryptocurrencies, highlighting that no one is really safe from these attacks.

How to protect yourself from SIM swapping attacks

As SIM swapping relies heavily on social engineering tactics — and on the attackers being able to convince someone to hand your number over to them — it can be quite hard to fully protect yourself against it. However, there are some steps you can take to limit your exposure to these types of attack.

· Set up a passcode or PIN that must be used in order to make any changes to your account, such as transferring your phone number. Many cellphone providers now allow this, and this passcode should be unique and different to the one used to sign into your online account.

· Don’t link your number to your online accounts, and use an authentication token or app, such as Symantec VIP, rather than SMS for two-factor authentication.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.