Having two-factor authentication (2FA) in place is a good way to keep your accounts safe, but if it’s over text, it’s not foolproof. SIM hijacking, or SIM swapping, has been around for a while, but as our financial identities exist increasingly online, it’s becoming a lot more popular to steal phone numbers and use them to gain access to accounts. It’s getting harder to pull off as phone carriers slowly enhance their security procedures and as 2FA apps like Google Authenticator and Authy become more common, but as of 2018, it’s still a growing problem.
How does it work?
1. Finding a target
Laying the groundwork is a crucial part of SIM swapping. First, the attackers find some personal information on potential targets. Anything from bank logins to age, location — even social security numbers — can be found floating around the web. If they need more, they may use a phishing attack to trick users into revealing something crucial.
2. Tricking tech support
Now that they have a strategy, the hacker will call up your carrier (it’s pretty easy to find out which carrier a number is on), use what they know about you to get through the security questions, and ask them to port the number to a new SIM card. With a bit of social engineering, they can trick the tech support representative into putting a user’s number onto a phone controlled by hackers.
3. Swapping the SIM
If the attack succeeds, the carrier will give your number and SIM to the attacker, upon which users may (or may not) receive a message informing them that their SIM has been updated or deactivated. They will then be unable to place calls or send texts, at which point most people will realize something is wrong.
4. Accessing accounts
Once the number is under the attacker’s control, they can use it to gain access to accounts by using its 2FA capabilities or using it to reset your passwords. With your phone number, they often only need to know your email address and possibly a few pieces of personal information to get in.
5. Taking over
Once in, attackers will generally change passwords, email addresses, and other information that could enable users to regain control of their accounts. If the hacked account is a bank, cryptocurrency exchange, or other financial institution, they’ll take money. This will go on until they’ve gotten what they want or until the user gets their access revoked.
Who/What gets hacked?
Pretty much everyone is at risk of getting their SIM hijacked, but since it’s not the simplest attack to carry out, only so many people can be targeted at a time. People with easily accessible personal information, high-profile social media accounts, or high-value financial accounts are certainly vulnerable, but that doesn’t exclude average people with a decent sense of online security from running into this issue. Even something as seemingly innocuous as a memorable Instagram handle, like “@Rainbow”, could prompt a hack, since these can sell for surprisingly large amounts of money.
What if it happens to me?
If your phone suddenly loses service in a place where you normally have it, you may want to consider checking with your carrier. If you suspect a SIM swap, you should:
- Find a connection as soon as possible and get in touch with your carrier. SIM swapping is a known issue, so if they find evidence of it, they’ll probably know what to do. You may want to check back every few hours, however, to make sure someone hasn’t gotten back in.
- Monitor your email and any accounts that you know are tied to your number.
- If any suspicious activity pops up, remove your phone number from your accounts, or, if possible, change it to a VoIP number or someone else’s number.
- Make sure that the customer service representative locks down your account and gets you a new SIM, protected from unauthorized changes by a PIN.
- Even if you’re not sure which accounts have been compromised, it’s safest to follow standard post-hack practice and change your passwords and any sensitive information, like account numbers, that may have been involved.
- Stay alert. If it happened once, the information that’s floating around the Web could come back to haunt you again.
How do I protect myself?
Unfortunately, many carriers, companies, and financial institutions have yet to implement foolproof security measures to prevent this. Even with extra layers of security around customer information, the attackers may have accomplices working on the inside funneling customer information out to hijackers. That said, there are a few things you can do.
- Set up extra security with your carrier — a PIN at the very least, which requires anyone wanting to make changes to your account to enter it.
- Text- or voice-based 2FA is better than nothing, but if possible, switch your 2FA to an authentication app like Google Authenticator or Authy. These can’t be hacked using your SIM, but they’re unfortunately not a common 2FA option yet.
- Start using a VoIP (Voice over Internet Protocol) service like Google Voice. Since these phone numbers operate over the internet rather than using a SIM card, they are immune to being swapped. Replace your SIM-based number with the VoIP number wherever possible.
In conclusion: hacking happens
Even with a PIN, authenticator app, and VoIP service, you’re not exactly bulletproof — PINs can be stolen, authenticator apps aren’t widely supported, and some services won’t let you use VoIP. In the ever-shifting world of cybersecurity, the best you can generally do is set yourself up well, keep an eye out for suspicious activity, and react quickly if anything happens. The stronger your security, the less likely it is that you’ll become a target, and the quicker you react, the smaller the chance that you’ll find yourself a few dollars or Instagram accounts lighter.