You think you’re making all the right moves. You’re smart with your security. You have two-factor authentication enabled on all your accounts. But hackers have a way to bypass that: SIM swapping.
It’s a devastating method of attack with dire consequences for those who fall victim to it. Fortunately, there are ways to protect yourself. Here’s how it works, and what you can do.
What Is a SIM-Swap Attack?
There’s nothing inherently wrong with “SIM swapping.” If you ever lose your phone, your carrier will perform a SIM swap and move your cell phone number to a new SIM card. It’s a routine customer service task.
The problem is hackers and organized criminals have figured out how to trick phone companies into performing SIM swaps. They can then access accounts protected by SMS-based two-factor authentication (2FA).
Suddenly, your phone number is associated with someone else’s phone. The criminal then gets all text messages and phone calls intended for you.
Two-factor authentication was conceived in response to the problem of leaked passwords. Many sites fail to properly protect passwords; those that do use hashing and salting to prevent passwords from being read in their original form by third parties.
Even worse, many people reuse passwords across different sites. When one site gets hacked, an attacker now has everything he needs to attack accounts on other platforms, creating a snowball effect.
For security, many services require that people provide a special one-time password (OTP) whenever they log in to an account. These OTPs are generated on the fly and are only valid once. They also expire after a short time.
For convenience, many sites send these OTPs to your phone in a text message, which has its own risks. What happens if an attacker can obtain your phone number, either by stealing your phone or performing a SIM swap? This gives that person almost unfettered access to your digital life, including your banking and financial accounts.
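The OTP properties described above (generated on the fly, valid once, short-lived), as an added Python example that is not code from the original article. The class name, five-minute lifetime, attempt limit, and phone number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime; the article only says "a short time"
MAX_ATTEMPTS = 5        # assumed limit on wrong guesses per code


class SmsOtpService:
    """Hypothetical server-side issuer/verifier for SMS one-time passwords.

    A code is bound to a phone number, not a person: verify() succeeds for
    whoever received the text, which is why control of the number matters.
    """
    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # keys the digest of stored codes
        self._pending = {}                    # phone -> [digest, expires_at, attempts_left]

    def _digest(self, phone, code):
        return hmac.new(self._key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"   # fresh 6-digit code from a CSPRNG
        self._pending[phone] = [self._digest(phone, code),
                                self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code                                # caller hands this to an SMS gateway

    def verify(self, phone, code):
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[phone]               # expired, or too many wrong guesses
            return False
        if hmac.compare_digest(digest, self._digest(phone, code)):
            del self._pending[phone]               # valid once: consumed on success
            return True
        entry[2] -= 1
        return False


def demo():
    now = [1_000.0]                                # constructed clock, deterministic
    svc = SmsOtpService(clock=lambda: now[0])
    phone = "+15555550100"                         # constructed sample number
    code = svc.issue(phone)
    first, replay = svc.verify(phone, code), svc.verify(phone, code)
    code = svc.issue(phone)
    now[0] += OTP_TTL_SECONDS + 1                  # let the second code expire
    return first, replay, svc.verify(phone, code)  # (True, False, False)
```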
So, how does a SIM-swap attack work? Well, it hinges on the attacker tricking a phone company employee into transferring your phone number to a SIM card he or she controls. This can happen either over the phone or in person at a phone store.
To accomplish this, the attacker needs to know a bit about the victim. Fortunately for attackers, social media is filled with the biographical details needed to get past a security question. Your first school, pet, or love, and your mother’s maiden name can all likely be found on your social accounts. Of course, if that fails, there’s always phishing.
SIM-swapping attacks are involved and time-consuming, making them better-suited for targeted incursions against a particular individual. It’s hard to pull them off at scale. However, there have been some examples of widespread SIM-swapping attacks. One Brazilian organized crime gang was able to SIM swap 5,000 victims over a relatively short period of time.
A “port-out” scam is similar and involves hijacking your phone number by “porting” it to a new cellular carrier.