How to protect yourself from sim-swapping attacks

Over the past month, a new wave of SIM swapping attacks has hit members of the U.S. crypto community. More than 50 victims have reportedly lost over USD 35 million to hackers in the San Francisco Bay Area alone.

SIM swapping is not a new threat: more than USD 50 million has reportedly been stolen from over 800 individuals since 2018. But a new wave of coordinated attacks targets U.S. cryptocurrency holders, especially those using “hot”, or online, crypto wallets.

Sim Swapped. Phone number ported. Thanks @TMobile

That’s at least 15 of us in the crypto community in the last week.

My personal identity was hacked last week. The attacker was able to steal $100k+ in a sweep of my Coinbase account. I’m equal parts embarrassed, hurt, and deeply remorseful.

In an effort to raise awareness about the attack, I wrote about it here: https://t.co/ZnbB0AN6Gd

I haven’t gone public yet but I had three on me personally in the past week. Submitted an FBI report. All signs point to an inside job at the cell company. Phone records were wiped clean for an entire day and “recorded for quality and training purposes” settings were turned off.

SIM swapping (also known as SIM porting or SIM jacking) works the following way: thieves contact your telecom service provider and impersonate you to steal your phone number. Transferring a phone number is a routine request that helps whenever you upgrade your phone or switch carriers. In a SIM swap, however, the port is requested by an unauthorized party, the attacker pretending to be you. This is where the problems start, especially if your phone number is tied to services that are pivotal to your online identity, such as your recovery email account or your cryptocurrency exchange account. Once scammers hold your phone number, they use it to access your cryptocurrency account, reset your online wallet password, or ask your contacts for cryptocurrency payments.

Hacker logged into my @telegram account and messaged a bunch of folks asking for BTC.

PSA: If you got a message from me asking for BTC, that was not me.

Once the attackers have access to your account, they can lock you out with little recourse to claim them back while simultaneously draining your accounts.

SIM swapping attackers might get your phone number by using the following methods:

  1. The attacker bribes or blackmails a mobile store employee into helping them.
  2. The attacker could be a current/former mobile store employee who purposefully abuses his or her position to access the company’s customer data.
  3. Corrupt mobile company employee(s) trick their associates or colleagues at other departments into swapping your SIM card with a new one.

I’ve been hearing about another spate of SIM-jackings involving @TMobile, possibly involving bypassed PINs, which hint at insiders or weak processes.

The traditional telecom companies won’t clean up their act without a class action lawsuit and heavy fines. Switch to @googlefi. https://t.co/wp60qvyn7i

Telco giants T-Mobile and AT&T are already facing lawsuits from the U.S. crypto investor law firm Silver Miller for SIM porting related thefts, as stated by the firm’s press release.

SIM swapping symptoms and protection

Sean Coonce, engineering leader at BitGo, and Chris Robinson, community manager at Hoard.Exchange, summarized their findings and experience with the SIM swapping problem in two recent articles.

Here is what they say:

Common symptoms of SIM swapping:

  1. Your phone carrier’s service becomes unreachable for no apparent reason. You can’t make calls, send messages, or use mobile data. You can still connect to Wi-Fi, since that has nothing to do with your mobile carrier.
  2. You are locked out of your email account, be it Gmail or any other service critical to your online identity.
  3. You receive recovery email notifications like “someone signed in to your account,” “someone recovered your account,” and finally “someone changed your password.”

How to reduce the damage:

  • Get another phone and call your mobile carrier immediately. Ask them to disable your hijacked phone number.
  • Disable your SMS-based 2FA.
  • Recover your Google account.
  • Freeze, or change the passwords of, all your cryptocurrency accounts and other related financial services that could have fallen into the hackers’ hands.

If you noticed it too late and already suffered damage, submit a police report as soon as possible.

How to protect yourself against SIM porting

It is relatively easy to protect your accounts against SIM jacking attacks. Here are the things you can do right away to minimize your chances of experiencing such an attack.

  • First and foremost, don’t use SMS-based two-factor authentication (2FA) for any online accounts, especially your cryptocurrency exchanges and wallet services. Once thieves have access to any of your accounts (be it your email or Facebook account), they can harvest your private information, including your address, photos, documents, or even search history. All of them can be successfully used against you to fool your service providers. Other 2FA methods like Google Authenticator are OK but consider obtaining a universal second-factor (U2F) device like YubiKey, Google Titan Key, Thetis, or Kensington for greater safety.
  • Set up a PIN with your mobile carrier that must be provided whenever changes are made to your account.
  • Disable your phone number wherever you use it as a tool for account recovery.
  • Reduce your online footprint by leaving as little personal information online as possible. No random stranger needs to know your birth date, birth town, and other personally identifiable information. Most importantly, don’t brag about your crypto holdings. No one can target you for attacks if they can’t identify you as a target in the first place.
  • Create a secondary email for critical online identities such as bank accounts, social media, crypto exchanges, and similar services.
  • Use a multi-signature or offline wallet to store your private keys. In “hot”, or online, wallets keep only the funds you need for your daily activities. The most popular cold wallets include devices by Ledger and Trezor.

These are some common steps you can take right now to protect yourself from SIM jacking scammers.

Also, it may be good to know that SIM swappers seldom get away with their crimes as telecoms typically log most of their activities unless the getaway is completely clean, but it is best if you don’t get robbed in the first place.


Do you know what a SIM card is? It’s that little chip inside your smartphone to identify you within the cell network that assigns your phone number. It’s something you never think about unless something goes wrong with your phone.

Well, it’s time to start thinking about them. That’s because “SIM-swapping” scams are on the rise. If SIM-swapping sounds familiar, it’s because Kim warned us a long time ago about these types of attacks and how they were inevitable.

The good news is there are ways to protect your devices from these types of attacks. Keep reading and we’ll explain how SIM-swapping works and how to stay protected.

Scammers are targeting your phone with SIM-swapping

Princeton University recently conducted a study to see just how vulnerable mobile carriers are when it comes to SIM-swapping scams. They tested five major U.S. carriers by signing up for 10 prepaid accounts with each one. What they found was shocking.

One discovery was when they called into a carrier’s customer service, it only took one piece of information to verify their identity and switch service to a different SIM card. They were even able to do this if they failed to get other authentication questions right. This makes it easy for scammers to take control of your account.

To understand why this is bad, you need to know how SIM-swapping works. Here are the details:

SIM-swapping is an elaborate scam. The first thing the criminal needs to do is get some basic information about the victim. This can be done through social engineering and phishing scams where crooks gather as much information as they can.

They browse social media posts, use search engines or engage potential victims in online chats in hopes of getting details that can be used for security questions. Like your mother’s maiden name, names of pets, etc.

Criminals can also get this type of information by using keylogging or spying malware. They can also purchase personal information databases from the Dark Web.

Once scammers have the information they need, they contact the victim’s mobile phone carrier. They claim to be the victim and that their phone has been lost or stolen, so they need to activate a new phone with a fresh SIM card.

If they successfully pass the identity checks by answering security questions, the old SIM card is deactivated and the one the criminal has is activated. All of the calls and texts are now sent to the fraudster’s phone.

If this happens to you, your phone will stop working and you will most likely get a “No Service” warning. This is the first sign that you’re being scammed. And it’s not just a lack of phone service you need to worry about — the thief can now try to access your bank and other online accounts.

They do this by using the personal data they’ve already gathered, but this time they can incorporate your phone number to receive two-factor authentication (2FA) codes. If successful, they can change your profile settings and set it up to make deposits into their own account.

Now the crook can start draining your bank account. If you have 2FA set up, your bank will ask them for confirmation of who they are by requiring an authentication code sent to your phone number, which is under the criminal’s control. Game over — your bank account is now wiped out.

To make matters worse, now you have to deal with your phone company and bank to prove who you are, which can be a major headache. It’s best to take preventative steps before falling victim to one of these scams.

How to protect your phone from SIM-swap attacks

Since SIM-swap scams are becoming more prevalent, you need to know how to protect yourself. Here are some suggestions:

Use a 2FA app

As we told you earlier, SIM-swapping scams are designed to circumvent 2FA — but only if the 2FA you’re using relies on text messages sent to your phone.

Instead of using text messages for your 2FA codes, try using an authenticator app like Google Authenticator. It’s far more secure than text messages, since the codes can’t be intercepted at the carrier level.

The Google Authenticator app is available for both Apple and Android devices.

Never overshare online

For SIM-swapping scams to be successful, the criminal needs personal information. One way they get it is from social media sites like Facebook. That’s why you should never include things like your address and phone number when creating your profile.

Also, don’t give any sensitive information away if you happen to be chatting with strangers online. It might seem like you’re having a harmless conversation when they ask you the name of your childhood pet, but they can use that information against you when it comes to online account security questions.

To be safe, you should remove your personal data and opt out of broker sites.

Create a PIN for your mobile account

Some mobile carriers require a PIN code to make any changes to your account by default. Even if it’s not this way with your carrier, you should set one up.

Call your carrier and explain you want to set up a PIN they have to ask for before any changes can be made to your account — including switching SIM cards. This way, a criminal won’t be able to take over your account just by knowing the name of the first dog you ever had.

Two-factor authentication is rapidly becoming a “must-do” in this era of rampant cyber threats. I’ve discussed and encouraged two-factor authentication here and in Learning Tree’s cyber security introduction course. But it must be done correctly.

Two-step and two-factor authentication

Some organizations use hardware tokens that display numbers that change every thirty seconds or so. Apps such as Google Authenticator perform a similar function. (The main difference is that the numbers on the token are entered as part of a password – e.g. mypassword409678 – while the value on the Google Authenticator is entered separately. Thus, the former is called two-factor authentication, while the latter is called two-step authentication.)

Many web sites use a technique where a code is sent to a user’s mobile device via SMS, the “Short Message Service” generally used for text messages. There is a potential issue with that, though: the wrong people could receive the message.

SIM-swapping

SMS messages are sent to users’ phone numbers. It is assumed that only the authorized user has access to the phone corresponding to the numbers. Attackers have found ways to move the numbers to other phones. The number is associated with the phone via the SIM (subscriber identification module) card, a tiny electronic device embedded in plastic or cardboard.

There are two predominant ways attackers move a number to a device they control and both rely on social engineering. The first way is to contact the victim’s mobile service provider, pretend to be the victim, and get the number re-assigned. The second way is for the attacker to pretend to be an employee of the service provider and gain access to the provider’s subscriber management database.

Attackers have used these techniques to steal cash and bitcoin. One theft was alleged to be in the tens of millions of dollars. But many are smaller and the victims are not just individuals; the attackers may want access to corporate or government systems. The problem has become significant and US Senators and Members of Congress have sent a letter to the FCC asking it to take action.

My concern is that web sites and others use messages sent by SMS to validate password changes. If an attacker has access to the SMS messages of a victim, not only can the attacker receive access codes, but can also reset account passwords.

What can be done to protect your account

If SMS can be used as an authentication step, mobile service providers must take two important steps. The first is to train their employees about the dangers of social engineering attacks. Specifically, they must be taught to accurately authenticate number change requests. Secondly, there needs to be mechanisms deployed that prevent a single employee from making a change without actual confirmation from the subscriber.

Some providers – e.g. T-Mobile – allow users to enable a process where number changes can only be made when the user appears in person with proper identification. At least at T-Mobile, the process is voluntary and may have some issues. Many providers have a feature where a PIN is required for a change.

The best solution is to use a different second step such as Google Authenticator, but with ubiquitous SMS capabilities on mobile devices, sending a number via a text message is attractive to website designers. If using another option is impossible or unavailable, enabling all possible account protections is essential.

What Is a SIM-Swap Attack?

There’s nothing inherently wrong with “SIM swapping.” If you ever lose your phone, your carrier will perform a SIM swap and move your mobile phone number to a new SIM card. It’s a routine customer service task.

The problem is that hackers and organized criminals have figured out how to trick phone companies into performing SIM swaps. They can then access accounts protected by SMS-based two-factor authentication (2FA).

Suddenly, your phone number is associated with someone else’s phone. The criminal then receives all text messages and phone calls meant for you.

Two-factor authentication was conceived in response to the problem of leaked passwords. Many sites fail to protect passwords properly. Hashing and salting are used to prevent passwords from being read in their original form by third parties.

Even worse, many people reuse passwords across different websites. When one site gets hacked, an attacker has everything he needs to attack accounts on other platforms, creating a snowball effect.

For protection, many services require that people provide a special one-time password (OTP) each time they log in to an account. These OTPs are generated on the fly and are only valid once. They also expire after a short time.

For convenience, many websites send these OTPs to your phone in a text message, which has its own risks. What happens if an attacker can obtain your phone number, either by stealing your phone or by performing a SIM swap? This gives that person almost unfettered access to your digital life, including your banking and financial accounts.

So, how does a SIM-swap attack work? It hinges on the attacker tricking a phone company employee into moving your phone number to a SIM card he or she controls. This can happen either over the phone or in person at a phone store.

To accomplish this, the attacker needs to know a bit about the victim. Unfortunately, social media is filled with the biographical details likely to fool a security question. Your first school, pet, or love, and your mother’s maiden name can all probably be found in your social accounts. Of course, if that fails, there’s always phishing.

SIM-swapping attacks are involved and time-consuming, making them better suited to targeted incursions against a particular individual. They are difficult to pull off at scale. However, there have been some examples of large-scale SIM-swapping attacks. One Brazilian organized crime gang was able to SIM swap 5,000 victims over a relatively short period of time.

Criminal hackers have been targeting Instagram users with short or unique usernames, as well as people who own Bitcoin. To steal the victim’s accounts or cryptocurrencies, the hackers first seize the cell phone numbers of targets, which gives them the ability to reset passwords on any account linked to a given number.

This kind of hack is what’s called a port out scam—an expression derived from the concept of porting a number from one carrier to another—and is also known as SIM swapping or hijacking. One hacker who used to SIM swap told me it happens “all the time,” despite telecom providers having known about this attack method for years. According to T-Mobile, hundreds of people have been hit by this scam. In the last few months, Motherboard has spoken to more than 30 victims who have gotten their numbers stolen. In addition to her Instagram handle, one SIM hijacking victim I spoke to got her Amazon, Ebay, Paypal, Netflix, and Hulu accounts hacked as a result.

“Our phones are our greatest vulnerability,” she told me.

So, what can you do to protect yourself?

Ultimately, this hack relies on scammers tricking carriers’ tech support, and if the company’s representatives take the bait, it’s important to remember that there’s only so much you can do. The good news is you can make it considerably harder for hackers to steal your phone number. And, even more importantly, you can take steps to mitigate the damage in case they are able to steal it anyway.

HARDEN YOUR ACCOUNT

In light of increasing attacks against customer’s accounts, the major US cell phone providers have introduced new security features to make it harder for hackers to take over accounts and telephone numbers.

AT&T allows customers to add a passcode to their accounts. This is a credential that’s separate from the password customers use to log into their accounts online. This passcode will be required to make significant changes to the account, such as porting the number to a different SIM card. Here’s a detailed step-by-step from AT&T on how to turn on this feature.

Verizon says it now requires every customer to have a PIN or password as a “primary authentication” method when they reach out to a call center. This PIN is similar to the passcode that AT&T customers can set up, as it’s used when communicating with Verizon tech support and provides an extra layer of security.

Last year, T-Mobile started offering a “port validation feature” to protect against these hacks. This is essentially a passcode, separate from the usual password to access the online account, that is required whenever someone tries to make changes to the account, such as getting a new SIM card. Ask a T-Mobile representative to add this code to your account. This can protect you from a hacker who may pretend to be you on the phone, or from a scammer attempting to use a fake ID at a T-Mobile store, as they should still be required to provide the code.

Sprint also offers customers a separate PIN that needs to be provided when doing a SIM swap, in addition to the option of answering a security question instead.

We advise calling your provider directly and telling them that you’re worried about criminals taking over your phone number, and asking for all the extra security measures you can take to protect your account.
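To make the carrier-side controls described above concrete, here is an added model (not any carrier’s real system; the class and field names are hypothetical) of how a port-validation passcode, lockout after repeated wrong guesses, a confirmation sent to the SIM still on the account, and a no-single-employee override fit together:

```python
"""Carrier-side SIM-change authorization, modelled after the controls the
articles describe: a port-validation passcode separate from the web password,
lockout after repeated wrong guesses, a confirmation code delivered to the SIM
still on the account, and no single-employee override. Added example; the
class and field names are hypothetical, not any carrier's real system."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_FAILED = 3           # wrong passcodes before the account is locked
PBKDF2_ROUNDS = 200_000  # passcode hashing cost


def hash_passcode(passcode: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a salted PBKDF2 hash of the passcode, never the passcode."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Subscriber:
    msisdn: str                        # the phone number being protected
    passcode_salt: bytes
    passcode_hash: bytes
    current_iccid: str                 # SIM currently active on the account
    failed_attempts: int = 0
    locked: bool = False
    pending_code: Optional[str] = None  # confirmation sent to the current SIM
    audit: List[tuple] = field(default_factory=list)


class SimChangeService:
    """Two-step flow: passcode check, then confirmation from the old SIM."""

    def request_change(self, sub: Subscriber, passcode: str, new_iccid: str, agent: str) -> str:
        if sub.locked:
            sub.audit.append(("denied_locked", agent, new_iccid))
            return "denied: account locked, verify identity in person"
        _, digest = hash_passcode(passcode, sub.passcode_salt)
        if not hmac.compare_digest(digest, sub.passcode_hash):
            sub.failed_attempts += 1
            if sub.failed_attempts >= MAX_FAILED:
                sub.locked = True
            sub.audit.append(("bad_passcode", agent, new_iccid))
            return "denied: wrong passcode"
        sub.failed_attempts = 0
        # The confirmation goes to the SIM still on the account, so the real
        # holder sees the attempt (and can refuse it) before the number moves.
        sub.pending_code = f"{secrets.randbelow(10 ** 6):06d}"
        sub.audit.append(("confirmation_sent", agent, new_iccid))
        return "pending: confirmation code sent to current SIM"

    def confirm_change(self, sub: Subscriber, code: str, new_iccid: str, agent: str) -> bool:
        ok = sub.pending_code is not None and hmac.compare_digest(code, sub.pending_code)
        sub.pending_code = None        # one attempt per code; restart on failure
        if not ok:
            sub.audit.append(("bad_confirmation", agent, new_iccid))
            return False
        sub.current_iccid = new_iccid
        sub.audit.append(("sim_changed", agent, new_iccid))
        return True

    def override_change(self, sub: Subscriber, new_iccid: str, agent: str,
                        second_approver: Optional[str]) -> bool:
        """Override without the passcode needs a second, distinct approver."""
        if not second_approver or second_approver == agent:
            sub.audit.append(("override_denied", agent, new_iccid))
            return False
        sub.current_iccid = new_iccid
        sub.audit.append(("sim_changed_override", agent, second_approver, new_iccid))
        return True
```

The audit list is what a fraud team would review: a run of `bad_passcode` or `override_denied` entries against one number is the signal that someone is trying to move it.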

DON’T LINK YOUR NUMBER TO YOUR ONLINE ACCOUNTS

Once hackers steal your phone number, they leverage it to reset the password on any online account that’s linked to the number. In many cases, this bypasses two-factor authentication. That’s why having control of a phone number is so powerful.

If possible, you should remove your phone number from any account that could interest hackers. You can still link a type of phone number to those accounts, but we suggest using a VoIP number, such as a Google Voice number, that is SIM hijack-proof. Of course, you must protect this number as well, using a unique password, two-factor authentication on the account, and making sure it doesn’t expire if you don’t use it regularly.

To remove your phone from your Gmail account, go to myaccount.google.com, log in (if necessary), and then click on Personal Info & Privacy and Personal Info. If you have your number there, remove it. Also be sure you don’t have a phone number listed under Account Recovery Options. Instead, add an authentication app like Google Authenticator as two-factor.

If you really want to have a number there, we suggest creating a new Google Voice number—from a different, ideally ad hoc Gmail account—and use that number. Note that Google Voice is only available in the United States, so anywhere else and you will have to try a different VoIP service. (Pro tip: always create and save recovery codes when you turn on two-factor.)

To remove your phone from your Microsoft account, go to account.live.com, navigate to Security, and then click on Update Info under Update Your Security Info. If you have a phone number there, remove it, unless it’s a Google Voice or another VoIP number.

If you use an Apple device, go to appleid.apple.com, log in, then click on Edit next to the Security section. Add your Google Voice or VoIP number as Trusted Phone Number and then remove your regular phone number if you had it there. For iMessage and FaceTime you’ll still need to provide your actual cell phone number, but you can use a different one as a Trusted Phone Number.

On Twitter, click your avatar, go to Settings and Privacy, and navigate to Mobile on the right hand menu. If you have two-factor enabled, you’ll need to provide a number. For this reason, we suggest you provide a VoIP or Google Voice number so that hackers can’t SIM swap it. It’s also possible to just use an authenticator app or security key and remove your phone number from Twitter altogether.

The situation is similar for Instagram: From the mobile app, click on your avatar, then Edit Profile and change your number to a VoIP or Google Voice number. Unlike Twitter though, it’s not possible to remove your phone number altogether from Instagram without turning off two-factor.

For Facebook, select Settings under the drop-down arrow at the top right. First, click on Mobile in the right-side menu, and remove your phone number. Now add your Google Voice or other VoIP number. Then navigate to Security and Login (also on the right-side menu), click on Edit in the Use Two-Factor Authentication option, and make sure your new VoIP or Google Voice number is there.

Finally, for Amazon, click on Accounts and Lists, then Your Account. Then click on Login & Security, input your password, and check if you have your number listed there. If you do, you know the drill: swap it for your VoIP or Google Voice number.

We suggest you do the same for Paypal, eBay, Netflix, and similar other accounts, plus your bank of choice.

Protect yourself before it’s too late.

Sep 21, 2018, 6:05 pm

In recent months, cybercriminals have been resorting to an old tactic to hijack the phone numbers of unsuspecting victims and use them to make quick buck. Called a SIM swap, the attack has been at the center of many financially motivated online crime cases, including the takeover of Instagram accounts and the theft of digital currencies.

What is a SIM swap attack?

Basically, a SIM swap attack involves an attacker tricking (or bribing) someone who works at your mobile carrier to transfer your phone number to a SIM card they own. When this happens, attackers can receive and make phone calls and text messages with your phone number. But more importantly, they’ll be able to access the online accounts linked to your phone number, including your messaging and social media accounts, and your digital wallets.

How does a SIM swap happen?

To conduct a SIM swap attack, attackers need to know some basic information about their target. The phone number is obviously a necessary component, but they will also need to know enough about their victim, such as their home address or Social Security Number, to be able to pose as the victim and convince a worker at a mobile retail shop that they’ve lost their SIM card and want to transfer the same number to a new SIM.

Alternatively, some attackers make mutually beneficial arrangements with mobile shop employees to facilitate the process. In May, cybersecurity researcher Brian Krebs reported that T-Mobile was investigating one of its retail store employees for being complicit in SIM swapping schemes.

Unlike other cyberattacks like phishing, SIM swappers can carry out their attack without directly involving the target. This means the victims realize they’ve been the target of a SIM swap attack only when their phone suddenly loses its connection to the carrier. Unfortunately, by then, it’s already too late.

How bad is a SIM swap attack?

SIM swapping can be very damaging, and not just to high-profile personalities. Every one of us holds dozens of email, social media, messaging, and other online accounts, including some that are tied to our bank accounts and credit cards. Many of these services require users to link their accounts to a mobile phone for two-factor authentication (2FA) and account recovery purposes. Messaging applications such as WhatsApp, Viber, and Telegram explicitly require a mobile phone number for the initial setup.

That means that when a hacker gains access to your phone number, they can effectively take over all those accounts, even if you’ve set up 2FA on the account. In July, Vice’s Motherboard described how hackers had used SIM swapping to hijack Instagram accounts with valuable handles and resell them at high prices in online black markets.

Cryptocurrencies are also a big target for SIM swappers. Again, in July, U.S. law enforcement arrested a SIM swapper as he was about to board a plane for Europe in the Los Angeles International Airport. The suspect and his associates had stolen more than $5 million in cryptocurrency from their victims. Likewise, in August, authorities in California arrested a man who had carried out SIM swap attacks to hijack the digital wallets of his victims and steal $1 million in cryptocurrencies. More recently, a cryptocurrency entrepreneur filed a $223 million lawsuit against telecom giant AT&T for not having done enough to prevent SIM card fraud.

These are just some of the many cases of SIM swapping that have happened in recent months. SIM swappers might also use the scheme to dox or blackmail their victims after taking over their accounts.

How to protect yourself against SIM swap attacks

There are several steps you can take to protect yourself against SIM swap attacks. The first thing you should do is set a PIN or passcode for your SIM card. All major carriers support this. Setting a passcode for your SIM card makes it harder to compromise your identity. Hackers can usually obtain information such as your home address from public sources. Even your Social Security Number is retrievable from the tons of breached data that is being circulated in online black markets. A passcode can be harder to obtain.

However, passcodes are not a perfect security solution, especially if you don’t adhere to best practices for choosing strong passwords. And since you don’t frequently use your SIM card’s PIN or passcode, you must make sure you don’t forget it. Also take note that if the SIM swapper has an accomplice working at the carrier, passcodes won’t protect you because they’ll be able to bypass it.

You must also make sure your online accounts are safe in case your SIM card does become compromised. One important measure is to use alternate 2FA mechanisms. Even without SIM swapping, SMS codes are not the most secure method to protect your account. You can instead use an authenticator app such as the Google Authenticator. Authenticator apps aren’t tied to your phone number and generate unique codes in short time intervals (approximately 30 seconds).

A more secure alternative is to use a FIDO key such as the YubiKey. FIDO keys are USB devices that you link to your account. Every time a new user wants to access your account, they must insert the FIDO key into the computer. FIDO keys can’t be spoofed and are very secure, as long as you don’t lose them.

Finally, if you ultimately must tie a phone number to your accounts, try to use one from a VoIP service such as Skype or Google Voice, or use a separate SIM card that you don’t use for your day-to-day communications. Using a number that fewer people know about reduces your attack surface.

A common cyber threat is the SIM swapping attack, in which hackers take over the victim’s phone number, bypass SMS-based multi-factor authentication and steal credentials. The US Federal Trade Commission (FTC) has decided to help users by giving some instructions on how to protect themselves from these attacks.

SIM swapping attacks are also known as SIM hijacking, SIM splitting or SIM jacking. The hackers’ primary goal is to gain control of the victim’s phone number.

This is often done with the help of mobile carriers. Hackers often bribe carrier employees and ask them to reassign the victim’s phone number to the hackers, so that they control it and not the victim. Alternatively, instead of bribing employees, they deceive them through social engineering.

Criminals usually use one of the following methods to carry out the attack:

  1. Criminals bribe or blackmail an employee of the telecommunications company into taking part in the crime.
  2. Employees willingly participate, taking advantage of their access to customer data to assist the criminals.
  3. Employees deceive colleagues in other branches of the company and pressure them into swapping the SIM card.

Once criminals obtain their victim’s credentials through this process, they can do various things, such as access bank accounts, steal money, or use the victim’s social media or e-mail.

As the FTC warns: “They could change their passwords and prevent you from logging into your accounts.”


What are the FTC’s tips to protect against SIM swapping attacks?

  • Don’t reply to calls, messages or emails that request personal information. Companies do not request such information through these channels, so the request may be a phishing attack. Be very careful.
  • Don’t share a lot of personal information online. Ideally, do not post details such as your full name, address or phone number on social media or any other site. Criminals can use this information to answer security questions (used to verify your identity) and sign in to your accounts.
  • Use a PIN or a strong password on your accounts.
  • Use more effective authentication methods, especially on accounts that contain sensitive personal or financial information. SMS-based multi-factor authentication can be bypassed in a SIM swapping attack, so it is best to use an authentication app or a security key instead.

What about people who have already been the victim of a SIM swapping attack? How can they limit the consequences?

  1. Contact your carrier immediately and get your phone number back. Once this is done, change your account passwords.
  2. Check your credit card and bank accounts immediately to see whether any charges or changes have occurred. If you find anything suspicious, contact your bank immediately.

SIM swapping attacks, like any other attack aimed at stealing credentials and thus gaining access to accounts and to personal and financial data, can cause major problems for the victims. For this reason, all users should be very careful and follow the advice of security experts in order to stay safe.


These days, account protection is getting smarter—but hackers are getting smarter, too.

Many of today’s banks, email providers, and e-commerce sites have a two-factor verification option that sends a one-time PIN to your phone every time you attempt to log in. Since you need both this PIN and your usual password to sign in, two-factor authentication is a great way to keep your accounts guarded against infiltration.

Unfortunately, it’s not infallible, because hackers have learned how to get around it. You may be shocked to learn that today’s fraudsters can hijack your SIM card and get access to all your messages—including your one-time PIN. This process, known as SIM hijacking or SIM swapping, has become an increasingly popular way for scammers to circumvent the two-factor security measure and get into high-value accounts. Accounts that use single-factor verification (i.e. password only) are at even greater risk since you can usually reset a password using the account’s linked phone number.

Some of the common targets of this scam include high earners and people with highly desirable social media or gaming handles, but SIM hijacking can happen to anyone. That’s why it’s important that you know how to protect yourself against it.

Cybersecurity tips for avoiding SIM hijacking

1. Understand How SIM Hijacking Works

As with any scam, the first step in protecting yourself against it is to understand how the scheme works.

Scammers start the hijacking process by finding a target and collecting their personal information. They get hold of data like email addresses, mailing addresses, government-issued ID numbers, date of birth and more by trawling social media, setting up phishing attacks, or buying it from other online fraudsters.

Then, the hijackers contact your phone carrier. They use the information they’ve swiped to answer your security questions and convince your carrier to port your phone number onto a SIM card in their possession. Once they have access to your number and all your messages, the hackers can start breaking into your accounts, taking your money, stealing your social media handles and more.

2. Add a PIN to Your Phone Account

Now you know how SIM hijacking works, the first measure you can take to prevent it is clear: harden your phone account by adding a PIN code. Most of today’s cell phone providers allow you to set up a PIN that you must state to make changes to your account. If you don’t have a PIN, hackers only need to know your easily obtained personal details to convince your phone carrier to port your number to a new SIM. To set up a PIN code, check your online phone account, call the customer service department, or head to your carrier’s local store in person.

3. Change to a 2FA App

Another great way to prevent hackers from bypassing your two-factor phone verification is to use a different verification tool altogether: an app. Two-factor verification methods that use a 2FA app instead of a phone number are far more secure because they can’t be hacked using a SIM card. A fraudster would need to steal your phone and know your phone passcode to break into your account using a two-factor app, which is a very unlikely scenario given that most hackers work remotely.

4. Don’t Put Personal Information Online

Alongside hardening your accounts, you can avoid becoming a SIM hijacking victim by preventing hackers from accessing your personal information. To protect yourself against any type of fraud or identity theft, never put your phone number, date of birth, email address, or answers to security questions (like your first car, first pet, or maiden name) online. Look at your profiles on social media, online marketplaces, and web portfolios to see if you’ve put up any information that could be used to hack you. If you have, delete those posts as quickly as you can.

5. Don’t Open Phishing Emails

Phishing emails are another common way hijackers get your personal information. These fake emails are set up to look like communications from your account providers, but all the information you send them goes straight to the fraudster targeting you. In general, the best way to avoid a phishing scam is to never click on links in emails that claim to come from your bank or other account providers. If you receive an email from your bank asking you to update your details, for example, do not click on the update link. Instead, go to your bank’s official website and log into your account to see if the request is legitimate.

6. Remove Your Phone Number from Your Accounts

Remember that SIM hijacking isn’t just used to bypass two-factor verification. Hackers also use it to quickly and easily access accounts that are only secured by a password (such as Twitter, Instagram, and gaming accounts). You can stop hackers resetting your password in this way by removing your phone number from all your social media and email accounts. If you must add a number to an account, use a VoIP number (like Google Voice) as these services can’t be SIM hijacked.

7. Know How to Respond

If you do become the victim of a SIM hijacking scam, you’ll need to respond quickly and efficiently to minimise the damage. First, make sure you know how to spot a hijacking. When a scammer gets access to your phone number, you won’t be able to make calls or send texts from your phone anymore. So, if you suddenly lose service or get a message that your SIM has been deactivated, contact your carrier to secure your account.

Alongside contacting your carrier, check your email account for notifications of suspicious login activity or changed passwords. This will let you know which accounts the attacker has logged into, so you can get in touch with those companies and take anti-fraud measures. You should also change the passwords on all your sensitive accounts, just in case the hacker has accessed them or plans to in the future.

And after you’ve responded to a hijacking incident, don’t forget to stay alert. If fraudsters could find your personal information once, they can do it again.

Bottom Line

Even though there’s no surefire way to protect against hacking, following the advice above is the best way to drastically reduce your risk.

Two-factor authentication is rapidly becoming a “must-do” in this era of rampant cyber threats. I’ve discussed and encouraged two-factor authentication here and in Learning Tree’s cyber security introduction course. But it must be done correctly.

Two-step and two-factor authentication

Some organizations use hardware tokens that display numbers that change every thirty seconds or so. Apps such as Google Authenticator perform a similar function. (The main difference is that the number on the token is entered as part of the password – e.g. mypassword409678 – while the value from Google Authenticator is entered separately. Thus, the former is called two-factor authentication, while the latter is called two-step authentication.)
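To make concrete what the earlier authenticator-app paragraph and this one describe, here is an added example (not code from any of the articles above) showing how such 30-second codes are derived: the standard TOTP algorithm (RFC 6238) computed from a shared secret and the clock, so the code never depends on the phone number and cannot be redirected by porting it. The secret used in the demo is the RFC’s published reference value, not a real key.

```python
"""Added example: how an authenticator app derives its 30-second codes
(RFC 6238 TOTP, built on RFC 4226 HOTP). Standard library only."""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds; the "approximately 30 seconds" the article mentions
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew.
    Constant-time comparison so response timing does not leak digits."""
    counter = unix_time // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), candidate)
               for d in range(-window, window + 1))


def decode_base32_secret(encoded: str) -> bytes:
    """Apps import the shared secret as base32 (as in otpauth: URIs);
    re-add the '=' padding that QR codes usually omit."""
    stripped = encoded.strip().upper()
    return base64.b32decode(stripped + "=" * (-len(stripped) % 8))


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 reference seed, not a real key.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(secret, code, now))
```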

Many web sites use a technique where a code is sent to a user’s mobile device via SMS, the “Short Message Service” generally used for text messages. There is a potential issue with that, though: the wrong people could receive the message.

SIM-swapping

SMS messages are sent to users’ phone numbers. It is assumed that only the authorized user has access to the phone corresponding to the number. Attackers have found ways to move numbers to other phones. The number is associated with the phone via the SIM (subscriber identity module) card, a tiny electronic device embedded in plastic or cardboard.


There are two predominant ways attackers move a number to a device they control and both rely on social engineering. The first way is to contact the victim’s mobile service provider, pretend to be the victim, and get the number re-assigned. The second way is for the attacker to pretend to be an employee of the service provider and gain access to the provider’s subscriber management database.

Attackers have used these techniques to steal cash and bitcoin. One theft was alleged to be in the tens of millions of dollars. But many are smaller and the victims are not just individuals; the attackers may want access to corporate or government systems. The problem has become significant and US Senators and Members of Congress have sent a letter to the FCC asking it to take action.

My concern is that web sites and others use messages sent by SMS to validate password changes. If an attacker has access to the SMS messages of a victim, not only can the attacker receive access codes, but can also reset account passwords.

What can be done to protect your account

If SMS is to be used as an authentication step, mobile service providers must take two important steps. The first is to train their employees about the dangers of social engineering attacks. Specifically, they must be taught to accurately authenticate number change requests. Secondly, there need to be mechanisms in place that prevent a single employee from making a change without actual confirmation from the subscriber.

Some providers – e.g. T-Mobile – allow users to enable a process where number changes can only be made when the user appears in person with proper identification. At least at T-Mobile, the process is voluntary and may have some issues. Many providers have a feature where a PIN is required for a change.

The best solution is to use a different second step such as Google Authenticator, but with ubiquitous SMS capabilities on mobile devices, sending a number via a text message is attractive to website designers. If using another option is impossible or unavailable, enabling all possible account protections is essential.