Hackers never cease to stop evolving and finding new ways to get your information. Hackers are now breaking into telecom companies to take over victim’s phone numbers. Being able to take over someone’s phone number is a valuable and important hacking technique to know about. Hackers who gain access to someone’s cell phone number will be able to access their emails, social media accounts, cryptocurrency accounts, and some SMS-based two-factor authentication checks. This method of hacking is accomplished through the something known as SIM Swapping.
What is SIM Swapping?
SIM Swapping occurs when your cell phone number, which is tied to a SIM card, is swapped to someone else’s SIM card in their cell phone. SIM Swapping used to be limited to a physical swap of SIM cards between two compatible phones, however, that is no longer the case. All that is required today, is for a customer service representative to force a port of your phone number through their computer to a new Cell phone. This opens up many more avenues for social engineering and insider threat hacking to occur. Hackers can now remotely gain access to your phone number by hacking a telecom company directly.
How do they do it?
Hackers who want to take over your cell phone number must get a telecom provider to move your number off your SIM Card to their cell phone’s SIM card. This can be done in a number of ways including:
- Calling the telecom provider you use and convincing them to port your number (social engineering attack);
- Convincing a telecom provider agent to click a phishing link granting the hacker remote access into the telecom agents’ computer (phishing attack);
- Paying a telecom representative a bribe for transferring phone numbers between SIM Cards (insider threat).
Each of these attacks is relatively easy to accomplish for a competent hacker leading to your SIM Card being swapped into the hacker’s phone.
What are the risks from SIM Swapping?
SIM Swapping represents a significant risk to individuals and companies alike. The reason is that society mistakenly believes that your phone number is an identifying factor for your identity and it can be trusted. The truth is that a phone number is no more an identifying factor of your identity than your car is. If someone can “borrow” your car, they can “borrow” your phone number. Here are some possible hacking scenarios resulting from SIM Swapping:
- Hackers can log into your Bank and send payments (electronic or by check) to themselves draining your accounts of money. They simply need your banking password which may have been stolen from data breach at Drop Box, Linked In, Yahoo or 10 billion other accounts breached as reported at HaveIbeenpwned.com.
- Hackers can log into other financial accounts tied to your phone number for 2nd factor authentication (VENMO?, PayPal?, eTrade?) then transfer money to themselves or others.
- Hackers could take over your Social Media identities (Facebook etc) and all the sensitive data they contain about you and your family.
- Hackers can take over any account protected by your phone number for the second factor authentication.
How do you protect yourself from SIM Swapping?
There are no full-proof methods to protect yourself from SIM Swapping, however, there are ways to reduce the likelihood of becoming a victim to SIM Swapping. More importantly, these methods can help protect you from losing access to critical accounts currently tied to SMS-based 2FA.
- Put a PIN/Passcode on your account and SIM card with your telecom provider. When a hacker calls a telecom provider and attempts to socially engineer a phone number swap they will not know the Pin/Passcode and hopefully, be unable to port your number to them.
- Answer your Account Recovery Questions securely (make up answers and save them in your Password Manager). Hackers can research many of the answers to your recovery questions such as Mother’s Maiden name, and your 8th grade teacher’s name or city you were born. So, make up answers and have fun with it! Don’t tell my Mom, but her maiden name is “Jupiter Honeycake Salmon mud!” (not really – or is it???).
- Upgrade your 2FA on your critical accounts to NOT use phone based SMS text messages. Government entity NIST has asked companies to stop using SMS text-based authentication in favor of other better methods such as software and hardware tokens (i.e.: Google Authenticator or Yubikey). Use these whenever they are available in place of SMS-based authentication.
- Always be aware of Phishing Campaigns. Whether you’re a telecom provider helpdesk person, or someone under attack, phishing attacks are responsible for over 80% of breaches today including the start of some SIM Swapping hacks!
- Upgrade to encrypted texting applications. Encrypted SMS is available from 3rd party applications such as Signal, What’sApp, or iMessage. This prevents hackers from snooping those SMS codes from unencrypted SMS messages over the air or on your phone due to them being encrypted.
- Limit access to your Personally Identifiable Information. Do not publish your date of birth, addresses, credit card numbers, your name, screen name, security answers and PIN Codes should be kept private so that a hacker cannot use this information to impersonate you with with the telecom representative.
- Pro Tip: Create a secondary (and secret) phone number for yourself. For critical accounts at companies that are still forcing you to use SMS text messaging 2FA, you can configure them to point to your secret phone number. Google Voice will give you a number for free that can receive SMS text messages which you do not need to publish to anyone else anywhere. Keeping this ultra secret phone number for these SMS authentication is an extra layer of protection that just might protect you from a targeted attack. Warning: do not forward the SMS messages from Google Voice to your cell phone, otherwise, a hacker who steals your phone will get those SMS messages to your super-secret secondary cell phone.