How The State & Hackers Hack (And How to Stop Them) – Part 4: Sim Swapping

SIM stands for 'Subscriber Identity Module' and is the small removable chip card in your cell phone. Each SIM is unique and associated to a phone's service account. If you remove the SIM and place it in another phone, the account data moves with it.

SIM swapping, also called SIM jacking or SIM hijacking, is a form of identity theft where a criminal or otherwise steals your mobile phone number by cleverly assigning it to a new SIM card. They then insert the new SIM into a different phone to access your other accounts and cause real damage or snoop. This hack is as bad as it gets, and some simple steps need to be considered.

This scam relies on a customer service rep being fooled by an impersonator. What if a hacker or bad state actor paid money or blackmailed a customer service representative? This may be an under reported occurrence, as cell phone carriers would likely cover up such events.

SIM swapping begins with a person contacting a cell phone carrier pretending to be YOU. They claim they (you) have a new SIM card to activate for the account and that the original phone and SIM card are lost, damaged, or accidentally sold.

At this point the carrier will likely request some identity verification, like an account PIN or security questions – or even the last four digits of SSN. Once the customer service rep has been persuaded, they disconnect the old phone SIM partnership and start a new one in the hands of the impersonator.

Now the bad guys can reset account passwords, locking you out, and begin accessing emails, wallets, social media, shopping, cloud-based photographs etc.

DATA BREACHES

How does the impersonator obtain the information required to perform the swap? Very common Data breaches can contain names, email addresses, passwords, phone numbers, SSN's, Physical addresses, date of birth and much more.

Once a hacker has connected several data points together, they can attempt the scam. This data, along with finely tuned Social Engineering skills have been very successful in the past and continue to work.

What about the elusive PIN number? Unfortunately, many use an easy to guess PIN such as a birthday, birth year, street address, zip code etc. Even without guessing the correct PIN the customer service rep may just ask for the last four digits of your SSN.

HOW TO TELL IF SIM HAS BEEN SWAPPED

Most of these will occur while you are sleeping

- One method involves getting the target to call a number the day or so before, via phishing. This 'recent call' is then relayed to the customer service rep as evidence of ownership

- You may receive a text message stating that the SIM card has been changed.

- Texting and calling will stop working.

- If using Wi-Fi, you will start receiving emails about account changes and password changes.

- Friends may inform you of strange social media messaging requests for money or otherwise.

- Unauthorized bank transfers.

HOW TO PREVENT SIM SWAPPING

1. RESET THE PIN ON MOBILE ACCOUNT

You should be using a strong and complex PIN that only you will ever know. Never use information that could show up in a data breach.

2. BE MORE PRIVATE WITH SOCIAL MEDIA

Once a hacker has your data breach information, they may look for social media accounts to glean further facts about you that help the scam.

3. SCAN DATA BREACHES REGULARLY

You need to be aware of what is out there already and, of that information, how a hacker can use it. Check https://haveibeenpwned.com/ or https://monitor.firefox.com/

4. KNOW CARRIER SECURITY PROTECTIONS

Read up on and understand your cell phone carrier security protocols.

5. CONSIDER 2FA WITH AN APP OR DEVICE NOT SMS

If you use 2FA (Two Factor Authentication) with email a SIM swapping hack will allow them to access your email easily. Consider using https://authy.com/ or https://www.yubico.com/

6. USE A PASSWORD MANAGER WITH UNIQUE PWs

As discussed in Part 1 (LINK) a unique long password for accounts is so important

7. PHISHING ATTEMPTS ARE A TELL

If a hacker feels like they need more information before a SIM swapping attempt, they may try to phish further details by calling, texting, or emailing. This could be a tell of a prelude to SIM theft. Read Part 2 and 3 for more on malware & Phishing (LINK)

8. AVOID USING REAL CELL NUMBER WHERE POSSIBLE

Try to remove your cell phone from accounts that do not actually require it. For those that do then consider a VOIP service such as Google voice and Sudo https://mysudo.com/ to create an online phone number. Just remember to keep that account safe!

BY CARRIER

T-MOBILE – Set up T-Mobiles 'Account Takeover Protection Service' and add the feature to each individual line on the account. And, of course, change the PIN to a more hardened version.

AT&T – Go to 'account profile' and click 'sign-in info'. Select wireless account then 'manage extra security' under the wireless passcode section and make the changes you need.

Verizon – Call *611 and ask for a port freeze on your account.

For other carriers just call up customer service and ask about their enhanced protection.

IF A VICTIM

- Contact your Cell provider immediately to take back control of the number. Once access is regained change passwords.

- Check all accounts email banking etc. and change passwords or get them temporarily locked.

NEW RULES COMING

The U.S Federal Communications Commission (FCC) said in October 2021 that it is planning to move quickly on requiring cell companies to adopt more secure methods of authenticating customers before Sim swapping is enabled.