SIM SWAP

What It Is, How to Recognize It If It Happens, and Steps to Take to Make Yourself Less Likely to Become a Victim!

It's the end of another long day. You get into bed, but before you go to sleep you pick up your mobile phone to check in on a family member and get a “No Service” message. Hmmm, that's strange, you think.  Not sure what's going on but not yet assuming the worst, you open your computer to send an email to that family member instead of a text. You’re tired and will call your mobile carrier in the morning to figure out what's going on. Then you notice that you have been signed out of your email account and your current password isn’t signing you in. You try signing in to a couple of other accounts, and realize you don’t have access to those anymore either. Your stomach drops. You have very likely just become the newest victim of a SIM Swap attack. 

So what exactly is a SIM Swap attack?

To understand what a SIM Swap attack is, let's first define what a SIM is. SIM stands for Subscriber Identity Module, and is a smart card located inside of your mobile phone that holds a unique identification number. This card stores personal information such as passwords and phone numbers. It is usually associated with a particular mobile carrier network, and renders your phone inoperable if it is removed or disabled. This is the piece of technology that threat actors attempt to take control of when a SIM Swap attack occurs. To do this, these threat actors will try to identify a victim, usually through social media platforms, who they believe will be an easy target. This will be someone who provides enough of the personal information a threat actor needs to be able to socially engineer a convincing impersonation. The threat actor will call your mobile carrier and convince the customer service representative to activate your mobile number on a new SIM card, one in a phone that they possess. Once your phone number is activated on that phone, the threat actor receives the unique codes sent via SMS two-factor authentication and can use them to change the passwords to all of your accounts.

The threat of SIM swapping is growing rapidly every year. From January 2018 to December 2020, the Federal Bureau of Investigation’s (FBI) records show it received 320 complaints related to SIM-swapping incidents, with losses totaling approximately $12 million. In 2021, it received 1,611 SIM-swapping complaints, with losses totaling more than $68 million. In 2022, the FBI highlighted the increasing prevalence of SIM-swap attacks, especially targeted at individuals with significant cryptocurrency holdings. In 2022, the FBI estimated that $72 million was stolen through SIM-swap attacks.

Who is committing these attacks, and why?

Threat actors make up the majority of those responsible for perpetrating SIM Swap attacks. The primary purpose is most often, and not surprisingly, monetary gain through traditional or cryptocurrency account access. However, attention and notoriety have been the strong driving forces behind some of the more public SIM Swap attacks.

Unknowing and vulnerable individuals, though making up the majority of incidents reported, are not the only ones being victimized by this crime. Individuals and organizations all across the spectrum are becoming victims of SIM Swap attacks. Beginning in the latter part of 2021 and continuing into late 2022, Lapsus$, a globally active cyber group focused on extortion-type attacks, gained access to dozens of high-profile companies and government agencies through penetration of corporate networks. They stole source code, published political messages, and demanded ransom payments, mostly to just gain attention and notoriety. The Cybersecurity & Infrastructure Security Agency (CISA) found that in several instances during these attacks, access to the targeted organizations was initially gained through SIM Swapping, allowing the threat actors to intercept one-time SMS-generated passcodes and push notifications to reset passwords. 

A number of other high-profile account hacks are also known to have used SIM swapping to gain initial account access. In 2018, crypto investor Michael Terpin, founder and CEO of Transform Group, lost almost $24 million to a SIM swap attack. A SIM Swap attack enabled a hacker to take over the Twitter account of Ethereum cofounder Vitalik Buterin in order to promote a malicious cryptocurrency scheme. The threat actor stole over $691,000 from people who clicked on a malicious link that was posted to Buterin’s account, providing the actor with access to their digital wallets.

Even former Twitter CEO Jack Dorsey’s Twitter account was hacked through SIM Swapping and taken over for 20 minutes.

How is information gathered for the SIM Swapping attack?

The information needed for social engineering a successful SIM Swap attack is often found and collected on a target’s social media accounts. Threat actors will scour accounts for personal content that will be helpful to them, for example, answers to common security questions. These questions typically include “The color of your first car”, “Your mother’s maiden name”, and “Your high school mascot”, and often the answers to these questions can be found through online research or in data breaches.

Tip: Next time you go to post that “Throwback Thursday” photo, make sure it doesn’t contain any information or images that could be used to harm you!

Another way threat actors gain access to the personal information necessary for a SIM Swap attack is through phishing. With phishing, the actor impersonates a legitimate company or organization with the goal of getting you to share personal information. For example, they may send an email that appears to be from your phone carrier or bank account, asking you to update your account information. Once provided, the threat actor can use this information with your real phone carrier. 

Victims of a SIM Swap attack often:

  • Cannot send or receive text messages or make phone calls. 

  • Do not have phone service (A “No Service” or “Searching” message on their phone).

  • Are notified their phone number has been activated on a new device (Mobile carriers often notify their customers when their SIM card or phone number is activated on a new device).

  • Have unusual activity on their social media accounts.

Protecting yourself:

  • Enable SIM Swap protections through your mobile carrier: Current federal law requires mobile carriers to let you transfer your phone number to a new SIM card whenever desired. However, the Federal Communications Commission (FCC), in response to the rise in SIM swap attacks, is proposing new rules that would require carriers to add security features, such as the use of PINs or passwords, before porting numbers. Fortunately, the three major phone carriers are already offering some options that you can enable to help protect yourself.

AT&T

You can add a passcode to your account by logging in to your AT&T account and going to the "Manage Extra Security" section. You'll be prompted to enter this passcode when you want to manage your account online or at a store. You will now also need to request a Number Transfer PIN before you can port your number to a different carrier.

T-Mobile

T-Mobile has disabled self-service SIM switching for security concerns. Customers who want to change the SIM assigned to a particular line must now contact support to do so. Before the switch is complete, a verification code, sent either by email or SMS, must be given. Additionally, a new SIM block service has been created to allow customers to put a block on either individual lines or an entire account to prevent the SIM from being changed.

Verizon

Verizon offers a service called Number Lock, which when activated (it is not on by default), will keep your mobile number from being ported until the lock is disabled by the account holder. A previously chosen account PIN is used to verify that you are an account owner, and then a Number Transfer PIN needs to be requested before transferring a number to a new carrier.

Take additional steps to protect yourself 

  • Use non-SMS multi-factor authentication such as an authenticator app.

  • Keep personal information offline.

  • Use unique, complex passwords for each account.

  • Don’t post about assets of any kind online; this can make you an ideal target.

  • Be skeptical by nature when it comes to any kind of request for personal information. Never feel bad about taking extra time to verify credentials and authenticity.
