Imagine you haven't received any phone calls lately and consequently learn that your phone is out of commission. You stopped receiving text messages and phone calls. What would you think? Would you suspect that you are victim of a SIM Swap Attack? Perhaps shortly after, you discover that your bank account has been drained. Are you familiar with the recent stories of these types of attacks?
A Subscriber Identity Module (SIM) Swap Attack is when an attacker convinces a cell phone carrier to switch a victim's phone number over to a new device. As a result, the attacker gains access to private accounts such as banks, credit cards, social media and other sensitive log-ins. Once a hacker has access to a smart phone, they can access email and go to various accounts requesting new passwords. After there is request for two-factor authentication, they also have access to text messages on the phone, allowing them access to various accounts.
Hackers are savvy and realize they will need to answer security questions from the phone carrier as part of the security verification process to complete the account change. In order to obtain these answers, the attacker often uses social engineering. Have you thought about how easily someone could guess the answers to your security questions based on your social media presence? In other cases, the phone carrier employee is part of the scheme and is paid off to make the request.
As our mobile-phone dependence increases, so do these attacks. What's at stake? The attacker has access to all the victim's text messages, phone calls and accounts linked to the phone number. These accounts can often be easily reset. Consider how many accounts one could gain access to based on all the data they could pull from your phone. Most of us would be very vulnerable if our phone account was taken over.
In September of 2018, REACT Task Force arrested Fletcher Robert Childers and Joseph Harris for using SIM swaps to steal $14 million from a crypto-currency company in California. Joel Ortiz was arrested for stealing more than $5 million in crypto-currencies in July 2018. Xzavyer Clemente Narvaez was arrested in August of 2018 for SIM attacks. One of his victims reported that he was robbed of $150,000 in virtual currencies after his phone number was hacked. Ricky Joseph Handschumacher was part of a group of nine people across states who have worked together to drain bank accounts using SIM swaps. His mother overheard him impersonating an AT&T employee and found bags of SIM cards in his room which aided in his arrest in July 2018.
These are stories of large-scale attacks, but many people have fallen prey to smaller attacks. According to T-Mobile, hundreds of people have been hit by these types of attacks. In one example, a victim reports that her Instagram handle, Amazon, eBay, PayPal, Netflix and Hulu accounts were hacked.
What can you do? Set up a phone account PIN to protect from SIM attacks. Contact your phone carrier to add this security feature. Any significant changes to the account including porting the number to a different SIM card will require this PIN in addition to the account password.
Furthermore, do not log in or conduct sensitive business on your mobile device if you do not have to. Mobile devices can be a huge vulnerability. Finding the right balance between security and convenience is a challenge we are always faced with.