SIM Swapping Is a Growing Cyber Threat — Here’s Help

From cryptocurrency thefts to hacking bank accounts, SIM swapping is a growing threat online. Here are relevant definitions, real-world examples and tips to help stop cyber criminals.

A CNBC story last week led with this headline: “Coinbase slammed for what users say is terrible customer service after hackers drain their accounts.”

Here’s an excerpt: “For Tanja Vidovic, it was a moment of panic: She had received a series of alerts about someone changing access to her cryptocurrency account. And she realized, as she stared at her computer screen, that nearly all of her $168,000 in holdings was gone — vanished before her eyes. …

“In a response to his frantic email, Coinbase told Ben his computer had been hacked and there wasn’t anything the company could do. …

“Experts say SIM swapping, where fraudsters seize control of a victim’s phone number and SIM card through their phone company, is to blame for many of the cryptocurrency thefts.”

Another recent example comes from Forbes, which highlighted an FBI bitcoin and cryptocurrency alert:

“The FBI advised financial and crypto companies to check the origin of emails and keep an eye on recently created accounts while those buying bitcoin and cryptocurrencies were encouraged to use multi-factor authentication — meaning they must have access to at least two devices or accounts linked to the platform — avoid download requests, remote access applications and any unofficial company communication channels.”

One more headline, from earlier this year, read “Europe SIM swapping: 10 arrested in Europe over €82.4m scam to hijack celebrities' phones”: “European police have arrested 10 people for allegedly hijacking mobile phones belonging to high-profile celebrities in the United States. …

“Europol said that ‘sim swapping’ can be done either by fooling the phone company with ‘social engineering techniques’ or by using a ‘corrupt insider.’”

WHAT IS SIM SWAPPING?



I often get asked questions about growing cyber threats and how to keep online accounts safe — including cryptocurrencies. One area that has been getting a lot more attention is SIM-swapping fraud.

A SIM-swapping attack is also known as SIM splitting, SIMjacking, SIM hijacking and port-out scamming. This article from privacypros.io does a nice job of explaining how the fraud works:

“You might attempt access to one of your bank accounts that uses text-based two-factor authentication. This refers to when you start to access your account by typing in your user name and password.

“Then your bank sends a code to your mobile device for you to continue the login process.

“But some scammers can change the SIM card linked to your mobile number. That offers them control over the phone number, meaning they can receive access to your bank account and your finances.”

This technique defeats text- and call-based two-factor authentication by giving the cyber criminal access to your texts or phone calls. To pull it off, the bad actors need to trick your mobile phone company into believing that the request to swap SIM cards is coming from you.

WHAT TO DO IN A SIM-SWAPPING ATTACK


In case you’re wondering, no, this topic is not new, but it is a growing threat as more and more users start using two-factor authentication. This article from Norton entitled "SIM swap fraud explained and how to help protect yourself" is a few years old, but still relevant:

“Here are three other signals you may be a victim of SIM swapping.

“You’re unable to place calls or texts. The first big sign that you could be a victim of SIM swapping is when your phone calls and text messages aren’t going through. This likely means fraudsters have deactivated your SIM and are using your phone number.

“You’re notified of activity elsewhere. You’ll know you’re a victim if your phone provider notifies you that your SIM card or phone number has been activated on another device.

"You’re unable to access accounts. If your login credentials no longer work for accounts like your bank and credit card accounts, you likely have been taken over. Contact your bank and other organizations immediately.”

Over the past week, there has been a lot of coverage of the T-Mobile data breach. CNET covers this important topic in this article, which also discusses the SIM-swap scam and steps to take:

“You can decrease your chances of someone gaining access to and taking over your phone number by adding a PIN code or password to your wireless account. T-Mobile, Verizon and AT&T all offer the ability to add a PIN code.

“If you're unsure if you have a PIN code or need to set one up, here's what you need to do for each of the major U.S. carriers.

  • T-Mobile: Set up T-Mobile's Account Takeover Protection service. You need to add the feature to each individual line on your account. I also suggest changing your account PIN (if you're not asked to while setting up Account Takeover Protection).
  • AT&T: Go to your account profile, sign in, then click Sign-in info. Select your wireless account if you have multiple AT&T accounts, then go to Manage extra security under the Wireless passcode section. Make your changes, then enter your password when prompted to save.
  • Verizon Wireless: Call *611 and ask for a Port Freeze on your account, and visit this webpage to learn more about enabling Enhanced Authentication on your account.”

One more example. Brian Krebs tells many SIM-swapping stories in his blog, including this story:

“In 2018, Andrew Schober was digitally mugged for approximately $1 million worth of bitcoin. After several years of working with investigators, Schober says he’s confident he has located two young men in the United Kingdom responsible for using a clever piece of digital clipboard-stealing malware to siphon his crypto holdings. Schober is now suing each of their parents in a civil case that seeks to extract what their children would not return voluntarily. … Mark Rasch, a former prosecutor with the U.S. Justice Department, said the plaintiff is claiming the parents are liable because he gave them notice of a crime committed by their kids and they failed to respond.”

FINAL THOUGHTS


SIM swapping is getting much more attention globally as these high-profile cases, often involving millions of dollars, surface with no single financial institution or online company clearly responsible.

As passwords increasingly give way to multifactor authentication in the coming years, we all need to be ready to build protections around the things we have, such as mobile phones.

Why? Because the bad actors want access to your cellphone to get to your money. Be prepared.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.