Trading cards is fun when it’s baseball or Pokémon, but less so when it’s the card in your phone that contains your personal information.
If a hacker convinces a mobile carrier to “SIM swap,” or move a target’s number to a new chip under the threat actor’s control, the transaction puts the SIM swapper at an advantage, and could leave the victim locked out of their formerly secure accounts.
Because allowing SIM swapping is usually a consumer-friendly compromise by comms companies, the threat is a targeted one that often requires over-the-phone effort. For those on the radar of the SIM swappers, a number of defenses are helpful, including authenticator apps and staying as private as possible.
Major communications vendors have been compromised by hackers playing the SIMs:
- A February report from KrebsOnSecurity revealed that cybercriminal groups have been advertising compromised T-Mobile accounts on Telegram.
- On January 30, Google notified customers that a breach of its Google Fi telecommunications and mobile internet service allowed SIM-swapping attacks.
- In October 2022, Verizon warned customers that exposed credit card info (especially the last 4 digits) were used to enact unauthorized phone changes.
According to complaints made in the last year to the Internet Crime Complaint Center, there have been over 1,650 victims of SIM swaps, netting losses over $86 million across the country.
From January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received only 320 complaints related to SIM-swapping incidents, with adjusted losses of approximately $12 million.
SIM swapping requires greater effort than the oft-automated method of password bypass known as credential stuffing, which throws large amounts of compromised credentials at a web form.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
A swapper must call a mobile carrier to convince them to move a target’s number to their new memory card, sometimes taking advantage of an easily deduced PIN (like one’s birthday).
After the transfer, the SIM swindler asks for temporary login codes from a service they want access to, and the codes are sent via text to the swapped device.
“But this is a lot more time-consuming. So, it has to be a lot more targeted. And the threat actor would have to be quite a bit more motivated to pursue the target in this case,” Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told IT Brew.
To defend against SIM swapping, the FBI recommends avoiding the posting of personal information online, like mobile phone numbers, addresses, or other personal identifying details—not an easy task, given the frequency of data collection and data breaches.
Steinhauer suggested using an authenticator app, which provides a verification code tied to the user’s physical device: “If your phone number were to be moved...those codes won’t go to the threat actor. They would only be available on your device,” Steinhauer told IT Brew.
The reward from SIM swaps can be quite the sum. Crypto investor Michael Terpin lost just under $24 million in 2018. Only recently did a New York district court determine that Terpin should be paid back over $20 million—not quite an even trade.—BH