SIM Swapping attacks: How to protect yourself from this common phone scam
SIM Swapping, the renaissance of scamming.
SIM Swapping: it's a pretty scary form of hacking that even managed to catch the CEO of Twitter off guard. Let's jump straight into it and have a little look at how it all works. Whether it's our reliance on mobile functionality or the fact that most essential services use the same goddamn method of account security, we have seen a large spike in SIM Swapping attacks over the last few years, so maybe it's not such a great idea that our identities are tied to our phones. So we wanna chat a little about what this scam attack is and the best way you can protect yourself from it.
In simple terms, a SIM Swapping attack is exactly what the name might suggest. A scammer or hacker will port or transfer (swap) your phone number onto a blank SIM. To port your number, an attacker uses sensitive personal information acquired through a variety of methods:
Data leaks, server hacking, organisational corruption, a jealous ex (hey, it happens) or the ever present risk of phishing; the personal data needed for a successful SIM swapping attack can originate from a range of sources. To gain access to your number, scammers will typically impersonate their victim and contact a telecommunications company claiming they need to port the victim's phone number onto a new blank SIM. These (not so) lovely people will use any of the mentioned methods of hacking to convince these employees that their credentials are legitimate. You lose access to your number and the security your number provides.
SIM Swapping isn't necessarily a new form of digital scamming, but it's one that we are seeing grow in frequency thanks to the increasing reliance on two-factor authentication (2FA). Whilst 2FA sets a strong foundation of protection against password hacking or server breaching, security practices which rely on phone number authentication also open the door for some scary consequences. Which means you have to ask...
What happens to my accounts if someone gets access to or obtains my phone number?
Once a hacker or scammer has ported your number — there's not much they can't access. And honestly it's pretty wild. Thanks to 2FA, a scammer is granted access to (you ready for this?):
Temporary passwords, account resets, the withdrawal of personal funds (usually crypto or other uninsured assets rip), personal identifiers and private data, BNPL (such as Afterpay), PayPal... it can all potentially be targeted. So yeah, not good.
Here's the thing, whilst the concept of SIM Swapping may not sound as scary as a traditional data hack, it is without a doubt some pretty gnarly identity theft — and we're seeing it happen to both regular folks and tech heads alike. In the States alone, the Wall Street Journal reported that in 2021 SIM Swapping resulted in the private loss of $68 million USD, a figure 5 times larger than the previous 3 years combined. As our dependency on our phones increases, the risk of identity theft continues to grow as our phone numbers become an ever-increasing part of our identities. The level of exposure is pretty dangerous when you consider just how many of your personal accounts can be reset from one handheld device.
Vice and other news outlets often run news pieces on the effect of SIM Swapping; typically a SIM swapping attack results in a victim losing years' worth of savings — these stories are painful to read. These scams aren't just affecting the non-tech-oriented though. In 2019, the personal phone number of Jack Dorsey, former CEO and co-founder of Twitter, was tied to Twitter's text-to-tweet service. An alleged security oversight from the network provider allowed scammers to gain temporary control over Dorsey's Twitter account (which currently has 6.4 million followers). Safe to say we know why Twitter cancelled that service shortly after.
Insert scary 90's infomercial voice here. So how do I know if I've been SIM swapped?
Your biggest tell-tale sign will have to do with your number (shocking, I know). If you notice that you're unable to access your normal range of services, it is recommended you quickly investigate your account status. Be on the lookout for transactions you don't remember making — you should receive email confirmation for most account changes, so keep an eye out for legitimate communications from your provider — early detection allows you to act before you get locked out of any of your accounts.
How can I prevent SIM Swapping attacks?
Well dear reader, I am so glad you asked because there are in fact a few small steps that will make all the difference in creating a barrier of protection which can help mitigate the risk of attack.
Phishing; you know the one — the dodgy emails you warn your Grandma about. But don't underestimate the effectiveness of this archetypal attack — in fact the rate of successful phishing attacks was recorded at an all-time high in December of last year. This unfortunately means that no matter how silly you think it may be, counterfeit emails are improving and our ability to discern the truth grows hazier. But to keep it simple — if you're ever unsure about the validity of an email (and hear me out) DO NOT CLICK THE LINK.
Back up, back up, back up; protection like security PIN codes (pls don't make them all the same), security questions (get creative with them and steer clear of any maiden names) or non-phone-number 2FA apps make it so that scammers have multiple hoops to jump through. Whilst this may seem time-consuming, we promise it'll be less hassle than trying to reclaim your accounts.
USE SESSION; or rather look at it as lowering your attack surface area.
Okay, not to overly plug our own product in this article, but hey if you have a great solution to a problem, shouldn't you share?
Session was built to preemptively fight this issue, because scammers cannot gain access to your account through a SIM Swapping attack. Session is sans phone number, nein numbers, nada. Meaning that at no point will you ever have a phone number tied to your Session account. This article was not written to sell you Session, but diversifying your messaging apps/points of comms minimises your surface area of attack and lowers the risk of your sensitive data being stolen or leaked. If 4/5 SIM Swapping attacks are successful, the important things in life should be shared somewhere safe.