Stolen SIMs

What do a spate of hacked Instagram accounts, a $220 million lawsuit against AT&T and a bustling underground crime ring have in common? They all started with SIM card swaps, a scam in which hackers steal your mobile identity—and use it to upend your life.

At its most basic level, a SIM swap is when someone convinces your mobile phone carrier to switch your phone number over to a SIM card they own. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts. Or, if you don’t have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords.

SIM attacks appear to be behind a recent string of Instagram takeovers, and they can impact other corners of your life as well. Recently, a cryptocurrency investor claimed that a SIM swap resulted in the theft of $23.8 million-worth of tokens; he’s suing his carrier, AT&T, for 10 times that amount. And Motherboard recently documented a number of incidents in which SIM hijackers drained thousands of dollars out of people’s checking accounts.

If a skilled SIM hijacker targets you, there’s realistically not much you can do to stop them. That’s because, ultimately, the machinations behind SIM swaps are largely out of your control. Perfect security hygiene won’t always keep someone from fooling your carrier.

What can you do?


The good news is, you can take steps to limit the chances that a SIM swap attack will happen to you—and limit the fallout if it does. Every major US carrier offers you the option of putting a PIN or a passcode on your account. Take them up on it. Having one adds another layer of protection, another piece of information an attacker needs before they can compromise your identity.

Yes, remembering another PIN is a pain, especially when you’ll likely only need it every couple of years. But it’s worth the effort. “Most people have that turned off because if they can’t remember their PIN they can’t go into the local Verizon store and get a new phone,” says Chet Wisniewski, principal research scientist at security firm Sophos. “If you can turn a PIN on with your mobile carrier to prevent your number from being manipulated, you should. Go ahead and write it down. No one’s going to break into your house and steal your notepad from your secret drawer in your bedroom.”

In addition, getting your two-factor authentication codes over SMS is better than nothing, but it won’t help at all if a SIM swap hits. What will work? Using an authentication app instead. Apps like Google Authenticator and Authy give you that extra layer of security like SMS-based two-factor does, but they also tie it to your physical device rather than the number the phone company assigned to you.

The other step you can take, however overused the phrase, is vigilance. If your smartphone suddenly stops working, or messages stop going through, you know you’ve lost your SIM. The sooner you act to preempt account takeovers, the better off you’ll be.

About Cybersafe

The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit fitnyc.edu/cybersafe and stay tuned for emails from [email protected] for the latest from the Cybersafe campaign at FIT.


-Walter Kerner

Assistant Vice-President and Chief Information Security Officer

