Imagine waking up to see that your cell phone has no service, and nothing you do seems to help. You hop on your computer to look for the nearest provider location to get help. While online, you try to check your email, but your password doesn’t seem to be working.
Sensing something might be wrong, you try logging into other services. You can’t get into Facebook or other social media accounts. As panic starts to set in, you log into your bank account and discover multiple transfers have been made to accounts you don’t recognize.
Your accounts are practically empty.
No, we’re not describing a movie plot. Stories like this are real and happening more and more.
SIM-Swap Cell Phone Scam
All this can be caused by a hacker using your personal information to hijack your identity. It starts with an attack known as a SIM-swap attack. The aftermath can be life-changing. Two individuals, Sean Coonce and Matthew Miller, have recently written about the damage that followed such an attack when it happened to them personally. Miller nearly lost $25,000, and Coonce lost $100,000.
SIM-swap attacks abuse a legitimate service that lets you change phones or even providers. It’s known as porting your number to a new SIM card. Simply put, your phone number is reassigned to another device or SIM card. The process happens whenever you upgrade devices or change providers. We’ve all used this service, and it’s usually pretty smooth and simple.
Acquire Phone Number
Unfortunately, because porting numbers is so simple, it can allow an unauthorized person to port your number to a SIM card they control and steal it. The attacker starts by requesting a port of your phone number to a device they control. With a few pieces of personal information, the attacker pretends to be you and convinces the provider to move your number to their device. Just like that, you’re disconnected, and the attacker begins receiving all of your phone calls and text messages.
Take Over Email
From there, they begin resetting the passwords on your email accounts. Google, for example, typically sends verification codes via SMS during the reset process. These codes now go straight to the attacker, and they choose a new password. Now, you no longer have access to your email.
On To Other Accounts
Once they have your email account, everything goes downhill from there. If you sign in to Chrome with this email account, they have access to any passwords saved in the browser. Simply reading through your email can give the attacker hints as to what services you use.
They begin resetting your passwords for practically any other account you own. After a little work, the attacker has gained access to everything from your social media accounts to cloud storage to bank accounts. In a matter of hours, you’re locked out of everything, and they’re likely stealing your money and your identity. The damage can affect you for years afterward.
How Do You Prevent It?
If SIM-swap attacks sound scary, it’s because they are. Thankfully, there are a few ways to prevent becoming the next victim. We highly recommend following the steps below to protect you and your family.
1. Use Hardware-Based 2FA
We’re huge proponents of two-factor authentication (2FA or MFA). The added layer of protection keeps hackers out of your accounts, but not if the second factor is an SMS code and they’ve stolen your phone number. You can prevent account hacking by using 2FA via an authenticator app on your device. Google, Microsoft, and Authy all offer authenticator apps. Even if an attacker steals your number, only you can access the authenticator apps that are on your device, because the secret that generates the codes never leaves the device.
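To make concrete why an authenticator app survives a SIM swap while SMS does not, here is an added example (not code from the original article) of how time-based one-time passwords work under RFC 6238, which is what Google Authenticator, Microsoft Authenticator and Authy implement. The code is derived from a shared secret stored only on your device and on the service's server, plus the current time; nothing is sent to your phone number, so whoever holds your number learns nothing. The seed below is the published RFC 6238 test seed (constructed for demonstration, not a real account secret), and the `TotpVerifier` class is an illustrative server-side check that also rejects reuse of an already-consumed code.

```python
"""Illustrative TOTP (RFC 6238) generator and verifier.

Added example, not code from the original article. The secret and
timestamps are constructed; the RFC 6238 reference seed is used so the
output can be checked against the published test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference seed ("12345678901234567890"), base32-encoded.
# Constructed for demonstration; a real app generates a random secret
# and shows it to you once as a QR code during enrollment.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_secret(secret_b32):
    # Authenticator apps exchange the secret as unpadded base32; restore padding.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """Code valid during the `step`-second window containing `at` (epoch seconds).

    This is what the app on your device computes: secret + clock, no network,
    no SMS. A stolen phone number cannot reproduce it.
    """
    if at is None:
        at = int(time.time())
    return hotp(_decode_secret(secret_b32), int(at) // step, digits)


class TotpVerifier:
    """Server-side check: tolerate one step of clock drift, reject code reuse."""

    def __init__(self, secret_b32, step=30, digits=6, drift=1):
        self._key = _decode_secret(secret_b32)
        self.step, self.digits, self.drift = step, digits, drift
        self._last_counter = -1  # highest time-step counter already consumed

    def verify(self, submitted, at=None):
        if at is None:
            at = int(time.time())
        now = int(at) // self.step
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self._last_counter:
                continue  # that window was already used: treat as a replay
            expected = hotp(self._key, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # At epoch time 59 the RFC 6238 SHA-1 vector is 94287082 (8 digits).
    print(totp(RFC6238_SEED_B32, at=59, digits=8))
    v = TotpVerifier(RFC6238_SEED_B32, digits=8)
    print(v.verify("94287082", at=59))   # first use: accepted
    print(v.verify("94287082", at=59))   # same code again: rejected as replay
```

The replay guard matters in practice: a code that was phished or shoulder-surfed is useless once the legitimate login has consumed that time window, and the one-step drift allowance keeps a slightly slow device clock from locking you out without widening the acceptance window much.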
2. Use Google Voice
There are plenty of services that only work with SMS-based 2FA. Create a Google Voice number that’s only used for these services. It’s a free service that can receive calls and text messages. Google Voice numbers can’t be ported without paying to unlock them, so they’re much harder to steal. You can also use it as a recovery phone number for accounts.
3. Create An Alternative Email Address
People tend to use a single email address for everything. Some may have a secondary that they use for junk mail. You should create another address strictly for use with any critical accounts. Don’t use it anywhere else and never share it with anyone. Enable 2FA via either an app or a Google Voice number.
4. Evaluate Your Password Management
Saving passwords in your browser offers convenience when logging into accounts. It’s typically safe, but not if someone else can log in with your stolen email account. Using a third-party password manager, like 1Password or LastPass, offers better security. You should also go through your list and deactivate/remove any old, unused accounts.
5. Ask Your Mobile Provider About Locking Your SIM
SIM-swap attacks start at the provider. The biggest issues have been with T-Mobile. T-Mobile was hacked in 2018, and hackers stole the billing information for 2.5 million customers. This information opens the door for attackers to steal your number. Account PINs were also exposed online. Most providers don’t really require them for porting anyway, so don’t rely on a PIN to protect your account.
Instead, ask your provider to require you to visit the store and present ID for any SIM changes. The provider may tell you this isn’t possible. It is. Just keep asking. This will make upgrading a little more annoying since you’ll have to go to the store. However, it should prevent anyone from moving your phone number.
While none of this guarantees that your phone number and accounts won’t be stolen, it greatly reduces the risk. As with most cyber-attacks, the effort of preventing one is far smaller than the cost of trying to recover from one.