ExplainersHow-To

What Is Sim Swapping and How Can You Prevent It?

1
sim swapping feature
Image Credit: @brett_jordan

SIM swapping isn’t the practice of replacing your phone’s SIM card. Rather, it describes an attack on a SIM card, swapping your SIM into the phone of an attacker—all without ever meeting you, touching your phone, or even being in the same country.

SIM swap attacks hit several high-profile cryptocurrency users, as well as other important financiers and even politicians. The result of a SIM swap is devastating.

So, how do you stop a SIM swapping attack? And can you prevent a SIM swap attack from taking place?

What Is a SIM Swap Attack?

A SIM swap attack, also known as a SIM swap scam or simjacking, is a form of identity and account theft.

At its most basic level, a SIM swap attack is when someone convinces your mobile carrier to swap your phone number onto a new SIM card in their possession. Once the scammer has access to your phone number, they can reset your online accounts to take possession of them and begin clearing out your accounts.

SIM swapping attacks target vulnerabilities in several areas of security. Most of the SIM swapping vulnerabilities lie with the social engineering of the mobile carrier representatives, as well as with two-factor authentication.

How Does a SIM Swap Attack Work?

The SIM swap hacker calls your carrier, impersonating you. They convince the carrier representative that you desperately need to swap your existing number and SIM card data to a new SIM. The new SIM is in possession of the hacker.

Once the transfer is complete, the original SIM in your smartphone dies. You lose access to the SIM card and in many cases, temporarily to the phone itself as it reconfigures.

The hacker doesn’t want access to your texts or calls. With your SIM card in their possession, the SIM swap hacker can begin resetting your private cryptocurrency accounts. If you have SMS two-factor authentication on your accounts, the hacker will receive any factor unlock codes directly. If the account has email token two-factor authentication, they can still recover your email account to the stolen SIM card using the associated phone number.

Why Are SIM Swapping Attackers Targeting Cryptocurrency Users?

Cryptocurrency users are a prime target for three reasons:

  1. Large amounts of cryptocurrency, which is easy to cash out and hide.
  2. Cryptocurrency apps primarily accessed using a smartphone, which is vulnerable.
  3. The biggest names in cryptocurrency are easy to track down and gather valuable information on, increasing their exposure to an attack.

That combination makes a cryptocurrency user a prime simjacking target. The more well known the target, the larger the potential cryptocurrency payday. But because of the rapid rise of cryptocurrency, many regular people now hold enormous sums of money in cryptocurrency tokens.

Cryptocurrency users must stay alert to scams. Here are some of the most common cryptocurrency scams and frauds to watch out for.

Are the Police Arresting SIM Swap Hackers?

Perhaps the most famous SIM swap hacker currently behind bars is Joel Ortiz. The 21-year old college student was a prolific SIM swapper, stealing over $7.5 million from more than 40 targets, many of whom were involved in cryptocurrency.

Ortiz targeted the 2018 Consensus cryptocurrency industry conference. Thousands of cryptocurrency industry leaders were present at the conference. Ortiz saw the gathering as an opportunity to pick off as many marks as possible, sending shockwaves through the cryptocurrency world.

The result for many people was catastrophic. Ortiz (and his co-conspirators) stole the life savings of numerous people. After completing their SIM swap attacks, they splashed the stolen funds on expensive watches, fast cars, bonkers Airbnb rentals (one totaling $150,000), and more. Believing they were above the law, the ridiculous spending drew attention from the authorities.

The following video shows Ortiz and others pouring $200 bottles of Dom Perignon straight out onto expensive watches in a club.

Ortiz was arrested and charged. He entered a plea deal and received a ten-year sentence. After his arrest and sentencing, investigators recovered just $400,000. The rest is hidden or spent.

“After his thefts, Ortiz spent his loot lavishly—including $10,000 nights at Los Angeles clubs, hiring a helicopter to bring him and some friends to a music festival, and on Gucci luggage and clothing.”

Cryptocurrency scams are major issue for crypto users. You cannot revert a scam once it completes.

More Than One SIM Swap Hacker

Ortiz wasn’t the only young SIM swapper. There was a team working closely together to track and SIM swap hack high-value targets. In late November 2018, a 21-year old hacker named Nicholas Truglia was arrested in the Bay Area. Prosecutors charged him with theft of $1 million of cryptocurrency, swiped from the Coinbase and Gemini accounts of San Francisco resident, Robert Ross.

Ross noticed something was wrong with his phone. But by the time he called his carrier and established what was going on, his cryptocurrency accounts were empty. $300,000 was later recovered, but it is incomparable to the amount stolen.

In the aftermath, Robert Ross started Stop SIM Crime to highlight awareness of this rapidly growing crime.

There are many more SIM swap hackers, with thousands of attacks going unreported. Many of the SIM swappers connected through and were frequent visitors to the OGUSERS forum, a marketplace for stolen social media accounts and similar illicit activities.

How to Protect Yourself from a SIM Swap Attack

Protecting yourself from a SIM swap attack is difficult. Some cryptocurrency users have come under attack several times. The lack of action from mobile carriers is contributing strongly to the SIM swap hacking issues facing cryptocurrency users. Still, you must have a smartphone. Here are some tips to keep you safe from a SIM swap attack.

1. Change Your 2FA Method

Receiving 2FA authentication messages via SMS is not the most secure option. And that’s without the threat of a SIM swap attack. If you are the victim of a SIM swap attack, the attacker will receive all 2FA SMS authentication directly.

However, if you use an authenticator app such as Authy or Google Authenticator, the authentication is linked to the physical phone, rather than your phone number.

2. Stop Using Your Phone Number for Account Security

With so many apps and accounts requiring a phone number for authentication, if you fall victim to a SIM swap hack, the attacker will have carte blanche on your accounts. You can delete your phone number from your important apps, making sure that the attackers cannot use your number against you.

3. Create a PIN or Extra Password with Your Carrier

You can call your carrier directly and create an additional PIN code to protect your account. You can also request an extra password, too, depending on the carrier. Making the PIN and password as unique and removed from your identity as possible is important.

Most SIM hacks are targeted, meaning the hacker has gathered at least some information. If the passwords protecting your account are truly random and unique, the hacker will have a much more difficult time accessing your account and switching your SIM.

Why Are SIM Swap Attacks A Growing Security Nightmare?

High-profile SIM swap victims catch the headlines. For example, Twitter CEO Jack Dorsey lost access to his accounts using a SIM swap attack. There are, however, hundreds, if not thousands more SIM swap attack victims across the cryptocurrency world. Furthermore, the number of attacks involving SIM swap fraud ballooned by 60% from 2016 to 2018, according to the BBC.

There is another issue, too. There is some evidence that sophisticated SIM swappers are recruiting carrier representatives to help their attacks. A recent Flashpoint report “observed an insider recruitment campaign mostly targeting employees at mobile phone carriers.” For as little as $80 per SIM card, carrier representatives were willing to swap the SIM details.

It gets worse.

“In most of the cases that we’ve seen, a sufficiently determined attacker can take over someone’s online footprint,” says Allison Nixon, a threat researcher at Flashpoint. “Phone numbers were never intended to be a way to confirm someone’s identity. Phone companies were never in the business to sell identity documents. It was imposed on them.”

With this knowledge, a number of SIM swap hack victims filed against US-based mobile carriers AT&T and T-Mobile for failing to protect their customers. (Even without insider help, carrier representatives were easily duped into SIM swapping.) Most cases are still underway at the time of writing.

Bulk Up Your Crypto and Smartphone Security

Even if it seems hopeless, using the additional security measure on your mobile account could help you stop a SIM swap attack. Taking a moment to bulk out your security could become the difference between keeping your Bitcoin, or an empty cryptocurrency wallet.

Cryptocurrency theft and scams will continue. That’s nothing new and is the same as fiat currency. Whenever someone has money, horrible people will attempt to steal it. There are other types of cryptocurrency scams, too. For instance, here’s how cryptojacking malware uses your CPU to mine cryptocurrency secretly—and how you can stop that from happening.

We earn commission if you purchase items using an affiliate link. We only recommend products we trust. See our affiliate disclosure.

Gavin Phillips
Gavin is the SEO Manager and a Senior Writer for Blocks Decoded. He’s been invested in Bitcoin since 2010 and has contributed to several crypto and blockchain publications, including Envilope. Gavin loves real-world applications of blockchain technology, such as Civic and uPort, and how blockchain technology can help protect privacy. Gavin is also a Senior Writer for MakeUseOf.
Advertisement

1 Comment

  1. This is the first article I’ve seen which explained why Google Authenticator and Authy are better than SMS authentication. How are they tied to the physical phone? I think I heard somewhere that MAC addresses can be faked.

Leave a reply

Your email address will not be published. Required fields are marked *

You may also like

Advertisement