QU1CK51LV3R was your average internet scammer. He had worked various spoofs, compromises and amateur hacks, but his specialty was account takeover. And recently, sim swapping was his method of choice.
The attack began with QU1CK51LV3R social engineering Bob Smythe. He first found Bob’s phone number and email through his Facebook account. A subsequent online search revealed his current physical address on a public records site.
That was all he needed.
Sally was checking in for her work day at a well-known cellular company. She had handled customer inquiries for years now and had heard it all. One thing she had always encountered was a mobile user’s request to move a phone number to a new phone. It was usually an easy process and she had done it dozens of times. And that was why she was unprepared when she got the call.
QU1CK51LV3R started speaking to Sally as a friend. He related Bob’s other personal data such as an upcoming birthday, his workplace and hometown—things he also found from his Facebook and other social media accounts. With the noise of small kids in the background (a recorded sound), QU1CK51LV3R was in need of switching his number to a new device that his wife gave to him as a present. Sally decided to help QU1CK51LV3R with the transfer.
QU1CK51LV3R had just acquired the way into Bob’s email, data, and bank and credit accounts.
Usually, once a scammer acquires the personally identifiable information (PII) of a user, they can do a lot of damage. It may be months before they are discovered and by that time may be done with the account.
Sim swapping also leverages a consumer’s PII, but its effects are immediate. Bob couldn’t even make or take calls, nor receive or send texts. Typically-used multi-factor authentication (MFA) using “one-time password” texts can also be compromised to access banking or credit accounts, relying on only possession of the phone number. Ultimate goals for the process may include bank account transfers, extortion or sales of the user’s accounts on the dark web.
What’s more, though these effects are immediate, consumer attempts to get their phone number back and protect his other accounts may take weeks or even months.
The hack is simple really–just three pieces of publicly-available information:
1. The phone number to be compromised.
2. The email address associated with the account. (Access to the email account is not even required.)
3. And the verification of the physical address and the user’s full name to a telecom customer service representative.
Moving a mobile number to a new phone is intended to be seamless in our consumer-focused economy. Customer service representatives are instructed to serve customers without a quarrel, and call centers can handle a tremendous amount of daily service calls with a variety of requests. Typically, when a caller calls in to have his/her number moved, “the customer is always right.” SIM swaps can normally be requested for lost or stolen phones or moving an account to a new device, often a device that has a prepaid or post-paid number. Unfortunately, good intentions on the part of telecom companies can cause significant weaknesses like sim swapping.
So how common is this hack? Twitter CEO Jack Dorsey is among the victims. But beyond the high profile attacks, SIM swaps quintupled attacks of the previous three years combined in 2021 (Wikipedia). Dozens or hundreds of people are targeted for SIM swaps each day. Only one is needed.
Despite that cell providers have been training their workers in preparation for the sort of SIM swap vishing that enables this hack, Tech Kahunas recommends:
1. If your phone does not receive calls or messages, immediately contact your telecom customer service department. If you do fall victim to a sim swap hack, change your passwords and account details immediately.
2. In addition to having a PIN on your mobile device, you should also set one on your mobile account itself. Every major cell provider offers this setting and it is offered online or by calling. They are comprised of four to fifteen digits. Don’t use phone numbers or SSNs or other easily-discoverable number for your PIN.
3. Don’t put your PII on Facebook or other social media where scammers can find them. Keep personal data (social security number or driver’s license), passwords or PINs private. Don’t publish your phone number on the internet. Financial institutions will never ask for this data. If contacted by your bank or institution directly, only respond by directly contacting their office. Cell providers may send emails or texts to confirm account changes, so monitor these accounts, if possible.
4. Use an alternate email for banking and financial transactions.
5. If possible, use your telecom’s mobile app for account or billing matters. Apps are generally more secure.
6. Whenever you can, use MFA methods like the Google or Microsoft authenticator app or a hardware key to access your cell providers and financial accounts.
7. Keep up to date on threat data and messages from your cell provider. View any videos or advisories from your bank or other account providers.
8. Don’t use password or PII in your emails.
Losing your phone can cause headaches that can last for weeks, if not months, especially if you don’t get your number back immediately. You may incur hundreds to thousands of dollars of losses and penalties resulting from other accounts relying on your phone number, i.e. banks or financial institutions. If you lose your phone number, you can use services like Talkatone or TextNow to provide you with a WiFi phone number temporarily. (Alternately, a scammer may bribe a customer service rep to change the number to the device; this is actually becoming more prevalent than the basic social engineering variety.)
Cell providers have to reexamine their service and security policies to prepare for these attacks. With just three pieces of information, a scammer/hacker can use or hold hostage a person’s livelihood for financial or other gain. Customer service has to go hand in hand with security measures.
Taking a few minutes to protect yourself from sim swaps means time and money. But investing in precautions may cost $50-$100 for a solution like a hardware wallet–but that constitutes only 0.1% of the assets that you can secure in the process. The cost of a sim swap exploit can be $100,000–or upwards of seven figures.
With Tech Kahunas sim card protection services:
* Your account would be protected from unapproved sim swaps; bad actors would encounter a 14-day cooling off period before they could switch the account.
* Multiple staff members would have to approve any major changes to your account; changes would run through a rigorous manual process, including a notarized statement.
* Tech Kahunas’ security protocols use an 11-layer proprietary verification process.
(Restriction: if you damage your phone to the point of needing a new sim, you cannot use a phone for 14 days )
Tech Kahunas know the needs of SMBs and organizations—and will protect your accounts against sim swapping.
We’ll stay on top of the threats.
We’ll watch your data.
We’ll review your risks.
We’ve got years of this.