But recently, some hackers have taken identity theft to a terrifying new level. Leveraging information they’ve gained via social engineering, these criminals trick or bribe mobile carrier employees into switching their victim’s phone number to a different SIM card.
Identity theft isn’t a game, and these cybercriminals aren’t playing around. Here’s what you need to know about SIM swapping — the latest security threat sweeping the internet. Plus, we’ll tell you how you can steer clear of this crime and avoid disaster.
The (crime)wave of the future
If you’re not familiar with the concept of SIM swapping, consider this a warning: It’s one of the most difficult cybercrimes to prevent and fight against. According to reports from the Wall Street Journal, victims have lost a collective $70 million in the U.S. alone.
More than 3,000 people have lost access to critical accounts, thanks to SIM swapping, with some reporting being blackmailed in addition to having their identities stolen.
To make matters worse, this crime uses the ordinary security functions of a website against victims. These schemes are successful when the criminals use old-school con artist tactics to trick or bribe third parties into coughing up the information they need.
How does SIM swapping work?
To successfully SIM swap and hack a victim, the perpetrator needs to know who you are and what your phone number is. Usually, this is obtained by extralegal research. Aside from scouring social media for information to help them masquerade as you, the WSJ reports attackers often resort to classic impersonation methods.
They’ll use fake IDs or cherry-pick public records. The report revealed several attackers went as far as bribing AT&T and Verizon retail employees into providing the information they needed.
Once the attacker has your phone number and identifying information, they’ll visit a different carrier store and perform the namesake SIM swap. This means your number is ported to a brand new SIM card to be used inside a different phone. This prevents two-factor authentication from alerting you to an attack and also disables your phone.
The attacker strikes at your email account. Once they’ve gained access, there’s no stopping them from resetting your other passwords, checking your inbox for sensitive information or outright stealing the money and data associated with your other accounts.
One SIM swapping victim, Michael Terpin, was a high-profile cryptocurrency investor before his accounts were compromised. Once his data was breached, the hackers drained more than $20 million worth of cryptocurrency from his portfolio.
Terpin had multiple layers of security to protect himself, but it was useless in the face of charismatic, determined hackers.
How can I protect myself from this horrible hack?
The attackers knew specifically who they were targeting. They put great effort into obtaining enough information to trick retail employees, and those who performed bribes obviously cared enough to invest some of their own cash into their scheme.
Many of the victims were wealthy or high-profile individuals, which made them attractive targets for this kind of cybercrime. If you’re a relative “nobody” in the grand scheme of the internet, you’re more likely safe than not.
It’s still worth knowing ways to beef up your security so this never has a chance to happen to you. Here are a few ways to stay safe:
1. Implement an extra layer of protection
Don’t make the mistake of assuming protection like 2FA isn’t worth the effort. Though hackers got past Terpin’s 2FA, cybersecurity still recommends using 2FA over no extra protection at all. Google’s research from earlier this year even showed 2FA stops most types of cyberattacks in their tracks.
Since your carrier is the first line of defense between an impostor and your phone number, you may want to take extra steps to make sure they can effectively catch identity thieves. One of the most popular ways is setting up a passcode or PIN for your mobile account.
Some carriers, like T-Mobile, require a PIN to make any changes on your account by default. If you’re not sure whether your account has a PIN, call your carrier and explain you want to set up an authentication passcode or PIN to verify your identity.
Once your carrier has set up a code, any would-be impostor will need to provide this number to gain access to your phone number. Make sure to write your PIN down and keep it in a safe place where nobody else can access it. We recommend not storing this digitally and choosing a number no one can guess.
3. Something extra to take with you
Security keys are a new way to authenticate your identity online, and they’ve received acclaim from cybersecurity experts across the board. These small, USB-powered devices act as a physical key to your account and must be inserted into your computer when you log in.
Two of the most popular brands on the market are Yubico and Google Titan, both of which provide keys that work with computers and mobile products. The phone-based products are Bluetooth compatible, and give you the same benefits a USB key would for a desktop machine.
Unfortunately, not every platform currently supports security keys. A good majority have started to, and you can see if your favorite website works with these products by clicking or tapping here. Look through the categories listed or type your website into the search field to see if your platform of choice is compatible.
4. A different code every time
Gmail users can enjoy a free 2FA protection plan by signing up for Google’s in-house Authenticator app. This app essentially replaces the need for your phone number and generates a one-time code for you to enter each time you log in. This is one of the most direct ways to circumvent SIM swapping.
To use Authenticator, you’ll need to set up 2FA on your Gmail account first. Once you’ve set up Authenticator, you’ll stop receiving text messages when you try to log in. Keep in mind if you lose your phone, you’ll have difficulty getting back into your account. This method, however, is by far the most ironclad protection method against SIM swapping.