SIM-jacking is a new kind of attack on the rise that allows hackers to take over your phone number and receive your messages and calls. It can invalidate SMS 2FA and has devastated victims financially, as covered in a previous article. Learn more about the issue and how you can defend against it.
If you haven’t read our previous articles on SIM-jacking, here’s a quick rundown. SIM-jacking, SIM-splitting, or SIM-swapping is a new kind of attack where a hacker, through impersonation, fraud, or other means, ends up with your phone number on their device.
Having control of your number means they can receive your text messages and, in some cases, gain outright access to some apps and accounts.
With this access, hackers can quickly reset your email, social, and banking accounts. As a security precaution, these services often text the phone number tied to the account to reset or change passwords. Unfortunately, the hackers will now receive these text messages and can validate any change to the account.
This is how hackers can then drain bank accounts, or, since most targets so far have been cryptocurrency holders, make huge cryptocurrency purchases and drain those accounts. Due to the nature of cryptocurrency, and because exchanges aren’t regulated like banks, it is extremely difficult to trace or track how the money moves.
So, how do you stop it?
Preventing SIM-swapping attacks
SIM-jacking is extremely effective, and hackers take advantage of the fact that 1) phone company staff can be bought off and/or 2) the staff haven’t been properly trained to identify or combat this attack.
But you can place additional security measures on your phone account to make it more difficult, or impossible, for a hacker to literally walk into a store and perform the attack (a method that is known to be successful). However, these measures all vary by mobile service provider, so we recommend trying to enable all of them.
Add a PIN to your mobile account
This isn’t on by default, but many mobile service providers allow you to set a security PIN (personal identification number) that you must provide before any changes to your account are authorized. This includes changing SIMs, but it should also cover additional actions such as changing your mailing address or adding authorized users to your account (these are also actions a hacker may take to steal your number).
Add security questions and answers to your account
Similar to setting up a PIN, providers such as Sprint allow you to set up security questions and answers as an additional form of verification.
However, it’s extremely important to make sure the answers to questions aren’t accurate or tied to your personal information. Answers to questions such as “What is your mother’s maiden name?” or “What was the first school you went to?” aren’t difficult to find, especially if hackers are specifically targeting you. Make sure the answers here are either 1) made up, or 2) constructed like passwords.
Request a port freeze or NOPORT setting to be placed on your account
This is a T-Mobile-specific option, although it’s unclear whether other mobile service providers offer the option. Having NOPORT on your account means that changing SIM cards or swapping numbers requires the account holder to physically present themselves in a store and provide proof of identification in order to have a SIM changed. To learn more about the NOPORT option, check out this article by Vice.
A port freeze is similar, stopping any SIM swapping from happening until the freeze is lifted. However, impersonation techniques may still get around this port freeze.
Reduce a hacker’s effectiveness
To more effectively defend against this kind of targeted attack and to limit a hacker’s effectiveness as they carry it out, you should work to increase your security and privacy across all your accounts.
Use 2FA via authenticator apps or hardware keys
Part of the reason this attack is so effective is that hackers know many users’ accounts are tied to their mobile phone. If, however, you use an authenticator app or a hardware key as your form of 2FA, then your accounts are significantly safer, because the codes are never sent via SMS.
Limit how much information about you is available
If a hacker is trying to target you specifically, then you’re likely the subject of a lot of research. Think about how much information you’re willingly divulging. Are you saying too much on social media? Do your public profiles give out a lot of sensitive information like your hometown, your address, previous employers, current employers? These are data points that can be very useful for a hacker trying to impersonate you.
Increase security on your most important accounts
For financial accounts, make sure you have more security placed on them. This means having 2FA, but also alerts or freezes on specific actions. Depending on your banking provider, you can also set limits such as withdrawal, purchase, or transfer limits.
If you believe you’re at high risk for this kind of attack, carry out the thought experiment of what would happen if you were attacked. Your phone is deactivated, your social media accounts might be at risk. What about your apps? Your bank accounts?
Thinking through the potential fallout can help you take specific actions to reduce the chance of an attack and to put security measures in place to limit the damage if one does happen.
Even if you don’t think you’re at particular risk for this attack, it still might be helpful to take some of these actions. Beefing up security on your mobile accounts is a good idea, and it’s one of the most effective actions you can take to prevent a SIM-jacking attack from being successful.