What if someone else suddenly had your phone number?
With the rapid and necessary rise in two-factor authentication, where codes are sent to us by text message to unlock accounts after we’ve entered passwords, suddenly our phone numbers have become more important than ever. If someone can get your text messages sent to them, they can get those codes and then log into your accounts. This assumes that they’ve already stolen or cracked your password, but often that’s the easy part given that they have your phone number.
How could they get your phone number on their phones? What if the phone company just routed your calls right to them? They wouldn’t do that, would they? It’s happened before, often enough to warrant a warning.
SIM-jacking, which is also known as SIM-swapping or SIM-splitting, is an attack where a hacker successfully reroutes a victim’s phone number onto the hacker’s own SIM card. If you’ve ever activated your new phone or changed mobile phone providers, then you’re familiar with the process. However, a hacker, taking advantage of poor security on many mobile service providers, can impersonate the account holder or even physically go to a store to get the employee to make the switch.
To increase the likelihood of success, hackers often equip themselves with whatever information is needed to bypass certain security precautions. Personal details such as a home address, mothers’ maiden name (a common security question), and email addresses associated with the account are easily found online or in the troves of data leaked by various data breaches.
This may sound difficult, and you might expect it to be rare. But it’s not. It takes effort, which means the attack happens when the attacker knows that the target has something worth the trouble. Celebrities, wealthy folks, cryptocurrency holders, and those prominent for one reason or another are the most likely victims.
SIM-jacking – a catalyst for worse hacks
SIM-jacking is a high-value attack because, when successful, it captures a central point of communication and security for many people – their phones (and phone numbers). With the phone/number in hand, hackers can easily access many sensitive accounts. Often they first hack into the primary email account. This account usually uses a phone number in order to authenticate a log in or reset a password. Because of the SIM-jack attack, they now get the 2FA code, meaning they
Because email addresses are usually a main source of account verification, once a hacker has access to your primary email account, they can then access any number of your other accounts.
Here is the terrible sequence of events: .
- A hacker decides you are worth attacking.
- They call your phone provider, or visit a mobile phone store, and convince someone that they’re you (or a friend or relative) and get your number assigned to their phone. SIM-Jack complete.
- Then they try to get into your primary email account and reset the password.
- They may have the password because it was leaked in a breach, they re-used a password from another breach, they may guess it, or use a brute-force tool to figure it out.
- If your email has an SMS-based two-factor authentication on it, the hacker receives that code (because they swapped SIMs) and they’re in.
- They then reset your email password with a new password, locking you out.
- With access to your email, the hacker can now reset passwords to any number of other accounts and verify the reset via email. They’ll also get codes for any other 2FA protection you have setup using SMS.
SIM-jacking is the counter-measure to two factor authentication. Stealing your phone number steals your 2FA codes, if you use SMS-based 2FA. This is why 2FA Authenticator apps and 2FA hardware keys are more secure.
However, SMS-based 2FA is by far the most popular form, making SIM-jacking a dangerous problem. There have been multiple instances where victims of SIM-jacking found their lives turned upside down and in many cases, had their financial accounts pilfered.
In our next article, we’ll detail the experiences of two SIM-jacking victims and what they lost as a result of the attack.