What is a SIM swap and why is it dangerous?
Your SIM card is the chip in your cell phone that tells your device what phone number and cellular network to use. Your SIM card is assigned to your phone number by your wireless service provider.
A SIM swap happens when someone somehow convinces your cell provider that they are you. Once they do so, they have the service provider switch the SIM card linked to your phone number to a SIM card they have in their possession, which routes all your incoming calls and texts to whatever phone the hacker’s SIM card is in.
This may not seem like a big deal at first glance, but it allows the hacker to have immediate access to any two-factor authentication code you receive through text messages. For example, the hacker accesses your Google account asks for a password reset link via SMS message. Then they simply change the password and access your account.
SIM swapping allows a hacker to access email, online bank accounts, social media accounts, and cryptocurrency accounts within minutes.
SIM swaps have been reported on all major U.S. cell phone networks and these types of attacks are on the rise in recent years. According to Lieutenant John Rose of the Regional Enforcement Allied Computer Team based out of San Jose California, although mobile carriers are aware of the threat, “[i]t is still very, very easy to SIM Swap.” In the fall of 2019, the FBI went so far as to issue a security advisory private industry partners due to the increase in frequency of these attacks.
Are hackers really able to steal millions? What if I’m not a millionaire?
In the fall of 2018 two hackers were arrested in Oklahoma on suspicion of stealing $14 million in cryptocurrency via SIM swapping.
One man, Robert Ross, lost his life savings, one million dollars, when a hacker gained control of Ross’s phone, accessed his online bank accounts, used his money to buy crypto-currency, and then transferred the crypto-currency into accounts he controlled at difference financial services providers, all before Ross could regain control over his phone number.
In April 2019, Gregg Bennett, the CEO/Founder of Columbia River Technologies, a bitcoin mining company, had nearly $1 million worth of bitcoin stolen from him personally via SIM Swapping.
Perhaps most famously, crypto investor Michael Terpin lost $24 million in bitcoin via SIM swap in January 2018.
While, these cases clearly show that perpetrators of these types of attacks target victims with significant financial resources and investment in cryptocurrency, that doesn’t mean you shouldn’t be concerned. Many middle-class Americans have also been victims of SIM swapping and the perpetrators simply transfer whatever they can out of the victims’ bank accounts and use it to buy crypto currency.
What can you do protect yourself?
Cybersecurity experts all agree that you should stop using SMS for two-step verification. Instead, use an authentication app such as Google Authenticator, Microsoft Authenticator, or Authy. These apps can’t be accessed via your cell phone number and the verification codes expire quickly (usually within 30 seconds).
Another good option is Google Prompt. Google Prompt is a feature you can enable on your Google account without using SMS or a separate app. Google suggests only using this on devices that are secured with a password or fingerprint scanner and not using on a shared device. You can enable this feature by following these steps:
- Enable two-step verification for your Google account if you haven’t already (via myaccount.google.com)
- From the 2-Step Verification page scroll down to the Google Prompt section under Set up alternative second step, click Add phone and click Get started
- Select your device from the drop-down menu
- Once you’ve selected a phone, click Next
- If you’re set up properly, you will receive a notification on the device you’re trying to connect. Unlock it and tap Yes to enable Google Prompt
Additionally, you should add a PIN code or password to your wireless account. This will require the wireless provider to authenticate your identity with the PIN or password before allowing access to your account via phone.
Of course, generally recommended security practices will help too, such as having lengthy passwords and protecting them. Cybersecurity experts recommend using a password manager. A password manager is essentially an encrypted digital vault that stores the login information you use to access apps on mobile devices, websites and other services. It also generates strong, unique passwords to ensure you aren’t reusing them across services and devices. Two good choices are LastPass and 1Password; however, there are others.
What should you do if you’ve been hacked?
The easiest way to tell if your SIM card is no longer active is if you completely lose service on your phone. Of course, this means you won’t be able to place or receive phone calls or text messages.
- Use someone else’s device to call the customer service for your service carrier immediately
- Reach out to your bank(s) and credit card companies and check to see if the hacker has change any of your passwords or make any fraudulent transactions
- Place a Fraud alert with the credit reporting agencies
- File a police report with the local authorities
- File a report with the Federal Trade Commission (who tracks these types of cyber attacks)
- Change passwords on accounts that may be compromised
What are the legal remedies are available to you if you’re the victim of a SIM swap?
Criminal: Unfortunately, as in the case of Robert Ross, hackers in these attacks often convert stolen funds into cryptocurrency which is difficult to trace. So, while the perpetrators face criminal prosecution if they are identified, it can be difficult to recover the stolen funds.
Civil: There are potential civil actions you can pursue against the wireless service provider.
First, all fifty states have laws that mandate the protection of private consumer information (“personally identifiable information” or “PII”). In Virginia that includes full name in combination with information such as your social security number, driver’s license, credit card number, or access or security codes such that would permit a person to access financial accounts or medical information.
Second, the Federal Communications Act creates an obligation for network service providers to protect sensitive customer information, especially something called Customer Proprietary Network Information. SIM swapping constitutes a compromise of this sensitive information.
If you’ve been a victim of a SIM swap, you can potentially sue your wireless service provider for negligence for failing to protect your data as required by both State and Federal law. In fact, Robert Ross, Michael Terpin, and Seth Shapiro, VideoCoin’s head of strategy, and have all filed lawsuits against AT&T in federal courts for failure to adequately protect their accounts and sensitive information.
Gregg Bennett has filed a similar suit against cryptocurrency exchange Bittrex for losses resulting from the SIM swap, alleging Bittrex failed to adhere to its own security protocols and accepted industry standards.