Beware: SIM Card Swaps Are on the Rise
Most everyone has a cell phone these days. It’s how we stay connected and how we verify our online accounts. Most companies will ask if you want to add your phone number to your account for verification and recovery purposes. This is called “two-factor authentication.”
If and when you need to access your account(s), you simply enter a code that is sent to your cell phone, and you have access to your account again. Simple, right? For the most part, this is supposed to keep our accounts safe and secure and only allow the owners access.
However, there is an underground crime ring that is now performing SIM card swaps to steal Instagram, Twitter, and other usernames and sell them on the black market for thousands of dollars.
Not only is there that concern, but there are also individuals who try to hack into accounts just to show businesses where security loopholes exist. In just a couple of minutes, your entire digital life can be erased. Read about the Apple and Amazon Honan hacking.
What is a SIM Swap?
A SIM swap is when someone convinces your phone carrier to switch your phone number over to a SIM card they own. By diverting your incoming messages to their phone, scammers can complete the text-based two-factor authentication checks that protect your most sensitive accounts. Or, if you don’t have two-factor set up in the first place, they can use your phone number to trick services into providing your passwords. A determined attacker can take over your online footprint in just a few minutes once they have access to your accounts.
SIM swap attacks appear to be behind a recent string of Instagram takeovers; for example, the Justin Bieber nude photos from Selena Gomez’s account last year. Not only are they disrupting Instagram and Twitter users, they can also steal money from accounts. A cryptocurrency investor claimed that a SIM swap resulted in the theft of $23.8 million worth of tokens; he’s suing his carrier, AT&T, for 10 times that amount. And Motherboard recently documented a number of incidents in which SIM hijackers drained thousands of dollars out of people’s checking accounts.
Unfortunately, SIM swaps are largely out of your control. Even if you have great security hygiene, it won’t always keep someone from fooling your carrier, and in fact, they may not even have to; Flashpoint has found some indications that SIM hijackers recruit retail workers at mobile shops to gain access to protected accounts.
The good news is, you can take steps to limit the chances that a SIM swap attack will happen to you—and limit the fallout if it does.
Use a PIN
Every major US carrier offers you the option of putting a PIN or a passcode on your account. Make sure you have a PIN on your account. Doing so adds another layer of protection. It’s another piece of information an attacker needs before they can steal your identity.
On AT&T, you can set up a “wireless passcode” that’s four to eight digits long by going to your profile, then Sign-in info, then Get a new passcode. You should also add what the carrier calls “extra security,” which just means it’ll require the passcode to manage your account online or in a retail store. You can find that by going again to Sign-in info, then Wireless passcode, and checking Manage extra security.
Verizon requires a PIN automatically, but to set yours up or change it, go to this site, and sign into your account. Simply enter a PIN of your choice twice, click Submit, and you’re done.
For T-Mobile, you have to call instead; dial 611 from your mobile phone and ask to add “Port Validation” to your account, which lets you choose a six- to 15-digit PIN.
For Sprint users, sign into your account, click on My Sprint, then go to Profile and security. Scroll to Security information, and update your PIN there.
I know remembering another PIN is a pain, but it’s always better to be safe than sorry. If you have to, write it down and keep it safe. So far, hackers can’t open a drawer in your home and see what is written in a notepad.
Use Better Two-Factor Authentication
We have written about using two-factor authentication before, but it bears repeating. Getting your two-factor authentication codes over SMS is better than nothing, but it won’t help if you are a victim of a SIM swap. What will help protect you is using an authentication app instead.
Apps like Google Authenticator and Authy give you an extra layer of security. They tie into your physical device instead of your phone number. They provide you with a six-digit code that changes every 30 seconds or so, and stays in constant sync with whatever service you connect them to.
There is another option that is even more secure. Use a fob that you connect to your device and your accounts. A YubiKey fits on your keychain and plugs into your computer’s USB port to help verify your identity. This is the most secure way to protect your accounts. If you’ve enabled a physical token, plus your password, and you turn off SMS, hackers won’t be able to access your account unless they have your fob in their possession.
Not all services have the option for using a fob to connect to your accounts yet, but having one to connect to the services that have the ability helps keep them safe. We all have to take responsibility to keep our accounts safe and secure, to keep hackers from stealing our information and identities.
Until Next Time,
This post was written by Karen