If they can get Jack Dorsey they can get you… learn the simple ways to protect yourself against Sim Swapping Attacks.
Just last August Twitter’s own CEO, Jack Dorsey, had his handle @jack compromised by a group of hackers who took the opportunity to tweet antisemitic and racist remarks to his 4.2 million Twitter followers. After researching the issue, Twitter’s team confirmed that he had fallen victim to a Sim Swapping Attack. This same attack has been used to hack other high profile names like Jessica Alba and to drain the cryptocurrency and traditional bank accounts of normal people like you and me. Here’s an overview of how it all goes down and how to protect yourself from being next.
How Sim Swapping Works
Many secure websites and services such as banking, email, and social media now connect our mobile phone numbers as a second form of authentication and to verify that you are a real person. It’s easy as basically all of us have a mobile number and it creates a barrier to entry for bad actors who try to create lots of fake accounts. While it does provide some benefits and an additional level of security, this method has some pretty gaping vulnerabilities.
Sim Swapping is when a criminal contacts your phone company and social engineers, or tricks them, to change your mobile connection to a device they control. As an example, they may call your provider pretending to be you and say that your cell phone has been stolen and you need them to switch your service to a new cell phone you just bought. Alternatively, they may just have an employee of the cell phone provider in their pocket that can perform the sim swap without the need for social engineering.
Once your sim has been swapped to a new device, the criminal will then receive all of your text messages and phone calls. The criminal then uses your cell phone number to reset your password and gain access to all of your secure accounts, often helping themselves to your cryptocurrency and bank account balances in the matter of minutes. They may also lock you out of your social media or cloud storage services and demand ransom in exchange for the safe return of your personal information. The only silver lining to this type of attack is that you’ll know right away when this happens because your device will lose service.
Pretty scary right? Any service that uses your phone number is vulnerable to this type of attack and it can be performed by anybody in the world without any special technical knowledge. Think your carrier can keep you safe? A study published this year by Princeton University found that major US carriers including ATT, T-Mobile, and Verizon, among others, are definitely susceptible to Sim Swapping.
Staying safe will require you to act proactively. Here are some strategies to protect yourself.
First Things First — Enabling 2FA
Despite the risks of Sim Swapping, you should always enable 2 Factor Authentication (2FA) on your accounts. This will keep your accounts safe by requiring a secondary pin sent to your mobile phone in addition to your username and password to gain access to your accounts. 2FA is now a standard feature with most secure services and can be enabled in your login and security settings.
While I realize that I just spent several paragraphs describing the shortcomings of SMS-based authentication, the reality is that enabling it will stop most threats. Even if a criminal were to discover your password through malware or a data breach, they would still require access to your SMS messages to get into your accounts. Most attackers won’t bother to perform a sim swap and will simply move on to an easier target that doesn’t have 2FA enabled.
That said, it’s important to remember that many services will allow you to reset your password with just your mobile number. For that reason, it is common for attackers to use the Sim Swap to gain access to accounts without having to know your password.
Your First Line of Defense — Ditch SMS
The simplest way we can protect ourselves is to choose app-based 2FA when available. While having 2FA enabled is always better than not, many services offer two flavors of it. The most common is SMS-based which sends an SMS to your cell phone and is vulnerable to Sim Swaps. The less common but more secure is app-based authentication. Rather than send you a text message, your authentication code is generated by an authenticator app on your mobile device, the most popular being Google Authenticator (iOS, Android).
All you need to do is download an authenticator app and then choose app-based authentication when configuring your 2FA settings on each of your accounts. You’ll be prompted to scan a QR code with your authenticator app and then you’ll be set up! When asked for an authentication code just open the app on your phone and type in the 6 digit code it displays for the website you’re trying to access.
Authenticator apps are not susceptible to Sim Swapping. These apps rely on details unique to your physical device that cannot be transferred to another device by your phone company. This means that even if an attacker manages to take over your messages they will not be able to duplicate your unique authentication codes or get into your accounts.
The Best Solution — Private Phone Number
Although in a perfect world an Authenticator app would solve all of our problems, the challenge is that many websites do not support app-based authentication. Anecdotally, all of my bank accounts and credit cards offer SMS-based identification as their only option. So how are we to protect ourselves?
Since we know any and all carriers can be exploited to perform this attack, our only solution is to use a phone number nobody knows about. An attacker can’t perform a Sim Swap if they don’t know which number to use. The nice thing is that secure services don’t reveal our phone numbers to attackers — they typically have to find them through other means like when we publicize them ourselves on social media or via public record. A phone number nobody knows about defeats the point of a phone, so it makes sense to get a second phone just for this purpose.
Head over to your nearest big box retailer like Walmart or Best Buy to purchase the cheapest prepaid phone and plan they have. You’ll only need to use this phone once. Since in this case we don’t plan to use this phone as a tool for anonymity, it’s okay to order online as well. Mint Mobile tends to offer the most affordable plan for our purposes offering a 7-day trial for just $5. You can use a spare cell phone that is compatible with their service or purchase a cheap, unlocked flip phone to go with it for about $30.
Once you have your prepaid device go ahead and activate it by following the instructions and note down your new, private mobile number. This is the number you’ll use exclusively for 2FA across all of your services. Before we move on, we’ll want to switch to a free mobile plan so that you don’t have to keep paying for Mint’s wireless service every month. That’s where Google Voice comes in.
Navigate to Google Voice and log into your existing Google account or create a new one. This is a good time to ensure you have app-based 2FA enabled for your Google account. Once you’ve registered you’ll need to port your private prepaid phone number to Google Voice using these instructions. You’ll incur a small fee to complete this transaction, usually $20, but in exchange you’ll be able to receive calls and texts at this number absolutely free, forever! That beats buying a monthly plan from Mint in my book.
While you can accept calls and texts from your browser using Google Voice, that’s a pain in my opinion. I suggest downloading the Google Voice app (iOS, Android) to receive texts on your mobile device. It goes without saying that you shouldn’t use Google Voice’s forwarding service to forward your texts to your primary number as that would defeat the purpose of this exercise. At this stage you can put away your prepaid flip phone or spare device as you won’t need it anymore.
You can now set this up as your 2FA phone number on all of your accounts knowing you’re fully protected. Nobody knows your new phone number and even if they discovered it, they wouldn’t be able to get into your Google Account to access it since you’ve enabled app-based 2FA.
What About Free VoIP Phone Numbers?
Google Voice and many other services actually allow you to register a phone number for free, so why aren’t we using those? You can try it — but most services don’t accept VoIP numbers. The reason why is simple: they are easy and cheap to obtain anonymously so they’re commonly used by criminals and other bad actors.
We circumvent this restriction by first registering the number with a prepaid carrier and then porting it over to a VoIP service, Google Voice in our case. The services you use have no way to know how you’re receiving your messages, they simply know which numbers are reserved for VoIP services and block those numbers from registering. You’ll be in the clear as you’re using a number originally reserved for prepaid carriers.
While there is a minor cost and time commitment to implementing this safety measure, it pales in comparison to the financial and emotional complications of a data breach. This solution will effectively protect you from the large majority of cyber threats without that much effort on your part. Cybersecurity is certainly one area where it pays to be proactive!
This article is for informational purposes and does not constitute financial, legal, or cybersecurity advice. The information is presented as-is and you are encouraged to do your own research before taking any action. If your life, safety, or livelihood is at risk you should consult a security professional.