SIM swapping, also known as SIM hijacking, is a technique used by attackers to gain control of your mobile number by deceiving your cellphone provider into transferring your number to their device. With your phone number in their hands, attackers can bypass security measures to access your emails, bank accounts, social media profiles, and more. This method exploits the use of text messages for account recovery, alongside information obtained from phishing, two-factor authentication intercepts, or leaked data.
A 5:30pm today someone walked into a T-Mobile store, claiming my identity and swapped my sim. At 5:45pm I noticed my texts were not sending. I had no phone calling ability. Other house mobile phones worked. Wifi internet on my phone worked. I see an alert on my chase account of a credit inquiry at Macy’s Department store minutes later.
At that point I knew it was a sim card swap attack. I called Tmobile. Recording says, “1 hour wait.” I leave my wifes number for them to call back. I race over to the Tmobile store 5 minutes away and plead my case. “Stop the phone access.”
They research and see that the swap happened at a store but can’t say which one. They call into Tmobile to figure out next steps. While we are waiting, I get the call back from Tmobile corporate. They agree it is a fraud case and they switch the sim back to my phone, I regain access within 1 hour or so since the swap occurred. I agreed to switch phone numbers being that I was hacked once already, I will likely continue to be a target due to the ledger hack.
How to mitigate your chances of being a victim of a Sim-Swap
1. If your account has the option, add extra security of having to verify the 4-8 digit passcode every time you go to a store or call in. Contact your carrier to discuss options like port freezes or number locks, which can add an extra layer of security to prevent unauthorized port-outs.
2. Have customer service leave a PRIORITY NOTE on the account stating “No one besides the account holder is authorized to swap sim cards – account holder must be in store and verify 4-8 digit passcode”
3. Setup a sim pin in case your phone is ever stolen. Scumbags will put your sim card into another phone and if they have any of your info it is basically game over.
4. For Verizon users they have recently added the option to lock sim swaps via the VZ app. Once the lock is enabled swaps are not allowed unless you log into the app using a thumbprint or pin and unlock swapping.
5. Time-based, one-time passwords (TOTPs) are more secure than SMS 2FA. TOTP codes are more difficult to intercept than SMS to begin with. The most basic way to intercept SMS codes is by either swapping out the victim’s SIM card or impersonating the victim and ordering a copy of their SIM card to be sent to a different address. Or, a hacker may be able to target a specific user’s phone and steal it.
TOTP codes are generated by an app installed on the user’s device, so any bad actor looking to steal their code would need to either steal their phone or somehow break into the app first, which requires more technical skill.
6. Want to step your two-factor up even further? Opt instead for a physical authentication method, like a Yubikey. These little fobs fit on your keychain, and plug into your computer’s USB port to help verify your identity. “If you’ve enabled a phsyical token, plus your password, and you turn off SMS, then someone literally is going to have to physically steal your keys.
Stay safe.
Theodore Lee is the editor of Caveman Circus. He strives for self-improvement in all areas of his life, except his candy consumption, where he remains a champion gummy worm enthusiast. When not writing about mindfulness or living in integrity, you can find him hiding giant bags of sour patch kids under the bed.