“SIM Hijacking” - A New Target for Cyber Criminals

Your cell phone is a "Golden Ticket" to many of your secure services!

While phishing attacks remain one of the most prevalent attack methods for cybercriminals, new threats continue to emerge. As mobile devices become more omnipresent, fraud utilizing these devices will only continue to rise! Did you know 60% of fraud originates from mobile devices? And while 80% of mobile fraud comes from downloaded apps, an even more harmful scam has emerged … “SIM Hijacking”. Last month a hacker who stole $5 million through SIM Hijacking was sentenced to 10 years in jail.

How Does SIM Card Hijacking Work?

“SIM” stands for Subscriber Identity Module; it links your physical phone to your phone number. SIM Hijacking, or SIM Swapping, results in your phone number being taken over. Your phone number is the key to 2-factor authentication and other verification processes. Only one SIM card can be associated with a phone number at a time, so once the number is stolen the victim loses service and is left in the dark. The phone number has become the golden ticket for access, which makes it extremely sought-after by those attempting to extort money, steal handles or steal your identity.


What is Authorized SIM Porting?

The ability to port your SIM card to another device is a service that mobile carriers provide to their customers. It allows a customer to request their phone number be transferred to a new device. In most cases, this is a perfectly legitimate request; this happens when we upgrade to a new phone, switch mobile carriers, etc.


What Is A SIM Port Attack?

A “SIM port attack”, however, is a malicious port performed by an unauthorized source — the attacker. The attacker ports your SIM card to a phone that they control. The attacker then initiates the password reset flow on your email account. A verification code is sent from your email provider to your phone number — which is intercepted by the attacker, as they now control your SIM card. 

Once the attacker controls your primary email account, they begin to move laterally across any lucrative online services that you manage via that email address (bank accounts, social media accounts, etc.). If they’re terribly malicious, they can even lock you out of your own accounts with little recourse to reclaim them.

Most of us have a primary email account that is connected to A LOT of other online accounts. Most of us also have a mobile phone number that can be used to recover that email password should we ever forget it.


Take a moment to consider the sheer volume of sensitive information tied to a single Google Account:

  1. Your address, date of birth, and other private, personally identifiable information
  2. Access to potentially compromising photos of you (and/or your partner)
  3. Access to your calendar and upcoming travel dates
  4. Access to your private emails, documents, and search history
  5. Access to your personal contacts and their private information as well as relation to you
  6. Access to all other online services for which your primary email address was used as the authentication source


How Can You Prevent This From Happening to You?

The first thing someone concerned should do is call their carrier. Many carriers offer the option to require a PIN for switching SIM cards. Calling your carrier and setting up this PIN or notifying them of your concern for this hacking technique can prevent it from happening.

  • Use a SIM PIN: A SIM PIN is one of the most effective ways to protect your SIM card if cybercriminals have physical access to your lost or stolen phone. A SIM PIN prompt appears anytime the phone is restarted or whenever the SIM card is inserted into a new phone.
  • Use an Authenticator App: Apps such as Authy, Google Authenticator, 1Password and others generate a six-digit code on the device itself, eliminating the need for codes sent by text message. Use an authenticator app with every provider that supports one. Many financial institutions do not allow the use of authenticator apps, in which case email authentication is the best choice.
  • Use a PIN for Your Mobile Provider Account: Mobile providers typically allow you to create a PIN that is required to access your account. If a SIM scammer does not know your mobile provider account PIN, the provider should not give the scammer any account information.
  • Use A Hardware Wallet To Secure Your Crypto: Move your crypto to a hardware wallet, offline storage or multi-sig wallet whenever you are not transacting. Do not leave funds idle on exchanges or fiat on-ramps.
  • SMS Based 2FA Is Not Enough: Regardless of the assets and/or identities you are trying to protect online, upgrade to hardware-based security (i.e. something physical that an attacker would have to physically obtain to perform an attack). While Google Authenticator and Authy can turn your mobile device into a piece of hardware-based security, we advise going a step further: pick up a YubiKey that you physically control and that cannot be spoofed.
  • Reduce Your Online Footprint: Resist the urge to needlessly share personally identifiable information (birthdate, location, pictures with geolocation data embedded in them, etc.) online. All of your publicly available personal data can be turned against you in the event of an attack.
  • Google Voice 2FA: In some cases, an online service will not support hardware-based 2FA and relies on weaker SMS-based 2FA. In these cases, you might be better off creating a Google Voice phone number (which cannot be SIM ported) and using that as your 2-factor authentication recovery number.
  • Create a Secondary Email Address: Instead of binding everything to a single email address, create a secondary address for your critical online identities (bank accounts, social media accounts, crypto exchanges, etc.). Do not use this email address for anything else and keep it private. Protect that address with some form of hardware-based 2FA.
  • Offline Password Manager: Use a password manager for your passwords. Even better, use an offline password manager like Password Store.
  • Require an In-Store Visit Before Swapping Your SIM Card: Requiring an additional PIN for your account is one way to stay secure, but requiring an in-person visit is even better. Attackers may try to do an in-person SIM swap, but it is a lot less likely and significantly harder for them to pull off. Unfortunately, phone carriers are notorious for ignoring notes about in-person phone swaps in your personal profile.


The good news is that with the increased visibility of SIM card hacking, we’re hopeful that the situation will continue to improve. For more tips on protecting data, and what to do if you are hacked, call 833-ALPHA-ONE or 334-245-3125.