When hackers took over the Twitter account of Twitter’s chief executive, Jack Dorsey, last week, they used an increasingly common and hard-to-stop technique that could have given them complete access to his digital activities, including social media, email and financial accounts.
Called SIM swapping, it allows hackers to take control of a victim’s phone number. It has been used to hijack the online personas of politicians, celebrities and notables to steal money all over the world and to simply harass regular people.
Victims, no matter how prominent or technically sophisticated, have been unable to protect themselves, even after they have been hit again and again.
“I have been looking at the criminal underground for a long time, and SIM swapping bothers me more than anything I have seen,” said Allison Nixon, director of research at security firm Flashpoint.
“It requires no skill, and there is literally nothing the average person can do to stop it.”
How a Sim swap works
Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control. The number is switched from a tiny plastic SIM card in the target’s phone to a SIM card in another device.
Sometimes hackers get phone numbers by calling a customer help line for a phone carrier and pretending to be the intended victim. In other recent incidents, hacking crews have paid off phone company employees to do the switches for them, often for as little as $100 for each phone number.
Once the hackers have control of the phone number, they ask companies like Twitter and Google to send a temporary login code, via text message, to the victim’s phone. Most major online services are willing to send those messages to help users who have lost their passwords.
But the temporary code is sent to the hackers.
Phone companies have been aware of the problem for years, but the only routine solution they have come up with is offering PIN codes that a phone owner must provide in order to switch devices. Even this measure has proved ineffective. Hackers can get the PIN codes by bribing phone company employees.
“It doesn’t seem like the AT&Ts of the world are really doing anything to make it more difficult,” said Erin West, a deputy district attorney in California’s Santa Clara County
“Account takeover fraud is an industrywide problem. We use a number of safeguards to protect against this crime and offer customers a variety of options to help them protect their own information,” Paula Jacinto, a spokeswoman for T-Mobile said.
Who has been hit?
It is difficult to ascertain how many mobile phone users have been hit by a SIM swap. But people around the world, from Kenya to Hollywood, have complained about it.
In recent weeks, the most prominent targets have been celebrities like Dorsey, actress Jessica Alba and online personalities like Shane Dawson and Amanda Cerny. The hackers used the accounts to post offensive messages to millions of followers. They also gained access to private communications.
Matthew Smith, who owns an internet-focused design studio in South Carolina, has been hit by SIM swappers four times — three times this year alone. Hackers had long wanted his Instagram handle, @whale. That made him a target.
Progressing from prank to theft
SIM swapping became popular in the hacking community years ago. Attackers were mostly interested in taking control of rare or iconic social media account names. But hackers soon realised they could gain access to more than social media accounts.
In 2016, SIM-swapping gangs started targeting cryptocurrency holders. Unlike traditional bank transactions, once virtual currency is moved to a new address, the transaction cannot be reversed.
US bank accounts have been less vulnerable to SIM swapping because banks will generally reverse any criminal transactions.