SIM Card Hacking:How It Works and What You Can Do About It

Setting up two-factor authentication (2FA) is a good way to protect your accounts, but if it's text, it's not foolproof. SIM card hijacking, or SIM card swapping, has been around for a while, but as our financial identities increasingly exist online, it's becoming more common to steal phone numbers and use them to access to accounts. This is becoming harder to achieve as phone carriers slowly improve their security procedures and 2FA apps like Google Authenticator and Authy become more common, but as of 2018 it's still a growing problem.

ContentsHow does it work?Who/What gets hacked?What if it happened to me?How can I protect myself?In conclusion:hacking happens

How does it work?

1. Find a target

Laying the groundwork is a crucial part of SIM swapping. First, attackers find personal information about potential targets. Everything from banking credentials to age, location — even social security numbers — can be found floating around the web. If they need more, they can use a phishing attack to trick users into revealing something crucial.

2. Misleading Technical Support

Now that he has a strategy, the hacker will call your carrier (it's pretty easy to find out which carrier a number is on), use what he knows about you to answer security questions, and ask him to port the number to a new SIM card. With a little social engineering, they can get the tech support rep to put a user's number on a hacker-controlled phone.

Almost anyone is at risk of having their SIM card hacked, but since it's not the easiest attack to carry out, a limited number of people can be targeted at a time. People with easily accessible personal information, large social media accounts, or high-value financial accounts are certainly vulnerable, but that doesn't exclude average people with a decent sense of online safety from running into this issue. Even something as seemingly innocuous as a memorable Instagram handle like "@Rainbow" could prompt a hack, as these can sell for surprisingly high sums.

What if it happened to me?

If your phone suddenly loses service in a location where you normally have it, you might consider checking with your carrier. If you suspect a SIM swap, you should:

• Find a connection as soon as possible and contact your carrier. SIM swapping is a known issue, so if they find evidence of it, they'll probably know what to do. You might want to check every few hours, though, to make sure someone hasn't returned.
• Monitor your email and any accounts you know are linked to your number.
• If suspicious activity appears, remove your phone number from your accounts or, if possible, replace it with a VoIP number or someone else's number.
• Make sure the customer service representative locks your account and gets you a new SIM card, protected against unauthorized changes by a PIN code.
• Even if you're not sure which accounts have been compromised, it's safer to follow standard post-hack practice and change your passwords and any sensitive information, like account numbers, that may have been involved.
• Be alert. If this happened once, the information floating around the web might come back to haunt you again.

How can I protect myself?

Unfortunately, many carriers, businesses, and financial institutions have yet to implement foolproof security measures to prevent this. Even with additional layers of security around customer information, attackers may have accomplices working inside to pass customer information to hijackers. That said, there are a few things you can do.

• Set up extra security with your carrier – a PIN at the very least, which requires anyone who wants to make changes to your account to enter it.
• Text or voice 2FA is better than nothing, but if possible switch your 2FA to an authenticator app like Google Authenticator or Authy. These cannot be hacked using your SIM card, but unfortunately they are not yet a common 2FA option.
• Start using a VoIP (Voice over Internet Protocol) service like Google Voice. Since these phone numbers work on the Internet rather than on a SIM card, they cannot be exchanged. Replace your SIM number with the VoIP number whenever possible.

In conclusion:piracy is coming

Even with a PIN, authenticator app, and VoIP service, you're not really bulletproof:PINs can be stolen, authenticator apps aren't widely supported, and some services do not allow you to use VoIP. In the ever-changing world of cybersecurity, the best you can generally do is to settle in, keep an eye out for suspicious activity, and react quickly if anything happens. The stronger your security, the less likely you are to become a target, and the quicker you react, the less likely you are to end up with a few fewer dollars or Instagram accounts.