Security consultants are warning customers world-wide about an expanding and dangerously effective attack targeting SIM cards and utilising a technique known as “SIM-hijacking” or “port out scam”.
Firstly, criminals will call a mobile carrier’s tech support number and impersonate their target. They will request their phone number be transferred (or ported) to a new SIM card, or to be sent a new SIM card for their phone because, for example, they have “lost” the original. With some simple social engineering – e.g. providing a home address, date of birth, etc – the criminals can successfully convince the employee that they are who they claim to be, and the hack is complete. From there, the victim will lose service and hackers can reset various accounts using their phone number as a recovery method. Often, hackers can even bypass two-factor authentication setups.
With phone numbers becoming the key to our digital identities, this growing hack is tremendously dangerous for millions of global customers. Our phone numbers are often linked to our most sensitive accounts – email, banks, Facebook and more.
Director of Intelligence and Research at Celsus Advisory Group, Roel Schouwenberg explains that “any type of number can be ported” by a determined and resourced criminal. Even if this access is temporary, according to Schouwenberg they can gain enough information to complete a successful heist. In a blog post on the matter, Schouwenberg emphasized that “most systems aren’t designed to deal with attackers taking over phone numbers…our phone number has become an almost irrevocable credential. It was never intended as such…a phone number provides the key to the kingdom for most services and accounts today.”
Unfortunately, the scheme can be extremely lucrative. Over the years, Instagram accounts have been hacked using SIM-hijacking and sold for up to $40,000, according to some sources. In 2017, Cody Brown, founder of the virtual reality company IRL VR, lost more than $8,000 in Bitcoin within 15 minutes after hackers took over his phone number and accessed his email and Coinbase account.
In October 2017, T-Mobile was alerted to a bug on their website allowing hackers to access customers personal data. This data was able to be pooled and used to help hackers impersonate that customer, allowing them to grab an even bigger prize – their phone number. In response, T-Mobile contacted hundreds of customers to warn them and suggested they place more security checks on their accounts.
Then again in February T-Mobile sent out a mass text to customers warning them of the “industry-wide threat” posed by SIM-hijacking. To protect against these criminals, T-Mobile began offering a “port validation feature”. This acts as a separate password and is required whenever someone tries to make changes to an account.
Indeed, many cell phone providers have stepped up their account security and identity checks. AT&T created a separate credential for accounts that is required when making significant changes. Verizon also requires every customer to have a PIN or password when reaching out to call centres, providing an extra layer of security.
However, many believe that as this scam grows in complexity, hackers are finding ways around these security measures. One source claimed that the criminals are paying employees within the phone company to hand over the PIN for $80-$100. Indeed, in a recent arrest of a 25-year-old man in Florida, it was revealed that hackers are equally successful at bypassing lax authentication procedures as they are at paying off or working with the carrier’s employees to conduct unauthorised SIM swaps. The Florida man was accused of taking part in a multi-state cyber fraud ring centred around SIM-hijacking. An alleged victim of this group lost approximately $150,000 in cryptocurrency after their phone was cloned.
Unfortunately, phone numbers have become the master key to our lives. While there are steps we can take to inhibit these attacks, the only way to prevent them is by removing your phone number from any account that may interest hackers. A move away from SMS-based authentication, and towards a robust two-factor authentication system will help customers bolster their security. Finally, utilising other authentication methods such as once-off code generator apps or hardware-based security keys will give you the best chance at protecting your information and accounts from these criminals.