SIM Swapping Attacks – Stealing Everything from Your Bitcoins to Your Instagram Accounts
You often see and hear people compare a password to a physical key. While it's obvious where the parallels come from, there are quite a few differences. For example, without the key, you can't unlock the door. Gaining access to an account without the password is possible, however, and it's all thanks to an attack called SIM swapping.
What is SIM Swapping?
Also known as SIM hijacking or a port-out scam, SIM swapping has, it's fair to say, one of the more descriptive names. It's the act of hijacking a victim's cell phone number and using it with a different SIM card. SIM swapping has been around for a few years now, and although it has yet to receive significant mainstream media attention, it appears to be growing in popularity, especially, as we'll find out in a minute, with budding teenage cybercriminals.
How does it all work?
SIM swapping is a type of identity theft, and as you should know by now, identity theft is made possible by the fact that crooks have access to your data. Not surprisingly, in this instance, they need your name, your cell phone number, and in some cases, a few other details. It's still not clear what the exact mechanisms are, but a recent Motherboard investigation suggests that both the security precautions and the techniques for getting around them are evolving.
A couple of years ago, the crooks would find the victim's information in a leaked database and call the carrier. They would impersonate the victim, claiming to have lost their SIM card. They would say that they've got another one and would request that the number be ported to it. Back then, the carriers' security protocols were less than perfect. The customer service representative would ask for the victim's Social Security Number or home address, the hackers would provide it, and the carrier would happily port the number to the wrong SIM card.
Quite a few people got badly burned, and to avoid further problems the mobile service providers had no choice but to update the authentication mechanisms. The game got dirty. The crooks started bribing carrier employees who helped illegally port out the cell phone numbers of quite a few people. The corrupt workers got quite a lot of cash for their cooperation as well – between $80 and $100 per victim.
What is SIM swapping used for?
Law enforcement is taking SIM swapping seriously, and agencies have been on the trail of a group of criminals who have defrauded quite a lot of people using this technique. Last month, they arrested 20-year-old Joel Ortiz, who allegedly hijacked the cell phone numbers of around 40 individuals. On August 17, Xzavier Narvaez, who is just 19 years old, was brought in for questioning with regard to a large-scale SIM swapping operation. Basically, you've got teenagers getting their hands on someone else's phone number. Unfortunately, the results are far more serious than a few prank calls.
A while ago, online service providers like Google started letting you add your phone number to your account. It's not meaningless tracking and data collection. The idea is that if you ever lose access to your profile, Google will be able to verify you via a text message or a call to the number you've provided. The same exact account recovery mechanism is now abused by the SIM swappers.
When they successfully hijack the phone number, the crooks need to act quickly because before cutting the victim off, the carrier sends a text notification regarding the updated SIM card. According to reports, SIM swappers use the hijacked number to gain access to the victim's email, and they then go about resetting the passwords for other online accounts. They move fairly quickly and leave almost no time for reaction. Because the crooks get all the victim's texts and calls, two-factor authentication is often bypassed.
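A detection check for the sequence described above, added here as an example and not taken from the article or from any carrier's or provider's system: it flags SMS-based recoveries that closely follow a SIM change, then follows the chain to password resets sent to the mailbox recovered that way. The event schema, field names, sample events and the 24-hour window are all assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed risk window; tune per service

# Constructed sample events (hypothetical schema). "target" is the phone
# number or mailbox the reset code or link was delivered to.
EVENTS = [
    {"ts": "2018-08-01T09:00", "type": "recovery", "account": "mail:bob",
     "channel": "sms", "target": "+15550111"},
    {"ts": "2018-08-01T10:00", "type": "sim_change", "target": "+15550100"},
    {"ts": "2018-08-01T10:04", "type": "recovery", "account": "mail:alice",
     "channel": "sms", "target": "+15550100"},
    {"ts": "2018-08-01T10:09", "type": "recovery", "account": "exchange:alice",
     "channel": "email", "target": "mail:alice"},
    {"ts": "2018-08-01T10:12", "type": "recovery", "account": "photos:alice",
     "channel": "email", "target": "mail:alice"},
    {"ts": "2018-09-15T08:00", "type": "recovery", "account": "shop:alice",
     "channel": "sms", "target": "+15550100"},
]

def flag_recoveries(events, window=WINDOW):
    """Return [(account, reason)] for resets that follow a SIM change,
    either directly (SMS) or through a mailbox that was itself flagged."""
    tainted = {}  # phone number or mailbox -> time it became untrustworthy
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "sim_change":
            tainted[ev["target"]] = ts
            continue
        since = tainted.get(ev["target"])
        if since is None or ts - since > window:
            continue  # no recent SIM change behind this recovery channel
        reason = ("sms_after_sim_change" if ev["channel"] == "sms"
                  else "reset_via_flagged_mailbox")
        flagged.append((ev["account"], reason))
        # A recovered account may be the recovery channel for other accounts.
        tainted[ev["account"]] = ts
    return flagged

if __name__ == "__main__":
    for account, reason in flag_recoveries(EVENTS):
        print(account, reason)
```

A service that learns of the SIM change only from the carrier's notification to the subscriber cannot run this check; it assumes the SIM-change signal is available to whoever evaluates the recovery request.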
SIM swappers don't target just anyone, though. Motherboard's investigation reported on a bustling online marketplace where stolen Instagram accounts with interesting handles like "@Rainbow" are bought and sold for hundreds and sometimes thousands of dollars.
Speaking of Instagram, the aforementioned Xzavier Narvaez did what any 19-year-old would do – he used the image sharing platform to show the world how expensive his new supercar is. Law enforcement officers suspect that he may have bought it with bitcoins which he stole after SIM swapping the phone numbers of a few high-profile cryptocurrency traders. In April, one such trader going by the name of Michael Terpin filed a lawsuit against AT&T alleging that because of the carrier's poor security practices, he fell victim to a SIM swapping attack that cost him more than $20 million worth of cryptocurrency.
Crooks are falling deeper in love with SIM swapping which, it must be said, is hardly a surprise. The required-skills-to-potential-gains ratio is great for them, and it's blatantly obvious that mobile service providers are not doing enough to thwart the attacks. Here's hoping that this will soon change.