Over the past year, we’ve seen reports of SIM-jacking, a particularly malicious attack hackers are using to assume control of victims’ digital and financial lives. What is SIM-jacking and how exactly does it happen? These attacks allow hackers to take over a person’s cell phone number and usually their digital life along with it. Threat actors typically start by social engineering their way into getting an employee at a cell phone carrier company to port over a phone number to another SIM card. Essentially, they bribe these employees with cryptocurrency or PayPal transfers to have them swap cell service from the SIM card in a victim’s device over to a SIM card in the attacker’s possession. From there, they can take over their victims’ email, social media and even financial accounts, extorting cryptocurrency for returned control. Common targets include celebrities or social media influencers, high-profile employees and more.
Motherboard recently reported on one such incident. According to the article, entrepreneur Jared Goetz was targeted by a SIM-jacking operation, sustained fraudulent charges to his credit card, and was cut off from his phone and email accounts. Goetz was able to (kind of) befriend the attacker and ultimately negotiate the safe return of his digital life. Many victims aren’t as lucky. Most who face SIM-jacking attacks lose quite a bit in the end – some lose money, others lose social media followers, and others yet lose their user handles for various social media platforms.
Who is at fault in SIM-jacking attacks?
SIM-jacking involves much more than one single target. There are several layers to this ploy, so let’s examine who might be at fault.
Cybercriminals are obviously to blame for these attacks – they’re the ones looking to hijack their victims’ phones and extort them. But, not all bad guys are offering money to inside threats at cell phone carrier companies. With so many data breaches each year, all it takes is prying eyes, diligence and curiosity for a bad actor to aggregate enough data about a potential victim for them to carry out a SIM-jacking attack. There are many data dumps on the dark web of social security numbers, physical addresses, and much more personally identifying information – some for free and others at a cost. All of this information can be used to trick carrier companies, instead of bribing them.
From the service provider’s stance, employees who succumb to bribes from SIM-jackers are just as bad as the attackers themselves. That said, as I alluded to above, sometimes they end up aiding an attacker unknowingly. Having worked for cell phone service provider companies previously, I know that these employees are often at the mercy of whoever’s calling in and what information they provide. What I mean by that is, most people wouldn’t be able to differentiate a legitimate customer calling in with a request from a caller that’s actually a threat actor with access to private data through breached information. Going through the initial call flow, these employees ask certain questions and, based on the answers, the caller is authorized per the account.
You could argue that SIM-jacking victims themselves carry some responsibility here as well. Every customer has the ability to harden their account with their respective cell phone service provider, but far too many either don’t know or care to take the necessary steps. I am sure not many people go about their day expecting to be targeted by hackers in any circumstance, much less a SIM-jacking attempt specifically. Nevertheless, carriers offer options for their customers to add security measures to their accounts. An example of these added protections would be requirements for a PIN code or another extra security step – on top of predefined security questions – in order to request or allow any kind of major account update. This added step would be much like a second or third token requirement in multi-factor authentication solutions.
Practical advice for SIM-Jacking prevention, detection and response
One step you can take to better protect yourself is to proactively harden your account with your cell phone provider. Call their customer support line and ask what additional steps are available so that, even if someone has all of your information, another piece of information is still needed before a request is accepted as authentic. Ask them if they allow an additional security question or PIN code options for any changes to the account. Another step would be to avoid using your personal cell phone number for all your accounts. There are services, such as Google Voice, that allow you to use other phone numbers. Use alternate numbers provided through these options for your online accounts, so they aren’t directly tied to your phone’s SIM card.
If you do end up the victim of a SIM-jacking attack and your phone is cut off or you are contacted by the perpetrator directly, not all is lost. The outcome of the pickle in which you find yourself really depends on where you are and the time of day. The first thing to do would be to contact your cell phone carrier right away. If they offer 24/7 customer support you should be able to quickly explain the problem and learn whether or not the attacker made additional account changes that might prevent you from regaining control. It will likely take the attacker a good deal of time to go from assuming control of your phone to taking over email and social media accounts. You should try to log into your accounts from a computer in the meantime to maintain control. If you’re unable to log into your email account or any other account for that matter, then you’d have to reach out to that provider’s support for further options.
Typically, your email is associated with many service accounts, so getting your email account back into a secured state should prevent the attacker from using the “Forgot Password” option for your other accounts. From there, reach out to other providers and refer to your old email address or phone number that was used during the creation of said account. Ask them to update it to your new information and hope for the best.
As you can tell, SIM-jacking attacks shouldn’t be taken lightly, and they can ultimately cost you a lot of time and money. The best way to avoid falling victim to them is to proactively secure your cell phone account with the most stringent security settings offered by your carrier, and to maintain proper security hygiene across all of your online accounts in general. A good starting point would be to audit your security posture across your entire digital life and identify where you need to improve. Set strong, unique passwords for each respective account, enable multi-factor authentication wherever possible, be on your guard for suspicious emails and phone calls that could be phishing attempts, and avoid sharing too many personal details on social media. While SIM-jacking is an emerging and formidable threat, it’s just one example of the many types of online attacks you can prevent using these security best practices.