A Defensive Computing Checklist
by Michael Horowitz
A SIM swap is Identity Theft in which bad guys steal your mobile phone number and get it assigned to one of their phones. They do this because a phone number is often used to prove identity, with forgotten passwords. Other terms for this are SIM hijacking, SIM jacking, SIM porting, phone porting, port out fraud and a port-out scam.
- First signs: A few people have noted that the first sign of trouble was no cell reception on their phone. For one person, the first hint of trouble was a text message from T-Mobile about a call to them that he did not make.
- First thing to do: If you lose cell service call your cell company immediately.
- Defense: A phone number from TextNow is a safer way to use a phone number for 2FA. For more see the Phone Number Hiding topic.
This is my idea, I have not seen anyone else suggest it.
- Defense: Have the customer service number(s) for your cell company saved on your phone. Also save other information that could prove your identity to the cell company such as the credit card used to pay the bill, the date the account was opened, etc. And, save everything you need to logon to their website.
- Defense: To defend against SIM swaps, you can create a security code with your cellphone provider. This code needs to be provided over the phone, or in person at a store, before account changes are made. T-Mobile sometimes calls it an Account PIN, sometimes they call it a Port Validation feature (see Protect against phone number port-out scams).
Verizon calls it both an Account PIN and a Billing Password. AT&T calls it a Security Passcode.
How to Protect Yourself Against a SIM Swap Attack by Brian Barrett in Wired (Aug. 2018) has details on how to setup the extra PIN code for each cellphone company.
- AT&T Defense: AT&T has two defenses: both a passcode and Extra Security to enforce the use of the passcode. See Manage extra security for your wireless account.
- T-Mobile Defense: Account Takeover Protection is a free service from T-Mobile
- T-Mobile Defense: Update your Customer PIN/Passcode
- T-Mobile Defense: The company was hacked in August 2021. Anyone will a T-Mobile account, should have set a new PIN after this data breach.
- T-Mobile Defense: T-Mobile Has a Secret Setting to Protect Your Account From Hackers That It Refuses to Talk About by Lorenzo Franceschi-Bicchierai for Vice (Sept 2019). A feature called NOPORT requires customers to physically come to a store and present a photo ID in order to request their number to be ported out to a different carrier or a new SIM card. This is separate and distinct from their Port Validation.
- Verizon Defense: Call *611 and ask for a Port Freeze on your account (advice from CNet). Their website offers Two Factor Authentication which they also call Enhanced authentication. But it is only SMS. And even when its off, it is on (personal experience). I tried to turn it on (Jan 2020) and it broke the Verizon wireless website.
- Verizon Defense Documentation: Verizon mobile Account PIN FAQs from Verizon
- Defense: How to Stop Your Mobile Number from Being Hijacked by
Paul Wagenseil (March 2018). Most victims seem to use T-Mobile.
- Defense: The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You by CipherBlade and MyCrypto (June 2019). Extremely long article that has not been updated (for the most part).
- Defense: a company called Efani (www.efani.com) is focused on resisting SIM swaps. In fact, that is their business. They sub-contract with a cellular company (they do not say which one) and provide cell service with many protections against SIM swaps. Unlimited calls/text/data is $100/month (as of July 2022) or $1,000/year. There are very few reviews of the service.
- Poor defense: The PIN code defense is far from perfect. Brian Krebs wrote (Nov. 2018) that there is no defense against malicious employees of the cellphone company. He also wrote about lazy employees who ignore the system. Matthew Miller had his T-Mobile phone number stolen from him twice, despite having a PIN code on file.
He writes that T-Mobile has two PIN codes, one for when you call into customer service, and another port validation PIN (6 -15 digits). After reading his story, you might want to avoid T-Mobile entirely. Then too, the TrickBot malware is known to modify the signon page for cellphone companies to steal these pin codes.
(Secureworks Aug. 2019)
- Defense: If you use either AT&T or T-Mobile, and your PIN(s) were set prior to August 2018, change the PIN(s). In August 2018 were learned that T-Mobile was hacked and bad guys stole their customer billing information. In the same month, we learned that both AT&T and T-Mobile had their customer PINS exposed to the world.
- Defense: Use a land line for two factor authentication rather than a cellphone number, if possible. Rather than a text, the company calls you and speaks the temporary code. Apple supports this. A similar option, championed by Lorenzo Franceschi-Bicchierai (July 2018) is a Google Voice phone number.
- MetroPCS customers can take one of two defensive steps against a sim swap attack made far too easy by poor security at MetroPCS. April 2019
- Defense: In Nov. 2018, Joseph Cox of Vice, suggested dedicating an iPod Touch to using Signal for secure phone calls. It's Wi-Fi only, and you can add a VPN for still more security. See
How to Use an iPod Touch as a Secure Device Instead of a Phone.
- Immediately Afterwards: check that you still have access to your most important accounts. Email, bank, credit cards, etc.
- Afterwards: The US Federal Trade Commission runs identitytheft.gov where you can both report the identity theft and learn how to recover from it.
- Defending email from password resets: ProtonMail can block all password resets. In the web interface, click Settings and there is an option to "Allow password reset". Tutanota does not allow two factor authorization with text messages, they only support the stronger options: Time Based Onetime Passwords (TOTP) and physical keys like Yubikey. In the Email section, I discuss using multiple email addresses. This avoids having too many eggs in any one basket, should an email account get hacked. Consider that email may well be important enough to pay for, if for no other reason than to get tech support when things go bad. I suggest ProtonMail, Mailbox.org or Tutanota.
- Background: Much of the world has fixed this problem, but the US remains vulnerable.
Why Phone Numbers Stink As Identity Proof by Brian Krebs (March 2019). Wave of SIM swapping attacks hit US cryptocurrency users by Catalin Cimpanu for ZDNet (June 2019).
- Lawsuits: AT&T Faces New $1.8 Million Lawsuit Over Sim Hijacking Attack by Karl Bode (Oct 2019). This is just the latest in a series of lawsuits attempting to hold cellphone carriers accountable. A subscriber had both his identity and life savings stolen via SIM swap. A different subscriber sued AT&T last year for $220 million. T-Mobile was also sued last year.
- Things are bad: Lawmakers Prod FCC to Act on SIM Swapping (Brian Krebs Jan 2020). The Republican FCC protects the cell companies, not consumers. Some Democrats in Congress are mad. Other countries protect consumers.
- Things are bad: A study by researchers at Princeton University: An Empirical Study of Wireless Carrier Authentication for SIM Swaps (Jan 2020). Quoting: "We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap. We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers." See also a Twitter thread by Arvind Narayanan.
- Things will only get worse: Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers by Joseph Cox (Jan 2020). Bad guys are using RDP to directly access the internal systems of T-Mobile, AT&T and Sprint to do their own SIM swaps. Bribing employees is so last year.
- One guys story: SIM swap horror story: I've lost decades of data and Google won't lift a finger By Matthew Miller of ZDNet (June 2019). This should convince people to take defensive steps. After getting control of his phone number, bad guys used it change the password on his Google and Twitter accounts and used his bank account to buy $25,000 of Bitcoin.
- Another guys story: How Twitter CEO Jack Dorsey's Account Was Hacked (Wired Aug. 2019) A SIM swap gave the bad guys access to his phone number. Then, they sent texts to his Twitter account, which appeared as Tweets, without needing to know his Twitter password.
- Big picture. As a rule, adding two factor authentication (2FA) makes an account more secure. But, in mid-2019 a couple techies wrote about being victimized by SIM swaps (articles are linked above), which, in turn, made it possible for bad guys to change many of their passwords. In these cases, the use of 2FA made them vulnerable. For more on the pros/cons of 2FA see the Two Factor Authentication section.
- What to expect: In June 2019, I tried to add Extra Security to an AT&T mobile phone number. The web page explaining exactly what this does was broken, so I don't know what it really does. Also, the system is poorly designed. When I first signed in to the AT&T website it sent a text with a one-time code to the phone. Had I been a victim of SIM swapping, this would have locked me out of the website. Dealing with AT&T is hard, you need to keep track of a userid (for which there are two definitions) a password, an Access ID (beats me), an email address, a security passcode and two security questions. When I got in to the website, it forced me to pick two new security questions even though I had already set this up long ago. Why? It didn't say. To add the mythical Extra Security: click on your first name is the top menu bar (on the right), then Profile, then Sign-in Info. Perhaps chose a particular phone number. Then, click on Manage Extra Security in the Wireless passcode section. Then turn on the checkbox for Add Extra Security to my account. Then enter your passcode. Whew.
- What to expect: In July 2019, I changed the passcode on an AT&T mobile phone number. The process starts by logging in to www.att.com/wireless/ which includes entering a code sent to the phone via a text message. Then, click on the account holder's first name in the upper right corner -> Profile -> Big box for SignIn Info -> click on the "Get a new passcode" link -> enter the last 4 digits of the social security number and the zip code -> then get a text message with another temporary code -> enter this code -> then, finally enter the new passcode. What is a valid passcode? They don't say. Must it be numeric? How long can it be? None of your business. At the end, you get another text message that the code was changed.
| This page: 4 views per day (over 18 days) Total views: 63 Created: September 9, 2022|
Copyright 2019 - 2022