SIM Swaps

SIM SWAPS

A SIM swap is Identity Theft in which bad guys steal your mobile phone number and get it assigned to one of their phones. They do this because a phone number is often used to prove identity, especially with forgotten passwords. Other terms for this are SIM hijacking, SIM jacking, SIM porting, phone porting, port out fraud and a port-out scam.

First signs: A few people have noted that the first sign of trouble was no cell reception on their phone. For one person, the first hint of trouble was a text message from T-Mobile about a call to them that he did not make. In this case, the first warning was two alerts from Verizon that both contained authorization codes - the kind of security measure they take when you make changes to your account. There was also a receipt from Verizon for $0 and a message thanking me for activating my new device. Then, no cell service.
First thing to do: If you lose cell service call your cell company immediately.
AT&T: 800-331-0500
T-Mobile: 800-937-8997
Verizon: 800-922-0204
Verizon customers can also call *611 from the de-activated phone.
Background: FBI warns of surge in SIM-swapping attacks - how to protect yourself by Paul Wagenseil (October 19, 2022). A good article on the topic.
Defense: A phone number from TextNow is a safer way to use a phone number for 2FA. For more see the Phone Number Hiding topic. This is my idea, I have not seen anyone else suggest it.
Defense: Have the customer service number(s) for your cell company saved on your phone. Also save other information that could prove your identity to the cell company such as the credit card used to pay the bill, the date the account was opened, etc. And, save everything you need to logon to their website.
Defense: To defend against SIM swaps, you can create a security code with your cellphone provider. This code needs to be provided over the phone, or in person at a store, before account changes are made. T-Mobile sometimes calls it an Account PIN, sometimes they call it a Port Validation feature (see Protect against phone number port-out scams). Verizon calls it both an Account PIN and a Billing Password. AT&T calls it a Security Passcode. How to Protect Yourself Against a SIM Swap Attack by Brian Barrett in Wired (Aug. 2018) has details on how to setup the extra PIN code for each cellphone company.
AT&T DEFENSES
1. AT&T has a free security feature for wireless customers called "Wireless Account Lock" that disables 12 types of account changes.
  See Learn about Wireless Account Lock Last updated: July 30, 2024.
  The myAT&T app is the only way to enable/disable this feature. This is what gets disabled:
  - Device changes: Device upgrades, SIM and eSIM swaps and changes, IMEI changes
  - Line changes: Phone number changes, Transferring number to or from another wireless carrier
  - Account and billing changes: Adding or removing wireless lines, Changes to authorized users, Changes to billing info (account number, contact name, address, email, or billing responsibility)
2. They also have a passcode and Extra Security to enforce the use of the passcode.
  See Learn about account passcodes Last updated: November 20, 2024
  "Every account has a passcode. With wireless accounts, you can use it when you sign in as an extra layer of security. " It sounds pretty lame. To begin with, it is "usually" four digits. The actual rules? They don't say. And, you "may" need it when calling Customer Care. When is it required and when is it not? They don't say.
T-MOBILE DEFENSES
- The T-Mobile Privacy Center
- Account Takeover Protection from T-Mobile is a free service that aims to protect unauthorized phone number ports.
- Online safety and cybersecurity from T-Mobile is an index to many articles on the subjects.
- The Scam Shield app from T-Mobile claims to use advanced scam-blocking technologies. Manage anti-scam features in the free app and take more control when you pay for premium features.
- Help with scams, spam, and fraud from T-Mobile. Undated.
- Update your Customer PIN/Passcode from T-Mobile. Undated.
- T-Mobile Has a Secret Setting to Protect Your Account From Hackers That It Refuses to Talk About by Lorenzo Franceschi-Bicchierai for Vice (Sept 2019). A feature called NOPORT requires customers to physically come to a store and present a photo ID in order to request their number to be ported out to a different carrier or a new SIM card. This is separate and distinct from their Port Validation.
  February 28, 2023: From reader comments to a Brian Krebs story a bout T-Mobile hacking (on the Cellphone Companies page). You should be able to call T-Mobile and ask them to enable NO PORT on your number. Or, in the T-Mobile account settings, go to Privacy, then SIM lock.
VERIZON DEFENSES
1. A feature called Number Lock was introduced in June 2020. How to protect your Verizon number from SIM swapping attacks by Sergiu Gatlan of Bleeping Computer (July 10, 2020). Number Lock protection is free and it can be configured with either the My Verizon app or the My Verizon website. When activated, the phone number can not be ported to another line/carrier or swapped to another SIM. If you later get a new phone, you will first have to disable the Number Lock. From Verizon: Stop scams; talk tech with experts; call for help: 4 ways Verizon customers win (June 2020) discusses Number Lock and the Number Transfer PIN.
2. Call *611 and ask for a Port Freeze on your account (advice from CNet). Their website offers Two Factor Authentication which they also call Enhanced authentication. But it is only SMS. And even when its off, it is on (personal experience). I tried to turn it on (Jan 2020) and it broke the Verizon wireless website.
3. Verizon Documentation: Verizon mobile Account PIN FAQs
4. Verizon Documentation: SIM Swapping. On this page there is a section on protecting against SIM swaps. In part it says: Be suspicious of unsolicited texts, e-mails, and calls, especially those urging you to act immediately and provide personal details. Verizon will never contact you to request any password, PIN, social security number, or payment information. If you receive a suspicious text message claiming to be from Verizon, please forward it to us right away at S-P-A-M (7726), then delete it.
Defense: How to Stop Your Mobile Number from Being Hijacked by Paul Wagenseil (March 2018). Most victims seem to use T-Mobile.
Defense: The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You by CipherBlade and MyCrypto (June 2019). Extremely long article that has not been updated (for the most part).
Defense: a company called Efani (www.efani.com) is focused on resisting SIM swaps. In fact, that is their business. They sub-contract with a cellular company (they do not say which one) and provide cell service with many protections against SIM swaps. Unlimited calls/text/data is $100/month (as of July 2022) or $1,000/year. There are very few reviews of the service.
Poor defense: The PIN code defense is far from perfect. Brian Krebs wrote (Nov. 2018) that there is no defense against malicious employees of the cellphone company. He also wrote about lazy employees who ignore the system. Matthew Miller had his T-Mobile phone number stolen from him twice, despite having a PIN code on file. He writes that T-Mobile has two PIN codes, one for when you call into customer service, and another port validation PIN (6 -15 digits). After reading his story, you might want to avoid T-Mobile entirely. Then too, the TrickBot malware is known to modify the signon page for cellphone companies to steal these pin codes. (Secureworks Aug. 2019)
Defense: If you use either AT&T or T-Mobile, and your PIN(s) were set prior to August 2018, change the PIN(s). In August 2018 were learned that T-Mobile was hacked and bad guys stole their customer billing information. In the same month, we learned that both AT&T and T-Mobile had their customer PINS exposed to the world.
Defense: Use a land line for two factor authentication rather than a cellphone number, if possible. Rather than a text, the company calls you and speaks the temporary code. Apple supports this. A similar option, championed by Lorenzo Franceschi-Bicchierai (July 2018) is a Google Voice phone number.
The FBI says that victims of SIM swapping attacks should change all their passwords and contact their financial institution. Then, inform their local law enforcement agency. Victims are also encouraged to file a complaint with the FBI at ic3.gov.
MetroPCS customers can take one of two defensive steps against a sim swap attack made far too easy by poor security at MetroPCS. April 2019
Defense: In Nov. 2018, Joseph Cox of Vice, suggested dedicating an iPod Touch to using Signal for secure phone calls. It's Wi-Fi only, and you can add a VPN for still more security. See How to Use an iPod Touch as a Secure Device Instead of a Phone.
Immediately Afterwards: check that you still have access to your most important accounts. Email, bank, credit cards, etc.
Afterwards: The US Federal Trade Commission runs identitytheft.gov where you can both report the identity theft and learn how to recover from it.
Defending email from password resets: ProtonMail can block all password resets. In the web interface, click Settings and there is an option to "Allow password reset". Tutanota does not allow two factor authorization with text messages, they only support the stronger options: Time Based Onetime Passwords (TOTP) and physical keys like Yubikey. In the Email section, I discuss using multiple email addresses. This avoids having too many eggs in any one basket, should an email account get hacked. Consider that email may well be important enough to pay for, if for no other reason than to get tech support when things go bad. I suggest ProtonMail, Mailbox.org or Tutanota.
Background: Much of the world has fixed this problem, but the US remains vulnerable. Why Phone Numbers Stink As Identity Proof by Brian Krebs (March 2019). Wave of SIM swapping attacks hit US cryptocurrency users by Catalin Cimpanu for ZDNet (June 2019).
Lawsuits: AT&T Faces New $1.8 Million Lawsuit Over Sim Hijacking Attack by Karl Bode (Oct 2019). This is just the latest in a series of lawsuits attempting to hold cellphone carriers accountable. A subscriber had both his identity and life savings stolen via SIM swap. A different subscriber sued AT&T last year for $220 million. T-Mobile was also sued last year.
Maybe things will get better: FCC adopts new rules to protect against SIM-swapping attacks by Sergiu Gatlan for Bleeping Computer. November 18, 2023
Things are bad: Lawmakers Prod FCC to Act on SIM Swapping (Brian Krebs Jan 2020). The Republican FCC protects the cell companies, not consumers. Some Democrats in Congress are mad. Other countries protect consumers.
Things are bad: A study by researchers at Princeton University: An Empirical Study of Wireless Carrier Authentication for SIM Swaps (Jan 2020). Quoting: "We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap. We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers." See also a Twitter thread by Arvind Narayanan.
Things will only get worse: Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers by Joseph Cox (Jan 2020). Bad guys are using RDP to directly access the internal systems of T-Mobile, AT&T and Sprint to do their own SIM swaps. Bribing employees is so last year.
ARTICLES ABOUT ACTUAL SIM SWAP ATTACKS
- How SIM Swappers Straight-Up Rob T-Mobile Stores by Joseph Cox for 404 Media. November 10, 2023. The article is about how bad guys in a T-Mobile store would steal the tablets used by T-Mobile employees so that they could take over the phone number of T-Mobile customers. T-Mobile claims to have tightened their security so that thefts like this are no longer the security risk they used to be.
- August 25, 2023: Kroll Employee SIM-Swapped for Crypto Investor Data by Brian Krebs. Quoting: "Security consulting giant Kroll disclosed today that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms that are relying on Kroll services in their ongoing bankruptcy proceedings ... T-Mobile, without any authority from or contact with Kroll or its employees, transferred that employee's phone number to the threat actor's phone at their request ... T-Mobile has not yet responded to requests for comment ... Kroll did not respond to questions." This looks bad for both T-Mobile (not the first time) and Kroll. Translation: threat actor means bad guy.
- April 6, 2023: Riley Reid's Twitter Hacked and Posting Extremely Racist Things for Days to 2 Million Followers by Emanuel Maiberg for Vice. "One of the biggest pornstars in the world has been hacked to spread hateful content and Twitter hasn’t done anything about it for days." The headline is misleading, the actual attack was SIM Swapping.
- April 2, 2023: My phone, my credit card, my hacker, and me by Avery Hartmans for Business Insider. This is scary as there is no defense for the first part - US Postal employees stole a credit card from the mail. Then, someone SIM swapped the victim so that when suspicious charges were made on the credit card, the warnings could be approved by the bad guys. Also scary is the lousy way Verizon, Chase and the police dealt with this.
- Vice has a collection of their SIM Swapping articles
- August 2019: How Twitter CEO Jack Dorsey's Account Was Hacked in Wired. A SIM swap gave the bad guys access to his phone number. Then, they sent texts to his Twitter account, which appeared as Tweets, without needing to know his Twitter password.
- June 2019: SIM swap horror story: I've lost decades of data and Google won't lift a finger By Matthew Miller of ZDNet. This should convince people to take defensive steps. After getting control of his phone number, bad guys used it change the password on his Google and Twitter accounts and used his bank account to buy $25,000 of Bitcoin.
Big picture. As a rule, adding two factor authentication (2FA) makes an account more secure. But, in mid-2019 a couple techies wrote about being victimized by SIM swaps (articles are linked above), which, in turn, made it possible for bad guys to change many of their passwords. In these cases, the use of 2FA made them vulnerable. For more on the pros/cons of 2FA see the Two Factor Authentication section.
See Also: The page about Cellphone Companies.
What to expect: In June 2019, I tried to add Extra Security to an AT&T mobile phone number. The web page explaining exactly what this does was broken, so I don't know what it really does. Also, the system is poorly designed. When I first signed in to the AT&T website it sent a text with a one-time code to the phone. Had I been a victim of SIM swapping, this would have locked me out of the website. Dealing with AT&T is hard, you need to keep track of a userid (for which there are two definitions) a password, an Access ID (beats me), an email address, a security passcode and two security questions. When I got in to the website, it forced me to pick two new security questions even though I had already set this up long ago. Why? It didn't say. To add the mythical Extra Security: click on your first name is the top menu bar (on the right), then Profile, then Sign-in Info. Perhaps chose a particular phone number. Then, click on Manage Extra Security in the Wireless passcode section. Then turn on the checkbox for Add Extra Security to my account. Then enter your passcode. Whew.
What to expect: In July 2019, I changed the passcode on an AT&T mobile phone number. The process starts by logging in to www.att.com/wireless/ which includes entering a code sent to the phone via a text message. Then, click on the account holder's first name in the upper right corner -> Profile -> Big box for SignIn Info -> click on the "Get a new passcode" link -> enter the last 4 digits of the social security number and the zip code -> then get a text message with another temporary code -> enter this code -> then, finally enter the new passcode. What is a valid passcode? They don't say. Must it be numeric? How long can it be? None of your business. At the end, you get another text message that the code was changed.