Sim Swapping Hack

In our last articles (here, for example), we mentioned double authentication and a reader of the blog (thanks to him!), asked us more information about Sim Swapping. Indeed, we hadn’t discussed yet what SIM Swapping is, how to prevent it, and the alternative solutions.

What’s a Sim swapping scam?

As you know, your phone number has become a way for many companies to confirm your identity (social networks, bank…). Basing the identification of accounts on a phone number makes a lot of sense, mainly because a phone number is something you can quickly and cheaply acquire in many countries, and it guarantees the user a satisfactory way to confirm his identity.

But in some countries, getting a phone number is not an easy process and may involve proving not only your identity but also your address.

Getting an “anonymous” SIM card, or using a misregistered card, is overlooked as it is a criminal offense in some jurisdictions. Just saying 🙄

Sim Swap Scam

A SIM card exchange scam - also known as SIM card splitting, SIM card hijacking, SIM card hacking - is a fraud that occurs when scammers take advantage of a weakness in two-factor authentication and verification, where the second step is a text message (SMS) or a call to your mobile phone number.

In a successful SIM swap scam, cybercriminals could hijack your cell phone number and use it to gain access to your sensitive personal data and accounts.

How Sim Swapping Works?

  • Calling our telecom operator

SIM hacking consists of pretending to be the victim with his mobile phone operator to recover the use of his phone number.

Once the number has been transferred to the SIM card, the hacker can easily defeat two-factor authentication systems on different platforms, which require users to validate their identity with a series of digits sent by SMS.

The problem is that when you call the company and pretend to be someone else, the checks are minimal and inadequate. Often, security issues are easily found on social networks or through social engineering (psychological manipulation for scamming purposes). These are not very confidential things. Hackers can also find the personal information needed to defeat security through phishing emails, malicious software, or possession of stolen or leaked data.

  • Bribing an employee of the telecom operator

It is a more original technique, but all methods to achieve this are good! To ensure 100% success, some hackers go further: they bribe telecom employees. The employee, an accomplice, will carry out the SIM exchange with complete discretion. The American site Vice mentions amounts between 500 and 1,000 dollars per number. The NewYork Time website reports that the investment can be in the order of a hundred dollars.

  • Hack the telecom provider

As in the French novel ‘Le Bossu’ (The Hunchback): Si tu ne viens pas à Lagardère, Lagardère ira à toi! (“If you don’t come to Lagardère, Lagardère will come to you!")

The technique is more elaborate. It consists of hacking the telephone operator directly to get the necessary information from the source. Especially at the moment, during the COVID period, employees are often teleworking, and this is a favorable window for this kind of hack. Hackers can hijack remote desktop software to take control of the computer, for example, and thus perform SIM swapping themselves.

Sim Swapping vs. Twitter’s CEO.

Do you think that as Twitter’s CEO, you are well protected from this type of attack?

And yet, Mr. Dorsey’s Twitter account was hacked when fraudsters took control of his phone number - and then tweeted offensive messages during the 15 minutes it took to regain control of his account.

How did the hackers get access to his phone number? They managed to convince Dorsey’s phone operator to exchange mainly SIM cards, by assigning Dorsey’s phone number to their SIM card and phone. They then used Cloudhopper’s text-to-tweet service for Twitter.

An error occurred while retrieving the Tweet. It might have been deleted.

This type of hacking is more and more known, although telecom operators remain very vulnerable. Although the Sim Swap attack is well known, the impact is less well known.

How To Protect Against Sim Swapping.

We are at the mercy of the authentication systems of the telephone operators and platforms we use, but several precautions can be taken to prevent this:

  • Online activity: Be aware of links you click on and phishing emails.
  • Account security: Have a strong password that is difficult to guess (long, different kinds of characters, etc.). Use different passwords on each of your accounts. Make sure your secret questions are hard to guess.
  • Use alternative methods of 2FA, such as Yubikeys or mobile identification applications (we are going to publish a dedicated blog post on 2FA).
  • Operator password: If your mobile operator offers you the possibility to create an account password, do so.
  • Phone number: Avoid using your phone number as an identifier or authentication measure for your online accounts.
  • Keep your personal information private: Don’t post like your date of birth on social networks and don’t share other personal information online.

Berty: A Messaging App That Doesn’t Require Your Phone Number.

At Berty’s, we’re building tomorrow’s messaging application. The one that will protect you, the one that will respect your privacy and anonymity.

When we thought about creating Berty, we didn’t want there to be a phone number needed to sign up. We want you to be as confidential as possible (and therefore free) when you communicate.

…and there’s no need to worry about Sim Swapping!

  • Thank you for reading this article. If you liked it, please let us know in the comment section below. It means a lot!
An error occurred while retrieving the Tweet. It might have been deleted.