Toronto Star

Simple phone hack huge threat to online security

Social media, financial accounts, email at risk in ‘SIM swapping’

- NATHANIEL POPPER

SAN FRANCISCO— When hackers took over the Twitter account of Twitter’s chief executive, Jack Dorsey, last week, they used an increasingly common and hard-to-stop technique that could have given them complete access to his digital activities, including social media, email and financial accounts.

Called SIM swapping, it allows hackers to take control of a victim’s phone number. In recent months, SIM swapping has been used to hijack the online personas of politicians, celebrities and notables like Dorsey, to steal money all over the world and harass regular people.

“I’ve been looking at the criminal underground for a long time, and SIM swapping bothers me more than anything I’ve seen,” said Allison Nixon, director of research at security firm Flashpoint.

“It requires no skill, and there is literally nothing the average person can do to stop it.”

How a SIM swap works

Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control.

The number is switched from a tiny plastic SIM card, or subscriber identity module, in the target’s phone to a SIM card in another device.

Sometimes hackers get phone numbers by calling a customer help line for a phone carrier and pretending to be the intended victim. In other recent incidents, hacking crews have paid off phone company employees to do the switches for them, often for as little as $100 (U.S.) for each phone number.

Once the hackers have control of the phone number, they ask companies like Twitter and Google to send a temporary login code, via text message, to the victim’s phone.

Most major online services are willing to send those messages to help users who have lost their passwords. But the temporary code is sent to the hackers.

Phone companies have been aware of the problem for years, but the only routine solution they have come up with is offering PIN codes that a phone owner must provide in order to switch devices.

Even this measure has proved ineffective. Hackers can get the PIN codes by bribing phone company employees.

“It just doesn’t seem like the AT&Ts of the world are really doing anything to make it more difficult,” said Erin West, a deputy district attorney in California’s Santa Clara County who is a member of a law enforcement task force focusing on the problem.

No American authorities are keeping statistics on the frequency of the attacks.

But West and others who are tracking cases said they have become more frequent over the last year.

“Account takeover fraud is an industrywide problem,” said Paula Jacinto, a spokeswoman for T-Mobile.

“We use a number of safeguards to help protect against this crime and offer customers a variety of options to help them protect their own information.”

Who has been hit?

It is difficult to ascertain how many mobile phone users have been hit by a SIM swap. But people around the world, from Kenya to Hollywood, have complained about it.

In recent weeks, the most prominent targets have been celebrities like Dorsey, actress Jessica Alba and online personalities like Shane Dawson and Amanda Cerny (her second time). The hackers used the accounts to post offensive messages to millions of followers. They also gained access to private communications.

T-Mobile said it would not comment on specific customers.

Victims have complained that after the attacks, they have struggled to get help from their phone companies or to even get someone on the line at a phone company who understood the problem.

When recording artist King Bach lost and then regained control of his phone number in late August, he posted an angry video on Twitter in which he said he had spent hours on the phone with AT&T.

“The customer service is trash,” he said. “I couldn’t get no help.”

AT&T did not respond to numerous requests for comment.

From pranks to theft

SIM swapping became popular in the hacking community years ago. Attackers were mostly interested in taking control of rare or iconic social media account names, like a Twitter or Instagram account with just one name.

But hackers soon realized they could gain access to more than social media accounts.

In 2016, SIM-swapping gangs started targeting cryptocurrency holders.

Over the last year, law enforcement officials have arrested some of the gangs stealing cryptocurrency. For the first time, a hacker was sent to jail and is serving a 10-year sentence.

In Africa, gangs have used SIM swapping to target financial accounts tied to mobile phone providers, like the popular MPesa service in Kenya.

South African officials said there were over 11,000 incidents there last year, triple that of the year before.

Security experts have recommended that companies stop using phone numbers to help customers recover accounts.

“This is a technology problem because we are using a very old technology that is not designed to be secure to send secure codes,” said Fabio Assolini, a security researcher at Kaspersky Lab, who lost his own phone number in a SIM-swapping attack last year.

PRAKASH SINGH AFP/GETTY IMAGES: Hackers took over Twitter’s chief executive Jack Dorsey’s own Twitter account by SIM swapping, and posted offensive content.
