“Unfortunately, this is definitely a situation where government regulation needs to step in,” says Allison Nixon, chief research officer with cyber intelligence firm Unit221B, “because private companies have utterly failed to deal with this problem themselves.” Twitter CEO Jack Dorsey was famously SIM swapped in 2019. Both AT&T and T-Mobile were embroiled in lawsuits that accused them of failing to protect their customers from this kind of attack. One cryptocurrency investor even sued a high school senior for allegedly stealing $23.8 million of cryptocurrency from him via SIM swap. Here’s what you need to know about this increasingly common form of hacking and what the FCC is doing to stop it.
What is SIM swapping?
SIM swapping refers to a type of fraud where attackers take over your phone number and use it to authenticate accounts that you own, says Nixon. If you have two-factor authentication on, you will usually get a verification code sent to your phone in order to get into your accounts. That authentication process is the reason most hackers will SIM swap, because it’s an easy way to get into people’s email and bank accounts once they have the phone number. For example, if you’ve ever logged onto an account and then received a confirmation code via text message to your phone, then you’ve experienced the moment that the hackers exploit. “SIM swapping attacks have increased dramatically in the last year in different countries, not only in the United States, but also in Canada and in Europe,” says Benjamin Fung, a professor in the School of Information Studies at McGill University. He notes that the practice inspires a lot of copycats, because the attack does not require much time or technical skill and can yield lucrative access to bank account logins.
How does SIM swapping work?
There are a few different ways hackers can do this. A hacker can call up your cell phone carrier, pretend to be you, say that they got a new phone and then ask the carrier to switch the number to their phone. Or they can call up a different carrier, say they want to switch from Verizon to AT&T, for example, and get the number put on a new AT&T phone. Another method involves malware installed on a carrier’s network, and then using the malware to control employee accounts, in order to just force the changes through that they want. They can also bribe, extort or blackmail employees at phone carriers in order to get access to the numbers they want. “All the victim will see is that their cell phone stops receiving service, because the carrier is giving service to a different phone at this point,” says Nixon. “It’ll look as if you didn’t pay your bill and you got cut off.” The victim will then have to stand by and watch their passwords getting reset on their accounts until they are locked out of all or most of them.
How can people protect themselves?
There is very little people can do to protect themselves against this. “The problem is that the way people identify themselves over the internet is broken,” says Nixon. “To a website, you as a person are nothing more than your phone. If someone else is able to steal your phone number then they’re effectively you.” Nixon, who’s been working with people who have been SIM swapped for years, says she’s seen situations where the fraudster was better at proving their stolen digital identity than the victim was at verifying themselves. Her victims were often people who took every suggested digital precaution and were still permanently locked out of their accounts. “The foundation that we built the internet on has some cracks, and the foundation itself needs to be repaired,” she says. When Nixon deals with her high-end clients, she tells them to assume the phone system is compromised and that any kind of two-factor authentication that involves using a phone number for verification is suspect. Using a Yubikey, a physical key where you have to press a button while logging in, is safe, as is using an authenticator app like Authy that generates a number you put in, or a barcode to scan, while logging in.
Why aren’t the phone companies fixing this?
If you walk into a phone store with $1,000, and tell them you forgot your login but want to buy a phone, the phone company will likely figure out a way for you to access your account because they want the business, says Nixon. That’s a way of thinking that is at odds with account security. “The problem is that these accounts are so easy to take over, because these phone companies want to sell phones and service plans,” says Nixon. “If these companies secured these accounts, it would make it more difficult for the average consumer to buy a phone.” Fixing the problem would involve making customer accounts more secure, which would make customer acquisition more expensive for phone companies. “Unless we see the government forcing companies to fix this, it’s not going to get fixed,” says Nixon.
How is the FCC addressing this?
The FCC’s proposed regulations will require phone carriers to authenticate people’s identity before transferring their number to a new phone. People can verify their identity by offering a pre-established password or getting a one-time password sent via text message, email or phone call. Carriers will also have to immediately notify people if a SIM change request is made on their account. Right now, that change occurs instantaneously, with zero warning and no opportunity for people to protest or reverse the change. Providers will not be able to SIM swap phones if customers cannot authenticate their accounts via these methods. Phone carriers will also have to give customers a “port-freeze” option on their accounts that does not allow for any SIM swapping. “This will eliminate a good number of SIM swap cases,” says Fung. “Whether it will completely eliminate this type of cyber attack may not be the case, but this move is better than nothing.” Phone providers have not voiced their displeasure yet at these new requirements, even though US Telecom has issued statements about other aspects of the FCC proposal. “Everybody is pretty much in agreement that SIM swappers suck,” says Nixon. “Maybe some lobbying group will try to fight this proposal because it’s going to increase costs for the providers. But you know what? The victims right now are experiencing costs. And no one’s lobbying for them.”