Experts have warned consumers to be on guard against “SIM swapping,” in which hackers move a victim’s phone number onto a mobile device that they control.
‘SIM swapping’ is in the spotlight following the recent hack of Twitter CEO Jack Dorsey’s account on his own platform. Last week, several offensive tweets were briefly posted to the account before being deleted. Twitter confirmed that the account was compromised and launched an investigation.
"The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved," the company tweeted on Aug. 30.
“SIM swap fraud is one of the fastest [growing] forms of fraud across the world, as it’s low risk with potentially very high reward,” warns JT, a telecoms company based in the British Channel Islands.
JT explains that SIM swapping was created so that users can easily move their phone number to a new SIM card. “This is helpful in cases where consumers are upgrading to a new phone or replacing a damaged or lost SIM card,” it said, in a blog post published in the wake of the Dorsey hack. “Because this is a data sensitive process, consumers are required to contact their provider, answer questions, and provide account information that verifies their identity before the provider will authorize the SIM swap.”
The process, however, provides a golden opportunity for hackers. The New York Times reports that hackers have been known to call a phone carrier’s customer helpline and obtain control of a phone number by pretending to be the intended victim. They then ask the likes of Google or Twitter to send a temporary login code to the phone, which they can now read, according to the Times.
“With access to one of these primary accounts and a person’s phone number, the hacker can fairly easily get into the rest of the victim’s online accounts,” explained JT in its blog post. “All they have to do is go through the password-reset process for the accounts they want to hack into, follow links, and copy verification codes. Once they’ve done this, they’ll have direct access into an account that is tied to the victim’s finances — generally a bank account.”
Ashlee Benge, a threat researcher at cybersecurity company ZeroFox, warned that information such as phone numbers is prized on shadowy “takeover forums” used by hackers. “Whether these attacks are conducted to take over an account and drain associated bank accounts or bitcoin wallets, or as a publicity stunt, it's important to protect yourself against these types of cybercriminals.”
Benge recommends that users enable the option to be notified when a login occurs from a new device. “Additionally, although it will not prevent account hijacking if a phone number has been taken over, we also recommend that two-factor authentication be enabled whenever possible,” she said. “This is best done with an app like Google Authenticator or Duo. If SMS-based two-factor authentication is required, we recommend using Google Voice.”
Clearly, phone numbers falling into the wrong hands can have devastating effects for consumers.
Benge cited the recent report that records of more than 419 million Facebook accounts, including phone numbers, had been exposed on a server. The number, she warned, could be harnessed by hackers. “When phone numbers associated with identities are leaked, like in this case where they are associated with specific Facebook profiles, it poses a high risk for SIM swapping attacks such as the recent attack against Twitter CEO Jack Dorsey,” she said.
On Wednesday, Twitter said that it has temporarily turned off the ability to tweet via SMS, or text message, in a move designed to protect people’s accounts. "We’re taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication (we’re working on improving this)," it tweeted.
On Thursday, Twitter tweeted that the feature was turned back on in a few locations that depend on SMS to tweet, but it remains turned off in the rest of the world.
A host of companies use SMS for two-factor authentication. In addition to SMS verification, Google also offers its Advanced Protection Program, which uses a physical security key in addition to two-factor authentication. The tech giant also lets users harness their Android devices as a second factor for authentication.
Fox News’ Joseph A. Wulfsohn and Fox Business’ Ann Schmidt contributed to this article. Follow James Rogers on Twitter @jamesjrogers