SIM swapping: Do hackers have your number?

Recently, I was browsing through the archives of the podcast Reply All (well worth doing, if you’re interested in unusual stories about how technology impacts our lives) when I came across an episode titled “The Snapchat Thief”. 

The gist of this episode is as follows: a young woman reports that her Snapchat account has been hacked, and asks asks the hosts of the show to help her investigate. She’s received emails from Snapchat telling her that her password has been changed and her account is now associated with a different phone number — and she’s also received threatening texts from the hacker, warning her not to report the hack to Snapchat. She’s spooked, and has no idea how the hacker gained access to her account, or even why they would want to. 

When host Alex Goldman investigates, he learns that the woman’s phone number was transferred to a SIM card controlled by the hacker. Since phone numbers are often linked to account authentication (e.g., many apps send two-factor authentication codes via text message) “SIM swapping” has become a common means for hackers to gain access to accounts.

How SIM swapping works

SIM swapping is much more a social engineering attack than a technical trick. Usually, the hacker will simply do a little research to find the phone number associated with their target account; then, they’ll call the phone company pretending to be the account holder, claim to have purchased a new SIM card, and ask for the number to be transferred. Given a gullible customer service agent, that’s all it takes — if the agent is reluctant, many hackers will offer a bribe. 

SIM swapping and social media

Back to our Reply All mystery — the SIM swap explained how the hacker had gained access to the caller’s Snapchat account, but it didn’t explain why. Social media profiles aren’t usually linked to financial assets, and the woman wasn’t a public figure with millions of followers or a carefully-crafted image to protect. 

However, she did have one thing of value — the username “@lizard”. Single words and common names are known as “OG usernames”, and once a social media platform gains traction, they become incredibly rare. Hackers who gain access to these usernames can sell them for hundreds and sometimes thousands of dollars through sites like ogusers.com. 

Of course, accounts with large followings are also valuable, even if they’re associated with less-desirable usernames. Hackers and their customers can use these accounts to broadcast marketing or political messages to a huge audience, as in the hacks of HBO’s Twitter account in 2017, and the London Police Department’s Twitter account earlier this year. 

SIM swapping and cryptocurrency

In addition to social media hacks, SIM swapping is often used to steal something of more obvious financial value: cryptocurrency. Phone numbers are a common means of authentication for cryptocurrency accounts, and cryptocurrency is an easier target than a traditional bank account, which may have tighter security and processes in place to reimburse customers for fraud. Members of one hacking group are facing up to 100 years in prison for stealing more than $2 million worth of cryptocurrency via SIM swapping, and two hackers were arrested last year for stealing more than $14 million from the cryptocurrency startup Crowd Machine.  

Protecting yourself from SIM swapping

After investigating the Snapchat case, Reply-All’s Alex Goldman wanted to know what he could do to protect himself from SIM swapping — so he hired a cybersecurity expert to analyze his vulnerabilities and provide a list of recommendations. 

One of the first steps on that list was to switch to a two-factor authentication app, rather than receiving two-factor codes via text message. A YubiKey or similar device works, too, as long as it separates authentication codes from your phone number. Another recommendation was to choose a phone company that requires more authentication, such as a personal PIN number, before making changes to your plan. And a third was to use a Google Voice number to receive calls, messages, and texts, since Google Voice accounts aren’t associated with SIM cards. 

Overall, though, we need to encourage companies to move away from using phone numbers as a verification method. Your phone number almost certainly isn’t a secret, and SIM swapping cases are proof that it’s far from secure.